10/30/2010

Getting Fun from Responsible Disclosures

I've recently released two proof-of-concepts, for the jCart application and the Simpli Easy Newsletter (formerly AFC Simple Newsletter) script. Both of these disclosures were actually pretty exciting.
As a responsible security researcher, I first contacted both vendors.
The guy from Simpli Easy Newsletter replied quickly. He said: "Thanks, I'll let my friend know so he can fix."
Funny, isn't it? Three weeks have passed, but his friend did nothing and further emails from me were ignored. So, my disclosure was responsible in effect.
An absolutely different situation happened with jCart. I sent an email to its vendor, but didn't receive any reply, and in a couple of days released the vulnerabilities. Some time later I received an annoyed email from Doug Whitney (the jCart guy), where he explained that I was wrong not to contact him first. Of course, I forwarded him my previous email and, what's funny, everything was correct, but it had gone into the Spam box. So, was it responsible disclosure or not? Anyhow, it was pretty funny.

10/02/2010

PunBB v1.3 Extension Scanner

While pentesting one project, I came across a PunBB v1.3 forum running there. Since it would take a bit of time to check for installed extensions (even though there are not so many for it), I've written a pretty simple Python script to enumerate them. It gets the list of available extensions from the PunBB site and searches for them at the provided website. Its code is really dirty, but I needed a quick solution. Maybe it will be useful for someone. Or maybe I just failed at googling for one. Anyway, here it is. Usage (note no trailing slash):

$  python3 scanner.py http://www.example.com/forum

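#!/usr/bin/python3

import re
import sys
import urllib.error
import urllib.request

# Base URL of the forum to check, without a trailing slash
if len(sys.argv) != 2:
  sys.exit('Usage: scanner.py http://www.example.com/forum')
host = sys.argv[1]

# Fetch the public list of PunBB 1.3 extensions (URLError also covers connection failures)
try:
  l = urllib.request.urlopen('http://punbb.informer.com/svn/additions/punbb-1.3/extensions/')
except urllib.error.URLError:
  print('Cannot enumerate available extensions from http://punbb.informer.com/')
  sys.exit(1)

# Strip the HTML tags, then keep the directory names that start with pun_
e = l.read().decode()
e = re.sub('<.*?>', '', e)
e = re.findall('(pun_.*/)', e)

# Request each extension directory on the given site; any HTTP error counts as "not installed"
for i in e:
  try:
    urllib.request.urlopen(host + '/extensions/' + i)
    print('YES - ' + i)
  except urllib.error.HTTPError:
    print('NO  - ' + i)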
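
Seen from the forum's side, a run of this script leaves one request per extension directory in the web server's access log. The following is an added example, not part of the original post, that flags that pattern; the log lines, the extension names in them and the `min_distinct` threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in combined log format: one client walking extension
# directories, one ordinary visitor loading a file from inside an extension.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Oct/2010:10:00:01 +0000] "GET /forum/extensions/pun_admin_log/ HTTP/1.1" 404 210 "-" "Python-urllib/3.1"
203.0.113.7 - - [02/Oct/2010:10:00:01 +0000] "GET /forum/extensions/pun_antispam/ HTTP/1.1" 200 512 "-" "Python-urllib/3.1"
203.0.113.7 - - [02/Oct/2010:10:00:02 +0000] "GET /forum/extensions/pun_bbcode/ HTTP/1.1" 403 199 "-" "Python-urllib/3.1"
203.0.113.7 - - [02/Oct/2010:10:00:02 +0000] "GET /forum/extensions/pun_pm/ HTTP/1.1" 404 210 "-" "Python-urllib/3.1"
203.0.113.7 - - [02/Oct/2010:10:00:03 +0000] "GET /forum/extensions/pun_poll/ HTTP/1.1" 404 210 "-" "Python-urllib/3.1"
198.51.100.20 - - [02/Oct/2010:10:00:04 +0000] "GET /forum/extensions/pun_antispam/style.css HTTP/1.1" 200 901 "-" "Mozilla/5.0"
198.51.100.20 - - [02/Oct/2010:10:00:05 +0000] "GET /forum/viewtopic.php?id=3 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
# A probe asks for the bare extension directory, not for a file inside it.
PROBE_RE = re.compile(r'/extensions/(pun_[A-Za-z0-9_]+)/$')

def find_extension_scans(log_text, min_distinct=4):
    """Return {ip: {'probed': [...], 'answered': [...]}} for clients that
    requested at least min_distinct different extension directories."""
    probes = defaultdict(dict)          # ip -> {extension name: last status}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                    # skip lines in another format
        p = PROBE_RE.search(m.group('path').split('?', 1)[0])
        if p:
            probes[m.group('ip')][p.group(1)] = int(m.group('status'))
    report = {}
    for ip, seen in probes.items():
        if len(seen) >= min_distinct:
            report[ip] = {
                'probed': sorted(seen),
                # Anything other than 404 tells the client the directory exists.
                'answered': sorted(n for n, s in seen.items() if s != 404),
            }
    return report

if __name__ == '__main__':
    for ip, info in find_extension_scans(SAMPLE_LOG).items():
        print(ip, 'probed', len(info['probed']), 'dirs; exist:', info['answered'])
```

The `answered` list shows which directories the responses confirmed; a server that returns the same status for missing and present extension directories gives the enumeration nothing to distinguish.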