Message-ID: <2df3b0cb0702220500i7c6ee881rdd1aa9316ef77659@mail.gmail.com>
Date: Thu, 22 Feb 2007 10:00:47 -0300
From: M.B.Jr. <marcio.barbado@...il.com>
To: "Andres Riancho" <andres.riancho@...il.com>,
full-disclosure@...ts.grok.org.uk
Subject: Re: phishing sites examples "source code"
On 2/19/07, Juergen Fiedler <juergen@...dlerfamily.net> wrote:
>
> you can't readily get to the source
> code for the form action because it is done in some sort of server
> side scripting (CGI, PHP, ASP, whatever...) that can't readily be
> viewed from the client side.
Can't readily be viewed BUT that part is sort of not-the-problem.
Those obvious server-side scripts Juergen mentioned would most probably
consist of an MVC-like design with persistence function code storing
collected data the simple way: in clear text... Since those fine illegal
gentlemen ain't gathering someone's Internet banking password in order to
encipher them and protect them from this bloodthirsty world...
Thus, concerning traditional phishing sites, the code itself is not really
an issue.
Code starts being problematic the moment potentially damaging load-time
scripts -- say AJAX techniques -- spread.
> That said, I have run into one or two phishers who compromise a site
> (or create a throwaway site themselves), upload their scripts in a
> tarball, install them - and then leave the tarball around for
> posterity to analyze. I kid you not.
> Unfortunately, the only good way to get to that source code is by
> asking the administrator of a compromised site whether they found
> anything that they would be willing to share; going in and poking
> around yourself may put you into a legal position that you'd rather
> not be in.
>
> HTH,
> --j
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
--
Marcio Barbado, Jr.
==============