lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Sun, 25 Jan 2009 10:27:09 +0000 (UTC)
From: security curmudgeon <jericho@...rition.org>
To: r3d.w0rm@...oo.com
Cc: bugtraq@...urityfocus.com
Subject: Re: munky-bliki lfi


On Fri, 15 Aug 2008, r3d.w0rm@...oo.com wrote:

(pardon the late reply)

: #!user/bin/python
: # -*- coding: cp1256 -*-
: #####################################################################################
: ####                               munky-bliki Lfi                               ####
: #####################################################################################
: #                                                                                   #
: #AUTHOR : IRCRASH (R3d.W0rm (Sina Yazdanmehr))                                      #
: #Discovered by : IRCRASH (R3d.W0rm (Sina Yazdanmehr))                               #
: #Our Site : Http://IRCRASH.COM                                                      #
: #IRCRASH Team Members : Dr.Crash - R3d.w0rm (Sina Yazdanmehr)                       #
: #####################################################################################
: #                                                                                   #
: #Script Download : http://kent.dl.sourceforge.net/sourceforge/munky/munky-bliki-0.01a.tar.gz

Googling for "munky-bliki" gets nothing but references to this post.

This is not the first 'sourceforge project' that doesn't exist within a 
month of a vulnerability disclosure.

http://sourceforge.net/search/?type_of_search=soft&words=munky-bliki

Search results in projects found for "munky-bliki"
Search Help
Results 1 - 0 of 0 

If you broaden the search for "munky", you get the page intended I think 
though?:

http://sourceforge.net/projects/munky/

But, you fail to specify:  Last Update: Jan 03 2005

So in essence, you are taking 3+ year old software, that was in version 
0.01a, and posting a vulnerability in it. You do not include the official 
project name (mUnky), home page, release date, affected script or anything 
else that would allow someone to easily validate this finding.

: #DORK : "Copyright © 2004 Dovid Kopel"                                              #

No hits on the first page.

How is it that so many posts to Bugtraq/F-D involve software that doesn't 
appear to exist, or be used by anyone reachable by Google?

: #####################################################################################
: #                           Site : Http://IRCRASH.COM                               #
: ###################################### TNX GOD ######################################

Yet, you can find the time to type in your domain/name at least 4 times in 
this post..

Someone recently pointed out that 'vulnerability disclosures' like this 
may actually be a form of covert broadcast designed to manipulate search 
engines.

Personally, I think any post to Bugtraq should now be screened, and if the 
vendor's home page is not included, drop the post.

How about you spend less time picking 'cool' nicknames, less time 
developing two web sites (ircrash.com, r3dw0rm.ir) and more time posting 
legitimate research that involves less ego.

Thanks!

- jericho

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ