Re: [Full-disclosure] The Auction Site made Forbes.

2007-07-10 Thread bugtraq
In a way a larger company (beyond idefense/tippingpoint) getting involved will be to our advantage. There hasn't been a high profile lawsuit against a vuln researcher for finding and selling an 0day at this point (that I can think of) and it's only a matter of time before it happens. A company

Re: [Full-disclosure] Full-Disclosure Digest, Vol 29, Issue 14

2007-07-10 Thread atlas
On Monday 09 July 2007, [EMAIL PROTECTED] wrote: > Message: 1 > Date: Sun, 8 Jul 2007 07:25:34 -0400 > From: "Paul Melson" <[EMAIL PROTECTED]> > Subject: Re: [Full-disclosure] EXPLOITS FOR SALE (AUCTION SITE) > To: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]> > Cc: full-disclosure@lists.grok.org.uk > Me

Re: [Full-disclosure] Google/Orkut Authentication/Session Management Issue PoC - Interim Results

2007-07-10 Thread Deeþàn Chakravarthÿ
Joseph Hick wrote: > This is the interim result of a proof of concept for > Google Authentication issues posted in the threads... > > 1.) > http://lists.grok.org.uk/pipermail/full-disclosure/2007-June/064143.html > (Orkut Server Side Management Error by Susam Pal & > Vipul Agarwal) > > 2.) > http:/

Re: [Full-disclosure] Google/Orkut Authentication/Session Management Issue PoC - Interim Results

2007-07-10 Thread Joseph Hick
If you sign into orkut.com then enter orkut in the filter box then you will see some orkut cookies. Look for orkut_state in www.orkut.com site. It will work if you are logged in. If you log out orkut_state cookie disappears but the session remains active in orkut.com server. So a big problem is ha

Re: [Full-disclosure] Google/Orkut Authentication/Session Management Issue PoC - Interim Results

2007-07-10 Thread Deeþàn Chakravarthÿ
Joseph Hick wrote: > If you sign into orkut.com then enter orkut in the > filter box then you will see some orkut cookies. Look > for orkut_state in www.orkut.com site. > > It will work if you are logged in. if you log out > orkut_state cookie disappears but the session remains > active in orkut.co

Re: [Full-disclosure] Google/Orkut Authentication/Session Management Issue PoC - Interim Results

2007-07-10 Thread Neeraj Agarwal
My friend got my session cookie a day before yesterday. Is there any method I can stop him by using my orkut account? On 7/10/07, Deeþàn Chakravarthÿ <[EMAIL PROTECTED]> wrote: Joseph Hick wrote: > If you sign into orkut.com then enter orkut in the > filter box then you will see some orkut cooki

[Full-disclosure] [ MDKSA-2007:143 ] - Updated mplayer packages fix buffer overflow remote vulnerabilities

2007-07-10 Thread security
Mandriva Linux Security Advisory MDKSA-2007:143 http://www.mandriva.com/security/

Re: [Full-disclosure] Internet Explorer 0day exploit

2007-07-10 Thread Paul Szabo
Thor Larholm wrote: > There is a URL protocol handler command injection vulnerability ... > http://larholm.com/2007/07/10/internet-explorer-0day-exploit/ I wonder whether this is essentially different from: Microsoft Internet Explorer 6 Protocol Handler Vulnerability http://www.securityfocus

[Full-disclosure] [USN-481-1] ImageMagick vulnerabilities

2007-07-10 Thread Kees Cook
Ubuntu Security Notice USN-481-1 July 10, 2007 imagemagick vulnerabilities CVE-2007-1667, CVE-2007-1797. A security issue affects the following Ubuntu releases: Ubu

Re: [Full-disclosure] An Auction Site for Vulnerabilities

2007-07-10 Thread ene0toue ene0toue
> I encourage everyone to research and release exploits > for every bug on the auction block. Remember: it is > only consistent with REAL hacker ethics to sell bugs > to terrorists, NAMBLA, and similar organizations such > as GOBBLES/n3td3v. > > J Great job smartass, with your ego driven post you

[Full-disclosure] iDefense Security Advisory 07.09.07: IBM AIX libodm ODMPATH Stack Overflow Vulnerability

2007-07-10 Thread iDefense Labs
IBM AIX libodm ODMPATH Stack Overflow Vulnerability iDefense Security Advisory 07.09.07 http://labs.idefense.com/intelligence/vulnerabilities/ Jul 09, 2007 I. BACKGROUND AIX applications use libodm to access system settings and device configuration data stored in the Object Database Manager. The

[Full-disclosure] Fling it all back home...

2007-07-10 Thread [EMAIL PROTECTED]
Annoyed of Fling popups everywhere? Play with 'em! 1) Go to Fling.com 2) User: [EMAIL PROTECTED] 3) Pwd: ">alert('I am lame') Cheers. -- [EMAIL PROTECTED] ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-cha

Re: [Full-disclosure] Internet Explorer 0day exploit

2007-07-10 Thread LIUDIEYU dot COM
Well said. This class of attack has been known for a long time - got public in 2004 as Paul's links indicated. Since then it's widely understood and heavily assessed ... mms: mailto: HCP: notes: etc. Thor's finding is a surprise - years passed and an extremely simple vector of attack still works in

Re: [Full-disclosure] The Auction Site made Forbes.

2007-07-10 Thread Valdis . Kletnieks
On Mon, 09 Jul 2007 18:23:49 EDT, [EMAIL PROTECTED] said: > There hasn't been a high profile lawsuit against a vuln researcher for > finding and selling an 0day at this point (that I can think of) and it's only > a matter of time before it happens. Given the number of highly regarded people who ha

Re: [Full-disclosure] Google/Orkut Authentication/Session Management Issue PoC - Interim Results

2007-07-10 Thread Susam Pal
An Orkut session cookie once stolen can be used by an attacker to mess with the compromised account as long as the session associated with that cookie remains alive at the server. Unfortunately, in case of Orkut, it remains alive even after the user has logged out. Joseph's experiment proves that

[Full-disclosure] Announce: RFIDIOt PC/SC support - new release 0.1p (July 2007)

2007-07-10 Thread Adam Laurie
Folks, I'm pleased to announce that I've finally got around to releasing PC/SC support for RFIDIOt. This means you can use lower cost reader/writers that are also much easier to find (although at the moment there are limitations as to what you can do with them, so they are not a complete alter

Re: [Full-disclosure] Internet Explorer 0day exploit

2007-07-10 Thread Gadi Evron
On Tue, 10 Jul 2007, Thor Larholm wrote: > There is a URL protocol handler command injection vulnerability in Internet Thor, thank you for sharing. Nice work. To paraphrase Guninski, this is still not a 0day. It is a vulnerability being disclosed. > Explorer for Windows that allows you to exec

[Full-disclosure] [ MDKSA-2007:144 ] - Updated OpenOffice.org packages fix RTF import vulnerability

2007-07-10 Thread security
Mandriva Linux Security Advisory MDKSA-2007:144 http://www.mandriva.com/security/

Re: [Full-disclosure] An Auction Site for Vulnerabilities

2007-07-10 Thread Joey Mengele
You're just jealous because you didn't achieve anything in your e-mail message! J On Tue, 10 Jul 2007 12:02:52 -0400 ene0toue ene0toue <[EMAIL PROTECTED]> wrote: >> I encourage everyone to research and release >exploits >> for every bug on the auction block. Remember: it is >> only consistent w

[Full-disclosure] [GOODFELLAS - VULN] sasatl.dll 1.5.0.531 Program Checker - Javascript Heap Spraying Exploit

2007-07-10 Thread Goodfellas SRT
Sorry guys, we apologize for sending this again, but some of the mailer daemons are responding to us that the mail has a virus. Here is the link to the bug: http://goodfellas.shellcode.com.ar/own/VULWAR200707101.txt Goodfellas SRT.

[Full-disclosure] EEYE: Microsoft Publisher 2007 Arbitrary Pointer Dereference

2007-07-10 Thread eEye Advisories
Microsoft Publisher 2007 Arbitrary Pointer Dereference Release Date: July 10, 2007 Date Reported: February 16, 2007 Severity: High (Remote Code Execution) Vendor: Microsoft Vendor Software Affected: Microsoft Office 2007 Small Business Microsoft Office 2007 Professional Microsoft Office 2007 U

Re: [Full-disclosure] An Auction Site for Vulnerabilities

2007-07-10 Thread Simon Smith
http://www.eweek.com/article2/0,1895,2156528,00.asp On 7/10/07 4:32 PM, "Joey Mengele" <[EMAIL PROTECTED]> wrote: > You're just jealous because you didn't achieve anything in your e- > mail message! > > J > > On Tue, 10 Jul 2007 12:02:52 -0400 ene0toue ene0toue > <[EMAIL PROTECTED]> wrote: >>>

[Full-disclosure] Wachovia Bank website sends confidential information

2007-07-10 Thread Bob Toxen
Wachovia Bank website sends confidential information (social security numbers, phone number, address, etc.) over the Internet without encryption. Horizon Network Security Security Advisory 07/10/2007 http://VerySecureLinux.com/ Jul 10, 2007 I. BACKGROUND Wachovia Bank's official web site offers

Re: [Full-disclosure] Wachovia Bank website sends confidential information

2007-07-10 Thread scott
Maybe that's why they have the focus of some phishing attacks recently. Easy to get the victim's login, especially if they were redirected through another site first. MITM made easy 101? Regards, Scott Bob Toxen wrote: > Wachovia Bank website se

Re: [Full-disclosure] Wachovia Bank website sends confidential information

2007-07-10 Thread Jim Popovitch
On Tue, 2007-07-10 at 20:20 -0400, Bob Toxen wrote: > VI. VENDOR RESPONSE > > The vendor (Wachovia Bank) was notified via their customer service > phone number on June 25. We were transferred to "web support". The > person answering asked us to FAX the details to her and we did so, > also on Jun

Re: [Full-disclosure] Wachovia Bank website sends confidential information

2007-07-10 Thread Tremaine Lea
On 10-Jul-07, at 7:39 PM, Jim Popovitch wrote: > On Tue, 2007-07-10 at 20:20 -0400, Bob Toxen wrote: >> VI. VENDOR RESPONSE >> >> The vendor (Wachovia Bank) was notified via their customer service >> phone number on June 25. We were transferred to "web support". The >> person answering asked us

[Full-disclosure] HomestayFinder XSS Vulnerability in Wikipedia Mirror

2007-07-10 Thread Susam Pal
There is an XSS vulnerability in HomestayFinder's 'Dictionary.aspx' script which is responsible for mirroring the content of Wikipedia. I found this interesting because here a script injected in one website exploits an XSS vulnerability in another website. I am including only a short example to de

Re: [Full-disclosure] Wachovia Bank website sends confidential information

2007-07-10 Thread Valdis . Kletnieks
On Tue, 10 Jul 2007 21:39:33 EDT, Jim Popovitch said: > 7 days? "industry practice"? Come on Bob I know you know that large > corporations can't feed a cat in 7 days let alone make unscheduled > website changes that fast. Change control approvals alone would include > 14 or more days in most

[Full-disclosure] [ MDKSA-2007:145 ] - Updated wireshark packages fix multiple vulnerabilities

2007-07-10 Thread security
Mandriva Linux Security Advisory MDKSA-2007:145 http://www.mandriva.com/security/

Re: [Full-disclosure] Wachovia Bank website sends confidential information

2007-07-10 Thread Alexander Sotirov
Jim Popovitch wrote: > 7 days? "industry practice"? Come on Bob I know you know that large > corporations can't feed a cat in 7 days let alone make unscheduled > website changes that fast. Change control approvals alone would include > 14 or more days in most enterprises. Why the rush to "sa