Re: [WEB SECURITY] [CVE-2007-3816][Advisory] JWIG Context-Dependent Template Calling Dos

To: Bubba Gump <bubbagump123@xxxxxxxxx>
Subject: Re: [WEB SECURITY] [CVE-2007-3816][Advisory] JWIG Context-Dependent Template Calling Dos
From: Pranay Kanwar <warl0ck@xxxxxxxxxxx>
Date: Sat, 21 Jul 2007 19:49:19 +0530
Cc: Aditya K Sood <zeroknock@xxxxxxxxxxxx>, full-disclosure@xxxxxxxxxxxxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx, websecurity@xxxxxxxxxxxxx
In-reply-to: <4d91d1040707201558w69132345w6958cc97f0352c92@xxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Organization: Metaeye SG
References: <46A1B1D8.70601@xxxxxxxxxxxx> <4d91d1040707201558w69132345w6958cc97f0352c92@xxxxxxxxxxxxxx>
Reply-to: warl0ck@xxxxxxxxxxx
User-agent: Thunderbird 2.0.0.4 (X11/20070616)

Hi,

Too bad you have fell for this without verifying things first i'll just break
two of the claims given by secniche.

First of all lets all get this straight, JWIG is for web services creation. For
the attacks to succeed the attacker will have to manipulate the things at the
server end.

Reading http://www.secniche.org/papers/HackAnnotationsInJWIG.pdf

1. Claim: Code gapping.

The example given will have to be written at the server end, very similar to 
writing
a PHP program. So tell me if you write rogue code yourself and load it is it 
JWIG to
blame ?. The attacker cannot load this rogue code. For example the code at the
following link

http://www.brics.dk/JWIG/demo/TempMan.jwig

Once this is compliled and installed, can't see how an attacker will manipulate 
this.


2. Claim: XML Fragmenting

This is where it gets really strange, the example given again has to written as 
a source
code, compiled and then installed. If i write a code that refers to a XML 
document
it is me responsible for ensuring that the things are right not JWIG, also this
is simply called External XML templates and it has nothing to do with 
fragmenting.

http://www.brics.dk/JWIG/manual/documents.html

So finally to put things together, Can't see where is the vulnerability.
If you write rogue code yourself you cannot blame JWIG, PHP etc.

The rest of the article is also filled with same bogus claims.

I would request everyone to take a very close look at secniche claims.

Also please continue using JWIG it is a sweet technology, especially features
like an explicit language-based notion of sessions, which avoids cookies and URL
rewriting, makes it a more better platform for writing secure web applications.

regards

warl0ck // MSG

References:
- [CVE-2007-3816][Advisory] JWIG Context-Dependent Template Calling Dos
  - From: Aditya K Sood

Prev by Date: Secure Computing - Security Reporter Auth Bypass and Directory Traversal Vulnerability
Next by Date: Oracle E-Business Suite - Multiple Vulnerabilities
Previous by thread: [CVE-2007-3816][Advisory] JWIG Context-Dependent Template Calling Dos
Next by thread: [ANNOUNCE] RSBAC 1.3.5 released
Index(es):
- Date
- Thread