[Full-disclosure] HP Virtual Rooms WebHPVCInstall Control Multiple Buffer Overflows

Who: Hewlett-Packard What: HP Virtual Rooms is a suite of online collaboration, training and support tools. How: HP uses an ActiveX control to install the Virtual Rooms client. Several properties including AuthenticationURL, PortalAPIURL, cabroot are vulnerable to a buffer overflow. hpvirtual

[Full-disclosure] [ MDVSA-2008:019 ] - Updated cairo packages fix vulnerability

-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ___ Mandriva Linux Security Advisory MDVSA-2008:019 http://www.mandriva.com/security/ ___

Re: [Full-disclosure] congenital idiots(dont u know who nick fitzgerald is?(now I KNOW why I never post in my real name)) Re: [Professional IT Security Providers - Exposed] PlanNetGroup ( F )

Sorry man, I'm missing the riddle... I guess I need a reepex64 decoder to read and understand this one :) On 1/21/08, reepex <[EMAIL PROTECTED]> wrote: > > a ... you are first of probably many to miss the intention of why i > called out that line and that particular 'U' > > one day it will com

Re: [Full-disclosure] [Professional IT Security Providers - Exposed] PlanNetGroup ( F )

Since I saw no response from XSS fans... PHNjcmlwdD5hbGVydCgncHduMzMgcjFkMycpOzwvc2NyaXB0Pg== On 1/21/08, reepex <[EMAIL PROTECTED]> wrote: > > On Jan 21, 2008 10:50 PM, Nick FitzGerald <[EMAIL PROTECTED]> > wrote: > > > Think pre-MIME/Base64 and U should be able to suss it out... > > > > nice a

Re: [Full-disclosure] [Professional IT Security Providers - Exposed] PlanNetGroup ( F )

Very nice, and no, I will not resort to German. I think the point was made in my original post. How silly of me to overlook such common and simple (yes, albeit old) technologies. For those of you out there that are a bit lost and want to follow along at home: Make a simple file called uu.txt, ente

Re: [Full-disclosure] congenital idiots(dont u know who nick fitzgerald is?(now I KNOW why I never post in my real name)) Re: [Professional IT Security Providers - Exposed] PlanNetGroup ( F )

a ... you are first of probably many to miss the intention of why i called out that line and that particular 'U' one day it will come to you :) On Jan 21, 2008 11:10 PM, bugtraq user <[EMAIL PROTECTED]> wrote: > Anklebiters getting rather deep arent they Nick? > > >a bugtraq follower(cam

Re: [Full-disclosure] [Professional IT Security Providers - Exposed] PlanNetGroup ( F )

On Jan 21, 2008 10:50 PM, Nick FitzGerald <[EMAIL PROTECTED]> wrote: > Think pre-MIME/Base64 and U should be able to suss it out... > nice aol speak noob ;) it shar would be a pity if people didnt get this ___ Full-Disclosure - We believe in it. Charte

Re: [Full-disclosure] [Professional IT Security Providers - Exposed] PlanNetGroup ( F )

Pat wrote: > All I could find was a loose relation to PGP? I might research this one a > bit later tonight... The hint (for anyone who ever saw much of this) is the obviously non- Base64, but still 7-bit sub-set, character set that includes lots of punctuation chars and no lowercase. Think pre-

Re: [Full-disclosure] [Professional IT Security Providers - Exposed] PlanNetGroup ( F )

All I could find was a loose relation to PGP? I might research this one a bit later tonight... Nothing like learning something new, as I mentioned in my Base-64 encoded message. On 22/01/2008, Nick FitzGerald <[EMAIL PROTECTED]> wrote: > > Pat wrote: > > > > SSBkb25cJ3QgdW5kZXJzdGFuZCB3aGF0IHRoZS

Re: [Full-disclosure] [Professional IT Security Providers -Exposed] PlanNetGroup ( F )

Guys please! The overwhelming majority of the list was clearly already baffled by the uber leet base64... Let's not give them a brain freeze by continuing. Pretty soon someone will start writing in binary or rot13 at this rate. Nate Sent via BlackBerry from T-Mobile -Original Message-

Re: [Full-disclosure] [Professional IT Security Providers - Exposed] PlanNetGroup ( F )

R2VuYXUh PaulM On Jan 21, 2008 10:50 PM, Pat <[EMAIL PROTECTED]> wrote: > SSBkb25cJ3QgdW5kZXJzdGFuZCB3aGF0IHRoZSBiaWcgaXNzdWUgaXMuIFNvIHdoYXQgaWYgcGVvcGxlIGRvblwndCB1bmRlcnN0YW5kLi4uPw0KU29tZSBwZW9wbGUsIGFuZCB0aG9zZSB0aGF0IHRoaXMgaXMgb2J2aW91c2x5IHJlbGV2YW50IHRvLCB3aWxsIGxvb2sgYXQgdGhlIGFib3ZlIHN

Re: [Full-disclosure] [Professional IT Security Providers - Exposed] PlanNetGroup ( F )

Pat wrote: > SSBkb25cJ3QgdW5kZXJzdGFuZCB3aGF0IHRoZSBiaWcgaXNzdWUgaXMuIFNvIHdoYXQgaWYgcGVvcGxlIGRvblwndCB1bmRlcnN0YW5kLi4uPw0KU29tZSBwZW9wbGUsIGFuZCB0aG9zZSB0aGF0IHRoaXMgaXMgb2J2aW91c2x5IHJlbGV2YW50IHRvLCB3aWxsIGxvb2sgYXQgdGhlIGFib3ZlIHN0cmluZywgb3IgZXZlbiB0aGlzIG9uZSwgYW5kIGtub3cgd2hhdCBpdCBpcyB0a

Re: [Full-disclosure] [Professional IT Security Providers - Exposed] PlanNetGroup ( F )

SSBkb25cJ3QgdW5kZXJzdGFuZCB3aGF0IHRoZSBiaWcgaXNzdWUgaXMuIFNvIHdoYXQgaWYgcGVvcGxlIGRvblwndCB1bmRlcnN0YW5kLi4uPw0KU29tZSBwZW9wbGUsIGFuZCB0aG9zZSB0aGF0IHRoaXMgaXMgb2J2aW91c2x5IHJlbGV2YW50IHRvLCB3aWxsIGxvb2sgYXQgdGhlIGFib3ZlIHN0cmluZywgb3IgZXZlbiB0aGlzIG9uZSwgYW5kIGtub3cgd2hhdCBpdCBpcyB0aGF0IHdlIGFyZSB

Re: [Full-disclosure] [Professional IT Security Providers -Exposed] PlanNetGroup ( F )

I'm not a stack smasher but I typed in base64 ascii converter in google, and found the string within a few minutes> you can pay us to whore your company%a%0 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Monday, January

Re: [Full-disclosure] [Professional IT Security Providers - Exposed] PlanNetGroup ( F )

c2h1dCB1cCBoaXBwaWU= On Jan 21, 2008 9:50 PM, Pat <[EMAIL PROTECTED]> wrote: > SSBkb25cJ3QgdW5kZXJzdGFuZCB3aGF0IHRoZSBiaWcgaXNzdWUgaXMuIFNvIHdoYXQgaWYgcGVvcGxlIGRvblwndCB1bmRlcnN0YW5kLi4uPw0KU29tZSBwZW9wbGUsIGFuZCB0aG9zZSB0aGF0IHRoaXMgaXMgb2J2aW91c2x5IHJlbGV2YW50IHRvLCB3aWxsIGxvb2sgYXQgdGhlIGFib3

Re: [Full-disclosure] [Professional IT Security Providers - Exposed] PlanNetGroup ( F )

umm, who said I even bothered... and if you'd ever even looked at ldap password hashes you'd have a clue... but I'm sure you're too old-skool for that, huh? reepex wrote: > On Jan 21, 2008 8:39 PM, Harry Hoffman <[EMAIL PROTECTED] > > wrote: > > Is this anything m

Re: [Full-disclosure] [Professional IT Security Providers - Exposed] PlanNetGroup ( F )

heh, anything more then a passing glimpse on this list is asking alot... funny string and all, but blah... to answer your guestion about who would recognize this type of string, anyone who's dealt with ldap and moving user passwords to ldap would recognize... doesn't even necessarily have to be

Re: [Full-disclosure] [Professional IT Security Providers - Exposed] PlanNetGroup ( F )

On Jan 21, 2008 8:39 PM, Harry Hoffman <[EMAIL PROTECTED]> wrote: > Is this anything more then a base64 encoded password hash? > "base64 encoded password hash" - lol - what security for dumbies book did you get this phrase from? also after identifying it as base64 could you really not decode it t

Re: [Full-disclosure] [Professional IT Security Providers -Exposed] PlanNetGroup ( F )

Agreed. Sent via BlackBerry from T-Mobile -Original Message- From: reepex <[EMAIL PROTECTED]> Date: Mon, 21 Jan 2008 21:25:48 To:Maxim <[EMAIL PROTECTED]>, full-disclosure@lists.grok.org.uk Subject: Re: [Full-disclosure] [Professional IT Security Providers - Exposed] PlanNetGroup

Re: [Full-disclosure] [Professional IT Security Providers - Exposed] PlanNetGroup ( F )

you said it was 'fun' implying that you felt happy after you had accomplished the task ( decoding the string in this case ). so unless you naturally have fun decoding simple strings, then this must of been a new experience for you/challenging one to solve On Jan 21, 2008 9:28 PM, Maxim <[EMAIL PRO

Re: [Full-disclosure] [Professional IT Security Providers - Exposed] PlanNetGroup ( F )

On Mon, 21 Jan 2008 21:39:08 EST, Harry Hoffman said: > Is this anything more then a base64 encoded password hash? So close, and yet so far :) pgpOUvXNYWoUg.pgp Description: PGP signature ___ Full-Disclosure - We believe in it. Charter: http://list

Re: [Full-disclosure] [Professional IT Security Providers - Exposed] PlanNetGroup ( F )

Harry Hoffman wrote: > Ok, I'll give... > > Is this anything more then a base64 encoded password hash? Nope, it's not _even_ that. You were half right though -- for half-credit you can try again... (Hint: You'd have to be pretty stellar to not need to deode it to get the answer!) Regards,

Re: [Full-disclosure] [Professional IT Security Providers - Exposed] PlanNetGroup ( F )

reepex wrote: > if base64 was challenging for you then maybe you should switch fields of > work Yes -- I guess he could try whatever it is you do... Regards, Nick FitzGerald ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/f

Re: [Full-disclosure] [Professional IT Security Providers - Exposed] PlanNetGroup ( F )

... if base64 was challenging for you then maybe you should switch fields of work On Jan 21, 2008 9:04 PM, Maxim <[EMAIL PROTECTED]> wrote: > that was fun ... :-) > > stuff like that should be on people's job interviews. > > On Mon, 2008-01-21 at 21:59 -0500, [EMAIL PROTECTED] wrote: > > Remembe

Re: [Full-disclosure] [Professional IT Security Providers - Exposed] PlanNetGroup ( F )

that was fun ... :-) stuff like that should be on people's job interviews. On Mon, 2008-01-21 at 21:59 -0500, [EMAIL PROTECTED] wrote: > Remember that although 99.98% of the Internet population ends up using it, > 99.97% are totally unaware of the fact because they have point-n-drool GUI > interf

Re: [Full-disclosure] [Professional IT Security Providers - Exposed] PlanNetGroup ( F )

Ok, I'll give... Is this anything more then a base64 encoded password hash? Nick FitzGerald wrote: > [EMAIL PROTECTED] wrote: > >> Cute, but probably lost on the half of the list that couldn't >> figure out what it was. :) > > Wow -- you think that _many_ understood it?? > > > Regards, > >

Re: [Full-disclosure] [Professional IT Security Providers - Exposed] PlanNetGroup ( F )

On Mon, 21 Jan 2008 20:48:29 CST, Nate McFeters said: > I mean, it is used all over the place... it'd seem like half of the list > could know. Remember that although 99.98% of the Internet population ends up using it, 99.97% are totally unaware of the fact because they have point-n-drool GUI inte

Re: [Full-disclosure] [Professional IT Security Providers - Exposed] PlanNetGroup ( F )

I mean, it is used all over the place... it'd seem like half of the list could know. On 1/21/08, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote: > > On Mon, 21 Jan 2008 23:32:00 -0300, damncon said: > > Come on ... that == pretty much says what it is > > OK, I'll bite - where would the average nmap/n

Re: [Full-disclosure] [Professional IT Security Providers - Exposed] PlanNetGroup ( F )

On Mon, 21 Jan 2008 23:32:00 -0300, damncon said: > Come on ... that == pretty much says what it is OK, I'll bite - where would the average nmap/nessus/XSS ankle-biter (both amateur and professional) have a need to learn what it means? pgpLDD2YZaOnU.pgp Description: PGP signature ___

Re: [Full-disclosure] [Professional IT Security Providers - Exposed] PlanNetGroup ( F )

Come on ... that == pretty much says what it is On Jan 21, 2008 11:22 PM, Nick FitzGerald <[EMAIL PROTECTED]> wrote: > [EMAIL PROTECTED] wrote: > > > Cute, but probably lost on the half of the list that couldn't > > figure out what it was. :) > > Wow -- you think that _many_ understood it?? > > >

Re: [Full-disclosure] [Professional IT Security Providers - Exposed] PlanNetGroup ( F )

[EMAIL PROTECTED] wrote: > Cute, but probably lost on the half of the list that couldn't > figure out what it was. :) Wow -- you think that _many_ understood it?? Regards, Nick FitzGerald ___ Full-Disclosure - We believe in it. Charter: http://lists

[Full-disclosure] [ MDVSA-2008:018 ] - Updated gFTP packages fix vulnerabilities

-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ___ Mandriva Linux Security Advisory MDVSA-2008:018 http://www.mandriva.com/security/ ___

[Full-disclosure] [SECURITY] [DSA 1473-1] New scponly packages fix arbitrary code execution

-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - Debian Security Advisory DSA-1473[EMAIL PROTECTED] http://www.debian.org/security/ Florian Weimer January 21, 2008

Re: [Full-disclosure] [Professional IT Security Providers - Exposed] PlanNetGroup ( F )

On Mon, 21 Jan 2008 13:04:52 EST, "J. Oquendo" said: > eW91IGNhbiBwYXkgdXMgdG8gd2hvcmUgeW91ciBjb21wYW55Cg== Cute, but probably lost on the half of the list that couldn't figure out what it was. :) pgpYeb9638WcT.pgp Description: PGP signature ___ Full-

Re: [Full-disclosure] [Professional IT Security Providers - Exposed] PlanNetGroup ( F )

SecReview wrote: Nate, Your email was constructive and much appreciated. We'll go over the review a second time and incorporate some of your suggestions. Thank you for taking the time to provide so much good feedback. Hey all, I'd like to get into reviewing security companies as well. B

[Full-disclosure] [SECURITY] [DSA 1472-1] New xine-lib packages fix arbitrary code execution

-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - Debian Security Advisory DSA-1472-1 [EMAIL PROTECTED] http://www.debian.org/security/ Moritz Muehlenhoff January 21, 2008

Re: [Full-disclosure] [Professional IT Security Providers - Exposed] PlanNetGroup ( F )

eW91IGNhbiBwYXkgdXMgdG8gd2hvcmUgeW91ciBjb21wYW55Cg== The interesting thing is that they don't seem to be reviewing large companies... perhaps they are interested in extorting the smaller ones??? Just a thought, not an accusation. Nate On 1/21/08, J. Oquendo <[EMAIL PROTECTED]> wrote: > > SecRev

[Full-disclosure] [SECURITY] [DSA 1471-1] New libvorbis packages fix several vulnerabilities

-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - Debian Security Advisory DSA-1471-1 [EMAIL PROTECTED] http://www.debian.org/security/ Moritz Muehlenhoff January 21, 2008

Re: [Full-disclosure] [Professional IT Security Providers -Exposed] PlanNetGroup ( F )

nice to see some have mlk off and nothing better to do - Original Message - From: "SecReview" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Cc: Sent: Monday, January 21, 2008 10:40 AM Subject: Re: [Full-disclosure] [Professional IT Security Providers -Exposed] PlanNetGroup ( F ) > Nate,

Re: [Full-disclosure] [Professional IT Security Providers - Exposed] PlanNetGroup ( F )

Nate, Your email was constructive and much appreciated. We'll go over the review a second time and incorporate some of your suggestions. Thank you for taking the time to provide so much good feedback. On Mon, 21 Jan 2008 02:07:50 -0500 Nate McFeters <[EMAIL PROTECTED]> wrote: >SecReview,

[Full-disclosure] Pass-The-Hash Toolkit v1.2 released.

Pass-The-Hash Toolkit v1.2 is available. What is Pass-The-Hash Toolkit? The Pass-The-Hash Toolkit contains utilities to manipulate the Windows Logon Sessions mantained by the LSA (Local Security Authority) component. These tools allow you to list the current logon sessions with its corresponding

[Full-disclosure] WifiZoo v1.3 released (minor release)

WifiZoo v1.3 is out there. this is a minor release, it basically addresses some minor functionality issues and stuff: New/fixed in WifiZoo v1.3 == -Some changes in the GUI in general. The info is presented a little bit better. -new parameters: -i , -c pcap_capture. Yes you

[Full-disclosure] RIAA site hacked. Again

http://www.realtechnews.com/posts/5287 ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/

[Full-disclosure] old junk

old junk from 2007. roll on 2008! cb payload busted in rshd exploit. enjoy. http://rapidshare.com/files/85400481/prdelka-vs-GNU-citadel.tar.gz.html http://rapidshare.com/files/85400619/prdelka-vs-MS-rshd.tar.gz.html __ Sent from Yahoo

[Full-disclosure] Call Jacking: Phreaking the BT Home Hub

http://www.gnucitizen.org/blog/call-jacking * Call Jacking: Phreaking the BT Home Hub * OK, this is a bit of a funny attack - although it could also be used for criminal purposes! After playing with the BT Home Hub for a while (again!) [1], pdp and I discovered that attackers can steal/hijack VoI