Date: Wed, 25 Jan 2012 22:19:27 +0000
From: Dave <mrx@...pergander.org.uk>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Faux Anonymous hackers to Facebook: 'We're not playing'

On 25/01/2012 20:16, adam wrote:
> If we cared, we'd visit that site of our own volition. Secondly, even if we
> were interested: most of the people on these lists are intelligent enough
> not to click on links from spammers. Third, even if the content were
> interesting, even if this were the place for it and even if you hadn't
> spammed: "pay and register" is incentive enough for me *not* to join and *
> not* to ever visit that site again.
> 
> Short version: the purpose of this list isn't for you to spam your new
> state-of-the-art website. Instead, it's typically to discuss/disclose
> issues/concepts related to computer/network security. Once in a while,
> there are discussions about the overflowing stupidity that some site
> owners/coders have. For example, people that stupidly (and blindly) inject
> code (e.g. for tracking purposes) into every single file on their site,
> regardless of extension:
> 
> http://www.karmacyberintel.net/robots.txt
> 
> Another one is blatantly disclosing paths in robots.txt that aren't even
> linked to and would never be found anyway (at least by bots that honor
> robots.txt, which ends up being the exact opposite of the desired effect).
> An example of how/why this can be a problem:
> 
> md5sum of tiny_mce.js off your server is 9754385dabfc67c8b6d49ad4acba25c3,
> if we perform a simple Google search - we can determine that you're likely
> running version 3.3.1 of Wordpress. From there, we have enough information
> to perform a targeted attack on your server. Except, we don't need to
> because you've already made it more than easy enough for us.
> 
> Pretty much every single field on http://www.karmacyberintel.net/pay/ is
> vulnerable to SQL injection, which could easily allow anyone to completely
> compromise the database and possibly the entire site. On top of that,
> register.php also allows for session fixation attacks, as a result of
> header/cookie manipulation. If that weren't bad enough, the admin section
> for your karma theme is also vulnerable to cross-site scripting.
> 
> Not to mention, all the problems with how you've configured SSL and
> everything else. If you're going to spam, at least make sure the website
> you're spamming has been tested and determined to be *somewhat* secure.
> 
Thanks for the smile.

If one is not certain that one's own house is not made of glass, it's best to not throw stones.

D
> 
> On Tue, Jan 24, 2012 at 11:31 PM, karma cyberintel <
> karmacyberintel1@...il.com> wrote:
> 
>> *UPDATE* After attacking several government sites to protest
>> controversial US legislation in past weeks, hacktivist group Anonymous is
>> setting its sights on one of the Internet's biggest targets: Facebook. Or
>> maybe not.
>>
>> Sources from karmacyberintel.net
>>
>> for more details
>>
>>
>> http://www.karmacyberintel.net/2012/01/faux-anonymous-hackers-to-facebook-were-not-playing/
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
