Saturday, September 01, 2007

7 minutes to kill a monster.

Well, a response time of 1 week is said to be good: Mozilla takes 10 f***ing days, Google, depending on the complexity of the vulnerability, takes between 1 day and a few weeks to fix them, but Mario Heiderich, developer of PHP-IDS, has an amazing 7 minutes to pull a patch for a vuln.

A week ago, he told me about a "call for hacking" for PHP-IDS, and I said it would be really difficult, because the last time the filters were extremely strict. So I started playing (before the call for hacking was published), and in an hour I found 3 vectors and made a PoC of 666 bytes (that's why it's a monster xD); 2 of them were based on Giorgio Maone's window.name vector.

So I asked Mario if I had to wait until the call for hacking was published, but he pulled the patch immediately.

A few minutes later, I found another HTML vector ("style="anything), which was fixed too.

So he decided to interview me, as a prize for winning an unstarted contest :P.

The vectors were:

  • open(name)
  • eval(name)
  • (1?(1?{a:1?""[1?"ev\a\l":0](1?"\a\lert":0):0}:0).a:0)[1?"\c\a\l\l":0](content,1?"x\s\s":0)

I'm sure that Gareth Heyes and Giorgio Maone will be the next to find some vectors :)