The iPhone uses proprietary protocols over USB for file operations, syncing
and the like -- only real authentication that I can recall (and I got it
working to begin with ;)) was that the session with lockdownd (kind of a
broker for starting services, etc.) eventually goes SSL... there is also
Truly? Wait, are you going through AFC or some other way? It was my
understanding that iPhone internal storage never comes up any other way...
Doesn't lockdownd require that your computer be paired before even going SSL
to start services?
On May 18, 2010 4:23 PM, Thor (Hammer of God)
There seem to be a few more problems with that script than just that XSS...
For example, going to the Application Search page root (the page that takes
you to that one, presumably) and selecting literally everything in the
Services listbox will net you an error reporting Incorrect syntax near ','
Wait, did you even try and replay them yet?
On Fri, May 28, 2010 at 7:22 PM, Justin Chang ktriv...@msn.com wrote:
What are the encoded_pw and encoded_pw_unicode cookies in blackboard?
These are passed clear text with username and I am trying to see if I can
get the password from this
So if Drupal and WordPress, etc. are so terrible, what would you all recommend?
-Zach
On Jul 29, 2010, at 4:16 PM, coderman coder...@gmail.com wrote:
On Thu, Jul 29, 2010 at 3:05 PM, Christian Sciberras uuf6...@gmail.com
wrote:
...
Please! Don't put Drupal and decent in the same sentence!
According to some of comex's tweets, the exploits he used are public; I also
saw one person on Slashdot explain that root was granted via an IOSurface
allocation error, while other sources claim part of the Spirit jailbreak was
reused in Star. And then, of course, is the PDF exploit (that
tl;dr everything is vulnerable to dll hijacking zomg we are all going to be
pwned.
Ye gods these are irritating. I suppose I should filter them but damn.
On Sep 12, 2010, at 3:53 PM, YGN Ethical Hacker Group li...@yehg.net wrote:
1. OVERVIEW
The gDoc Fusion application is vulnerable to
They do this so that people who are manually installing or updating software
can also verify that the package they are installing is, in fact, the exact
same one that the software packager released -- this reduces (but does not
eliminate) the chance that someone malicious may have been able to slip
But it requires that the user/potential victim go to the URL and save it, you
say? That doesn't quite seem realistic at all in terms of an attack...
On Nov 14, 2010, at 9:56 AM, MustLive mustl...@websecurity.com.ua wrote:
Hello Full-Disclosure!
I want to warn you about Cross-Site Scripting
You would find an XSS against one of my favorite wikia wikis :(
-Zach
On Dec 21, 2010, at 5:33 PM, dave b db.pub.m...@gmail.com wrote:
Everyone loves wikia, so here have an xss against their site(s).
Trolls trolling trolls trolling trolls trolling trolls
On Dec 28, 2010, at 4:32 PM, Paul Schmehl pschmehl_li...@tx.rr.com wrote:
--On December 28, 2010 8:51:40 AM -0500 Григорий
Братислава musntl...@gmail.com wrote:
Is question: 'I is created code.c and I is release it. Paul Schmehl
Hmm. So you propose other measures of security as a way of circumventing the
requirement of patching vulnerable software. That's nice, but it occurs to me
that the vulnerable software is still vulnerable, and sandboxing (as you
mentioned in an example) isn't always possible or feasible -- maybe
generally worth it to patch for that extra assurance
against well-known flaws -- but, granted, only especially so after a given
period of time that sees many more and/or 'potentially fatal' flaws exposed to
the public.
Everything does make perfect sense though.
-Zach
On 1/11/2011 2:53 PM, Zach
:
[Combining Threads]
-Original Message-
From: Pete Herzog [mailto:li...@isecom.org]
Sent: Friday, January 14, 2011 10:19 AM
To: Thor (Hammer of God)
Cc: valdis.kletni...@vt.edu; phocean; full-disclosure@lists.grok.org.uk; Zach
C
Subject: Re: [Full-disclosure] Getting Off
At the risk of having the eyes of the spiteful turned on me...
It's kind of funny how these sorts of groups seem to be governed by a pursuit
of the lulz -- that is, personal amusement/schadenfreude at the expense of
someone else, usually as a result of their own actions. But ironically, if Mr.
Pretty much what the others said with the addition that if you can't trust
root, you simply cannot trust *any* command on that machine, including gpg,
since root can compromise them in many ways, too. Best bet is to download it
every session and clear it -- but be warned that even any method used
fucking *two days*? Is that even enough time for the vendor to acknowledge?
On Feb 17, 2011 9:20 AM, MustLive mustl...@websecurity.com.ua wrote:
Hello list!
I want to warn you about Insufficient Anti-automation vulnerability in
reCAPTCHA for Drupal.
In project MoBiC in 2007 I already wrote
...@gmail.com wrote:
It's either he floods f-d with his vulnerabilities or he has to go out
in the real world to farm dirt for export to the West.
On 02/17/2011 12:54 PM, Zach C. wrote:
fucking *two days*? Is that even enough time for the vendor to
acknowledge
Why yes it does. Shame on me for not reading so well.
On Feb 18, 2011 7:51 AM, Conor conor.l...@gmail.com wrote:
I'm definitely not trying to defend MustntLive, but his timeline shows
2010.12.14 to 2011.02.16. Which makes it 2 months and 2 days, not 2 days,
right?
On Feb 18, 2011 7:08 AM,
Okay, and also let me rephrase the question: what does your tool do that
*socat* doesn't?
On Sat, Mar 26, 2011 at 1:17 PM, GomoR go...@gomor.org wrote:
On Sat, Mar 26, 2011 at 08:10:47PM +0200, Anton Ziukin wrote:
What can your tool do that Ncat (http://nmap.org/ncat/guide/index.html)
Not to mention the extensions he's undoubtedly using, unless he seriously
implemented all the protocols and cryptographic functions in pure Perl
On Mar 28, 2011 12:07 AM, Michal Zalewski lcam...@coredump.cx wrote:
This one is from command line, maybe the next will be in
the server mode or
Lakitu Cloud Security, Inc. Heh. That is an awesome company name actually.
On Apr 1, 2011 8:46 AM, Nelson Elhage nelh...@ksplice.com wrote:
Advisory Name: Plumber Injection Attack in Bowser's Castle
Release Date: 2011-04-01
Application: Bowser's Castle
Versions: Super Mario Bros., Super Mario
That's your cue, guys who reported every single program using the same DLL
vulnerable to DLL hijacking! Find those bad certs and start reporting every
single application using Qt! THE WORLD IS COUNTING ON YOU TO INFORM US OF
THESE THREATS TO OUR SECURITY.
On Apr 12, 2011 10:19 AM,
That only seems to apply to Android 3.x, which is not even the most
prevalent Android version in the wild. In fact, I think it can only be found
on tablets at present, and presumably Google will release the source when
they have 3.x stuff workable in mobile phones as well.
On Wed, Apr 20, 2011 at
On Wed, Apr 20, 2011 at 6:04 PM, Marcio B. Jr. marcio.barb...@gmail.com wrote:
On Wed, Apr 20, 2011 at 9:45 PM, Zach C. fxc...@gmail.com wrote:
That only seems to apply to Android 3.x,
only seems to apply is a sloppy euphemism.
Correct sentence is: IT DOES APPLY.
I guess context
Heh -- did anyone else just get spammed by these jokers?
In any case: even if you change this setting where they tell you to, does
the code actually honor the change or is it just a farce for the user's
benefit? And, perhaps more importantly, why should I have to grab it,
blindly trust it and run
So if you try to sign up with a website and it tells you the username is
already taken, is that a login leakage vulnerability?
Just want to be clear.
On Apr 25, 2011 11:59 AM, MustLive mustl...@websecurity.com.ua wrote:
Hello Andrew!
You're kidding, right?
No, I'm serious - as I'm always
I had another question too -- this one a bit more general. With services
like deathbycaptcha, could CAPTCHA itself now be considered insufficient
anti-automation, and how would you address that?
On Apr 25, 2011 11:59 AM, MustLive mustl...@websecurity.com.ua wrote:
Hello Andrew!
You're kidding,
To warn us all about Theo's latest rootkits and collusions with the
governments of course.
On May 2, 2011 10:02 AM, Cal Leeming c...@foxwhisper.co.uk wrote:
Huh?
On Mon, May 2, 2011 at 10:43 AM, phocean 0...@phocean.net wrote:
OpenBSD 4.9 was released... where is Musn'tlive ??
:D
--
To borrow a mechanism from 'chan' boards...
not telling how everything works
expecting me to trust it blindly
false positives extremely possible
arrogant affirmation of probably inflated success rate and development
periods
anonymity-hostile
Lol wat
On Jun 9, 2011 6:21 PM,
Can I have some of what you're having?
On Jun 17, 2011 8:37 PM, RandallM randa...@fidmail.com wrote:
Only God has created the perfect laws that none have not broken.
Man has created in his finite way shadows of these. But not perfect. But
they are laws to regulate the good of all.
Lutz, you
On Mon, Jun 27, 2011 at 8:04 PM, YGN Ethical Hacker Group li...@yehg.net wrote:
The XSS results are from purely blackbox scan on Mambo 4.6.5.
Wait, so you're telling me that you're running some program to find these
and then just reporting the results to this list? If so, please give some
Hmm -- that's interesting. I wonder if it would be possible/feasible to
build a botnet in this fashion that would overtake legitimate bitcoin nodes
in terms of CPU power. (You probably know what would happen then)
On Jul 19, 2011 12:11 PM, Robin ro...@rbsec.net wrote:
Had to deal with a server
Telling people to move their criticisms off of the (unmoderated) public
forum and into the private forum that you control (and can freely censor as
you see fit) is ridiculous.
Now, if you really did as root said and just grabbed people's code from
various public outlets and put it into your GPL
Re: putting things in the public domain: Daniel J. Bernstein and Lawrence
Rosen (of Creative Commons fame, I believe) seem to disagree with you on
that: http://cr.yp.to/publicdomain.html
Plus, pretty much the only 'license' djb uses is public domain, so qmail,
djbdns, etc. are all public domain.
Indeed? Are they supposed to be taking pictures of events with handmade
cameras? Wearing clothes they made from the ground up? Not shaving or
shaving with crudely-fashioned makeshift blades from spare metal?
The usage of corporate products does not disqualify one from criticizing
those
think I'll let the threat of being a hypocrite stop me from
saying Apple sucks balls just because I own and no longer use an iPhone.
On Oct 12, 2011 2:17 PM, Paul Schmehl pschmehl_li...@tx.rr.com wrote:
--On October 12, 2011 11:00:32 AM -0700 Zach C. fxc...@gmail.com
wrote:
Indeed
Yet another note, this one ARP-related: while true that most devices on
your local network will respond to ARP, it's important to note (as the
wording of almost certain implies) that it is possible to purposely
suppress ARP responses to all but a few hosts. I know for certain that the
Linux kernel
On Jan 27, 2012 4:07 PM, valdis.kletni...@vt.edu wrote:
On Fri, 27 Jan 2012 18:06:28 GMT, Michael Schmidt said:
You want to be very careful with that line of thought. You are taking
the
creator the rightful owners profits, which they are entitled to if it
is a
product they created to be
Just to be clear, what's been done in the name of intellectual property
protection is fucking ridiculous. I just do not see how getting something
someone put a non-zero value of work and materials into without even so
much as asking or being given permission from the person who made it is
somehow
The original message reads thus:
i was working with cleaning up any to any on fw. ran across inside
ips doing netbios (NS) , and one using port 4330 to 7.8.0.106, or
.107.
a who is give .miil DoD Network Information Center.
?
we are just a manufacturing company. One ip is from a NAS
Solution: use DD-WRT? Or is that vulnerable too? (Or are there worse
problems? :))
On Feb 10, 2012 10:12 AM, Dan Kaminsky d...@doxpara.com wrote:
Fixing a vulnerability like this with all the bureaucratic, QA and legal
process wouldn't take no more than 2 weeks
If bureaucratic, QA, and legal
Even so, watch all the advisories pour in now for cookie-based SQL
injection. :/
On Mar 6, 2012 12:44 PM, valdis.kletni...@vt.edu wrote:
On Tue, 06 Mar 2012 14:28:51 CST, Adam Behnke said:
Unlike other parameters, cookies are not supposed to be handled by users.
Any site that designs its
Could he not use a trusted intermediary though? That is, find someone to
report the issue who can be entangled by ToS, will take screenshots, etc.
I suppose the biggest problem of this would be the trust part, though. :)
On Mar 18, 2012 9:14 AM, Jeffrey Walton noloa...@gmail.com wrote:
On Sun,
He also considers it a vulnerability to tell a new user that the username
they've picked out has been taken by another user.
On Sun, Mar 25, 2012 at 3:09 PM, InterN0T Advisories
advisor...@intern0t.net wrote:
Same type of vulnerabilities exist in 99,999...% of all web applications
including
Well, not cleanly... I would think though that a signed integer cast to a
size_t would have unpredictable results (but mostly just a larger value than
intended...). At least when size_t and int are both 32bit. Or am I wrong?
On Apr 21, 2012, at 2:33 PM, Jeffrey Walton noloa...@gmail.com wrote:
http://www.reactiongifs.com/wp-content/uploads/2011/05/THISGONBGUD.gif
On May 23, 2012, at 6:42 PM, Alex Buie ab...@kwdservices.com wrote:
This is gonna be fun.
___
Full-Disclosure - We believe in it.
Charter:
1.) The tool, Splunk, is designed to index logs
2.) Logs are arbitrary files.
Therefore,
3.) Splunk is designed to index arbitrary files.
Whether or not you could preview the file before indexing, there would
still be ways to gain access to the contents of the file once indexed. This
just happens
48 matches