SLA.CKERS.ORG
HA.CKERS SLACKING
sla.ckers.org web application security lab forums
Where you should disclose your vulnerabilities. Go read RFPolicy if you want to do responsible disclosure, and go here for when all else fails. 
GNUCITIZEN LOL
Posted by: ionic (IP Logged)
Date: July 29, 2007 05:07AM

For sure Kuza and co will soon come out and tell us how bad it is to laugh at other people's mistakes.

Here we go: XSS vulnerability in GNUCITIZEN.org

[blog.php-security.org]

And yes WE laugh about it, because running around and telling everyone how doomed he is by XSS and then having XSS vulnerabilities in your own "tools" is hilarious.

Re: GNUCITIZEN LOL
Posted by: Ronald (IP Logged)
Date: July 29, 2007 05:48AM

Yeah right on Stefan:

[forum.hardened-php.net]

Look who's talking now.

0x000000

Re: GNUCITIZEN LOL
Posted by: Gareth Heyes (IP Logged)
Date: July 29, 2007 08:02AM

lol Ronald I suppose everyone makes mistakes :)

Re: GNUCITIZEN LOL
Posted by: Ronald (IP Logged)
Date: July 29, 2007 09:13AM

Yeah and actually it is a PHP coding mistake, which makes it all the worse ^^
Ah well, not many peepz know and yes most sites are vulnerable.

0x000000

Re: GNUCITIZEN LOL
Posted by: pdp.gnucitizen (IP Logged)
Date: July 29, 2007 03:50PM

yep, the mistake was pretty bad, but I have no idea how the heck the thing slipped through my fingers. however, the good thing is that I patched it 15 minutes after Stefan's post, thanks to SECURLS' awesome API. :)

anyway, everybody makes mistakes... when you start working on corporate level jobs you will realize that things are even worse. What big guys care about is not losing their customers. Incidental hacks and other stuff like that are covered by the insurance companies and backed up by intelligent PR campaigns and crisis management plans. It is impossible to secure a network. It is impossible to secure large sites. You may stop most attackers but if they are dedicated enough, they will always find a way in. This is it. Finito. The entire security industry is based on managing the risk levels rather than securing the perimeter, which is virtually impossible. This is a message that I am trying to send to everyone. Grow up!

Re: GNUCITIZEN LOL
Posted by: kuza55 (IP Logged)
Date: July 30, 2007 12:21AM

ionic Wrote:
-------------------------------------------------------
> For sure Kuza and co will soon come out and tell
> us how bad it is to laugh at other people's
> mistakes.
"Kuza and co" - I could get used to the sound of that ;)

> And yes WE laugh about it, because running around
> and telling everyone how doomed he is by XSS and
> then have XSS vulnerabilities in your own "tools"
> is hilarious.

Honestly, I just can't see the humor, it just doesn't seem funny to me. Though I'm glad you can get your kicks so easily.

Now, if someone who was bitching about how easy it is to fix XSS vulns had this happen to them, I'd be laughing along with you, since that'd be ironic. But I don't see that here.

Honestly I don't care if you're laughing about it, because unless you're doing something interesting, I really don't care.

I do think the security community needs to be less vulture-like (and 4 separate people posting something about it, and then comments about who found it first, is definitely vulture-like), but I'm not going to achieve anything by arguing with people like you who simply don't understand that mistakes happen, and that we shouldn't react to those mistakes on a personal level.

Re: GNUCITIZEN LOL
Posted by: ionic (IP Logged)
Date: July 30, 2007 05:55AM

Like I already pointed out to Ronald in his blog until he blocked my IP.

This is btw a really nice way to censor different opinions. At the moment his website even claims that I am a "security scanner". LOL.

You can blame me all day long for using PHP software that had a security hole in it. Actually you can really blame me, because the hole was known and I overlooked it when I backported security fixes. However you cannot blame me for writing this code, because I did not.

What you don't get is that there is a huge difference between being a security expert and writing vulnerable code and being a security expert and using a vulnerable application.

Only dreamers believe that they can write every piece of code they need themselves. In the real world one has to rely on 3rd party code.

Re: GNUCITIZEN LOL
Posted by: .mario (IP Logged)
Date: July 30, 2007 05:59AM

@ionic:

Same problems here (what a wonder). On my personal credibility-curve Princess Ronald just reached the very bottom (in case s/o wanted to know this - I don't really think so but just in case...)

over and out...
.mario

_______________________
[php-ids.org] || [gnucitizen.org]
Web Application Security 2.0

Re: GNUCITIZEN LOL
Posted by: ionic (IP Logged)
Date: July 30, 2007 06:07AM

@kuza55

For me it is really funny. Just sit back and watch what happens when you point out these bugs.

They all claim what you found is not dangerous. For various reasons... Maybe because there are no cookies to steal, ... Of course this is completely different when they find similar errors in other persons' sites.

And then they try to come back at you by pointing out errors in 3rd party software you have installed. The next thing is that you show them more errors in their software and then they start blocking your IP in their blog.

And yes I consider it funny when you are a web security researcher and write 10 lines of PHP code and have several XSS errors in it.

Re: GNUCITIZEN LOL
Posted by: Ronald (IP Logged)
Date: July 30, 2007 07:24AM

So what, those comments are spam because they spread over different articles. I won't allow spam and those who do will be blocked on IP.

0x000000

Re: GNUCITIZEN LOL
Posted by: pdp.gnucitizen (IP Logged)
Date: July 30, 2007 08:04AM

I would like to say a few things here so everybody knows my statement. Finding vulnerabilities in public websites is wrong. What Stefan did was totally unethical. In fact, it is considered illegal. Some of you may say that it is just a simple XSS, but I've seen cases where simple XSS attacks can result in the backend going nuts and the entire system falling apart. You should not test public websites unless you have permission to.

Second, the vulnerability within the CSRF redirector is simple and stupid. Ok, we screwed up. We fixed it and now we are moving on. We have some great projects to release and this is where I am going to concentrate my energy personally.

Thanks Ronald for supporting this statement all along. Oh, and thanks to Stefan for pointing out the vulnerability. Given the project load that we have at the moment for sure we would have missed it. BTW, things like this have happened before and we are open about it. Check this out: [www.gnucitizen.org].

:) peace, btw if you are interested in winning an XSS Book, keep up with the GC blog.

Re: GNUCITIZEN LOL
Posted by: Ronald (IP Logged)
Date: July 30, 2007 08:50AM

@ionic,

like I didn't know about the data directive? I was one of the first ones who published one on eBay. Still it requires user interaction to click on it and has a char limit of 30. Go ahead, try to "pwn" it. I intentionally allowed users to submit many URIs but sensible attack characters won't display: ' ` ^ { } < > = +

So it's just a child's game of not admitting you had a hole you didn't know about. That is strange because you wrote about it in your own forum in 2005, a little ironic isn't it?

I'm done with this game you play, and the posts spread across different articles are considered SPAM in my eyes and so they will be blocked, in this case you cannot comment with your IP, and I have all the right to do so. Oh and Stefan, better upgrade to the newest version of your "blog software" cause I found a new SQL injection point in the request parameters.

So move along, all nice friends again, I have to fix my bathroom now.

0x000000

Re: GNUCITIZEN LOL
Posted by: christ1an (IP Logged)
Date: July 30, 2007 12:05PM

Oh man, I am so fucking sick of all this. Damn it Ronald, was that spam on my planet meant to be some sort of revenge just because ionic and I mentioned that vulnerability on your site? Because I linked an old entry where I checked whether or not the URL field is vulnerable?

Damn it, you really think I did this on purpose to blame you, don't you? Yeah, after all those constructive thoughts I contributed in the past to your site this does make sense indeed.

This offence honestly is the poorest event of everything that has happened today. You really proved a lot by defacing a website that trusted your input.

And what the fuck is so difficult in exploiting this kind of vulnerability? Prepare a malicious link that loads some javascript from h4k.in or whatever, make the victim click on it and you're done.

Hell this sucks.

Regards,
- [christ1an.blogspot.com]

_______________________
[php-ids.org] Web Application Security 2.0

Re: GNUCITIZEN LOL
Posted by: ionic (IP Logged)
Date: July 30, 2007 12:08PM

@pdp

Stop writing such bullshit, I did nothing illegal/unethical. I entered a URL in your attack tool, an attack tool that is by definition unethical and nowadays illegal in countries like Germany.
However there are examples where German judges told the site owners that it is their problem if e.g. a bunch of customer data incl. credit card numbers is reachable by a URL.
And it is very amusing that you call me attacking an attack tool unethical but Ronald exposing an XSS vulnerability in a forum with real users is okay.

@ronald

First of all you assume too much. I have done nothing with data: directives. I used plain javascript: URLs. Something you obviously did NOT block. 30 chars might be tough but things similar to eval(location.hash) might still work. (but I am not sure).

And unlike you I admit having a hole if I have one. But you have yet to find a hole in my code. You exploited a vulnerability in a 3rd party open source forum software that I use. I am not responsible for the code in there.
This is unlike your blog that most probably was coded by yourself and that contains holes.

And no thanks I don't think I need to update my blog software.

Re: GNUCITIZEN LOL
Posted by: Ronald (IP Logged)
Date: July 30, 2007 12:46PM

What holes..submitting a hyperlink?

I got another expl0it for you leets: telnet://evilsite.com

Oh wait this is a better one: [www.0x000000.com]
(be warned when you use javascript, cause you won't recover)

So, this is the last thing I say about this cause you make me sick, go exploit hyperlinks.

0x000000

Re: GNUCITIZEN LOL
Posted by: ionic (IP Logged)
Date: July 30, 2007 12:57PM

Ronald you still don't get it that the javascript URL is executed within your domain, do you?

You are behaving like a little child that desperately tries to rescue its neck with nonsense pseudo arguments and spam attacks like spamming planet-websecurity.

Yes it IS only a hyperlink, but a hyperlink on YOUR site that is able to execute Javascript on behalf of YOUR domain (because YOU failed to code it correctly) if someone clicks it.
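The point ionic makes above, that a stored hyperlink with a javascript: scheme runs in the hosting site's origin and a character blocklist does not catch it, in a small validator: this is an added example, not code from anyone in this thread. The blocklisted characters are the ones Ronald lists earlier; the scheme allowlist, function names and sample inputs are assumptions.

```python
import html
from urllib.parse import urlsplit

# Characters Ronald says his comment form refuses (quoted from the thread). Kept only
# to show why a character blocklist is the wrong control for user-submitted hyperlinks.
BLOCKED_CHARS = set("'`^{}<>=+")

# Defender-side control (assumed policy): only schemes that cannot run script in the
# page's origin may become an href.
ALLOWED_SCHEMES = {"http", "https", "mailto"}


def passes_char_blocklist(url: str) -> bool:
    """The weak check: reject only when a blocklisted character is present."""
    return not (set(url) & BLOCKED_CHARS)


def is_safe_href(url: str) -> bool:
    """The stronger check: parse the URL and allowlist its scheme."""
    # Browsers tolerate whitespace and control characters inside the scheme
    # ("java\tscript:"), so strip them before parsing, not after.
    cleaned = "".join(ch for ch in url if ch.isprintable() and not ch.isspace())
    scheme = urlsplit(cleaned).scheme.lower()
    if not scheme:
        return False  # relative URLs: rejected here; a site may choose to allow "/..."
    return scheme in ALLOWED_SCHEMES


def render_link(url: str) -> str:
    """Emit the anchor only when the scheme passes; escape for the attribute context regardless."""
    if not is_safe_href(url):
        return "<a>(link removed)</a>"
    safe = html.escape(url, quote=True)
    return f'<a href="{safe}" rel="nofollow">{safe}</a>'


if __name__ == "__main__":
    # Constructed inputs: the blocklist passes the javascript: link but rejects an
    # ordinary query-string URL, while the scheme allowlist gets both right.
    for sample in ("javascript:alert(1)", "https://example.com/?x=1"):
        print(sample, passes_char_blocklist(sample), is_safe_href(sample))
```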

Re: GNUCITIZEN LOL
Posted by: Ronald (IP Logged)
Date: July 30, 2007 01:15PM

Actually, that was kinda funny ^^

it was not SPAM it was a CSRF done by the planet's own server, that's pure magic. BTW Any feedscraper was "pwned" today. So I had my fun also. And you may distort this story in any direction you want, and shall we cut the crap on the forum here? Let's enjoy it once again.

0x000000

Re: GNUCITIZEN LOL
Posted by: pdp.gnucitizen (IP Logged)
Date: July 30, 2007 01:28PM

Stefan, it is not OK. Disclosing bugs on public sites is not OK at all. I don't even know why RSnake supports that. I think I made my statement quite clear at OWASP. But let's cut the crap and go away peacefully. You proved your point. You found a bug. We fixed it. So what? I am sure that we have better things to do than pointing out each other's mistakes. I know for sure that I am not going to continue this crap. There is no value in it.

“The thing that is really hard, and really amazing, is giving up on being perfect and beginning the work of becoming yourself.” or “This is the very perfection of a man, to find out his own imperfections.”

so move on... that applies to everybody

Edited 2 time(s). Last edit at 07/30/2007 01:30PM by pdp.gnucitizen.