Re: [Full-disclosure] Bug with .php extension?

2005-12-04 Thread Chris Umphress
On 12/4/05, Ron <[EMAIL PROTECTED]> wrote: > I'm not sure whether this is something that's well known, but I've never > seen anything about it, and I nearly got burned by it, so I figured I'd > post it here. > > In Apache 1.3.33 (untested on any other version), if you have a file > called file.php.

[Full-disclosure] Bug with .php extension?

2005-12-04 Thread Ron
I'm not sure whether this is something that's well known, but I've never seen anything about it, and I nearly got burned by it, so I figured I'd post it here. In Apache 1.3.33 (untested on any other version), if you have a file called file.php.bak, and you navigate to it in the browser, it wil

RE: [Full-disclosure] Google is vulnerable from XSS attack

2005-12-04 Thread Joseph Pierini
>Absolutely, I agree. But in this specific case, it's not all that useful. Please, for the love of god, do not get him riled up again. Can we all just say "N3td3v, thanks for the info. Wow, it must have been an exhaustive search to find that needle in a haystack. I'm sure Google appreciates your t

Re: [Full-disclosure] Google is vulnerable from XSS attack

2005-12-04 Thread InfoSecBOFH
"XSS is 'starting' to get fairly useful." Absolutely, I agree. But in this specific case, it's not all that useful. ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - ht

Re: [Full-disclosure] Google is vulnerable from XSS attack

2005-12-04 Thread n3td3v
[drama] [wild imagination] ***Millions of e-mail addresses exposed to hackers*** *Hacker gets access to every group, made easier by his/her worm script (likely a hacker would do this) *Hacker harvests all e-mail addresses exposed and sells to spammer (likely a hacker would do this) *Hacker delete

[Full-disclosure] IT security professionals in demand in 2006

2005-12-04 Thread Ivan .
http://www.computerworld.com.au/index.php/id;923889191;fp;16;fpid;0

Re: [Full-disclosure] Format String Vulnerabilities in Perl Programs

2005-12-04 Thread Steven M. Christey
On Sat, 3 Dec 2005, Chris Umphress wrote: > Almost all of the statements refer to a number of programming > languages if thought is not put into the program. Security requires > thought. Agreed, but every once in a while we run across things that people don't usually think about. > >The pos

Re: [Full-disclosure] Re: Format String Vulnerabilities in Perl Programs

2005-12-04 Thread Steven M. Christey
It was mentioned this week, but not in my paper, so it didn't hurt for it to be mentioned again :) - Steve On Sun, 4 Dec 2005, Stan Bubrouski wrote: > On 12/3/05, Michael J. Pomraning <[EMAIL PROTECTED]> wrote: > > > For Perl projects, I'd also nominate syslog(), from the standard Sys::Syslog