Electronic Frontier Foundation Media Release
For Immediate Release: Monday, November 01, 2004
Contact:
Cindy Cohn
Legal Director
Electronic Frontier Foundation
[EMAIL PROTECTED]
+1 415 436-9333 x108 (office), +1 415 307-2148 (cell)
Matt Zimmerman
Staff Attorney
Electronic Frontier Found
I have tested,but i don't find the the vulnerability.(Win2000 professional + XDICT
2005)
Sent via the WebMail system at mail.netpower.com.cn
___
Full-Disclos
Since nobody else posted an exploit I figured I might aswell slap the BoF together
with my default exploit JavaScript for the scriptkiddies to rejoice and the sysadmins
to worry about.
The JavaScript creates a large amount of heap-blocks filled with 0x0D byte nopslides
followed by the shellcod
Luke Macken writes:
> The pppd server improperly verifies header fields, making it vulnerable
> to denial of service attacks.
>
> Impact
> ==
>
> An attacker can cause the pppd server to access memory that it isn't
> allowed to, causing the server to crash. No code execution is possible
> wi
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
___
Mandrakelinux Security Update Advisory
___
Package name: netatalk
Advisory ID:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
___
Mandrakelinux Security Update Advisory
___
Package name: perl-MIME-tools
Adviso
...so why are we surprised he can't talk the native tongue, or eat a
pretzel without choking?
http://www.georgewbush.com/Secure/BushTeamLeaderSignUp.aspx
"You have attempted to establish a connection with
"www.georgebush.com". However, the security certificate
presented
--On Sunday, October 31, 2004 12:46:56 PM +0100 yossarian
<[EMAIL PROTECTED]> wrote:
You mean the US became the enemy when the russians left afghanistan and
Osama was still on the CIA payroll, at the time that G.W. turned from coke
to God, and daddy bush was supplying arms to saddam? How ungratefu
ROFL:
- Original Message -
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, November 01, 2004 19:27
Subject: failure notice
> Hi. This is the qmail-send program at lists2.securityfocus.com.
> I'm afraid I wasn't able to deliver your message to the following addresses.
> T
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
___
Mandrakelinux Security Update Advisory
___
Package name: MySQL
Advisory ID:
--On Sunday, October 31, 2004 09:59:55 PM -0600 "J.A. Terranson"
<[EMAIL PROTECTED]> wrote:
As Nader supporters continually point out, Kerry is a compromised,
centrist Democrat,
Calling Kerry a centrist Democrat is akin to calling pigs flamingos.
You know the rest...
Paul Schmehl ([EMAIL PROTECTED
I can imagine security right now if only the inventor of the internet
had been elected the last time around instead of Bush.
On Mon, 1 Nov 2004 22:59:18 +, n3td3v <[EMAIL PROTECTED]> wrote:
> Vote bush out or the world will sky dive into an apocalyse.
>
> (i don't care if this is off topic,
===
Ubuntu Security Notice USN-15-1 November 01, 2004
lvm10 vulnerability
CAN-2004-0972
===
A security issue affects the following Ubuntu releases:
Ubuntu 4.10 (Warty Warthog)
--On Monday, November 01, 2004 03:41:58 AM +0100 Thorsten Peter
<[EMAIL PROTECTED]> wrote:
being german, and i am sure the french will very much agreethis
couldn't be a more typical bush-republican-style phrase.
yea man, we, old-europe need a strong and stupid bull riding, golf
playing cowboy
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
___
Mandrakelinux Security Update Advisory
___
Package name: mod_ssl/apache2-mod_ssl
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
___
Mandrakelinux Security Update Advisory
___
Package name: mpg123
Advisory ID:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
___
Mandrakelinux Security Update Advisory
___
Package name: gaim
Advisory ID:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
___
Mandrakelinux Security Update Advisory
___
Package name: perl-Archive-Zip
Advis
Vote bush out or the world will sky dive into an apocalyse.
(i don't care if this is off topic, this relates to security of
everyone, not just geeks on the internet who have found a
bufferoverflow in X product)
Thanks,
n3td3v
[ security enthusiast ]
[ http://www.geocities.com/n3td3v ]
___
Moving sideward from the specific case of Microsoft's RPC-over-HTTPS to the
case of XML-over-HTTPS used for Web Services, here are some thoughts from
the "Web Services Security" world:
I find that people start from a standpoint of thinking "firewalls are
oblivious to XML" but then realize that a f
I don't see how getting yourself a private email address that is spam
free is such a hard problem. I probably have 8-10 email addresses on
different email providers. 3 of which are private and remain between
me and friends/family and don't receive any spam, except for the
accounts that belong to
Paul Schmehl wrote:
Now, PLEASE keep the damn politics off this list, because I assure
you, I will not sit idly by and allow this kind of unadulterated crap
to be spewed on this list without responding.
All replies to /dev/null.
That's kind of contradictory, wouldn't you say? First you'll resp
Hugo van der Kooij <[EMAIL PROTECTED]> writes:
> Sendmail logs also show a significant number of false recipients which
> are known to be part of worms that are by now over 6 months old. Like:
>
> Nov 1 07:16:06 gandalf sendmail[17575]: iA16G3QU017575: ruleset=check_rcpt,
> arg1=<[EMAIL PROTECTE
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Yo Nayana!
On Mon, 1 Nov 2004, Nayana Somaratna wrote:
> However, when browsing the web, I found an article which said that "it
> requires an expert to lockdown php" (Sorry, but I can't quite recall
> the URL).
Saying PHP in insecure is like saying
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200411-02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - -
===
Ubuntu Security Notice USN-13-1November 1, 2004
groff utility vulnerability
CAN-2004-0969
===
A security issue affects the following Ubuntu releases:
Ubuntu 4.10 (Warty
===
Ubuntu Security Notice 14-1November 1, 2004
xpdf vulnerabilities
CAN-2004-0888, CAN-2004-0889
===
A security issue affects the following Ubuntu releases:
Ubuntu 4.10
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200411-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - -
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
- --
Debian Security Advisory DSA 580-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
November 1st, 2004
- Original Message Follows -
> Hi full-disclosure!
>
> ntpd 1:4.2.0a-11 (as in debian testing/sarge and unstable/sid)
> segfaults when accessing ntp servers on IPv6 hosts. I don't know
> whether this bug is exploitable. But such a server on
> pool.ntp.org might DoS many servers.
There
On Mon, 1 Nov 2004, Chintan Trivedi wrote:
> GET / HTTP/1.0\n
> [space] x 8000\n
> [space] x 8000\n
> [space] x 8000\n
> .
> .
> 8000 times
> I created 25 threads (connections) and send the above request to one
> webserver.
This is circa 1.5 GB of data (61 MB per connection), at which point you
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
- --
Debian Security Advisory DSA 579-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
November 1st, 2004
I had tested first time on vmware image and it had crashed.(Its not
having unnecessary modules installed. )
The other tests which i did was on office mate's machine. That guy is
running http apache server with (Mandrake Linux/6mdk) mod_ssl
OpenSSL/0.9.7c DAV/2 PHP/4.3.4 Server. His machine had com
I made a Linux version of your PoC and attack an Apache 2.0.52 +
Mod_security + Mod_ssl + Mod_proxy and couldn't reproduce the DoS.
50 threads for more than 5 minutes throw Internet (not in the local
network).
Regards, Mauro Flores
On Mon, 2004-11-01 at 06:57, Chintan Trivedi wrote:
> Hi,
>
>
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
- --
Debian Security Advisory DSA 578-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
November 1st, 2004
You should check out 'study in scarlet' also, which points out some of the
common programming/configuration mistakes:
http://www.securereality.com.au/studyinscarlet.txt
Meder
On Mon, Nov 01, 2004 at 07:13:14PM +0530, Sandeep Sengupta wrote:
> Hi Nayana,
>
> 1) All BUGS on PHP are listed here.
Hi Nayana,
no, you don't need a security expert to secure your php scripts. But you
also don't need to be a security expert to exploit php issues... =)
Have a look at this:
http://www.hardened-php.net/
HTH
Nayana Somaratna wrote:
Hi everyone,
I've been tasked with creating a learning management s
Hi full-disclosure!
ntpd 1:4.2.0a-11 (as in debian testing/sarge and unstable/sid)
segfaults when accessing ntp servers on IPv6 hosts. I don't know
whether this bug is exploitable. But such a server on
pool.ntp.org might DoS many servers.
There is a fixed version available.
For more details see
Hi Nayana,
1) All BUGS on PHP are listed here. So you can have good idea of the bug-stat.
http://bugs.php.net/bugstats.php
Total bug entries in system: 30352
Closed: 17087 Open: 1267 Critical: 4
-
Some more resources ---
2) http://www.developer.com/lang/article.php/918141
On the S
Hi everyone,
I've been tasked with creating a learning management system for my
University. Given that we're only handling a few handred students, I'd
typically want to create it using linux/apache/mysql/php.
However, when browsing the web, I found an article which said that "it
requires an exper
Hi,
I was doing some testing on Apache webserver ver 2.0.52 (unix) and
previous versions. Just found that a special type of request consumes
lot of CPU usage and hangs the webserver. It even hangs other services
like ssh, ftp ..
For Apache 2.0.52 a request like
GET / HTTP/1.0\n
[space] x 80
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> David.vincent
> Sent: Monday, November 01, 2004 9:40 AM
> To: Full-disclosure
> Subject: [Full-Disclosure] Re: Hi
>
> :))
>
>
___
Full-Disclosure -
All,
The new SCC Newsletter will be posted in a few hours to
alt.gap.international.sales, which can be viewed from
any usenet server or groups.google.com. Highlights are:
-new source code
-price changes
-private members
Do not respond to this email.
-BEGIN PGP PUBLIC KEY BLOCK-
Version
43 matches
Mail list logo
