lists.openwall.net: Open Source and information security mailing list archives
Message-ID: <0H6Z006DZ5DRHN@smtp2.clear.net.nz>
From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: CORE-20021005: Vulnerability Report For Li

AARG! Anonymous <remailer@...g.net> wrote:

> At 08:10 PM 12/10/02 -0300, CORE Advisories wrote:
> >Many Linksys' network appliances have a remote administration and
> >configuration interface via HTTP, either from the local network,
> >or, if it's enabled, from any host across the internet.
> 
> I just want to make sure I've got this right:
> 
> It comes with secure defaults.
> 
> But if I decide to open it up, it's not secure any more.
> 
> Gee, I wonder what other products could be configured into an
> insecure state and boilerplated into an advisory?
> 
> And would iDefense pay me for them?

I don't see why not.

It seems iDefense staff have very short memories and cannot even run
Google searches of obvious terms from the advisories they are
apparently so eager to buy.  For example, their recent Eudora
advisory was obviously a trivial rehash (either unintentional or
otherwise I'll leave to others to decide) of one from much earlier
this year, as acknowledged in an updated advisory posted the next
day.  But the updated advisory did not go further and point out that
in fact, both are really only minor updates to a series of advisories
dating back at least two years, and possibly longer (I got tired of
Googling after finding essentially similar advisories from early 2000
but am fairly sure I recall discussion of similar issues related to
the predictability of the (default) Eudora "detach" directory name
from early 1999 if not even earlier).


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
