On Thu, 24 Feb 2011 11:24:22 EST, jf said:
>(how come no one ever points out that rate-limiting failed logins is probably
> more important than password complexity?)
We once had an incident where after the guy whacked the box, he intentionally
spammed the box with more incorrect logins, just so wh
> I'm the first one among many who want to learn RE and low level things,
> but I think both of the sides are complex enough.
>
I am not sure if you follow the teachings of Fredrick Diggle but, to
paraphrase, you may imagine security as a disc. On one side you have web app
security (for illustrative
PHPShop 0.8.1 <= | Cross Site Scripting Vulnerability
1. OVERVIEW
The PHPShop 0.8.1 and lower versions are currently vulnerable to Cross
Site Scripting.
2. BACKGROUND
PHPShop is a PHP-powered shopping cart appli
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
CA20110223-01: Security Notice for CA Host-Based Intrusion Prevention
System
Issued: February 23, 2011
Updated: February 24, 2011
CA Technologies support is alerting customers to a security risk
associated with CA Host-Based Intrusion Prevention
Hi,
Here's some details on glibc alloca()-based memory corruption that Cris
Neckar and I unearthed whilst looking into a Chromium bug last year:
http://scarybeastsecurity.blogspot.com/2011/02/i-got-accidental-code-execution-via.html
Cheers
Chris
RFC3986 marks both # and ! as reserved characters (sec 2.2); from a skim
read, # is used for fragment identification (somewhere in sec 3) and there
is a small note on ! ' and " at the end of the document. More a standards
issue than a security issue.
Also, what he'd quoted !# is not the "shebang"
It's change. And change is scary.
(Seriously, nothing wrong with hashbang, except perhaps a slightly
increased risk of CSRF from people forgetting, yes, the web's broken
session management is still broken even with client side JS page
assembly.)
On Wed, Feb 23, 2011 at 2:51 PM, Security Consciou
Could someone please have a look at these twitter posts:
http://twitter.com/#!/achitnis/status/40444144992260096
http://twitter.com/#!/achitnis/status/40447225658228736
http://twitter.com/#!/achitnis/status/40450742326140928
and explain why the presence of #! in URLs would freak out ANY securit
Greetings Full Disclosure:
Netragard, LLC is currently looking to introduce new researchers into the
Exploit Acquisition Program.
This program is designed to acquire viable and functional 0-day exploits and
vulnerability information
from the security community. We are only interested in work
So far off base you have no idea, check the email address and domain..
You have just been trolled fine sir and a lame troll at that..
-----Original Message-----
From: full-disclosure-boun...@lists.grok.org.uk
[mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Brandon McGinty
Sent:
On Thu, Feb 24, 2011 at 12:27:29PM -0500, jf wrote:
> On Thu, Feb 24, 2011 at 01:20:32PM -0800, Michal Zalewski wrote:
> > >> this is only true for remote attackers hitting network service auth.
> > > Mhmm, and runas, su et al couldn't benefit from this?
> >
> > Not a whole lot. You can likely t
On Thu, Feb 24, 2011 at 01:20:32PM -0800, Michal Zalewski wrote:
> >> this is only true for remote attackers hitting network service auth.
> > Mhmm, and runas, su et al couldn't benefit from this?
>
> Not a whole lot. You can likely tell a successful login from a failed
> one within several milis
>> this is only true for remote attackers hitting network service auth.
> Mhmm, and runas, su et al couldn't benefit from this?
Not a whole lot. You can likely tell a successful login from a failed
one within several milliseconds by watching /proc or so.
/mz
> this is only true for remote attackers hitting network service auth.
Mhmm, and runas, su et al couldn't benefit from this?
> better to assume they've got your hashes and you're racing the
> rainbows, dicts, and CUDAs for longevity...
Not that assuming you're popped/gonna get popped and acting
This Saturday the first class will be held in a dual format, Online and
In-person, so as not to leave out those who cannot come to the course in person
When? This Saturday, February 26
What time? We start at 15:00 and finish at 18:00
Course: Practical Penetration Testing
Topics to be covered: the
On Thu, Feb 24, 2011 at 8:24 AM, jf wrote:
> ... how come no one ever points out that rate-limiting failed logins is
> probably more important than password complexity?
this is only true for remote attackers hitting network service auth.
better to assume they've got your hashes and you're raci
> "Doing security" really isn't that hard. Behind all the fancy appliances
> and gee-whiz technology, the underlying principle is, don't unnecessarily
> expose your assets to attack.
eyeroll, thanks for the clarification.
> This boils down to a few simple things:
> 1) Don't allow users to cr
--On February 22, 2011 9:11:30 AM -0800 Michal Zalewski
wrote:
>> I mean, if these are the security industry's geniuses, why, what would
>> the writers of Stuxnet be?
>
> ...seriously?
>
>> Disclosing how their epic story simply involved SQLi, well, what about
>> the guys discovering 0days in na
Hello list!
I want to warn you about Cross-Site Scripting vulnerability in Cumulus for
Drupal.
Affected products:
Vulnerable are Cumulus 6.x-1.4 and previous versions and 5.x-1.1 and
previous versions.

Details:
This XSS
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Mandriva Linux Security Advisory MDVSA-2011:037
http://www.mandriva.com/security/
On Wed, Feb 23, 2011 at 2:09 PM, Michele Orru wrote:
> --
> Chris Evans
> February 23, 2011 1:35 AM
>
> On Tue, Feb 22, 2011 at 2:42 PM, Michal Zalewski wrote:
>
>> > Also, I would say that even though randomly prodding exec arguments
>> > with As isn't so el