[Full-disclosure] CAcert non-persistent XSS
Hi, normally I wouldn't bother much posting a simple XSS here, but I'll make an exception for CAcert today. Kriss Andsten's blog post (http://www.shortpacket.org/2008/08/cacertorg-you-got-what-you-paid-for.html) made me want to take a look at the CAcert source myself, and so I did on Friday. It certainly isn't up to secure coding practices, they quote all HTML output and all MySQL queries manually, and so they are bound to occasionally miss something - like they did in analyse.php. Being an open source (PKI) developer, I'd be happy to see a free (not only as in beer, but also as in speech) CA that is widely accepted - having glanced shortly at the code (same as Kriss, I wouldn't be surprised if there is more to be found if you know more about PHP security than me), I wonder if CAcert is that CA ... Enough rambling, here you go: ||| Security Advisory AKLINK-SA-2008-007 ||| CAcert - Cross Site Scripting = Date released: 29.09.2008 Date reported: 26.09.2008 $Revision: 1.1 $ by Alexander Klink Cynops GmbH [EMAIL PROTECTED] https://www.cynops.de/advisories/AKLINK-SA-2008-007.txt (S/MIME signed: https://www.cynops.de/advisories/AKLINK-SA-2008-007-signed.txt) https://www.klink.name/security/aklink-sa-2008-007-cacert-xss.txt Vendor: CAcert Product: CAcert - certificate authority providing free certificates Website: http[s]://www.cacert.org Vulnerability: non-persistent cross site scripting Class: remote Status: patched Severity: moderate (authentication information may be stolen) Releases known to be affected: cacert-20080921.tar.bz2 Releases known NOT to be affected: cacert-20080928.tar.bz2 + Background: CAcert is a certifificate authority that provides free certificates to end users based on a web-of-trust assurance model. + Overview: CAcert provides a page that allows a user to show information on a given X.509 certificate. This page was vulnerable to a cross site scripting attack, which might have led to session information of a logged-in user being compromised. + Technical details: http[s]://www.cacert.org/analyse.php contains the following code: echo ""; print_r(openssl_x509_parse(openssl_x509_read($_POST['csr']))); echo ""; which is used to dump the certificate details as parsed by the openssl_x509_parse() PHP function. No escaping whatsoever of this information is done, so an attacker can create a certificate with HTML tags, which are then shown on the page. A PoC certificate can easily be creating using OpenSSL: $ openssl req -new -x509 \ -subj "/CN=<\/pre>
[Full-disclosure] W3C filtered as child porn by Finnish ISP
According to Neural Broadcaster blog of Martti Roitto: "Due to reasons yet to be determined, the website of the World Wide Web Consortium, w3.org/w3c.org, is being filtered as child pornography (wget/curl) by the Finnish ISP, DNA Internet. Update Sept 27. 3PM: DNA has removed w3c from their list, but another ISP, Mikkelin Puhelin (MPY) has added it (dig/host). To clear up some confusion: The blacklist isnt maintained independently by ISPs but rather centrally by the Finnish Police. The reason w3c isnt being blocked by other operators is simple - they havent yet updated their lists to the latest version." http://maraz.be/blog/2008/09/w3c-filtered-as-child-porn-by-finnish-isp/ The blacklist has been reportedly updated and W3C is not blocked any more. Juha-Matti ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] [inbox] Re: Supporters urge halt to hacker's, extradition to US
I wouldn't waste my time locking up a script kid for 60 years, Gary Mckinnon is a small fish in a big ocean, there are bigger fish to fry. Its the military's fault he got in, because they hadn't set any passwords for the systems. All the best, n3td3v On Sun, Sep 28, 2008 at 7:03 PM, Exibar <[EMAIL PROTECTED]> wrote: > McKinnon did cause damage: > ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Supporters urge halt to, hacker's, extradition to US
Folks, Thanks to "Exibar" for the (likely) clarification. No issue in converting from metric, incidentally ;-) I will check out the links you provided this evening and make up my own mind. As stated, I did go to the thing, but wasn't shouting at chanting, because I felt something was certainly amiss in this, the extradition agreement between the UK and the US (which I also have yet to check out in detail) seems iffy enough. As someone has already stated, running an exploit to gain access in itself can cause damage, without necessarily being known to do so by the 'attacker', but it is equally possible that for example sh**ty PHP code can crash out a web server by going too recursive and stack smashing (see various preg_* issues) without any ill intent by the person viewing the page, merely code behaving unexpectedly. I am sure we all know many examples of how things can go awry without malicious intent, or go awry because some company forget to pay their sysadmin, and as a result he takes his eye off the ball, and something goes wrong while he has a lingering login he forgot to terminate, eg. running in a "screen" session in the background. I'm not the best at computer forensics in the world, but I'm pretty sure a sysadmin in that position would get the finger pointed at him, at least for a while. Maybe long enough to be extradited, no? That is perhaps my primary worry here. I am not yet certain. However I was quite sure that what was amiss was not necessarily in the way it was being expressed by those concerned. Perhaps I was looking in the wrong place, perhaps not. I'll find out more this evening, but for now there is work to be done. K. -- Kev Green, aka Kyrian. E: kyrian@ore.org WWW: http://kyrian.ore.org/ Linux/Security Contractor/LAMP Coder/ISP, via http://www.orenet.co.uk/ DJ via http://www.hellnoise.co.uk/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Supporters urge halt to, hacker's, extradition to US
I just think someone from the military should be in the dock as well!!! This wasn't a one sided security incident, sloppy admins were involved in the 'threat to national security' that Gary Mckinnon supposedly posed. The passwords on the systems weren't set, if it wasn't Gary Mckinnon it was going to be some other script kid who got in. I don't know why the military are making a big deal about what happened, when ultimately its their I.T security staff who were the main culprits of blame. Accoriding to Gary Mckinnon, there were lots of script kids in the systems at the same time as him, they just decided to pick him out of the crowd to make an example of the activity that was going on. This should be a non-issue that should have been delt with internally in the military, the I.T security staff blamed and the script kids left to go on their humble way. When the way of intrusion is this lame, and its obvious the blame is on the I.T security staff, then I don't think they should waste everyone's time herding one of the script kid across the atlantic, just to keep America's nation pride in tact. Geez fucking christ, it was totally the military's fault, there is no get out clause. On Mon, Sep 29, 2008 at 4:00 PM, Kyrian <[EMAIL PROTECTED]> wrote: > Folks, > > Thanks to "Exibar" for the (likely) clarification. No issue in converting > from metric, incidentally ;-) > > I will check out the links you provided this evening and make up my own mind. > ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] very strange emails (email 1/2) Fwd: Sorry I did not reply sooner
On Sat, 27 Sep 2008 06:34:44 +0500, cissp79 said: > ive received 2 very strange emails and not sure why they have arrived in my > inbox Figuring these sort of things out is usually a *lot* easier when you have *all* the e-mail headers, not just the 3-4 lines created by the 'Forwarded message' feature. In particular, the Received: headers will tell you a lot about how the message got to you. pgpEEWDyTgcyM.pgp Description: PGP signature ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] very strange emails (email 1/2) Fwd: Sorry I did not reply sooner
I am wondering how someone was so board to write an email like that. And what he expects in return. He should at least use key words like the patriot act etc.. On Fri, Sep 26, 2008 at 8:31 PM, <[EMAIL PROTECTED]> wrote: > On Sat, 27 Sep 2008 06:34:44 +0500, cissp79 said: > > > ive received 2 very strange emails and not sure why they have arrived in > my > > inbox > > Figuring these sort of things out is usually a *lot* easier when you have > *all* the e-mail headers, not just the 3-4 lines created by the 'Forwarded > message' feature. In particular, the Received: headers will tell you a lot > about how the message got to you. > > ___ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > -- http://www.goldwatches.com/ http://www.jewelerslounge.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Supporters urge halt to, hacker's, extradition to US
Further to Exibar's previous email, now I've been through the links that worked (one seemed to have been 8.3 truncated)... There does seem to be a substantial lets say "pro-american-hacker" bias in the text of the pages you provided links for. > McKinnon did cause damage: > "The charges" say he did, yes. And thanks to our dear old blind (some say to Justice as well as "visible" light) former Home Secretary, David Blunkett, that's now enough to gain an extradition, no evidence required, just an allegation, which can (and seems to be in this case) treated as fact(Australian newspaper, which should be reasonably neutral): http://www.dailyreckoning.com.au/us-extradition-laws/2007/12/07/ > A message left by him on a system: > Changing the /etc/motd file or equivalent is hardly costly, and hardly massive damage, no? Hypothetically speaking, if I wanted to do as little damage as possible and make someone get the message I'd been in there, that's probably what I'd do. > Sure sounds like a criminal that knows what he's doing, and is doing it > willfully, doesn't it? > Agreed, the use of the hardly-unique-sounding handle 'Solo' stands up to analysis. Although it's been used by someone else before, who did worse things: http://www.wired.com/science/discoveries/news/2002/11/56392 Obviously I'm not privy to all the evidence, but... In my opinion, installing remote admin software to poke around systems is inconsistent with "deleting critical system files" as it would be self-defeating, possibly causing that system to fall over, and for you to lose control of it. Indeed, the fact that it's off-the-shelf is inconsistent with trying to evade detection, which leads down the same self-defeating path. Additionally, downloading 'the same version' of software that was used in an attack is surely not sufficient to establish use of it in an attack, especially as someone else had used the same name in other attacks. > Oh yah, and he's really only facing a fine and up to 10 years of prison > time in the US... I guess things really are different translating to the > metric system in the UK... Heh. I've caught up with the joke now. However 7 counts at 10 years a piece surely does add up to 70 years?: http://cryptome.org/ips-bared.htm >McKinnon should face the charges of computer crime that he's facing. He > should, and will, be tried, either in the US or in the UK. But, keep in > mind that it is the UK that will extradite him, and it is the UK that has > ruled that he *should* be extradited for his crimes > Yes, he should be punished in some way for it, but I see no due process in the extradition, and the comments that have been aired leave considerable cause for doubt about the fairness of any due process in the USA. I have insufficient knowledge of the US judicial system to be sure that there are checks and balances against due process being derailed, and I'm open to being persuaded. If it were me, I would tell you to go f**k yourself if you wanted me to plead guilty to something I didn't do (so perhaps this is a uniquely British trait?), and I would certainly get quite upset and explore all avenues to avoid being 'fried', or imprisoned for a substantial length of time, if I thought that was what were to happen. I think this has gone on-list long enough, so I'll try and drop it now, unless anyone says anything really bloody aggravating. ;-) K. -- Kev Green, aka Kyrian. E: kyrian@ore.org WWW: http://kyrian.ore.org/ Linux/Security Contractor/LAMP Coder/ISP, via http://www.orenet.co.uk/ DJ via http://www.hellnoise.co.uk/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [ MDVSA-2008:207 ] openafs
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ___ Mandriva Linux Security Advisory MDVSA-2008:207 http://www.mandriva.com/security/ ___ Package : openafs Date: September 29, 2008 Affected: 2007.1, 2008.0 ___ Problem Description: A race condition in OpenAFS 1.3.40 through 1.4.5 allowed remote attackers to cause a denial of service (daemon crash) by simultaneously acquiring and giving back file callbacks (CVE-2007-6559). The updated packages have been patched to prevent this issue. ___ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6559 ___ Updated Packages: Mandriva Linux 2007.1: 5cfed2da74437280e139bd9a37b99a27 2007.1/i586/dkms-libafs-1.4.2-3.1mdv2007.1.i586.rpm ce10b8248835c3c2f204d3316bde628d 2007.1/i586/libopenafs1-1.4.2-3.1mdv2007.1.i586.rpm a2c32eaa669fa364bf57988bf37e2a0e 2007.1/i586/libopenafs1-devel-1.4.2-3.1mdv2007.1.i586.rpm d0f2303b30ab06ec269f2aa47344adb7 2007.1/i586/openafs-1.4.2-3.1mdv2007.1.i586.rpm 2db7adc9de4e14fc46242443d187c3c5 2007.1/i586/openafs-client-1.4.2-3.1mdv2007.1.i586.rpm 2c309a5d6e3dfb4b80a75020403738ec 2007.1/i586/openafs-doc-1.4.2-3.1mdv2007.1.i586.rpm 8ecb2c606b6d14652faf0d622bdb7d47 2007.1/i586/openafs-server-1.4.2-3.1mdv2007.1.i586.rpm 347d09eeb8161a41cde69cdeb0cd806e 2007.1/SRPMS/openafs-1.4.2-3.1mdv2007.1.src.rpm Mandriva Linux 2007.1/X86_64: bdb3839cfe0fc276aa7555eba6be98fb 2007.1/x86_64/dkms-libafs-1.4.2-3.1mdv2007.1.x86_64.rpm df407d1f16cc88952d1ca98aa40a272d 2007.1/x86_64/lib64openafs1-1.4.2-3.1mdv2007.1.x86_64.rpm 0295c0f5e7abca166dc6cdf264eb4f89 2007.1/x86_64/lib64openafs1-devel-1.4.2-3.1mdv2007.1.x86_64.rpm 9a6da83f844d159f33a60eb77365d737 2007.1/x86_64/openafs-1.4.2-3.1mdv2007.1.x86_64.rpm 02c3be035c0fd82ee110cc22b5d8556f 2007.1/x86_64/openafs-client-1.4.2-3.1mdv2007.1.x86_64.rpm f50541fbf4049a44bb3d18ec5e86f2c7 2007.1/x86_64/openafs-doc-1.4.2-3.1mdv2007.1.x86_64.rpm fa5907f7c52987a3bae025ddfbb056a9 2007.1/x86_64/openafs-server-1.4.2-3.1mdv2007.1.x86_64.rpm 347d09eeb8161a41cde69cdeb0cd806e 2007.1/SRPMS/openafs-1.4.2-3.1mdv2007.1.src.rpm Mandriva Linux 2008.0: 95e60cbbac6d339b98ce84f70b6b3b32 2008.0/i586/dkms-libafs-1.4.4-8.2mdv2008.0.i586.rpm ed989de74390d86ae0e372c1bfbef739 2008.0/i586/libopenafs1-1.4.4-8.2mdv2008.0.i586.rpm b6f4d164c16d1665cf89b40221177d4b 2008.0/i586/libopenafs1-devel-1.4.4-8.2mdv2008.0.i586.rpm b7b01d26a73d53dafba59ecdba0f589e 2008.0/i586/openafs-1.4.4-8.2mdv2008.0.i586.rpm 67e23acb150545d2725cde43312e5c10 2008.0/i586/openafs-client-1.4.4-8.2mdv2008.0.i586.rpm 40603c470a595475d0a4e26343ac1a50 2008.0/i586/openafs-doc-1.4.4-8.2mdv2008.0.i586.rpm c1512c6915d515588973ae8f4634f8f7 2008.0/i586/openafs-server-1.4.4-8.2mdv2008.0.i586.rpm 9844d673b334a84137fcf26d6f052190 2008.0/SRPMS/openafs-1.4.4-8.2mdv2008.0.src.rpm Mandriva Linux 2008.0/X86_64: 14f0314e4178ed4b328328051d666810 2008.0/x86_64/dkms-libafs-1.4.4-8.2mdv2008.0.x86_64.rpm bd81cfc546181523331124824d37214d 2008.0/x86_64/lib64openafs1-1.4.4-8.2mdv2008.0.x86_64.rpm 95a655890d0302c239d6f171adce4044 2008.0/x86_64/lib64openafs1-devel-1.4.4-8.2mdv2008.0.x86_64.rpm ed9312e42b2534ed062e03f4b90a75d6 2008.0/x86_64/openafs-1.4.4-8.2mdv2008.0.x86_64.rpm dbb0957bc6dde30f4f32ae3b47182a2d 2008.0/x86_64/openafs-client-1.4.4-8.2mdv2008.0.x86_64.rpm 7aeb5a0b3cfa42dc299c36847d385a87 2008.0/x86_64/openafs-doc-1.4.4-8.2mdv2008.0.x86_64.rpm e978a2ac93085f038cfce9c2392700b8 2008.0/x86_64/openafs-server-1.4.4-8.2mdv2008.0.x86_64.rpm 9844d673b334a84137fcf26d6f052190 2008.0/SRPMS/openafs-1.4.4-8.2mdv2008.0.src.rpm ___ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com ___ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (GNU/Linux) iD8DBQFI4RTxmqjQ0CJFipgRAnOJAJ9BRllXkQYwi6d3c1K5MkSj7bmLrQCdHQ9a GJXshVIV3rsb4dMvp1DM6Aw= =9/0Q -END PGP SIGNATURE- __
[Full-disclosure] WordPress MU < 2.6 wpmu-blogs.php Crose Site Scrpting vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - Security Advisory - - - WordPress MU < 2.6 wpmu-blogs.php Crose Site Scrpting vulnerability - - --- Product: Wordpress-MU (multi-user) Version: Versions prior to 2.6 are affected Url: http://mu.wordpress.org Affected by: Coss Site Scripting Attack I. Introduction. Wordpress-MU, or multi-user, allows to run unlimited blogs with a single install of wordpress. It's widely used, some examples are WordPress.com or universities like Harvard II. Description and Impact Wordpress-MU is affected by a Cross Site Scripting vulnerability, an attacker can perform an XSS attack that allows him to access the targeted user cookies to gain administrator privileges In /wp-admin/wpmu-blogs.php an attacker can inject javascript code, the input variables "s" and "ip_address" of GET method aren't properly sanitized Here is a poc: PoC: http://site/path/wp-admin/wpmu-blogs.php?action=blogs&s=%27[XSS] PoC: http://site/path/wp-admin/wpmu-blogs.php?action=blogs&ip_address=%27[XSS] The impact is the attacker can gain administrator privileges on the application. III. Timeline May 14th, 2008 - Bug discovered May 14th, 2008 - Vendor contacted and the start of a syncronized code patching May 16th, 2008 - MU trunk code fixed July 28th, 2008 - WPMU 2.6 released September 2nd, 2008 - WPMU 2.6.1 released September 29th, 2008 - Security advisory released IV. Solution Upgrade to version 2.6 or upper of wordpress multi-user. It can be downloaded from http://mu.wordpress.org V. Credits Juan Galiana Lara http://blogs.ua.es/jgaliana -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.6 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFI4UoerJ7V/gP9Hy8RArw3AJkB1a1sgO5T9dvO9tbU0/QxE8DxFQCeJCiw yFDGBIx6Q5oyIKNEq4ZZ4Wc= =uQu6 -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] THC releases video and tool to create fake ePassports
http://blog.thc.org/index.php?/archives/4-The-Risk-of-ePassports-and-RFID.html http://freeworld.thc.org/thc-epassport/ 29th September 2008 THC/vonJeek proudly presents an ePassport emulator. This emulator applet allows you to create a backup of your own passport chip(s). A video demonstrating the weakness is available at http://freeworld.thc.org/thc-epassport/ The government plans to use ePassports at Immigration and Border Control. The information is electronically read from the Passport and displayed to a Border Control Officer or used by an automated setup. THC has discovered weaknesses in the system to (by)pass the security checks. The detection of fake passport chips is no longer working. Test setups do not raise alerts when a modified chip is used. This enables an attacker to create a Passport with an altered Picture, Name, DoB, Nationality and other credentials. This manipulated information is displayed without any alarms going off. The exploitation of this loophole is trivial and can be verified using thc-epassport. Regardless how good the intention of the government might have been, the facts are that tested implementations of the ePassports Inspection System are not secure. ePassports give us a false sense of security: We are made to believe that they make use more secure. I'm afraid that's not true: current ePassport implementations don't add security at all. Yours sincerely, vonjeek [at] thc dot org The Hackers Choice http://www.thc.org ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] [inbox] Re: Supporters urge halt to, hacker's, extradition to US
So you guys are saying that if I forget my keys in my car and the door unlocked that it's not a crime to steal my car? It's not a crime to NOT lock your house, but it's still a crime to open that door and take that big screen tv if you're not the owner... Doesn't matter if he willfully caused damage or not, he still caused that damage, he's still a criminal. The details will have to come out in court, and they will. Either in the US or in the UK, doesn't matter... He's a criminal, period... He should be treated as such... Exibar -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of n3td3v Sent: Monday, September 29, 2008 11:24 AM To: full-disclosure@lists.grok.org.uk; n3td3v; [EMAIL PROTECTED] Subject: [inbox] Re: [Full-disclosure] Supporters urge halt to, hacker's,extradition to US I just think someone from the military should be in the dock as well!!! This wasn't a one sided security incident, sloppy admins were involved in the 'threat to national security' that Gary Mckinnon supposedly posed. The passwords on the systems weren't set, if it wasn't Gary Mckinnon it was going to be some other script kid who got in. I don't know why the military are making a big deal about what happened, when ultimately its their I.T security staff who were the main culprits of blame. Accoriding to Gary Mckinnon, there were lots of script kids in the systems at the same time as him, they just decided to pick him out of the crowd to make an example of the activity that was going on. This should be a non-issue that should have been delt with internally in the military, the I.T security staff blamed and the script kids left to go on their humble way. When the way of intrusion is this lame, and its obvious the blame is on the I.T security staff, then I don't think they should waste everyone's time herding one of the script kid across the atlantic, just to keep America's nation pride in tact. Geez fucking christ, it was totally the military's fault, there is no get out clause. On Mon, Sep 29, 2008 at 4:00 PM, Kyrian <[EMAIL PROTECTED]> wrote: > Folks, > > Thanks to "Exibar" for the (likely) clarification. No issue in converting > from metric, incidentally ;-) > > I will check out the links you provided this evening and make up my own mind. > ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] [inbox] Re: Supporters urge halt to, hacker's, extradition to US
nobody could be so stupid to leave their car door unlocked, ::blush:: the u.s military did, then gary mckinnon left a note on their wind screen wiper to say, look guys, you left your door unlocked, maybe you should fix it. the u.s military come back to the car, and claim the inside of the car has been damaged, but no proof it was gary mckinnon who did it, when their were plenty other people who could have walked past the same car and done something to it. the u.s decide they can't prove it was gary mckinnon who did the damage, because all they've got is the note on the wind screen wiper saying, you left your door unlocked, maybe you should fix it. next we know, the kid is being extradited to the u.s on charges of carrying out the biggest car crime of all time, and they change the law to say, actually we don't need proof you caused the damage or that any damage existed, we're blaming you anyway. by the way, we're giving you 60 years and you're never going to see your friends and family ever again. On Mon, Sep 29, 2008 at 10:57 PM, Exibar <[EMAIL PROTECTED]> wrote: > So you guys are saying that if I forget my keys in my car and the door > unlocked that it's not a crime to steal my car? > It's not a crime to NOT lock your house, but it's still a crime to open > that door and take that big screen tv if you're not the owner... > > Doesn't matter if he willfully caused damage or not, he still caused that > damage, he's still a criminal. The details will have to come out in court, > and they will. Either in the US or in the UK, doesn't matter... > > He's a criminal, period... He should be treated as such... > > Exibar > > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of n3td3v > Sent: Monday, September 29, 2008 11:24 AM > To: full-disclosure@lists.grok.org.uk; n3td3v; [EMAIL PROTECTED] > Subject: [inbox] Re: [Full-disclosure] Supporters urge halt to, > hacker's,extradition to US > > I just think someone from the military should be in the dock as > well!!! This wasn't a one sided security incident, sloppy admins were > involved in the 'threat to national security' that Gary Mckinnon > supposedly posed. > > The passwords on the systems weren't set, if it wasn't Gary Mckinnon > it was going to be some other script kid who got in. > > I don't know why the military are making a big deal about what > happened, when ultimately its their I.T security staff who were the > main culprits of blame. > > Accoriding to Gary Mckinnon, there were lots of script kids in the > systems at the same time as him, they just decided to pick him out of > the crowd to make an example of the activity that was going on. > > This should be a non-issue that should have been delt with internally > in the military, the I.T security staff blamed and the script kids > left to go on their humble way. > > When the way of intrusion is this lame, and its obvious the blame is > on the I.T security staff, then I don't think they should waste > everyone's time herding one of the script kid across the atlantic, > just to keep America's nation pride in tact. > > Geez fucking christ, it was totally the military's fault, there is no > get out clause. > > On Mon, Sep 29, 2008 at 4:00 PM, Kyrian <[EMAIL PROTECTED]> wrote: >> Folks, >> >> Thanks to "Exibar" for the (likely) clarification. No issue in converting >> from metric, incidentally ;-) >> >> I will check out the links you provided this evening and make up my own > mind. >> > > ___ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > > ___ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [ MDVSA-2008:208 ] pam_mount
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ___ Mandriva Linux Security Advisory MDVSA-2008:208 http://www.mandriva.com/security/ ___ Package : pam_mount Date: September 29, 2008 Affected: 2007.1, 2008.0, 2008.1, Corporate 4.0 ___ Problem Description: pam_mount 0.10 through 0.45, when luserconf is enabled, does not verify mountpoint and source ownership before mounting a user-defined volume, which allows local users to bypass intended access restrictions via a local mount. The updated packages have been patched to fix the issue. ___ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3970 ___ Updated Packages: Mandriva Linux 2007.1: dabe7e010c95879959959e4804ae83cb 2007.1/i586/pam_mount-0.17-1.1mdv2007.1.i586.rpm b237206c3e85a63b0e733a7db02fcba1 2007.1/i586/pam_mount-devel-0.17-1.1mdv2007.1.i586.rpm c81ceb5ccab44675322db02cdc5cc972 2007.1/SRPMS/pam_mount-0.17-1.1mdv2007.1.src.rpm Mandriva Linux 2007.1/X86_64: db7d0a5b43608ce1741bfbcb75dccc88 2007.1/x86_64/pam_mount-0.17-1.1mdv2007.1.x86_64.rpm c18edd6508f15bb3bdf041baa8021df8 2007.1/x86_64/pam_mount-devel-0.17-1.1mdv2007.1.x86_64.rpm c81ceb5ccab44675322db02cdc5cc972 2007.1/SRPMS/pam_mount-0.17-1.1mdv2007.1.src.rpm Mandriva Linux 2008.0: 14582d4c7f686e67632d9603b33a16f6 2008.0/i586/pam_mount-0.17-1.1mdv2008.0.i586.rpm e909ab0be3d5e979500ce026c6d47217 2008.0/i586/pam_mount-devel-0.17-1.1mdv2008.0.i586.rpm 96406b251d1096347fbd9d699d158e53 2008.0/SRPMS/pam_mount-0.17-1.1mdv2008.0.src.rpm Mandriva Linux 2008.0/X86_64: 7e30f80f0b113a9c0f9089452eba9e66 2008.0/x86_64/pam_mount-0.17-1.1mdv2008.0.x86_64.rpm b0e1455f76a67b2def22fb84b3c835df 2008.0/x86_64/pam_mount-devel-0.17-1.1mdv2008.0.x86_64.rpm 96406b251d1096347fbd9d699d158e53 2008.0/SRPMS/pam_mount-0.17-1.1mdv2008.0.src.rpm Mandriva Linux 2008.1: 0f3271419c28fadaa6420438d7f434ac 2008.1/i586/pam_mount-0.33-2.1mdv2008.1.i586.rpm eec908414e3a3b50141821b4628c91e5 2008.1/SRPMS/pam_mount-0.33-2.1mdv2008.1.src.rpm Mandriva Linux 2008.1/X86_64: 3235bba384d4a2692b557b6a14ae1779 2008.1/x86_64/pam_mount-0.33-2.1mdv2008.1.x86_64.rpm eec908414e3a3b50141821b4628c91e5 2008.1/SRPMS/pam_mount-0.33-2.1mdv2008.1.src.rpm Corporate 4.0: 19f2eb0aacfc918f263797734665bd33 corporate/4.0/i586/pam_mount-0.10.0-5.1.20060mlcs4.i586.rpm 74d983393ad8d8f288df52b682e5423d corporate/4.0/i586/pam_mount-devel-0.10.0-5.1.20060mlcs4.i586.rpm 55b755782e2b61a013e60d397f1cfbbd corporate/4.0/SRPMS/pam_mount-0.10.0-5.1.20060mlcs4.src.rpm Corporate 4.0/X86_64: 5e1cd73d9ab0d15e95333e0aac62c6ed corporate/4.0/x86_64/pam_mount-0.10.0-5.1.20060mlcs4.x86_64.rpm 1a4fef46e82af0950bc034fceec01285 corporate/4.0/x86_64/pam_mount-devel-0.10.0-5.1.20060mlcs4.x86_64.rpm 55b755782e2b61a013e60d397f1cfbbd corporate/4.0/SRPMS/pam_mount-0.10.0-5.1.20060mlcs4.src.rpm ___ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com ___ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (GNU/Linux) iD8DBQFI4WslmqjQ0CJFipgRAq38AJ4jpfUyilElpY6Aa4LI9GG+z+xNaQCg7N0y 7BYibBFP7vLxAmXsoT3KJM8= =6PJX -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] [inbox] Re: Supporters urge halt to, hacker's, extradition to US
Whilst I agree that criminal actions should be met with criminal consequences, 60 years for breaking (I use the term losely) into shittily protected systems is absurd. You do less time for murder in most places. I wonder, if he was an American citizen, would he have been charged with treason and executed? On Tue, Sep 30, 2008 at 7:57 AM, Exibar <[EMAIL PROTECTED]> wrote: > So you guys are saying that if I forget my keys in my car and the door > unlocked that it's not a crime to steal my car? > It's not a crime to NOT lock your house, but it's still a crime to open > that door and take that big screen tv if you're not the owner... > > Doesn't matter if he willfully caused damage or not, he still caused that > damage, he's still a criminal. The details will have to come out in court, > and they will. Either in the US or in the UK, doesn't matter... > > He's a criminal, period... He should be treated as such... > > Exibar > > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of n3td3v > Sent: Monday, September 29, 2008 11:24 AM > To: full-disclosure@lists.grok.org.uk; n3td3v; [EMAIL PROTECTED] > Subject: [inbox] Re: [Full-disclosure] Supporters urge halt to, > hacker's,extradition to US > > I just think someone from the military should be in the dock as > well!!! This wasn't a one sided security incident, sloppy admins were > involved in the 'threat to national security' that Gary Mckinnon > supposedly posed. > > The passwords on the systems weren't set, if it wasn't Gary Mckinnon > it was going to be some other script kid who got in. > > I don't know why the military are making a big deal about what > happened, when ultimately its their I.T security staff who were the > main culprits of blame. > > Accoriding to Gary Mckinnon, there were lots of script kids in the > systems at the same time as him, they just decided to pick him out of > the crowd to make an example of the activity that was going on. > > This should be a non-issue that should have been delt with internally > in the military, the I.T security staff blamed and the script kids > left to go on their humble way. > > When the way of intrusion is this lame, and its obvious the blame is > on the I.T security staff, then I don't think they should waste > everyone's time herding one of the script kid across the atlantic, > just to keep America's nation pride in tact. > > Geez fucking christ, it was totally the military's fault, there is no > get out clause. > > On Mon, Sep 29, 2008 at 4:00 PM, Kyrian <[EMAIL PROTECTED]> wrote: >> Folks, >> >> Thanks to "Exibar" for the (likely) clarification. No issue in converting >> from metric, incidentally ;-) >> >> I will check out the links you provided this evening and make up my own > mind. >> > > ___ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > > ___ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/