Message-ID: <20040304065437.26670.qmail@mail.securityfocus.com>
Date: Thu, 4 Mar 2004 01:10:29 -0600
From: "Alun Jones" <alun@...is.com>
To: "'security team 0seen'" <o5een@...mail.com>,
	<bugtraq@...urityfocus.com>
Subject: RE: Wftpd stat Command Remote Vulnerability Exploit


> -----Original Message-----
> From: security team 0seen [mailto:o5een@...mail.com] 
> Sent: Wednesday, March 03, 2004 2:37 AM
> 
> #!/usr/bin/python
> 
> #wftpd exploit, code by OYXin
> 
> #POC and lame python exploit, only test on WFTD pro 3.21.1.1 
> with win2000 cn sp4

Please test this against 3.21.2.1, released 2/29/2003, updated 3/3/2004.

What does your code have to offer over the code already irresponsibly
released by the previous poster?  Does it offer any more information, or is
it simply "a c001er crack"?  Please don't waste my time offering ever cooler
cracks
for the same flaw, especially once the flaw has been patched.  Did you
bother to check and see if it was patched?  Apparently not.  Did you bother
to contact the vendor (me) first?  Definitely not.  In fact, you didn't even
try to contact me _at_all_.  Even the original poster did me that small
favour.

I'm busy trying to keep my users secure.  Either help me in that task, or
don't.  If you help me protect my users, I'll thank you.  If all you're
interested in doing is claiming bragging rights while simultaneously putting
my users at risk, I don't appreciate it in the slightest.

And, not to get on my high horse again, but really, Bugtraq moderators, do
you feel comfortable that you are not contributing to the protection of
users, but are actively involved in removing that protection?

My record speaks for itself, I do not need, and have never needed, the
"persuasion" of having vulnerabilities publicised, with full exploit code.
Vulnerabilities should always be revealed first to the vendor, and some time
given to allow for a reasoned response, rather than publishing the
vulnerabilities and forcing the vendor into a mad scramble to get any patch
out the door quickly.  [Quite frankly, even if my past behaviour _had_ been
shockingly poor, simple courtesy to my users suggests that you at least
_try_ to get my attention to the matter.]

Alun.
~~~~
-- 
Texas Imperial Software   | Find us at http://www.wftpd.com or email
1602 Harvest Moon Place   | alun@...is.com.
Cedar Park TX 78613-1419  | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(512)258-9858 | Try our NEW client software, WFTPD Explorer.
