Date: Tue, 11 May 2010 02:47:21 +0300
From: "MustLive" <mustlive@...security.com.ua>
To: "Salvatore Fresta aka Drosophila" <drosophilaxxx@...il.com>
Cc: <bugtraq@...urityfocus.com>
Subject: Re: Vulnerabilities in Sebo - webstore

Hello Salvatore!

In my letter to Bugtraq (http://www.securityfocus.com/archive/1/511023),
which was mentioned in my advisory (you can read that letter, if you haven't
read it yet), I wrote about the importance of making separate advisories for
vulnerabilities in software which uses CaptchaSecurityImages.php. And
reading it is very recommended before writing me anything about issues
related to CaptchaSecurityImages.

> Still the same "bugs"?!

Yes, still the same. Same holes in different web applications. As is clearly
stated in my advisory.

With these vulnerabilities in one script which is used (the script itself or
its code) in multiple webapps, which makes them vulnerable, I used the same
approach as with the vulnerabilities in WP-Cumulus. And I already reported to
security mailing lists about vulnerabilities in WP-Cumulus and in other web
applications which are using tagcloud.swf at the end of 2009 and in 2010.

So why are neither you nor other readers of the list asking the question (aka
moaning) about the same vulnerabilities in these webapps - which are all
using vulnerable tagcloud.swf? Why are you and others only moaning about
webapps with CaptchaSecurityImages.php, but not webapps with tagcloud.swf?
And there are a lot of sites (so there are many webapps) with tagcloud.swf,
as is clear from my article XSS vulnerabilities in 34 million flash files
(http://www.webappsec.org/lists/websecurity/archive/2010-01/msg00035.html).

The question is rhetorical and the answer is obvious - it's double
standards. And I wrote in detail about double standards in my letter to
Full-disclosure
(http://lists.grok.org.uk/pipermail/full-disclosure/2010-April/074124.html).
And I recommend for you (and for anyone who has a similar position) to read
that letter first, before writing anything concerning the topic of
vulnerabilities related to CaptchaSecurityImages.

I already wrote about it in my answer to Terry White last week, which I also
CC'd to Bugtraq. But it was not published to the list by the moderator - maybe
because the letter was too long :-) (and it had additional argumentation
against various non-serious statements regarding my advisories).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

----- Original Message ----- 
From: "Salvatore Fresta aka Drosophila" <drosophilaxxx@...il.com>
To: "MustLive" <mustlive@...security.com.ua>
Cc: "Bugtraq" <bugtraq@...urityfocus.com>
Sent: Monday, May 10, 2010 10:13 PM
Subject: Re: Vulnerabilities in Sebo - webstore


> 2010/5/8 MustLive <mustlive@...security.com.ua>:
>> Hello Bugtraq!
>>
>> I want to warn you about security vulnerabilities in e-commerce system
>> Sebo - webstore.
>>
>> In this advisory I'm continuing to inform readers of mailing lists about
>> vulnerable web applications which are using CaptchaSecurityImages.php.
>>
>
> Still the same "bugs"?! A question: if you find (ad absurdum) a bug in
> the printf C function, will you send an e-mail for each piece of software
> that uses it?
>
> -- 
> Salvatore Fresta aka Drosophila
> http://www.salvatorefresta.net
> CWNP444351
