Forums > Social Discussion > EJC2007 site prob?

Posted: 20th Jan 2007
An explanation of directory traversal:

is to exploit insufficient security validation / sanitization of user-supplied input file names, so that characters representing "traverse to parent directory" is passed through to the file APIs.

The goal of this attack is to order an application to access a computer file that is not intended to be accessible. This attack exploits a lack of security (the software is acting exactly as it is supposed to) as opposed to exploiting a bug in the code.

Directory traversal is also known as the ../ (dot dot slash) attack, directory climbing, and backtracking. Some forms of this attack are also canonicalization attacks.

A typical example of vulnerable application code is:

$template = 'blue.php';
if ( is_set( $_COOKIE['TEMPLATE'] ) )
$template = $_COOKIE['TEMPLATE'];
include ( "/home/users/phpguru/templates/" . $template );
?>

An attack against this system could be to send the following HTTP request:

GET /vulnerable.php HTTP/1.0
Cookie: TEMPLATE=../../../../../../../../../etc/passwd


Generating a server response such as:

HTTP/1.0 200 OK
Content-Type: text/html
Server: Apache

root:fi3sED95ibqR6:0:1:System Operator:/:/bin/ksh
daemon:*:1:1::/tmp:
phpguru:f8fk3j1OIf31.:182:100:Developer:/home/users/phpguru/:/bin/csh

The repeated ../ characters after /home/users/phpguru/templates/ has caused include() to traverse to the root directory, and then include the UNIX password file /etc/passwd.

UNIX /etc/passwd is a common file used to demonstrate directory traversal, as it is often used by crackers to try cracking the passwords.

[edit] Variations of directory traversal

Directory traversal is trickier to prevent than it might seem. A "filter out known bad characters" protection strategy is likely to fail.

There are many other factors involved that would determine whether a directory traversal would actually work. However, if the application does not validate the legitimacy of such parameters, it is quite likely that attackers may have some wiggle room to exploit this functionality for malicious purposes.

Listed below are some known directory traversal attack strings:

[edit] Directory traversal on UNIX

Common Unix-like directory traversal uses the ../ characters.

[edit] Directory traversal on Microsoft Windows

Microsoft Windows or DOS directory traversal uses the ..\ characters.

Today, many Windows programs or APIs also accept UNIX-like directory traversal characters.

Each partition has a separate root directory (labeled C:\ for a particular partition C) and there is no common root directory above that. This means that for most directory vulnerabilities on Windows, the attack is limited to a single partition.

[edit] URI encoded directory traversal

Canonicalization problem.

Some web applications scan query string for dangerous characters such as:

* ..
* ..\
* ../

to prevent directory traversal. However, the query string is usually URI decoded before use. Therefore these applications are vulnerable to percent encoded directory traversal such as:

* %2e%2e%2f which translates to ../
* %2e%2e/ which translates to ../
* ..%2f which translates to ../
* %2e%2e%5c which translates to ..\

etc.

[edit] Unicode / UTF-8 encoded directory traversal

Canonicalization problem.

UTF-8 was noted as a source of vulnerabilities and attack vectors in Cryptogram Newsletter July 2000 by Bruce Schneier and Jeffrey Streifling.

When Microsoft added unicode support to their Web server, a new way of encoding ../ was introduced into their code, causing their attempts at directory traversal prevention to be circumvented.

Multiple percent encodings, such as

* %c1%1c
* %c0%9v
* %c0%af

translated into / or \ characters.

Why? Percent encodings were decoded into the corresponding 8-bit characters by Microsoft webserver. This has historically been correct behavior as Windows and DOS traditionally used canonical 8-bit characters sets based upon of ASCII.

However, the original UTF-8 was not canonical, and several strings were now string encodings translatable into the same string. Microsoft performed the anti-traversal checks without UTF-8 canonicalization, and therefore not noticing that (HEX) C0AF and (HEX) 2F were the same character when doing string comparisons.

Enjoy fixing

Posted: 20th Jan 2007
that didn't clarify much for me and it certainly didn't solve the problem of accessibility to the server...



Last thing I heard anyways is, that the EJC 2007 is not (as announced) on the beach, but in Athens itself - which makes me a very unlikely visitor...



There is areason why people leave Athens in summer and why others die from heatstroke... I personally wouldn't be able to cool myself enough, especially not when training... AVERAGE temperature in Athens is a killer and 2007 is predicted to be (amongst) the hottest years in recorded history - go figure



If they decide back to a beach-location, you will certainly find me amongst happy fish, juggling with octopussies errm... malabrasses, errmm... ah 2am is too late to find a reasonable thought for me now... but that much for MY personal EJC2007 site prob... whoever cares
EDITED_BY: FireTom (1169318114)

the best smiles are the ones you lead to

Posted: 20th Jan 2007
Most probably the Server was attacked! ?, but then all i am going on is what richee posted above, unless i have some thing in front of me all i can offer is above.

Sorry that is of no help!, but to me it should be if Richee decided to mention it, IMO it gives him options.. if he understands it.

Posted: 20th Jan 2007
plus all i see is a gateway problem... that could be anything!

Posted: 20th Jan 2007
Thank you PK for explanation. But the point

isnt't that the site has problem. I were

looking for pre-registration and info,

but I failed.



The secutity weakness repotred to vendor

doens't change fact, who knows whats go-

ing on behind.



lightning,



:R



ps: PK, can you make it shorter please.

It is rather information discloser,

this is not technical forum by the way.

POI THEO(R)IST

Posted: 21st Jan 2007
In short.

People are able to type some thing in the address bar which in turn traverses the directories and thus supplying server and website details NOT GOOD!.

Thats what you get from poor hosting IMHO.

You see all i got was a Bad Gateway!.. you probably access lots of gateways just by viewing HoP. Some hackers send out blockers to block gateways and jam up the internet, this can take some time to clear up, normally effects IM programs such as yahoo but also websites too.

Other than the EJC website, i dont know where to advise you to go to to look for pre registration, as normally it is the main site that deals with it. and that is blocked out.

Posted: 21st Jan 2007

 Written by: FireTom


Last thing I heard anyways is, that the EJC 2007 is not (as announced) on the beach, but in Athens itself

As far as I know, the EJC will indeed be in Athens, in a part of the Olympic complex. I don't have much other info apart from that at the moment - Costas is notoriously difficult to contact via email.

There will be an EJA meeting next month in Greece, which one of our team from last year's EJC will be attending (probably not me ), and once I have any more information after that, I will post it here. Pre-registration is not yet open. As far as I know, the dates are still July 30th to August 5th.

If I hear anything further I'll let you all know...

Helen_of_Poi

EJC Ireland 2006 Organisational Team

Posted: 21st Jan 2007
Helen - I do understand the temptation of having the EJC in an Olympic complex, with all the advantages...

Hence I remember my excitement when I first read about the 2007-location

WEOW - a juggling convention ON THE BEACH *melts away* - pictures of all the beautiful people juggling and twirling next to the ocean came up in my mind...

But Athens? In the middle of the summer? (sic) well then...

the best smiles are the ones you lead to

Posted: 22nd Jan 2007


That'll be mighty hot...

Not that the beach will be any cooler...but come the evenings

Perfect temperature

Burner of Toast
Spinner of poi
Slacker of enormous magnitude

Posted: 22nd Jan 2007
Yeah, Athens does sound a little less appealing than the beach - however, there's probably a better chance of air-conditioning, decent showers etc there... From experience, I can understand why the organisers would choose an Olympic site rather than a beach site because of the amount of facilities already in place...

But that's just my theory, and shouldn't be taken as fact. I'm sure the Dee, our dedicated Irish EJA rep will be along shortly, and may be able to provide more info than i can.

Helen_of_Poi

EJC Ireland 2006 Organisational Team

Posted: 22nd Jan 2007
I just booked my flights to EJC. I am guessing they'll have an air conditioned space.

I was having problems loading the site too... I just thought that they had taken ti down to update it, as the pre reg wasn't open last i looked (when it loaded).

- just checked now, and the webpage is loading fine but still under construction, with no new info or pre reg

Never pick up a duck in a dungeon...

Posted: 22nd Jan 2007
The European Juggling Association board has a meeting in Athens the 2nd weekend in February, after which I should be able to post up some proper, well informed, details - things like when pre-registration is likely to open, the location (central Athens or seaside?) etc...

For those who remember last year (when the EJC was earlier!), pre-registration didn't start until March...

 Written by: PK_



Other than the EJC website, i dont know where to advise you to go to to look for pre registration, as normally it is the main site that deals with it. and that is blocked out.

As for how to pre-register.. country representative contact details are on the EJA website - contact the appropriate representative, or else pm me (after the middle of February, when I should be able to answer most queries!)

Dee
EJA rep, Ireland

Posted: 22nd Jan 2007
Looking foreward to hear from you.

The bug was fixed too.



excelent,



:R

POI THEO(R)IST

Posted: 22nd Jan 2007
Helen: Air-con vs. crystal clear ocean and sand that smells... so it isn't just for the mere fame that the EJC could take place in an olympic site???

the best smiles are the ones you lead to

Posted: 22nd Jan 2007
pk = hax0r

Laugh Often, Smile Much, Post lolcats Always

Posted: 22nd Jan 2007
I'm going where-ever it is. It's like an annual pilgrimage for me. I should really book my flights but I'm not the most organised man.

There's the European Go Congress just a week earlier in Vienna...I wonder If I can make both?

Walls may have ears but they don't have eyes

Posted: 24th Jan 2007

 Written by: FireTom


Helen: Air-con vs. crystal clear ocean and sand that smells... so it isn't just for the mere fame that the EJC could take place in an olympic site???

I'm with you there, i'd very much like to spend a week spinning and juggling on a beach in southern Greece with a few thousand other like minded people...

However when you consider the costs (and hassle) of setting up a site with no (or maybe some but probably not enough) existing infrastructure - sourcing, arranging delivery and paying for around 3km of fencing, 60 - 80 ish portaloos, 30 portable showers, sinks, drinking water points, enough big tops to make up for the lack of other shade, marquees for traders and caterers, bins, skips and compacters to deal with large amounts of waste in a hot climate, outdoor lighting...and then if you actually want to entertain people you need stages, stage lights and sound equipment, plus random extras like crash mats etc for workshops...

Bearing in mind that your beautiful scenic site may have poor road links, or be inaccessible to big trucks transporting all of the above because of narrow gates or bad surfaces...ok i'm ranting now

There is so very much work that goes into setting up a festival site, and making sure that it's safe and clean for everyone. In my humble opinion, the less time the organisers have to spend worrying about the physical practicalities of the site, the more time they have to think about the entertainment and fun end of things.

Anyone who was at EJC 2005 in Slovenia will have seen what happens when the organisers are so caught up with dealing with site issues (in that case due to exceptionally heavy rain, and lack of existing infrastructure) that some planned fun things never happened. And when we looked into it, it was more expensive to bring in everything we needed for a green field site (in Ireland at least) than it was to choose a site which already had the majority of the things we needed. Not that it was perfect, or that we didn't make some mistakes along the way

Try to remember that the organisers are volunteers, they are not paid in any way, or remunerated for any time off work while working on the convention. Most have full-time jobs and other responsibilities. They also do not have a great deal of money to spend.

Basically, all this is meant to say is to cut them some slack if they take an easier route.

And this is not meant as a rant, or a criticism of anything that anyone else has said (sorry FireTom if it sounds directed at you ) And please remember that I don't speak for this year's organisers, i'm just giving one possible explanation for the change of venue.

Helen_of_Poi

EJC Ireland 2006 Organisational Team

Posted: 24th Jan 2007
It looks like we may have the best of both worlds - according to the event listings in https://www.jugglingdb.com
(which Tarim, the head honcho of the EJA, tries to keep up-to-date), the site looks like it's an Olympic venue by the sea!

So it's looking like the site will be the Helliniko Olympic Complex (the old city airport site) and the adjacent Agios Kosmas Olympic sailing centre, which have a combination of large indoor spaces (converted old aircraft hangers) and being by the sea. However, I've been reliably informed by some of my office collegues (who just happen to be from Athens!) that swimming in the water there isn't that pleasant, due to the oil in the water from the nearby port of Pireaus.

Will give a further update when I have more definate details.

Dee

Posted: 24th Jan 2007

 Written by: bender


pk = hax0r

Posted: 25th Jan 2007

 Written by: TheDee


It looks like we may have the best of both worlds - according to the event listings in https://www.jugglingdb.com
(which Tarim, the head honcho of the EJA, tries to keep up-to-date), the site looks like it's an Olympic venue by the sea!

So it's looking like the site will be the Helliniko Olympic Complex (the old city airport site) and the adjacent Agios Kosmas Olympic sailing centre, which have a combination of large indoor spaces (converted old aircraft hangers) and being by the sea. However, I've been reliably informed by some of my office collegues (who just happen to be from Athens!) that swimming in the water there isn't that pleasant, due to the oil in the water from the nearby port of Pireaus.

Will give a further update when I have more definate details.

Dee

Wow that sounds like it'll be amazing!! *fingers crossed that IJDB is correct)

Never pick up a duck in a dungeon...

Posted: 11th Feb 2007
Greetings from Athens...

Just to let people know that the EJC website is up an running (subject to some corrections and frequent additions of course!)

I visited the site today. It has a huge indoor air-conditioned hall (old aircraft hangers, something like 6800m2 if I can remember correctly), plus a basketball arena (with several thousand seats, for shows) and a warm-up area (basically another big basketball hall), all air-conditioned.

It's across the road from the beach, so spinning at sunset there looks like a good option!

Dee

Posted: 13th Feb 2007
I've made an EJC thread [Old link] in the Events, Performances and Gathering forum, because it probably should belong there.

Helen_of_Poi

EJC Ireland 2006 Organisational Team