Topic: The supposed "poison NULL byte vulnerability"

Edit: After you've read this, make sure to read my fantastic follow-up.

About two weeks ago, a security advisory titled multiple PHP application poison NULL byte vulnerability popped up on BugTraq. The advisory claimed that various PHP applications, specifically phpBB and PunBB, were vulnerable. Now I can't speak for any other application, but I can assure you that PunBB is NOT. The original author of the report probably thought PunBB was a fork of phpBB and assumed PunBB was vulnerable as well. He sure as hell can't have looked at the source code, that's for sure.

Just for fun, I decided to check out the Wikipedia entry on BugTraq. Here's a quote from that article:

Wikipedia wrote:

Bugtraq was created on November 5, 1993 by Scott Chasin in response to the perceived failings of the existing Internet security infrastructure of the time, particularly CERT. Bugtraq's policy was to publish vulnerabilities, regardless of vendor response, as part of the full disclosure movement of vulnerability disclosure.

Elias Levy, aka Aleph One, noted in an interview that "the environment at that time was such that vendors weren't making any patches. So the focus was on how to fix software that companies weren't fixing."

That's great, but fast-forward 13 years and we end up with this: Anyone can write up a vulnerability report on a piece of software and that information will be assumed to be correct. Not only that, the information will spread like wildfire making it impossible to "repair the damage" in case the information turns out to be false. You see, once something appears on BugTraq, a million other security databases include the report on their websites and on their mailing lists.

Now I'm fine with the "guilty until proven innocent" approach when it comes to security, but come on! Isn't there some kind of review process involved in all of this? I think us "vendors" need to have a say in this before a bogus report ends up on every security website in the world. Sure, we can reply to the BugTraq posting and dispute the report, but that has virtually no impact.

Oh well, I guess I'll go e-mail a bunch of vulnerability databases.

"Programming is like sex: one mistake and you have to support it for the rest of your life."

Re: The supposed "poison NULL byte vulnerability"

I agree wholeheartedly. These sites act very irresponsibly. The "people" that report on these sites do so with the hope of getting a little "famous" from it, not to actually help. If they were doing so to help, they would contact the vendor first, which almost NEVER happens.

Re: The supposed "poison NULL byte vulnerability"

In their defence, some of the more reputable security reporting sites do attempt to verify that bugs are real before they pass on any reports.

That is the responsible thing to do - otherwise they contribute to the severe noise pollution problem that security-minded IT administrators have to deal with nowadays, as well as unnecessarily damaging the reputation of vendors and coders, and unnecessarily alarming users of the products concerned.

In this case, for example, I notice Secunia.com has not passed on news of this 'punBB vulnerability', presumably because they actually checked to see if the bug was real before registering it in their database.


Re: The supposed "poison NULL byte vulnerability"

sirena wrote:

In this case, for example, I notice Secunia.com has not passed on news of this 'punBB vulnerability', presumably because they actually checked to see if the bug was real before registering it in their database.

Secunia is the only feed I follow, the rest of the sites I just ignore.

(edited by sunshine 2006-09-26 06:02)

Re: The supposed "poison NULL byte vulnerability"

Same thing happened to Vanilla last month

Re: The supposed "poison NULL byte vulnerability"

I've never been able to understand security reports like these for open source projects.

I can see how it's useful for products like IIS or MSSQL where nobody but the producing company has the ability to fix the problem.

But when you have the entire source code in front of you... it's completely retarded to post claims about any open source project. Now if folks post patches (like a diff showing the vulnerable code and hardened code) which fix the problem, well then I see it as useful.

At least then you can know right away whether somebody's having fun on a Saturday night, or there's an actual issue.

Re: The supposed "poison NULL byte vulnerability"

sirena wrote:

In their defence, some of the more reputable security reporting sites do attempt to verify that bugs are real before they pass on any reports.

That is the responsible thing to do - otherwise they contribute to the severe noise pollution problem that security-minded IT administrators have to deal with nowadays, as well as unnecessarily damaging the reputation of vendors and coders, and unnecessarily alarming users of the products concerned.

In this case, for example, I notice Secunia.com has not passed on news of this 'punBB vulnerability', presumably because they actually checked to see if the bug was real before registering it in their database.

True. In this case, the CVE is still "Under review". Both mitre.org and nvd.nist.gov have been prompt in their replies to my e-mails and seem focused on getting things right. We'll see how it turns out.

"Programming is like sex: one mistake and you have to support it for the rest of your life."

(edited by PunBG 2007-04-02 01:26)

Re: The supposed "poison NULL byte vulnerability"

We are lucky boys because we work on PunBB. Thanks Rickard.

Re: The supposed "poison NULL byte vulnerability"

I'm grateful to you, Rickard, for solving the problem. Thanks for the fast fix.