> Date: Wed, 28 Nov 2007 03:32:51 +
> From: cocoruder. <[EMAIL PROTECTED]>
> Subject: Re: [Full-disclosure] ZDI-07-069: CA BrightStor
> ARCserve Backup Message Engine Insecure Method Expos
> To: , <[EMAIL PROTECTED]>
>
> it is so amazing that the vendor's advisory has been released
is it real ?
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
hi all,
you are cordially invited to the final DC4420 meet of 2007, which will
be held on Tuesday the 11th December, at the usual location - Charing
Cross Sports Club, Charing Cross Hospital:
http://www.multimap.com/map/browse.cgi?lat=51.4857&lon=-0.2194&scale=5000&icon=x
more info here:
h
Phioust means business with his real name and all those philosopher (H),
CISSP and MCSE (lol) degrees ... see for urself in his dangerously sexy
email ... in response to our spam threat :)
-- Forwarded message --
From: phioust <[EMAIL PROTECTED]>
Date: Nov 30, 2007 9:33 PM
Subj
I know of many commercial security products which still utilize MD5 to
prove integrity of the data they distribute to customers. This should
no longer be considered appropriate. Now that tools are readily
available to exploit newer MD5 collision research, I think it is safe
to say that the public
Firefox 2.0.0.11 File Focus Stealing vulnerability:
Sorry Mozilla, but the recent file focus fix was not enough. I think
Mozilla made another mistake while fixing the previous file/label
issue. Because now I embed a file field and a textfield inside one
label. When this happens, and you type only
>
>
> There you have it. Surely a GPL'd tool implementing this attack style
> will be available shortly. And since Chinese researchers have been
> attacking SHA-1 lately, should SHA-256 be considered the proper
> replacement? I am unsure :-(
Yes, it would probably be a good idea. I think this
Netscape Navigator version 9.0.0.4 is affected too. Test done with PoC-type URL
mentioned on Mac OS X 10.4.10 fully patched.
Vendor was contacted on 1st Dec 2007.
- Juha-Matti
carl hardwick <[EMAIL PROTECTED]> wrote:
> Firefox 2.0.0.11 File Focus Stealing vulnerability:
>
> Sorry Mozilla, but
rPath Security Advisory: 2007-0255-1
Published: 2007-11-30
Products:
rPath Linux 1
Rating: Minor
Exposure Level Classification:
Local Weakness
Updated Versions:
[EMAIL PROTECTED]:1/239-9.2-1
rPath Issue Tracking System:
https://issues.rpath.com/browse/RPL-1913
References:
htt
> translation: let's discuss how to discern high degree and/or vulnerable
> nodes in critical infrastructure networks.
Correct.
>> 1. To bring like minded people together while operating under the
>> strategy of 'leaderless resistance'
>> (http://en.wikipedia.org/wiki/Leaderless_resistance)
>
> *
And the Mozilla bugzilla number is?
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Juha-Matti Laurio
Sent: 01 December 2007 15:25
To: carl hardwick; full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Firefox 2.0.0.11 File Focus Stealing
v
Forgot to tack these onto the last post. The wikipedia entry
http://en.wikipedia.org/wiki/Submarine_communications_cable has some
amusing links in its reference section:
http://www.telegeography.com/products/map_cable/images/sub_cable_2007_large.jpg
http://www1.alcatel-lucent.com/submarine/refs/W
More than likely all the gecko based browsers will be vulnerable to this.
So that would include Mozilla, Camino, SeaMonkey... possibly even things
like Thunderbird if you could get it to render.
Nice find guys!
Nate
On 12/1/07, Juha-Matti Laurio <[EMAIL PROTECTED]> wrote:
>
> Netscape Navigator
I agree! It should be changed and I have no idea why people still use it!
On Dec 1, 2007 4:20 PM, Steven Adair <[EMAIL PROTECTED]> wrote:
> >
> >
> > There you have it. Surely a GPL'd tool implementing this attack style
> > will be available shortly. And since Chinese researchers have been
> >
because they perform risk-analysis:
- what are the threats to my assets?
- which role does MD5 play there?
- any subsequent risk then from using it?
- high priority risk? mitigating controls or risk acceptance?
would you be so kind to show me a real-world attack against a VPN using MD5
hashing? .
> because they perform risk-analysis:
> - what are the threats to my assets?
> - which role does MD5 play there?
> - any subsequent risk then from using it?
> - high priority risk? mitigating controls or risk acceptance?
Don't kid yourself. Very few businesses in my experience think about
this st
Doesn't work in Gran Paradiso 3.0a7
On Dec 1, 2007 12:37 PM, Nate McFeters <[EMAIL PROTECTED]> wrote:
>
> More than likely all the gecko based browsers will be vulnerable to this.
> So that would include Mozilla, Camino, SeaMonkey... possibly even things
> like Thunderbird if you could get it to
I found that Firefox 2.0.0.10 will inherit the charset of the parent
page, when that had been selected manually (does not inherit the charset
specified in headers or meta). I found this inheritance to work both
with [a href] links and [iframe src] in the parent page.
See also:
http://www.mozilla.o
--On December 1, 2007 2:20:21 PM -0500 Tim
<[EMAIL PROTECTED]> wrote:
>> because they perform risk-analysis:
>> - what are the threats to my assets?
>> - which role does MD5 play there?
>> - any subsequent risk then from using it?
>> - high priority risk? mitigating controls or risk acceptance?
>
Phioust, we love you .. google your name for the christmas gift !!!
-- Forwarded message --
From: phioust <[EMAIL PROTECTED]>
Date: Dec 1, 2007 2:33 PM
Subject: Re: spam?
To: Gobbles is back <[EMAIL PROTECTED]>
Why are you doing this? I don't even know you. I would appreciate if y
Phioust, we love you .. google your name for the christmas gift !!!
-- Forwarded message --
From: phioust < [EMAIL PROTECTED]>
Date: Dec 1, 2007 2:33 PM
Subject: Re: spam?
To: Gobbles is back <[EMAIL PROTECTED]>
Why are you doing this? I don't even know you. I would appreciate if
> --
>
> Message: 6
> Date: Fri, 30 Nov 2007 23:44:07 +0100
> From: "Max Moser" <[EMAIL PROTECTED]>
> Subject: [Full-disclosure] 27Mhz based wireless security insecurities
> - Aka - "We know what you typed last summer"
> To: [EMAIL PROTECTED], [EMAIL PROTECTED],
On Dec 1, 2007 5:06 AM, Kristian Erik Hermansen
<[EMAIL PROTECTED]> wrote:
> [MD5 is dead like WEP]
yup.
> And since Chinese researchers have been
> attacking SHA-1 lately, should SHA-256 be considered the proper
> replacement?
SHA2 is good. (so 256 or 512). the design differs from SHA1 and
a
On Dec 1, 2007 8:09 AM, gmaggro <[EMAIL PROTECTED]> wrote:
> ...
> Why not advocate? If you did get in trouble for this post, I don't think
> adding a caveat like "of course not advocation" would help you much, if
> at all. Like those quips in Phrack or Paladin Press books "For
> educational purpos
N/A unfortunately, but BID26669 points to entries
https://bugzilla.mozilla.org/show_bug.cgi?id=258875
and
https://bugzilla.mozilla.org/show_bug.cgi?id=56236
via this older advisory: http://www.securityfocus.com/bid/18308/references
Link: http://www.securityfocus.com/bid/26669/discuss
(Probab
On Sat, 01 Dec 2007 05:06:36 PST, Kristian Erik Hermansen said:
> I know of many commercial security products which still utilize MD5 to
> prove integrity of the data they distribute to customers. This should
> no longer be considered appropriate. Now that tools are readily
> available to exploit
On Dec 1, 2007 7:08 PM, <[EMAIL PROTECTED]> wrote:
> Admittedly, MD5 is on its last legs. However, please note that the current
> state of the art for MD5 collisions is "create two plaintexts that collide
> with the same (but unpredictable) MD5 hash". That's what these binaries
> demonstrate.
C
> (in telco land, one SONET span over aerial transport and the other buried
> plant is considered sufficient "path diversity/redundancy". never mind that
> the same right of way is used...)
Ah yes, I remember an old story not too dissimilar... multiple redundant
lines, all severed at the same tim
On Sat, 01 Dec 2007 23:13:31 EST, gmaggro said:
> Ah yes, I remember an old story not too dissimilar... multiple redundant
> lines, all severed at the same time with the same backhoe. Idiots.
To be fair, it's often not "idiots". First, you have to find 2 providers
that can get fiber from point A
On Dec 1, 2007 7:08 PM, <[EMAIL PROTECTED]> wrote:
> ...
> (Note that strictly speaking, what you *really* want is a PGP-signed or
> otherwise authenticated MD5/SHA-256 hash. Otherwise, if I'm an attacker,
> I can just splat a new binary up, and a new MD5SUMS file that lists the
> MD5 sum for the
On Dec 1, 2007 9:12 PM, Goebbels Amadeus <[EMAIL PROTECTED]> wrote:
> ...
> Have you ever considered your future in their hands? You've
> been working for 50 years, your liver and kidneys start failing,
> creating visible symptoms, stains in your skin. You can't handle
> life in the same way anymor