Re: Bugtraq ID# 53694 is invalid/fake

From: Information Booth <>
Subject: Re: Bugtraq ID# 53694 is invalid/fake

This is in regards to:

This is an uncoordinated release, the author did not make any attempt
to notify us either by email or the public forum. The non-working
exploit seems to have been copied and pasted with RIPS source code
analyzer and the author didn't even bother to test or understand the
code. A real hacker can read source code, not run a RIPS source code
analyzer and publish the finding without due diligence.

This is the result:
Try : alert(' could not be loaded');

1) The "/" or %2F won't be accepted:
   $filename = preg_replace("/[^a-z._\d]/i", "", $_GET['js']); // sanitize, prevent path traversal
2) It will only read js.gz file (I see attempts to load /etc/passwd
but that doesn't make sense - I don't think he knows/understands how to
read source code):
   readfile(SITE_PATH.'/js/'.$filename.'.js.gz');
   The bad chars will be stripped anyway ...
3) Test:

The js_gzip.php was included as of v1.1.5a

Also older versions on my website:

I am fine with people publishing vulnerabilities to make code more
secure. What I'm unhappy about is how some wannabe script kiddiot can just
download source code analyzers/scanners and publish things WITHOUT any
prior test and WITHOUT contacting vendors. I have had people publish
their findings in my forum and I'm fine. But not when they don't at
least test or contact me and it then later turns out to be a false alarm.

Here's a copy & paste from v1.1.5a (old version - the same)

// Baby Gekko content management system - Copyright (C) Baby Gekko.
// You may use this software commercially, but you are not allowed to create a fork or create a derivative of this software
// Please read the license for details
include ('../');

// Keep only letters, digits, "." and "_"; every other byte (including "/" and "%") is dropped
$filename = preg_replace("/[^a-z._\d]/i", "", $_GET['js']); // sanitize, prevent path traversal
$etag = sprintf('bbgk%u',crc32($filename));
header("Content-type: text/javascript; charset: UTF-8");
if ($_SERVER['HTTP_IF_MODIFIED_SINCE'] || str_replace('"', '', stripslashes($_SERVER['HTTP_IF_NONE_MATCH'])) == $etag)
{
 // Client already holds a cached copy
 header('HTTP/1.1 304 Not Modified');
} else
if (file_exists (SITE_PATH.'/js/'.$filename.'.js.gz'))
{
 header("Vary: Accept-Encoding");
 header("Cache-Control: public, max-age=".(144000 * 24));
 header("Pragma: public");
 header("Expires: Tue, 30 Aug 2037 20:00:00 GMT");
 header("Content-Encoding: gzip");
 header("ETag: \"{$etag}\"");
 // Serve the pre-compressed file; this is the readfile() call quoted in point 2
 readfile(SITE_PATH.'/js/'.$filename.'.js.gz');
} else
 echo ("alert('{$filename} could not be loaded');");
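
The filter and path construction from the quoted js_gzip.php, run over a few constructed inputs (an added example, not part of the original message or of Baby Gekko's code; the SITE_PATH value and the helper names sanitize_js_name and resolved_path are assumptions):

```php
<?php
// Added example, not Baby Gekko code.
// SITE_PATH here is a constructed placeholder value.
const SITE_PATH = '/var/www/site';

// Same filter expression as the quoted js_gzip.php (helper name is hypothetical).
function sanitize_js_name(string $raw): string
{
    return (string) preg_replace("/[^a-z._\d]/i", "", $raw);
}

// Path the script would hand to file_exists()/readfile(), built the way
// the quoted source builds it (helper name is hypothetical).
function resolved_path(string $raw): string
{
    return SITE_PATH . '/js/' . sanitize_js_name($raw) . '.js.gz';
}

// Constructed inputs, as they would appear in $_GET['js'].
$samples = [
    'jquery.min',                // ordinary request
    '..',                        // dots survive the filter
    '/etc/passwd',               // leading slash and separators
    '../../etc/passwd',          // "%2F" in the query string arrives as "/"
    '..%2F..%2Fetc%2Fpasswd',    // literal "%2F" left after one URL decode
];

foreach ($samples as $raw) {
    $path = resolved_path($raw);
    // Property under test: the result is one path component directly
    // under SITE_PATH/js/ and always carries the .js.gz suffix.
    $inJsDir   = dirname($path) === SITE_PATH . '/js';
    $hasSuffix = substr($path, -6) === '.js.gz';
    printf(
        "%-24s -> %-44s in_js_dir=%s suffix=%s\n",
        $raw,
        $path,
        var_export($inJsDir, true),
        var_export($hasSuffix, true)
    );
}
```

Every sample resolves to a single file name directly under js/ that ends in .js.gz: the dots pass the filter, but with no path separator left they are only part of the file name.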
