lists.openwall.net: Open Source and information security mailing list archives
Message-ID: <20031015181008.GA7805@SDF.LONESTAR.ORG>
From: petard at sdf.lonestar.org (petard)
Subject: Supposed SaS "encryption" weak - Comments and Info about wrong claims

On Wed, Oct 15, 2003 at 07:05:35PM +0200, Lorenzo Hernandez Garcia-Hierro wrote:
> Dear Paul,
> I've been testing your exploit (good one) for the supposed HTML encryption weakness
> of SaS.
> I think you took the exploit/Perl script from a developer's site because SaS
> is using a standard encoding,
> here is the proof:
> variables for function _fwk_filter_encrypt($content)
> $table = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_@";
>   $xor = 165;
> as you see it's not encryption, so you didn't crack anything...
> you decoded it!
Then perhaps you'd like to correct your site. In your source code, you write:
<!-- Web Site desing by Lorenzo Hernandez Garcia-Hierro--><!-- Encrypted using Security Application Server of No Secure Root Group Security Research -->

It would appear that Paul was only quoting your term ("encryption" was enclosed
in quotation marks within his mail) rather than indicating that he really
considered it to be encryption.

FWIW, it's completely useless to encode your content in this way. Try an
even simpler exercise:
[my version of the "exploit", if you will]
1. Visit your site in a browser (I used Mozilla 1.5)
2. Choose "Select All" from the "Edit" menu.
3. Right-click and choose "View Selection Source".

regards,
petard
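To make concrete why a fixed 64-character table and a constant XOR give no confidentiality, here is an added Python reconstruction; it is not SaS's code, and since the real `_fwk_filter_encrypt` routine is not shown in the thread, the base64-style 6-bit grouping is an assumption. The decoder needs nothing secret, and a single known plaintext byte (an HTML document starts with `<`) reveals the XOR constant even if it had been kept private.

```python
# Assumed reconstruction of a table-plus-XOR "encryption" filter, for illustration
# only; the grouping of bytes into 6-bit symbols is a guess, not the product's code.
TABLE = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_@"  # from the post
XOR_KEY = 165                                                               # from the post


def encode(text: str) -> str:
    """XOR every byte with the constant, then emit 6-bit groups via TABLE."""
    data = bytes(b ^ XOR_KEY for b in text.encode("utf-8"))
    bits = "".join(f"{b:08b}" for b in data)
    bits += "0" * (-len(bits) % 6)          # zero-pad the last 6-bit group
    return "".join(TABLE[int(bits[i:i + 6], 2)] for i in range(0, len(bits), 6))


def decode(encoded: str) -> str:
    """Inverse of encode(). Uses only public values: the table and the constant."""
    bits = "".join(f"{TABLE.index(c):06b}" for c in encoded)
    nbytes = len(bits) // 8                 # trailing padding bits are dropped
    data = bytes(int(bits[i * 8:i * 8 + 8], 2) ^ XOR_KEY for i in range(nbytes))
    return data.decode("utf-8")


def recover_xor_key(encoded: str, known_first_byte: int = ord("<")) -> int:
    """Show why a constant XOR is not a key: one known plaintext byte
    (HTML begins with '<') XORed with the first decoded byte gives the constant,
    so even a 'secret' constant offers no protection."""
    bits = "".join(f"{TABLE.index(c):06b}" for c in encoded)
    first_obfuscated_byte = int(bits[:8], 2)
    return first_obfuscated_byte ^ known_first_byte


if __name__ == "__main__":
    page = "<!-- constructed sample page -->"   # constructed input, not from the thread
    blob = encode(page)
    print(blob)
    print(decode(blob))                         # round-trips with no secret involved
    print(recover_xor_key(blob))                # prints 165
```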
