Re: Bugtraq ID# 53694 is invalid/fake

Board: Bugtraq, posted 13 years ago (2012/06/16 03:01)
This is in regards to: http://www.securityfocus.com/bid/53694

This is an uncoordinated release; the author did not make any attempt to notify us either by email or the public forum. The non-working exploit seems to have been copied and pasted from the RIPS source code analyzer, and the author didn't even bother to test or understand the code. A real hacker can read source code, not run a RIPS source code analyzer and publish the finding without due diligence. This is the result:

Try: alert('..config.inc.php could not be loaded');

1) The "/" or %2F won't be accepted.
   $filename = preg_replace("/[^a-z._\d]/i", "", $_GET['js']); // sanitize, prevent path traversal

2) It will only read a .js.gz file (I see attempts to load /etc/passwd but that doesn't make sense - I don't think he knows/understands how to read source code):
   readfile(SITE_PATH.'/js/'.$filename.'.js.gz');
   The bad chars will be stripped anyway ...

3) Test:
   http://gekkocms.babygekko.com/js/js_gzip.php?js=..%2Fconfig.inc.php
   http://gekkocms.babygekko.com/js/js_gzip.php?js=../config.inc.php

The js_gzip.php was included as of v1.1.5a. Also older versions on my website:
http://www.babygekko.com/downloads/archives/gekko_web_builder_v1.1.4.zip
http://www.babygekko.com/downloads/archives/gekko_web_builder_v1.1.5a.zip
http://www.babygekko.com/downloads/archives/gekko_web_builder_v1.1.5c.zip

I am fine with people publishing vulnerabilities to make code more secure. What I'm unhappy about is how some wannabe script kiddiot can just download source code analyzers/scanners and publish things WITHOUT any prior test and WITHOUT contacting vendors. I have had people publish their findings in my forum and I'm fine with that. But not when they don't at least test or contact me and it later turns out to be a false alarm.
Here's a copy & paste from v1.1.5a (old version - the same), /js/js_gzip.php:

<?php
//++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++//
// Baby Gekko content management system - Copyright (C) Baby Gekko.
// This is a SHARED SOURCE, NOT OPEN SOURCE (GPL).
// You may use this software commercially, but you are not allowed to create a fork or create a derivative of this software
// Please read the license for details
//++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++//
include ('../config.inc.php');   // defines SITE_PATH
error_reporting(0);

// Only letters, digits, '.' and '_' survive; '/', '\', '%' and NUL are dropped
$filename = preg_replace("/[^a-z._\d]/i", "", $_GET['js']); // sanitize, prevent path traversal

// Weak validator derived from the sanitized name, used for conditional requests
$etag = sprintf('bbgk%u', crc32($filename));
header("Content-type: text/javascript; charset=UTF-8");

if (isset($_SERVER['HTTP_IF_MODIFIED_SINCE']) || isset($_SERVER['HTTP_IF_NONE_MATCH']))
{
    // Note: any If-Modified-Since value short-circuits to 304 before the ETag is compared,
    // and a mismatched ETag falls through to an empty 200 rather than re-serving the file.
    if (!empty($_SERVER['HTTP_IF_MODIFIED_SINCE'])
        || (isset($_SERVER['HTTP_IF_NONE_MATCH'])
            && str_replace('"', '', stripslashes($_SERVER['HTTP_IF_NONE_MATCH'])) == $etag))
    {
        header('HTTP/1.1 304 Not Modified');
        exit();
    }
}
else if (file_exists(SITE_PATH.'/js/'.$filename.'.js.gz'))
{
    // The '.js.gz' suffix is appended unconditionally, so only pre-gzipped
    // files under SITE_PATH/js can ever be read
    header("Vary: Accept-Encoding");
    header("Cache-Control: public, max-age=".(144000 * 24));
    header("Pragma: public");
    header("Expires: Tue, 30 Aug 2037 20:00:00 GMT");
    header("Content-Encoding: gzip");
    header("ETag: \"{$etag}\"");
    readfile(SITE_PATH.'/js/'.$filename.'.js.gz');
}
else
{
    // $filename is already reduced to [A-Za-z0-9._], so it cannot break out of the string literal
    echo ("alert('{$filename} could not be loaded');");
}
?>
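To check the vendor's claim independently, the following is an added example (not Baby Gekko code) that ports the `preg_replace` filter to Python, builds the same `SITE_PATH/js/<name>.js.gz` path, and verifies that the result stays inside the js directory; `SITE_PATH` and the probe strings are constructed for the example.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed value for this example; the real SITE_PATH comes from config.inc.php.
SITE_PATH = "/var/www/gekko"

# Port of the vendor's filter: preg_replace("/[^a-z._\d]/i", "", $_GET['js']).
# re.ASCII keeps \d to 0-9, matching PCRE's default non-Unicode behaviour.
JS_NAME_FILTER = re.compile(r"[^a-z._\d]", re.IGNORECASE | re.ASCII)


def sanitize_js_name(raw_query_value: str) -> str:
    """Decode the query value as PHP's $_GET does, then strip everything
    outside [A-Za-z0-9._]. Slashes, backslashes, NULs and '%' all go."""
    decoded = unquote(raw_query_value)
    return JS_NAME_FILTER.sub("", decoded)


def resolve_js_path(raw_query_value: str, site_path: str = SITE_PATH) -> tuple:
    """Build the path readfile() would open and report whether it is still
    inside <site_path>/js. Dots survive the filter, but without a separator
    '..' is just part of a file name, not a parent-directory reference."""
    name = sanitize_js_name(raw_query_value)
    js_dir = posixpath.normpath(posixpath.join(site_path, "js"))
    target = posixpath.normpath(posixpath.join(js_dir, name + ".js.gz"))
    inside = posixpath.commonpath([js_dir, target]) == js_dir
    return target, inside


if __name__ == "__main__":
    # Constructed inputs: one legitimate name plus the probes quoted in the post.
    for probe in ("jquery.min", "../config.inc.php", "..%2Fconfig.inc.php", "../../etc/passwd"):
        path, ok = resolve_js_path(probe)
        print(f"{probe!r:24} -> {path}  inside js dir: {ok}")
```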
Article ID (AID): #1FsuPktf (Bugtraq)