Re: I have fixes for the Geeklog vulnerabilities
This is in response to "Geeklog Multiple Versions Vulnerabilities",
<http://www.securityfocus.com/archive/1/339494> and a follow-up post to
Full Disclosure which, I assume, was also sent to BugTraq:
Lorenzo Hernandez Garcia-Hierro wrote:
>Due to the completely incorrect treatment and work of the Geeklog
>development team , that they don't developed fixes for THEIR product
As a member of the Geeklog Development Team, I'd like to point out that
the poster of the above lines did not bother to contact us, both with his
original findings, nor with these patches. Talk about incorrect treatment.
Furthermore, of the original findings (posted here and on Full Disclosure
a week ago), only the Shoutbox issue has been confirmed (and a patch is
available on the Geeklog website).
None of the supposed SQL injection issues that Lorenzo Hernandez Garcia-
Hierro claims to have found could be confirmed by us or members of the
Geeklog community. We can only assume that he only noticed that when
attempting to inject SQL into URLs, Geeklog would produce SQL errors and
from that he seems to have deduced that Geeklog was vulnerable for SQL
injections. When asked to explain his findings, he couldn't (or wouldn't)
come up with a working example either.
Now, there's no doubt that Geeklog could do a better job in filtering
these attempts. Work on that is currently under way - which we would have
told Lorenzo Hernandez Garcia-Hierro if he had bothered to contact us.
Potential problems that we have found so far:
- the SQL error message displayed by Geeklog could, in theory, leak
sensitive information
- sites where the PHP magic_quotes setting is OFF are slightly more prone
to the (alleged) injections then when it's ON
- sites running on MySQL 4.1 (which is currently in alpha state and not
ready for production use) are at a higher risk since MySQL 4.1 allows
concatenation of SQL requests (which previous versions didn't)
We have informed our users about these issues on the Geeklog homepage and
will continue to do so. We value security very highly, but we prefer to
handle it in a non-sensationalist way. We would have prefered to come up
with a solution to the problems and then post a detailed analysis of the
problems here (and on Full Disclosure). With his failure to contact the
developers, Lorenzo Hernandez Garcia-Hierro has yet again caused more
confusion than actually helping the situation.
Overall, this is a textbook example of how NOT to handle security issues.
By not contacting the developers, posting a report full of inaccuracies,
and, in the end, mostly non-working examples, Lorenzo Hernandez Garcia-
Hierro has caused uncertainty and confusion amongst the Geeklog users and
basically wasted everyone's time, including that of the developers.
Dirk Haun,
Maintainer of the Geeklog 1.3.x branch,
Geeklog Development Team
--
http://www.geeklog.net/
http://geeklog.info/