Re: [Full-disclosure] BF, CSRF, and IAA vulnerabilities in websecurity.com.ua
If you reread what I posted you will see that I do not give my opinion on the quality of his posts. I will keep that to myself; I just state that it's better than dude's (and your) troll posts.

Regards

On Jan 1, 2013 3:04 PM, Benji m...@b3nji.com wrote:

> So you would say that you find the things he posts of interest? Please expand on how and why anti-automation bugs in unknown CMSs are of interest?
>
> On Mon, Dec 31, 2012 at 11:58 PM, some one s3cret.squir...@gmail.com wrote:
>
>> If you do not like or find of interest what the guy posts, is it not easier to just press delete or filter him out rather than try to make fun of him? Give the dude a break, man; he's submitting more things of interest than you are and you just make yourself sound bitter and twisted. It's new year, man, go out and drink a beer or eat some fireworks.
>>
>> On Dec 31, 2012 5:17 PM, Julius Kivimäki julius.kivim...@gmail.com wrote:
>>
>>> Hello list! I want to warn you about multiple extremely severe vulnerabilities in websecurity.com.ua. These are Brute Force and Insufficient Anti-automation vulnerabilities in websecurity.com.ua.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] BF, CSRF, and IAA vulnerabilities in websecurity.com.ua
If you do not like or find of interest what the guy posts, is it not easier to just press delete or filter him out rather than try to make fun of him? Give the dude a break, man; he's submitting more things of interest than you are and you just make yourself sound bitter and twisted. It's new year, man, go out and drink a beer or eat some fireworks.

On Dec 31, 2012 5:17 PM, Julius Kivimäki julius.kivim...@gmail.com wrote:

> Hello list! I want to warn you about multiple extremely severe vulnerabilities in websecurity.com.ua. These are Brute Force and Insufficient Anti-automation vulnerabilities in websecurity.com.ua.
Re: [Full-disclosure] BF, CSRF, and IAA vulnerabilities in websecurity.com.ua
So you would say that you find the things he posts of interest? Please expand on how and why anti-automation bugs in unknown CMSs are of interest?

On Mon, Dec 31, 2012 at 11:58 PM, some one s3cret.squir...@gmail.com wrote:

> If you do not like or find of interest what the guy posts, is it not easier to just press delete or filter him out rather than try to make fun of him? Give the dude a break, man; he's submitting more things of interest than you are and you just make yourself sound bitter and twisted. It's new year, man, go out and drink a beer or eat some fireworks.
>
> On Dec 31, 2012 5:17 PM, Julius Kivimäki julius.kivim...@gmail.com wrote:
>
>> Hello list! I want to warn you about multiple extremely severe vulnerabilities in websecurity.com.ua. These are Brute Force and Insufficient Anti-automation vulnerabilities in websecurity.com.ua.
Re: [Full-disclosure] BF, CSRF, and IAA vulnerabilities in websecurity.com.ua
I was asking for your opinion.

On Tue, Jan 1, 2013 at 7:31 PM, some one s3cret.squir...@gmail.com wrote:

> If you reread what I posted you will see that I do not give my opinion on the quality of his posts. I will keep that to myself; I just state that it's better than dude's (and your) troll posts.
>
> Regards
>
> On Jan 1, 2013 3:04 PM, Benji m...@b3nji.com wrote:
>
>> So you would say that you find the things he posts of interest? Please expand on how and why anti-automation bugs in unknown CMSs are of interest?
>>
>> On Mon, Dec 31, 2012 at 11:58 PM, some one s3cret.squir...@gmail.com wrote:
>>
>>> If you do not like or find of interest what the guy posts, is it not easier to just press delete or filter him out rather than try to make fun of him? Give the dude a break, man; he's submitting more things of interest than you are and you just make yourself sound bitter and twisted. It's new year, man, go out and drink a beer or eat some fireworks.
>>>
>>> On Dec 31, 2012 5:17 PM, Julius Kivimäki julius.kivim...@gmail.com wrote:
>>>
>>>> Hello list! I want to warn you about multiple extremely severe vulnerabilities in websecurity.com.ua. These are Brute Force and Insufficient Anti-automation vulnerabilities in websecurity.com.ua.
[Full-disclosure] BF, CSRF, and IAA vulnerabilities in websecurity.com.ua
Hello list!

I want to warn you about multiple extremely severe vulnerabilities in websecurity.com.ua. These are Brute Force and Insufficient Anti-automation vulnerabilities in websecurity.com.ua. These vulnerabilities are very serious and could affect millions of people.

-------------------------
Affected products:
-------------------------

Vulnerable are all versions of websecurity.com.ua.

----------
Details:
----------

Brute Force (WASC-11):

In the ftp server (websecurity.com.ua:21) there is no protection from Brute Force attacks.

Cross-Site Request Forgery (WASC-09):

Lack of captcha in the login form (http://websecurity.com.ua:21/) can be used for different attacks - for a CSRF attack to log into an account (remote login - to conduct attacks on vulnerabilities inside the account), for automated entering into an account, for phishing and other automated attacks. You can read about these in the article Attacks on unprotected login forms (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2011-April/007773.html).

Insufficient Anti-automation (WASC-21):

In the login form there is no protection against automated requests, which allows picking up logins in an automated way by attacking the login function.

Timeline:

2012.06.28 - announced at my site about websecurity.com.ua.
2012.06.28 - informed developers about the first part of vulnerabilities in websecurity.com.ua.
2012.06.30 - informed developers about the second part of vulnerabilities in websecurity.com.ua.
2012.07.26 - announced at my site about websecurity.com.ua.
2012.07.28 - informed developers about vulnerabilities in websecurity.com.ua and reminded them about the previous two letters I had sent to them with carrier pigeons.
2012.07.28-2012.10.31 - multiple attempts to contact the owners of websecurity.com.ua were ignored by the owners.
2012.11.02 - developers responded "fuck off and kill urself irl!".
2012.12.31 - disclosed on the list.

Best wishes & regards,
MustLive
Security master extraordinaire, master sysadmin
http://websecurity.com.ua