Advisory: PHP Inventory 1.3.1 Remote (Auth Bypass) SQL Injection Vulnerability
Advisory ID: INFOSERVE-ADV2011-08
Author: Stefan Schurtz
Contact: secur...@infoserve.de
Affected Software: Successfully tested on PHP Inventory 1.3.1
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Debian Security Advisory DSA-2354-1 secur...@debian.org
http://www.debian.org/security/ Yves-Alexis Perez
November 28, 2011
Hi List,
I found some major design flaws and vulnerabilities on a local webstore, but
now I would like to tell the owner nicely and maybe profit from it?!
Does anyone have some tips on how to inform a potential client of their
vulnerabilities?
Thanks in advance,
Miguel Lopes
Hmm, only a Windows installer, and no actual source code. Just who is
getting exploited here I wonder?
On 11/30/2011 02:00 PM, full-disclosure-requ...@lists.grok.org.uk wrote:
Hi,
I'm afraid all the download links in that webpage seem to be broken, except
for the Windows installer (which has
Hi everyone!
New issue of PenTest Magazine is out!
21 pages of free content, feat. full PainPill by Dean Bushmiller, where
Dean talks about penetration testing business and law - this is a must
for everyone in the business!
The link to download is below:
Hi Security Experts,
I have a question about the security track record of Indian IT vendors like
Infosys, TCS, Wipro etc. An article about Indian IT vendors by an
ex-employee of one of these companies is circulating in the different NITs
(National Institute of Technology) of India today.
My
From one of the earlier emails to the list:
Exploit Pack is an open source security framework developed by Juan
Sacco. It combines the benefits of a...
On Wed, Nov 30, 2011 at 10:58 PM, Gino g...@1337.io wrote:
Seems to have Juan Succo written all over it
On 11/30/11 1:49 AM, Mario Vilas
Indeed, Juan Sacco is the author. It's pretty clear from the about page
on the site, and the whois record on the domain. I don't think it's meant
to be a secret.
Now, I know his track record on this list is less than ideal, but let's try
to be professional and wait for the source code to show up
How not to do it:
http://www.securityweek.com/hungarian-man-pleads-guilty-hacking-marriott-systems-demanding-job-it-dept
http://www.infoworld.com/d/security-central/hungarian-man-charged-hacking-sony-ericsson-site-047
On Wed, Nov 30, 2011 at 11:56 AM, Miguel Lopes theoverb...@gmail.com wrote:
Hi
On Thu, 01 Dec 2011 07:24:14 +0530, Wonder Guy said:
What is the matter here? Indian software vendors are the best in the whole
world in security matters or Secunia simply doesn't care about Indian
software vendors?
Secunia doesn't care about little fish no matter which pond they're in.
If an
Everyone should remember that this software is made by the same people who make
Insect Pro.
Read into that what you will.
On Nov 30, 2011, at 7:49 AM, Samuel Lavitt samuel.lav...@ssh.com wrote:
Hmm, only a Windows installer, and no actual source code. Just who is
getting exploited here I
You are in a tough spot. In general, the level of access you granted yourself
in an unauthorized testing of the site would be considered illegal. You may
recall the whole 'or 1=1 thing. So your approach to the client is all he
would need to contact authorities if he so chose.
Arguably,
Send site owner/admin anon email and leave it at that.. as Thor mentioned
give em the info for free!
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia -
Wonder guy, the basis of your conclusion is as ridiculous as your question.
Microsoft and Google are product companies. At least TCS and Wipro are not.
They are into offshore and managed business domains. Infosys is also into
making custom solutions and they are all closed source. And none of
I thought some of you may find this large password list useful, over 27
million entries.
http://dazzlepod.com/uniqpass/ (it's a paid list though, at $4.99)
On 12/1/11 6:14 PM, Addy Yeow wrote:
I thought some of you may find this large password list useful, over 27
million entries.
http://dazzlepod.com/uniqpass/ (it's a paid list though, at $4.99)
Anyone linking a warez version (Why pay $4.99?) ?
-naif
Hi! I saw your message on FD and SF mailing list... So sorry for this..
But I didn't have the time to create the installer for win32, linux32/64
In fact.. I was playing my favourite MMORPG ( Lineage2 ) and they
opened a new server yesterday so haha that kept me busy :p
Anyway, that it's planned to
Dude, you're meant to be PRO, I also tried to use your git to pull the
latest files, and nothing there mate. Not since a while ago...
I also now have a copy of insectPRO, and am wondering, is your git
able to update this for me.. am a little worried ;p
Although on exploitpack.com/downloads/ there seems
On Wed, Nov 30, 2011 at 1:30 PM, Adam Behnke a...@infosecinstitute.com wrote:
Hello full disclosureites, a new tutorial is available at InfoSec Institute
...
Your thoughts?
Who was this content plagiarized from?
Hello list!
I want to warn you about multiple vulnerabilities in RoundCube.
These are Brute Force, Content Spoofing, Cross-Site Scripting and
Clickjacking vulnerabilities. CS and XSS are in TinyMCE, which is included
with RoundCube.
Affected products:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Debian Security Advisory DSA-2356-1 secur...@debian.org
http://www.debian.org/security/ Florian Weimer
December 01, 2011
On Thu, Dec 1, 2011 at 3:06 AM, valdis.kletni...@vt.edu wrote:
On Thu, 01 Dec 2011 07:49:28 +0530, David Blanc said:
A colleague of mine subscribed to FD recently and tried posting to it
but every time he gets this message:
The *list* isn't moderated. However, several *people* are, and
I saw your site got defaced today, Mr. you're meant to be PRO.
Maybe time for less posting and more edumacation?
On Thu, Dec 1, 2011 at 11:41 AM, xD 0x41 sec...@gmail.com wrote:
Dude, you're meant to be PRO,
InfoSec Southwest 2012 Call for Papers
March 30th through April 1st 2012, Austin, Texas
http://infosecsouthwest.com/cfp.html
The InfoSec Southwest staff are now soliciting papers to be presented at
our 2012 conference to be held March 30th through April 1st 2012 in
Austin, Texas.
Who Should
On Wed, Nov 30, 2011 at 11:05:08PM +0100, HI-TECH . wrote:
Hi lists,
sorry if I offended anyone by referring to teso,
I really like teso as you might also.
All this happened because I was drunk hehe :
I hope you enjoy this release!
On 30 November 2011 at 20:32, HI-TECH . wrote:
Hi,
No offence, I think you have a wrong perception of these companies. They
are not into zero-day!!! They are just vendor-specific support companies.
You cannot expect a vendor-specific support company to find zero-days and
handle operations support both at the same time. Sorry buddy, that ain't
It was my first thought letting them know in an anon e-mail but getting some extra
cash would be great too.
I guess I will stick with sending the e-mail alerting them of the situation.
Thanks
On 2011/12/01, at 16:55, Thor (Hammer of God) wrote:
You are in a tough spot. In general, the level
Thanks for the advice, the money was a long shot; I will stick with the
anonymous e-mail, giving the information and tips to fix it.
On 2011/12/01, at 18:08, Chris L wrote:
Depending on your country/local laws (no idea where you're from), how you
discovered the vulnerabilities and if you
Depending on your country/local laws (no idea where you're from), how you
discovered the vulnerabilities and if you actually tested them and gained
unauthorized access in the process then there is the possibility you're on
the wrong side of the law. If you haplessly stumbled across it and then
On Thu, Dec 1, 2011 at 10:37 PM, TAS p0wnsa...@gmail.com wrote:
Wonder guy, the basis of your conclusion is as ridiculous as your question.
Microsoft and Google are product companies. At least TCS and Wipro are not.
They are into offshore and managed business domains. Infosys is also into
Hi lists,
this is Kingcope
btw this exploit does not depend on the ProFTPd version
as illustrated in the youtube video below it will unlock
ProFTPd 1.3.4a too.
enjoy the hacktro!!
http://youtu.be/10uedlgNEJA
Awesome stuff =)
On 2 December 2011 09:17, HI-TECH .
isowarez.isowarez.isowa...@googlemail.com wrote:
Hi lists,
this is Kingcope
btw this exploit does not depend on the ProFTPd version
as illustrated in the youtube video below it will unlock
ProFTPd 1.3.4a too.
enjoy the hacktro!!
Hello,
Read the email below if you want to laugh a little. Especially the
answer to question 1 in the FAQ at the end of the email. No word on
how they were pirated or how many credit card numbers were stolen
though, but obviously I'm not the only one who's received that email:
Hi everyone,
It's been over a month since we first announced the CFP for the SANS
AppSec Summit being held in Las Vegas, Nevada on April 30 - May 1, 2012.
We've received a number of great submissions so far but there's only two
months left until the deadline on February 1, 2012. If you'd like
There are many password lists already available for free out in the wild
but they mostly lack quality.
The minimal fee for UNIQPASS is necessary to help:
- keep ongoing effort to improve the quality of the list over time
- ensure frequent updates, i.e. when new leaked databases appear (existing
- reduce abuse
The concerning part is that you're serious. Tell me, how does someone
paying for a list of STOLEN passwords reduce abuse?
This email, your obsession with LulzSec and the disclaimer on your site
make it pretty clear where the information is coming from, so what kind of
abuse
Which country is UNIQPASS registered in as a TM?
On Fri, Dec 2, 2011 at 1:47 AM, adam a...@papsy.net wrote:
- reduce abuse
The concerning part is that you're serious. Tell me, how does someone
paying for a list of STOLEN passwords reduce abuse?
This email, your obsession with LulzSec and the
Also, not to beat a dead horse, but..
- cover cost of upstream bandwidth, the list is currently at 64MB
compressed and new versions are likely to only get larger
Is also pretty ridiculous. Why? Because you're offering
hashes.txt (http://dazzlepod.com/site_media/txt/hashes.txt), passwords.txt
This is what whitehats would probably class as a 'blackhat', the sad
thing is, I bet NO blackhats really like this.. not serious ones.
It's sad, you're a pathetic person, resorting to online theft, to cover
your bs demands, as pointed out, what 'costs', for keeping stolen
data... ? ONLY the cost,
22033538
What's this hash for?
Nothin'.
He's a f00l.
Although I don't like you, at least you see a fool as I do.
Unfortunately, you're not much better.
On 2 December 2011 13:05, adam a...@papsy.net wrote:
Also, not to beat a dead horse, but..
- cover cost of upstream bandwidth, the list is
In case you missed it, that's one of the other files he's hosting off that
website. Part of his plan to sell this groundbreaking .txt file, or
whatever.
On Thu, Dec 1, 2011 at 8:11 PM, xD 0x41 sec...@gmail.com wrote:
22033538
What's this hash for?
Nothin'.
He's a f00l.
Although I don't like
Fix defaced website or flip burgers to help mom with the rent, that's a
tough dilemma for a script-kiddie.
Speaking of helping mom:
http://web.archive.org/web/20110129092551/http://crazycoders.com/
On Thu, Dec 1, 2011 at 3:47 PM, ghost gho...@gmail.com wrote:
I saw your site got defaced today,
As usual Xd is trolling .. and I shouldn't answer but he pisses me off ..
Gary B
On 12/01/2011 09:10 PM, xD 0x41 wrote:
This is what whitehats would probably class as a 'blackhat', the sad
thing is, I bet NO blackhats really like this.. not serious ones.
It's sad, you're a pathetic person,
fail.
On 2 December 2011 13:25, Antony widmal antony.wid...@gmail.com wrote:
Fix defaced website or flip burgers to help mom with the rent, that's a
tough dilemma for a script-kiddie.
Speaking of helping
mom: http://web.archive.org/web/20110129092551/http://crazycoders.com/
On Thu, Dec 1,
On Fri, 02 Dec 2011 13:10:14 +1100, xD 0x41 said:
Idiot
You are NO blackhat, and NO hacker.
xd
You know things are pretty screwed up when I'm +1'ing an xD rant. :)
If you want to respect the license of this code you cannot include the
exploit in your software.
And don't get me started about my patent on NOP sleds!
/mz
I am at a loss for words for this, why pay $4.99 when you can just do
some simple googling? You can even search pastebin and get a mass
collection of password lists from dbases. Add a dash of awk and maybe
a pinch of sed and voilà!
If you are like me I always download and store the various dbase
Or simply, use openwal.com who at least do something and have an
outstanding OS... they do not charge on that basis, and also the
so-called hash, if you look in the 3 offered files, they're all the same
length of digits, I am not even sure what he's offering, because I
assume that is a decrypted
Why did you rewrite metasploit?
On Tue, Nov 29, 2011 at 9:09 PM, nore...@exploitpack.com wrote:
Exploit Pack is an open source security tool that will help you test
the security of your computer or servers. It combines the benefits of a
Java GUI, Python as engine and the latest exploits on
That's not the main one :P
Check out the INSECTPro tool ;) but that's metasploit v2 and v3 I
believe... and a lot nicer than this,... same author... I have a copy,
but he won't let me know if I can use my copy to pull updates from
git ;'(
I assume that means the pirated copy I have must work fine,
The only one who has daily updates
That's total crap... look like 3 posts away, he had to apologise for
playing with his new MMORPG game, instead of doing as he had said,
which was porting the latest freebsd PoC/exploit code to his py, he
even made an exe installer, which led nowhere... then, he
http://dazzlepod.com/site_media/txt/passwords.txt
He's put a lot of passes here, and makes direct compares to JTR on
the website.. this seems to be the point of sale also... so this domain
would shape the outcome..
On 2 December 2011 14:40, Richard Golodner rgolod...@infratection.com wrote: