Re: [Full-disclosure] [OT] the nigger said: "American people understand that not everybody's been following the rules"

2011-10-07 Thread Adrian Lewis
Just because you've written "no offence intended" doesn't mean people aren't going to take offense! Considering how global and singular everything is these days, isolating ANYONE out (not just "minorities") because they are "different" is both pointless and archaic. It's just depressing that this

Re: [Full-disclosure] [OT] the nigger said: "American people understand that not everybody's been following the rules"

2011-10-07 Thread Pete Smith
You're an idiot... "no offence intended" On 7 October 2011 17:29, Georgi Guninski wrote: > On Thu, Oct 06, 2011 at 06:31:46PM -0500, Elly_Tran_Ha wrote: > > Racists posts like the one that started this thread give me the safe > feeling > > that we are winning the good fight. > > > > you have mi

Re: [Full-disclosure] [OT] the nigger said: "American people understand that not everybody's been following the rules"

2011-10-07 Thread Georgi Guninski
On Fri, Oct 07, 2011 at 08:32:24AM +0100, Adrian Lewis wrote: > Just because you've written "no offence intended" doesn't mean > people aren't going to take offense! Considering how global and singular > everything is these days, isolating ANYONE out (not just > "minorities") because they are "diff

[Full-disclosure] eFront Enterprise Edition v3.6.9 - SQL Injection Vulnerability

2011-10-07 Thread resea...@vulnerability-lab.com
Title: eFront Enterprise Edition v3.6.9 - SQL Injection Vulnerability Date: 2011-10-07 References: http://www.vulnerability-lab.com/get_content.php?id=230 VL-ID: 230 Introduction: Tailored with larger organizations in mind, eFront Enterprise offe

[Full-disclosure] [SECURITY] [DSA 2318-1] cyrus-imapd-2.2 security update

2011-10-07 Thread Nico Golde
Debian Security Advisory DSA-2318-1 secur...@debian.org http://www.debian.org/security/ Nico Golde Oct 6, 2011

[Full-disclosure] Secunia Research: Autonomy Keyview Ichitaro QLST Integer Overflow Vulnerability

2011-10-07 Thread Secunia Research
Secunia Research 07/10/2011 - Autonomy Keyview Ichitaro QLST Integer Overflow Vulnerability - Table of Contents Affected Softwar

[Full-disclosure] Secunia Research: Autonomy Keyview Ichitaro Text Parsing Buffer Overflow

2011-10-07 Thread Secunia Research
Secunia Research 07/10/2011 - Autonomy Keyview Ichitaro Text Parsing Buffer Overflow - Table of Contents Affected Software..

[Full-disclosure] Secunia Research: Autonomy Keyview Ichitaro Object Reconstruction Logic Vulnerability

2011-10-07 Thread Secunia Research
Secunia Research 07/10/2011 - Autonomy Keyview Ichitaro Object Reconstruction Logic Vulnerability -

[Full-disclosure] 2nd CfP: ICIMP 2012 || May 27 - June 1, 2012 - Stuttgart, Germany

2011-10-07 Thread Cristina Pascual
INVITATION: Please, consider to contribute to and/or forward to the appropriate groups the following opportunity to submit and publish original scientific results to ICIMP 2012. The submission deadline is set to January 5, 2012. In addition, authors of selected papers will be

Re: [Full-disclosure] OT Nigger - georgi+guninski+nigger+full-disclosure

2011-10-07 Thread Antony widmal
Didn't know you could flip burgers and use your smartphone while working at Mc-Donald. On Thu, Oct 6, 2011 at 3:24 PM, xD 0x41 wrote: > “, the Indians were somewhat persecuted :) “ > > > By that I take it you mean, systematic genocide? Where I grew up the school > mascot (high school) was Benj

Re: [Full-disclosure] OT Nigger - georgi+guninski+nigger+full-disclosure

2011-10-07 Thread Antony widmal
Thing is, you bring shit, stupidity, troll on this mailing list. Most people here would agree. How about you start another shit/off-topic thread about Israel vs Palestinian this time ? Could be a fucking great topic on a IT sec mailing list. On Thu, Oct 6, 2011 at 3:53 PM, xD 0x41 wrote: > Oh,

Re: [Full-disclosure] [OT] the nigger said: "American people understand that not everybody's been following the rules"

2011-10-07 Thread Adrian Lewis
Try many rather than some. And I didn't read it simply because i'm not interested in off topic stuff. On Fri, Oct 7, 2011 at 9:42 AM, Georgi Guninski wrote: > On Fri, Oct 07, 2011 at 08:32:24AM +0100, Adrian Lewis wrote: > > Just because you've written "no offence intended" doesn't mean > > peop

[Full-disclosure] Apple Website - Non Persistent Cross Site Scripting Vulnerability

2011-10-07 Thread resea...@vulnerability-lab.com
Title: Apple Website - Non Persistent Cross Site Vulnerability Date: 2011-10-07 References: http://www.vulnerability-lab.com/get_content.php?id=289 VL-ID: 289 Introduction: Our communities are filled with thousands of Mac, iPod, iPhone and iPad u

[Full-disclosure] Medium severity flaw with Ark

2011-10-07 Thread Tim Brown
I recently discovered that the Ark archiving tool is vulnerable to directory traversal via malformed. When attempts are made to view files within the malformed Zip file in Ark's default view, the wrong file may be displayed due to incorrect construction of the temporary file name. Whilst this

[Full-disclosure] Low severity flaw in various applications including KSSL, Rekonq, Arora, Psi IM

2011-10-07 Thread Tim Brown
I recently discovered that various Qt applications including KSSL (the KDE class library responsible for SSL negotiation), Rekonq, Arora and Psi IM are vulnerable to UI spoofing due to their use of QLabel objects to render externally controlled security critical information. The primary area of

[Full-disclosure] Verizon Wireless DNS Tunneling

2011-10-07 Thread Marshall Whittaker
I recently noticed that you can tunnel TCP through DNS (I used iodine) to penetrate Verizon Wireless' firewall. You can connect, and if you can hold the connection long enough to make a DNS tunnel, then the connection stays up, then use SSH -D to create a proxy server for your traffic. Bottom line

Re: [Full-disclosure] Verizon Wireless DNS Tunneling

2011-10-07 Thread Dan Kaminsky
Works mostly everywhere. It's apparently enough of a pain in the butt to deal with, and abused so infrequently, that it's left alone. On Fri, Oct 7, 2011 at 3:32 AM, Marshall Whittaker < marshallwhitta...@gmail.com> wrote: > I recently noticed that you can tunnel TCP through DNS (I used iodine)

Re: [Full-disclosure] Verizon Wireless DNS Tunneling

2011-10-07 Thread BH
This comes in handy when travelling, I also found a few places where ICMP tunnelling works well. On 7/10/2011 6:35 PM, Dan Kaminsky wrote: > Works mostly everywhere. It's apparently enough of a pain in the butt > to deal with, and abused so infrequently, that it's left alone. > > On Fri, Oct 7, 2

Re: [Full-disclosure] [OT] the nigger said: "American people understand that not everybody's been following the rules"

2011-10-07 Thread Darren Martyn
So much butthurt and anger... Can't we all get a bong? On Fri, Oct 7, 2011 at 10:16 AM, Adrian Lewis wrote: > Try many rather than some. > > And I didn't read it simply because i'm not interested in off topic stuff. > > > On Fri, Oct 7, 2011 at 9:42 AM, Georgi Guninski wrote: > >> On Fri, Oct 07

Re: [Full-disclosure] Verizon Wireless DNS Tunneling

2011-10-07 Thread Marshall Whittaker
Yes, I've found that DNS tunneling works well at the college I go to on their WIFI. I've never gotten ICMP tunneling to work myself (outside of a virtual machine), but I have some code laying around somewhere that can do it just in case I need it for something sometime. Just thought it would be

Re: [Full-disclosure] Vmware Web-Site Persistence and Non-Persistence Cross-Site Scripting

2011-10-07 Thread asish agarwalla
Password to access the file is : *dr0tooow *Regards Asish On Fri, Oct 7, 2011 at 4:47 PM, asish agarwalla wrote: > Hi, > > I have report a Persistence and a Non-Persistence Cross-Site Scripting to > Vmware and they have patched those vulnerability. > > Please find the attached file describing

Re: [Full-disclosure] LinkedIn_User Account Delete using Click jacking

2011-10-07 Thread asish agarwalla
Password to access the report is: *8nj98F4h9AW* * * Regards Asish On Fri, Oct 7, 2011 at 5:18 PM, asish agarwalla wrote: > Hi, > > LinkedIn_User Account Delete using Click jacking. > > This Vulnerability is accepted by LinkedIn they are in a process > to patched it but not yet patched. > > Pleas

Re: [Full-disclosure] Verizon Wireless DNS Tunneling

2011-10-07 Thread Dan Kaminsky
One major reason it sticks around is -- what are you supposed to do, return bad data until the user is properly logged in? It might get cached -- and while operating systems respect TTL, browsers most assuredly do not ("well, it MIGHT take us somewhere good"). It's not like there's a magic off sw

Re: [Full-disclosure] [OT] the nigger said: "American people understand that not everybody's been following the rules"

2011-10-07 Thread Valdis . Kletnieks
On Fri, 07 Oct 2011 09:29:22 +0300, Georgi Guninski said: > i am by no way a racist. > the OP specifically wrote "no offence intended". > being a non-native speaker if someone is offended about skin colour it is a > language mistake of mine. Ya know, Georgi, you can't have it both ways. I realiz

Re: [Full-disclosure] Verizon Wireless DNS Tunneling

2011-10-07 Thread Dan Kaminsky
Yeah, the problem is the bad data doesn't flush after authentication. So you try to go to Google, you're redirected to 10.0.0.1, you get authenticated, but the browser still tries to go to 10.0.0.1. You try handling those support calls. So instead most places give you real DNS, and hijack at IP/

Re: [Full-disclosure] Verizon Wireless DNS Tunneling

2011-10-07 Thread James Wright
That would probably explain why the Comcast service page downloads an executable to authenticate you. At that point they have control over the end user's machine and can either clear the DNS cache or force a reboot. Their (Comcast, other traditional ISP's) authentication is a bit static and works

Re: [Full-disclosure] Verizon Wireless DNS Tunneling

2011-10-07 Thread Valdis . Kletnieks
On Fri, 07 Oct 2011 10:36:39 EDT, James Wright said: > That would probably explain why the Comcast service page downloads an > executable to authenticate you. At that point they have control over the > end user's machine and can either clear the DNS cache or force a reboot. That must suck if you

Re: [Full-disclosure] Verizon Wireless DNS Tunneling

2011-10-07 Thread Valdis . Kletnieks
On Fri, 07 Oct 2011 10:47:13 EDT, Terrence said: > To the guy saying that comcast requires an executable to authenticate you. > Ha. You should prolly wipe your install. And that's true even if you actually trusted the Comcast binary. If they were able to get a binary to get run, probably others

Re: [Full-disclosure] Verizon Wireless DNS Tunneling

2011-10-07 Thread James Wright
Why do you say that? I don't doubt that there are other ways, but it has been that way for a while, I've used them as my home ISP for a few years now. I don't prefer that method, but you can remove their program after and you do not lose connectivity or anything. It just validates your account n

Re: [Full-disclosure] Verizon Wireless DNS Tunneling

2011-10-07 Thread James Wright
I wouldn't say I blindly clicked it, but truth be told, I was not overly concerned about it (annoyed, but not concerned). The machine gets wiped and reinstalled every few months, doing so does not disable my Internet access. It is dedicated to another purpose, it's not for email, banking, etc. Som

Re: [Full-disclosure] Verizon Wireless DNS Tunneling

2011-10-07 Thread James Wright
Actually, yes, they could provide bad data. I believe (perhaps erroneously) that Comcast does this. Probably other service providers do too. Until you are authenticated to use their network you are redirected to a service page that can help authenticate you. If you have connectivity issues (lik

Re: [Full-disclosure] LinkedIn_User Account Delete using Click jacking

2011-10-07 Thread BH
Why would you post this as a word document? Thanks but no thanks. On 7/10/2011 7:52 PM, asish agarwalla wrote: > Password to access the report is: *8nj98F4h9AW* > * > * > Regards > Asish > > On Fri, Oct 7, 2011 at 5:18 PM, asish agarwalla > mailto:asishagarwa...@gmail.com>> wrote: > > Hi, > >

Re: [Full-disclosure] LinkedIn_User Account Delete using Click jacking

2011-10-07 Thread Gary Baribault
I doubt if anyone on this list is dumb enough to open a .docx attachment! Gary Baribault Courriel: g...@baribault.net GPG Key: 0x685430d1 Signature: 9E4D 1B7C CB9F 9239 11D9 71C3 6C35 C6B7 6854 30D1 On 10/07/2011 11:33 AM, BH wrote: > Why would you post this as a word document? > > Thanks but no

Re: [Full-disclosure] LinkedIn_User Account Delete using Click jacking

2011-10-07 Thread xD 0x41
Screw you dude, attaching executable doc files, and then pushing out a few *0days* I won't be looking at *any* thing attached as a doc, that's just common sense. nowadays, and there is abs NO need on this list for it, it is FD, you're meant to put it in the BODY of email, or at least maybe next time, ch

Re: [Full-disclosure] [OT] the nigger said: "American people understand that not everybody's been following the rules"

2011-10-07 Thread xD 0x41
How about we all agree that the word itself, should not be used ever, it is not a very nice thing to call people, I mean, you don't see Chinese people calling each other yellies... skin color should have no place on the list, so how about just, forgive and forget it is a bit easier, or, rather ju

Re: [Full-disclosure] [OT] the nigger said: "American people understand that not everybody's been following the rules"

2011-10-07 Thread xD 0x41
On the whole security topic... apparently *some* VPNs claim to be indestructible... Which VPN Providers Really Take Anonymity Seriously? http://feed.torrentfreak.com/~r/Torrentfreak/~3/9l5B4f6Fkbw/ Thru rss feed... interesting read.

Re: [Full-disclosure] LinkedIn_User Account Delete using Click jacking

2011-10-07 Thread Peter Dawson
if I get it right this dude is supposed to be " - Senior Security Analyst at iViZ Techno Solutions Pvt. Ltd. Whatever happened on protocol's for responsible disclosure ? On Fri, Oct 7, 2011 at 3:05 PM, xD 0x41

Re: [Full-disclosure] LinkedIn_User Account Delete using Click jacking

2011-10-07 Thread xD 0x41
Hi, Another security expert... sheesh... and they cannot do simplest of tasks, makes me wonder really how do they get anything at all coded, but then again I doubt there is code... I bet they're all some persistent xss etc... which would req some fuzz tool... well, certainly see better people like kc

Re: [Full-disclosure] Verizon Wireless DNS Tunneling

2011-10-07 Thread Hartley, Christopher
I would think that at minimum, thresholds could be set on how many names to resolve, and permitted types for unauthenticated users. Prohibit NULL and TXT records for unauthenticated hosts - or just whitelist A and CNAMEs, reject others. Reject the 50th (or whatever) query from an unauthenticat

Re: [Full-disclosure] Verizon Wireless DNS Tunneling

2011-10-07 Thread Dan Kaminsky
You never know what you'll be breaking, but you always know you'll be paying for support calls. On Fri, Oct 7, 2011 at 12:38 PM, Hartley, Christopher wrote: > I would think that at minimum, thresholds could be set on how many names to > resolve, and permitted types for unauthenticated users. Pro

Re: [Full-disclosure] LinkedIn_User Account Delete using Click jacking

2011-10-07 Thread Laurelai
On 10/7/2011 4:48 AM, asish agarwalla wrote: Hi, LinkedIn_User Account Delete using Click jacking. This Vulnerability is accepted by LinkedIn they are in a process to patched it but not yet patched. Please find the document describing the vulnerability. Regards Asish _

Re: [Full-disclosure] LinkedIn_User Account Delete using Click jacking

2011-10-07 Thread Laurelai
On 10/7/2011 12:30 PM, xD 0x41 wrote: Hi, Another security expert... sheesh... and they cannot do simplest of tasks, makes me wonder really how do they get anything at all coded, but then again I doubt there is code... I bet they're all some persistent xss etc... which would req some fuzz tool...

Re: [Full-disclosure] LinkedIn_User Account Delete using Click jacking

2011-10-07 Thread Laurelai
On 10/7/2011 12:30 PM, xD 0x41 wrote: Hi, Another security expert... sheesh... and they cannot do simplest of tasks, makes me wonder really how do they get anything at all coded, but then again I doubt there is code... I bet they're all some persistent xss etc... which would req some fuzz tool...

Re: [Full-disclosure] LinkedIn_User Account Delete using Click jacking

2011-10-07 Thread Ferenc Kovacs
> The document appears to be password protected as well. I've tried to open it > in a VM and it prompts for a password. it seems that you missed it: "Password to access the report is: 8nj98F4h9AW" -- Ferenc Kovács @Tyr43l - http://tyrael.hu

Re: [Full-disclosure] Verizon Wireless DNS Tunneling

2011-10-07 Thread Marshall Whittaker
I suppose now that I think about it, it would also be possible to write a program for your cell phone to do this (to get access from the phone alone, without a computer tethered). I don't know enough about cell phone programming to do it myself though. On Fri, Oct 7, 2011 at 4:51 PM, Dan Kaminsky

Re: [Full-disclosure] LinkedIn_User Account Delete using Click jacking

2011-10-07 Thread Naresh Jha
Guys - Correct me if I am wrong but wouldn't macro enabled document be like .docm as per Word 2007+??? I mean its a docx file right like zip file ... we can extract the contents after changing it into zip ...can't we ??? JT On Fri, Oct 7, 2011 at 5:41 PM, Ferenc Kovacs wrote: > > The docum

[Full-disclosure] eFront Enterprise v3.6.9 - Arbitrary Download Vulnerability

2011-10-07 Thread resea...@vulnerability-lab.com
Title: eFront Enterprise v3.6.9 - Arbitrary Download Vulnerability Date: 2011-10-08 References: http://www.vulnerability-lab.com/get_content.php?id=290 http://www.vulnerability-lab.com/get_content.php?id=230 VL-ID: 290 Introduction: Tailored with

Re: [Full-disclosure] [OT] the nigger said: "American people understand that not everybody's been following the rules"

2011-10-07 Thread Jeffrey Walton
On Thu, Oct 6, 2011 at 1:21 PM, Georgi Guninski wrote: > "American people understand that not everybody's been > following the rules," he said. "These days, a lot of folks > doing the right thing are not rewarded. A lot of folks who > are not doing the right thing are rewarded." > From the articl

Re: [Full-disclosure] Verizon Wireless DNS Tunneling

2011-10-07 Thread Valdis . Kletnieks
On Fri, 07 Oct 2011 12:51:19 PDT, Dan Kaminsky said: > You never know what you'll be breaking, but you always know you'll be paying > for support calls. Corollary: The more likely a proposal is to introduce hard-to-diagnose failure modes, the less likely the person making the proposal has spent a

Re: [Full-disclosure] Verizon Wireless DNS Tunneling

2011-10-07 Thread Terrence
To the guy saying that comcast requires an executable to authenticate you. Ha. You should prolly wipe your install. On Oct 7, 2011 10:41 AM, wrote: > On Fri, 07 Oct 2011 10:36:39 EDT, James Wright said: > > > That would probably explain why the Comcast service page downloads an > > executable to

Re: [Full-disclosure] LinkedIn_User Account Delete using Click jacking

2011-10-07 Thread Zachary Hanna
Funny.. On 10/7/11 9:23 AM, "Gary Baribault" wrote: >I doubt if anyone on this list is dumb enough to open a .docx attachment! > >Gary Baribault >Courriel: g...@baribault.net >GPG Key: 0x685430d1 >Signature: 9E4D 1B7C CB9F 9239 11D9 71C3 6C35 C6B7 6854 30D1 > > >On 10/07/2011 11:33 AM, BH wrote:

Re: [Full-disclosure] Verizon Wireless DNS Tunneling

2011-10-07 Thread xD 0x41
Interesting thread... issues of privacy are again raping the tech world.. please assist in exposing Comcast if this is indeed true. Either someone has been playing admin and put up some kind of fake login page although that's highly unlikely, proof of the actual deployment of an exe by the isp is a h

Re: [Full-disclosure] LinkedIn_User Account Delete using Click jacking

2011-10-07 Thread Laurelai
On 10/7/2011 3:23 PM, Naresh Jha wrote: Guys - Correct me if I am wrong but wouldn't macro enabled document be like .docm as per Word 2007+??? I mean its a docx file right like zip file ... we can extract the contents after changing it into zip ...can't we ??? JT On Fri, Oct 7, 2011 at

[Full-disclosure] Mohammad Hajali left a message for you...

2011-10-07 Thread Badoo
Mohammad Hajali left a message for you... Its sender and content will be shown only to you and you can delete it at any time. You can instantly reply to it, using the message exchange system. To find out what's in the message, just follow this link: http://eu1.badoo.com/mohajali/in/ss0iq3E1f3s/?

Re: [Full-disclosure] Mohammad Hajali left a message for you...

2011-10-07 Thread Douglas Huff
Your wish is our command No more messages will be sent to full-disclosure@lists.grok.org.uk. But when you change your mind, come on back. We'll be waiting for you. On Oct 7, 2011 8:45 PM, "Badoo" wrote: > ** >See this email in > Deutsch