mailing list archives
Malicious post by "Manip"
From: Andrew Schmadeke <schmad () miller-group net>
Date: Sat, 3 Jul 2004 04:07:33 -0500
The Security Alert on Centre by the Miller Group seems to have been posted maliciously.
Two of the three vulnerabilities do not exist, and the first one is an obvious fabrication.
The link posted demonstrating the first vulnerability actually portrays the correct behavior of the program. <x-tad-bigger> http://demo.miller-group.net/index.php?modfunc=create_account&staff&username=admin&staff_id=new points to a page that allows parents and teachers to request access to the program. This program was meant to be open to the public, and, in fact, the extra information at the end of the URL (&staff&username=admin&staff_id=new) does not affect the program's performance. As you can see, http://demo.miller-group.net/index.php?modfunc=create_account functions the same as the URL provided by Manip. http://demo.miller-group.net/index.php?modfunc=create_account is also a link from the Centre login screen titled "Create Account." There is no way to run any other program in Centre without being authenticated.
Also, the third "vulnerability" is not an issue. All variables in SQL statements are encapsulated by single quotes, and Centre expects PHP's magic quotes to be on. Furthermore, single quotes are replaced by double single quotes (which cancels the single quote -- same behavior as \'). So, SQL injection is impossible in every module of Centre. This is obvious throughout the code.
Finally, Manip's second vulnerability did exist in Centre up until Version 1.0. This was not a major vulnerability, since the malicious code had to be somewhere on the server running Centre. However, this vulnerability has been dealt with in Version 1.01, released today. Any program not allowed to a user (or any program not in Centre) cannot be run. And, the username and IP address of whomever attempts to run it are captured by the system.
The Miller Group
schmad () miller-group net</x-tad-bigger>
- Malicious post by "Manip" Andrew Schmadeke (Jul 03)