[VIM] Re: GAs Guestbook & Ultimate Forum - odd
Steven M. Christey
coley at mitre.org
Tue May 17 21:12:46 EDT 2005
>GAs Guest Book
>http://archives.neohapsis.com/archives/fulldisclosure/2005-05/0351.html
>
>Ultimate Forum
>http://archives.neohapsis.com/archives/fulldisclosure/2005-05/0350.html
>
>Same vendor so this attack being in common makes sense. However,
>hitting the vendor web page I don't see 'Ultimate Forum' listed on the
>product links anywhere (GAs Guest Book is there).
This screams "copy-and-paste" error on the part of the researcher, as
a lot of the text in one advisory is used verbatim in the other
advisory.
But let's wait and see...
>Secunia lists the vendor for the guestbook as
>http://www.4u2ges.com/gb/gb.htm...
This is linked to from the http://www.gurgensvbstuff.com/gbook/ front
page.
>...
>The 4u2ges site has "GA's Forum" but no "Ultimate Forum"
>making me wonder if this affects "GA's Forum" instead.
I downloaded "GA's Forum Light-4-RC3.0" from that URL, but it does not
have a "commit.asp" page (mentioned in basher's "Ultimate Forum" post)
nor does it have a "reset.asp" page (mentioned in the "Gurgens Guest
Book" post). Neither is there a "Genid.dat" or "mappath" in any of
the ASP files, so whatever GA's Forum is, it doesn't seem like it's
the same as "Ultimate Forum."
But then again we have this:
http://www.freevbcode.com/ShowCode.asp?ID=4288
which links "Ultimate Forum" with "Gurgen Alaverdian" and gets us
right back to http://www.gurgensvbstuff.com/
HOWEVER... I navigated to this page:
http://www.gurgensvbstuff.com/index.php?ID=22
which is theoretically *also* "GA's Forum Light"
which gives us this download URL:
http://www.gurgensvbstuff.com/Zips/forum_21.zip
which, when downloaded looks a bit different from the *other* "GA's
Forum Lite" that I had downloaded, but there's a db/genid file (no
.dat), but still no commit.asp. But it has some code that calls a
CryptText function, as mentioned in basher's "Ultimate Forum" post.
Still, it's not quite it. I went back to the freebvcode.com site with
the Ultimate Forum, and downloaded *this* :
http://www.freevbcode.com/source/Forum.zip
and voila! it has a commit.asp, a db/genid.dat, even the "$u at gess"
key.
So, we have:
1) "Ultimate Forum," released by Gurgen Alaverdian in May 2002, and
still available for download in some places; and the subject of
basher's "Ultimate Forum" post.
2) "GA's Forum 2.1," released by Gurgen Alaverdian in March 2004,
which has some code in common with "Ultimate Forum."
3) "GA's Forum Light 4 RC3.0," released by Gurgen Alaverdian in
February 2005, which has some code in common with Forum 2.1.
I just love having to infer codebase relationships for obscure
products!
- Steve
More information about the VIM
mailing list