Message-ID: <e0h8is$fkd$1@sea.gmane.org>
Date: Thu Mar 30 19:39:08 2006
From: davek_throwaway at hotmail.com (Dave Korn)
Subject: Re: Re: ExplorerXP : Directory Traversal and
	CrossSiteScripting

Julien GROSJEAN - Proxiad wrote:
> A simple Google search returns that :
>
> http://www.phpscripts-fr.net/scripts/script.php?id=933

  That depends on what you mean by "simple".  I just put "ExplorerXP" into 
Google, which I think is about as simple as you can get.  That website 
doesn't show up until the seventh page of results.  (And strangely enough it 
doesn't show up until the /eighth/ page of results at google.fr!)

  So unless you had prior knowledge that it was French (I suppose I could 
perhaps have guessed that from seeing the word 'chemin', but you can't 
assume it's French just because the people reporting the vuln are from 
France), or unless you somehow already knew that the correct spelling had 
"Explorer" and "XP" as two separate words, I think the point remains: *all* 
vuln announcements should say what the software is, where it comes from and 
who makes it.

  After all, for all you know there is /yet another/ PHP package out there 
called ExplorerXp, and it's /that/ one they were talking about.

    cheers,
      DaveK
-- 
Can't think of a witty .sigline today.... 


