Re: [Full-disclosure] Cisco Phone 7940 remote DOS

2007-12-07 Thread Clay Seaman-Kossmey
Hello - This is Cisco's response to the message posted by Radu State to full-disclosure on Wednesday Dec 5 2007. Cisco greatly appreciates the opportunity to work with researchers on security vulnerabilities, and welcomes the opportunity to review and assist in product reports. Cisco co

Re: [Full-disclosure] Google / GMail bug, all accounts vulnerable

2007-12-07 Thread Kristian Erik Hermansen
On Dec 7, 2007 9:41 PM, Joseph Hick <[EMAIL PROTECTED]> wrote: > could someone please explain how this PoC works? I wonder why simply loading > an image logs me out A paper will be presented next week on the topic of "Crowd SuRFing"...please wait until that time :-) -- Kristian Erik Hermansen "I

Re: [Full-disclosure] Google / GMail bug, all accounts vulnerable

2007-12-07 Thread Joseph Hick
could someone please explain how this PoC works? I wonder why simply loading an image logs me out Kristian Erik Hermansen <[EMAIL PROTECTED]> wrote: On Dec 7, 2007 7:40 AM, Aaron Katz wrote: > Could you please explain the vulnerability? When I test, and I submit > a correct response to the CAP

Re: [Full-disclosure] Google / GMail bug, all accounts vulnerable

2007-12-07 Thread alessandro salvatori
It's just stopped working for me. -Alessandro On Dec 7, 2007 5:04 PM, Kristian Erik Hermansen < [EMAIL PROTECTED]> wrote: > On Dec 7, 2007 7:40 AM, Aaron Katz <[EMAIL PROTECTED]> wrote: > > Could you please explain the vulnerability? When I test, and I submit > > a correct response to the CAPTCH

[Full-disclosure] [USN-555-1] e2fsprogs vulnerability

2007-12-07 Thread Kees Cook
=== Ubuntu Security Notice USN-555-1 December 08, 2007 e2fsprogs vulnerability CVE-2007-5497 === A security issue affects the following Ubuntu releases: Ubuntu 6.06 LTS Ubuntu

Re: [Full-disclosure] Google / GMail bug, all accounts vulnerable

2007-12-07 Thread Kristian Erik Hermansen
On Dec 7, 2007 7:40 AM, Aaron Katz <[EMAIL PROTECTED]> wrote: > Could you please explain the vulnerability? When I test, and I submit > a correct response to the CAPTCHA, I'm presented with knowledge based > authentication. The bug, unless Google fixed it already, will have an effect on your GMai

Re: [Full-disclosure] TCP Port randomization paper

2007-12-07 Thread Fernando Gont
Vladimir, Our draft discusses many port randomization approaches. Some of them were taken from existing implementations (e.g., Algorithm 1 was taken from OpenBSD). However, Algorithm 3 was first described (AFAICT) in Michael Larsen's "port randomization" paper (the first version of our port rando

[Full-disclosure] Upload directory traversal in Easy File Sharing 4.5

2007-12-07 Thread Luigi Auriemma
### Luigi Auriemma Application: Easy File Sharing Web Server http://www.sharing-file.com Versions: <= 4.5 Platforms:Windows Bugs: A] upload directory traversal

[Full-disclosure] Multiple vulnerabilities in Firefly Media Server (mt-daapd) 2.4.1 / SVN 1699

2007-12-07 Thread Luigi Auriemma
### Luigi Auriemma Application: Firefly Media Server (mt-daapd) http://www.fireflymediaserver.org Versions: <= 2.4.1 and SVN <= 1699 Platforms:*nix, Windows, Mac and others Bug

[Full-disclosure] Two vulnerabilities in Simple HTTPD 1.38

2007-12-07 Thread Luigi Auriemma
### Luigi Auriemma Application: Simple HTTPD http://shttpd.sourceforge.net Versions: <= 1.38 Platforms:Windows, *nix, QNX, RTEMS only Windows seems vulnerable Bug

[Full-disclosure] Limited upload directory traversal in HTTP File Server 2.2a / 2.3 beta (build #146)

2007-12-07 Thread Luigi Auriemma
### Luigi Auriemma Application: HTTP File Server http://www.rejetto.com/hfs/ Versions: <= 2.2a and <= 2.3 beta (build #146) Platforms:Windows Bug: limited directory tr

[Full-disclosure] [ MDKSA-2007:240 ] - Updated libnfsidmap packages fix username lookup flaw

2007-12-07 Thread security
Mandriva Linux Security Advisory MDKSA-2007:240 http://www.mandriva.com/security/

Re: [Full-disclosure] MIT Kerberos 5: Multiple vulnerabilities

2007-12-07 Thread Jonathan Smith
Do you have any patches or reproducers for these issues? Thanks in advance. smithj

Re: [Full-disclosure] Google / GMail bug, all accounts vulnerable

2007-12-07 Thread Aaron Katz
Note that, by editing NoScript's whitelist, removing google.com, and adding mail.google.com, I can browse to http://www.kristian-hermansen.com without having my cookie killed. On Dec 7, 2007 2:59 PM, Aaron Katz <[EMAIL PROTECTED]> wrote: > Oh! OK. In that case, yeah, I can reproduce it, no pro

[Full-disclosure] Fwd: Google / GMail bug, all accounts vulnerable

2007-12-07 Thread Aaron Katz
Oh! OK. In that case, yeah, I can reproduce it, no problem :) -- Forwarded message -- From: Ed Carp <[EMAIL PROTECTED]> Date: Dec 7, 2007 2:57 PM Subject: Re: [Full-disclosure] Google / GMail bug, all accounts vulnerable To: Aaron Katz <[EMAIL PROTECTED]> Oh! You need to go t

Re: [Full-disclosure] Google / GMail bug, all accounts vulnerable

2007-12-07 Thread M . B . Jr .
Wouldn't it be more beneficial (and maybe ethical as well) if one could just start putting PoCs or whatever inside the message's body? On 12/7/07, Aaron Katz <[EMAIL PROTECTED]> wrote: > > Could you please explain the vulnerability? When I test, and I submit > a correct response to the CAPTCHA,

[Full-disclosure] Sign the Downing Street E-Petition Submitted by Neil Stinchcombe of Infosecurity Europe

2007-12-07 Thread worried security
Sign a petition We the undersigned petition the Prime Minister to give the formation of a police central e-crime unit, as proposed by the Metropolitan and ACPO urgent priority. More details The consequences of, and reactions to, the loss of records by HM Revenue and Customs, make the creation of

[Full-disclosure] [SECURITY] [DSA 1423-1] New sitebar packages fix several vulnerabilities

2007-12-07 Thread Steve Kemp
Debian Security Advisory DSA-1423-1 [EMAIL PROTECTED] http://www.debian.org/security/ Steve Kemp December 07, 2007

Re: [Full-disclosure] Google / GMail bug, all accounts vulnerable

2007-12-07 Thread Ed Carp
You don't need to submit anything, just viewing the page will log you out of gmail... On Dec 7, 2007 9:23 AM, worried security <[EMAIL PROTECTED]> wrote: > On Dec 7, 2007 3:54 PM, Mukul Dharwadkar <[EMAIL PROTECTED]> > wrote: > > Precisely. I don't see any vulnerability here unless the account ho

Re: [Full-disclosure] Google / GMail bug, all accounts vulnerable

2007-12-07 Thread worried security
On Dec 7, 2007 3:54 PM, Mukul Dharwadkar <[EMAIL PROTECTED]> wrote: > Precisely. I don't see any vulnerability here unless the account holder has > set it up incorrectly in which case it is not a bug / vulnerability but > rather a user error Try viewing the image when you are logged into your gmail

[Full-disclosure] MIT Kerberos 5: Multiple vulnerabilities

2007-12-07 Thread xiaojunli.air
Advisory: MIT Kerberos 5: Multiple vulnerabilities Severity: Normal DATE:Dec 7,2007 Vulnerable: ALL Vendor: MIT I.Synopsis Several vulnerabilities have been found in MIT Kerberos 5. II.DETAILS: -- Background MIT Kerberos 5 is a suite of applications that implement the Kerbe

[Full-disclosure] Heimdal ftpd uninitialized vulnerability

2007-12-07 Thread xiaojunli.air
Heimdal ftpd uninitialized vulnerability Class: implementation Error DATE:11/12/2007 CVEID:CVE-2007-5939 Vulnerable: <=heimdal 0.7.2 Affected distribution: Gentoo <=heimdal-0.7.2-r3 ubuntu <=heimdal-0.7.2 Vendor: I.Synopsis A vulnerability has been discovered in He

[Full-disclosure] netkit-ftpd/ftp uninitialized vulnerability

2007-12-07 Thread xiaojunli.air
netkit-ftpd/ftp uninitialized vulnerability Class: Design Error DATE:11/1/2007 CVEID:CVE-2007-5769 Vulnerable: netkit-ftpd-0.17/netkit-ftp-0.17 Vendor: I.Synopsis A vulnerability has been discovered in netkit-ftpd/ftp. II.DETAILS: -- Background netkit-ftpd is the Linux Netkit FT

Re: [Full-disclosure] Google / GMail bug, all accounts vulnerable

2007-12-07 Thread Mukul Dharwadkar
Precisely. I don't see any vulnerability here unless the account holder has set it up incorrectly in which case it is not a bug / vulnerability but rather a user error On 12/7/07, Aaron Katz <[EMAIL PROTECTED]> wrote: > > Could you please explain the vulnerability? When I test, and I submit > a

Re: [Full-disclosure] Google / GMail bug, all accounts vulnerable

2007-12-07 Thread Aaron Katz
Could you please explain the vulnerability? When I test, and I submit a correct response to the CAPTCHA, I'm presented with knowledge based authentication. -- Aaron On Dec 7, 2007 1:58 AM, Kristian Erik Hermansen <[EMAIL PROTECTED]> wrote: > Proof of concept here... > http://www.kristian-hermans

[Full-disclosure] [SECURITY] [DSA 1422-1] New e2fsprogs packages fix arbitrary code execution

2007-12-07 Thread Steve Kemp
Debian Security Advisory DSA-1422[EMAIL PROTECTED] http://www.debian.org/security/ Steve Kemp December 07, 2007