On Fri, 13 Jul 2012 07:35:13 -0500, Fatherlaptop said:
> No...more like Yoda.
https://plus.google.com/photos/104234302931579992973/albums/5756965881020743937/5756965879525909730
pgpibzlz8hQW4.pgp
Description: PGP signature
___
Full-Disclosure - We bel
Hello list!
After seven previous vulnerabilities in Akismet, here are new holes. They
take place in plugin Akismet for WordPress and it's core-plugin (since
version WP 2.0), so these vulnerabilities concern WordPress itself. This is
the second in series of advisories concerning vulnerabilities in
On Fri, Jul 13, 2012 at 8:35 AM, Fatherlaptop wrote:
> No...more like Yoda.
>
Is Yoda you mean is from Star Wars?
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - h
On Fri, Jul 13, 2012 at 7:23 AM, Gokhan Muharremoglu
wrote:
> Ok. It seems i have to explain this vulnerability's effects with another
> scenario.
>
> This is a real life scenario and i wrote it in a Turkish article for
> National Information Security Portal which is run by TUBITAK.
>
> Article in
Precisely.
tim
On Fri, Jul 13, 2012 at 11:24:37AM -0700, Gage Bystrom wrote:
> Well if I understand Tim correctly you wouldn't need a CA. In the attack he
> mentioned not once do you ever actually look at the ssl content. He's
> talking about redirecting them to plain http and then setting the
Well if I understand Tim correctly you wouldn't need a CA. In the attack he
mentioned not once do you ever actually look at the ssl content. He's
talking about redirecting them to plain http and then setting the session
cookie and redirecting them back. Then when the victim logs on over ssl,
the se
For evil.js you can not open another web site according to policy.
Gökhan Muharremoğlu
On 13 Tem 2012, at 14:57, "Gage Bystrom" wrote:
> Exactly, a niche scenario. I never said it /wasn't/ a vulnerability,
> only that it doesn't warrant the severity you claim.
>
> Also again, a situation whe
Thank you for your interest.
But you are not talking about "the vulnerability". Is this a vulnerability?
YES
So, end of the conversation. I appreciate your suggestions.
I don't care about the scenarios or big fishes. This is a vulnerability and
i am making it to public. I am using it in my penet
No...more like Yoda.
>
>
> --
>
> Message: 1
> Date: Thu, 12 Jul 2012 23:43:31 +0200 (CEST)
> From: "Anonymous Remailer (austria)"
> Subject: [Full-disclosure] 0x00: MustntLive is now give out
> To: full-disclosure@lists.grok
# Exploit Title: Netcat 1.11 Crash POC
# crash:http://imageshack.us/photo/my-images/687/47003227.jpg/
# Date: July 13, 2012
# Author: coolkaveh
# coolka...@rocketmail.com
# https://twitter.com/coolkaveh
# Vendor Homepage: The NT version was written by Weld Pond
# Version: 1.11
# Tested on: window
-
"Speaking of xss your vuln page has one:
http://www.iosec.org/iosec_login_vulnerable.php?user=%3Cscript%3Ealert%28%22
Told%20ya%20so%22%29%3C/script%3E&failed=1"
---
Are you kidding? :) This is an intentionally placed vulnerability. Please
read in
Ok. It seems i have to explain this vulnerability's effects with another
scenario.
This is a real life scenario and i wrote it in a Turkish article for
National Information Security Portal which is run by TUBITAK.
Article in Turkish with scenario =>
http://www.iosec.org/oturum_oncesi_tanimli_cere
PS (is excuse my manner) is no take my message about your is nonsense
personal Tim. MusntLive is most respect Chicken Soldiers and Soldier
Chickens. MusntLive is never discriminate even is against poultry.
MusntLive is support PETA
___
Full-Disclosure -
On 7/13/2012 12:07 PM, Tim wrote:
> Suppose an application runs solely over HTTPS and assigns cookies
> with the secure flag. However, user sessions are assigned before
> login and they don't refresh their session cookies upon user login.
> In this case, users are still vulnerable to MitM:
This
See now this is something I can get behind, as that's a scenario where this
attack can achieve something that arbitary js normally could not do, or at
least I'm more uncertain if other methods would work in that situation, and
its a situation that is going to be reasonably common and not some super
I have not read the PoC. Nor do I care to. However, I do want to
point out one aspect of session fixation that I think many people
overlook, as I think has been indicated by some responses on this
thread. If this is not news to many of you, I appologize. Just
trying to raise awareness.
Suppos
Yes but you live in cave x
On Fri, Jul 13, 2012 at 3:56 PM, Григорий Братислава
wrote:
> On Fri, Jul 13, 2012 at 10:44 AM, Benji wrote:
>
>> Come to Europe, we show you how to party@#!
>
> Is that is what Greeks and Spaniards call this behaviour? Is funny, to
> me is similar to riot.
__
On Fri, Jul 13, 2012 at 10:44 AM, Benji wrote:
> Come to Europe, we show you how to party@#!
Is that is what Greeks and Spaniards call this behaviour? Is funny, to
me is similar to riot.
___
Full-Disclosure - We believe in it.
Charter: http://lists.gr
World is hard, big bully many places. Scary to think that I do nothing
to add to this informative, useful, and sometimes genuinely insightful
list where on a daily basis people restore my faith in humanity and
make me believe that common sense is not dead and that the word
'hacker' is not thrown ar
On Thu, Jul 12, 2012 at 9:15 AM, wrote:
> Benji,
>
> Do you write anything but scathing criticism? I've never seen you
> contribute anything of use to this list. You must be a real pleasure in
> person.
>
s#ritney#enji#g
http://www.youtube.com/watch?v=kHmvkRoEowc
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
___
Mandriva Linux Security Advisory MDVSA-2012:107
http://www.mandriva.com/security/
_
Yay comedy and drama.On Jul 13, 2012, at 02:54 AM, Benji wrote:x On Thu, Jul 12, 2012 at 2:15 PM, wrote: > Benji, > > Do you write anything but scathing criticism? I've never seen you > contribute anything of us
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
___
Mandriva Linux Security Advisory MDVSA-2012:106
http://www.mandriva.com/security/
_
Exactly, a niche scenario. I never said it /wasn't/ a vulnerability,
only that it doesn't warrant the severity you claim.
Also again, a situation where there are better things for an attack to do.
Yes you could do that to grab the session id, or whats stopping you
from writing "javascript;documen
Ok after playing around and re-reading the advisory I was finally able
to get the PoC to work. While it is interesting once your actually see
it work I simply do not believe it warrants the severity you have
described. The man reason why I say this is because any attacker in a
position to modify a
x
On Thu, Jul 12, 2012 at 2:15 PM, wrote:
> Benji,
>
> Do you write anything but scathing criticism? I've never seen you
> contribute anything of use to this list. You must be a real pleasure in
> person.
>
>
> Sent using Hushmail
>
Yes, god Jann, you're such a moron.
On Fri, Jul 13, 2012 at 9:46 AM, Gokhan Muharremoglu
wrote:
> You can find an example page and combined vulnerabilities below URL.
> This example login page is affected by Predefined Post Authentication
> Session ID Vulnerability.
> This vulnerability can lead
You can find an example page and combined vulnerabilities below URL.
This example login page is affected by Predefined Post Authentication
Session ID Vulnerability.
This vulnerability can lead a social engineering scenario or other hijacking
attack scenarios when mixed with other vulnerabilities (
On Wed, Jul 11, 2012 at 11:34:11AM +0300, Gokhan Muharremoglu wrote:
> Vulnerability Name: Predefined Post Authentication Session ID Vulnerability
> Type: Improper Session Handling
> Impact: Session Hijacking
> Level: Medium
> Date: 10.07.2012
> Vendor: Vendor-neutral
> Issuer: Gokhan Muharremoglu
In Re(action to): [Full-disclosure] Full-Disclosure Digest, Vol 89, Issue 15
suspicion of rootkit (Alexandru Balan)
On Thu, Jul 12, 2012 at 1:02 PM, phocean <0...@phocean.net> wrote:
>> * If only you stopped with this weird english.
After analysis of more than 2x(n-1) of MustntLive postings,
I d
http://attrition.org/security/rants/vulnerability-lab/
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
31 matches
Mail list logo