Thread: [Secureideas-base-devel] BASE project development
From: nikns <ni...@se...> - 2006-04-19 10:24:37
Hi!

As you may know, my developer cvs access has been removed by Kevin after I was rude in the BASE-user forum to a person who was threatening me in a very lame way. Kevin is not willing to make any compromise. It seems that PR is much more important to Kevin than project development, so I am forced to fork the BASE project (how ironic).

I haven't thought everything out yet, but I can tell that the project name will be BASE+ and it can be found at: http://sourceforge.net/projects/baseplus/

Everyone is welcome to take part in it ;].

Thanks!
Nikns Siankin
From: Kevin J. <kjo...@se...> - 2006-04-19 11:02:28
On Apr 19, 2006, at 6:24 AM, nikns wrote:

> Hi!
>
> As you may know, my developer cvs access has been removed by Kevin after I was rude in the BASE-user forum to a person who was threatening me in a very lame way. Kevin is not willing to make any compromise. It seems that PR is much more important to Kevin than project development, so I am forced to fork the BASE project (how ironic).
> I haven't thought everything out yet, but I can tell that the project name will be BASE+ and it can be found at:
> http://sourceforge.net/projects/baseplus/
>
> Everyone is welcome to take part in it ;].
>
> Thanks!
>
> Nikns Siankin

Hi-

First, good luck on running a successful project. I know that in time you will understand the enormous amount of work that goes beyond the development piece. I think forking the project is unnecessary, but it is your choice.

Second, I would like to clarify your PR statement. If PR was what I wanted, I would have published quite a bit more information on the rude and obscene replies that you posted. What caused me to remove your access is that I do not want BASE to be known as a project where people are attacked for asking questions. Paul did not threaten you; he said that if you were going to persist in calling him a liar he would stop using BASE and let people know why he did. I personally think it was a reasonable response. Calling him an ignorant moron and recommending he get a hooker is over the line that any technician would recognize.

We are here to build a project and support our users. If supporting the users you do not like is hard for you, ignoring the posts was an option. As a project lead, you can not do that and be successful.

Again, good luck,
Kevin
---------------------
BASE Project Lead
http://sourceforge.net/projects/secureideas
http://base.secureideas.net
The next step in IDS analysis!
From: nikns <ni...@se...> - 2006-04-20 16:48:58
Hi!

BASE authentication can be bypassed by including this line in the http headers:
Cookie: BASERole=1|foo|e032862448a630f4e7a5342f19d9a88

Kevin, if I still had my cvs access I could commit a fix, but... You will have to do it on your own (grin, grin, grin...). ;]

Good luck.
Nikns Siankin
---------------------
BASE+ Project Lead
http://sourceforge.net/projects/baseplus/
"choosing to remain ignorant is stupid" -cloder
From: Joel E. <es...@gm...> - 2006-04-20 17:00:16
What is baseplus? Is this another project we need to track?

Joel
From: garaged <ga...@gm...> - 2006-04-20 20:22:23
It is nikns's fork of base from this week.

By his attitude I would not recommend using it; he is the last months' biggest contributor to base, but I don't think he took his dismissal from base, because of a well-deserved personal problem, really well. He acted rather unprofessionally about the whole thing.

He could be sending patches; instead he's trying to blackmail, that's pretty bad for a project leader, don't you think?

Max

p.d. nikns: my respects for you, you have a lot of time and are a great coder, but you really need to come back to earth if you want to keep the respect of people like me, if you really care about someone.
From: nikns <ni...@se...> - 2006-04-20 20:47:14
On Thu, Apr 20, 2006 at 03:22:18PM -0500, garaged wrote:
> It is nikns's fork of base from this week.
>
> By his attitude I would not recommend using it; he is the last months' biggest contributor to base, but I don't think he took his dismissal from base, because of a well-deserved personal problem, really well.
> He acted rather unprofessionally about the whole thing.
>
> He could be sending patches; instead he's trying to blackmail, that's pretty bad for a project leader, don't you think?

What bullshit!? You can freely go around with Paul crying how unkind I am and recommending not to use it. And yes, you should appreciate my report, since I could have fixed this in BASE+ without any announcement. You can freely send your patches after your cvs access is removed to a project which told you: "Thank you, but your help is no longer needed."

> p.d. nikns: my respects for you, you have a lot of time and are a great coder, but you really need to come back to earth if you want to keep the respect of people like me, if you really care about someone.

Oh. Well. You are saying that I am bad too? I don't remember being unkind to you. So I don't know why you would want to tell me such words. *smirk*.

Nikns
From: garaged <ga...@gm...> - 2006-04-20 20:52:43
> > p.d. nikns: my respects for you, you have a lot of time and are a great coder, but you really need to come back to earth if you want to keep the respect of people like me, if you really care about someone.
>
> Oh. Well. You are saying that I am bad too?
> I don't remember being unkind to you.
> So I don't know why you would want to tell me such words. *smirk*.

If I say, "my respect for you", doesn't that tell you something?? I don't think you are bad, I know bad people; you are just angry because you were put down by Kevin, big deal, it was a silly problem, you could have managed the whole issue way more maturely.

Max
From: Kevin J. <kjo...@se...> - 2006-04-21 00:41:20
On Apr 20, 2006, at 12:48 PM, nikns wrote:
> Hi!

Hi-

> BASE authentication can be bypassed by including this line in the http headers:
> Cookie: BASERole=1|foo|e032862448a630f4e7a5342f19d9a88

Thanks for the report. Would you care to elaborate on the report, as I am confused since the report seems to conflict with the CHANGELOG of some of the code you checked in. Specifically the line in 1.2.4:

Fixed BASE authentication bypass in standalone mode for base_maintenance.php -- Nikns

And the one in 1.2.5:

Filtered all unfiltred (mainly auth system stuff) $_POST and $_GET variables using filterSql() -- Nikns

> Kevin, if I still had my cvs access I could commit a fix, but... You will have to do it on your own (grin, grin, grin...). ;]

Yes we will. I would appreciate it if you would either contribute or remain off the list. We accept patches from anyone who would like to send them in. But comments like this are just a waste of time that validates my decision.

> Good luck.
> Nikns Siankin

Thanks
Kevin
---------------------
BASE Project Lead
http://sourceforge.net/projects/secureideas
http://base.secureideas.net
The next step in IDS analysis!
From: nikns <ni...@se...> - 2006-04-21 09:39:43
> Thanks for the report. Would you care to elaborate on the report, as I am confused since the report seems to conflict with the CHANGELOG of some of the code you checked in. Specifically the line in 1.2.4:
> Fixed BASE authentication bypass in standalone mode for base_maintenance.php -- Nikns

What are you trying to say? ;] Think again, do you really want to blame me because you were on crack when writing the auth stuff? ;]]
These are two different issues.
See fix: http://cvs.sourceforge.net/viewcvs.py/secureideas/base-php4/includes/base_auth.inc.php?r1=1.22&r2=1.23
and osvdb entry: http://www.osvdb.org/24101

> And the one in 1.2.5:
> Filtered all unfiltred (mainly auth system stuff) $_POST and $_GET variables using filterSql() -- Nikns

Right, I did a heavy audit and secured the $_POST/$_GET stuff. So what do cookies have to do with $_POST/$_GET stuff!?

> > Kevin, if I still had my cvs access I could commit a fix, but... You will have to do it on your own (grin, grin, grin...). ;]
>
> Yes we will. I would appreciate it if you would either contribute or remain off the list. We accept patches from anyone who would like to send them in. But comments like this are just a waste of time that validates my decision.

You can't disagree with what I said. And yes, I already contributed. Don't wait for me to fix this for you; I have to do this in my BASE+ project, remember?! ;] Since the auth stuff is entirely your code, it would be wrong if I fixed that for you and you remained with no clue.

Nikns Siankin
From: Kevin J. <kjo...@se...> - 2006-04-21 10:54:25
On Apr 21, 2006, at 5:39 AM, nikns wrote:
> > Thanks for the report. Would you care to elaborate on the report, as I am confused since the report seems to conflict with the CHANGELOG of some of the code you checked in. Specifically the line in 1.2.4:
> > Fixed BASE authentication bypass in standalone mode for base_maintenance.php -- Nikns
>
> What are you trying to say? ;] Think again, do you really want to blame me because you were on crack when writing the auth stuff? ;]]

First, I wasn't blaming you, I was asking for clarification. This information clarifies it. I would appreciate it if you refrained from the insults or stopped posting to this list.

> These are two different issues.
> See fix: http://cvs.sourceforge.net/viewcvs.py/secureideas/base-php4/includes/base_auth.inc.php?r1=1.22&r2=1.23
> and osvdb entry: http://www.osvdb.org/24101

Thanks.

> > And the one in 1.2.5:
> > Filtered all unfiltred (mainly auth system stuff) $_POST and $_GET variables using filterSql() -- Nikns
> Right, I did a heavy audit and secured the $_POST/$_GET stuff.
> So what do cookies have to do with $_POST/$_GET stuff!?

Valid point, I am not sure why I missed that.

> > > Kevin, if I still had my cvs access I could commit a fix, but... You will have to do it on your own (grin, grin, grin...). ;]
> >
> > Yes we will. I would appreciate it if you would either contribute or remain off the list. We accept patches from anyone who would like to send them in. But comments like this are just a waste of time that validates my decision.
> You can't disagree with what I said.
> And yes, I already contributed.

Not sure what you mean here. But fine.

> Don't wait for me to fix this for you; I have to do this in my BASE+ project, remember?! ;]

Then I guess I would like to respectfully ask you to go there and do whatever you would like. This list is for the development of BASE. If you are only here to complain that you aren't in "the club" anymore, please stop. It is wasting our time.

> Since the auth stuff is entirely your code, it would be wrong if I fixed that for you and you remained with no clue.

I am not sure this comment is worth responding to. As I have said before, and I hope will not need to again, I appreciate all of the work you have done for BASE. At this time, I would appreciate it if you either chose to contribute as any user can, or please refrain from chiming in.

Thanks
Kevin
---------------------
BASE Project Lead
http://sourceforge.net/projects/secureideas
http://base.secureideas.net
The next step in IDS analysis!
From: nikns <ni...@se...> - 2006-04-20 21:04:44
> If I say, "my respect for you", doesn't that tell you something??

Well. You said many more things.

I don't need people like You or Kevin, who can so easily turn their back.

Walk free, and I walk free regardless.
From: Joel E. <es...@gm...> - 2006-04-21 11:22:08
Yeah, I'm not sure what happened, but I'm not getting into this discussion, I just didn't know what Base+ was. I haven't worked on, or been a Project Manager for, BASE since August, but I was there pretty much from the beginning, so I'm going to bow out of this discussion.

J
From: nikns <ni...@se...> - 2006-04-21 13:37:27
Stop being redundant.
Shut up and fix this.
From: garaged <ga...@gm...> - 2006-04-21 13:46:03
On 4/21/06, nikns <ni...@se...> wrote:
> Stop being redundant.
> Shut up and fix this.

I'm fixing it right now, I will send the patch in a couple of hours; the auth schema is actually wrong and I think it will take me that time to correct it, but it will be fine hopefully.

Thanks for the report Nikns!, too bad we don't have you contributing, but we can always correct our way, isn't it?

Max
From: garaged <ga...@gm...> - 2006-04-21 15:06:44
I just committed the fix for the authentication problem. Now you can forge a user by knowing his md5 password string, but that's not a base problem (correct me if I'm wrong), and any user forged will have only the user's role_id, so if the user is not admin it should not be a big problem.

Please take a look at my 25 line patch made in 2 hours! :), sorry, I had to understand the auth scheme, think on the change, and attend some support calls here :-)

good day!

Max
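The property Max describes above (the role|user|hash cookie is now bound to the user's stored md5 password string and the role comes from the user record, so a leaked hash still lets someone mint a cookie for that user) beside a keyed alternative, as an added example that is neither BASE's code nor Max's patch. It assumes the cookie layout from the report, a constructed user table and a hypothetical server-side key, and is written in Python rather than BASE's PHP.

```python
import hashlib
import hmac

# Constructed sample user table: usernames, role ids and password hashes are made up.
# The md5 password string plays the role of the "hash" field in the cookie, as on the list.
USERS = {
    "alice": {"role_id": 1, "pw_md5": hashlib.md5(b"alice-pw").hexdigest()},
    "bob":   {"role_id": 2, "pw_md5": hashlib.md5(b"bob-pw").hexdigest()},
}
# Hypothetical server-side key (assumption): generated per install, never sent to clients.
SERVER_KEY = b"example-server-key-not-for-production"


def parse_role_cookie(value):
    """Split 'role|user|hash' into its fields; None if the cookie is malformed."""
    parts = value.split("|")
    if len(parts) != 3 or not parts[0].isdigit() or not parts[1]:
        return None
    return int(parts[0]), parts[1], parts[2]


def check_with_password_hash(cookie):
    """Scheme as Max describes it: the hash field must equal the user's stored md5
    password string, and the role is taken from the user record, never from the cookie.
    Anyone who learns that stored hash can still produce a valid cookie for the user."""
    parsed = parse_role_cookie(cookie)
    if parsed is None:
        return None
    _, user, token = parsed
    record = USERS.get(user)
    if record is None or not hmac.compare_digest(token, record["pw_md5"]):
        return None
    return user, record["role_id"]


def _signed_tag(user, role_id):
    # MAC over the stored role and user name with the server-side key.
    return hmac.new(SERVER_KEY, f"{role_id}|{user}".encode(), "sha256").hexdigest()


def mint_signed_cookie(user):
    """Keyed alternative: the third field is an HMAC the server alone can compute."""
    record = USERS[user]
    return f"{record['role_id']}|{user}|{_signed_tag(user, record['role_id'])}"


def check_signed_cookie(cookie):
    """Recompute the MAC from the stored record and compare in constant time. A leaked
    password hash no longer yields a valid cookie, and an edited role field fails
    because the MAC is recomputed over the role the server has on file."""
    parsed = parse_role_cookie(cookie)
    if parsed is None:
        return None
    _, user, tag = parsed
    record = USERS.get(user)
    if record is None or not hmac.compare_digest(tag, _signed_tag(user, record["role_id"])):
        return None
    return user, record["role_id"]
```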