| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 23 Jul 2007 00:39:11 +0530 From: "Debasis Mohanty" <debasis.mohanty.listmails@...il.com> To: warl0ck@...aeye.org Cc: full-disclosure@...ts.grok.org.uk, websecurity@...appsec.org Subject: Re: [CVE 2007-3816] [Advisory] Vulnerability Facts Related JWIG Advisory >> Hence kindly do not entertain any more bogus from secniche, also i don't understand >> what in the world are the CVE maintainers doing. this is not first time a CVE been assigned to a fake claims. Since FD has become a short cut to fame, history has proven that many clowns in the past had their fake claim promoted by getting a CVE tagged. It is understood that with more are more exponentially replicating clowns in the industry it is hard for mitre to validate all vague claims. -d On 7/22/07, Pranay Kanwar <warl0ck@...aeye.org> wrote: > Reply from the developer of JWIG regarding "Hack Annotations in JWIG" by secniche.org > > > Hi Pranay (cc to "SecNiche"), > > Thank you for bringing this to our attention. I have now read this document "Hack Annotations in JWIG", and I must admit that I have never seen so > much bogus in so few pages ever before. Is this a (bad) joke?? It seems that the author Aditya K Sood (a.k.a. Bubba Gump?) has completely > misunderstood the processing model of web communication in general and JWIG in particular. JWIG is a research project exploring new ways of > programming web applications. JWIG programs run on the server, and the JWIG system obviously does not by itself provide any means for attackers to > control which code is being executed on the server. This means that all the example "attacks" described in this report seem to assume that the > attacker is the service programmer, which clearly doesn't make much sense. > I hope that anyone reading a report like "Hack Annotations in JWIG" quickly will see that it is all bogus. However, I would naturally prefer that > "SecNiche" would withdraw these absurd claims whereever they have been published. > > Regards, > Anders > > > Pranay Kanwar wrote: > > Hello, > > > > > > I would like to bring to your notice the following claims regarding the bogus > > security problems in JWIG. > > > > > > http://lists.grok.org.uk/pipermail/full-disclosure/2007-July/064768.html > > http://www.securityfocus.com/archive/1/474156/30/0/threaded > > http://www.webappsec.org/lists/websecurity/archive/2007-07/msg00022.html > > http://www.secniche.org/papers/HackAnnotationsInJWIG.pdf > > > > Kindly comment on these, I would request this as this makes wrong assumptions > > and will hinder the usage of JWIG technology. > > > > I have also negated the claims myself. > > > > Regards > > > > warl0ck // MSG > > > -- > Anders Moeller > amoeller@...cs.dk > http://www.brics.dk/~amoeller > > Hence kindly do not entertain any more bogus from secniche, also i don't understand what in the > world are the CVE maintainers doing. > > > warl0ck // MSG > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists