Hi, Harry,
On Wed, 06 Feb 2008 14:22:10 -0500, Harry Hoffman wrote:
> Sadly, it seems that more and more mail servers are RFC-apathetic :-(
>
> And the admins even more so... It almost seems the larger the company
> the less likely to follow RFCs (IME).
>
> Then there's people like spamcop
your 'disclosure' is lame and so is your site. Could you please never email
here again
On Feb 6, 2008 1:06 PM, SkyOut <[EMAIL PROTECTED]> wrote:
> I know it's basic, but I am a supporter of FD and therefore
> planetluc.com has to be
> blamed now! I checked their script MyNews in version 1.6.4 toda
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200802-02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200802-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - -
secreview wrote:
We do take a few points away from Layer 9 because they resell third
party hardware and software. We feel that companies who resell third
party technologies become biased towards selling those technologies even
if a better technology solution exists. This might not stand true for
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
___
Mandriva Linux Security Advisory MDVSA-2008:036
http://www.mandriva.com/security/
___
This will be our shortest review yet. We've spent the past three weeks
trying to get hold of the Layer 9 Corporation. We've placed several
telephone calls (well over a dozen), and sent multiple emails all of
which to no avail. As a result, this review is being done strictly on
the information that
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
-
Debian Security Advisory DSA-1483-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Noah Meyerhans
February 06, 2008 h
rPath Security Advisory: 2008-0046-1
Published: 2008-02-06
Products:
rPath Linux 1
Rating: Minor
Exposure Level Classification:
Indirect User Deterministic Unauthorized Access
Updated Versions:
[EMAIL PROTECTED]:1/2.0.33-4.6-1
rPath Issue Tracking System:
https://issues.rpath.com/
ZDI-08-003: Symantec Backup Exec Remote File Upload Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-08-003.html
February 6, 2008
-- CVE ID:
CVE-2008-0457
-- Affected Vendor:
Symantec
-- Affected Products:
Backup Exec System Recovery Manager 7.0
Backup Exec System Recovery Manager
###
Luigi Auriemma
Application: WS_FTP Server Manager
http://www.wsftp.com
Versions: WS_FTP Server <= 6.1.0.0
Platforms: Windows
Bugs: A] authorization bypassing in log
###
Luigi Auriemma
Application: TinTin++ / WinTin++
http://tintin.sourceforge.net
Versions: <= 1.97.9
Platforms: Windows, Linux and Mac
Bugs: A] chat buffer-overflow
Sadly, it seems that more and more mail servers are RFC-apathetic :-(
And the admins even more so... It almost seems the larger the company
the less likely to follow RFCs (IME).
Then there's people like spamcop who think that RFCs are ok for some
things but not for others :-(
--Harry
Paul
iDefense Security Advisory 02.04.08
http://labs.idefense.com/intelligence/vulnerabilities/
Feb 04, 2008
I. BACKGROUND
HP Network Node Manager is a network mapping and management application
that allows administrators to monitor and control their networks. The
ovtopmd process listens, in a default
I know it's basic, but I am a supporter of FD and therefore
planetluc.com has to be
blamed now! I checked their script MyNews in version 1.6.4 today and
then some
other versions, all are vulnerable to HTML and JS injection.
--- ADVISORY ---
|| WWW.SMASH-THE-STACK.N
On Feb 6, 2008 5:40 PM, Paul Schmehl <[EMAIL PROTECTED]> wrote:
> BTW, privately I was informed that the *real* address is [EMAIL PROTECTED]
>
> Who knew.
everyone knew...
http://security.yahoo.com
http://security.yahoo.com/all_topics.html
http://security.yahoo.com/article.html;_ylc=X3oDMTFwdDk
rPath Security Advisory: 2008-0043-1
Published: 2008-02-06
Products:
rPath Linux 1
Rating: Minor
Exposure Level Classification:
Indirect User Deterministic Unauthorized Access
Updated Versions:
[EMAIL PROTECTED]:1/3.4-5.1-1
rPath Issue Tracking System:
https://issues.rpath.com/bro
It's true that with MITM you could "poison" the javascript to steal the
key (cookie stealing style) but I think that it's a reasonable risk due
to the "non-enterprise" environment, in which the suite has been thought
for. Stealing the key requires a targeted attack MITM, in a precise moment.
I
You just need to take it a step further :-)
...
rcpt to: <[EMAIL PROTECTED]>
250 recipient <[EMAIL PROTECTED]> ok
data
354 go ahead
Testing
.
554 delivery error: dd This user doesn't have a yahoo.com account
([EMAIL PROTECTED]) [0] -
mta367.mail.mud.yahoo.com
421 Service not available, closing
On Wed, 06 Feb 2008 10:44:10 CST, Paul Schmehl said:
> RCPT TO: <[EMAIL PROTECTED]>
> 250 recipient <[EMAIL PROTECTED]> ok
% telnet f.mx.mail.yahoo.com 25
...
rcpt to: <[EMAIL PROTECTED]>
250 recipient <[EMAIL PROTECTED]> ok
Yee. Hah. They 250 for a probably-nonexistent account (unless that
one
--On Wednesday, February 06, 2008 12:25:19 -0500 Harry Hoffman
<[EMAIL PROTECTED]> wrote:
> You just need to take it a step further :-)
>
> ...
> rcpt to: <[EMAIL PROTECTED]>
> 250 recipient <[EMAIL PROTECTED]> ok
> data
> 354 go ahead
> Testing
> .
>
> 554 delivery error: dd This user doesn't ha
[EMAIL PROTECTED] wrote on 06.02.2008 at 16:42:
> Sure. So you e-mail the shared secret in a PGP or S/MIME encrypted
> mail.
>
> So saying that it doesn't work because there's no secure secret
> exchange
> is disingenuous as well.
If you are able to use PGP/GPG/S/Mime you HAVE already an impl
--On Wednesday, February 06, 2008 11:58:31 +0100 Vincent van Scherpenseel
<[EMAIL PROTECTED]> wrote:
>
> So, what do you do when you want to report something like this? In fact
> I'm doing them a favor by reporting but all I got is this lousy
> response. I'll have to think twice about reporting so
On Wed, 06 Feb 2008 17:23:49 +0100, Christoph Gruber said:
> If you are able to use PGP/GPG/S/Mime you HAVE already an implemented
> PKI. Why should someone use PKI to initialize another?
There's this thing called "The Real World", where often you end up doing
stuff like this because something
Shut up Valdis!
On 2/6/08, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>
> On Wed, 06 Feb 2008 03:59:30 PST, coderman said:
>
> > since psk without key distribution nor secure secret exchange does not
> > solve the problems that HTTPS solves, to say this is useful in
> > situations where HTTPS is
On Wed, 06 Feb 2008 03:59:30 PST, coderman said:
> since psk without key distribution nor secure secret exchange does not
> solve the problems that HTTPS solves, to say this is useful in
> situations where HTTPS is not available is disingenuous.
Sure. So you e-mail the shared secret in a PGP or S
Probably you are pointing to this advisory:
http://kb.adobe.com/selfservice/viewContent.do?externalId=kb403079&sliceId=1
Secunia sees these as Remote type SA28802
http://secunia.com/advisories/28802/
FrSIRT as Remote type FrSIRT/ADV-2008-0425
http://www.frsirt.com/english/advisories/2008/0425
an
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
I think the address is
[EMAIL PROTECTED]
Cheers
Ferdinand from Germany
On 06.02.2008 at 11:58, Vincent van Scherpenseel wrote:
> Their abuse policy of course!
>
> Last week a client's server was being attacked (some old Tomcat5 vuln)
> and used to
On Feb 6, 2008 3:21 AM, Gerardo Di Giacomo <[EMAIL PROTECTED]> wrote:
> ...
> The PSK is never sent, neither by the client nor by the server.
apologies, i will be more clear:
since psk without key distribution nor secure secret exchange does not
solve the problems that HTTPS solves, to say t
> (MITM makes this useless)
Uhm... tell me why.
The PSK is never sent, neither by the client nor by the server.
But of course, this is an open project if you find bugs please report
them ;)
Bye,
Gerardo
mitm doesn't make this useless, btw. As stated it's symmetric
encryption, one has to check the javascript source to see that the key
isn't being SENT of course.
On Feb 6, 2008 6:34 AM, T Biehn <[EMAIL PROTECTED]> wrote:
> SYNCHRONICITY
>
>
>
> On Feb 6, 2008 5:18 AM, coderman <[EMAIL PROTECTED]> wr
SYNCHRONICITY
On Feb 6, 2008 5:18 AM, coderman <[EMAIL PROTECTED]> wrote:
> On Feb 5, 2008 3:23 PM, Gerardo Di Giacomo <[EMAIL PROTECTED]> wrote:
> > JaPCrypt means Javascript and PHP Encryption.
>
> and pwned by eve
>
> (MITM makes this useless)
>
> fun code though. should have read crypto 101
On Feb 6, 2008 3:05 AM, worried security <[EMAIL PROTECTED]> wrote:
>
> On Feb 6, 2008 3:01 AM, coderman <[EMAIL PROTECTED]> wrote:
> > holy shit, someone actually email'ed me off list asking for details of
> > this "explioit" !!!
>...
> You FOOL!!
>
> You're playing with fire. Fire that cannot be p
Their abuse policy of course!
Last week a client's server was being attacked (some old Tomcat5 vuln)
and used to attack other servers (ssh login guessing). The results of
these dictionary attacks were being mailed to the address
'[EMAIL PROTECTED]':
cat vuln.txt |mail -s "Lame Gang Us Roots" [EM
holy shit, someone actually email'ed me off list asking for details of
this "explioit" !!!
bwahahaha... heheh.. *snif*
god, my side hurts.
please, before giving further conniptions, refer yourself kindly to rfc
particularly "...://:@:/" for uri's...
On Feb 6, 2008 2:28 AM, coderman <[EMAIL
On Feb 4, 2008 1:25 PM, reepex <[EMAIL PROTECTED]> wrote:
> ... all you have triggered is normal
> behavior for auto logging into .htaccess protected
they apparently cannot hear you, reepex.
perhaps if you had IM and E-mail contact with some of Yahoo's top
security advisors and security engineers
On Feb 5, 2008 3:23 PM, Gerardo Di Giacomo <[EMAIL PROTECTED]> wrote:
> JaPCrypt means Javascript and PHP Encryption.
and pwned by eve
(MITM makes this useless)
fun code though. should have read crypto 101 before spending so much time...
best regards,
_
JaPCrypt means Javascript and PHP Encryption.
JaPCrypt is a PHP class whose purpose is to give encrypted
communications over HTTP by using server and client side scripting like
PHP and Javascript.
This project has been started because not every hosting provider gives
HTTPS access, thus not ha
rPath Security Advisory: 2008-0040-1
Published: 2008-02-05
Products:
rPath Linux 1
Rating: Minor
Exposure Level Classification:
Deterministic Weakness
Updated Versions:
[EMAIL PROTECTED]:1/5.0.51a-0.2-1
[EMAIL PROTECTED]:1/5.0.51a-0.2-1
[EMAIL PROTECTED]:1/5.0.51a-0.2-1
rPath
39 matches