Highlight issue is serious

[allanhardy]

Thanks for finally recognizing the Highlight security issue.
Having been hit by it today, having to leave my day job to fix things, I am glad to see a patch.

However upon research and hearing how you have handled the warnings about this over the past month, and handled howdark in general, I am left asking if you all feel you have the right policies and procedures in place? Have you learned anything from this? Your tactics against Howdark seem petty and foolish, at least in hindsite. Of course I do not have a full picture.

To satisfy us lowly users who have responsibilities to 5000 members and thier personal information, I would like to understand if you have learned anything from this and intentions moving forward? How should he, or anyone inform you of these things in the future? How can they escalate if you ignore?

Do you feel howdark is in any way vindicated now?

Allan

[A_Jelly_Doughnut]

I'm not in any way familiar with what went down, but from what I do know, the developers didn't realize a method to exploit this flaw at first, and therefore didn't want to fix it if they didn't need to. Now they have, and the party is over.

As for vindication: coding is never about vendication. It is about fixing what issues may arise, and trying to be the best (if only in a niche)

[dhn]

To satisfy us lowly users who have responsibilities to 5000 members and thier personal information, I would like to understand if you have learned anything from this and intentions moving forward? How should he, or anyone inform you of these things in the future? How can they escalate if you ignore?

We implented a pretty powerful system with the security tracker a few months back, as an answer to the problems we had with people trying to contact us before. So far this proves pretty successful, but you'll always have your black sheep.

FYI: phpBB 2.0.11 was just released.

[allanhardy]

But I am curious from them to learn if they have learned anything about taking this stuff more seriously? Did they not listen because of Hubris?
Was this just impossible to see or does their process need fixing?

Per howdarks sight the developers actualy banned his IP from here, called his ISP and accused him of some nasty stuff, and basically screwed with him. Whats that about?

[allanhardy]

We implented a pretty powerful system with the security tracker a few months back, as an answer to the problems we had with people trying to contact us before. So far this proves pretty successful, but you'll always have your black sheep.

FYI: phpBB 2.0.11 was just released.

OK, admittedly I'm a bit stressed after being hacked. Im not saying he's right, but I only have one set of data.

In any case, the 2.0.11 doesn't mention Highlight issue?

[dhn]

Per howdarks sight the developers actualy banned his IP from here, called his ISP and accused him of some nasty stuff, and basically screwed with him. Whats that about?

The website openly posted private phpbb.com team information that was obtained illegaly and was not meant for the public. In response we acted like one is supposed to react and informed the ISP. We could have gone even further if we wanted.

[dhn]

In any case, the 2.0.11 doesn't mention Highlight issue?

That is the following fix:

Fixed XSS vulnerability in username handling - AnthraX101

The issue was not seen as critical when it was first released. Neither the original reporter nor the developers saw the potential at the time.

[psoTFX]

However upon research and hearing how you have handled the warnings about this over the past month, and handled howdark in general, I am left asking if you all feel you have the right policies and procedures in place? Have you learned anything from this? Your tactics against Howdark seem petty and foolish, at least in hindsite. Of course I do not have a full picture.

Indeed you don't ... so accusing us in any way, shape or form is not exactly clever now is it? Shall we review what happened? Yes, let's do that ...

On the 21st of September someone calling themselves "jessbunny" filed a report noting a potential hole in the highlighting code in viewtopic.php. They stated they could not see any way to actively exploit this. Acyd Burn followed up this report, and upon investigation similarly concluded there was no apparent way to take advantage of it. The "exploit" was therefore given a low priority and a fix set in place for a future release.

Following this I was contacted by PM by "jessbunny". She wrote the following:

Because of the way my security group is being laid out, we want to make sure we get credits for submitting them, not because we want fame and glory, just because want to keep it open that we were the actual ones who found them, and helped support phpBB. (sounds sortve contradicting, but its just the way we decided on it).

If on agreement, we are also going to make sure you put out a patch, before we release it out our security site

We encourage the use of spreading knowledge.

If met under these terms, we will make sure you are first to hear, since we are really in the mood to break down phpbb into parts and help fix everything piece by piece.

Thanks<3! This would work especially well if you could chat with me on AIM.

For our group leader: Brett (emu so emo)
me: My nightindreams.

Now smack me over the head with a hammer but I, and indeed others were not terribly impressed by how that was phrased ... it sounds very much like a pre-condition "You promise to do X, and we'll inform you". Crikey, in some places it could be deemed blackmail. I responded to that with text which included the following:

Let me start by saying that I very strongly believe it's the responsibility of anyone finding a vulnerability in any application to first submit that to the authors of the relevant software ... no if's, no but's, no maybe's and certainly no pre-conditions To not submit an issue and give vendors a reasonable opportunity to correct it puts untold numbers of people at risk.
<snip nothing of great importance to this topic>
We here take all such submissions seriously and release updated versions as deemed necessary. Not all "vulnerabilities" are vulnerabilities, not all require immediate patching, etc. etc. Equally we note in the changelog the names of those who submit issues to us ... however it is my strongly held opinion that people should not submit issues just to "associate" their name with an application. I've submitted issues with other software to the relevant authors before and I have never expected recognition for it. IMO it's a case of doing what's right.

We request all security related issues be submitted to our tracker. That way the development "group" can respond appropriately. This ensures a "written" record of any problems, eliminating issues we've had in the past were people claimed to submit issues when in fact they hadn't. Equally it allows responses not just by myself but by others in that group.

I hope that answers your questions.

jessbunny replied with:

I agree, but I also agree credit deserves to be where credit is due. I didn't sit in front of your software for days for no reason. I'm here to make phpBB better and safer. To work faster then the people who try to abuse it.

I don't really see it a responsibility though. I'm actually morely if anything disappointed in what i've seen after scrolling through these files. There are numerous areas only protected by shear luck of intval, also tons of sloppy spelling mistakes.

And don't even get me started on the email scripts. Did you guys forget about those years ago?

I guess we'll just see how things work out.

Now again, smack me silly but that last line rather is rather "questionable" wouldn't you say?
Again, I responded with the following:

Hi,

Without wishing to start a flamewar here ... "Tons of sloppy spelling mistakes" ... come on, have you read your own PM's to me? If you say "you spelled authorization" incorrectly I'll scream

As for "luck of intval" ... it's called variable casting. Now it's very true to say we didn't do enough of this in 2.0.0 and upon problems being found by ourselves or others we've addressed them. Equally in 2.2.x we've centralised the setting of vars to better ensure they do not contain data they shouldn't. Ensuring parameters/variables contain the relevant type is one of the basic things you can do to reduce or eliminate injection and remote script execution problems.

As for "responsibility", sorry as I note, IMO it's very much a responsibility. If you lost your house keys would you like:

a) Whoever found them to pin them to your front door with a note saying "These keys belong to this house", or
b) Whoever found your keys to personally hand them to you and give you a chance to change the locks?

I'll go with b) By posting vulnerabilities in software into the public domain before informing the authors is the same as a) IMO

Finally, as I said, we note the names of those who inform us of vulnerabilities before releasing the info publically (we don't include the names of those who didn't bother informing us or who informed us after releasing the info). But I say again, that shouldn't be motivation for deciding whether or not to inform the software authors. Such submissions should be viewed IMO as being "I did something useful".

Don't get me wrong, we appreciate submissions to our security tracker. But I must admit to being a little disappointed in your "need for pre-conditions" ... IMO someone either wants to "help" by submitting issues or they don't. To place "pre-conditions" on it rather goes against the idea of "helping" IMHO.

Thanks

jessbunny responded with:

My original idea for getting them wasn't for helping, I thought I could eventually just help out and give them to you, because I do have ethics and a stance of basic morality in the computer world.

I went through hell staring at the code. There's a difference from someone finding a key on mistake, or someone looking damn well hard for that key. I would happily hand over the key, I didn't think a little note would be such a big deal.

As for sloppy spelling mistakes, apparently you didn't see that I was pointing it out in your software, not my private message, but thanks.

But you're right, this is a useless waste of my time.


Sorry for my 'pre-conditions!'

The exchange ended ... I said nothing more, we received nothing more.

Now, do tell me all, where was I rude in this exchange? Where did I "harrase" (as another member of "howdark.com" claimed?) her?

We move on ... the day before yesterday a post was sent to bugtraq noting a hole in phpBT, a bug tracking app. This app was not written by us, we have absolutely nothing to do with it. All we do is use it like a great many other people. The person posting this exploit however chose to give proof of concept by linking to _our_ bug tracker, see http://msgs.securepoint.com/cgi-bin/get ... 1/151.html This was an outrageous act, we obviously were not informed of this at all before said post appeared. Due to this our site was attacked and defaced. We logged the intrusion and from that a post was sent to the ISP in whose netblock that address was contained ... standard practice. That IP was also banned on our forums and soon after on the server level (along with several other IPs all of which were attempting to gain access to our system).

One "jess" (ring any bells?) subsequently appeared on IRC with a hostmask containing the same IP as one of those implicated in attacking our site. She apparently (I wasn't online at the time to see this but it was logged by other team members) pointed to a folder on the howdark site which contained image after image of screenshots of our board, hidden forums, the ACP, etc. Why would this person do that? hhhmmm. When I joined IRC "jess" wasn't online, when they did appear I kickbanned them ... again no shock there.

All went quiet ... then yesterday we were informed by another party (AFAIK unrelated to howdark) that the exec exploit was indeed serious and they provided suitable evidence of this (they could've phrased it a little less sarcastically but what the heck ). We immediately started testing our provisional 2.0.11.

Today, the intended (and now actual) release of 2.0.11 we discovered howdark.com were complaining about being contacted by their ISP ... now, let's examine this shall we? We contacted the ISP whose netblock contained an IP address clearly implicated in attacking our site ... we had no idea it was howdark.com, yet the ISP (Road Runner) clearly tied the IP we provided to their RADIUS/DHCP logs and contacted the relevant person. Now, combine this with the IRC hostmask which matched that IP, the fact this user was obviously involved with howdark.com ... and what do you get? Now that site has released proof of concept information, giving explicit detail on how to utilise an exploit to do damage. They should be careful in doing that ... noting an explot is one thing, handing out pieces of code which can be used to actively do damage is quite another.

So tell me, do you think we were incorrect in our actions? Do you think we should've sat back and allowed someone to attack our site (we had no idea at the time who as I've already stated)? Do you think we dealt with howdark.com badly? I think not ... I think the problem here has been howdark.com. I should add that someone else claiming to be with howdark.com joined our IRC channel recently, first they demanded an appology for us harrassing jessbunny ... we had no proof, how dare we. By the end of the discussion, following evidence as given above, this person had changed tune and was saying "Okay, I guess Jessica did fiddle with your server" ... game, set, match.

[allanhardy]

Indeed you don't ... so accusing us in any way, shape or form is not exactly clever now is it? Shall we review what happened? Yes, let's do that ...

Thank you for the time, detail, and other half of the picture. I thought I was being clever enough in not accusing while at the same time looking for transparency. I didn't accuse by asking what was going on or what was learned.

I take your issues with jessbunny and howdark into two different catagories, developer relations and you being hacked.

Since you asked, In neither catagory do I see anything questionable on your part. I was under the impression that the 'back-and-forth' was more about the issue, a valent attempt to convince you that went ignored, then who got credit. I've no place to comment on the politics/relationship aspects with other developers who want to help out, be it in security or any area.

As to the site hack, ISP reporting and howdark, again, your actions are spot on best I can tell.

Since you didn't address it, it appears that you don't feel there is any place for process improvement, that this exploit would have slipped through the cracks no matter what was done?

In closing, it appears to me that howdark's posting of the exploit technique is what enabled someone to hack my site today.

Curious, did thier posting of an explot have anything to do with you finding out one existed? I know you said --AFAIK unrelated to howdark, but the timing is coincendental.

Again, I really appreciate the time and effort to answer my questions and to help us all see the bigger picture.

[psoTFX]

In this situation I think I can truthfully say, no I don't think we could've done anything differently. We were informed of a potential exploit. Both the person informing us and one of our developers tried and yet could see no immediate method of actively taking advantage of it. It of course turned out we were both wrong.

As for the discovering of just how this exploit could be utlilised. Yea know it's interesting ... the same person who recently came to admit that jessbunny did likely "fiddle with our server" also said "he" discovered how to take advantage of this exploit soon after it was posted to bugtraq. He claims to be a member of howdark.com too ... strange that ... a "security group" that don't talk to each other in nearly three months of said exploit first being "discovered" by them. He went on to say he would "give us more time" if new issues are discovered ... kind.

[alphamonkey]

I know it probably doesn't mean much, but I appreciate you posting this. It helps me understand things a lot better. I think to myself what I would if I was in your position, both as an admin and a developer. In this situation, I do not think I would have done anything differently. So, thanks.

[AnthraX101]

In any case, the 2.0.11 doesn't mention Highlight issue?

That is the following fix:

Fixed XSS vulnerability in username handling - AnthraX101

The issue was not seen as critical when it was first released. Neither the original reporter nor the developers saw the potential at the time.

I'm not sure why my bug got rolled up under the highlight bug fix, but it is not related. I had nothing to do with the highlight bug, and am not affiliated in any way with howdark.

AnthraX101

[dhn]

I'm not sure why my bug got rolled up under the highlight bug fix, but it is not related. I had nothing to do with the highlight bug, and am not affiliated in any way with howdark.

My bad, got that mixed up. Sorry. Good that I am not a developer. 8)

[fallacy]

psoTFX did you even have this jess person's permision to post your PRIVATE converstation?

[Heimidal]

psoTFX did you even have this jess person's permision to post your PRIVATE converstation?

By sending something to someone, you are consenting that they may do with that information whatever they see fit. There is no law stating that you must obtain permission in order to tell someone what another person told you. What exactly is your point?