False security notice on twitter

Update: After being confronted with the details of this blog post, a retraction was posted on twitter (https://twitter.com/#!/vuln_lab/status/98858850534424576), but the security notice is still available on their website, and the description still mentions 3.0.1, even though the header has now been changed to 2.0.8. Please note that version 2.0.8 is severely out of date and was first released in mid-2009. The security notice still has all the errors below, and is still not considered valid by anyone on the bug genie team.

Hey everyone. This blog post was created to clear up any confusion around a false security notice posted by a pretend security lab on twitter. The complete security notice can be seen here: http://www.vulnerability-lab.com/get_content.php?id=45. I will explain why this security notice is false in a few seconds, but first I want to clarify something.

Real security companies looking for bugs, errors and security issues in code work closely together with vendors and projects to make sure the details are correct, and to – when possible – coordinate disclosure so that there can be a fixed version available at the time of publication. Neither of these things happened in this case, and in addition to that, there are several factual errors and inconsistencies in the report.

  • The security notice claims to have found an issue in version 3.0.1. First of all, this is an old version – it was released about six months ago. We are currently at version 3.1.3.
  • The security notice contains an outdated description of the bug genie. The description of the bug genie detailed in the security notice uses a project description we have not used at all in 2011. They claim it was copied from our website, when in fact this description is nowhere to be found on our website.
  • The short description of the bug mentions version 2, not 3, and not 3.0.1. This is just another example of the sloppiness and unprofessionalism displayed in the report.
  • The exception error code is taken from version 2, not version 3 as claimed. Version 2 was discontinued when version 3 was released: a few fixes were published after that, but version 2 has not been supported since January 31st, 2011.
  • They have posted an exception message. No SQL injection is possible in the error they describe. Even if everything above were correct, no security issue has been demonstrated: there is no proof-of-concept code, no evidence that this is a real security issue, and their recommended workaround describes what the claimed affected version (2.something) already does.

Security notices like these serve no purpose. They don’t help. They don’t shed any light on anything. Whoever is behind this notice has not given us any chance to fix, confirm or deny the issue described, and no proof-of-concept code has been provided. The issue they claim to have found is not shown in their security notice.

While no software is perfect, you should not take every security notice at face value. Responsible security labs work with vendors so that a fix can be provided together with the disclosure, and in any case provide details about security issues to the vendor in question.

There is nothing to see here. Move along.

Version 2 arrangements post-3.0

For those of you on The Bug Genie 2, you may be wondering what’s going to happen to this version of The Bug Genie after Version 3 comes out. This post hopes to make it all clearer.

Users still on The Bug Genie 2.0

You really should upgrade to 2.1! We no longer support The Bug Genie 2.0 and have not released any bugfix or security updates for a while now, and that includes no fix for the security flaws that were fixed in 2.1.2.

Users on The Bug Genie 2.1

I am planning to support this for six months after the release of The Bug Genie 3, with a continued supply of bugfix and security updates. This also gives you time to wait until we have upgraded the messaging and calendar modules for version 3, so that you can stay on a supported platform until the functionality exists to let you migrate.

Upcoming release

We are planning another bugfix release, 2.1.3. Unfortunately due to the sheer amount of resources being put into getting the final release of 3.0 out the door, I haven’t had time to work on this release, but a list of bugs to be fixed is finalized, and I am hoping to have an update out in February.

I would also like to apologise for the lack of updates and news on The Bug Genie 2.

If you have any questions, or want to comment on our proposed changes, please drop us a line over on the forum!

Further details on security issues fixed in The Bug Genie 2.1.2

As announced a few days ago, a couple of security flaws have been fixed in The Bug Genie 2.1.2. More information on the fixed flaws is now available as Secunia Advisory SA42081.

We would like to thank Russ McRee and Secunia for bringing these issues to our attention.

The first issue was an XSS flaw in scope handling. The scope can be specified manually in the URL, and if it was invalid the value entered was reflected, unescaped, into the error page. That meant that a <script> tag supplied as the scope ID would execute JavaScript in the browser of anyone who opened such a link. The fix is to reject any scope that is not a number with a fixed "invalid scope" message, and to show only the number (never the raw input) when a numeric scope does not exist.
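The following is an added illustration of that fix, written for this page rather than taken from The Bug Genie's code base. It assumes PHP 7 or later, and the scope table is a constructed array standing in for the database lookup the real application performs. The vulnerable function reflects the raw query-string value; the hardened one validates first and only ever outputs the parsed integer, with HTML escaping as a second layer.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for the scope table; the real application looks scopes
// up in its database. IDs 1 and 2 exist, nothing else does.
const KNOWN_SCOPES = [1 => 'Default scope', 2 => 'Second scope'];

/**
 * Pre-2.1.2 shape of the bug as the post describes it: the raw value from the
 * URL is placed straight into the error message, so "<script>..." ends up in
 * the page and runs.
 */
function scopeErrorVulnerable(string $rawScope): ?string
{
    if (isset(KNOWN_SCOPES[(int) $rawScope])) {
        return null;                                // scope found, no error page
    }
    return "Scope {$rawScope} does not exist";      // attacker-controlled markup
}

/**
 * The fix: anything that is not a plain decimal number is rejected with a
 * fixed message, and only the parsed integer is ever placed in the
 * "does not exist" message, so no attacker-controlled text reaches the page.
 */
function scopeError(string $rawScope): ?string
{
    if (!ctype_digit($rawScope)) {                  // also rejects the empty string
        return 'Invalid scope';
    }
    $id = (int) $rawScope;
    if (!isset(KNOWN_SCOPES[$id])) {
        return "Scope {$id} does not exist";
    }
    return null;
}

/**
 * Defence in depth: escape whatever message is shown, so a future code path
 * that does reflect input still cannot inject markup into the error page.
 */
function renderError(string $message): string
{
    return '<p class="error">' . htmlspecialchars($message, ENT_QUOTES, 'UTF-8') . '</p>';
}

// Constructed inputs: two valid scopes, a missing one, and two hostile values.
foreach (['1', '2', '42', '', '<script>alert(1)</script>'] as $input) {
    $bad  = scopeErrorVulnerable($input);
    $good = scopeError($input);
    printf("%-30s | vulnerable: %-42s | fixed: %s\n",
        var_export($input, true),
        $bad === null ? 'scope found' : $bad,
        $good === null ? 'scope found' : renderError($good));
}
```

Run it with `php scope.php`. The validation step is the real fix: the `<script>` input never gets past `ctype_digit`, so the only thing that can appear in a "does not exist" message is an integer. The `htmlspecialchars` call is there so that even a regression in the validation would produce harmless text rather than executable markup.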

The second flaw was that requests were not verified to have been initiated by The Bug Genie itself (cross-site request forgery). That meant a link to the user delete page could be disguised as an otherwise harmless link, and it would take effect as long as a user with the relevant permissions was logged in. All requests that manipulate data now have to carry a unique token that The Bug Genie generated and stored in the user's session; the token in the request is compared with the one held in the server-side session (the session the cookie identifies), and if they differ the request is discarded.
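As an added example of the token check described above (written for this page, not The Bug Genie's own implementation), the script below issues a per-session token, embeds it in the links the application itself generates, and refuses any data-modifying request whose token does not match the session. It assumes PHP 7 or later; the session is passed around as a plain array so the script runs from the command line without a web server, whereas a real deployment would use `$_SESSION`.

```php
<?php
declare(strict_types=1);

// Issue the anti-CSRF token once per session and reuse it for that session.
// 32 random bytes is far beyond what an attacker could guess.
function csrfToken(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Only links built by the application carry the token, so only they pass the check.
function deleteUserUrl(array &$session, int $userId): string
{
    return '/users/delete?' . http_build_query([
        'user_id'    => $userId,
        'csrf_token' => csrfToken($session),
    ]);
}

// Gate for every request that manipulates data: the token in the request must
// equal the one stored server-side. hash_equals() avoids a timing side channel.
function verifyCsrf(array $session, array $request): bool
{
    if (empty($session['csrf_token'])
        || !isset($request['csrf_token'])
        || !is_string($request['csrf_token'])) {
        return false;
    }
    return hash_equals($session['csrf_token'], $request['csrf_token']);
}

// The handler behind the user delete page. Permission checks are assumed to
// have passed already; this is purely the origin-of-request check.
function handleDeleteUser(array $session, array $request): string
{
    if (!verifyCsrf($session, $request)) {
        return '403 Forbidden: request was not initiated by this application';
    }
    return 'User ' . (int) $request['user_id'] . ' deleted';
}

// Constructed walk-through: a logged-in session, one legitimate link, and two
// attacker-crafted links (one without a token, one with a guessed token).
$session = [];
$legit = deleteUserUrl($session, 7);
parse_str((string) parse_url($legit, PHP_URL_QUERY), $params);

echo 'Legitimate link: ', $legit, PHP_EOL;
echo 'Legitimate request -> ', handleDeleteUser($session, $params), PHP_EOL;
echo 'Disguised link     -> ', handleDeleteUser($session, ['user_id' => 7]), PHP_EOL;
echo 'Guessed token      -> ', handleDeleteUser($session, ['user_id' => 7, 'csrf_token' => 'deadbeef']), PHP_EOL;
```

Two caveats a practitioner would add: a token carried in a GET URL can leak through the Referer header or server logs, so state-changing actions such as deleting a user are better done over POST with the token in a hidden form field; and the comparison should be constant-time (`hash_equals`), since a plain `==` lets an attacker learn the token byte by byte from response timing.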

Both issues are now fixed and included in the latest release, as previously stated.

2.1.2 update and upcoming beta

Version 2.1.2 was uploaded today after almost two weeks of expanded development time. The reason for this has been an undisclosed CSRF security issue which will be explained in further detail tomorrow.

If you’re running version 2, 2.1.2 is a strongly recommended update.

Version 3 is not affected by the security issue in question, but development on the beta version was postponed for about a week to fix the issue. The public beta release for version 3 will happen tomorrow 17th November. We’ve updated the release schedule in the wiki to reflect this.

Cheers!

Coming soon for The Bug Genie 2

With all the recent news about The Bug Genie 3, you may be thinking that not much has been going on in the 2.1 world. This is not the case, and there will be some exciting changes in the next update release, due out next month.

First of all, we have two new high quality translations; an updated Swedish translation courtesy of Johan from the forums, and thanks to jtprince we also have a brand new Hungarian translation, both of which will be included in 2.1.2.

Of course, there is the general assortment of bugfixes, with improvements in the installer (especially for Windows users who use IIS), fixes to the billboards system and other miscellaneous fixes. However something that will be of more interest in this department is MySQL STRICT mode compatibility!

My personal MySQL setup uses the strictest of MySQL configurations (for those of a techie inclination, the sql-mode string contains most of the available options), and this has already turned up issues to fix. Hopefully this removes yet another item from the short list of longstanding issues with The Bug Genie.

We are pretty proud of the stability of The Bug Genie 2, and the much shorter list of bug reports is a testament to that. That’s why updates have been less frequent as of late. However this doesn’t mean that our work here is done! Keep reporting issues as you find them, and thank you for helping us improve The Bug Genie!

What’s next?

Here’s a heads up for whats next with The Bug Genie:

The Bug Genie 2.1
We finally got around to the first release of the 2.1 series, with many new features; they are listed in the release notes for this release. So far there have not been many issues; the current major issue is a problem with UNIX sockets causing errors. We will resolve this and any other issues in 2.1.1.

VCS Integration
A common complaint about the SVN integration module is that it only supports SVN. A partial rewrite is planned to add support for all popular version control systems.

Full support will be included in The Bug Genie 3, but since I personally need this for another project, the finished module will be released to the public earlier for testing and for anybody to use. Once bug fixes and improvements have been collected, the module will be stabilized and fully supported in version 3. Keep your eye here for further details.

The Bug Genie 3
A new TP came out yesterday containing much improved scrum support, as well as an updated issue viewing screen and a CLI to facilitate installation and eventually full control over the installation. Many other new features and updates are included.

We welcome more contributors to help us add more features and fix bugs – please drop by on IRC to help. Keep your eye out on the blog and news for further updates.

2.1 change list finalized

The end is in sight for 2.1!

I have updated the milestones for 2.1.0 and 2.0.12. I will not be including any bugfixes or changes not listed on the roadmap now, with a few exceptions for 2.1.0.

If all goes well, I will have 2.1.0 and 2.0.12 out this month (2.0.12 may be out before 2.1.0). 2.0.12 is a wrapup release for the 2.0 series and there will not be any further updates after this one.

Still to implement for 2.1.0 is an alert mechanism if you are going to lose the content of your issue report if you try to edit step 2 without saving step 3, and a cleanup of the issue editing dropdowns so that upon closing a submenu, the root menu does not close (one example of the incorrect behaviour is saving status).

In addition, we will be updating the documentation on the site to detail more common problems that users seem to be experiencing, and to detail changes in the 2.1 release. We also hope to have a copy of the help for The Bug Genie 2 online in all supported languages.

Keep an eye on the homepage for the releases soon!

Rolling on to 2.1

Another release candidate for The Bug Genie 2.1 has just been released, which should hopefully fix the majority of the upgrade bugs that you have been having.

2.1 is not yet fully complete, as there is still some tidying up to take care of, as well as any other bug reports that people like you find. The main missing component is further improving the progress tracking so that only one save button is needed to make your changes. The upgrade script should now be fairly stable and resilient, so there will hopefully be no more fixes to make; if there are, we will squash those issues now so that the final release is rock solid.

RC2 is much more stable than RC1, with many issues and bugs fixed, and includes all the fixes from the 2.0.11 release. The final is due out really soon, after which the focus will be on The Bug Genie 3, though the 2.1 branch will continue to be maintained (along with one final 2.0 release).