"Security group wannabe" doing harm?

smarko

Hello,

I'd like to give following information for you to review and make up your own thoughts about it. To put it short, person with nickname r0t, belonging to "security crew" named Pridels, have claimed on their blog, that my PHP-based product contain security flaw. That claim is false. I'll explain this in more detail in next section.

http://hoito.org/en/greenminute (full version to test)

The way he comments his actions and declines to release my comments (the second one) in his moderated blog is kind of proof about what type of person he is. As it would be fruitless to make any further contact with him, I'm putting this information visible for others to read.

I would be worried, if this r0t-person is more interested in trying to gather fame by adding something new to a list of software titles, he has touched with his "security gloves", than doing acceptable security related work. I would be even more worried, if that would be common practise in "security scene". To collect name and fame among others, I mean.

THE CLAIM

http://pridels.blogspot.com/2006/04/green-minute-sql-inj-vuln.html

The claim was this: "Multiple SQL injection vulnerabilities in userscript.php in Green Minute 1.0 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) huserid, (2) pituus, or (3) date parameters."

Well, those parameters mentioned ARE checked (preg_match) before they are used in SQL-query, so where's the security flaw? Basically, this r0t-person haven't bothered to check things carefully and have just made a guess. Naturally, he didn't bother mention anything to me.

If someone decided to add SQL-injection stuff to certain parameter, they would see an error text, but only because nothing was passed inside that parameter (to MySQL-database). Yes, I should have made that text hidden or replace it with something else. This applies to few cases, but it certainly can not be called as "security flaw".

ABOUT THE CLAIMER

Claimer's nick: r0t
Blogger-profile: 15 years, Finland, Turku (maybe true, maybe not)
Url: http://pridels.blogspot.com/2006/04/green-minute-sql-inj-vuln.html

His blog-comments (in above url) are moderated and he have decided to not release the second comment I made (over 2 weeks ago). That way he can try to leave any impression he wants (fits in schema I see about him). My second comment would have been:

"The way you decided to choose words to your answer, proves to me, that you haven't grown to a person willing to take enough responsibility of your actions. Also, please don't call yourself a security expert, if you can not discern real security threat from from "unnecessary textual information". And if you later found something really dangerous and you are sure about it, let me know about it and don't just write about it here. That's what responsible security expert would do." (He did call himself a security expert.)

His actions remind me of people, who are "collecting fame" among other "security experts" (with nick names like rgod, waraxe, nukedx, g0df4th3r, [Oo] and str0ke). Or maybe he wants to show to everybody how many software products he has checked through (or should I say "has touched"?). See: http://www.security.nnov.ru/source12948.html (I haven't and won't test any of those other titles on his list, but that shouldn't make this post meaningless).

THE FALSE CLAIM HAVE REACHED MULTIPLE SECURITY SITES

The security "alert" have been posted atleast to these sites:

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-1930
http://www.security.nnov.ru/Mdocument327.html
http://www.itsecurity.com/security.htm?s=15488
http://xforce.iss.net/xforce/xfdb/25942
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2006-1930
http://www.osvdb.org/displayvuln.php?osvdb_id=25207
https://www.netsecurity.ne.jp/6_6549.html

I've downloaded relevant pages from those sites and put them to this .zip-archive (in case they disappear):
http://hoito.org/en/sosaidsecurityflaw.zip

BACKGROUND INFORMATION ABOUT THE AUTHOR

As background information I can tell, that I'm mediatechnology student in polytechnic, studing programming and other subjects. The Green Minute was my first "bigger" product. I've learned a lot while coding it and there's a lot of things, I now would want to do otherwise, but that claim about security flaw is still rubbish.

BOTTOM NOTE

These kinds of false "security alerts" will weaken the credibility of real security experts and their work. If this is common in "security scene", such actions might also raise unnecessary fears among general people toward privacy issues related to internet (because it increases security issue count). It also seems to be too easy make false security claims like this and get that information published in multiple sites.

Yours,

Marko Seppänen
Hoito.org - http://hoito.org

bpat1434

Honestly, for someone that blogs using the English language, and responds using English, you'd think he'd have at least gone to English class to learn it. Plenty of mistakes that aren't typing mistakes (like reversed letters, missed letters). Things like improper pluralization and incorrect grammar really stick out.

If he were respectable, and wanted to be respected, he'd take the time to learn his craft and the language in which he plans on conveying his issues. I'm from the USA, so I'm not going to say I have perfect English, nor will I say I can speak ebonics fluently (although I can make do 😉 ); however, I do know enough about my language to know it's not as hard as it seems to learn. If I were a German (Deutsch?) physicist, I wouldn't publish my papers and theories in Russian or the language spoken in Digibooti (😉). I'd write it in german!! Plus, I'd have a better name other than r0t. His name reflects his status in the security industry: r0tting 🙂 🙂 🙂

I tested out the code, and it's not a flaw (or you updated the code accordingly). Either way, brush it off and just keep moving on with your other projects. And you can file charges against him to remove the accusations, or at least update that he was mistaken/misinformed/lying about the flaw. It's slander and that's a serious offense. You might also want to file something with the other security sites to get the post reversed, or updated as a null issue.

bubblenut

I've had a good hunt around and I can't seem to find where I can download the application, only a message defending it. Where can I get a copy of the source which this guy suspects is insecure?

smarko

I've now contacted security sites mentioning about this "flaw" and I'm glad that some of them have already reacted and replied very quickly. For example, OSVDB has now marked the claimed flaw as "Myth/Fake". New analysis had been made.

I've been informed by many of them (as invidual persons, not as security companies), that:

there are significiant amount of diagnosis errors made by beginner researchers: http://www.networksecurityarchive.org/html/Web-App-Sec/2005-12/msg00040.html
these people are sometimes called as "ctrl-v kids", meaning the extent of his testing is pasting certain characters into fields and making claims based on the output
it is even common, that mentioned kinds of incorrect/false security alerts will find their way to multiple Vulnerability DataBases (VD😎
there does exist many, who do not follow disclosure guidelines, don't care who is impacted, don't try to find a workaround, and many of them can't even figure out the name of the affected script
there does exits many, who do follow disclosure guidelines, care who is impacted and how, try to find a workaround, take contact to developers, etc.

I've also been informed, that this issue isn't easy to deal with from viewpoint of management of VDB as they don't have time to indepently test and verify each vulnerability post. This was told me by one VDB person, who wrote me a lenghty email and who seems like a person, who really cares a great deal about accuracy in the database content. And I believe him.

However, another one had took time to dig up disclaimers from security sites mentioning expressions like these: "no warranties", "as is", "no pre-screening" and "user uploading the information is the responsible one". With this I don't mean to say that he was rude or something like that (he wasn't), but he corroborated that it is not possible for them to pre-check every report they get. From viewpoint of any software developer, I see that as a problem.

In my original message I mentioned certain nick names, when referring to "other security experts". I'd like to add, that they have nothing to do with this issue. They were just listed as links on claimer's blog's sidebar.

smarko

bubblenut wrote:
I've had a good hunt around and I can't seem to find where I can download the application, only a message defending it. Where can I get a copy of the source which this guy suspects is insecure?

Link to fully working online demo is in my original message. It's all there with its so called flaws. However, if somebody actually finds some new and real flaw (probably not, but ofcourse there's always tiny little possibility), then I'd like to mention that I haven't touched the source code in a long time. The product is not available for straight download. Actually the source code would only reveal what kind of coder I was almost a year ago, so I don't see the point of releasing it to public. It wouldn't tell anything about me of today. Like I said, demo is fully working. Do like the claimer instructed and see for yourself, that there's no SQL-injection problem.

bubblenut

smarko, what you provided is a link to a "fully working online demo". What I asked for is a link to the download so that I can view the source code of the application or this not an opensource project?

bpat1434

The product is not available for straight download. Actually the source code would only reveal what kind of coder I was almost a year ago, so I don't see the point of releasing it to public.

C'mon bubble... I know you read that....

dream_scape

He seems to have to taken down the report about your application.

Though I think you're right that the guy has no idea what he's talking about. I briefly looked through his archives, and one was an SQL injection report for X-Cart, which he posted 2 screenshots of the "attack", which was nothing more than an SQL error message, and really looked like a botched X-Cart install (there was a table missing).

I guess somehow to this guy SQL error === SQL injection vulnerability.

I've gotta agree with bpat1434 too. Most of his posts were painful to read. At least if he posted in his native language then we could use Google translate or Bablefish, either of which would probably do a better job of translating than he does... at least it would be somewhat comprehendible.

bubblenut

bpat1434 wrote:
C'mon bubble... I know you read that....

😊 Ooops, must have missed that, sorry.