| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 4 Nov 2003 10:37:39 -0600 (CST) From: Ron DuFresne <dufresne@...ternet.com> To: advisory@...fiweb.de Cc: "bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>, "full-disclosure@...ts.netsys.com" <full-disclosure@...ts.netsys.com> Subject: Re: Re: Virginity Security Advisory 2003-002 : Tritanium Bulletin Board - Read and write from/to internal (protected) Threads Yes, but, you had to expect this, it had to comeup as the 'group' name was being decided upon. Of course, the debate of virgin state of computers is certainly not a null nor moot issue either, do you know where yer laptop plays afterdark?! Anyways, thanks for the laugh, I look forward to more ribbing as the 'group' parses out more virgins. Thanks, Ron DuFresne On 4 Nov 2003 advisory@...fiweb.de wrote: > Just look for "Virginity Security Advisory 2003-001" > > Besides: We do not secure virgins, our group name is just > Virginity Security Research Center what has nothing to do with the human virginity but with the virginity of computers!! > > Am 03.11.2003 17:53:03, schrieb Ron DuFresne <dufresne@...ternet.com> : > > > > > When did we start securing virgins?!? > > > > Thanks, > > > > Ron DuFresne > > > > On 31 Oct 2003, Virginity Security wrote: > > > > > > > > > > > - - - -------------------------------------------------------------------- > > > Virginity Security Advisory 2003-002 > > > - - - -------------------------------------------------------------------- > > > DATE : 2003-10-31 22:59 GMT > > > TYPE : remote > > > VERSIONS AFFECTED : <== Tritanium Bulletin Board 1.2.3 (http://www.tritanium-scripts.com/) > > > AUTHOR : Virginity > > > - - - -------------------------------------------------------------------- > > > > > > > > > Description: > > > > > > I found a security bug in Tritanium Bulletin Board: > > > Normal Users can read the content of Threads to which they have no access rights! > > > (and can answer to it which may be a problem if the internal forum has the right to insert html code) > > > > > > Author of the Software has been notified. > > > > > > - - - -------------------------------------------------------------------- > > > > > > > > > Example: > > > > > > http://[target].com/[path]/index.php?faction=reply&thread_id=[ID OF THE THREAD TO READ]&forum_id=[ID OF FORUM]&sid=[your sid] > > > > > > Shows the window where The Attacker can answer to the topic and below that a window with the content of the thread!!! > > > The Attacker can easily read all protected Threads since the thread_id is counted for every forum newly so just put from 1 on upwards :-) > > > > > > - - - -------------------------------------------------------------------- > > > > > > > > > Solution: > > > Hey sorry this time i had no time for a solution :-) > > > > > > - - - -------------------------------------------------------------------- > > > > > > > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > > "Cutting the space budget really restores my faith in humanity. It > > eliminates dreams, goals, and ideals and lets us get straight to the > > business of hate, debauchery, and self-annihilation." -- Johnny Hart > > ***testing, only testing, and damn good at it too!*** > > > > OK, so you're a Ph.D. Just don't touch anything. > > > > > > > > ------- > Gesendet mit > Konfiweb.de > >und du siehst die Dinge anders > > > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ "Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart ***testing, only testing, and damn good at it too!*** OK, so you're a Ph.D. Just don't touch anything. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Powered by blists - more mailing lists