From: Charles Miller (cmiller securityevaluators.com)
Date: Mon Jul 09 2007 - 08:46:29 CDT
> Isn't that always the point when you sell a vulnerability in an open source
> software? If I want to sell you a lighttpd remote exploit and you trust me
> then you know that such a thing exists and you will most probably invest
> more time in finding it yourself. The knowledge that something exploitable
> really exists is a good motivation to find it.
The problem extends beyond open source.
But anyway, there is a big difference between saying there is a
remote exploit in IIS and saying there is a command injection
vulnerability in SquirrelMail GPG Plugin. I can probably rediscover
the SquirrelMail one in an hour but I may never find the IIS one.
Also, the vulnerability Nicob pointed out was pre-auth (mine was
post-auth). I'm dying to know if version 2.1 patched the exploit they are
trying to sell!
Charlie
ps. Sorry about the (No Subject)
_______________________________________________
Dailydave mailing list
Dailydave lists.immunitysec.com
http://lists.immunitysec.com/mailman/listinfo/dailydave