[Full-disclosure] [USN-814-1] openjdk-6 vulnerabilities

2009-08-10 Thread Kees Cook
===
Ubuntu Security Notice USN-814-1                       August 11, 2009
openjdk-6 vulnerabilities
CVE-2009-0217, CVE-2009-2475, CVE-2009-2476, CVE-2009-2625,
CVE-2009-2670, CVE-2009-2671, CVE-2009-2672, CVE-2009-2673,
CVE-2009-2674, CVE-2009-2675, CVE-2009-2676, CVE-2009-2690
===

A security issue affects the following Ubuntu releases:

Ubuntu 8.10
Ubuntu 9.04

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 8.10:
  icedtea6-plugin 6b12-0ubuntu6.5
  openjdk-6-jre   6b12-0ubuntu6.5
  openjdk-6-jre-lib   6b12-0ubuntu6.5

Ubuntu 9.04:
  icedtea6-plugin 6b14-1.4.1-0ubuntu11
  openjdk-6-jre   6b14-1.4.1-0ubuntu11
  openjdk-6-jre-lib   6b14-1.4.1-0ubuntu11

After a standard system upgrade you need to restart any Java applications
to effect the necessary changes.

Details follow:

It was discovered that the XML HMAC signature system did not
correctly check certain lengths.  If an attacker sent a truncated
HMAC, it could bypass authentication, leading to potential privilege
escalation. (CVE-2009-0217)

It was discovered that certain variables could leak information.  If a
user were tricked into running a malicious Java applet, a remote attacker
could exploit this to gain access to private information and potentially
run untrusted code. (CVE-2009-2475, CVE-2009-2690)

A flaw was discovered in the OpenType checking.  If a user were tricked
into running a malicious Java applet, a remote attacker could bypass
access restrictions. (CVE-2009-2476)

It was discovered that the XML processor did not correctly check
recursion.  If a user or automated system were tricked into processing
a specially crafted XML, the system could crash, leading to a denial of
service. (CVE-2009-2625)

It was discovered that the Java audio subsystem did not correctly validate
certain parameters.  If a user were tricked into running an untrusted
applet, a remote attacker could read system properties.  (CVE-2009-2670)

Multiple flaws were discovered in the proxy subsystem.  If a user
were tricked into running an untrusted applet, a remote attacker could
discover local user names, obtain access to sensitive information, or
bypass socket restrictions, leading to a loss of privacy. (CVE-2009-2671,
CVE-2009-2672, CVE-2009-2673)

Flaws were discovered in the handling of JPEG images, Unpack200 archives,
and JDK13Services.  If a user were tricked into running an untrusted
applet, a remote attacker could load a specially crafted file that would
bypass local file access protections and run arbitrary code with user
privileges. (CVE-2009-2674, CVE-2009-2675, CVE-2009-2676, CVE-2009-2689)


Updated packages for Ubuntu 8.10:

  Source archives:


http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6_6b12-0ubuntu6.5.diff.gz
  Size/MD5:  1291365 2036bde9f3c71b58dafc7612dc78804d

http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6_6b12-0ubuntu6.5.dsc
  Size/MD5: 2358 01847c41f69f85e687dd0ed8c049fdec

http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6_6b12.orig.tar.gz
  Size/MD5: 54363262 f3aa01206f2192464b998fb7cc550686

  Architecture independent packages:


http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-doc_6b12-0ubuntu6.5_all.deb
  Size/MD5:  8469856 653355e1ce8f94aeaffe12c60861d398

http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-jre-lib_6b12-0ubuntu6.5_all.deb
  Size/MD5:  4710580 f593a6254fca5a1668c847d0422cdbd7

http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-source_6b12-0ubuntu6.5_all.deb
  Size/MD5: 25626358 073f5463f8ed680bd8a7562fd3dd945f

http://security.ubuntu.com/ubuntu/pool/universe/o/openjdk-6/openjdk-6-source-files_6b12-0ubuntu6.5_all.deb
  Size/MD5: 49155070 c12e075a52646a6389d708917efef472

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):


http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/icedtea6-plugin_6b12-0ubuntu6.5_amd64.deb
  Size/MD5:    81022 43cecad6c640c20a0b3268ae282c8a50

http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-dbg_6b12-0ubuntu6.5_amd64.deb
  Size/MD5: 47372846 d751aea9e5b00d5341fd715ce81142a0

http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-demo_6b12-0ubuntu6.5_amd64.deb
  Size/MD5:  2366088 584d1f98645b73ba9487a78d9b7e75a5

http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-jdk_6b12-0ubuntu6.5_amd64.deb
  Size/MD5:  9975740 d7fe73ef6e95a4b13f140adebc0ef1f4

http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-jre-headless_6b12-0ubuntu6.5_amd64.deb
  Size/MD5: 24283634 d663c65d160821ce445f96b003a5aa22

http://security.ubuntu.com/u
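The HMAC length problem described under CVE-2009-0217 in the notice above, as an added example in PHP (this is not code from the notice or from OpenJDK): a model of truncated-HMAC verification in which the claimed output length (the role HMACOutputLength plays in an XML signature) is taken from the signature itself, beside a version that enforces a minimum length before comparing. The key, message and tags are constructed here, and the floor of 80 bits and half the digest length is this example's assumption about the minimum a verifier should accept.

```php
<?php
// Added example, not code from the advisory or from OpenJDK: a model of
// truncated-HMAC verification. $bits plays the role of the output length
// that an XML signature carries alongside the tag.

const DIGEST_ALGO = 'sha1';   // 160-bit output
const DIGEST_BITS = 160;

/**
 * Compare the first $bits bits of HMAC(key, message) with the supplied tag.
 * Trusts $bits completely: with $bits = 0 both sides truncate to the empty
 * string, so any tag, even an empty one, verifies. With $bits = 8 a tag is
 * one of only 256 values. This is the class of flaw the notice describes.
 */
function verify_truncated_hmac_unsafe(string $key, string $message, string $tagHex, int $bits): bool {
    $nbytes   = intdiv($bits, 8);
    $expected = substr(hash_hmac(DIGEST_ALGO, $message, $key, true), 0, $nbytes);
    $given    = substr((string) hex2bin($tagHex), 0, $nbytes);
    return strlen($given) === $nbytes && hash_equals($expected, $given);
}

/**
 * Same comparison, but the claimed length is validated first: it must be a
 * whole number of bytes, no longer than the digest, and no shorter than the
 * floor (at least 80 bits and at least half the digest length; the exact
 * floor is this example's assumption). A bad length rejects the signature
 * outright rather than shrinking the comparison.
 */
function verify_truncated_hmac_safe(string $key, string $message, string $tagHex, int $bits): bool {
    $floor = max(80, intdiv(DIGEST_BITS, 2));
    if ($bits % 8 !== 0 || $bits < $floor || $bits > DIGEST_BITS) {
        return false;
    }
    return verify_truncated_hmac_unsafe($key, $message, $tagHex, $bits);
}

// Constructed demo values.
$key      = 'constructed-shared-secret';
$message  = '<Envelope>constructed signed content</Envelope>';
$goodTag  = hash_hmac(DIGEST_ALGO, $message, $key);   // full 160-bit tag, hex
$goodTag80 = substr($goodTag, 0, 20);                  // legitimately truncated to 80 bits

$cases = [
    ['genuine tag, 160 bits', $goodTag,   160],
    ['genuine tag, 80 bits',  $goodTag80, 80],
    ['empty tag, length 0',   '',         0],
];
foreach ($cases as [$label, $tag, $bits]) {
    printf("%-24s unsafe: %-5s safe: %s\n", $label,
        verify_truncated_hmac_unsafe($key, $message, $tag, $bits) ? 'true' : 'false',
        verify_truncated_hmac_safe($key, $message, $tag, $bits) ? 'true' : 'false');
}
```

Run with any PHP 7.1 or later interpreter. The genuine tags verify under both functions, including the one legitimately truncated to 80 bits; the empty tag with a claimed length of zero verifies only under the unsafe function, which is the authentication bypass the notice refers to. The general point for any verifier that accepts a caller-supplied truncation length: validate the length against a fixed floor before it influences how much of the tag is compared.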

Re: [Full-disclosure] WordPress <= 2.8.3 Remote admin reset password

2009-08-10 Thread g30rg3_x
Bug is confirmed...

WP team already issued a patch
http://core.trac.wordpress.org/changeset/11798

Nice find.

Regards

2009/8/11 laurent gaffie :
> Mr Fabio,
>
> You don't even understand the bug, so please shut the hell up.
>
>
>
>
>
>
> 2009/8/11 Fabio N Sarmento [ Gmail ] 
>>
>> if this is a bug, please close Twitter.com, MSN.com and other services,
>> because they have the same stupid "Reset password" service.
>>
>> So please make my day, and create a stupid script to flood with multiple
>> requests to reset password.
>>
>> LOL
>>
>> 2009/8/10 Jeremy Brown <0xjbrow...@gmail.com>
>>>
>>> I'm guessing you're not a Wordpress administrator, Fabio. Nice find
>>> Laurent, as usual.
>>>
>>> On Mon, Aug 10, 2009 at 10:48 PM, laurent
>>> gaffie wrote:
>>> > Oh ok.
>>> > Then, let's avoid that function.
>>> > If it's useless to have a function that validates a reset passwd before
>>> > resetting it, let's just avoid it smartass.
>>> >
>>> >
>>> > 2009/8/10 Fabio N Sarmento [ Gmail ] 
>>> >>
>>> >> There is no risk on this.
>>> >> It's just a little flaw, it doesn't break anything or put your admin
>>> >> access in risk.
>>> >>
>>> >> :-P to me , this vulnerability is more "BUZZ" than real deal. LOL
>>> >>
>>> >> 2009/8/10 laurent gaffie 
>>> >>>
>>> >>> Hi there,
>>> >>>
>>> >>> This wasn't tested on the 2.7* branch.
>>> >>> It has been tested on the  2.8.* branch, with php 5.3.0 & php 5.2.9 as
>>> >>> an
>>> >>> Apache 2.2.12 module, on a linux env.
>>> >>>
>>> >>>
>>> >>> Regards Laurent Gaffié
>>> >>>
>>> >>>
>>> >>>
>>> >>> 2009/8/10 Nicolas Valcárcel Scerpella
>>> >>> 
>>> 
>>>  I don't see the issue with wp 2.7.1
>>> 
>>>  On Mon, 10 Aug 2009, laurent gaffie wrote:
>>> 
>>>  > Errata:
>>>  >
>>>  > "V. BUSINESS IMPACT
>>>  > -
>>>  > An attacker could exploit this vulnerability to compromise the
>>>  > admin
>>>  > account
>>>  > of any wordpress/wordpress-mu <= 2.8.3"
>>>  >
>>>  > -->
>>>  >
>>>  > "V. BUSINESS IMPACT
>>>  > -
>>>  > An attacker could exploit this vulnerability to reset the admin
>>>  > account of
>>>  > any wordpress/wordpress-mu <= 2.8.3"
>>>  >
>>>  >
>>>  > Regards Laurent Gaffié
>>>  >
>>>  >
>>>  > 2009/8/10 laurent gaffie 
>>>  >
>>>  > > =
>>>  > > - Release date: August 10th, 2009
>>>  > > - Discovered by: Laurent Gaffié
>>>  > > - Severity: Medium
>>>  > > =
>>>  > >
>>>  > > I. VULNERABILITY
>>>  > > -
>>>  > > WordPress <= 2.8.3 Remote admin reset password
>>>  > >
>>>  > > II. BACKGROUND
>>>  > > -
>>>  > > WordPress is a state-of-the-art publishing platform with a focus
>>>  > > on
>>>  > > aesthetics, web standards, and usability.
>>>  > > WordPress is both free and priceless at the same time.
>>>  > > More simply, WordPress is what you use when you want to work
>>>  > > with
>>>  > > your
>>>  > > blogging software, not fight it.
>>>  > >
>>>  > > III. DESCRIPTION
>>>  > > -
>>>  > > The way Wordpress handles a password reset looks like this:
>>>  > > You submit your email address or username via this form
>>>  > > /wp-login.php?action=lostpassword ;
>>>  > > Wordpress sends you a reset confirmation like this via email:
>>>  > >
>>>  > > "
>>>  > > Someone has asked to reset the password for the following site
>>>  > > and
>>>  > > username.
>>>  > > http://DOMAIN_NAME.TLD/wordpress
>>>  > > Username: admin
>>>  > > To reset your password visit the following address, otherwise
>>>  > > just
>>>  > > ignore
>>>  > > this email and nothing will happen
>>>  > >
>>>  > >
>>>  > >
>>>  > >
>>>  > > http://DOMAIN_NAME.TLD/wordpress/wp-login.php?action=rp&key=o7naCKN3OoeU2KJMMsag
>>>  > > "
>>>  > >
>>>  > > You click on the link, and then Wordpress resets your admin
>>>  > > password,
>>>  > > and
>>>  > > sends you over another email with your new credentials.
>>>  > >
>>>  > > Let's see how it works:
>>>  > >
>>>  > >
>>>  > > wp-login.php:
>>>  > > ...[snip]
>>>  > > line 186:
>>>  > > function reset_password($key) {
>>>  > >     global $wpdb;
>>>  > >
>>>  > >     $key = preg_replace('/[^a-z0-9]/i', '', $key);
>>>  > >
>>>  > >     if ( empty( $key ) )
>>>  > >         return new WP_Error('invalid_key', __('Invalid key'));
>>>  > >
>>>  > >     $user = $wpdb->get_row($wpdb->prepare("SELECT * FROM
>>>  > > $wpdb->users WHERE
>>>  > > user_activation_key = %s", $key));
>>>  > >     if ( empty( $user ) )
>>>  > >         return new WP_Error('invalid_key', __('Invalid key'));
>>>  > > ...[s

Re: [Full-disclosure] WordPress <= 2.8.3 Remote admin reset password

2009-08-10 Thread laurent gaffie
Mr Fabio,

You don't even understand the bug, so please shut the hell up.






2009/8/11 Fabio N Sarmento [ Gmail ] 

> if this is a bug, please close Twitter.com, MSN.com and other services,
> because they have the same stupid "Reset password" service.
>
> So please make my day, and create a stupid script to flood with multiple
> requests to reset password.
>
> LOL
>
> 2009/8/10 Jeremy Brown <0xjbrow...@gmail.com>
>
> I'm guessing you're not a Wordpress administrator, Fabio. Nice find
>> Laurent, as usual.
>>
>> On Mon, Aug 10, 2009 at 10:48 PM, laurent
>> gaffie wrote:
>> > Oh ok.
>> > Then, let's avoid that function.
>> > If it's useless to have a function that validates a reset passwd before
>> > resetting it, let's just avoid it smartass.
>> >
>> >
>> > 2009/8/10 Fabio N Sarmento [ Gmail ] 
>> >>
>> >> There is no risk on this.
>> >> It's just a little flaw, it doesn't break anything or put your admin
>> >> access in risk.
>> >>
>> >> :-P to me , this vulnerability is more "BUZZ" than real deal. LOL
>> >>
>> >> 2009/8/10 laurent gaffie 
>> >>>
>> >>> Hi there,
>> >>>
>> >>> This wasn't tested on the 2.7* branch.
>> >>> It has been tested on the  2.8.* branch, with php 5.3.0 & php 5.2.9 as
>> an
>> >>> Apache 2.2.12 module, on a linux env.
>> >>>
>> >>>
>> >>> Regards Laurent Gaffié
>> >>>
>> >>>
>> >>>
>> >>> 2009/8/10 Nicolas Valcárcel Scerpella <
>> nicolas.valcar...@canonical.com>
>> 
>>  I don't see the issue with wp 2.7.1
>> 
>>  On Mon, 10 Aug 2009, laurent gaffie wrote:
>> 
>>  > Errata:
>>  >
>>  > "V. BUSINESS IMPACT
>>  > -
>>  > An attacker could exploit this vulnerability to compromise the
>> admin
>>  > account
>>  > of any wordpress/wordpress-mu <= 2.8.3"
>>  >
>>  > -->
>>  >
>>  > "V. BUSINESS IMPACT
>>  > -
>>  > An attacker could exploit this vulnerability to reset the admin
>>  > account of
>>  > any wordpress/wordpress-mu <= 2.8.3"
>>  >
>>  >
>>  > Regards Laurent Gaffié
>>  >
>>  >
>>  > 2009/8/10 laurent gaffie 
>>  >
>>  > > =
>>  > > - Release date: August 10th, 2009
>>  > > - Discovered by: Laurent Gaffié
>>  > > - Severity: Medium
>>  > > =
>>  > >
>>  > > I. VULNERABILITY
>>  > > -
>>  > > WordPress <= 2.8.3 Remote admin reset password
>>  > >
>>  > > II. BACKGROUND
>>  > > -
>>  > > WordPress is a state-of-the-art publishing platform with a focus
>> on
>>  > > aesthetics, web standards, and usability.
>>  > > WordPress is both free and priceless at the same time.
>>  > > More simply, WordPress is what you use when you want to work with
>>  > > your
>>  > > blogging software, not fight it.
>>  > >
>>  > > III. DESCRIPTION
>>  > > -
>>  > > The way Wordpress handles a password reset looks like this:
>>  > > You submit your email address or username via this form
>>  > > /wp-login.php?action=lostpassword ;
>>  > > Wordpress sends you a reset confirmation like this via email:
>>  > >
>>  > > "
>>  > > Someone has asked to reset the password for the following site
>> and
>>  > > username.
>>  > > http://DOMAIN_NAME.TLD/wordpress
>>  > > Username: admin
>>  > > To reset your password visit the following address, otherwise
>> just
>>  > > ignore
>>  > > this email and nothing will happen
>>  > >
>>  > >
>>  > >
>>  > >
>> http://DOMAIN_NAME.TLD/wordpress/wp-login.php?action=rp&key=o7naCKN3OoeU2KJMMsag
>>  > > "
>>  > >
>>  > > You click on the link, and then Wordpress resets your admin
>> password,
>>  > > and
>>  > > sends you over another email with your new credentials.
>>  > >
>>  > > Let's see how it works:
>>  > >
>>  > >
>>  > > wp-login.php:
>>  > > ...[snip]
>>  > > line 186:
>>  > > function reset_password($key) {
>>  > > global $wpdb;
>>  > >
>>  > > $key = preg_replace('/[^a-z0-9]/i', '', $key);
>>  > >
>>  > > if ( empty( $key ) )
>>  > > return new WP_Error('invalid_key', __('Invalid key'));
>>  > >
>>  > > $user = $wpdb->get_row($wpdb->prepare("SELECT * FROM
>>  > > $wpdb->users WHERE
>>  > > user_activation_key = %s", $key));
>>  > > if ( empty( $user ) )
>>  > > return new WP_Error('invalid_key', __('Invalid key'));
>>  > > ...[snip]
>>  > > line 276:
>>  > > $action = isset($_REQUEST['action']) ? $_REQUEST['action'] :
>>  > > 'login';
>>  > > $errors = new WP_Error();
>>  > >
>>  > > if ( isset($_GET['key']) )
>>  > > $action = 'resetpass';
>>  > >
>>  > > // validate action so as to default to the login screen
>>  > > if ( 

Re: [Full-disclosure] WordPress <= 2.8.3 Remote admin reset password

2009-08-10 Thread laurent gaffie
Dude, your email is more funny than serious.
It's a pure troll.
Whatever from now on.
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] WordPress <= 2.8.3 Remote admin reset password

2009-08-10 Thread laurent gaffie
"Rafal M. Los
Security & IT Risk Strategist"

where  ?

@home ?
oh boy.



2009/8/11 Rafal M. Los 

>  Empty reply... on purpose or...?
> .
>
> Rafal
>
>  *From:* laurent gaffie 
> *Sent:* Monday, August 10, 2009 11:43 PM
> *To:* Rafal M. Los 
> *Subject:* Re: [Full-disclosure] WordPress <= 2.8.3 Remote admin reset
> password
>
>
>
> 2009/8/11 Rafal M. Los 
>
>>  Hi Laurent,
>> Pardon my stupidity... I seem to be missing something tonight.  Can
>> you explain a little further for someone who doesn’t have coding (php)
>> background?  What would the "attacker" submit as a query to the server?
>> What specifically triggers the vulnerability?
>> .
>>
>> Rafal M. Los
>> Security & IT Risk Strategist
>>
>>  - Blog: http://preachsecurity.blogspot.com
>>  - LinkedIn:  http://www.linkedin.com/in/rmlos
>>  - Twitter: http://twitter.com/RafalLos
>>
>>  *From:* laurent gaffie 
>> *Sent:* Monday, August 10, 2009 9:09 PM
>> *To:* full-disclosure@lists.grok.org.uk
>> *Subject:* [Full-disclosure] WordPress <= 2.8.3 Remote admin reset
>> password
>>
>> =
>> - Release date: August 10th, 2009
>> - Discovered by: Laurent Gaffié
>> - Severity: Medium
>> =
>>
>> I. VULNERABILITY
>> -
>> WordPress <= 2.8.3 Remote admin reset password
>>
>> II. BACKGROUND
>> -
>> WordPress is a state-of-the-art publishing platform with a focus on
>> aesthetics, web standards, and usability.
>> WordPress is both free and priceless at the same time.
>> More simply, WordPress is what you use when you want to work with your
>> blogging software, not fight it.
>>
>> III. DESCRIPTION
>> -
>> The way Wordpress handles a password reset looks like this:
>> You submit your email address or username via this form
>> /wp-login.php?action=lostpassword ;
>> Wordpress sends you a reset confirmation like this via email:
>>
>> "
>> Someone has asked to reset the password for the following site and
>> username.
>> http://DOMAIN_NAME.TLD/wordpress
>> Username: admin
>> To reset your password visit the following address, otherwise just ignore
>> this email and nothing will happen
>>
>>
>> http://DOMAIN_NAME.TLD/wordpress/wp-login.php?action=rp&key=o7naCKN3OoeU2KJMMsag
>> "
>>
>> You click on the link, and then Wordpress resets your admin password, and
>> sends you over another email with your new credentials.
>>
>> Let's see how it works:
>>
>>
>> wp-login.php:
>> ...[snip]
>> line 186:
>> function reset_password($key) {
>> global $wpdb;
>>
>> $key = preg_replace('/[^a-z0-9]/i', '', $key);
>>
>> if ( empty( $key ) )
>> return new WP_Error('invalid_key', __('Invalid key'));
>>
>> $user = $wpdb->get_row($wpdb->prepare("SELECT * FROM $wpdb->users
>> WHERE user_activation_key = %s", $key));
>> if ( empty( $user ) )
>> return new WP_Error('invalid_key', __('Invalid key'));
>> ...[snip]
>> line 276:
>> $action = isset($_REQUEST['action']) ? $_REQUEST['action'] : 'login';
>> $errors = new WP_Error();
>>
>> if ( isset($_GET['key']) )
>> $action = 'resetpass';
>>
>> // validate action so as to default to the login screen
>> if ( !in_array($action, array('logout', 'lostpassword',
>> 'retrievepassword', 'resetpass', 'rp', 'register', 'login')) && false ===
>> has_filter('login_form_' . $action) )
>> $action = 'login';
>> ...[snip]
>>
>> line 370:
>>
>> break;
>>
>> case 'resetpass' :
>> case 'rp' :
>> $errors = reset_password($_GET['key']);
>>
>> if ( ! is_wp_error($errors) ) {
>> wp_redirect('wp-login.php?checkemail=newpass');
>> exit();
>> }
>>
>> wp_redirect('wp-login.php?action=lostpassword&error=invalidkey');
>> exit();
>>
>> break;
>> ...[snip ]...
>>
>> You can abuse the password reset function, and bypass the first step and
>> then reset the admin password by submitting an array to the $key variable.
>>
>>
>> IV. PROOF OF CONCEPT
>> -
>> A web browser is sufficient to reproduce this Proof of concept:
>> http://DOMAIN_NAME.TLD/wp-login.php?action=rp&key[]=
>> The password will be reset without any confirmation.
>>
>> V. BUSINESS IMPACT
>> -
>> An attacker could exploit this vulnerability to compromise the admin
>> account of any wordpress/wordpress-mu <= 2.8.3
>>
>> VI. SYSTEMS AFFECTED
>> -
>> All
>>
>> VII. SOLUTION
>> -
>> No patch available for the moment.
>>
>> VIII. REFERENCES
>> -
>> http://www.wordpress.org
>>
>> IX. CREDITS
>> -
>> This vulnerability has been discovered by Laurent Gaffié
>> Laurent.gaffie{remove-this}(at)gmail.com
>> I'd like to shoot some greetz to securityreason.com for their great
>> research on PHP, as for this under-estimated vulnerability discovered by
>> Maksymilian Arciemowicz :
>> h

Re: [Full-disclosure] WordPress <= 2.8.3 Remote admin reset password

2009-08-10 Thread laurent gaffie
Hi there,
"What would the "attacker" submit as a query to the server?"

Simply:
/wp-login.php?action=rp&key[]=

And the admin passwd would be reset.

Regards.


2009/8/11 Rafal M. Los 

>  Hi Laurent,
> Pardon my stupidity... I seem to be missing something tonight.  Can
> you explain a little further for someone who doesn’t have coding (php)
> background?  What would the "attacker" submit as a query to the server?
> What specifically triggers the vulnerability?
> .
>
> Rafal M. Los
> Security & IT Risk Strategist
>
>  - Blog: http://preachsecurity.blogspot.com
>  - LinkedIn:  http://www.linkedin.com/in/rmlos
>  - Twitter: http://twitter.com/RafalLos
>
>  *From:* laurent gaffie 
> *Sent:* Monday, August 10, 2009 9:09 PM
> *To:* full-disclosure@lists.grok.org.uk
> *Subject:* [Full-disclosure] WordPress <= 2.8.3 Remote admin reset
> password
>
> =
> - Release date: August 10th, 2009
> - Discovered by: Laurent Gaffié
> - Severity: Medium
> =
>
> I. VULNERABILITY
> -
> WordPress <= 2.8.3 Remote admin reset password
>
> II. BACKGROUND
> -
> WordPress is a state-of-the-art publishing platform with a focus on
> aesthetics, web standards, and usability.
> WordPress is both free and priceless at the same time.
> More simply, WordPress is what you use when you want to work with your
> blogging software, not fight it.
>
> III. DESCRIPTION
> -
> The way Wordpress handles a password reset looks like this:
> You submit your email address or username via this form
> /wp-login.php?action=lostpassword ;
> Wordpress sends you a reset confirmation like this via email:
>
> "
> Someone has asked to reset the password for the following site and
> username.
> http://DOMAIN_NAME.TLD/wordpress
> Username: admin
> To reset your password visit the following address, otherwise just ignore
> this email and nothing will happen
>
>
> http://DOMAIN_NAME.TLD/wordpress/wp-login.php?action=rp&key=o7naCKN3OoeU2KJMMsag
> "
>
> You click on the link, and then Wordpress resets your admin password, and
> sends you over another email with your new credentials.
>
> Let's see how it works:
>
>
> wp-login.php:
> ...[snip]
> line 186:
> function reset_password($key) {
> global $wpdb;
>
> $key = preg_replace('/[^a-z0-9]/i', '', $key);
>
> if ( empty( $key ) )
> return new WP_Error('invalid_key', __('Invalid key'));
>
> $user = $wpdb->get_row($wpdb->prepare("SELECT * FROM $wpdb->users WHERE
> user_activation_key = %s", $key));
> if ( empty( $user ) )
> return new WP_Error('invalid_key', __('Invalid key'));
> ...[snip]
> line 276:
> $action = isset($_REQUEST['action']) ? $_REQUEST['action'] : 'login';
> $errors = new WP_Error();
>
> if ( isset($_GET['key']) )
> $action = 'resetpass';
>
> // validate action so as to default to the login screen
> if ( !in_array($action, array('logout', 'lostpassword', 'retrievepassword',
> 'resetpass', 'rp', 'register', 'login')) && false ===
> has_filter('login_form_' . $action) )
> $action = 'login';
> ...[snip]
>
> line 370:
>
> break;
>
> case 'resetpass' :
> case 'rp' :
> $errors = reset_password($_GET['key']);
>
> if ( ! is_wp_error($errors) ) {
> wp_redirect('wp-login.php?checkemail=newpass');
> exit();
> }
>
> wp_redirect('wp-login.php?action=lostpassword&error=invalidkey');
> exit();
>
> break;
> ...[snip ]...
>
> You can abuse the password reset function, and bypass the first step and
> then reset the admin password by submitting an array to the $key variable.
>
>
> IV. PROOF OF CONCEPT
> -
> A web browser is sufficient to reproduce this Proof of concept:
> http://DOMAIN_NAME.TLD/wp-login.php?action=rp&key[]=
> The password will be reset without any confirmation.
>
> V. BUSINESS IMPACT
> -
> An attacker could exploit this vulnerability to compromise the admin
> account of any wordpress/wordpress-mu <= 2.8.3
>
> VI. SYSTEMS AFFECTED
> -
> All
>
> VII. SOLUTION
> -
> No patch available for the moment.
>
> VIII. REFERENCES
> -
> http://www.wordpress.org
>
> IX. CREDITS
> -
> This vulnerability has been discovered by Laurent Gaffié
> Laurent.gaffie{remove-this}(at)gmail.com
> I'd like to shoot some greetz to securityreason.com for their great
> research on PHP, as for this under-estimated vulnerability discovered by
> Maksymilian Arciemowicz :
> http://securityreason.com/achievement_securityalert/38
>
> X. REVISION HISTORY
> -
> August 10th, 2009: Initial release
>
> XI. LEGAL NOTICES
> -
> The information contained within this advisory is supplied "as-is"
>
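Why the `key[]=` request in the advisory quoted above gets past the checks shown from `reset_password()`, as an added example written for this page (it is not WordPress code and not the fix in the Trac changeset mentioned elsewhere in the thread): a stripped-down model of the two checks quoted in the advisory, beside a hardened check that accepts only a non-empty alphanumeric string. The inputs are what PHP builds in `$_GET['key']` from `?key=o7naCKN3OoeU2KJMMsag`, `?key[]=` and `?key=`; the 64-character cap in the hardened check is this example's assumption.

```php
<?php
// Added example, not WordPress code: why the checks quoted from
// reset_password() let an array through, and a check that does not.

/**
 * Model of the two checks quoted in the advisory. Returns the value that
 * would reach the database lookup, or null when the input is rejected.
 * preg_replace() accepts an array subject and returns an array, and
 * empty(array('')) is false because the array has one element, so
 * ?key[]= arrives here as array('') and is passed on unchanged.
 */
function key_after_quoted_checks($key) {
    $key = preg_replace('/[^a-z0-9]/i', '', $key);
    if ( empty( $key ) )
        return null;
    return $key;
}

/**
 * Hardened model: the key must be a string of the shape the reset mail
 * issues (alphanumeric, bounded length; the 64-character cap is this
 * example's assumption). An array, an empty value or anything else is
 * rejected before a lookup runs. Reject rather than coerce, so a malformed
 * key can never turn into a broader database match.
 */
function key_after_hardened_checks($key) {
    if ( ! is_string( $key ) )
        return null;
    if ( $key === '' || strlen( $key ) > 64 || ! preg_match( '/^[a-z0-9]+$/i', $key ) )
        return null;
    return $key;
}

// Constructed inputs: what PHP places in $_GET['key'] for each query string.
$inputs = array(
    '?key=o7naCKN3OoeU2KJMMsag' => 'o7naCKN3OoeU2KJMMsag',
    '?key[]='                   => array( '' ),
    '?key='                     => '',
);

foreach ( $inputs as $query => $value ) {
    $quoted   = key_after_quoted_checks( $value );
    $hardened = key_after_hardened_checks( $value );
    printf( "%-27s quoted checks: %-24s hardened: %s\n",
        $query,
        $quoted === null ? 'rejected' : json_encode( $quoted ),
        $hardened === null ? 'rejected' : json_encode( $hardened ) );
}
```

Run with any PHP interpreter. The genuine key passes both checks, the empty key is rejected by both, and `?key[]=` is rejected only by the hardened check; under the quoted checks it continues toward the lookup as an array, which is the step the advisory's "submitting an array to the $key variable" refers to. The general lesson is to validate the type of request input before its content: PHP will happily build an array from a `name[]` parameter for any handler that assumes a string. On the detection side, a `key[]` parameter (or any array-valued parameter) on `wp-login.php` in web server logs is an easy signal to alert on for sites that could not yet apply the patch.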

Re: [Full-disclosure] Ureleet is the Anti-Sec

2009-08-10 Thread someone lawyer
 List,

My client has asked me to study the list to make a case against them.

some...@lawyer.com

  - Original Message -
  From: "anti-scared- sheep"
  To: full-disclosure@lists.grok.org.uk
  Subject: Re: [Full-disclosure] Ureleet is the Anti-Sec
  Date: Mon, 10 Aug 2009 22:25:45 -0400

  What's your problem, list? It's the same kid all the way, the ones who
  answer to this guy should wonder how dumb he is.
  Don't pay attention to him, make a simple filter like "*anti.*se.*"
  and get back to work.

  He/They still get attention, and feel like he's/they're important
  because of you prick, so shut the hell up.
  They/he sucks, OK?!? We got rid of n3td3v, plz don't make him feel
  like he's useful by answering.



  2009/8/10 

Suck a dick bitch.

On Mon, 10 Aug 2009 22:14:13 -0400 someone lawyer
 wrote:
>List,
>
>No good you part of slanderous.
>
>(T Biehn & Valdis Kletnieks)
>
>some...@lawyer.com
>
>  - Original Message -
>  From: valdis.kletni...@vt.edu
>  To: full-disclosure@lists.grok.org.uk
>  Subject: Re: [Full-disclosure] Ureleet is the Anti-Sec
>  Date: Mon, 10 Aug 2009 16:18:03 -0400
>
>
>  On Mon, 10 Aug 2009 12:07:24 EDT, T Biehn said:
>  > n3td3v, ureleet, and anti-sec are actually all Hitler,
posting
>  after
>  > being recently unfrozen from cryogenic sleep.
>
>  Conclusion: Keeping your brain on ice for 60 years makes you
>stupid.
>  Hitler
>  was a lot smarter than that. (Crazy, yes, evil, yes - but
would
>he
>  have gotten
>  as far as he did if he was only as smart as n3td3v and
ureleet?)
>  << 1.2.dat >>
>


Re: [Full-disclosure] WordPress <= 2.8.3 Remote admin reset password

2009-08-10 Thread Nicolas Valcárcel Scerpella
I don't see the issue with wp 2.7.1

On Mon, 10 Aug 2009, laurent gaffie wrote:

> Errata:
> 
> "V. BUSINESS IMPACT
> -
> An attacker could exploit this vulnerability to compromise the admin account
> of any wordpress/wordpress-mu <= 2.8.3"
> 
> -->
> 
> "V. BUSINESS IMPACT
> -
> An attacker could exploit this vulnerability to reset the admin account of
> any wordpress/wordpress-mu <= 2.8.3"
> 
> 
> Regards Laurent Gaffié
> 
> 
> 2009/8/10 laurent gaffie 
> 
> > =
> > - Release date: August 10th, 2009
> > - Discovered by: Laurent Gaffié
> > - Severity: Medium
> > =
> >
> > I. VULNERABILITY
> > -
> > WordPress <= 2.8.3 Remote admin reset password
> >
> > II. BACKGROUND
> > -
> > WordPress is a state-of-the-art publishing platform with a focus on
> > aesthetics, web standards, and usability.
> > WordPress is both free and priceless at the same time.
> > More simply, WordPress is what you use when you want to work with your
> > blogging software, not fight it.
> >
> > III. DESCRIPTION
> > -
> > The way Wordpress handles a password reset looks like this:
> > You submit your email address or username via this form
> > /wp-login.php?action=lostpassword ;
> > Wordpress sends you a reset confirmation like this via email:
> >
> > "
> > Someone has asked to reset the password for the following site and
> > username.
> > http://DOMAIN_NAME.TLD/wordpress
> > Username: admin
> > To reset your password visit the following address, otherwise just ignore
> > this email and nothing will happen
> >
> >
> > http://DOMAIN_NAME.TLD/wordpress/wp-login.php?action=rp&key=o7naCKN3OoeU2KJMMsag
> > "
> >
> > You click on the link, and then Wordpress resets your admin password, and
> > sends you over another email with your new credentials.
> >
> > Let's see how it works:
> >
> >
> > wp-login.php:
> > ...[snip]
> > line 186:
> > function reset_password($key) {
> > global $wpdb;
> >
> > $key = preg_replace('/[^a-z0-9]/i', '', $key);
> >
> > if ( empty( $key ) )
> > return new WP_Error('invalid_key', __('Invalid key'));
> >
> > $user = $wpdb->get_row($wpdb->prepare("SELECT * FROM $wpdb->users WHERE
> > user_activation_key = %s", $key));
> > if ( empty( $user ) )
> > return new WP_Error('invalid_key', __('Invalid key'));
> > ...[snip]
> > line 276:
> > $action = isset($_REQUEST['action']) ? $_REQUEST['action'] : 'login';
> > $errors = new WP_Error();
> >
> > if ( isset($_GET['key']) )
> > $action = 'resetpass';
> >
> > // validate action so as to default to the login screen
> > if ( !in_array($action, array('logout', 'lostpassword', 'retrievepassword',
> > 'resetpass', 'rp', 'register', 'login')) && false ===
> > has_filter('login_form_' . $action) )
> > $action = 'login';
> > ...[snip]
> >
> > line 370:
> >
> > break;
> >
> > case 'resetpass' :
> > case 'rp' :
> > $errors = reset_password($_GET['key']);
> >
> > if ( ! is_wp_error($errors) ) {
> > wp_redirect('wp-login.php?checkemail=newpass');
> > exit();
> > }
> >
> > wp_redirect('wp-login.php?action=lostpassword&error=invalidkey');
> > exit();
> >
> > break;
> > ...[snip ]...
> >
> > You can abuse the password reset function, and bypass the first step and
> > then reset the admin password by submitting an array to the $key variable.
> >
> >
> > IV. PROOF OF CONCEPT
> > -
> > A web browser is sufficient to reproduce this Proof of concept:
> > http://DOMAIN_NAME.TLD/wp-login.php?action=rp&key[]=
> > The password will be reset without any confirmation.
> >
> > V. BUSINESS IMPACT
> > -
> > An attacker could exploit this vulnerability to compromise the admin
> > account of any wordpress/wordpress-mu <= 2.8.3
> >
> > VI. SYSTEMS AFFECTED
> > -
> > All
> >
> > VII. SOLUTION
> > -
> > No patch available for the moment.
> >
> > VIII. REFERENCES
> > -
> > http://www.wordpress.org
> >
> > IX. CREDITS
> > -
> > This vulnerability has been discovered by Laurent Gaffié
> > Laurent.gaffie{remove-this}(at)gmail.com
> > I'd like to shoot some greetz to securityreason.com for their great
> > research on PHP, as for this under-estimated vulnerability discovered by
> > Maksymilian Arciemowicz :
> > http://securityreason.com/achievement_securityalert/38
> >
> > X. REVISION HISTORY
> > -
> > August 10th, 2009: Initial release
> >
> > XI. LEGAL NOTICES
> > -
> > The information contained within this advisory is supplied "as-is"
> > with no warranties or guarantees of fitness of use or otherwise.
> > I accept no responsibility for any damage caused by the use or
> > misuse of

Re: [Full-disclosure] WordPress <= 2.8.3 Remote admin reset password

2009-08-10 Thread laurent gaffie
Well, I don't think so, that's why I published this.
It's very limited.
It's true, someone can make a loop script and avoid any possibility to log
back on your wordpress blog, but you also can avoid that functionality
easily, you just need to comment out 1 line.
Anyways, a patch should come out soon.

Regards Laurent Gaffié




2009/8/10 ehmo 

> Very nice Laurent. That will hurt many ppl
>
> laurent wrote,
> > =
> > - Release date: August 10th, 2009
> > - Discovered by: Laurent Gaffié
> > - Severity: Medium
> > =
>
> > I. VULNERABILITY
> > -
> > WordPress <= 2.8.3 Remote admin reset password
>
> > II. BACKGROUND
> > -
> > WordPress is a state-of-the-art publishing platform with a focus on
> > aesthetics, web standards, and usability.
> > WordPress is both free and priceless at the same time.
> > More simply, WordPress is what you use when you want to work with your
> > blogging software, not fight it.
>
> > III. DESCRIPTION
> > -
> > The way Wordpress handles a password reset looks like this:
> > You submit your email address or username via this form
> > /wp-login.php?action=lostpassword ;
> > Wordpress sends you a reset confirmation like this via email:
>
> > "
> > Someone has asked to reset the password for the following site and
> username.
> > http://DOMAIN_NAME.TLD/wordpress
> > Username: admin
> > To reset your password visit the following address, otherwise just ignore
> > this email and nothing will happen
>
> >
> http://DOMAIN_NAME.TLD/wordpress/wp-login.php?action=rp&key=o7naCKN3OoeU2KJMMsag
> > "
>
> > You click on the link, and then Wordpress resets your admin password, and
> > sends you over another email with your new credentials.
>
> > Let's see how it works:
>
>
> > wp-login.php:
> > ...[snip]
> > line 186:
> > function reset_password($key) {
> > global $wpdb;
>
> > $key = preg_replace('/[^a-z0-9]/i', '', $key);
>
> > if ( empty( $key ) )
> > return new WP_Error('invalid_key', __('Invalid key'));
>
> > $user = $wpdb->get_row($wpdb->prepare("SELECT * FROM $wpdb->users
> WHERE
> > user_activation_key = %s", $key));
> > if ( empty( $user ) )
> > return new WP_Error('invalid_key', __('Invalid key'));
> > ...[snip]
> > line 276:
> > $action = isset($_REQUEST['action']) ? $_REQUEST['action'] : 'login';
> > $errors = new WP_Error();
>
> > if ( isset($_GET['key']) )
> > $action = 'resetpass';
>
> > // validate action so as to default to the login screen
> > if ( !in_array($action, array('logout', 'lostpassword',
> 'retrievepassword',
> > 'resetpass', 'rp', 'register', 'login')) && false ===
> > has_filter('login_form_' . $action) )
> > $action = 'login';
> > ...[snip]
>
> > line 370:
>
> > break;
>
> > case 'resetpass' :
> > case 'rp' :
> > $errors = reset_password($_GET['key']);
>
> > if ( ! is_wp_error($errors) ) {
> > wp_redirect('wp-login.php?checkemail=newpass');
> > exit();
> > }
>
> > wp_redirect('wp-login.php?action=lostpassword&error=invalidkey');
> > exit();
>
> > break;
> > ...[snip ]...
>
> > You can abuse the password reset function, and bypass the first step and
> > then reset the admin password by submitting an array to the $key variable.
>
>
> > IV. PROOF OF CONCEPT
> > -
> > A web browser is sufficient to reproduce this Proof of concept:
> > http://DOMAIN_NAME.TLD/wp-login.php?action=rp&key[]=
> > The password will be reset without any confirmation.
>
> > V. BUSINESS IMPACT
> > -
> > An attacker could exploit this vulnerability to compromise the admin
> account
> > of any wordpress/wordpress-mu <= 2.8.3
>
> > VI. SYSTEMS AFFECTED
> > -
> > All
>
> > VII. SOLUTION
> > -
> > No patch available for the moment.
>
> > VIII. REFERENCES
> > -
> > http://www.wordpress.org
>
> > IX. CREDITS
> > -
> > This vulnerability has been discovered by Laurent Gaffié
> > Laurent.gaffie{remove-this}(at)gmail.com
> > I'd like to shoot some greetz to securityreason.com for their great
> research
> > on PHP, as for this under-estimated vulnerability discovered by
> Maksymilian
> > Arciemowicz :
> > http://securityreason.com/achievement_securityalert/38
>
> > X. REVISION HISTORY
> > -
> > August 10th, 2009: Initial release
>
> > XI. LEGAL NOTICES
> > -
> > The information contained within this advisory is supplied "as-is"
> > with no warranties or guarantees of fitness of use or otherwise.
> > I accept no responsibility for any damage caused by the use or
> > misuse of this information.
>
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-discl

Re: [Full-disclosure] WordPress <= 2.8.3 Remote admin reset password

2009-08-10 Thread ehmo
Very nice Laurent. That will hurt many ppl

laurent wrote,
> =
> - Release date: August 10th, 2009
> - Discovered by: Laurent Gaffié
> - Severity: Medium
> =

> I. VULNERABILITY
> -
> WordPress <= 2.8.3 Remote admin reset password

> II. BACKGROUND
> -
> WordPress is a state-of-the-art publishing platform with a focus on
> aesthetics, web standards, and usability.
> WordPress is both free and priceless at the same time.
> More simply, WordPress is what you use when you want to work with your
> blogging software, not fight it.

> III. DESCRIPTION
> -
> The way Wordpress handles a password reset looks like this:
> You submit your email address or username via this form
> /wp-login.php?action=lostpassword ;
> Wordpress sends you a reset confirmation like that via email:

> "
> Someone has asked to reset the password for the following site and username.
> http://DOMAIN_NAME.TLD/wordpress
> Username: admin
> To reset your password visit the following address, otherwise just ignore
> this email and nothing will happen

> http://DOMAIN_NAME.TLD/wordpress/wp-login.php?action=rp&key=o7naCKN3OoeU2KJMMsag
> "

> You click on the link, and then Wordpress resets your admin password, and
> sends you over another email with your new credentials.

> Let's see how it works:


> wp-login.php:
> ...[snip]
> line 186:
> function reset_password($key) {
> global $wpdb;

> $key = preg_replace('/[^a-z0-9]/i', '', $key);

> if ( empty( $key ) )
> return new WP_Error('invalid_key', __('Invalid key'));

> $user = $wpdb->get_row($wpdb->prepare("SELECT * FROM $wpdb->users WHERE
> user_activation_key = %s", $key));
> if ( empty( $user ) )
> return new WP_Error('invalid_key', __('Invalid key'));
> ...[snip]
> line 276:
> $action = isset($_REQUEST['action']) ? $_REQUEST['action'] : 'login';
> $errors = new WP_Error();

> if ( isset($_GET['key']) )
> $action = 'resetpass';

> // validate action so as to default to the login screen
> if ( !in_array($action, array('logout', 'lostpassword', 'retrievepassword',
> 'resetpass', 'rp', 'register', 'login')) && false ===
> has_filter('login_form_' . $action) )
> $action = 'login';
> ...[snip]

> line 370:

> break;

> case 'resetpass' :
> case 'rp' :
> $errors = reset_password($_GET['key']);

> if ( ! is_wp_error($errors) ) {
> wp_redirect('wp-login.php?checkemail=newpass');
> exit();
> }

> wp_redirect('wp-login.php?action=lostpassword&error=invalidkey');
> exit();

> break;
> ...[snip ]...

> You can abuse the password reset function, and bypass the first step and
> then reset the admin password by submitting an array to the $key variable.


> IV. PROOF OF CONCEPT
> -
> A web browser is sufficient to reproduce this Proof of concept:
> http://DOMAIN_NAME.TLD/wp-login.php?action=rp&key[]=
> The password will be reset without any confirmation.

> V. BUSINESS IMPACT
> -
> An attacker could exploit this vulnerability to compromise the admin account
> of any wordpress/wordpress-mu <= 2.8.3

> VI. SYSTEMS AFFECTED
> -
> All

> VII. SOLUTION
> -
> No patch available for the moment.

> VIII. REFERENCES
> -
> http://www.wordpress.org

> IX. CREDITS
> -
> This vulnerability has been discovered by Laurent Gaffié
> Laurent.gaffie{remove-this}(at)gmail.com
> I'd like to shoot some greetz to securityreason.com for their great research
> on PHP, as for this under-estimated vulnerability discovered by Maksymilian
> Arciemowicz :
> http://securityreason.com/achievement_securityalert/38

> X. REVISION HISTORY
> -
> August 10th, 2009: Initial release

> XI. LEGAL NOTICES
> -
> The information contained within this advisory is supplied "as-is"
> with no warranties or guarantees of fitness of use or otherwise.
> I accept no responsibility for any damage caused by the use or
> misuse of this information.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
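As an added illustration of the reset path quoted in the advisory above (this is example code, not code from the advisory or from WordPress), the PHP below parses the two request shapes the thread discusses, runs each through the original `empty()`-only check and through a hardened check that is this example's own, and shows which account a lookup would land on. The users table, the request strings and the `lookup_user` stand-in for the `$wpdb->prepare` query are constructed for the demonstration; the stand-in assumes, as the advisory reports, that an array-valued key ends up compared against the empty string.

```php
<?php
// Added example (not code from the advisory or from WordPress): why a request
// carrying key[]= passes the reset_password() check quoted from wp-login.php,
// and a hardened check that stops it. The two request shapes, the users table
// and the lookup routine are constructed stand-ins; $wpdb is not used.

// What PHP's query-string parser yields for a genuine reset link and for the
// advisory's PoC shape. key[]= becomes a one-element array holding ''.
parse_str('action=rp&key=o7naCKN3OoeU2KJMMsag', $normalRequest);
parse_str('action=rp&key[]=', $arrayRequest);

// Constructed users table. user_activation_key is '' for every account that
// has not requested a reset, which is the normal state of an admin account.
$users = [
    ['ID' => 1, 'user_login' => 'admin',  'user_activation_key' => ''],
    ['ID' => 2, 'user_login' => 'editor', 'user_activation_key' => 'o7naCKN3OoeU2KJMMsag'],
];

// Mirrors the quoted check: strip non-alphanumerics, then reject only an
// empty() key. preg_replace() on an array returns an array, and a one-element
// array is never empty(), so array('') is accepted as if it were a valid key.
function validate_key_original($key)
{
    $key = preg_replace('/[^a-z0-9]/i', '', $key);
    if (empty($key)) {
        return null;
    }
    return $key;
}

// Hardened form (this example's own, not the project's patch): require a
// non-empty string before the value can reach the query layer at all.
function validate_key_hardened($key)
{
    if (!is_string($key)) {
        return null;
    }
    $key = preg_replace('/[^a-z0-9]/i', '', $key);
    if ($key === '') {
        return null;
    }
    return $key;
}

// Stand-in for the prepared "user_activation_key = %s" lookup. Assumption,
// matching the behaviour the advisory reports: an array argument is consumed
// as the parameter list, so key[]= compares the column against '' and the
// first account with no pending reset (here the admin) is returned.
function lookup_user(array $users, $key)
{
    $needle = is_array($key) ? (string) reset($key) : $key;
    foreach ($users as $user) {
        if ($user['user_activation_key'] === $needle) {
            return $user;
        }
    }
    return null;
}

// Runs one validator over one parsed request and reports what would follow.
function outcome(callable $validate, array $users, array $request)
{
    $key = $validate($request['key']);
    if ($key === null) {
        return 'rejected before lookup (invalid key)';
    }
    $user = lookup_user($users, $key);
    if ($user === null) {
        return 'rejected by lookup (no matching key)';
    }
    return 'would reset the password of ' . $user['user_login'];
}

foreach (['normal link' => $normalRequest, 'key[]= request' => $arrayRequest] as $label => $request) {
    printf("original check, %-14s: %s\n", $label, outcome('validate_key_original', $users, $request));
    printf("hardened check, %-14s: %s\n", $label, outcome('validate_key_hardened', $users, $request));
}
```

Run with the PHP CLI, the script prints four lines: the original check passes both the genuine link and the `key[]=` request, and the latter lands on the account whose activation key is unset; the hardened check accepts the genuine link and rejects the array before any lookup happens. The point for a defender is that `empty()` is a truthiness test, not a type test, so anything that reads request parameters which may arrive as arrays needs an explicit `is_string` (or equivalent) guard ahead of the query.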


Re: [Full-disclosure] WordPress <= 2.8.3 Remote admin reset password

2009-08-10 Thread Jeremy Brown
I'm guessing you're not a Wordpress administrator, Fabio. Nice find
Laurent, as usual.

On Mon, Aug 10, 2009 at 10:48 PM, laurent
gaffie wrote:
> Oh ok.
> Then, let's avoid that function.
> If it's useless to have a function that validates a reset passwd before
> resetting it, let's just avoid it smartass.
>
>
> 2009/8/10 Fabio N Sarmento [ Gmail ] 
>>
>> There is no risk on this.
>> It's just a little flaw, it doesn't break anything or put your admin
>> access in risk.
>>
>> :-P to me, this vulnerability is more "BUZZ" than real deal. LOL
>>
>> 2009/8/10 laurent gaffie 
>>>
>>> Hi there,
>>>
>>> This wasn't tested on the 2.7* branch.
>>> It has been tested on the 2.8.* branch, with php 5.3.0 & php 5.2.9 as an
>>> Apache 2.2.12 module, on a linux env.
>>>
>>>
>>> Regards Laurent Gaffié
>>>
>>>
>>>
>>> 2009/8/10 Nicolas Valcárcel Scerpella 

 I don't see the issue with wp 2.7.1

 On Mon, 10 Aug 2009, laurent gaffie wrote:

 > Errata:
 >
 > "V. BUSINESS IMPACT
 > -
 > An attacker could exploit this vulnerability to compromise the admin
 > account
 > of any wordpress/wordpress-mu <= 2.8.3"
 >
 > -->
 >
 > "V. BUSINESS IMPACT
 > -
 > An attacker could exploit this vulnerability to reset the admin
 > account of
 > any wordpress/wordpress-mu <= 2.8.3"
 >
 >
 > Regards Laurent Gaffié
 >
 >
 > 2009/8/10 laurent gaffie 
 >
 > > =
 > > - Release date: August 10th, 2009
 > > - Discovered by: Laurent Gaffié
 > > - Severity: Medium
 > > =
 > >
 > > I. VULNERABILITY
 > > -
 > > WordPress <= 2.8.3 Remote admin reset password
 > >
 > > II. BACKGROUND
 > > -
 > > WordPress is a state-of-the-art publishing platform with a focus on
 > > aesthetics, web standards, and usability.
 > > WordPress is both free and priceless at the same time.
 > > More simply, WordPress is what you use when you want to work with
 > > your
 > > blogging software, not fight it.
 > >
 > > III. DESCRIPTION
 > > -
 > > The way Wordpress handles a password reset looks like this:
 > > You submit your email address or username via this form
 > > /wp-login.php?action=lostpassword ;
 > > Wordpress sends you a reset confirmation like that via email:
 > >
 > > "
 > > Someone has asked to reset the password for the following site and
 > > username.
 > > http://DOMAIN_NAME.TLD/wordpress
 > > Username: admin
 > > To reset your password visit the following address, otherwise just
 > > ignore
 > > this email and nothing will happen
 > >
 > >
 > >
 > > http://DOMAIN_NAME.TLD/wordpress/wp-login.php?action=rp&key=o7naCKN3OoeU2KJMMsag
 > > "
 > >
 > > You click on the link, and then Wordpress resets your admin password,
 > > and
 > > sends you over another email with your new credentials.
 > >
 > > Let's see how it works:
 > >
 > >
 > > wp-login.php:
 > > ...[snip]
 > > line 186:
 > > function reset_password($key) {
 > >     global $wpdb;
 > >
 > >     $key = preg_replace('/[^a-z0-9]/i', '', $key);
 > >
 > >     if ( empty( $key ) )
 > >         return new WP_Error('invalid_key', __('Invalid key'));
 > >
 > >     $user = $wpdb->get_row($wpdb->prepare("SELECT * FROM
 > > $wpdb->users WHERE
 > > user_activation_key = %s", $key));
 > >     if ( empty( $user ) )
 > >         return new WP_Error('invalid_key', __('Invalid key'));
 > > ...[snip]
 > > line 276:
 > > $action = isset($_REQUEST['action']) ? $_REQUEST['action'] :
 > > 'login';
 > > $errors = new WP_Error();
 > >
 > > if ( isset($_GET['key']) )
 > >     $action = 'resetpass';
 > >
 > > // validate action so as to default to the login screen
 > > if ( !in_array($action, array('logout', 'lostpassword',
 > > 'retrievepassword',
 > > 'resetpass', 'rp', 'register', 'login')) && false ===
 > > has_filter('login_form_' . $action) )
 > >     $action = 'login';
 > > ...[snip]
 > >
 > > line 370:
 > >
 > > break;
 > >
 > > case 'resetpass' :
 > > case 'rp' :
 > >     $errors = reset_password($_GET['key']);
 > >
 > >     if ( ! is_wp_error($errors) ) {
 > >         wp_redirect('wp-login.php?checkemail=newpass');
 > >         exit();
 > >     }
 > >
 > >
 > > wp_redirect('wp-login.php?action=lostpassword&error=invalidkey');
 > >     exit();
 > >
 > > break;
 > > ...[snip ]...
 > >
 > > You can abuse the password reset function, and bypass the first step
 > > and
 > > then reset the admin password by submit

Re: [Full-disclosure] WordPress <= 2.8.3 Remote admin reset password

2009-08-10 Thread laurent gaffie
Oh ok.
Then, let's avoid that function.
If it's useless to have a function that validates a reset passwd before
resetting it, let's just avoid it smartass.


2009/8/10 Fabio N Sarmento [ Gmail ] 

There is no risk on this.
> It's just a little flaw, it doesn't break anything or put your admin access
> in risk.
>
> :-P to me, this vulnerability is more "BUZZ" than real deal. LOL
>
>
> 2009/8/10 laurent gaffie 
>
>> Hi there,
>>
>> This wasn't tested on the 2.7* branch.
>> It has been tested on the 2.8.* branch, with php 5.3.0 & php 5.2.9 as an
>> Apache 2.2.12 module, on a linux env.
>>
>>
>> Regards Laurent Gaffié
>>
>>
>>
>> 2009/8/10 Nicolas Valcárcel Scerpella 
>>
>>> I don't see the issue with wp 2.7.1
>>>
>>> On Mon, 10 Aug 2009, laurent gaffie wrote:
>>>
>>> > Errata:
>>> >
>>> > "V. BUSINESS IMPACT
>>> > -
>>> > An attacker could exploit this vulnerability to compromise the admin
>>> account
>>> > of any wordpress/wordpress-mu <= 2.8.3"
>>> >
>>> > -->
>>> >
>>> > "V. BUSINESS IMPACT
>>> > -
>>> > An attacker could exploit this vulnerability to reset the admin account
>>> of
>>> > any wordpress/wordpress-mu <= 2.8.3"
>>> >
>>> >
>>> > Regards Laurent Gaffié
>>> >
>>> >
>>> > 2009/8/10 laurent gaffie 
>>> >
>>> > > =
>>> > > - Release date: August 10th, 2009
>>> > > - Discovered by: Laurent Gaffié
>>> > > - Severity: Medium
>>> > > =
>>> > >
>>> > > I. VULNERABILITY
>>> > > -
>>> > > WordPress <= 2.8.3 Remote admin reset password
>>> > >
>>> > > II. BACKGROUND
>>> > > -
>>> > > WordPress is a state-of-the-art publishing platform with a focus on
>>> > > aesthetics, web standards, and usability.
>>> > > WordPress is both free and priceless at the same time.
>>> > > More simply, WordPress is what you use when you want to work with
>>> your
>>> > > blogging software, not fight it.
>>> > >
>>> > > III. DESCRIPTION
>>> > > -
>>> > > The way Wordpress handles a password reset looks like this:
>>> > > You submit your email address or username via this form
>>> > > /wp-login.php?action=lostpassword ;
>>> > > Wordpress sends you a reset confirmation like that via email:
>>> > >
>>> > > "
>>> > > Someone has asked to reset the password for the following site and
>>> > > username.
>>> > > http://DOMAIN_NAME.TLD/wordpress
>>> > > Username: admin
>>> > > To reset your password visit the following address, otherwise just
>>> ignore
>>> > > this email and nothing will happen
>>> > >
>>> > >
>>> > >
>>> http://DOMAIN_NAME.TLD/wordpress/wp-login.php?action=rp&key=o7naCKN3OoeU2KJMMsag
>>> > > "
>>> > >
>>> > > You click on the link, and then Wordpress resets your admin password,
>>> and
>>> > > sends you over another email with your new credentials.
>>> > >
>>> > > Let's see how it works:
>>> > >
>>> > >
>>> > > wp-login.php:
>>> > > ...[snip]
>>> > > line 186:
>>> > > function reset_password($key) {
>>> > > global $wpdb;
>>> > >
>>> > > $key = preg_replace('/[^a-z0-9]/i', '', $key);
>>> > >
>>> > > if ( empty( $key ) )
>>> > > return new WP_Error('invalid_key', __('Invalid key'));
>>> > >
>>> > > $user = $wpdb->get_row($wpdb->prepare("SELECT * FROM $wpdb->users
>>> WHERE
>>> > > user_activation_key = %s", $key));
>>> > > if ( empty( $user ) )
>>> > > return new WP_Error('invalid_key', __('Invalid key'));
>>> > > ...[snip]
>>> > > line 276:
>>> > > $action = isset($_REQUEST['action']) ? $_REQUEST['action'] : 'login';
>>> > > $errors = new WP_Error();
>>> > >
>>> > > if ( isset($_GET['key']) )
>>> > > $action = 'resetpass';
>>> > >
>>> > > // validate action so as to default to the login screen
>>> > > if ( !in_array($action, array('logout', 'lostpassword',
>>> 'retrievepassword',
>>> > > 'resetpass', 'rp', 'register', 'login')) && false ===
>>> > > has_filter('login_form_' . $action) )
>>> > > $action = 'login';
>>> > > ...[snip]
>>> > >
>>> > > line 370:
>>> > >
>>> > > break;
>>> > >
>>> > > case 'resetpass' :
>>> > > case 'rp' :
>>> > > $errors = reset_password($_GET['key']);
>>> > >
>>> > > if ( ! is_wp_error($errors) ) {
>>> > > wp_redirect('wp-login.php?checkemail=newpass');
>>> > > exit();
>>> > > }
>>> > >
>>> > > wp_redirect('wp-login.php?action=lostpassword&error=invalidkey');
>>> > > exit();
>>> > >
>>> > > break;
>>> > > ...[snip ]...
>>> > >
>>> > > You can abuse the password reset function, and bypass the first step
>>> and
>>> > > then reset the admin password by submitting an array to the $key
>>> variable.
>>> > >
>>> > >
>>> > > IV. PROOF OF CONCEPT
>>> > > -
>>> > > A web browser is sufficient to reproduce this Proof of concept:
>>> > > http://DOMAIN_NAME.TLD/wp-login.php?action=rp&key[]=
>>> 

Re: [Full-disclosure] Ureleet is the Anti-Sec

2009-08-10 Thread antisec
You forgot to mention "her", nutface. Take that attitude to defcon 
and you may just get bitch slapped by one of the gorgeous ladies.

Now go ahead and filter us, resistance is futile. You are infidels 
and we are powerful.

They call us legion, because we are many. Muahahahaahahah!!!#!$#$%

Crash and burn bitches, crash and mother fucking burn.

On Mon, 10 Aug 2009 22:25:45 -0400 anti-scared- sheep 
 wrote:
>What's your problem list ?
>it's the same kid all the way, the ones who answer to this guy,  
>should
>wonder how dumb he's.
>Don't pay attention to him, make a simple filter like "*anti.*se.*" 
>and get
>back to work.
>
>He/They still get attention,and feel like he's/they're important 
>because of
>you prick, so shut the hell up.
>They/he sucks, OK ?!?
>We got rid of n3td3v, plz don't make him feel like he's useful by 
>answering.
>
>
>
>2009/8/10 
>
>> Suck a dick bitch.
>>
>> On Mon, 10 Aug 2009 22:14:13 -0400 someone lawyer
>>  wrote:
>> >List,
>> >
>> >No good you part of slanderous.
>> >
>> >(T Biehn & Valdis Kletnieks)
>> >
>> >some...@lawyer.com
>> >
>> >  - Original Message -
>> >  From: valdis.kletni...@vt.edu
>> >  To: full-disclosure@lists.grok.org.uk
>> >  Subject: Re: [Full-disclosure] Ureleet is the Anti-Sec
>> >  Date: Mon, 10 Aug 2009 16:18:03 -0400
>> >
>> >
>> >  On Mon, 10 Aug 2009 12:07:24 EDT, T Biehn said:
>> >  > n3td3v, ureleet, and anti-sec are actually all Hitler, 
>posting
>> >  after
>> >  > being recently unfrozen from cryogenic sleep.
>> >
>> >  Conclusion: Keeping your brain on ice for 60 years makes you
>> >stupid.
>> >  Hitler
>> >  was a lot smarter than that. (Crazy, yes, evil, yes - but 
>would
>> >he
>> >  have gotten
>> >  as far as he did if he was only as smart as n3td3v and 
>ureleet?)
>> >  << 1.2.dat >>
>> >
>> >
>> >--
>> >Be Yourself @ mail.com!
>> >Choose From 200+ Email Addresses
>> >Get a Free Account at www.mail.com!
>>
>>



Re: [Full-disclosure] WordPress <= 2.8.3 Remote admin reset password

2009-08-10 Thread laurent gaffie
Hi there,

This wasn't tested on the 2.7* branch.
It has been tested on the 2.8.* branch, with php 5.3.0 & php 5.2.9 as an
Apache 2.2.12 module, on a linux env.


Regards Laurent Gaffié



2009/8/10 Nicolas Valcárcel Scerpella 

> I don't see the issue with wp 2.7.1
>
> On Mon, 10 Aug 2009, laurent gaffie wrote:
>
> > Errata:
> >
> > "V. BUSINESS IMPACT
> > -
> > An attacker could exploit this vulnerability to compromise the admin
> account
> > of any wordpress/wordpress-mu <= 2.8.3"
> >
> > -->
> >
> > "V. BUSINESS IMPACT
> > -
> > An attacker could exploit this vulnerability to reset the admin account
> of
> > any wordpress/wordpress-mu <= 2.8.3"
> >
> >
> > Regards Laurent Gaffié
> >
> >
> > 2009/8/10 laurent gaffie 
> >
> > > =
> > > - Release date: August 10th, 2009
> > > - Discovered by: Laurent Gaffié
> > > - Severity: Medium
> > > =
> > >
> > > I. VULNERABILITY
> > > -
> > > WordPress <= 2.8.3 Remote admin reset password
> > >
> > > II. BACKGROUND
> > > -
> > > WordPress is a state-of-the-art publishing platform with a focus on
> > > aesthetics, web standards, and usability.
> > > WordPress is both free and priceless at the same time.
> > > More simply, WordPress is what you use when you want to work with your
> > > blogging software, not fight it.
> > >
> > > III. DESCRIPTION
> > > -
> > > The way Wordpress handles a password reset looks like this:
> > > You submit your email address or username via this form
> > > /wp-login.php?action=lostpassword ;
> > > Wordpress sends you a reset confirmation like that via email:
> > >
> > > "
> > > Someone has asked to reset the password for the following site and
> > > username.
> > > http://DOMAIN_NAME.TLD/wordpress
> > > Username: admin
> > > To reset your password visit the following address, otherwise just
> ignore
> > > this email and nothing will happen
> > >
> > >
> > >
> http://DOMAIN_NAME.TLD/wordpress/wp-login.php?action=rp&key=o7naCKN3OoeU2KJMMsag
> > > "
> > >
> > > You click on the link, and then Wordpress resets your admin password,
> and
> > > sends you over another email with your new credentials.
> > >
> > > Let's see how it works:
> > >
> > >
> > > wp-login.php:
> > > ...[snip]
> > > line 186:
> > > function reset_password($key) {
> > > global $wpdb;
> > >
> > > $key = preg_replace('/[^a-z0-9]/i', '', $key);
> > >
> > > if ( empty( $key ) )
> > > return new WP_Error('invalid_key', __('Invalid key'));
> > >
> > > $user = $wpdb->get_row($wpdb->prepare("SELECT * FROM $wpdb->users
> WHERE
> > > user_activation_key = %s", $key));
> > > if ( empty( $user ) )
> > > return new WP_Error('invalid_key', __('Invalid key'));
> > > ...[snip]
> > > line 276:
> > > $action = isset($_REQUEST['action']) ? $_REQUEST['action'] : 'login';
> > > $errors = new WP_Error();
> > >
> > > if ( isset($_GET['key']) )
> > > $action = 'resetpass';
> > >
> > > // validate action so as to default to the login screen
> > > if ( !in_array($action, array('logout', 'lostpassword',
> 'retrievepassword',
> > > 'resetpass', 'rp', 'register', 'login')) && false ===
> > > has_filter('login_form_' . $action) )
> > > $action = 'login';
> > > ...[snip]
> > >
> > > line 370:
> > >
> > > break;
> > >
> > > case 'resetpass' :
> > > case 'rp' :
> > > $errors = reset_password($_GET['key']);
> > >
> > > if ( ! is_wp_error($errors) ) {
> > > wp_redirect('wp-login.php?checkemail=newpass');
> > > exit();
> > > }
> > >
> > > wp_redirect('wp-login.php?action=lostpassword&error=invalidkey');
> > > exit();
> > >
> > > break;
> > > ...[snip ]...
> > >
> > > You can abuse the password reset function, and bypass the first step
> and
> > > then reset the admin password by submitting an array to the $key
> variable.
> > >
> > >
> > > IV. PROOF OF CONCEPT
> > > -
> > > A web browser is sufficient to reproduce this Proof of concept:
> > > http://DOMAIN_NAME.TLD/wp-login.php?action=rp&key[]=
> 
> > > The password will be reset without any confirmation.
> > >
> > > V. BUSINESS IMPACT
> > > -
> > > An attacker could exploit this vulnerability to compromise the admin
> > > account of any wordpress/wordpress-mu <= 2.8.3
> > >
> > > VI. SYSTEMS AFFECTED
> > > -
> > > All
> > >
> > > VII. SOLUTION
> > > -
> > > No patch available for the moment.
> > >
> > > VIII. REFERENCES
> > > -
> > > http://www.wordpress.org
> > >
> > > IX. CREDITS
> > > -
> > > This vulnerability has been discovered by Laurent Gaffié
> > > Laurent.gaffie{remove-this}(at)gmail.com
> > > I'd like to 

Re: [Full-disclosure] Ureleet is the Anti-Sec

2009-08-10 Thread anti-scared- sheep
What's your problem list ?
it's the same kid all the way, the ones who answer to this guy, should
wonder how dumb he's.
Don't pay attention to him, make a simple filter like "*anti.*se.*" and get
back to work.

He/They still get attention,and feel like he's/they're important because of
you prick, so shut the hell up.
They/he sucks, OK ?!?
We got rid of n3td3v, plz don't make him feel like he's useful by answering.



2009/8/10 

> Suck a dick bitch.
>
> On Mon, 10 Aug 2009 22:14:13 -0400 someone lawyer
>  wrote:
> >List,
> >
> >No good you part of slanderous.
> >
> >(T Biehn & Valdis Kletnieks)
> >
> >some...@lawyer.com
> >
> >  - Original Message -
> >  From: valdis.kletni...@vt.edu
> >  To: full-disclosure@lists.grok.org.uk
> >  Subject: Re: [Full-disclosure] Ureleet is the Anti-Sec
> >  Date: Mon, 10 Aug 2009 16:18:03 -0400
> >
> >
> >  On Mon, 10 Aug 2009 12:07:24 EDT, T Biehn said:
> >  > n3td3v, ureleet, and anti-sec are actually all Hitler, posting
> >  after
> >  > being recently unfrozen from cryogenic sleep.
> >
> >  Conclusion: Keeping your brain on ice for 60 years makes you
> >stupid.
> >  Hitler
> >  was a lot smarter than that. (Crazy, yes, evil, yes - but would
> >he
> >  have gotten
> >  as far as he did if he was only as smart as n3td3v and ureleet?)
> >  << 1.2.dat >>
> >
> >
>
>

Re: [Full-disclosure] Ureleet is the Anti-Sec

2009-08-10 Thread antisec
Suck a dick bitch.

On Mon, 10 Aug 2009 22:14:13 -0400 someone lawyer 
 wrote:
>List,
>
>No good you part of slanderous.
>
>(T Biehn & Valdis Kletnieks)
>
>some...@lawyer.com
>
>  - Original Message -
>  From: valdis.kletni...@vt.edu
>  To: full-disclosure@lists.grok.org.uk
>  Subject: Re: [Full-disclosure] Ureleet is the Anti-Sec
>  Date: Mon, 10 Aug 2009 16:18:03 -0400
>
>
>  On Mon, 10 Aug 2009 12:07:24 EDT, T Biehn said:
>  > n3td3v, ureleet, and anti-sec are actually all Hitler, posting
>  after
>  > being recently unfrozen from cryogenic sleep.
>
>  Conclusion: Keeping your brain on ice for 60 years makes you 
>stupid.
>  Hitler
>  was a lot smarter than that. (Crazy, yes, evil, yes - but would 
>he
>  have gotten
>  as far as he did if he was only as smart as n3td3v and ureleet?)
>  << 1.2.dat >>
>
>



Re: [Full-disclosure] WordPress <= 2.8.3 Remote admin reset password

2009-08-10 Thread laurent gaffie
Errata:

"V. BUSINESS IMPACT
-
An attacker could exploit this vulnerability to compromise the admin account
of any wordpress/wordpress-mu <= 2.8.3"

-->

"V. BUSINESS IMPACT
-
An attacker could exploit this vulnerability to reset the admin account of
any wordpress/wordpress-mu <= 2.8.3"


Regards Laurent Gaffié


2009/8/10 laurent gaffie 

> =
> - Release date: August 10th, 2009
> - Discovered by: Laurent Gaffié
> - Severity: Medium
> =
>
> I. VULNERABILITY
> -
> WordPress <= 2.8.3 Remote admin reset password
>
> II. BACKGROUND
> -
> WordPress is a state-of-the-art publishing platform with a focus on
> aesthetics, web standards, and usability.
> WordPress is both free and priceless at the same time.
> More simply, WordPress is what you use when you want to work with your
> blogging software, not fight it.
>
> III. DESCRIPTION
> -
> The way Wordpress handles a password reset looks like this:
> You submit your email address or username via this form
> /wp-login.php?action=lostpassword ;
> Wordpress sends you a reset confirmation like that via email:
>
> "
> Someone has asked to reset the password for the following site and
> username.
> http://DOMAIN_NAME.TLD/wordpress
> Username: admin
> To reset your password visit the following address, otherwise just ignore
> this email and nothing will happen
>
>
> http://DOMAIN_NAME.TLD/wordpress/wp-login.php?action=rp&key=o7naCKN3OoeU2KJMMsag
> "
>
> You click on the link, and then Wordpress resets your admin password, and
> sends you over another email with your new credentials.
>
> Let's see how it works:
>
>
> wp-login.php:
> ...[snip]
> line 186:
> function reset_password($key) {
> global $wpdb;
>
> $key = preg_replace('/[^a-z0-9]/i', '', $key);
>
> if ( empty( $key ) )
> return new WP_Error('invalid_key', __('Invalid key'));
>
> $user = $wpdb->get_row($wpdb->prepare("SELECT * FROM $wpdb->users WHERE
> user_activation_key = %s", $key));
> if ( empty( $user ) )
> return new WP_Error('invalid_key', __('Invalid key'));
> ...[snip]
> line 276:
> $action = isset($_REQUEST['action']) ? $_REQUEST['action'] : 'login';
> $errors = new WP_Error();
>
> if ( isset($_GET['key']) )
> $action = 'resetpass';
>
> // validate action so as to default to the login screen
> if ( !in_array($action, array('logout', 'lostpassword', 'retrievepassword',
> 'resetpass', 'rp', 'register', 'login')) && false ===
> has_filter('login_form_' . $action) )
> $action = 'login';
> ...[snip]
>
> line 370:
>
> break;
>
> case 'resetpass' :
> case 'rp' :
> $errors = reset_password($_GET['key']);
>
> if ( ! is_wp_error($errors) ) {
> wp_redirect('wp-login.php?checkemail=newpass');
> exit();
> }
>
> wp_redirect('wp-login.php?action=lostpassword&error=invalidkey');
> exit();
>
> break;
> ...[snip ]...
>
> You can abuse the password reset function, and bypass the first step and
> then reset the admin password by submitting an array to the $key variable.
>
>
> IV. PROOF OF CONCEPT
> -
> A web browser is sufficient to reproduce this Proof of concept:
> http://DOMAIN_NAME.TLD/wp-login.php?action=rp&key[]=
> The password will be reset without any confirmation.
>
> V. BUSINESS IMPACT
> -
> An attacker could exploit this vulnerability to compromise the admin
> account of any wordpress/wordpress-mu <= 2.8.3
>
> VI. SYSTEMS AFFECTED
> -
> All
>
> VII. SOLUTION
> -
> No patch available for the moment.
>
> VIII. REFERENCES
> -
> http://www.wordpress.org
>
> IX. CREDITS
> -
> This vulnerability has been discovered by Laurent Gaffié
> Laurent.gaffie{remove-this}(at)gmail.com
> I'd like to shoot some greetz to securityreason.com for their great
> research on PHP, as for this under-estimated vulnerability discovered by
> Maksymilian Arciemowicz :
> http://securityreason.com/achievement_securityalert/38
>
> X. REVISION HISTORY
> -
> August 10th, 2009: Initial release
>
> XI. LEGAL NOTICES
> -
> The information contained within this advisory is supplied "as-is"
> with no warranties or guarantees of fitness of use or otherwise.
> I accept no responsibility for any damage caused by the use or
> misuse of this information.
>

Re: [Full-disclosure] Ureleet is the Anti-Sec

2009-08-10 Thread someone lawyer
List,

No good you part of slanderous.

(T Biehn & Valdis Kletnieks)

some...@lawyer.com

  - Original Message -
  From: valdis.kletni...@vt.edu
  To: full-disclosure@lists.grok.org.uk
  Subject: Re: [Full-disclosure] Ureleet is the Anti-Sec
  Date: Mon, 10 Aug 2009 16:18:03 -0400


  On Mon, 10 Aug 2009 12:07:24 EDT, T Biehn said:
  > n3td3v, ureleet, and anti-sec are actually all Hitler, posting
  after
  > being recently unfrozen from cryogenic sleep.

  Conclusion: Keeping your brain on ice for 60 years makes you stupid.
  Hitler
  was a lot smarter than that. (Crazy, yes, evil, yes - but would he
  have gotten
  as far as he did if he was only as smart as n3td3v and ureleet?)
  << 1.2.dat >>




[Full-disclosure] WordPress <= 2.8.3 Remote admin reset password

2009-08-10 Thread laurent gaffie
=
- Release date: August 10th, 2009
- Discovered by: Laurent Gaffié
- Severity: Medium
=

I. VULNERABILITY
-
WordPress <= 2.8.3 Remote admin reset password

II. BACKGROUND
-
WordPress is a state-of-the-art publishing platform with a focus on
aesthetics, web standards, and usability.
WordPress is both free and priceless at the same time.
More simply, WordPress is what you use when you want to work with your
blogging software, not fight it.

III. DESCRIPTION
-
The way WordPress handles a password reset looks like this:
You submit your email address or username via the form
/wp-login.php?action=lostpassword ;
WordPress then sends you a reset confirmation like this via email:

"
Someone has asked to reset the password for the following site and username.
http://DOMAIN_NAME.TLD/wordpress
Username: admin
To reset your password visit the following address, otherwise just ignore
this email and nothing will happen

http://DOMAIN_NAME.TLD/wordpress/wp-login.php?action=rp&key=o7naCKN3OoeU2KJMMsag
"

You click on the link; WordPress then resets your admin password and
sends you another email with your new credentials.

Let's see how it works:


wp-login.php:
...[snip]
line 186:
function reset_password($key) {
    global $wpdb;

    $key = preg_replace('/[^a-z0-9]/i', '', $key);

    if ( empty( $key ) )
        return new WP_Error('invalid_key', __('Invalid key'));

    $user = $wpdb->get_row($wpdb->prepare("SELECT * FROM $wpdb->users WHERE user_activation_key = %s", $key));
    if ( empty( $user ) )
        return new WP_Error('invalid_key', __('Invalid key'));
...[snip]
line 276:
$action = isset($_REQUEST['action']) ? $_REQUEST['action'] : 'login';
$errors = new WP_Error();

if ( isset($_GET['key']) )
    $action = 'resetpass';

// validate action so as to default to the login screen
if ( !in_array($action, array('logout', 'lostpassword', 'retrievepassword', 'resetpass', 'rp', 'register', 'login')) && false === has_filter('login_form_' . $action) )
    $action = 'login';
...[snip]

line 370:

    break;

case 'resetpass' :
case 'rp' :
    $errors = reset_password($_GET['key']);

    if ( ! is_wp_error($errors) ) {
        wp_redirect('wp-login.php?checkemail=newpass');
        exit();
    }

    wp_redirect('wp-login.php?action=lostpassword&error=invalidkey');
    exit();

    break;
...[snip]...

You can abuse the password reset function, bypass the first step and
then reset the admin password by submitting an array to the $key variable.


IV. PROOF OF CONCEPT
-
A web browser is sufficient to reproduce this proof of concept:
http://DOMAIN_NAME.TLD/wp-login.php?action=rp&key[]=
The password will be reset without any confirmation.

V. BUSINESS IMPACT
-
An attacker could exploit this vulnerability to compromise the admin account
of any wordpress/wordpress-mu <= 2.8.3.

VI. SYSTEMS AFFECTED
-
All

VII. SOLUTION
-
No patch available for the moment.

VIII. REFERENCES
-
http://www.wordpress.org

IX. CREDITS
-
This vulnerability has been discovered by Laurent Gaffié
Laurent.gaffie{remove-this}(at)gmail.com
I'd like to shoot some greetz to securityreason.com for their great research
on PHP, and for this under-estimated vulnerability discovered by Maksymilian
Arciemowicz:
http://securityreason.com/achievement_securityalert/38

X. REVISION HISTORY
-
August 10th, 2009: Initial release

XI. LEGAL NOTICES
-
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
I accept no responsibility for any damage caused by the use or
misuse of this information.
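The following is an added illustration, not code from the advisory or from WordPress: a small model of the reset_password() checks quoted above, showing why a key parameter that arrives as an array (PHP turns key[]= into array('')) passes preg_replace() and empty() untouched, and the type check that rejects it. The sample user table and the bind_value()/lookup_by_activation_key() helpers are constructed stand-ins for $wpdb->prepare()/get_row(); the array-unwrapping they model is an assumption about how a vsprintf-style helper treats a lone array argument, not a reproduction of wpdb.

```php
<?php
// Added illustration, not WordPress code: a small model of the
// reset_password() checks quoted above. PHP turns ?key[]= into
// $_GET['key'] = array(''), and that array sails through preg_replace()
// and empty(). The user table and the two $wpdb stand-ins are
// constructed for this demo (assumptions, not wpdb's implementation).

function sample_users() {
    // Constructed stand-in for the users table. "admin" has no reset
    // pending, so its user_activation_key column is the empty string.
    return array(
        array('ID' => 1, 'user_login' => 'admin', 'user_activation_key' => ''),
        array('ID' => 2, 'user_login' => 'alice', 'user_activation_key' => 'k3yf0ral1ce'),
    );
}

function bind_value($arg) {
    // Stand-in for the %s binding in $wpdb->prepare(). Models (assumption)
    // the vsprintf convention that a lone array argument is the argument
    // list itself, so array('') binds %s to ''. Escaping is omitted because
    // it is irrelevant to the point being shown.
    $args = is_array($arg) ? array_values($arg) : array($arg);
    return (string) vsprintf('%s', $args);
}

function lookup_by_activation_key(array $users, $bound) {
    // Stand-in for get_row(): first row whose key column equals the bound value.
    foreach ($users as $row) {
        if ($row['user_activation_key'] === $bound) {
            return $row;
        }
    }
    return null;
}

function reset_lookup_vulnerable(array $users, $key) {
    // Same control flow as the quoted reset_password().
    $key = preg_replace('/[^a-z0-9]/i', '', $key);   // array in, array out
    if (empty($key)) {                                // array('') is not empty()
        return 'invalid_key';
    }
    $row = lookup_by_activation_key($users, bind_value($key)); // %s bound to ''
    if (empty($row)) {
        return 'invalid_key';
    }
    return $row['user_login'];                        // this account would be reset
}

function reset_lookup_hardened(array $users, $key) {
    // Refuse anything that is not a plain string, and never let an empty key
    // match accounts that have no reset pending.
    if (!is_string($key)) {
        return 'invalid_key';
    }
    $key = preg_replace('/[^a-z0-9]/i', '', $key);
    if ($key === '') {
        return 'invalid_key';
    }
    $row = lookup_by_activation_key($users, $key);
    if ($row === null || $row['user_activation_key'] === '') {
        return 'invalid_key';
    }
    return $row['user_login'];
}

$users     = sample_users();
$array_key = array('');   // what ?key[]= arrives as in $_GET
foreach (array('key[]='          => $array_key,
               'key=k3yf0ral1ce' => 'k3yf0ral1ce',
               'key=nope'        => 'nope') as $request => $key) {
    printf("%-18s vulnerable=%-12s hardened=%s\n", $request,
           reset_lookup_vulnerable($users, $key), reset_lookup_hardened($users, $key));
}
```

Run it with the php CLI. The hardened variant also refuses to match rows whose stored key is empty, so an account with no pending reset can never be selected, whatever the request looks like.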

Re: [Full-disclosure] Salted passwords

2009-08-10 Thread T Biehn
Thank you for the thoughtful analysis Raid. The hash and salt are both
known to the attacker :)
It looks like I'm going to have to settle with confounding efforts by
the man via increased hash computation cost.

-Travis

On Mon, Aug 10, 2009 at 6:53 PM,  wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> Travis,
>
> On Mon, 10 Aug 2009 22:50:32 +0200 T Biehn  wrote:
>>I don't have control over the set. Sorry I wasn't more explicit about
>>this. Although, it should have been obvious that the solution needed
>>to satisfy the conditions:
>>Data to one way hash.
>>The set has 9,999,999,999 members.
>
> if these are the only two conditions, I wonder why a static salt
> does not satisfy your requirements? If the salt is not publicly
> known, the procedure is secure in respect to the hash-function in
> use...
>
> So, suppose the third condition is the salt may be publicly known.
>
> Suppose, we have plaintext (alphabet E, length of alphabet s = |E|)
> with fixed length, say 'c' chars. So if you insert the salt at a
> random position, there are c+1 possibilities for the position of
> the salt. So the bruteforce attacker has to run c more tests than
> having the salt in a fixed position.
>
> Comparing the two procedures from a theoretical point of view, there isn't
> a significant difference in terms of runtime complexity:
>
> If the salt is not publicly known and at a fixed position,
> complexity (means: number of possible plaintexts) is at O(s**c).
> Your method only raises complexity by a constant factor: it's at
> O((c+1) * s**c).
>
> Theoretically this is negligible: If it takes me 2 hours to
> bruteforce procedure 1 (fixed position), why bother about 20 hours
> computing for procedure 2?
>
> Practically it depends on your overall requirements.
>
> Besides, your procedure lowers the latch for DoS... at least
> slightly (same argument as above).
>
> So far, my two cents...
>
> raid
> -BEGIN PGP SIGNATURE-
> Charset: UTF8
> Version: Hush 3.0
> Note: This signature can be verified at https://www.hushtools.com/verify
>
> wpwEAQMCAAYFAkqApOoACgkQ/WWNsggjSSFjgAP/Wr/yus6Zf8e/nkegfMw4AeRS5Xz4
> GP91CUbwEEgy0qMsL7HvrAc7oo7dt5PpEZIePVkBF8ea9WeW9RlX1YK7ZlkkIP6ZLKx2
> XgT515eGNeTMbcKSmAOWlIkL4JtKRBxh7YLb0QP0yi3pCY7MGl4ZAtcGN25vx3Nkkq18
> WMoO6VQ=
> =UN3m
> -END PGP SIGNATURE-
>



-- 
pgp http://pastebin.com/f6fd606da pgp



Re: [Full-disclosure] Salted passwords

2009-08-10 Thread raid
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Travis,

On Mon, 10 Aug 2009 22:50:32 +0200 T Biehn  wrote:
>I don't have control over the set. Sorry I wasn't more explicit about
>this. Although, it should have been obvious that the solution needed
>to satisfy the conditions:
>Data to one way hash.
>The set has 9,999,999,999 members.

if these are the only two conditions, I wonder why a static salt
does not satisfy your requirements? If the salt is not publicly
known, the procedure is secure in respect to the hash-function in
use...

So, suppose the third condition is the salt may be publicly known.

Suppose, we have plaintext (alphabet E, length of alphabet s = |E|)
with fixed length, say 'c' chars. So if you insert the salt at a
random position, there are c+1 possibilities for the position of
the salt. So the bruteforce attacker has to run c more tests than
having the salt in a fixed position.

Comparing the two procedures from a theoretical point of view, there isn't
a significant difference in terms of runtime complexity:

If the salt is not publicly known and at a fixed position,
complexity (means: number of possible plaintexts) is at O(s**c).
Your method only raises complexity by a constant factor: it's at
O((c+1) * s**c).

Theoretically this is negligible: If it takes me 2 hours to
bruteforce procedure 1 (fixed position), why bother about 20 hours
computing for procedure 2?

Practically it depends on your overall requirements.

Besides, your procedure lowers the latch for DoS... at least
slightly (same argument as above).

So far, my two cents...

raid
-BEGIN PGP SIGNATURE-
Charset: UTF8
Version: Hush 3.0
Note: This signature can be verified at https://www.hushtools.com/verify

wpwEAQMCAAYFAkqApOoACgkQ/WWNsggjSSFjgAP/Wr/yus6Zf8e/nkegfMw4AeRS5Xz4
GP91CUbwEEgy0qMsL7HvrAc7oo7dt5PpEZIePVkBF8ea9WeW9RlX1YK7ZlkkIP6ZLKx2
XgT515eGNeTMbcKSmAOWlIkL4JtKRBxh7YLb0QP0yi3pCY7MGl4ZAtcGN25vx3Nkkq18
WMoO6VQ=
=UN3m
-END PGP SIGNATURE-



[Full-disclosure] [SECURITY] [DSA 1859-1] New libxml2 packages fix several issues

2009-08-10 Thread Nico Golde
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA-1859-1secur...@debian.org
http://www.debian.org/security/ Nico Golde
August 10th, 2009   http://www.debian.org/security/faq
- --

Package: libxml2
Vulnerability  : several
Problem type   : local (remote)
Debian-specific: no
CVE IDs: CVE-2009-2416 CVE-2009-2414

Rauli Kaksonen, Tero Rontti and Jukka Taimisto discovered several
vulnerabilities in libxml2, a library for parsing and handling XML data
files, which can lead to denial of service conditions or possibly arbitrary
code execution in the application using the library.  The Common
Vulnerabilities and Exposures project identifies the following problems:

An XML document with specially-crafted Notation or Enumeration attribute
types in a DTD definition leads to the use of pointers to memory areas
which have already been freed (CVE-2009-2416).

Missing checks for the depth of ELEMENT DTD definitions when parsing
child content can lead to extensive stack growth due to function
recursion, which can be triggered via a crafted XML document (CVE-2009-2414).


For the oldstable distribution (etch), this problem has been fixed in
version 2.6.27.dfsg-6+etch1.

For the stable distribution (lenny), this problem has been fixed in
version 2.6.32.dfsg-5+lenny1.

For the testing (squeeze) and unstable (sid) distribution, this problem
will be fixed soon.


We recommend that you upgrade your libxml2 packages.

Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- ---

Debian (oldstable)
- --

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, 
mipsel, powerpc, s390 and sparc.

Source archives:

  http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.6.27.dfsg.orig.tar.gz
    Size/MD5 checksum:  3416175 5ff71b22f6253a6dd9afc1c34778dec3
  http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.6.27.dfsg-6+etch1.dsc
    Size/MD5 checksum:      913 09efeb00dc3ad837c65ed86a2270261b
  http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.6.27.dfsg-6+etch1.diff.gz
    Size/MD5 checksum:   147012 e5df821d4cc929b2ef8c7100059715d5

Architecture independent packages:

  http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-doc_2.6.27.dfsg-6+etch1_all.deb
    Size/MD5 checksum:  1322916 726ca29b7ee850c407ac321f2ea112c7

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dev_2.6.27.dfsg-6+etch1_alpha.deb
    Size/MD5 checksum:   917136 f4cfcb4f316490b18974cecd8868aced
  http://security.debian.org/pool/updates/main/libx/libxml2/python-libxml2_2.6.27.dfsg-6+etch1_alpha.deb
    Size/MD5 checksum:   184768 e475a83dc482cf3763af2f06cd00e7e1
  http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dbg_2.6.27.dfsg-6+etch1_alpha.deb
    Size/MD5 checksum:   882132 5573e7841564516216b7ac6bb2d8cf63
  http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-utils_2.6.27.dfsg-6+etch1_alpha.deb
    Size/MD5 checksum:    37990 5ab687646663b3719626727176029ba8
  http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.6.27.dfsg-6+etch1_alpha.deb
    Size/MD5 checksum:   821362 fd53ce835d76a42bd2adcffad97fe4a6

amd64 architecture (AMD x86_64 (AMD64))

  http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-utils_2.6.27.dfsg-6+etch1_amd64.deb
    Size/MD5 checksum:    36920 dceee52173b5c868003e83884eed8b7e
  http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dbg_2.6.27.dfsg-6+etch1_amd64.deb
    Size/MD5 checksum:   891488 9871349948186c2c2abb61a74628877e
  http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.6.27.dfsg-6+etch1_amd64.deb
    Size/MD5 checksum:   797442 07005f45dcc655a7aac198b8ef177565
  http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dev_2.6.27.dfsg-6+etch1_amd64.deb
    Size/MD5 checksum:   746350 5af6719d16da6860f581346997577139
  http://security.debian.org/pool/updates/main/libx/libxml2/python-libxml2_2.6.27.dfsg-6+etch1_amd64.deb
    Size/MD5 checksum:   184048 77365844e9195b07ac51b98d9ffde0b8

arm architecture (ARM)

  http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-utils_2.6.27.dfsg-6+etch1_arm.deb
    Size/MD5 checksum:    34680 86beed99d8058d792

[Full-disclosure] [SECURITY] [DSA 1858-1] New imagemagick packages fix several vulnerabilities

2009-08-10 Thread Luciano Bello
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
Debian Security Advisory DSA-1858-1  secur...@debian.org
http://www.debian.org/security/Luciano Bello
August 10, 2009   http://www.debian.org/security/faq
- 

Package: imagemagick
Vulnerability  : multiple
Problem type   : local(remote)
Debian-specific: no
CVE Id(s)  : CVE-2007-1667 CVE-2007-1797 CVE-2007-4985 CVE-2007-4986 
 CVE-2007-4987 CVE-2007-4988 CVE-2008-1096 CVE-2008-1097
 CVE-2009-1882
Debian Bug : 418057 412945 444267 530838

Several vulnerabilities have been discovered in the imagemagick image
manipulation programs which can lead to the execution of arbitrary code,
exposure of sensitive information or cause DoS. The Common Vulnerabilities
and Exposures project identifies the following problems:

CVE-2007-1667

   Multiple integer overflows in the XInitImage function in xwd.c for
   ImageMagick allow user-assisted remote attackers to cause a denial of
   service (crash) or obtain sensitive information via crafted images with
   large or negative values that trigger a buffer overflow. It only affects
   the oldstable distribution (etch).

CVE-2007-1797

   Multiple integer overflows allow remote attackers to execute arbitrary
   code via a crafted DCM image, or the colors or comments field in a 
   crafted XWD image. It only affects the oldstable distribution (etch).

CVE-2007-4985

   A crafted image file can trigger an infinite loop in the ReadDCMImage
   function or in the ReadXCFImage function. It only affects the oldstable
   distribution (etch).

CVE-2007-4986

   Multiple integer overflows allow context-dependent attackers to execute
   arbitrary code via a crafted .dcm, .dib, .xbm, .xcf, or .xwd image file,
   which triggers a heap-based buffer overflow. It only affects the  
   oldstable distribution (etch).

CVE-2007-4987

   Off-by-one error allows context-dependent attackers to execute arbitrary
   code via a crafted image file, which triggers the writing of a '\0'
   character to an out-of-bounds address. It affects only the oldstable
   distribution (etch).

CVE-2007-4988

   A sign extension error allows context-dependent attackers to execute   
   arbitrary code via a crafted width value in an image file, which 
   triggers an integer overflow and a heap-based buffer overflow. It 
   affects only the oldstable distribution (etch).

CVE-2008-1096

   The load_tile function in the XCF coder allows user-assisted remote
   attackers to cause a denial of service or possibly execute arbitrary
   code via a crafted .xcf file that triggers an out-of-bounds heap write.
   It affects only oldstable (etch).

CVE-2008-1097

   Heap-based buffer overflow in the PCX coder allows user-assisted remote
   attackers to cause a denial of service or possibly execute arbitrary
   code via a crafted .pcx file that triggers incorrect memory allocation
   for the scanline array, leading to memory corruption. It affects only
   oldstable (etch).

CVE-2009-1882

   Integer overflow allows remote attackers to cause a denial of service
   (crash) and possibly execute arbitrary code via a crafted TIFF file, 
   which triggers a buffer overflow.

For the old stable distribution (etch), these problems have been fixed in
version 7:6.2.4.5.dfsg1-0.15+etch1.

For the stable distribution (lenny), these problems have been fixed in
version 7:6.3.7.9.dfsg2-1~lenny3.

For the upcoming stable distribution (squeeze) and the unstable
distribution (sid), these problems have been fixed in version
7:6.5.1.0-1.1.

We recommend that you upgrade your imagemagick packages.

Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- ---

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, 
mipsel, powerpc, s390 and sparc.

Source archives:

  http://security.debian.org/pool/updates/main/i/imagemagick/imagemagick_6.2.4.5.dfsg1-0.15+etch1.tar.gz
    Size/MD5 checksum:  5202678 cbb51d6956c6dd68f7dfaa068d0b416b
  http://security.debian.org/pool/updates/main/i/imagemagick/imagemagick_6.2.4.5.dfsg1-0.15+etch1.dsc
    Size/MD5 checksum:      958 6c8ffe1f0d0efab6652070aabd8fab8d

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/i/imagemagick/libmagick++9c2a_6.2.4.5.dfsg1-0.15+etch1_alpha.deb
    Size/MD5 checks

Re: [Full-disclosure] Salted passwords

2009-08-10 Thread T Biehn
Valdis,
I don't have control over the set. Sorry I wasn't more explicit about
this. Although, it should have been obvious that the solution needed
to satisfy the conditions:
Data to one way hash.
The set has 9,999,999,999 members.

Thanks for your input sweetie!

-Travis

On Mon, Aug 10, 2009 at 4:26 PM,  wrote:
> On Sun, 09 Aug 2009 20:14:57 EDT, T Biehn said:
>> Soliciting random suggestions.
>> Lets say I have data to one-way-hash.
>> The set has 9,999,999,999 members.
>
> Actually, if you're using a 10-digit decimal field, you probably have 10**10
> possible members - all-zeros counts too (unless there's *other* reasons zero
> isn't a legal ID).  It's those little off-by-one errors that tend to get you.
> ;)
>
>> It's relatively easy to brute force this, or create precomp tables.
>
> That's because you only have 10M billion members to brute force against.
>
>> So you add a salt to each.
>
> A better idea cryptographically would be to fix the 10**10 member limit, so
> that the set *could* have a much higher possible number of members.  Even
> staying at 10 characters, but allowing [A-Za-z0-9] (62 possible chars) raises
> your space to 62**10 or about 8.3*10**17 (or almost 10M times the difficulty).
> That's why most symmetric crypto algorithms use at least 64-bit or even larger
> keys, and even larger for RSA and similar public-key systems.
>
>



-- 
pgp http://pastebin.com/f6fd606da pgp



Re: [Full-disclosure] Salted passwords

2009-08-10 Thread Valdis . Kletnieks
On Sun, 09 Aug 2009 20:14:57 EDT, T Biehn said:
> Soliciting random suggestions.
> Lets say I have data to one-way-hash.
> The set has 9,999,999,999 members.

Actually, if you're using a 10-digit decimal field, you probably have 10**10
possible members - all-zeros counts too (unless there's *other* reasons zero
isn't a legal ID).  It's those little off-by-one errors that tend to get you.
;)

> It's relatively easy to brute force this, or create precomp tables.

That's because you only have 10M billion members to brute force against.

> So you add a salt to each.

A better idea cryptographically would be to fix the 10**10 member limit, so
that the set *could* have a much higher possible number of members.  Even
staying at 10 characters, but allowing [A-Za-z0-9] (62 possible chars) raises
your space to 62**10 or about 8.3*10**17 (or almost 10M times the difficulty).
That's why most symmetric crypto algorithms use at least 64-bit or even larger
keys, and even larger for RSA and similar public-key systems.



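An added worked example (mine, not code by Travis, raid or Valdis) of the options this thread weighs: splicing the salt into the value at a position the verifier has to search for, as Travis proposed, against a fixed-position salt with an iterated hash, which is where Travis ends up; it also puts raid's (c+1) factor and Valdis's 62-character alphabet into numbers for a 10-character set. SHA-256 and PBKDF2 are my choices; the member value, salt and iteration count are constructed.

```php
<?php
// Added example, not code from the thread. Compares the salt-at-random-
// position scheme with a fixed-position salt plus an iterated hash, and
// puts numbers on the brute-force work factor for a 10-digit set.
// SHA-256 / PBKDF2 are my choices; $member and $salt are constructed.

function hash_with_salt_at($value, $salt, $pos) {
    // Salt spliced into the value at offset $pos (0..strlen($value)).
    return hash('sha256', substr($value, 0, $pos) . $salt . substr($value, $pos));
}

function store_random_position($value, $salt) {
    // The position is chosen at random and deliberately not stored.
    $pos = random_int(0, strlen($value));
    return hash_with_salt_at($value, $salt, $pos);
}

function verify_random_position($value, $salt, $stored) {
    // Without the position the verifier tries all c+1 splices; an attacker
    // checking a guess does exactly the same, hence raid's (c+1) factor.
    $tries = 0;
    for ($pos = 0; $pos <= strlen($value); $pos++) {
        $tries++;
        if (hash_equals($stored, hash_with_salt_at($value, $salt, $pos))) {
            return array(true, $tries);
        }
    }
    return array(false, $tries);
}

function store_iterated($value, $salt, $iterations) {
    // Fixed-position salt; the cost per guess is the iteration count,
    // a knob that does not depend on the value's length.
    return hash_pbkdf2('sha256', $value, $salt, $iterations, 0);
}

function verify_iterated($value, $salt, $iterations, $stored) {
    return hash_equals($stored, hash_pbkdf2('sha256', $value, $salt, $iterations, 0));
}

function brute_force_cost($s, $c, $iterations = 1, $random_position = false) {
    // Hash computations needed to exhaust an alphabet of size $s at length $c.
    $per_guess = $iterations * ($random_position ? $c + 1 : 1);
    return $per_guess * pow($s, $c);
}

$member = '4815162342';      // constructed 10-digit set member
$salt   = 'c0nstructedSalt'; // constructed, assumed to be public
$wrong  = '4815162343';      // constructed near-miss guess

$stored = store_random_position($member, $salt);
list($ok, $tries)  = verify_random_position($member, $salt, $stored);
list($bad, $tried) = verify_random_position($wrong, $salt, $stored);
printf("random position: genuine accepted=%d after %d/%d tries; wrong accepted=%d after %d tries\n",
       $ok, $tries, strlen($member) + 1, $bad, $tried);

$iters  = 100000;
$stored = store_iterated($member, $salt, $iters);
printf("iterated (%d rounds): genuine accepted=%d, wrong accepted=%d\n", $iters,
       verify_iterated($member, $salt, $iters, $stored),
       verify_iterated($wrong, $salt, $iters, $stored));

// Work factors in hash computations (s = alphabet size, c = length).
printf("10 digits, fixed salt:              %.1e\n", brute_force_cost(10, 10));
printf("10 digits, random-position salt:    %.1e\n", brute_force_cost(10, 10, 1, true));
printf("10 digits, fixed salt, %d rounds: %.1e\n", $iters, brute_force_cost(10, 10, $iters));
printf("10 chars of [A-Za-z0-9], one hash:  %.1e\n", brute_force_cost(62, 10));
```

A wrong guess always costs the full c+1 tries in the random-position scheme, so the verifier's worst case and the attacker's per-guess cost move together and by the same small constant; the iteration count, by contrast, is a parameter the defender can raise as hardware gets faster, and widening the alphabet changes the base of the exponent rather than a constant in front of it.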

Re: [Full-disclosure] Ureleet is the Anti-Sec

2009-08-10 Thread Valdis . Kletnieks
On Mon, 10 Aug 2009 12:07:24 EDT, T Biehn said:
> n3td3v, ureleet, and anti-sec are actually all Hitler, posting after
> being recently unfrozen from cryogenic sleep.

Conclusion: Keeping your brain on ice for 60 years makes you stupid. Hitler
was a lot smarter than that. (Crazy, yes, evil, yes - but would he have gotten
as far as he did if he was only as smart as n3td3v and ureleet?)



Re: [Full-disclosure] Hindustan Times epaper Server Hacked

2009-08-10 Thread webDEViL
Maa Ki Kirkiri
Congrats to Sky for finding "architectural flaws" in a paper which costs Rs
2.50. Wow, thanks! You saved me $1.5 per month. I owe you one! ;) Btw, my
local area library will get me HT papers dated before 2004.

If you are against HT "looting" people, why the hell ask them to contact you
to correct the "flaws"? Hypocrite

"I would like to dedicate this hack towards Club Calvin @
http://www.clubcalv.in and all cute kids"
Very Pedo...hahaha



wD


On Sun, Aug 9, 2009 at 8:56 AM, Sky  wrote:

> Hindustan Times epaper Server Hacked
> http://sky.net.in/hindustan-times-epaper-server-hacked/
>
> Hindustan Times (HT) is India’s leading newspaper, published since 1924
> with roots in the independence movement. In 2008, the newspaper reported
> that with a (circulation of over 1.14 million) ranking them as the third
> largest circulatory daily English Newspaper in India. The Mumbai edition was
> launched on 14 July 2005. HT has a readership of (6.6 million) ranking them
> as the second most widely read English Newspaper after Times of India.
> (Source: Wikipedia article on Hindustan Times) -
> http://en.wikipedia.org/wiki/Hindustan_Times
>
> HindustanTimes + Hindustan epaper Server Hacked
>
> http://lh4.ggpht.com/_gbWPSul_tCM/Sn5UNhLLVYI/ASM/JY9bc67HV14/s800/hindustan_times_hacked.jpg
>
> Why was Hindustan Times (HT) epaper Server Hacked ?
>
> Many people think that Hindustan Times (HT) (English Edition) + Hindustan
> (Hindi Edition) is available on the internet free of cost, HT Media has made
> it compulsory to register on their website in order to read the daily online
> edition of their published newspapers, on completion of registration HT
> Media provides you instant access to read daily edition, the CATCH is – you
> can only read the daily edition + past seven days editions (from the current
> date) as a free user, whereas if you wanna read any edition beyond seven
> days, you will have to pay a huge (rip off) amount to HT Media (in the name
> of digital archive subscription)
>
>
> Registration Information Collected by HindustanTimes
>
> http://lh6.ggpht.com/_gbWPSul_tCM/Sn5WIrsZxcI/ASs/Lc6NaQzxEfk/s800/HT_registration.jpg
>
> Free HindustanTimes Editions
>
> http://lh6.ggpht.com/_gbWPSul_tCM/Sn5UN35Yx5I/ASU/6THfLaMu00M/s800/HT_free_editions.jpg
>
> Restricted Access to HindustanTimes epaper Archives
>
> http://lh4.ggpht.com/_gbWPSul_tCM/Sn5UN5umsJI/ASY/5_SfNzOEm7w/s800/HT_newspaper_subscribe.jpg
>
> Archive Subscription Charges for HindustanTimes is a total Rip Off
>
> http://lh4.ggpht.com/_gbWPSul_tCM/Sn5ViIwx2aI/ASo/6TMgKDuc6Vg/s800/HT_archive_charges.jpg
>
>
> As a hacker, i think it's not fair (for anyone) to loot common people and
> sell (publicly gained) information in such a way, so i decided to peek
> inside the server and find some bugs / architectural flaws which would allow
> me to access past newspaper (Images / PDF) editions for free
>
> Within a couple of hours, i managed to find some bugs / architectural flaws
> (& vulnerabilities) which gave out free access to the past (Images / PDF)
> newspaper editions
>
> Calvin and Hobbes publishing error
>
> I used to search the newspaper (HT hard copy) every morning for technology
> related news (hoping any Indian journalist must have written some piece)
> that went on for like weeks and then i started reading Calvin and Hobbes
> (the comic strip) every day published in HT Cafe
>
> On 2nd / 4th / 9th June, Hindustan Times (HT) published the same Calvin and
> Hobbes strip, how should i react against this publishing error by Hindustan
> Times, as a fan of Calvin and Hobbes, i expect new comic strip every day
>
> Check out the exact same Calvin and Hobbes strip published thrice on various
> days in the single month of June (2009)
>
> 2nd June
>
> http://epaper.hindustantimes.com/Web/HTMumbai/Article/2009/06/02/538/02_06_2009_538_013.jpg
>
> 9th June
>
> http://epaper.hindustantimes.com/Web/HTMumbai/Article/2009/06/09/538/09_06_2009_538_002.jpg
>
> 4th June
>
> http://epaper.hindustantimes.com/Web/HTMumbai/Article/2009/06/04/538/04_06_2009_538_006.jpg
>
> Informing the privileged authorities
>
> On 10th July 2009, i informed the editor and other top most authorities @
> HindustanTimes via email regarding the serious bugs / flaws (&
> vulnerabilities) on their ePaper Server which can be exploited to compromise
> data and cause financial losses for HT Media
>
> My email to HindustanTimes
>
> http://lh5.ggpht.com/_gbWPSul_tCM/Sn5WJt3UKGI/AS0/KOnhjTtBNnk/s800/my_email_hindustan_times.jpg
>
> Rashmi Chugh's reply to me
>
> http://lh4.ggpht.com/_gbWPSul_tCM/Sn5W9mSD0pI/ATI/O5hazb5IIY4/s800/rashmi_livemint_reply.jpg
>
> Although i received a reply from Rashmi Chugh (Business Head and Publisher,
> LIVEMINT) within 3 minutes, i waited for 24 hours to receive other
> recipients' replies (as i wanted to know what they thought about the issue) but
> sadly no one replied back except Rashmi Chug

[Full-disclosure] AntiSec PHHEER #3

2009-08-10 Thread antisec
AntiSec wants to thank all of the retards that made making fun of 
retards possible! Without all of the childish ideas of that AntiSec 
was founded on, we wouldn't be poking fun of every aspect that they 
claim is real! lulz!

Pantone Colors

According to "Standard Shades of the Korean Flag 1997-10", issued 
by the Ministry of Information in 1997, the officially recommended 
colours are red 186C and blue 294C in the Pantone Matching System.

Symbolism of the flag

The Korean national flag is called Taegukki. The meaning of Korean 
National Flag is very philosophical. The origin comes from the old 
oriental philosophy called the theory of Um-Yang, in Chinese 
pronunciation Yin-Yang. Yin means dark and cold, while Yang means 
bright and hot. The idea of Yin-Yang is supposed to be originated 
from the old Korean philosophy of Samshin meaning three gods. A 
very old book called Chuyok or Iching in Chinese, which was written 
by (a) Chinese several thousands years ago, claims all objects and 
events in the world are expressed by the movement of yin and yang. 
For example, the moon is yin while the sun is yang; the earth is 
yin and the heaven is yang; a woman is yin and a man is yang; the 
night is yin and the day is yang; the winter is yin and the summer 
is yang, etc. Yin and yang are relative. Therefore, A can be yin 
with respect to B while A can also be yang with respect to C. For 
instance, the spring is yin w.r.t. the summer and it is at the same 
time yang w.r.t. the winter. Yin and yang are opposite and struggle 
each other while they cooperate in harmony. The harmonious state of 
the movement of yin and yang is called Taeguki, or Taikukkki, 
Taichi in Chinese, which is also the name of the Korean national 
flag, i.e. Taegukki. Ki means a flag. (See the similarity between 
the concept of Yin-Yang-Taichi and the dialectics of thesis-
antithesis-synthesis.) The upper half circle, red, of Taeguk means 
yang and the lower half circle, blue, means yin. They stand for the 
state of harmony of yin and yang.

The symbols, called Kwae, in the four corners, mean the principle 
of movement and harmony. Basically, each Kwae consists of three 
bars that can be either broken or unbroken bars. A broken bar 
stands for yin while an unbroken bar stands for yang. For example, 
the upper left Kwae, called Kun, is composed of three solid 
unbroken bars. And the lower left Kwae, called Yi, is composed of 
two unbroken bars and one broken bar in between. Since one bar can 
be either broken or unbroken, i.e. same concept as bit as in the 
binary computer world, three bars can express 2^3 = 8 combinations. 
If you use four bars you can express 2^4=64 combinations; 10 bars, 
2^10=1024, etc. Therefore the more bars you use the more different 
situation you can express with Kwae. Among so many states of Kwae, 
i.e. principle of movement of objects and events, four basic Kwae 
are used in the Korean National Flag. Those are Kun meaning heaven, 
Yi meaning fire, Kam meaning water, and Kon meaning earth. Each of 
them symbolizes a different state of movement.
___ ___ _ _ _ _
Kun ___ Yi  _ _ Kam ___ Kon _ _
___ ___ _ _ _ _

The white color of background stands for the peace and the purity 
of the Korean people who have loved to wear white colored clothes. 
Therefore, the Korean people have been called the white-clad nation.

To conclude, the symbols, Yin, Yang, Kun, Yi, Kam, and Kon, express 
the principle of the movement of all objects in the universe and 
the movement of the universe itself. It also stands for peace and 
harmony.

The white field represents the people's purity and their desire for 
peace, while the central emblem is the red and blue yin-yang 
symbol, depicting the concepts of creation and development through 
duality and balance. Surrounding this are four black KWAE symbols, 
which are taken from the I CHING and represent the four seasons, 
the four compass points, the four elements, and the sun, moon, 
earth, and heaven. They denote the process of yin and yang going 
through a spiral of change and growth.

The Korean flag is called taegukki. Its design symbolizes the 
principles of the yin and yang in Oriental philosophy. The circle 
in the center of the flag is divided into two equal parts. The 
upper red section represents the positive cosmic forces of the 
yang. Conversely, the lower blue section represents the negative 
cosmic forces of the yin. The two forces together embody the 
concepts of continual movement and the balance and harmony that 
characterize the sphere of infinity. The circle is surrounded by 
four trigrams, one in each corner. Each trigram symbolizes one of 
the four universal elements: heaven, earth, fire and water."

Use and abuse of the flag

The concept of "Nation" or "Country" in eastern society is 
completely different from that of western society. If there are 
some 

Re: [Full-disclosure] AntiSec Owns Microsoft

2009-08-10 Thread antisec
We are accepting applications right now sunjestor! All you have to 
do is speak in the language in which you are fluent in which you 
will be immediately accepted upon doing 3 out of the 5 standard 
AntiSec procedures:

1. Suck off Mitnick.
2. Suck off Aitel (Travis is one up on you!).
3. Suck off Wozniak.
4. Suck off yourself (This should be no problem because of all the 
practice!).
5. Suck off everyone who thinks non-disclosure is a viable option 
(Many, many illiterates to choose from!).

3 out of the 5 will earn you a silver star, 4 or more will make you 
the new leader.

Good luck to all participants!

On Sun, 09 Aug 2009 19:33:03 -0400 sunjester 
 wrote:
>W0w, m4n much resp3ct 1 wi5h 1 c0uld 0wn microsh4f8 t00!! d4mn j00 
>l33t
>antifags so l33t. so l33t. 1 w4nnbe ju5t lik3s y0u
>
>-- 
>Founder/Activist
>http://fusecurity.com/ | "Free Security Technology"

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Salted passwords

2009-08-10 Thread T Biehn
I'm flattered; If you only knew what it was for...
IHBT?

-Travis

On Mon, Aug 10, 2009 at 12:08 PM,  wrote:
> AntiSec would like to approach you by telling you to keep your
> whitehat filthy ass off our list, Travis.
>
> Have a nice day sucking off Aitel.
>
> On Sun, 09 Aug 2009 20:14:57 -0400 T Biehn  wrote:
>>Soliciting random suggestions.
>>Lets say I have data to one-way-hash.
>>The set has 9,999,999,999 members.
>>It's relatively easy to brute force this, or create precomp
>>tables.
>>So you add a salt to each.
>>Still easy to brute force.
>>If you were to create it in such a way that the hash could exist
>>anywhere in the set member, does this increase the cost of
>>computation
>>enough?
>>
>>That is, consider a member 'abcdefg' with salt 329938255.
>>When authenticating against the server, it must permute over all
>>possible combinations of the salt and the set member in order to
>>determine the validity of the password.
>>
>>If anyone has a better approach, or would like to approach me off
>>list, or knows of a list more suited to these queries please feel
>>free
>>to redirect me :)
>>
>>-Travis


Re: [Full-disclosure] Salted passwords

2009-08-10 Thread antisec
AntiSec would like to approach you by telling you to keep your 
whitehat filthy ass off our list, Travis.

Have a nice day sucking off Aitel.

On Sun, 09 Aug 2009 20:14:57 -0400 T Biehn  wrote:
>Soliciting random suggestions.
>Lets say I have data to one-way-hash.
>The set has 9,999,999,999 members.
>It's relatively easy to brute force this, or create precomp 
>tables.
>So you add a salt to each.
>Still easy to brute force.
>If you were to create it in such a way that the hash could exist
>anywhere in the set member, does this increase the cost of 
>computation
>enough?
>
>That is, consider a member 'abcdefg' with salt 329938255.
>When authenticating against the server, it must permute over all
>possible combinations of the salt and the set member in order to
>determine the validity of the password.
>
>If anyone has a better approach, or would like to approach me off
>list, or knows of a list more suited to these queries please feel 
>free
>to redirect me :)
>
>-Travis


Re: [Full-disclosure] Ureleet is the Anti-Sec

2009-08-10 Thread T Biehn
n3td3v, ureleet, and anti-sec are actually all Hitler, posting after
being recently unfrozen from cryogenic sleep. He is using this as part
of his black magic scheme to bring back nazi occultism and rule the
world once again.

Careful review of all posts shows the superstructure of a subconscious
mind-virus, waiting for a trigger event deep in the recesses of our
collective minds.

When you want to go to it
Relax don't do it
When you want to come

-Travis

On Sun, Aug 9, 2009 at 12:20 AM,  wrote:
> n3td3v is our exploit coder. pheer infidelz.
>
> On Sat, 08 Aug 2009 19:31:26 -0400 someone lawyer
>  wrote:
>>List,
>>
>>Ureleet is the Anti-Sec he been trying to slander n3td3v
>>(legitimate
>>security researcher) the whole time.
>>
>>some...@lawyer.com
>>
>>--
>>Be Yourself @ mail.com!
>>Choose From 200+ Email Addresses
>>Get a Free Account at www.mail.com!


Re: [Full-disclosure] Hindustan Times epaper Server Hacked

2009-08-10 Thread T Biehn
While your publications are slightly pretentious (who am I to talk?) I
applaud your idealism in an age of rampant cynicism.

Don't log into any US Government systems looking to liberate secret
UFO docs though, that gets you extradited.

A small suggestion, do not use a consistent pseudonym, post completely
anonymously. It's difficult to keep the ego from making mistakes.

-Travis

On Sun, Aug 9, 2009 at 1:56 AM, Sky wrote:
> Hindustan Times epaper Server Hacked
> http://sky.net.in/hindustan-times-epaper-server-hacked/

Re: [Full-disclosure] Salted passwords

2009-08-10 Thread T Biehn
Richard,
The approach I outline in my post is the correct one, that is, making
it computationally expensive to crack. I'm not trying to protect
passwords, think anonymizing account numbers and the like.. That is,
the possible combinations are a set that is unacceptably small.
Without an expensive compute step it's trivial to brute force given a
static salt location...

(excuse my use of shitty pseudocode, assume homogeneous length 10)

Typically the test is:

if storedHash = hashFcn(userPassword & storedSalt) //9,999,999,999 tests

if you randomly store the storedSalt ANYWHERE within userPassword, it becomes

for (int i=0; i wrote:
**REDACTED**
"explain please"
**REDACTED**

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
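
An added worked example, not code from this thread: it models the scheme Travis describes (the salt spliced into the secret at a position the server does not record, so verification has to loop over every position) and counts hash calls on both the server side and the attacker side. SHA-256 standing in for the unspecified hashFcn, a 3-digit toy space so the brute force finishes instantly, and PBKDF2 as the comparison point are my choices, not the post's.

```python
import hashlib
import secrets
from typing import List, Optional, Tuple


def digest(data: bytes) -> bytes:
    # SHA-256 stands in for the unspecified hashFcn of the post (assumption)
    return hashlib.sha256(data).digest()


def splice(secret: bytes, salt: bytes, pos: int) -> bytes:
    """Insert the salt before position pos of the secret (pos may equal len(secret))."""
    return secret[:pos] + salt + secret[pos:]


def enroll(secret: str, salt: bytes) -> bytes:
    """Hash with the salt spliced in at a random position; the position is not stored."""
    s = secret.encode()
    pos = secrets.randbelow(len(s) + 1)
    return digest(splice(s, salt, pos))


def verify(candidate: str, salt: bytes, stored: bytes) -> Tuple[bool, int]:
    """Server-side check: try every position. Returns (matched, hash calls made)."""
    s = candidate.encode()
    calls = 0
    for pos in range(len(s) + 1):
        calls += 1
        if secrets.compare_digest(digest(splice(s, salt, pos)), stored):
            return True, calls
    return False, calls


def crack(salt: bytes, stored: bytes, secret_len: int,
          positions: List[int]) -> Tuple[Optional[str], int]:
    """Offline brute force over every secret_len-digit string and each candidate position."""
    calls = 0
    for n in range(10 ** secret_len):
        s = str(n).zfill(secret_len).encode()
        for pos in positions:
            calls += 1
            if digest(splice(s, salt, pos)) == stored:
                return s.decode(), calls
    return None, calls


def random_position_cost(space: int, secret_len: int) -> int:
    """Worst-case hash evaluations to exhaust the space when the salt position is unknown."""
    return space * (secret_len + 1)


def iterated_cost(space: int, iterations: int) -> int:
    """Worst-case hash evaluations when a stored salt is used with an iterated KDF."""
    return space * iterations


def enroll_pbkdf2(secret: str, salt: bytes, iterations: int) -> bytes:
    """The conventional alternative: a stored salt and a defender-chosen iteration count."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, iterations)


if __name__ == "__main__":
    salt = b"329938255"              # the salt value from the post
    stored = enroll("527", salt)     # constructed 3-digit toy member
    print(verify("527", salt, stored))
    print(crack(salt, stored, 3, positions=list(range(4))))
    print(random_position_cost(10 ** 10, 10), iterated_cost(10 ** 10, 100_000))
```

The hidden position multiplies the work by (secret length + 1) for the server and the attacker alike, 11x for the 10-digit members in the post, and that factor is fixed by the data format; the iteration count of a KDF is chosen by the defender and can be raised as hardware gets faster, which is what the last two functions put side by side.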


[Full-disclosure] [RT-SA-2009-005] Papoo CMS: Authenticated Arbitrary Code Execution

2009-08-10 Thread RedTeam Pentesting GmbH
Advisory: Papoo CMS: Authenticated Arbitrary Code Execution

The Papoo CMS allows authenticated users to upload GIF, JPG and PNG images
if they have the "upload images" privilege, which all default groups that
can access the administrative interface hold. The CMS checks uploaded
images only for a valid image header, not for the file extension. It is
therefore possible to upload a file with the extension ".php" and a valid
image header. By embedding PHP code in the image (e.g. in the GIF comment
field), arbitrary code is executed when the image is requested.


Details
===

Product: Papoo CMS
Affected Versions: 3.7.3 (older versions are probably also vulnerable)
Fixed Versions: 3.7.3 after applying vendor patch
Vulnerability Type: Code Execution
Security Risk: medium
Vendor URL: http://www.papoo.de
Vendor Status: notified, fixed version released
Advisory URL: http://www.redteam-pentesting.de/advisories/rt-sa-2009-005
Advisory Status: published
CVE: TBA
CVE URL: TBA


Introduction


"Papoo CMS is one of the best accessible CMS systems available on the
market. Furthermore, it can be handled easily in the backend as well as
designed very individually in the frontend. Besides being accessible,
our main characteristics are the high individuality regarding the layout
and ease of operation. Go and convince yourself on our reference page.
With Papoo you can create your web page easier, better, more optimized
for search engines and accessible. See here the most important
advantages of CMS Papoo at a glance."

(from the vendor's homepage)


More Details


The Papoo CMS implements a role-based authorization model in which groups
can be granted the right to upload GIF, JPG or PNG images to the CMS.
The default groups "Administratoren" (administrators), "Redakteure"
(editors) and "Chefredakteure" (chief editors) all have this right
enabled. Uploading PHP files via the "Dateien verwalten -> Dateien
hochladen" (manage files -> upload files) submenu is not allowed, as the
extension ".php" is forbidden there.

The "Bilder verwalten -> Bilder hochladen" (manage images -> upload
images) submenu does not check the images to be uploaded for their
extension, but only for a valid image header. It is therefore possible
to create an image with a valid header and the extension ".php" and
upload it to the CMS. Inside the image, arbitrary PHP code can be
embedded. When the image is requested by e.g. the browser, the web
server will execute the PHP code inside due to the image's ".php" file
extension.


Proof of Concept


The following command generates a file with a valid GIF header that runs
the phpinfo() function when requested:

$ printf "GIF89a\x01\x00\x01\x00<?php phpinfo(); ?>" > poc.php

Upload the file with the "Bilder verwalten -> Bilder hochladen" submenu.
It is not necessary to complete the second upload dialog where you can
enter additional information about the image, as it will already be
available at the URL

http://www.example.com/images/10_poc.php
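
The header-only check the advisory describes, next to a corrected one, as an added example in Python rather than the CMS's PHP. It is not Papoo's code and not the vendor's patch; the magic-byte table, the scan for a PHP open tag and the random stored name are my choices. It runs the advisory's PoC bytes through both checks.

```python
import os
import re
import secrets
from typing import Optional

# Constructed sample: the advisory's PoC, a minimal GIF header with PHP appended.
POC_BYTES = b"GIF89a\x01\x00\x01\x00<?php phpinfo(); ?>"

# Magic bytes per allowed image type; "jpeg" is folded into "jpg" below.
MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
}
ALLOWED_EXT = {"gif", "jpg", "jpeg", "png"}


def image_type_from_header(data: bytes) -> Optional[str]:
    """Return 'gif', 'jpg' or 'png' if the data starts with that type's magic, else None."""
    for kind, magics in MAGIC.items():
        if any(data.startswith(m) for m in magics):
            return kind
    return None


def vulnerable_accepts(filename: str, data: bytes) -> bool:
    """The check the advisory describes: header only, the extension is never consulted."""
    return image_type_from_header(data) is not None


def hardened_accepts(filename: str, data: bytes) -> bool:
    """Allowlisted single extension, header agreeing with it, and no PHP open tag."""
    name = os.path.basename(filename).lower()
    stem, dot, ext = name.rpartition(".")
    # exactly one dot, a plain stem and an allowlisted extension
    if not dot or "." in stem or not re.fullmatch(r"[a-z0-9_-]+", stem):
        return False
    if ext not in ALLOWED_EXT:
        return False
    ext = "jpg" if ext == "jpeg" else ext
    # the header must agree with the claimed type
    if image_type_from_header(data) != ext:
        return False
    # an image body should never carry a PHP open tag (GIF comment blocks are the
    # classic hiding place); re-encoding the image server-side is the stronger cure
    if b"<?" in data:
        return False
    return True


def stored_filename(filename: str) -> Optional[str]:
    """Discard the client-supplied name; keep only the (already validated) extension."""
    ext = os.path.basename(filename).lower().rpartition(".")[2]
    ext = "jpg" if ext == "jpeg" else ext
    if ext not in MAGIC:
        return None
    return f"{secrets.token_hex(8)}.{ext}"
```

The extension allowlist alone closes the path reported here; the header match and the scan for `<?` are defence in depth, and re-encoding every upload through an image library removes attacker-controlled bytes such as GIF comment blocks altogether. Disabling the PHP engine for the upload directory, as in the workaround below, means a missed case is still served as an inert file.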


Workaround
==

A possible workaround is to disable the PHP Engine for the directory
that images are uploaded to. Note that there is a valid PHP script
_spamcode_image.php within that directory which might be required by the
CMS to operate correctly.


Fix
===

The vendor released a patched version of 'image_core_class.php' that
must replace the file 'lib/classes/image_core_class.php' in existing
Papoo installations [0].
NOTE: The archive containing the current version 3.7.3 of Papoo does
NOT contain a fix. Users downloading the latest version of Papoo MUST
apply the fix after installation.

Security Risk
=

It is common for Content Management Systems like Papoo to have users
with restricted access to the application, e.g. editors who can edit or
create pages on a certain level. Those users normally do not have any
system rights on the web server. This vulnerability enables them to
execute arbitrary PHP code with the runtime permissions of the web
server hosting the CMS. It is deemed a medium risk, as the user has to
be authenticated to the CMS and has to have the "upload images"
privilege.


History
===

2009-05-15 Vulnerability identified during a penetration test
2009-05-20 Client notified
2009-06-05 CVE number requested
2009-06-05 Vendor notified
2009-06-30 Vendor releases patch[0]

References
==

[0] http://www.papoo.de/cms-news-und-infos/security/papoo-sicherheitsmeldung-07-2009.html

RedTeam Pentesting GmbH
===

RedTeam Pentesting is offering individual penetration tests, short
pentests, performed by a team of specialised IT-security experts.
Hereby, security weaknesses in company networks or products are
uncovered and can be fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security related areas. The results are made available as public
security advis

[Full-disclosure] List Charter

2009-08-10 Thread John Cartwright
[Full-Disclosure] Mailing List Charter
John Cartwright 
 

- Introduction & Purpose -

This document serves as a charter for the [Full-Disclosure] mailing 
list hosted at lists.grok.org.uk.

The list was created on 9th July 2002 by Len Rose, and is primarily 
concerned with security issues and their discussion.  The list is 
administered by John Cartwright.

The Full-Disclosure list is hosted and sponsored by Secunia.


- Subscription Information -

Subscription/unsubscription may be performed via the HTTP interface 
located at http://lists.grok.org.uk/mailman/listinfo/full-disclosure.

Alternatively, commands may be emailed to 
full-disclosure-requ...@lists.grok.org.uk, send the word 'help' in 
either the message subject or body for details.

 
- Moderation & Management -

The [Full-Disclosure] list is unmoderated. Typically posting will be
restricted to members only, however the administrators may choose to 
accept submissions from non-members based on individual merit and 
relevance.

It is expected that the list will be largely self-policing, however in
special circumstances (e.g. spamming, misappropriation) offending 
members may be removed from the list by the management.

An archive of postings is available at 
http://lists.grok.org.uk/pipermail/full-disclosure/.
 

- Acceptable Content -

Any information pertaining to vulnerabilities is acceptable, for 
instance announcement and discussion thereof, exploit techniques and 
code, related tools and papers, and other useful information.

Gratuitous advertisement, product placement, or self-promotion is 
forbidden.  Disagreements, flames, arguments, and off-topic discussion 
should be taken off-list wherever possible.

Humour is acceptable in moderation, providing it is inoffensive. 
Politics should be avoided at all costs.

Members are reminded that due to the open nature of the list, they 
should use discretion in executing any tools or code distributed via
this list.
 

- Posting Guidelines -

The primary language of this list is English. Members are expected to 
maintain a reasonable standard of netiquette when posting to the list. 

Quoting should not exceed that which is necessary to convey context, 
this is especially relevant to members subscribed to the digested 
version of the list.

The use of HTML is discouraged, but not forbidden. Signatures will 
preferably be short and to the point, and those containing 
'disclaimers' should be avoided where possible.

Attachments may be included if relevant or necessary (e.g. PGP or 
S/MIME signatures, proof-of-concept code, etc) but must not be active 
(in the case of a worm, for example) or malicious to the recipient.

Vacation messages should be carefully configured to avoid replying to 
list postings. Offenders will be excluded from the mailing list until 
the problem is corrected.

Members may post to the list by emailing 
full-disclos...@lists.grok.org.uk. Do not send subscription/
unsubscription mails to this address, use the -request address 
mentioned above.


- Charter Additions/Changes -

The list charter will be published at 
http://lists.grok.org.uk/full-disclosure-charter.html.

In addition, the charter will be posted monthly to the list by the 
management.

Alterations will be made after consultation with list members and once 
a consensus has been reached.



[Full-disclosure] Hindustan Times epaper Server Hacked

2009-08-10 Thread Sky
Hindustan Times epaper Server Hacked
http://sky.net.in/hindustan-times-epaper-server-hacked/

Hindustan Times (HT) is India's leading newspaper, published since 1924 with
roots in the independence movement. In 2008, the newspaper reported a
circulation of over 1.14 million, ranking it as the third-largest
circulating daily English newspaper in India. The Mumbai edition was
launched on 14 July 2005. HT has a readership of 6.6 million, ranking it
as the second most widely read English newspaper after the Times of India.
(Source: Wikipedia article on Hindustan Times) -
http://en.wikipedia.org/wiki/Hindustan_Times

HindustanTimes + Hindustan epaper Server Hacked
http://lh4.ggpht.com/_gbWPSul_tCM/Sn5UNhLLVYI/ASM/JY9bc67HV14/s800/hindustan_times_hacked.jpg

Why was Hindustan Times (HT) epaper Server Hacked ?

Many people think that Hindustan Times (HT) (English Edition) + Hindustan
(Hindi Edition) is available on the internet free of cost. HT Media has made
it compulsory to register on their website in order to read the daily online
edition of their published newspapers; on completion of registration HT
Media provides you instant access to read the daily edition. The CATCH is
that you can only read the daily edition + the past seven days' editions
(from the current date) as a free user, whereas if you want to read any
edition beyond seven days, you will have to pay a huge (rip off) amount to
HT Media (in the name of a digital archive subscription).


Registration Information Collected by HindustanTimes
http://lh6.ggpht.com/_gbWPSul_tCM/Sn5WIrsZxcI/ASs/Lc6NaQzxEfk/s800/HT_registration.jpg

Free HindustanTimes Editions
http://lh6.ggpht.com/_gbWPSul_tCM/Sn5UN35Yx5I/ASU/6THfLaMu00M/s800/HT_free_editions.jpg

Restricted Access to HindustanTimes epaper Archives
http://lh4.ggpht.com/_gbWPSul_tCM/Sn5UN5umsJI/ASY/5_SfNzOEm7w/s800/HT_newspaper_subscribe.jpg

Archive Subscription Charges for HindustanTimes is a total Rip Off
http://lh4.ggpht.com/_gbWPSul_tCM/Sn5ViIwx2aI/ASo/6TMgKDuc6Vg/s800/HT_archive_charges.jpg


As a hacker, I think it's not fair (for anyone) to loot common people and
sell (publicly gained) information in such a way, so I decided to peek
inside the server and find some bugs / architectural flaws which would allow
me to access past newspaper (Images / PDF) editions for free.

Within a couple of hours, I managed to find some bugs / architectural flaws
(& vulnerabilities) which gave out free access to the past (Images / PDF)
newspaper editions.

Calvin and Hobbes publishing error

I used to search the newspaper (HT hard copy) every morning for technology
related news (hoping some Indian journalist must have written some piece);
that went on for weeks, and then I started reading Calvin and Hobbes
(the comic strip) published every day in HT Cafe.

On 2nd / 4th / 9th June, Hindustan Times (HT) published the same Calvin and
Hobbes strip. How should I react to this publishing error by Hindustan
Times? As a fan of Calvin and Hobbes, I expect a new comic strip every day.

Check out the exact same Calvin and Hobbes strip published thrice on various
days in the single month of June (2009):

2nd June

http://epaper.hindustantimes.com/Web/HTMumbai/Article/2009/06/02/538/02_06_2009_538_013.jpg

9th June

http://epaper.hindustantimes.com/Web/HTMumbai/Article/2009/06/09/538/09_06_2009_538_002.jpg

4th June

http://epaper.hindustantimes.com/Web/HTMumbai/Article/2009/06/04/538/04_06_2009_538_006.jpg

Informing the privileged authorities

On 10th July 2009, I informed the editor and other top authorities @
HindustanTimes via email regarding the serious bugs / flaws (&
vulnerabilities) on their ePaper Server which can be exploited to compromise
data and cause financial losses for HT Media.

My email to HindustanTimes
http://lh5.ggpht.com/_gbWPSul_tCM/Sn5WJt3UKGI/AS0/KOnhjTtBNnk/s800/my_email_hindustan_times.jpg

Rashmi Chugh's reply to me
http://lh4.ggpht.com/_gbWPSul_tCM/Sn5W9mSD0pI/ATI/O5hazb5IIY4/s800/rashmi_livemint_reply.jpg

Although I received a reply from Rashmi Chugh (Business Head and Publisher,
LIVEMINT) within 3 minutes, I waited for 24 hours to receive the other
recipients' replies (as I wanted to know what they thought about the issue),
but sadly no one replied except Rashmi Chugh, so I sent her a reply the
other day.

My reply to Rashmi Chugh, LIVEMINT
http://lh3.ggpht.com/_gbWPSul_tCM/Sn5WNEiwmRI/AS8/F4K3XhMWLyc/s800/my_reply_rashmi_chugh.jpg

After sending my reply to Rashmi Chugh, I haven't received any responses
(in 29 days) from any of the authorities / employees working for
HindustanTimes.

I have been using these architectural flaws for some time to gain access to
past editions of newspapers / magazines / supplements published by HT Media;
I believe information taken from the people (especially newspapers) should
be free and accessible to everyone.

The bugs / architectural flaws (& vulnerabilities) found by me still exist
and wor

[Full-disclosure] [SECURITY] [DSA 1857-1] New camlimages packages fix arbitrary code execution

2009-08-10 Thread Steffen Joeris
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

------------------------------------------------------------------------
Debian Security Advisory DSA-1857-1  secur...@debian.org
http://www.debian.org/security/  Steffen Joeris
August 10, 2009   http://www.debian.org/security/faq
------------------------------------------------------------------------

Package: camlimages
Vulnerability  : integer overflow
Problem type   : local (remote)
Debian-specific: no
CVE Ids: CVE-2009-2660
Debian Bug : 540146

Tielei Wang discovered that CamlImages, an open source image processing
library, suffers from several integer overflows which may lead to a
potentially exploitable heap overflow and result in arbitrary code
execution. This advisory addresses issues with the reading of JPEG and
GIF Images, while DSA 1832-1 addressed the issue with PNG images.

For the oldstable distribution (etch), this problem has been fixed in
version 2.20-8+etch2.

For the stable distribution (lenny), this problem has been fixed in
version 1:2.2.0-4+lenny2.

For the unstable distribution (sid), this problem has been fixed in
version 1:3.0.1-3.


We recommend that you upgrade your camlimages package.


Upgrade instructions
--------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
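
Between the "wget url" and "dpkg -i file.deb" steps above, a downloader would compare the fetched file against the Size/MD5 checksum lines of the listing. The following is an added example, not Debian's own tooling: it parses lines in that layout and checks a file against them. The listing excerpt and the file bytes in it are constructed so the example runs offline; the size and digest shown belong to the sample bytes, not to any real package.

```python
import hashlib
import re
from typing import Dict, Tuple

# Constructed excerpt in the layout of the listings on this page: an indented URL
# line followed by a "Size/MD5 checksum:" line.  The size and digest belong to the
# constructed SAMPLE_FILE bytes below, not to any real Debian package.
SAMPLE_LISTING = """
  http://security.debian.org/pool/updates/main/c/camlimages/example_2.20-8+etch2_i386.deb
Size/MD5 checksum:       11 5eb63bbbe01eeed093cb22bb8f5acdc3
"""
SAMPLE_FILE = b"hello world"

LINE_RE = re.compile(r"Size/MD5 checksum:\s*(\d+)\s+([0-9a-f]{32})$")


def parse_listing(text: str) -> Dict[str, Tuple[int, str]]:
    """Map each package URL to (size, md5); a checksum line binds to the URL just above it."""
    entries: Dict[str, Tuple[int, str]] = {}
    url = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(("http://", "https://")):
            url = line
            continue
        m = LINE_RE.match(line)
        if m and url:
            entries[url] = (int(m.group(1)), m.group(2))
            url = None
    return entries


def verify_download(data: bytes, expected_size: int, expected_md5: str) -> bool:
    """Size first (cheap, catches truncation), then the digest taken from the signed advisory."""
    if len(data) != expected_size:
        return False
    return hashlib.md5(data).hexdigest() == expected_md5.lower()


def check_against_listing(listing: str, url: str, data: bytes) -> bool:
    """True only if the URL is in the listing and the bytes match its size and MD5."""
    entry = parse_listing(listing).get(url)
    return entry is not None and verify_download(data, *entry)
```

The MD5 value guards against a truncated or corrupted download, not against a hostile mirror: MD5 collisions were already practical in 2009, so authenticity rests on the PGP signature over this advisory and on apt's signed Release files, and the expected digest must be read from the signed text rather than from whatever the mirror serves.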


Debian GNU/Linux 4.0 alias etch
-------------------------------

Debian (oldstable)
------------------

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, 
mipsel, powerpc, s390 and sparc.

Source archives:

  
http://security.debian.org/pool/updates/main/c/camlimages/camlimages_2.20-8+etch2.diff.gz
Size/MD5 checksum: 9346 cf4767d4ac5521e64b409605f3803506
  
http://security.debian.org/pool/updates/main/c/camlimages/camlimages_2.20.orig.tar.gz
Size/MD5 checksum:  1385525 d933eb58c7983f70b1a000fa01893aa4
  
http://security.debian.org/pool/updates/main/c/camlimages/camlimages_2.20-8+etch2.dsc
Size/MD5 checksum:  904 9dc39921e9569777eeb24c38b0ba0fae

Architecture independent packages:

  
http://security.debian.org/pool/updates/main/c/camlimages/libcamlimages-ocaml-doc_2.20-8+etch2_all.deb
Size/MD5 checksum:   600500 16d54539aab49f9f6c7cc5a8fe7bbf92

alpha architecture (DEC Alpha)

  
http://security.debian.org/pool/updates/main/c/camlimages/libcamlimages-ocaml-dev_2.20-8+etch2_alpha.deb
Size/MD5 checksum:  1024080 5bb5670e039095dd74fc09831faacb25
  
http://security.debian.org/pool/updates/main/c/camlimages/libcamlimages-ocaml_2.20-8+etch2_alpha.deb
Size/MD5 checksum:29454 c48de53b96d1358e56a1b9f1b0795527

amd64 architecture (AMD x86_64 (AMD64))

  
http://security.debian.org/pool/updates/main/c/camlimages/libcamlimages-ocaml-dev_2.20-8+etch2_amd64.deb
Size/MD5 checksum:   820030 668fab0f7d5416229ec40bcbb508db82
  
http://security.debian.org/pool/updates/main/c/camlimages/libcamlimages-ocaml_2.20-8+etch2_amd64.deb
Size/MD5 checksum:27888 d54c0e9a04629c4226b61a9b49f538e3

arm architecture (ARM)

  
http://security.debian.org/pool/updates/main/c/camlimages/libcamlimages-ocaml-dev_2.20-8+etch2_arm.deb
Size/MD5 checksum:   879818 60f8dc22fb087ee654ff9375ac38359f
  
http://security.debian.org/pool/updates/main/c/camlimages/libcamlimages-ocaml_2.20-8+etch2_arm.deb
Size/MD5 checksum:26028 3b3bf2cdf56485a29b871274519b6bc6

hppa architecture (HP PA RISC)

  
http://security.debian.org/pool/updates/main/c/camlimages/libcamlimages-ocaml-dev_2.20-8+etch2_hppa.deb
Size/MD5 checksum:   482842 d5573f24528c510df3144e0096e1a7f1
  
http://security.debian.org/pool/updates/main/c/camlimages/libcamlimages-ocaml_2.20-8+etch2_hppa.deb
Size/MD5 checksum:30270 530aca3cc44c9b4d1afedc89dbb19722

i386 architecture (Intel ia32)

  
http://security.debian.org/pool/updates/main/c/camlimages/libcamlimages-ocaml_2.20-8+etch2_i386.deb
Size/MD5 checksum:24594 2a25218e9ad03594f8c22f884e850cff
  
http://security.debian.org/pool/updates/main/c/camlimages/libcamlimages-ocaml-dev_2.20-8+etch2_i386.deb
Size/MD5 checksum:   845868 a4abd61aa97cfb9996e0641c9ed9f378

ia64 architecture (Intel ia64)

  
http://security.debian.org/pool/updates/main/c/camlimages/libcamlimages-ocaml-dev_2.20-8+etch2_ia64.deb
Size/MD5 checksum:  1101544 a4c3c311105476617a51f6067d91f015
  
http://security.debian.org/pool/updates/main/c/camlimages/libcamlimages-ocaml_2.20-8+etch2_ia64.deb
Size/MD5 checksum:36510 368745aec6d1ea85becb03c0b8028fed

mips architecture (MIPS (Big Endian))

  
http://security.debian.org/pool/updates/main/c/camlimages/libcamlimages-ocaml-de

[Full-disclosure] [SECURITY] [DSA 1843-2] New squid3 packages fix regression

2009-08-10 Thread Nico Golde
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

------------------------------------------------------------------------
Debian Security Advisory DSA-1843-2secur...@debian.org
http://www.debian.org/security/ Nico Golde
August 9th, 2009http://www.debian.org/security/faq
------------------------------------------------------------------------

Package: squid3
Vulnerability  : several
Problem type   : remote
Debian-specific: no
Debian bug : 538989 539160
CVE ID : CVE-2009-2622 CVE-2009-2621

It was discovered that squid3, a high-performance proxy caching server for
web clients, is prone to several denial of service attacks.  Due to incorrect
bounds checking and insufficient validation while processing response and
request data an attacker is able to crash the squid daemon via crafted
requests or responses.

This update to DSA-1843-1 includes updated upstream patches which add
checks for a corner-case in which an incomplete server reply could
also lead to denial of service conditions as well as more debugging
information.


The squid package in the oldstable distribution (etch) is not affected
by this problem.

For the stable distribution (lenny), this problem has been fixed in
version 3.0.STABLE8-3+lenny2.

For the testing distribution (squeeze), this problem will be fixed soon.

For the unstable distribution (sid), this problem has been fixed in
version 3.0.STABLE18-1.


We recommend that you upgrade your squid3 packages.

Upgrade instructions
--------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 5.0 alias lenny
--------------------------------

Debian (stable)
---------------

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, 
mips, mipsel, powerpc, s390 and sparc.

Source archives:

  http://security.debian.org/pool/updates/main/s/squid3/squid3_3.0.STABLE8-3+lenny2.dsc
    Size/MD5 checksum:     1192 1a0d6fa94108898e0d78fd00af611dc4
  http://security.debian.org/pool/updates/main/s/squid3/squid3_3.0.STABLE8-3+lenny2.diff.gz
    Size/MD5 checksum:    18624 ac282d110feadde32a05f4ee0ea96e8a
  http://security.debian.org/pool/updates/main/s/squid3/squid3_3.0.STABLE8.orig.tar.gz
    Size/MD5 checksum:  2443502 b5d26e1b7e2285bb60cf4de249113722

Architecture independent packages:

  http://security.debian.org/pool/updates/main/s/squid3/squid3-common_3.0.STABLE8-3+lenny2_all.deb
    Size/MD5 checksum:   290864 58ffbf9df9c4c90707f9031cd1194059

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/s/squid3/squid3-cgi_3.0.STABLE8-3+lenny2_alpha.deb
    Size/MD5 checksum:    95144 fa22722d6499371e914af639a5ef041d
  http://security.debian.org/pool/updates/main/s/squid3/squid3_3.0.STABLE8-3+lenny2_alpha.deb
    Size/MD5 checksum:  1122586 17f6c191d7ebb12d6eb7a27a3bef0cc5
  http://security.debian.org/pool/updates/main/s/squid3/squidclient_3.0.STABLE8-3+lenny2_alpha.deb
    Size/MD5 checksum:    91062 3b536f163a373c08c45963a2e1ea5751

amd64 architecture (AMD x86_64 (AMD64))

  http://security.debian.org/pool/updates/main/s/squid3/squidclient_3.0.STABLE8-3+lenny2_amd64.deb
    Size/MD5 checksum:    89428 cfc741b9c909ac3ca52c45332a52b171
  http://security.debian.org/pool/updates/main/s/squid3/squid3-cgi_3.0.STABLE8-3+lenny2_amd64.deb
    Size/MD5 checksum:    93284 ffec76669d80bbf27ec7096d6e532752
  http://security.debian.org/pool/updates/main/s/squid3/squid3_3.0.STABLE8-3+lenny2_amd64.deb
    Size/MD5 checksum:  1009250 456e18389d77b37765bde033ec1651bf

arm architecture (ARM)

  http://security.debian.org/pool/updates/main/s/squid3/squidclient_3.0.STABLE8-3+lenny2_arm.deb
    Size/MD5 checksum:    87118 f4412295ef8b48c09f990f3632bcc1ff
  http://security.debian.org/pool/updates/main/s/squid3/squid3_3.0.STABLE8-3+lenny2_arm.deb
    Size/MD5 checksum:   979882 b1f56559b2b8a44a4b37c26493237012
  http://security.debian.org/pool/updates/main/s/squid3/squid3-cgi_3.0.STABLE8-3+lenny2_arm.deb
    Size/MD5 checksum:    90266 ab170298e4ade0f2ac10b6d32edf3dbf

armel architecture (ARM EABI)

  http://security.debian.org/pool/updates/main/s/squid3/squidclient_3.0.STABLE8-3+lenny2_armel.deb
    Size/MD5 checksum:    87560 272f7ba7bedd16a9a9fd334a2f66e198
  http://security.debian.org/pool/updates/main/s/squid3/squid3_3.0.STABLE8-3+lenny2_armel.deb
    Size/MD5 checksum:   933610 3a60d893b5cd61279ac87d25a26012cc
  http://security.debian.org/pool/updates/main/s/squid3/squid3-cgi_3.0.STABLE8-3+lenny2_armel.deb
    Size/MD5 checksum:    91538 75677210145d36bad8ac0cdd2165f8a3

h
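As an added example, not part of the Debian advisory: the manual "wget url / dpkg -i file.deb" route above installs whatever was downloaded, so a practitioner would first compare the file against the Size/MD5 line the advisory prints for it. The script below does that and refuses to run dpkg -i on a mismatch. The fetch_verify_install wrapper, its use of wget, and the md5sum/openssl fallback are this example's own choices; the sample values in the trailing comment are the advisory's amd64 squid3 entry.

```shell
#!/bin/sh
# Added example (not from the advisory): gate "dpkg -i" on the Size/MD5
# values the advisory publishes for each file.

# Print the MD5 hex digest of a file, using md5sum or openssl, whichever exists.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    else
        openssl dgst -md5 "$1" | awk '{print $NF}'
    fi
}

# Print the size of a file in bytes (tr strips BSD wc's leading spaces).
size_of() {
    wc -c < "$1" | tr -d ' '
}

# Return 0 only if both size and MD5 match the advisory's values.
# MD5 is weak against deliberate collisions; here it is a transfer-integrity
# check of a value published in the signed advisory, not a signature substitute.
verify_deb() {
    file=$1 want_size=$2 want_md5=$3
    [ -f "$file" ] || { echo "$file: missing"; return 1; }
    got_size=$(size_of "$file")
    got_md5=$(md5_of "$file")
    if [ "$got_size" != "$want_size" ]; then
        echo "$file: size $got_size, advisory says $want_size"
        return 1
    fi
    if [ "$got_md5" != "$want_md5" ]; then
        echo "$file: md5 $got_md5, advisory says $want_md5"
        return 1
    fi
    echo "$file: size and MD5 match"
    return 0
}

# Fetch, verify, install. dpkg -i runs only when verify_deb succeeds.
# Usage (as root): fetch_verify_install URL SIZE MD5
fetch_verify_install() {
    url=$1
    f=$(basename "$url")
    wget -q -O "$f" "$url" || { echo "download of $url failed"; return 1; }
    verify_deb "$f" "$2" "$3" || return 1
    dpkg -i "$f"
}

# Example invocation with the advisory's amd64 squid3 entry:
# fetch_verify_install \
#   http://security.debian.org/pool/updates/main/s/squid3/squid3_3.0.STABLE8-3+lenny2_amd64.deb \
#   1009250 456e18389d77b37765bde033ec1651bf
```

The apt-get route does not need this step: apt checks each package against the archive's signed Release file. The manual check matters only when a .deb is fetched and installed by hand.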

[Full-disclosure] [SECURITY] [DSA 1856-1] New mantis packages fix information leak

2009-08-10 Thread Thijs Kinkhorst
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1856-1  secur...@debian.org
http://www.debian.org/security/  Thijs Kinkhorst
August 08, 2009   http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package: mantis
Vulnerability  : information leak
Problem type   : local
Debian-specific: yes
Debian Bug : 425010

It was discovered that the Debian Mantis package, a web based bug
tracking system, installed the database credentials in a file with
world-readable permissions onto the local filesystem. This allows
local users to acquire the credentials used to control the Mantis
database.

This updated package corrects this problem for new installations and
will carefully try to update existing ones. Administrators can check
the permissions of the file /etc/mantis/config_db.php to see if they
are safe for their environment.

The old stable distribution (etch) does not contain a mantis package.

For the stable distribution (lenny), this problem has been fixed in
version 1.1.6+dfsg-2lenny1.

For the unstable distribution (sid), this problem has been fixed in
version 1.1.8+dfsg-2.

We recommend that you upgrade your mantis package.

Upgrade instructions
- --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 5.0 alias lenny
- --------------------------------

Source archives:

  http://security.debian.org/pool/updates/main/m/mantis/mantis_1.1.6+dfsg.orig.tar.gz
    Size/MD5 checksum:  2044082 429853b8caacc9e713b686524524418a
  http://security.debian.org/pool/updates/main/m/mantis/mantis_1.1.6+dfsg-2lenny1.dsc
    Size/MD5 checksum:     1208 f77403f035efa94936500520fe273692
  http://security.debian.org/pool/updates/main/m/mantis/mantis_1.1.6+dfsg-2lenny1.diff.gz
    Size/MD5 checksum:    45118 68a32687bce135f3032a184c8ebf788f

Architecture independent packages:

  http://security.debian.org/pool/updates/main/m/mantis/mantis_1.1.6+dfsg-2lenny1_all.deb
    Size/MD5 checksum:  1744390 7a7ff3cd017be50fa3ba162ac82eb3de


  These files will probably be moved into the stable distribution on
  its next update.

- ------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security 
dists/stable/updates/main
Mailing list: debian-security-annou...@lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (GNU/Linux)

iQEcBAEBAgAGBQJKfdLzAAoJECIIoQCMVaAcuW8H/0gkWBpp7yRHdDUF2uOBOqfN
migiA/tD6YKolGTPEvQ4rg3X9OehfMV8a8Jy/vtLkeNep2xHGSreinPf2nCclpI9
JOhGso4sW1VCLb1gPc0vvXW/bQ5CQVJKan2dxG4VAHi42R/t1Y0b8NzqSY0acoYF
9CD6edqlE0Xk/RABxjL0vrmox+n/3VPRHYdlu1eMdBgWPagjxvnA1RLEiAH/27w3
Ggu22Jh2WqEiftiVeUUSdGAt95/NJCDTmRTFXsNB+9pp1nk919Ys/g52F6yHCWxa
dnkYGJuDQQ6VMtEYRYYXgBD9tStSvI7/KNdpdKkJzcEWKLrwgUSgjSR9MIlZPBM=
=0ST9
-END PGP SIGNATURE-

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
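As an added example that is not part of DSA-1856-1: a shell check for the condition the advisory describes, a credentials file readable by every local user, run against /etc/mantis/config_db.php or any other path given on the command line. The repair step (owner root, group www-data, mode 0640) is this example's assumption based on Debian's Apache default group, not a setting the advisory prescribes; adjust the group to whatever account serves Mantis on the host.

```shell
#!/bin/sh
# Added example (not from the advisory): report whether a file that holds
# credentials is readable by "others", and with FIX=1 tighten it.
# Assumption: the web server runs as group www-data and needs read access,
# so the target is root:www-data 0640.

# Print the octal permission bits of a file (e.g. 644): GNU stat first,
# BSD stat as fallback.
perm_of() {
    if stat -c '%a' "$1" >/dev/null 2>&1; then
        stat -c '%a' "$1"
    else
        stat -f '%OLp' "$1"
    fi
}

# Return 0 if the "other" class (last octal digit) has no bits set.
# Any non-zero last digit means users outside owner/group can touch the file.
others_have_no_access() {
    p=$(perm_of "$1") || return 1
    case "$p" in
        *0) return 0 ;;
        *)  return 1 ;;
    esac
}

# Report on one file. Returns 0 when safe, 1 when exposed, 2 when absent.
check_credentials_file() {
    f=$1
    if [ ! -e "$f" ]; then
        echo "$f: not present (package not installed?)"
        return 2
    fi
    if others_have_no_access "$f"; then
        echo "$f: mode $(perm_of "$f"), not world-readable"
        return 0
    fi
    echo "$f: mode $(perm_of "$f"), WORLD-READABLE: credentials exposed to local users"
    if [ "${FIX:-0}" = 1 ]; then
        chown root:www-data "$f" && chmod 0640 "$f" \
            && echo "$f: changed to root:www-data 0640"
    fi
    return 1
}

# Usage (as root):  sh check_perms.sh /etc/mantis/config_db.php
#                   FIX=1 sh check_perms.sh /etc/mantis/config_db.php
for f in "$@"; do
    check_credentials_file "$f"
done
```

The check looks only at the "other" bits, which is what the advisory's "world-readable" means; a file in a group that includes untrusted accounts would still pass, so confirm the group as well on multi-user hosts.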


[Full-disclosure] ZDI-09-052: CA Unicenter Software Delivery dtscore.dll Stack Overflow Vulnerability

2009-08-10 Thread Yanez, Ryan
