Comments on: Comments on 15039

Post number 15039

thebwit — Sat, 23 Feb 2002 18:17:48 -0800

How to hack grey matter A big security loophole with grey matter powered sites is out there. It lets anyone have the username and password to these sites. Luckly there is a fix for it which can be found here.

By: machaus

machaus — Sat, 23 Feb 2002 18:30:08 -0800

It's only a loophole if you didn't RTFM.

By: kfury

kfury — Sat, 23 Feb 2002 18:32:55 -0800

To be fair, it seems that it doesn't affect all Greymatter sites, just those who have directory browsing turned on in the install directory and no index.* file to mask it. Of course, because 'n' seems to be a number under 100,000, it wouldn't be hard to write a perlscript to try all the combinations on your favorite greymatter site, googled or not. Tsk, tsk, tsk on security through obscurity. Tsk, tsk also for posting the means of the hack to MeFi before trying to let site owners know through Noah's mailing lists...

By: Dreama

Dreama — Sat, 23 Feb 2002 18:45:20 -0800

It's not "security through obscurity" -- there's nothing obscure about the "Clear and Exit" button on the bookmarklets screen at all, and if you have the smallest idea of what you're doing through creating bookmarklets (or even if you don't) you'd realise that the button was there for a reason. Click there to clear and exit. It's rather a no-brainer. However, I agree, there's no reason whatsoever to have posted the link to the "hack" as an FPP. An explanation of the problem and a link to the fix would've been much more appropriate.

By: willsey

willsey — Sat, 23 Feb 2002 18:45:57 -0800

Tsk, tsk also for posting the means of the hack to MeFi before trying to let site owners know through Noah's mailing lists... But he did post a link to the fix which noah states he has been emailed about this and lets people know how to fix it. Maybe you are saying Tsk tsk because you realized your site was vunerable and didn't finish reading that he posted a link to the fix?

By: ruzz

ruzz — Sat, 23 Feb 2002 18:47:55 -0800

I think its an expedient means to get the word out. There is a lot of GM users here at MeFi. Machaus, RTFM doesnt always make the risk any less. I know, first hand, many people who have trouble configuring things like GM and RTFM doesnt help those who are barely above water as it is. But, you know, maybe thier just stupid ;) kfury, it seems thebwit linked to a greymatter forum discussing this issue so I'm unclear about -- "Tsk, tsk also for posting the means of the hack to MeFi before trying to let site owners know through Noah's mailing lists..." it would seem that by the discussion of it, its already out there. Or should we tsk tsk Noah for talking about it on GM forums before he emailed GM users too? I think too many of you sit around waiting to find fault in every post. I see it very consistantly it certainly doesnt lead to feelings of sharing and community...

By: geoff.

geoff. — Sat, 23 Feb 2002 18:50:52 -0800

Anyone with knowledge on how to hack would have figured it out from the prevention measure. The Dangerous Monkey link didn't do much. On the irony side of it, a google search turned up Dangerous Monkey's exposed file as number one.

By: jjg

jjg — Sat, 23 Feb 2002 18:53:44 -0800

it would seem that by the discussion of it, its already out there. Then a link to the fix was all that was required -- linking to the hack in a forum as heavily trafficked as this one only increases the chance that someone is going to get hacked. Maybe you are saying Tsk tsk because you realized your site was vunerable and didn't finish reading that he posted a link to the fix? willsey, you have no idea what you're talking about.

By: quonsar

quonsar — Sat, 23 Feb 2002 19:18:45 -0800

I think too many of you sit around waiting to find fault in every post.
whatever you're running for ruzz, you got my vote!

By: bloggboy

bloggboy — Sat, 23 Feb 2002 19:34:08 -0800

Geoff: Just because dangermonkey's site was listed doesn't mean he's vulnerable. He's the guy who published the hack, therefore google associates that text with him. Ironic? Hardly.

By: pete

pete — Sat, 23 Feb 2002 19:34:18 -0800

Looks like that guys copy of greymatter has already been hacked. What a fool.

By: geoff.

geoff. — Sat, 23 Feb 2002 20:00:32 -0800

bloggboy, if you took the time to look you'd find that that his gmrightclick file was indeed listed, and I checked -- it had his authorname and password listed in clear view. I guess, according to pete, he didn't change his name or password OR delete the file. Ironic. YES!

By: Mars Saxman

Mars Saxman — Sat, 23 Feb 2002 20:50:42 -0800

After reading the description, I clicked on the link expecting to find instructions for gaining root access to a human brain. -Mars

By: rcade

rcade — Sat, 23 Feb 2002 20:59:49 -0800

Releasing the details of a hole after a fix is available is standard operating procedure for security lists. The guy who found the original hole should've notified Noah privately and given him a few weeks to deal with it, but at this point, pretending people don't know the hole exists hurts more people than it helps.

By: rcade

rcade — Sat, 23 Feb 2002 21:03:59 -0800

As an aside, most Apache installations are set up so they won't serve any file that begins with .ht (such as .htaccess). If these files have to be created, less people would be at risk if it was named something like .htgmrightclick-*.

By: tsumo

tsumo — Sat, 23 Feb 2002 21:14:07 -0800

*cough*Movable Type*cough*

By: mutagen

mutagen — Sun, 24 Feb 2002 00:57:09 -0800

The big problem is the people that use the same password for *everything* (or even two or three or four). Hack Greymatter, hack their 1-click shopping at Amazon, hack their dialup, etc. I'm appreciative this was posted to the front page, I wouldn't have found out about it any other way until much later.

By: kindall

kindall — Sun, 24 Feb 2002 09:28:47 -0800

The big problem is the people that use the same password for *everything* Yeah, well, they shouldn't do that. If they didn't know that before, they do now.

By: thebwit

thebwit — Sun, 24 Feb 2002 09:36:10 -0800

I think too many of you sit around waiting to find fault in every post. I see it very consistantly it certainly doesnt lead to feelings of sharing and community... I almost didn't post this security issue because of what ruzz said. The moment I posted it I knew that someone was going to be annoyed and figure some way to attack me for posting it. I posted it on the 23 of Feb. I knew about the loophole since the 11th. I waited until I found out how to fix the loophole before posting. So to say Tsk tsk, I shouldn't have posted it - in my opinion is wrong. People need to know about this. You could have said tsk tsk if I posted only the link about the loophole and not a fix. But since I posted a fix along with the loophole, I did what is standard bug reporting.

By: beefula

beefula — Mon, 25 Feb 2002 08:30:34 -0800

"On the irony side of it, a google search turned up Dangerous Monkey's exposed file as number one." It's not irony, what is more likely is that someone totally other than dangerousmonkey discovered this exploit, searched google for gmrightclick, and then used the exploit on the first site he found, dangerousmonkey, to post the exploit. I think it's pretty obvious this is what happened.

By: crankydoodle

crankydoodle — Mon, 25 Feb 2002 13:52:36 -0800

It's only a loophole if you didn't RTFM. That's no excuse... any (software/system/etc.) designer should know that if a user is given a variety of choices, they will probably not make the right one. It's not the user who is at fault; it's the system... had the system not been open to this fault none of it would come about.