Heh -- did anyone else just get spammed by these jokers? In any case: even if you change this setting where they tell you to, does the code actually honor the change or is it just a farce for the user's benefit? And, perhaps more importantly, why should I have to grab it, blindly trust it and run it to find out?
Besides even that, assuming the change was actually honored, how would one go about creating a page that would work with it?

On Mon, Apr 25, 2011 at 8:31 AM, Steven Pinkham <[email protected]> wrote:
> Rain Liu wrote:
> > Hi Steven Pinkham,
> >
> > I think this is an old question that has been answered. You can make
> > settings in the Pangolin main panel.
> >
> > "Edit->Setting->Oracle", change the "Remote Data URL" and "Remote Info
> > URL" as you wish. Exit Pangolin and run it again to take effect.
> >
> > Here are example settings:
> > http://www.nosec-inc.com/en/images/pangolin-oracle-setting.gif
> >
> > Wish you guys happy.
> >
> > BEST REGARDS TO YOU AND YOUR FAMILY
> >
> > Rain Liu
>
> It's entirely possible that is all there is to it.
>
> Let me be perfectly clear: for people in the real world to trust your
> tool, those fields should be empty by default, and clear instructions
> and demo code should be given on how to set that feature up on their own
> servers. A poorly documented feature that sends your data to third
> parties by default *is unacceptable*, and if you want professional users
> to take you seriously, data privacy needs to be the default.
>
> There are still a lot of questions that are poorly documented, like:
> How does the feature you call "bypass firewall" work? What, if any, 3rd
> parties are involved?
>
> Can you certify that there are no third parties involved in any action of
> Pangolin besides the Oracle setting, or are there other undiscovered
> pitfalls for the professional user? The existence of this poorly
> documented, data-stealing-by-default option completely undermines my
> trust in your tool, and I would be VERY cautious in any use of said tool.
>
> Personally, I'd rather stick to open source, auditable tools whenever
> possible, and sqlmap is my SQL injection tool of choice. Honestly, your
> answers to these questions are not likely to make me switch (sqlmap is
> *that good* in recent releases), but may serve to cut down on my abuse
> of people who consider using your tool.
>
> --
> | Steven Pinkham, Security Consultant |
> | http://www.mavensecurity.com |
> | GPG public key ID CD31CAFB |
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
