lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
From: lorenzohgh at nsrg-security.com (Lorenzo Hernandez Garcia-Hierro)
Subject: Supposed SaS "encryption" weak - Coments and Infor about wrong claims

Thanks for the info.
Yeah , i will correct the encoded header ( comment ) now.
But , it's easy to identify the encoding in first view:
1.-browsers doesn't support real time page encryption
because for it you must choose javascript...so
currently are not available fast methods to encrypt pages
in real time and keep the key of encryption secure.
There are libraries like MD5-JS,SHA1-JS , etc for do
encryption in one way: client->client not server->client.
2.-The javascript functions uses simple encoding standard code , that can be
identified with a minimal JS Knowledge.

Best regards to all ;-) ,
PS: I'm working in a md5 file hash system for pages
( yo keep the md5 hashes in a secure file and a script
compares the hashes to the file hashes for check
hacked pages or trojaniced php scripts , a new form
to attack servers that i will to explain in my next paper UWAHCK ).

----- Original Message ----- 
From: "petard" <petard@....lonestar.org>
To: "Lorenzo Hernandez Garcia-Hierro" <lorenzohgh@...g-security.com>
Cc: "Full-Disclosure" <full-disclosure@...ts.netsys.com>
Sent: Wednesday, October 15, 2003 8:10 PM
Subject: Re: [Full-Disclosure] Supposed SaS "encryption" weak - Coments and
Infor about wrong claims


> On Wed, Oct 15, 2003 at 07:05:35PM +0200, Lorenzo Hernandez Garcia-Hierro
wrote:
> > Dear Paul,
> > I've testing your exploit ( good one ) for the supposed html encryption
weak
> > of SaS.
> > I think yo toke the exploit/perl script from a developers site because
SaS
> > is using an standard of encoding,
> > here is the proof :
> > variables for function _fwk_filter_encrypt($content)
> > $table =
"0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_@";
> >   $xor = 165;
> > as you see it's not encryption , so , you didn't cracked nothing....
> > you decoded it !
> Then perhaps you'd like to correct your site. In your source code, you
write:
> <!-- Web Site desing by Lorenzo Hernandez Garcia-Hierro--><!-- Encrypted
using S
> ecurity Application Server of No Secure Root Group Security Research -->
>
> It would appear that Paul was only quoting your term ("encryption" was
enclosed
> in quotation marks within his mail) rather than indicating that he really
> considered it to be encryption.
>
> FWIW, it's completely useless to encode your content in this way. Try an
> even simpler exercise:
> [my version of the "exploit", if you will]
> 1. Visit your site in a browser (I used Mozilla 1.5)
> 2. Choose "Select All" from the "Edit" menu.
> 3. Right-click and choose "View Selection Source".
>
> regards,
> petard
>
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ