Re: [Full-disclosure] Mail Drives Security Considerations

Matthew Flaschen wrote: Why can't message signing offer backwards compatibility (assuming you use multipart/signed)? Matthew Flaschen Darkz wrote: Mail Drives Security Considerations === Author: Attila Gerendi (Darkz) Date: November 03, 2006

Re: [Full-disclosure] Internet Explorer 7 - Still Spyware Writers' Heaven

So all the malware writer has to do now is figure out how to do the initial exploit in the first place, that would then allow them to muck with path statements or place code in path executable areas. I mean, do you get it, yet? If the malware writer figures out how do the initial exploit, anything

Re: [Full-disclosure] Mail Drives Security Considerations

Just set it to only accept signed messages starting from a certain date. Matthew Flaschen Darkz wrote: Matthew Flaschen wrote: Why can't message signing offer backwards compatibility (assuming you use multipart/signed)? Matthew Flaschen Darkz wrote: Mail Drives Security

Re: [Full-disclosure] Firefox 1.5.0.7 Exploit

On Pi, 2006-11-03 at 09:35 +0100, Tyop? wrote: No problem on Mac OS X 10.4.8 with firefox 1.5.0.7. firefox 1.5.0.7 on FreeBSD 7.0(september) and on Linux debian 2.6.17-2-686, Not affected. PC-BSD's 1.5.0.7 PBI not affected. 1.5.0.7 on OpenSUSE 10.2 alpha5 not affected. Even up-to-date

[Full-disclosure] [x0n3-h4ck.org] PayPal vulnerable to XSS

Title: [x0n3-h4ck.org] PayPal vulnerable to XSS -=[ADVISORY---]=- PayPal.com Author:CorryL x0n3-h4ck.org -=[]=- -=[+] Application: PayPal.com -=[+] Version: -=[+] Vendor's URL: www.paypal.com -=[+]

[Full-disclosure] Microsoft Firefox?

http://www.msfirefox.com/microsoft-firefox/index.html ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/

[Full-disclosure] ZDI-06-037: America Online ICQ ActiveX Control Code Execution Vulnerability

ZDI-06-037: America Online ICQ ActiveX Control Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-06-037.html November 6, 2006 -- CVE ID: CVE-2006-5650 -- Affected Vendor: America Online -- Affected Products: America Online ICQ 5.1 -- TippingPoint(TM) IPS

[Full-disclosure] [SECURITY] [DSA 1206-1] New php4 packages fix several vulnerabilities

-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - -- Debian Security Advisory DSA 1206-1[EMAIL PROTECTED] http://www.debian.org/security/ Moritz Muehlenhoff November 6th, 2006

[Full-disclosure] Machoman / Macarena virus for OSX

Since most of the reporting out on OSX.Macerena is fairly minimal I thought I would point everyone to the original tutorial and PoC code by Roy G Biv of 29A incase you missed it. http://vx.netlux.org/lib/vrg01.html -KF ___ Full-Disclosure - We

[Full-disclosure] help

Flaschen [EMAIL PROTECTED], full-disclosure@lists.grok.org.uk Message-ID: [EMAIL PROTECTED] Content-Type: text/plain; charset=us-ascii An HTML attachment was scrubbed... URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20061106/76d0ca99/attachment-0001.html

Re: [Full-disclosure] [x0n3-h4ck.org] PayPal vulnerable to XSS

On 04 Nov 06, at 11:39, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: this is a request, that I have passed server to the web, complete of the code that would allow the xss: GET / HTTP/1.0 Accept: */* User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322) Host:

Re: [Full-disclosure] [x0n3-h4ck.org] PayPal vulnerable to XSS

Dear Andrew Farmer, Is it? Look into Flash 8 raw http requests, you can trigger them client side. -- http://secdev.zoller.lu Thierry Zoller Fingerprint : 5D84 BFDC CD36 A951 2C45 2E57 28B3 75DD 0AC6 F1C7 ___ Full-Disclosure - We believe in it.

Re: [Full-disclosure] [x0n3-h4ck.org] PayPal vulnerable to XSS

That's not exploitable. Remember that the XS in XSS stands for cross-site: you have to be able to trigger the scripting using ordinary requests from another site. To generate this cookie, you'd need to already have scripting access to the paypal.com domain - in which case you don't care

[Full-disclosure] VulnDisco Pack for Metasploit is available

Hi All, I am glad to announce that free version of VulnDisco Pack for Metasploit Framework 2.7 is available for download. This release includes the following 0day exploits: vd_ldapinfo.pm - [0day] Query info from LDAP server vd_xlink.pm - [0day] Omni-NFS Enterprise remote exploit vd_openldap.pm

Re: [Full-disclosure] Microsoft Firefox?

Simon Smith wrote: http://www.msfirefox.com/microsoft-firefox/index.html Probably some joker playing mind games.; still -- Technical Contact: Whois Privacy Protection Service, Inc. Whois Agent ([EMAIL PROTECTED]) +1.4252740657 Fax: +1.4256960234 PMB 368, 14150 NE 20th St -

[Full-disclosure] [ MDKSA-2006:199 ] - Updated libx11 packages fix file descriptor leak vulnerability

-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ___ Mandriva Linux Security Advisory MDKSA-2006:199 http://www.mandriva.com/security/

Re: [Full-disclosure] [x0n3-h4ck.org] PayPal vulnerable to XSS

I found a similar one long back in the Expect header but did not bother to post... However, this bug is not associated with the paypal application but rather with the Apache server *version* on which it is hosted. This kind of XSS are usually called as - Unfiltered Header Injection in Apache.

[Full-disclosure] DigiOz Guestbook version 1.7 Path Disclosure Vulnerability in list.php

DigiOz Guestbook version 1.7 Path Disclosure Vulnerability in list.php Description: The DigiOz Guestbook is a PHP driven guestbook system. The vulnerability exists in list.php script which allows remote attackers to obtain sensitive information via an HTTP request to list.php that contains

Re: [Full-disclosure] Microsoft Firefox?

On 11/7/06, Zachary Miller [EMAIL PROTECTED] wrote: On Nov 6, 2006, at 1:34 PM, imipak wrote: Simon Smith wrote: http://www.msfirefox.com/microsoft-firefox/index.html Probably some joker playing mind games.; still -- snip Google search for site:msfirefox.com and look at the cached