Blog Documentation Book a Demo
Vanilla 1 is no longer supported or maintained. If you need a copy, you can get it here.
HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.

Bugtraq report of Vanilla 1.0.1 security vulnerability

sinnedsinned
edited August 2006 in Vanilla 1.0 Help
Doesn't anyone here read Bugtraq? http://seclists.org/bugtraq/2006/Jul/0409.html Nobody responded to these accusations at all. I e-mailed SecurityFocus.com (they tend to be the most popular repository/database of security vulnerabilities) refuting the claims made by the person posting about the vulnerability. Now first off, there's no such thing as Vanilla 1.0.1. Were they looking at the Subversion repository checkout version? Second off, I looked at the code and the $RootDirectory variable is set just a few lines above in the Vanilla 1 source. It's set based on a getcwd() call, so there's no chance for user input. Someone would have to delete those two lines and then turn on register_globals for this to be a vulnerability. wtf?
«1

Comments

  • MinisweeperMinisweeper New
    First and foremost vanilla isnt a CMS, it's a forum. it's just very clever. Vanilla 1.0.1 does exist (it's running here), but i believe it is still subversion. The install directory no longer works after the install has been done since it sets a setting in the appg/settings.php file which lets the forum know it's already been installed. And even then I'm pretty sure that since the script sets the variable it'd overwrite anything which was input by the URI?
  • sinnedsinned
    Minesweeper, yeah it would overwrite anything. I was just reporting that someone posted about a Vanilla vulnerability on the world's foremost security vulnerability mailing list and nobody here noticed and nobody there refuted the claim. It's just undeserved bad publicity.
  • MarkMark Vanilla Staff
    edited August 2006
    I don't monitor that mailing list, no.

    I'm one guy doing all of this stuff - there's only so much I can do. I'm trying to rely more on this community to watch stuff like that and dispute it if necessary. So, thanks for pointing it out, and please go ahead and dispute it.

    Actually, I wouldn't even know how to go about replying to that.
  • MinisweeperMinisweeper New
    I've never heard of it before :D Sorry if it appeared i was directing my comments at you, sinned. I was just confirming that you were correct in saying it wasnt a vulnerability. I cant even see how to dispute it though?!
  • MarkMark Vanilla Staff
    edited August 2006
    So how exactly do you reply to that idiot uninformed person?
  • gigingergiginger New
    I think it's best to just step back and wait.
  • MarkMark Vanilla Staff
    Wait for what?
  • WallPhoneWallPhone
    I could have sworn I saw a CMS named vanilla. /me searches google...
  • gigingergiginger New
    The writer to get a clue.
  • WallPhoneWallPhone
    edited August 2006
    Hmm... never mind, this vanilla is not even to version 1 yet.
  • gigingergiginger New
    I don't think it ever will be by the looks of that page. 20th November 2005?
  • MarkMark Vanilla Staff
    I wish I knew how to reply. I subscribed to the list, but I don't know how to target that guy's issue specifically when sending a message.
  • gigingergiginger New
    edited August 2006
    Could you not just use From: mfoxhacker_at_gmail.com to contact them?
  • marymary
    That's just the email address of the idiot that submitted the so-called vulnerability info. I doubt you'd get far with him.

    http://www.securityfocus.com/bid/19127/info
    Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: vuldb@securityfocus.com.
  • MarkMark Vanilla Staff
    edited August 2006
    Alright - I mailed them:

    To whom it may concern,

    I am writing with regard to the so-called "vulnerability" in the Vanilla application that has been discussed on your site at:

    http://www.securityfocus.com/bid/19127/info

    Here is the code in question:

    $WorkingDirectory = str_replace('\\', '/', getcwd()).'/';
    $RootDirectory = str_replace('setup/', '', $WorkingDirectory);

    // ...

    // Include the old settings file if it is present (it just contains constants)
    if (file_exists($RootDirectory.'conf/old_settings.php')) {
    include($RootDirectory.'conf/old_settings.php');


    As you can see, there is NO vulnerability. The variable used in the path is defined a few lines above the code from the original report, and is defined using PHP's getcwd(); function. There is absolutely NO user-input that could cause the vulnerability suggested, and the "proof of concept" provided cannot possibly work.

    We ask that you please correct this information ASAP as it incorrectly casts bad light on our product.

    Kind Regards,
    Mark O'Sullivan
    http://lussumo.com
    http://getvanilla.com
    http://markosullivan.ca
  • marymary
    Well put, Mark. :)

    You know, you'd think they'd screen these things for accuracy before publishing them. Otherwise, it's extremely rude, to say the least. The fact that you also were not contacted directly and privately first - to give you reasonable time to create a patch for this non-existent security hole - makes it doubly so. Talk about shirking responsibility. If you were charging for your product, that could even cost you in lost sales and irate customers. Crap like that gets my ire up. >:/
    SecurityFocus is the most comprehensive and trusted source of security information on the Internet. SecurityFocus is a vendor-neutral site that provides objective, timely and comprehensive security information to all members of the security community, from end users, security hobbyists and network administrators to security consultants, IT Managers, CIOs and CSOs.

    With over 18 million page views a month and 2.5 million unique users annually, SecurityFocus is the preferred information source for security professionals around the world. We provide the security community with access to comprehensive, timely, and accurate security information at no charge.

    http://www.securityfocus.com/about
    "No charge"? or is it perhaps "priceless"? ;p
  • MarkMark Vanilla Staff
    This is really pissing me off. They've done nothing about it yet.
  • DinoboffDinoboff
    could you post something on the list yourself? Are you allowed to do that on this kind of list?
  • MarkMark Vanilla Staff
    I don't know. They don't explain anywhere how to go about it.
  • a_ja_j
    edited August 2006
    From the FAQ; 0.1.10 Do you verify the information on the list? No, we do not. The BUGTRAQ moderation process is not meant to verify and validate any information, patches, exploits or programs send out via the list. It is in place to keep the discussion in the list on topic. You should not assume that any of the information in the list is correct, or that any of the patches, exploits and programs do not contain backdoors or trojans without verifying this yourself. If you can't verify it yourself we recommend that you wait until other subscribers verify the validity of the information and post their result to the list. It is quite likely that there will be times when live exploits will be sent to the list. Some may even may affect your mail reading program. You should assume this will be the case and prepare for such situation. --- http://www.securityfocus.com/archive/1/description --- You could also try to mail the moderator: 0.1.5 Who is the moderator? David Mckinney <dm@securityfocus.com>
This discussion has been closed.