: From: Mark Litchfield mark () securatary com
: As previously stated, I would post an update for Ektron CMS bypassing
: the security fix.
: A full step by step with the usual screen shots can be found at -
: http://www.securatary.com/vulnerabilities
Uh... you expect people to login to
: : From: Mark Litchfield mark () securatary com
:
: : As previously stated, I would post an update for Ektron CMS bypassing :
: the security fix.
:
: : A full step by step with the usual screen shots can be found at - :
: http://www.securatary.com/vulnerabilities
:
: Uh... you expect
: This is not the behavior of the site as of 48 hours ago.
: Let me check. Normal registration should also be available ? Infact I
: will remove the registration.
:
: The purpose of this whole registration in the first place was to allow
: for future postings I am going to make later this
http://seclists.org/fulldisclosure/2013/Jul/195
: - Release date: July 22th, 2013
: - Discovered by: Enrico Cinquini
: 1) UPLOAD PHP FILE INSIDE AVATAR:
Disclosed 2012-06-04 by Mark Hoopes (OSVDB 82811).
http://xync.org/2012/06/04/Arbitrary-File-Upload-in-Collabtive.html
: 2) ACCOUNT
What you describe is CVE-2006-5229. While the CVE description does not
explicitly say long passwords, it does cover the general idea. Read the
mail list posts associated with it and it shows people testing based on
minor differences in password length. Stands to reason that 39,000
characters
Seriously?
Your avast! issues weren't tested properly it seems. The command shell you
invoke is running with the same privileges as the user installing/running
the software.
There is no privilege escalation based on the 'exploit' you report. These
are not vulnerabilities.
: It is necessary.
: Waiting a week for a batched email to find out my software has
: vulnerabilities is not acceptable just because some people insist on
: reading email on their telephone.
You aren't reading these advisories I take it.
Several of them are reporting that Mandriva has finally
-- Forwarded message --
From: security curmudgeon jeri...@attrition.org
To: duk...@safe-mail.net
Cc: moderat...@osvdb.org
Date: Fri, 21 Dec 2012 04:32:31 -0600 (CST)
Subject: Re: [OSVDB Mods] Fwd: Internet Explorer Stack Exhaustion - Flag
[MSIE9]
On Fri, 21 Dec 2012, duk
: SecurityVulns ID: 11310.
: XSS (WASC-08):
:
:
http://site/console/forget.php?e_mail=%3Cscript%3Ealert(document.cookie)%3C/script%3Eseenform=y
How many times are you going to disclose this?
http://seclists.org/bugtraq/2010/Jun/189
http://seclists.org/fulldisclosure/2010/Aug/306
: 1. OVERVIEW
:
: The QtWeb Browser application is vulnerable to Insecure DLL Hijacking
: Vulnerability. Similar terms that describe this vulnerability have been
: come up with Remote Binary Planting, and Insecure DLL
: Loading/Injection/Hijacking/Preloading.
: 3. VULNERABILITY DESCRIPTION
://seclists.org/fulldisclosure/2009/Mar/0300.html
http://marc.info/?l=full-disclosurem=123753854425289w=2
http://www.derkeiler.com/Mailing-Lists/Full-Disclosure/2009-03/msg00300.html
http://www.opensubscriber.com/message/full-disclosure@lists.grok.org.uk/11725824.html
[..]
- security curmudgeon
On Fri, 14 Aug 2009, valdis.kletni...@vt.edu wrote:
: Of course, getting a CVE for that issue would have forced disclosure of
: the bug too, quite possibly before the vendors were ready to ship
Huh? Apparently you don't know how CVE assignment works.
If you request one from CVE, they can
: ZDI-09-007: Apple QuickTime Cinepak Codec MDAT Heap Corruption
: Vulnerability
: http://www.zerodayinitiative.com/advisories/ZDI-09-007
: January 21, 2009
:
: -- CVE ID:
: CVE-2009-2006
CVE-2009-0006 perhaps?
___
Full-Disclosure - We believe in
: I've created a list with contact information for various security teams:
:
:
http://skypher.com/wiki/index.php?title=List_of_security_teams_contact_information
: I hope this makes informing vendors about security issues easier. If you
: have any additional information or spot an error, let
: I usually keep the links of some interesting vulnerabilities posted in
: this mailing list. But when I try to access them after 6 months or so, I
: find that some of the links are invalid and some of them are pointing to
: different posts? Why does this happen?
When the list administrators
Hi Simon,
: SNOsoft has been legitimately and legally brokering exploits since early
: 2000, and we're still doing it very successfully. As a matter of policy
: we will not ever purchase items from careless developers, and will not
: sell to careless buyers or non US based buyers... With
: I wonder why we can't find Aditya K Sood in any of the security list
: even though he has made so many public disclosures.
:
: See:-
:
: http://www.google.com/search?hl=enq=site%3Asecunia.com+aditya+sood
:
: http://www.google.com/search?hl=enq=site%3Aosvdb.org+aditya+sood
:
: Is it
On Wed, 6 Jun 2007, Kradorex Xeron wrote:
: Illegal or not, this is still pretty damned shady.
:
:
: I will seldom touch on the legal side but I have a possible scenario:
:
: -- If David is no longer at that address, it could be said that his mail
: account was taken down and the mail sent
: A more ethical company would have sent HDM a polite note saying that
: the person no longer works there before curiosity got the best of them.
:
: Does your company do this for all former employee e-mail accounts?
No. But they also don't continue to accept mail to those accounts either.
:
: Was OpenBSD owned ... http://www.openbsd.org
I'd guess hosting problems:
http://www.openssh.org/
Forbidden
You don't have permission to access / on this server.
Apache/1.3.34 Server at www.openssh.org Port 80
http://www.openntpd.org/
Forbidden
You don't have permission to access / on
: It may not come as a shocker, but so far the Month of Rixstep Bugs
: has not netted a single bug.
: -- http://rixstep.com/1/20070115,00.shtml
:
: Maybe because nobody was looking?
http://osvdb.org/blog/?p=160
Month of .. who?!
Posted in General Vulnerability Info on January 15th, 2007 by
: There are a million books on phishing in borders book store, if the
: phishing phrase hadn't been coined, a lot of people wouldn't be
: millionaires right now.
:
: They brought in phishing in 2003. The actual act of phishing had been
: going on for years before the phrase was coined. Since
(I recommend you read the original, as many parts of the text are links to
other resources)
http://www.osvdb.org/blog/?p=104
US Government Studies Open Source Quality
US Government Studies Open Source Quality reads the SlashDot thread, and it
certainly sounds interesting. Reading deeper,
On Sun, 11 Dec 2005, Pavel Kankovsky wrote:
: Just for the info, they have also added Nmap as potentially unwanted
: application (http://vil.mcafeesecurity.com/vil/content/v_100955.htm)
: [...]
:
: Are we making a list?
: You can add Symantec reporting a copy of Netcat as a hacking tool.
A
Hi Tim,
Don't take this as anything but honest questions please! I am curious
about everyone's thoughts and opinions on this, as I have mostly seen
Renaud/Ron/Tenable pointing out some facts, and most replies being a bit
lacking in reason and explanation. I ask these questions to *anyone*
: Since its inception, supporting NT 3.0 beta and onward, I have been
: dealing with BSOD's. In total, there have been comparatively very few
: times were it was a direct fault of MS code. It has very commonly been
: in relation to 3rd party drivers that needed reworking or updating by
:
: I don't appreciate you changing caps in my name. I'm not 'spin'ing
: anything - I addressed a specific question with an honest real-world
: answer. I did not include propaganda nor did I denounce any alternate
: products. There's no need to be a disrespectful ass.
A decade of close
: You know, I wouldn't mind it IF the conversation was properly
: [re]directed in context. In fact it often leads to many fascinating
: discussions. But other times it feels like some people that
: contributing are schizophrenic.
Seems like the people that didn't catch that leap don't quite
: Not if the U.S security services decide to have a war on cyber terror
: sites.
You aren't from the US are you? The idea that U.S security services can
arbitrarily shut down a site outside the US, and that the FBI or anyone
else *would* shut down a site, even in the US is a bit silly. Almost
: Nahh if it comes to world domination my money is on Jericho Forget the
: defacement archive that's easy..Anyone who runs the site that has
: managed to keep a fairly complete record of who has been sleeping with
: who since 1996 includeing feds and a bunch of privacy freaks like
: hackers
:
http://australianit.news.com.au/articles/0,7204,16650762%5E15306%5E%5Enbv%5E,00.html
The obvious criticism:
The Mozilla family of browsers had the highest number of vulnerabilities
during the first six months of 2005, with 25, the Symantec report says.
Eighteen of these, or 72 per cent,
Hi Jerome,
: It is possible to remotely view the source code of web script files
: though a specially crafted WebDAV HTTP request. Only IIS 5.1 seems to be
: vulnerable. The web script file must be on a FAT or a FAT32 volume, web
: scripts located on a NTFS are not vulnerable.
:
: The
is a
marketing ploy and money maker. It is *not* in their best interest to
allow the credibility of their certification to be tarnished for any
reason, even when criminals are 'earning' it.
security curmudgeon
[0] https://www.isc2.org/cgi-bin/content.cgi?page=176
[1] http://en.wikipedia.org/wiki
: Here we go again, so called intelligent people talking utter rot!
[..]
: Come on people grow up, put your prejudices aside and look at the
: information provided, draw conclusions based on that, and be prepared to
: change that opinion when the information to hand dictates.
Did you read
34 matches
Mail list logo
