Message-ID: <2FE3228499A87F47ADF0B903A063D7450577A47E@bdo-syd-nt-02.bdonsw.local>
Date: Wed, 8 Mar 2006 06:04:40 +1100
From: "Craig Wright" <cwright@...syd.com.au>
To: <unknown.pentester@...il.com>, <bugtraq@...urityfocus.com>
Subject: RE: Purple Paper: Exegesis Of Virtual Hosts Hacking
Hello,
A quick peer review of the paper. First it is too simplistic.
You have not provided a detailed methodology nor any way of repeating/verifying the data.
You have defined no method of detailing where virtual hosts are on separate virtual machines, CHROOT environments, hardware cards, through accelerators etc.
"All these techniques are absolutely legal." Without detailing the techniques this cannot be determined. Also, accessing a host without permission, even if they have not secured it, is still illegal (right or wrong).
Your conclusion may be one I agree with, but for the wrong reasons. The conclusion does not follow from the evidence in the paper.
Lastly, the tools you have used and included have a high level of false positives. No mention of this, nor of any measures to reduce error, has been made.
Regards
Craig
-----Original Message-----
From: unknown.pentester@...il.com [mailto:unknown.pentester@...il.com]
Sent: Wed 8/03/2006 4:53 AM
To: bugtraq@...urityfocus.com
Cc:
Subject: Purple Paper: Exegesis Of Virtual Hosts Hacking
What: Purple paper on discovery and exploitative vhost hacking techniques.
Whom (target audience): pentesters.
Where:
http://public.gnucitizen.org/papers/exegesis.pdf
http://www.ikwt.com/projects/exegesis.pdf