Re: [Full-disclosure] Filezilla's silent caching of user's credentials
Hi Ryan,

No inline comments. Sorry (I wanted to reorder topics).

> I just wanted to gauge the FD community on this issue, because with enough backing and explanation from the security community as to why this is a problem, this issue may finally be resolved (it's been doing this for years now)

This is an alarming trend in open source software, and diametrically opposed to the claims of "more eyes equates to more secure", "open source software is more secure", and "open source software fixes bugs faster than other software models". It also blows away the theory of Darwinian Software Evolution: good, robust, secure software thrives and lesser software dies. Filezilla and the Python example below are proofs by counter example. It appears the model in use is greatly influenced by popularity, which makes it more appropriate for politicians (who tend to lie for a living) ;)

> I do not see any harm in storing credentials as long as the rest of your system is properly secure as it should be.
> Source:(http://forum.filezilla-project.org/viewtopic.php?f=3t=17932)

That should earn the project a Pwnie Award nomination for lamest vendor response (http://pwnies.com/).

> To me this is not only concerning, but also completely un-acceptable.

Agreed. Other recent similar examples of this sort of response by open source projects include "Python ssl handling could be better...", where the Python Standard Library did not (still does not?) verify the hostname in the certificate with CN or SubAlt name (http://seclists.org/fulldisclosure/2010/Sep/381). The python bug was filed in 2007 (http://bugs.python.org/issue1589).

Jeff

On Thu, Oct 7, 2010 at 11:10 PM, Ryan Sears rdse...@mtu.edu wrote:
> Hi all,
>
> As some of you may or may not be aware, the popular (and IMHO one of the best) FTP/SCP program Filezilla caches your credentials for every host you connect to, without either warning or ability to change this without editing an XML file. There have been quite a few bug and feature requests filed, and they all get closed or rejected within a week or so. I also posted something in the developer forum inquiring about this, and received this response:
>
> "I do not see any harm in storing credentials as long as the rest of your system is properly secure as it should be."
> Source:(http://forum.filezilla-project.org/viewtopic.php?f=3t=17932)
>
> To me this is not only concerning, but also completely un-acceptable. The passwords all get stored in PLAIN TEXT within your %appdata% directory in an XML file. This is particularly dangerous in multi-user environments with local profiles, because as we all know physical access to a computer means it's elementary at best to acquire information off it. Permissions only work if your operating system chooses to respect them, not to mention how simple it is *even today* to maliciously get around windows networks using pass-the-hash along with network token manipulation techniques.
>
> There has even been a bug filed that draws out great ways to pseudo-mitigate this using built-in windows API calls, but it doesn't seem to really be going anywhere. This really concerns me because a number of my coworkers and friends were un-aware of this behavior, and I didn't even know about it until I'd been using it for a year or so. All I really want to see is at the very least just some warning that Filezilla does this.
>
> Filezilla bug report:(http://trac.filezilla-project.org/ticket/5530)
>
> My feelings have been said a lot more eloquently than I could ever hope to in that bug report:
>
> "Whoever keeps closing this issue and/or dismissing its importance understands neither security nor logical argument. I apologize for the slam, but it is undeniably true. Making the same mistake over and over does not make it any less of a mistake. The fact that a critical deficiency has existed for years does not make it any less critical a deficiency. Similarly, the fact that there are others (pidgin) who indulge in the same faulty reasoning does not make the reasoning any more sound."
> ~btrower
>
> While it's true you can mitigate this behavior, why should it even be enabled by default? The total lapse in security for such a feature-rich, robust piece of software is quite disturbing, and I don't understand how the developers don't think this is an issue.
>
> I just wanted to gauge the FD community on this issue, because with enough backing and explanation from the security community as to why this is a problem, this issue may finally be resolved (it's been doing this for years now).
>
> Regards,
> Ryan Sears

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
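The storage described in this thread can be checked for on your own profile. The following is an added example, not code from the thread or from the FileZilla project: it reports which saved server entries carry a password and in what form, without ever returning the secret itself. The file names and the Server/Host/User/Pass element layout are assumptions based on FileZilla 3's XML files, and the sample document is constructed.

```python
import os
import stat
import xml.etree.ElementTree as ET

# Files in the FileZilla profile directory that can hold server entries
# (assumption for this example; adjust to the client version being audited).
CANDIDATE_FILES = ("sitemanager.xml", "recentservers.xml", "filezilla.xml")

# Constructed sample: one plaintext entry, one base64 entry, one without password.
SAMPLE_XML = """<FileZilla3>
  <Servers>
    <Server>
      <Host>ftp.example.org</Host><Port>21</Port>
      <User>alice</User><Pass>constructed-secret</Pass>
    </Server>
    <Server>
      <Host>sftp.example.net</Host><Port>22</Port>
      <User>bob</User><Pass encoding="base64">Y29uc3RydWN0ZWQ=</Pass>
    </Server>
    <Server>
      <Host>files.example.com</Host><Port>21</Port>
      <User>carol</User>
    </Server>
  </Servers>
</FileZilla3>
"""


def classify(pass_elem):
    """Describe how a <Pass> element stores the secret, without returning it."""
    if pass_elem is None or not (pass_elem.text or "").strip():
        return "not stored"
    encoding = pass_elem.get("encoding")
    if encoding is None:
        return "plaintext"
    if encoding.lower() == "base64":
        return "base64 (reversible encoding, not encryption)"
    return "encoded (%s)" % encoding


def audit_xml(xml_data):
    """Return one finding per <Server> entry found anywhere in the document."""
    root = ET.fromstring(xml_data)
    findings = []
    for server in root.iter("Server"):
        findings.append({
            "host": (server.findtext("Host") or "").strip(),
            "user": (server.findtext("User") or "").strip(),
            "storage": classify(server.find("Pass")),
        })
    return findings


def scan_dir(directory):
    """Audit every candidate file in a profile directory."""
    reports = []
    for name in CANDIDATE_FILES:
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as handle:
            findings = audit_xml(handle.read())
        mode = os.stat(path).st_mode
        reports.append({
            "file": path,
            # POSIX mode bits only; on Windows inspect the file's ACL instead.
            "readable_by_others": bool(mode & (stat.S_IRGRP | stat.S_IROTH)),
            "exposed": [f for f in findings if f["storage"] != "not stored"],
        })
    return reports


if __name__ == "__main__":
    for finding in audit_xml(SAMPLE_XML):
        print("%(user)s@%(host)s: %(storage)s" % finding)
```

Point `scan_dir` at the FileZilla directory under %appdata% (or the equivalent profile directory on other platforms) to audit a real profile.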
[Full-disclosure] MGCP - Crafting of Packets
Looking out for some crafting utility code/cli based utility. Which can help to customize the MGCP Request - Response packet.

--
Srinivas Naik
Re: [Full-disclosure] Filezilla's silent caching of user's credentials
Filezilla stores the credentials with no warning, default behavior. Filezilla does not have an option to disable this. Filezilla will clear private data, but forensics will of course find it. Yucky behavior. Bad developer.
Re: [Full-disclosure] MGCP - Crafting of Packets
On Fri, Oct 8, 2010 at 08:42, Srinivas Naik naik.sr...@gmail.com wrote:
> Looking out for some crafting utility code/cli based utility. Which can help to customize the MGCP Request - Response packet.

http://www.secdev.org/projects/scapy/ ?

Marek
Re: [Full-disclosure] Filezilla's silent caching of user's credentials
On Thu, Oct 7, 2010 at 11:10 PM, Ryan Sears rdse...@mtu.edu wrote:
> Hi all,
>
> As some of you may or may not be aware, the popular (and IMHO one of the best) FTP/SCP program Filezilla caches your credentials for every host you connect to, without either warning or ability to change this without editing an XML file. There have been quite a few bug and features requests filed, and they all get closed or rejected within a week or so. I also posted something in the developer forum inquiring about this, and received this response:
>
> "I do not see any harm in storing credentials as long as the rest of your system is properly secure as it should be."
> Source:(http://forum.filezilla-project.org/viewtopic.php?f=3t=17932)
>
> [SNIP]
>
> I just wanted to gauge the FD community on this issue, because with enough backing and explanation from the security community as to why this is a problem, this issue may finally be resolved (it's been doing this for years now).

Am I the only person who finds it ironic that the same measures leveraged against closed source projects have to be employed against some open source projects?

Jeff
[Full-disclosure] Barracuda Networks Spam Virus Firewall = 4.1.1.021 Remote Configuration Retrieval
I can't take the credit for this: http://www.exploit-db.com/exploits/15130/

The Barracuda Spam Virus Firewall is a hardware device designed to filter out spam from email. Basically a Linux (Mandrake) device running Postfix, Spamassassin, Clam-AV, Apache and AmavisNew. Configuration of the unit is by way of a GUI (Apache derived local website) listening on port 8000. If the owner has this open to the outside world, the unit is seriously at risk of remote exploit. If not, the exploit is usable locally only.

The exploit will allow the entire configuration to be viewed in plain text with no encryption. Potentially this is huge as the database contains usernames/passwords/back end server details/ldap active directory credentials to name but a few. Because it contains a number of MTAs it can be used as an SMTP proxy to send spam with one simple config change (which I won't detail). Given the purpose of the unit, this is somewhat ironic.

This may have been fixed in newer firmwares, but there are a ton of these units out there without the ability to update because of lapsed subscriptions and Barracuda's unwillingness to allow second hand units to be upgraded.
[Full-disclosure] [Tool Update Announcement] inspathx - Path Disclosure Finder
UPDATE

Check it out at

svn checkout http://inspathx.googlecode.com/svn/trunk/ inspathx-read-only

For those who don't know inspathx: https://code.google.com/p/inspathx/

WHAT

A tool that uses local source tree to make requests to the url and search for path inclusion error messages. It's ever a common problem in PHP web applications that we're hating to see for ever. We hope this tool triggers no path disclosure flaws any more.

See our article about path disclosure: http://yehg.net/lab/pr0js/view.php/path_disclosure_vulnerability.txt

WHY

Web application developers sometimes fail to add safe checks against authentications, file inclusion, etc., and are prone to reveal possible sensitive information when those applications' URLs are directly requested. Sometimes, it's a clue to File Inclusion vulnerability. For open-source applications, source code can be downloaded and checked to find such information.

This script will do this job.

1. First you have to download source archived file of your desired OSS.
2. Second, extract it.
3. Third, feed its path to inspath

The inspath takes

* -d or --dir argument as source directory (of application)
* -u or --url argument as the target base URL (like http://victim.com)
* -t or --threads argument as the number of threads concurrently to run (default is 10)
* -l argument as your desired language php,asp,aspx,jsp,all? (default is all)
* -x argument as your desired extensions separated with | character (default : php4|php5|php6|php|asp|aspx|jsp|jspx) - make sure to enclose multiple extensions with double quotes - See Examples

Read the related text: http://yehg.net/lab/pr0js/view.php/path_disclosure_vulnerability.txt

Similar terms: Full Path Disclosure, Internal Path Leakage

SUPPORTED LANGUAGES

* PHP
* ASP(X)
* JSP(X)

HOW

ruby inspathx.rb -d /sources/phpmyadmin -u http://localhost/phpmyadmin -t 20
ruby inspathx.rb -d c:/sources/phpmyadmin -u http://localhost/phpmyadmin -t 20
ruby inspathx.rb -d c:/sources/dotnetnuke -u http://localhost/dotnetnuke -t 20 -l aspx
ruby inspathx.rb -d c:/sources/jspnuke -u http://localhost/jspnuke -t 20 -l jsp -x "jsp|jspx"

SAMPLE LOGS

Mambo 4.6.5
http://inspathx.googlecode.com/svn/trunk/sample_logs/localhost_mambo_.log

WordPress 3.0.1
http://inspathx.googlecode.com/svn/trunk/sample_logs/localhost_wp_.log

REFERENCES

http://www.owasp.org/index.php/Full_Path_Disclosure
http://projects.webappsec.org/Information-Leakage
http://cwe.mitre.org/data/definitions/209.html
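The response check this announcement describes, as an added example in Python rather than inspathx's own Ruby code: it looks for PHP error messages that leak an absolute filesystem path in responses from your own application and, given the requested relative path from the source tree, works out the install root that was disclosed. The regular expression, function names and response bodies are constructed for illustration and cover the PHP error layout only.

```python
import re

TAG = re.compile(r"<[^>]+>")

# PHP's default error layout: "<level>: <message> in <file> on line <n>".
# The file must be an absolute Unix path or a Windows drive path to count.
PHP_ERROR = re.compile(
    r"(Warning|Fatal error|Notice|Parse error|Deprecated):\s+(.*?)\s+in\s+"
    r"((?:/|[A-Za-z]:[\\/])\S+)\s+on line\s+(\d+)"
)

# Constructed responses, keyed by the relative path taken from the source tree.
SAMPLE_RESPONSES = {
    "includes/footer.php": (
        "<br />\n<b>Fatal error</b>:  Call to undefined function render_footer() "
        "in <b>/var/www/html/app/includes/footer.php</b> on line <b>18</b><br />"
    ),
    "admin/menu.php": (
        "<b>Warning</b>:  require_once(config.php) "
        "[<a href='function.require-once'>function.require-once</a>]: "
        "failed to open stream: No such file or directory "
        "in <b>C:\\xampp\\htdocs\\app\\admin\\menu.php</b> on line <b>3</b>"
    ),
    "index.php": "<html><body><h1>Welcome</h1></body></html>",
}


def find_path_leaks(body, requested=None):
    """Return the PHP errors in `body` that expose an absolute file path.

    `requested` is the relative path that was fetched; when the leaked path
    ends with it, the remaining prefix is the application's install root.
    """
    text = TAG.sub("", body)  # error output is wrapped in <b>...</b> by default
    leaks = []
    for match in PHP_ERROR.finditer(text):
        level, _message, path, line = match.groups()
        leak = {"level": level, "path": path, "line": int(line),
                "install_root": None}
        if requested:
            normalized = path.replace("\\", "/")
            suffix = "/" + requested.lstrip("/")
            if normalized.endswith(suffix):
                leak["install_root"] = normalized[: -len(suffix)]
        leaks.append(leak)
    return leaks


def scan(responses):
    """Map each relative path whose response leaks a path to its findings."""
    report = {}
    for relative_path, body in responses.items():
        leaks = find_path_leaks(body, relative_path)
        if leaks:
            report[relative_path] = leaks
    return report


if __name__ == "__main__":
    for relative_path, leaks in sorted(scan(SAMPLE_RESPONSES).items()):
        for leak in leaks:
            print("%s: %s leaks %s (root: %s)" % (
                relative_path, leak["level"], leak["path"], leak["install_root"]))
```

With PHP's display_errors setting turned off and errors sent to a log file instead, neither of the two leaking sample bodies would reach the client.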
Re: [Full-disclosure] WikiLeaks
Sorry but I find the whole subject incredibly boring, as do quite a few other people (again, each to their own).

Because, when it comes down to it, breaches happen all the time, and cryptome/wikileaks is no different. It really is *just another website*, despite what it is used for and despite the publicity surrounding them. This is no different to someone posting a link on here to a defaced popular site.

I mean, come on. I understand why everyone *thinks* they are important and must be gossiped about, but I don't agree with it in the slightest. (imo)

On 07/10/2010 21:47, Harry Behrens wrote:
> On 07.10.2010 22:37, Cal Leeming [Simplicity Media Ltd] wrote:
> > Yeah, you both have valid points. In this case though, I really just don't see why everyone is so hyped up about the wikileaks / cryptome stuff. :S
>
> If you don't understand why something like Wikileaks being down with no obvious reason or explanation is an issue - then I guess continue sleeping...
>
> And security or disclosure is not just bits and bytes ...
>
> -h
Re: [Full-disclosure] WikiLeaks
On Fri, Oct 8, 2010 at 6:57 AM, Cal Leeming [Simplicity Media Ltd] cal.leem...@simplicitymedialtd.co.uk wrote:
> Sorry but I find the whole subject incredibly boring, as do quite a few other people (again, each to their own).

To play devil's advocate: if two folks find the topic boring, would it not NOT be discussed? If so, how would each know the other finds it boring?

[SNIP]
Re: [Full-disclosure] Filezilla's silent caching of user's credentials
No one really cares about session keys or credentials: http://www.google.com/search?q=%22Apache+Server+Status+for%22+%22Server+Version%22+-%22How+to%22+-Guide+-Tuninghl=enbiw=1430bih=789ei=KQOvTPv-Oo_Jswb7oJHTDQstart=10sa=N

27,800 hits.. This is a misconfiguration done by the administrator.

So I like that quote: "I do not see any harm in storing credentials as long as the rest of your system is properly secure as it should be."

Let He Who Is Without Sin Cast The First Stone

--- Jeffrey Walton noloa...@gmail.com wrote on Fri, 8.10.2010:
> From: Jeffrey Walton noloa...@gmail.com
> Subject: Re: [Full-disclosure] Filezilla's silent caching of user's credentials
> To: Ryan Sears rdse...@mtu.edu
> CC: full-disclosure full-disclosure@lists.grok.org.uk
> Date: Friday, 8 October 2010, 02:25
>
> Hi Ryan,
>
> No inline comments. Sorry (I wanted to reorder topics).
>
> > I just wanted to gauge the FD community on this issue, because with enough backing and explanation from the security community as to why this is a problem, this issue may finally be resolved (it's been doing this for years now)
>
> This is an alarming trend in open source software, and diametrically opposed to the claims of "more eyes equates to more secure", "open source software is more secure", and "open source software fixes bugs faster than other software models". It also blows away the theory of Darwinian Software Evolution: good, robust, secure software thrives and lesser software dies. Filezilla and the Python example below are proofs by counter example. It appears the model in use is greatly influenced by popularity, which makes it more appropriate for politicians (who tend to lie for a living) ;)
>
> > I do not see any harm in storing credentials as long as the rest of your system is properly secure as it should be.
> > Source:(http://forum.filezilla-project.org/viewtopic.php?f=3t=17932)
>
> That should earn the project a Pwnie Award nomination for lamest vendor response (http://pwnies.com/).
>
> > To me this is not only concerning, but also completely un-acceptable.
>
> Agreed. Other recent similar examples of this sort of response by open source projects include "Python ssl handling could be better...", where the Python Standard Library did not (still does not?) verify the hostname in the certificate with CN or SubAlt name (http://seclists.org/fulldisclosure/2010/Sep/381). The python bug was filed in 2007 (http://bugs.python.org/issue1589).
>
> Jeff
>
> On Thu, Oct 7, 2010 at 11:10 PM, Ryan Sears rdse...@mtu.edu wrote:
> > Hi all,
> >
> > As some of you may or may not be aware, the popular (and IMHO one of the best) FTP/SCP program Filezilla caches your credentials for every host you connect to, without either warning or ability to change this without editing an XML file. There have been quite a few bug and feature requests filed, and they all get closed or rejected within a week or so. I also posted something in the developer forum inquiring about this, and received this response:
> >
> > "I do not see any harm in storing credentials as long as the rest of your system is properly secure as it should be."
> > Source:(http://forum.filezilla-project.org/viewtopic.php?f=3t=17932)
> >
> > To me this is not only concerning, but also completely un-acceptable. The passwords all get stored in PLAIN TEXT within your %appdata% directory in an XML file. This is particularly dangerous in multi-user environments with local profiles, because as we all know physical access to a computer means it's elementary at best to acquire information off it. Permissions only work if your operating system chooses to respect them, not to mention how simple it is *even today* to maliciously get around windows networks using pass-the-hash along with network token manipulation techniques.
> >
> > There has even been a bug filed that draws out great ways to pseudo-mitigate this using built-in windows API calls, but it doesn't seem to really be going anywhere. This really concerns me because a number of my coworkers and friends were un-aware of this behavior, and I didn't even know about it until I'd been using it for a year or so. All I really want to see is at the very least just some warning that Filezilla does this.
> >
> > Filezilla bug report:(http://trac.filezilla-project.org/ticket/5530)
> >
> > My feelings have been said a lot more eloquently than I could ever hope to in that bug report:
> >
> > "Whoever keeps closing this issue and/or dismissing its importance understands neither security nor logical argument. I apologize for the slam, but it is undeniably true. Making the same mistake over and over does not make it any less of a mistake. The fact that a critical deficiency has existed for years does not make it any less critical a deficiency. Similarly, the fact that there are others (pidgin) who indulge in the same faulty reasoning does not make the reasoning any more sound."
> > ~btrower
> >
> > While it's true you can mitigate this
Re: [Full-disclosure] WikiLeaks
Yeah, I think I've managed to inadvertently do the very thing I was complaining about to begin with. Last post on this from me!

On 08/10/2010 12:39, Jeffrey Walton wrote:
> On Fri, Oct 8, 2010 at 6:57 AM, Cal Leeming [Simplicity Media Ltd] cal.leem...@simplicitymedialtd.co.uk wrote:
> > Sorry but I find the whole subject incredibly boring, as do quite a few other people (again, each to their own).
>
> To play devil's advocate: if two folks find the topic boring, would it not NOT be discussed? If so, how would each know the other finds it boring?
>
> [SNIP]
Re: [Full-disclosure] XSS in Oracle default fcgi-bin/echo
Paul, list,

On 10/08/2010 12:18 AM, paul.sz...@sydney.edu.au wrote:
> Many Oracle web server installations have a fcgi-bin/echo script left over from default demo (google for inurl:fcgi-bin/echo). That script seems vulnerable to XSS. (PoC exploit and explanation of impact withheld now.)
>
> I asked secur...@oracle.com and they said that ... this issue has been resolved in an earlier Critical Patch Update.

They said the same to me one year ago.

regards,
--
Nahuel Grisolia - C|EH
Information Security Consultant
Bonsai Information Security Project Leader
http://www.bonsai-sec.com/
(+54-11) 4777-3107
Re: [Full-disclosure] Filezilla's silent caching of user's credentials
On Thu, Oct 7, 2010 at 11:10 PM, Ryan Sears rdse...@mtu.edu wrote:
> Hi all,
>
> As some of you may or may not be aware, the popular (and IMHO one of the best) FTP/SCP program Filezilla caches your credentials for every host you connect to, without either warning or ability to change this without editing an XML file. There have been quite a few bug and features requests filed, and they all get closed or rejected within a week or so. I also posted something in the developer forum inquiring about this, and received this response:
>
> "I do not see any harm in storing credentials as long as the rest of your system is properly secure as it should be."
> Source:(http://forum.filezilla-project.org/viewtopic.php?f=3t=17932)
>
> To me this is not only concerning, but also completely un-acceptable. The passwords all get stored in PLAIN TEXT within your %appdata% directory in an XML file. This is particularly dangerous in multi-user environments with local profiles, because as we all know physical access to a computer means it's elementary at best to acquire information off it. Permissions only work if your operating system chooses to respect them, not to mention how simple it is *even today* to maliciously get around windows networks using pass-the-hash along with network token manipulation techniques.

I reported a similar issue in a certain SSH client a few years ago, it was keeping the passphrase as cleartext in memory for the duration of the session as well as an arbitrarily long period after you disconnect but keep the window open. They added protections like a simple encoding for the credentials where they are stored, and nulling out the region when you ended the session. They still wanted to keep the credentials intact during the session in order to quickly create new terminal windows. This issue was much less serious than storing the cleartext in a file, and they thought it appropriate to add protections.

> I just wanted to gauge the FD community on this issue, because with enough backing and explanation from the security community as to why this is a problem, this issue may finally be resolved (it's been doing this for years now).

It IS an issue. Plain and simple. That type of developer response really gets me. Personally I won't be allowing Filezilla on any of my systems even if they do eventually patch this issue.. who knows what else is lurking behind the scenes?

Cheers,
Charles
Re: [Full-disclosure] WikiLeaks
Harry Behrens wrote:
> If you don't understand why something like Wikileaks being down with no obvious reason or explanation is an issue - then I guess continue sleeping...
>
> And it is indeed a security issue - in fact of international proportions..

Oh please. The world does not stop for Wikileaks going down; in fact, I guarantee you that in over 90% of the places you will visit this week, no one will know or even care that Wikileaks is down. Security issue of international proportions my ass. Life goes on, people go on, no government, agency, official, business nor individual stopped functioning, living, breathing because Wikileaks went down.

Reality is, outside of a very small segment of individuals, no one cares to be quite frank. To prove this point, ask the next 10 people you say: Do you know Wikileaks is down!? and study their response. Wanna bet 99% will respond something similar to one of the following:

So? What's Wikileaks? Why would Wikipedia be down? Who cares What do they do? Why should I care And this has what to do with me?

--
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT

It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you'll do things differently. - Warren Buffett

227C 5D35 7DCB 0893 95AA 4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x5CCD6B5E
Re: [Full-disclosure] WikiLeaks
I've been reading the list of emails with some mild interest and Mr Oquendo couldn't have hit a better answer. If I had to pick one, I'd vote for "Why would Wikipedia be down?"

Anyway, let me say one thing. What happened to all the fuss about dll hijack exploits? Did they live up to their name? When will we have executable Kamikaze?

Want a piece of my mind? Read Schneier article on the 'SCADA' virus...

Cheers,
Chris.

On Fri, Oct 8, 2010 at 3:41 PM, J. Oquendo s...@infiltrated.net wrote:
> Harry Behrens wrote:
> > If you don't understand why something like Wikileaks being down with no obvious reason or explanation is an issue - then I guess continue sleeping...
> >
> > And it is indeed a security issue - in fact of international proportions..
>
> Oh please. The world does not stop for Wikileaks going down; in fact, I guarantee you that in over 90% of the places you will visit this week, no one will know or even care that Wikileaks is down. Security issue of international proportions my ass. Life goes on, people go on, no government, agency, official, business nor individual stopped functioning, living, breathing because Wikileaks went down.
>
> Reality is, outside of a very small segment of individuals, no one cares to be quite frank. To prove this point, ask the next 10 people you say: Do you know Wikileaks is down!? and study their response. Wanna bet 99% will respond something similar to one of the following:
>
> So? What's Wikileaks? Why would Wikipedia be down? Who cares What do they do? Why should I care And this has what to do with me?
>
> --
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> J. Oquendo
> SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT
>
> It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you'll do things differently. - Warren Buffett
>
> 227C 5D35 7DCB 0893 95AA 4771 1DCE 1FD1 5CCD 6B5E
> http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x5CCD6B5E
Re: [Full-disclosure] WikiLeaks
On 10/8/2010 9:41 AM, J. Oquendo wrote:
> Harry Behrens wrote:
> > And it is indeed a security issue - in fact of international proportions..
> ...
> Security issue of international proportions my ass.

If I may try to interpret what's going on here (and apologies to both parties if I get it wrong), I think Harry Behrens and J. Oquendo see the world in very different ways, and they mean two very different things by the term "security issue" in this context.

H. believes that Wikileaks is doing critical work to protect democracy, civil rights, freedom, etc. around the world. To him, for Wikileaks to be down is not a security issue in the sense of an opportunity for people's PC's to get rooted and turned into a zombie botnet, but rather a security issue in that the lack of a functioning site such as Wikileaks threatens our lives and liberties in real life.

J. is not so sanguine about the mission of Wikileaks and/or how well it fulfills it and/or how important it is for protecting our lives and liberties. As we see from this comment:

> Life goes on, people go on, no government, agency, official, business nor individual stopped functioning, living, breathing because Wikileaks went down.

As for this comment:

> Reality is, outside of a very small segment of individuals, no one cares to be quite frank.

H. would probably respond something to the effect of, "Yes, you're right, most people don't care that their essential liberties are being taken away, and that people's very lives are being threatened by the kind of misdeeds on which Wikileaks shines the light of day."

It's likely that most of us on this list fall somewhere between the two extremes of opinion I've postulated here, and again I apologize if I'm mischaracterizing anyone's views.

In any case, if I'm right that this is the kind of security issue that J. was referring to, then I agree with others who have said that this discussion does not belong on full-disclosure, and this will be my first and last message on the topic.

jik
Re: [Full-disclosure] WikiLeaks
Jonathan Kamens wrote:
> J. is not so sanguine about the mission of Wikileaks and/or how well it fulfills it and/or how important it is for protecting our lives and liberties. As we see from this comment:

How well it protects whose liberties. Show me some factual information on where it saved anything for anyone. Or please explain to me and perhaps the thousands of soldiers from ALL SORTS of countries in Afghanistan, etc, how it's protecting them by outing information with regards to military operations. Give me a break, I've been there, done that and to be honest, I grew up a while ago so spare the "give me Wikileaks or give me death" speech. Wikileaks wasn't the first, nor will it be the last.

> In any case, if I'm right that this is the kind of security issue that J. was referring to, then I agree with others who have said that this discussion does not belong on full-disclosure, and this will be my first and last message on the topic.

1) Security regarding network and or computing related capabilities, contexts, etc
There is no purpose to the initial message and or thread

2) Security regarding wikileaks defending against ANYTHING other than someone's own pockets...
Is also irrelevant.

Perception and reality are two different equations to any interpretation of fact/story/etc. while you and others like you believe

Wikileaks! - Defender of Justice

I see

Wikiwhore - Take the money and run

Again, been there done that when I ran, Politrix way before wikileaks became a site, been there done that with JYA/Cryptome, been there done that with J Orlin Grabbe (RIP) and the list goes on. Spare me and the list the dramatics.

--
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT

It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you'll do things differently. - Warren Buffett

227C 5D35 7DCB 0893 95AA 4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x5CCD6B5E
Re: [Full-disclosure] Filezilla's silent caching of user's credentials
food for thought: https://bugzilla.mozilla.org/show_bug.cgi?id=602181
[Full-disclosure] ZDI-10-194: IBM Tivoli Provisioning Manager for OS Deployment TCP to ODBC Remote Code Execution Vulnerability
ZDI-10-194: IBM Tivoli Provisioning Manager for OS Deployment TCP to ODBC Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-194
October 8, 2010

-- CVSS:
10, (AV:N/AC:L/Au:N/C:C/I:C/A:C)

-- Affected Vendors:
IBM

-- Affected Products:
IBM Tivoli Provisioning Manager

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 10516. For further product information on the TippingPoint IPS, visit:

http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary SQL queries on vulnerable installations of Tivoli Provisioning Manager. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the TCP to ODBC gateway component which listens by default on TCP port 2020. Authentication is not required to issue SQL queries to the service. A remote attacker can abuse this to read, modify, or create records within the database.

-- Vendor Response:
IBM has issued an update to correct this vulnerability. More details can be found at:

http://publib.boulder.ibm.com/infocenter/tivihelp/v3r1/index.jsp?topic=%2Fcom.ibm.tivoli.tpm.osd.doc%2Finstall%2Ftosd_setmsacessdbpwd.html

-- Disclosure Timeline:
2010-07-06 - Vulnerability reported to vendor
2010-10-08 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* AbdulAziz Hariri

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at:

http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product.

Our vulnerability disclosure policy is available online at:

http://www.zerodayinitiative.com/advisories/disclosure_policy/

Follow the ZDI on Twitter:

http://twitter.com/thezdi
Re: [Full-disclosure] WikiLeaks
Christian Sciberras wrote:
> Want a piece of my mind? Read Schneier article on the 'SCADA' virus...
>
> Cheers,
> Chris.

Wait. You wrote that article? I always figured Schneier had ghostwriters.