Richee
BRONZE Member since Jan 2002

HOP librarian
Location: Prague, Czech. Republic

Total posts: 1841
Posted:Well, I was checking the EJC site for a while.

It is inaccessible right now.

[502 Bad gateway]

I've found postman security weakness,
allowing 'directory traversal' too.

What's going on there?

----

Planning, all the visions,

:R


POI THEO(R)IST


PK_
BRONZE Member since Dec 2001

PK_

Lambretta Fanatic
Location: , United Kingdom

Total posts: 4993
Posted:An explanation of directory traversal:

A directory traversal is to exploit insufficient security validation / sanitization of user-supplied input file names, so that characters representing "traverse to parent directory" are passed through to the file APIs.

The goal of this attack is to order an application to access a computer file that is not intended to be accessible. This attack exploits a lack of security (the software is acting exactly as it is supposed to) as opposed to exploiting a bug in the code.

Directory traversal is also known as the ../ (dot dot slash) attack, directory climbing, and backtracking. Some forms of this attack are also canonicalization attacks.

A typical example of vulnerable application code is:

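<?php
// Default template, overridden by the TEMPLATE cookie when present.
$template = 'blue.php';
if ( isset( $_COOKIE['TEMPLATE'] ) )
    $template = $_COOKIE['TEMPLATE'];
// The cookie value is concatenated unchecked into the include path.
include ( "/home/users/phpguru/templates/" . $template );
?>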

An attack against this system could be to send the following HTTP request:

GET /vulnerable.php HTTP/1.0
Cookie: TEMPLATE=../../../../../../../../../etc/passwd


Generating a server response such as:

HTTP/1.0 200 OK
Content-Type: text/html
Server: Apache

root:fi3sED95ibqR6:0:1:System Operator:/:/bin/ksh
daemon:*:1:1::/tmp:
phpguru:f8fk3j1OIf31.:182:100:Developer:/home/users/phpguru/:/bin/csh

The repeated ../ characters after /home/users/phpguru/templates/ have caused include() to traverse to the root directory, and then include the UNIX password file /etc/passwd.

UNIX /etc/passwd is a common file used to demonstrate directory traversal, as it is often used by crackers to try cracking the passwords.

Variations of directory traversal

Directory traversal is trickier to prevent than it might seem. A "filter out known bad characters" protection strategy is likely to fail.

There are many other factors involved that would determine whether a directory traversal would actually work. However, if the application does not validate the legitimacy of such parameters, it is quite likely that attackers may have some wiggle room to exploit this functionality for malicious purposes.

Listed below are some known directory traversal attack strings:

Directory traversal on UNIX

Common Unix-like directory traversal uses the ../ characters.

Directory traversal on Microsoft Windows

Microsoft Windows or DOS directory traversal uses the ..\ characters.

Today, many Windows programs or APIs also accept UNIX-like directory traversal characters.

Each partition has a separate root directory (labeled C:\ for a particular partition C) and there is no common root directory above that. This means that for most directory vulnerabilities on Windows, the attack is limited to a single partition.

URI encoded directory traversal

Canonicalization problem.

Some web applications scan the query string for dangerous characters such as:

* ..
* ..\
* ../

to prevent directory traversal. However, the query string is usually URI decoded before use. Therefore these applications are vulnerable to percent encoded directory traversal such as:

* %2e%2e%2f which translates to ../
* %2e%2e/ which translates to ../
* ..%2f which translates to ../
* %2e%2e%5c which translates to ..\

etc.

Unicode / UTF-8 encoded directory traversal

Canonicalization problem.

UTF-8 was noted as a source of vulnerabilities and attack vectors in Cryptogram Newsletter July 2000 by Bruce Schneier and Jeffrey Streifling.

When Microsoft added unicode support to their Web server, a new way of encoding ../ was introduced into their code, causing their attempts at directory traversal prevention to be circumvented.

Multiple percent encodings, such as

* %c1%1c
* %c0%9v
* %c0%af

translated into / or \ characters.

Why? Percent encodings were decoded into the corresponding 8-bit characters by the Microsoft web server. This has historically been correct behavior as Windows and DOS traditionally used canonical 8-bit character sets based upon ASCII.

However, the original UTF-8 was not canonical, and several strings were now string encodings translatable into the same string. Microsoft performed the anti-traversal checks without UTF-8 canonicalization, and therefore did not notice that (HEX) C0AF and (HEX) 2F were the same character when doing string comparisons.

Enjoy fixing rolleyes


PK.

"To be an angel, one need not have wings.
In giving love there is an equal grace.
Nor need one seek the aura in the face,
As love unveils the beauty of all things."

*Francois Couperin.
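
A hardened counterpart to the template include in PK_'s post, shown beside the scan-then-decode filter it warns about. This is an added example, not part of the original post; the function names, the scratch directory and the sample cookie values are assumptions made for the demo.

```php
<?php
// Added example, not code from the post. The function names, the temporary
// directory and the sample cookie values are assumptions made for the demo.

// The weak pattern the post describes: scan the raw value, decode afterwards.
function naive_filter_allows(string $raw): bool
{
    return strpos($raw, '..') === false;
}

// Hardened lookup: returns the canonical template path, or null if refused.
function resolve_template(string $baseDir, string $requested): ?string
{
    // 1. Allowlist the shape of the name rather than hunting bad characters.
    //    Path separators, '%' and '..' cannot match, so encoded forms fail too.
    if (preg_match('/\A[A-Za-z0-9_-]{1,64}\.php\z/', $requested) !== 1) {
        return null;
    }
    // 2. Canonicalise first: realpath() resolves "..", "." and symlinks,
    //    and returns false when the file does not exist.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $path === false) {
        return null;
    }
    // 3. Compare only canonical forms: the file must sit under the base.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Constructed demo data: one legitimate template in a scratch directory.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'tpl_demo_' . getmypid();
if (!is_dir($dir)) {
    mkdir($dir);
}
file_put_contents($dir . DIRECTORY_SEPARATOR . 'blue.php', "<?php echo 'blue';\n");

$samples = [                      // constructed cookie values
    'blue.php',
    '../../../../../../../../../etc/passwd',
    '%2e%2e%2fetc/passwd',        // raw form, before URI decoding
    '%2e%2e/blue.php',
    'missing.php',
];
foreach ($samples as $raw) {
    $decoded = rawurldecode($raw);   // what the application would really use
    printf(
        "%-40s naive=%-6s hardened=%s\n",
        $raw,
        naive_filter_allows($raw) ? 'allow' : 'block',
        resolve_template($dir, $decoded) === null ? 'reject' : 'accept'
    );
}

unlink($dir . DIRECTORY_SEPARATOR . 'blue.php');
rmdir($dir);
```

The percent-encoded samples pass the naive scan because it runs on the raw value, while the hardened lookup only ever judges the decoded, canonical path.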


FireTom


Stargazer


Total posts: 6650
Posted:confused that didn't clarify much for me and it certainly didn't solve the problem of accessibility to the server... shrug



Last thing I heard anyways is, that the EJC 2007 is not (as announced) on the beach, but in Athens itself - which makes me a very unlikely visitor...



There is a reason why people leave Athens in summer and why others die from heatstroke... I personally wouldn't be able to cool myself enough, especially not when training... AVERAGE temperature in Athens is a killer and 2007 is predicted to be (amongst) the hottest years in recorded history - go figure shrug



If they decide back to a beach-location, you will certainly find me amongst happy fish, juggling with octopussies biggrin redface errm... malabrasses, errmm... ah 2am is too late to find a reasonable thought for me now... but that much for MY personal EJC2007 site prob... whoever cares ubblol

EDITED_BY: FireTom (1169318114)


the best smiles are the ones you lead to wink


PK_
BRONZE Member since Dec 2001

PK_

Lambretta Fanatic
Location: , United Kingdom

Total posts: 4993
Posted:Most probably the Server was attacked! ?, but then all i am going on is what richee posted above, unless i have something in front of me all i can offer is above.

Sorry that is of no help!, but to me it should be if Richee decided to mention it, IMO it gives him options.. if he understands it.


PK.

"To be an angel, one need not have wings.
In giving love there is an equal grace.
Nor need one seek the aura in the face,
As love unveils the beauty of all things."

*Francois Couperin.


PK_
BRONZE Member since Dec 2001

PK_

Lambretta Fanatic
Location: , United Kingdom

Total posts: 4993
Posted:plus all i see is a gateway problem... that could be anything!

PK.

"To be an angel, one need not have wings.
In giving love there is an equal grace.
Nor need one seek the aura in the face,
As love unveils the beauty of all things."

*Francois Couperin.


Richee
BRONZE Member since Jan 2002

HOP librarian
Location: Prague, Czech. Republic

Total posts: 1841
Posted:Thank you PK for explanation. But the point isn't that the site has problem. I was looking for pre-registration and info, but I failed.

The security weakness reported to vendor doesn't change fact, who knows what's going on behind.



lightning,



:R



ps: PK, can you make it shorter please. It is rather information disclosure, this is not technical forum by the way.


POI THEO(R)IST


PK_
BRONZE Member since Dec 2001

PK_

Lambretta Fanatic
Location: , United Kingdom

Total posts: 4993
Posted:In short.

People are able to type something in the address bar which in turn traverses the directories and thus supplying server and website details wink NOT GOOD!.

That's what you get from poor hosting IMHO. rolleyes

You see all i got was a Bad Gateway!.. you probably access lots of gateways just by viewing HoP. wink Some hackers send out blockers to block gateways and jam up the internet, this can take some time to clear up, normally affects IM programs such as yahoo but also websites too.

Other than the EJC website, i don't know where to advise you to go to to look for pre registration, as normally it is the main site that deals with it. confused and that is blocked out.


PK.

"To be an angel, one need not have wings.
In giving love there is an equal grace.
Nor need one seek the aura in the face,
As love unveils the beauty of all things."

*Francois Couperin.


Helen_of_Poi
SILVER Member since Apr 2004

Helen_of_Poi

lapsed spinner
Location: Dublin, Ireland

Total posts: 412
Posted: Written by: FireTom


Last thing I heard anyways is, that the EJC 2007 is not (as announced) on the beach, but in Athens itself



As far as I know, the EJC will indeed be in Athens, in a part of the Olympic complex. I don't have much other info apart from that at the moment - Costas is notoriously difficult to contact via email.

There will be an EJA meeting next month in Greece, which one of our team from last year's EJC will be attending (probably not me frown ), and once I have any more information after that, I will post it here. Pre-registration is not yet open. As far as I know, the dates are still July 30th to August 5th.

If I hear anything further I'll let you all know...

smile


Helen_of_Poi

EJC Ireland 2006 Organisational Team


FireTom


Stargazer


Total posts: 6650
Posted:Helen - I do understand the temptation of having the EJC in an Olympic complex, with all the advantages...

Hence I remember my excitement when I first read about the 2007-location bounce

WEOW - a juggling convention ON THE BEACH *melts away* - pictures of all the beautiful people juggling and twirling next to the ocean came up in my mind...

But Athens? umm In the middle of the summer? (sic) well then... shrug


the best smiles are the ones you lead to wink


Durbs
BRONZE Member since Sep 2001

Durbs

Classically British
Location: Epsom, Surrey, England

Total posts: 5688
Posted:ditto

That'll be mighty hot...

Not that the beach will be any cooler...but come the evenings ubblove

Perfect temperature biggrin


Burner of Toast
Spinner of poi
Slacker of enormous magnitude


Helen_of_Poi
SILVER Member since Apr 2004

Helen_of_Poi

lapsed spinner
Location: Dublin, Ireland

Total posts: 412
Posted:Yeah, Athens does sound a little less appealing than the beach - however, there's probably a better chance of air-conditioning, decent showers etc there... From experience, I can understand why the organisers would choose an Olympic site rather than a beach site because of the amount of facilities already in place...

But that's just my theory, and shouldn't be taken as fact. I'm sure the Dee, our dedicated Irish EJA rep will be along shortly, and may be able to provide more info than i can.


Helen_of_Poi

EJC Ireland 2006 Organisational Team


Pink...?
BRONZE Member since Apr 2002

Pink...?

Mistress of Pink...Multicoloured
Location: Over There, United Kingdom

Total posts: 6140
Posted:I just booked my flights to EJC. bounce I am guessing they'll have an air conditioned space.

I was having problems loading the site too... I just thought that they had taken it down to update it, as the pre reg wasn't open last i looked (when it loaded).

- just checked now, and the webpage is loading fine but still under construction, with no new info or pre reg


Never pick up a duck in a dungeon...


TheDee
SILVER Member since May 2004

newbie
Location: Dublin, Ireland

Total posts: 47
Posted:The European Juggling Association board has a meeting in Athens the 2nd weekend in February, after which I should be able to post up some proper, well informed, details - things like when pre-registration is likely to open, the location (central Athens or seaside?) etc...

For those who remember last year (when the EJC was earlier!), pre-registration didn't start until March...

 Written by: PK_


<snip>
Other than the EJC website, i don't know where to advise you to go to to look for pre registration, as normally it is the main site that deals with it. confused and that is blocked out.



As for how to pre-register.. country representative contact details are on the EJA website - contact the appropriate representative, or else pm me (after the middle of February, when I should be able to answer most queries!)

Dee
EJA rep, Ireland



Richee
BRONZE Member since Jan 2002

HOP librarian
Location: Prague, Czech. Republic

Total posts: 1841
Posted:Looking forward to hear from you.

The bug was fixed too.



excellent,



:R


POI THEO(R)IST


FireTom


Stargazer


Total posts: 6650
Posted:Helen: Air-con vs. crystal clear ocean and sand confused that smells... so it isn't just for the mere fame that the EJC could take place in an olympic site??? umm

wink


the best smiles are the ones you lead to wink


Bender_the_Offender
GOLD Member since Nov 2001

Bender_the_Offender

still can't believe it's not butter
Location: Melbourne, Australia

Total posts: 6979
Posted:pk = hax0r smile

Laugh Often, Smile Much, Post lolcats Always


Mascot


Mascot

enthusiast


Total posts: 301
Posted:I'm going where-ever it is. It's like an annual pilgrimage for me. I should really book my flights but I'm not the most organised man.

There's the European Go Congress just a week earlier in Vienna...I wonder If I can make both?


Walls may have ears but they don't have eyes


Helen_of_Poi
SILVER Member since Apr 2004

Helen_of_Poi

lapsed spinner
Location: Dublin, Ireland

Total posts: 412
Posted: Written by: FireTom


Helen: Air-con vs. crystal clear ocean and sand confused that smells... so it isn't just for the mere fame that the EJC could take place in an olympic site??? umm

wink



I'm with you there, i'd very much like to spend a week spinning and juggling on a beach in southern Greece with a few thousand other like minded people... peace

However when you consider the costs (and hassle) of setting up a site with no (or maybe some but probably not enough) existing infrastructure - sourcing, arranging delivery and paying for around 3km of fencing, 60 - 80 ish portaloos, 30 portable showers, sinks, drinking water points, enough big tops to make up for the lack of other shade, marquees for traders and caterers, bins, skips and compacters to deal with large amounts of waste in a hot climate, outdoor lighting...and then if you actually want to entertain people you need stages, stage lights and sound equipment, plus random extras like crash mats etc for workshops...

Bearing in mind that your beautiful scenic site may have poor road links, or be inaccessible to big trucks transporting all of the above because of narrow gates or bad surfaces...ok i'm ranting now redface

There is so very much work that goes into setting up a festival site, and making sure that it's safe and clean for everyone. In my humble opinion, the less time the organisers have to spend worrying about the physical practicalities of the site, the more time they have to think about the entertainment and fun end of things. juggle

Anyone who was at EJC 2005 in Slovenia will have seen what happens when the organisers are so caught up with dealing with site issues (in that case due to exceptionally heavy rain, and lack of existing infrastructure) that some planned fun things never happened. And when we looked into it, it was more expensive to bring in everything we needed for a green field site (in Ireland at least) than it was to choose a site which already had the majority of the things we needed. Not that it was perfect, or that we didn't make some mistakes along the way smile

Try to remember that the organisers are volunteers, they are not paid in any way, or remunerated for any time off work while working on the convention. Most have full-time jobs and other responsibilities. They also do not have a great deal of money to spend.

Basically, all this is meant to say is to cut them some slack if they take an easier route.

And this is not meant as a rant, or a criticism of anything that anyone else has said (sorry FireTom if it sounds directed at you hug ) And please remember that I don't speak for this year's organisers, i'm just giving one possible explanation for the change of venue.


Helen_of_Poi

EJC Ireland 2006 Organisational Team


TheDee
SILVER Member since May 2004

newbie
Location: Dublin, Ireland

Total posts: 47
Posted:It looks like we may have the best of both worlds - according to the event listings in http://www.jugglingdb.com
(which Tarim, the head honcho of the EJA, tries to keep up-to-date), the site looks like it's an Olympic venue by the sea!

So it's looking like the site will be the Helliniko Olympic Complex (the old city airport site) and the adjacent Agios Kosmas Olympic sailing centre, which have a combination of large indoor spaces (converted old aircraft hangars) and being by the sea. However, I've been reliably informed by some of my office colleagues (who just happen to be from Athens!) that swimming in the water there isn't that pleasant, due to the oil in the water from the nearby port of Piraeus.

Will give a further update when I have more definite details.

Dee



PK_
BRONZE Member since Dec 2001

PK_

Lambretta Fanatic
Location: , United Kingdom

Total posts: 4993
Posted: Written by: bender


pk = hax0r smile



hug


PK.

"To be an angel, one need not have wings.
In giving love there is an equal grace.
Nor need one seek the aura in the face,
As love unveils the beauty of all things."

*Francois Couperin.


Pink...?
BRONZE Member since Apr 2002

Pink...?

Mistress of Pink...Multicoloured
Location: Over There, United Kingdom

Total posts: 6140
Posted: Written by: TheDee


It looks like we may have the best of both worlds - according to the event listings in http://www.jugglingdb.com
(which Tarim, the head honcho of the EJA, tries to keep up-to-date), the site looks like it's an Olympic venue by the sea!

So it's looking like the site will be the Helliniko Olympic Complex (the old city airport site) and the adjacent Agios Kosmas Olympic sailing centre, which have a combination of large indoor spaces (converted old aircraft hangars) and being by the sea. However, I've been reliably informed by some of my office colleagues (who just happen to be from Athens!) that swimming in the water there isn't that pleasant, due to the oil in the water from the nearby port of Piraeus.

Will give a further update when I have more definite details.

Dee



Wow that sounds like it'll be amazing!! (fingers crossed that IJDB is correct)


Never pick up a duck in a dungeon...


TheDee
SILVER Member since May 2004

newbie
Location: Dublin, Ireland

Total posts: 47
Posted:Greetings from Athens...

Just to let people know that the EJC website is up and running (subject to some corrections and frequent additions of course!)

I visited the site today. It has a huge indoor air-conditioned hall (old aircraft hangars, something like 6800m2 if I can remember correctly), plus a basketball arena (with several thousand seats, for shows) and a warm-up area (basically another big basketball hall), all air-conditioned.

It's across the road from the beach, so spinning at sunset there looks like a good option!

Dee



Helen_of_Poi
SILVER Member since Apr 2004

Helen_of_Poi

lapsed spinner
Location: Dublin, Ireland

Total posts: 412
Posted:I've made an EJC thread here in the Events, Performances and Gathering forum, because it probably should belong there.

smile


Helen_of_Poi

EJC Ireland 2006 Organisational Team
