Update: After being confronted with the details of this blog post, a retraction was posted on twitter (https://twitter.com/#!/vuln_lab/status/98858850534424576), but the security notice is still available on their website, and the description still mentions 3.0.1, even though the header has now been changed to 2.0.8. Please note that version 2.0.8 is severely out of date and was first released in mid-2009. The security notice still has all the errors below, and is still not considered valid by anyone on the bug genie team.
Hey everyone. This blog post was created to clear up any confusion around a false security notice posted by a pretend security lab on twitter. The complete security notice can be seen here: http://www.vulnerability-lab.com/get_content.php?id=45. I will explain why this security notice is false in a few seconds, but first I want to clarify something.
Real security companies looking for bugs, errors and security issues in code work closely together with vendors and projects to make sure the details are correct, and to – when possible – coordinate disclosure so that there can be a fixed version available at the time of publication. Neither of these things happened in this case, and in addition to that, there are several factual errors and inconsistencies in the report.
- The security notice claims to have found an issue in version 3.0.1. First of all, this is an old version – it was released about six months ago. We are currently at version 3.1.3.
- The security notice contains an outdated description of the bug genie. The description of the bug genie detailed in the security notice uses a project description we have not used at all in 2011. They claim it was copied from our website, when in fact this description is nowhere to be found on our website.
- The short description of the bug mentions version 2, not 3, and not 3.0.1. This is just another example of the sloppiness and unprofessionalism displayed in the report.
- The exception error code is taken from version 2, not 3 as claimed. Version 2 has been discontinued since version 3 was released. While we have released a few fixes for issues after version 3 was released, version 2 has been discontinued and has not been supported since January 31st, 2011.
- They have posted an exception message. There is no sql injection possible in the error they have described. Even if all the above was correct, there is still no security issue displayed. They have shown no proof-of-concept code. There has been no proof shown that this is a real security issue, and their recommended workaround describes the existing implementation in the claimed affected version (2-something).
Security notices like these serve no purpose. They don’t help. They don’t shed any light on anything. Whoever is behind this notice has not given us any chance to fix, confirm or deny the issue described, and no proof-of-concept code has been provided. The issue they claim to have found is not shown in their security notice.
While no software is perfect, you should not take every security notice at face value. Responsible security labs work together with vendors so a fix can be provided together with the disclosure, and in any case provide details about security issues to the vendor in question.
There is nothing to see here. Move along.
For those of you on The Bug Genie 2, you may be wondering what’s going to happen to this version of The Bug Genie after Version 3 comes out. This post hopes to make it all clearer.
Users still on The Bug Genie 2.0
You really should upgrade to 2.1! We no longer support The Bug Genie 2.0 and have not released any bugfix or security updates for a while now – and this includes no fix for the security flaw that was fixed in 2.1.2.
Users on The Bug Genie 2.1
I am planning to support this for 6 months after the release of The Bug Genie 3. This will include continued supply of bugfix and security updates. This will also give you time to wait till we upgrade the messaging and calendar modules for version 3, so you can continue to use a supported platform until the functionality exists to allow you to migrate.
We are planning another bugfix release, 2.1.3. Unfortunately due to the sheer amount of resources being put into getting the final release of 3.0 out the door, I haven’t had time to work on this release, but a list of bugs to be fixed is finalized, and I am hoping to have an update out in February.
I would also like to apologise for the lack of updates and news on The Bug Genie 2.
If you have any questions, or want to comment on our proposed changes, please drop us a line over on the forum!
As announced a few days ago, a couple of security flaws have been fixed in The Bug Genie 2.1.2. More information on the fixed flaws is now available as Secunia Advisory SA42081.
We would like to thank Russ McRee and Secunia for bringing these issues to our attention.
The second flaw was with requests not being verified to see if they were actioned by The Bug Genie itself. That means that a link to the user delete page can be disguised as an otherwise harmless link, assuming a user with relevant permissions is logged in. All requests that manipulate data now verify that The Bug Genie initiated the request, by requiring a unique token to be specified in the request (which is also stored in the session), and this token is verified against the session cookie. If there is a difference, then the request is discarded.
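The guard described above, as an added illustration that is not The Bug Genie's own code: a per-session random token is generated once, embedded in every form that changes data, and compared in constant time with the copy held in the session before a data-manipulating request is processed. A request without a matching token (for example one triggered by a disguised link) is discarded before anything is touched. The function names, the `csrf_token` field name and the `handle_delete_user` action are assumptions for this example; `random_bytes()` and `hash_equals()` are standard PHP 7 functions.

```php
<?php
// Session-bound CSRF token, illustrating the pattern the post describes.
// Added example; not code from The Bug Genie. Names below are invented.

declare(strict_types=1);

const CSRF_FIELD = 'csrf_token';        // hypothetical request parameter name
const CSRF_SESSION_KEY = 'csrf_token';  // hypothetical session key

// Return the token for this session, creating it on first use.
function csrf_token(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION[CSRF_SESSION_KEY])) {
        // 32 bytes from the OS CSPRNG, hex-encoded so it embeds safely in HTML.
        $_SESSION[CSRF_SESSION_KEY] = bin2hex(random_bytes(32));
    }
    return $_SESSION[CSRF_SESSION_KEY];
}

// Hidden input to embed in every form that changes data (delete user, edit issue, ...).
function csrf_field(): string
{
    return '<input type="hidden" name="' . CSRF_FIELD . '" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Compare the submitted token with the session copy.
// hash_equals() is constant-time, so the comparison does not leak the token.
function csrf_verify(array $request, array $session): bool
{
    $sent = $request[CSRF_FIELD] ?? null;
    $expected = $session[CSRF_SESSION_KEY] ?? null;
    if (!is_string($sent) || !is_string($expected) || $expected === '') {
        return false;
    }
    return hash_equals($expected, $sent);
}

// Guard for a data-manipulating action: a plain link (GET) or a POST that
// lacks the session's token is discarded before any data is touched.
function handle_delete_user(array $server, array $post, array $session): string
{
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        http_response_code(405);
        return 'discarded: state changes must be POSTed';
    }
    if (!csrf_verify($post, $session)) {
        http_response_code(403);
        return 'discarded: request did not originate from this application';
    }
    // ... permission check and the actual delete would go here ...
    return 'ok: user ' . (int)($post['user_id'] ?? 0) . ' deleted';
}

// Constructed walk-through: same logged-in session, two requests.
session_start();
$server      = ['REQUEST_METHOD' => 'POST'];
$forged_post = ['user_id' => 7];                              // form from elsewhere: no token
$good_post   = ['user_id' => 7, CSRF_FIELD => csrf_token()];  // form rendered with csrf_field()

echo handle_delete_user($server, $forged_post, $_SESSION), "\n"; // discarded
echo handle_delete_user($server, $good_post, $_SESSION), "\n";   // ok
```

The token lives only in the server-side session and in pages this application rendered, which is what lets the check tell the application's own forms from a request a user was tricked into sending. Rotating the token on login and rejecting non-POST state changes, as the guard does, closes the common gaps in this scheme.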
Both issues are now fixed and included in the latest release, as previously stated.
Version 2.1.2 was uploaded today after almost two weeks of expanded development time. The reason for this has been an undisclosed CSRF security issue which will be explained in further detail tomorrow.
If you’re running version 2, 2.1.2 is a strongly recommended update.
Version 3 is not affected by the security issue in question, but development on the beta version was postponed for about a week to fix the issue. The public beta release for version 3 will happen tomorrow 17th November. We’ve updated the release schedule in the wiki to reflect this.
There’s a new wiki page up on how to import data from v2 to v3, which you can use if you want to play with v3 with data from your v2 installation. Haven’t tested this with the currently released alphas, but it runs nice on current trunk.
Have fun 🙂
With all the recent news about The Bug Genie 3, you may be thinking that not much has been going on in the 2.1 world. This is not the case, and there will be some exciting changes in the next update release, due out next month.
First of all, we have two new high quality translations; an updated Swedish translation courtesy of Johan from the forums, and thanks to jtprince we also have a brand new Hungarian translation, both of which will be included in 2.1.2.
Of course, there is the general assortment of bugfixes, with improvements in the installer (especially for Windows users who use IIS), fixes to the billboards system and other miscellaneous fixes. However something that will be of more interest in this department is MySQL STRICT mode compatibility!
My personal MySQL setup is using the most strict of MySQL setups (for those of you of a techie inclination, the exact sql-mode string contains most of the available options), and already issues to be fixed have been found. Hopefully this will fix yet another of the short list of longstanding issues with The Bug Genie.
We are pretty proud of the stability of The Bug Genie 2, and the much shorter list of bug reports is a testament to that. That’s why updates have been less frequent as of late. However this doesn’t mean that our work here is done! Keep reporting issues as you find them, and thank you for helping us improve The Bug Genie!
Here’s a heads up for what’s next with The Bug Genie:
The Bug Genie 2.1
We finally got around to the first release of the 2.1 series with many new features. This can be read in the release notes for this release. So far there have not been many issues, and the current major issue is a problem with UNIX sockets causing errors. We will resolve this and any other issues in 2.1.1.
A common complaint with the SVN integration module is that it only covers SVN support. A partial rewrite is planned to include support for all popular version control systems.
While full support will be included in The Bug Genie 3, since I (personally) require support for another project, the finished module will be released to the public for testing and for anybody to use. Once bugfixes and improvements are collected, the module will be stabilized and fully supported in Version 3. Keep your eye here for further details.
The Bug Genie 3
A new TP came out yesterday containing much improved scrum support, as well as an updated issue viewing screen and a CLI to facilitate installation and eventually full control over the installation. Many other new features and updates are included.
We welcome more contributors to help us add more features and fix bugs – please drop by on IRC to help. Keep your eye out on the blog and news for further updates.