lists.openwall.net - Open Source and information security mailing list archives
Message-ID: <4a66d85e0809251349x7e272a92vf1daa886802203b5@mail.gmail.com>
Date: Thu, 25 Sep 2008 16:49:21 -0400
From: "Security Teem" <superhax0rs@...il.com>
To: vuldb@...urityfocus.com, vuln@...unia.com, bugs@...uritytracker.com, 
	bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: Worldwide SQL Protocol Advisory

+-++-++-++-++-++-++-++-++-++-++-++-++-++-++-++-++-++-++-++-++-++-+
TSUH-Security
     Security Advisory


Topic:          Multiple SQL Injections
Announced:  2008-09-25
Credits:        UberDuberHax0rx
Affects:        Teh Interweb




I.   Background

TeamSuperUber H@...rifickal, a group of supercomputing collaborative
human superpower elite hackers with a clue, has determined that there
are worldwide vulnerabilities surrounding vast implementations of
websites running SQL. It would seem in our efermal wisdumb of the
inner workings of the OSI layer we have discovered the potential to
inject multiple e-syringes into websites all over the world.

This persistent problem is relevant to programmers and webdevelopers
who cannot conform to our upper strategically placed of infinite
wisdumb associated with technology. We cannot be stopped, nor will we
be hindered from disclosing to the world our intentions of Global
Security Domination in the security realm.


II.   Problem description

The problem exists with the usage of the apostrophe character, which
will now be referred to as "'" or '\'' if using certain shells. The
' character is an omen to escape and has provided malicious hackers,
crackers, slackers and hijackers with an attack vector to thereafter
flood your email with useless advisories.


III.  Impact

Hackers, crackers, slackers, hijackers and governments will in turn
compromise multiple dozens of hundreds and thousands of millions of
servers should the ' character continue to be used on the Internet.


IV.   Workaround

Develop a new character to replace the apostrophe


V.    Solution

Using a flat thin object, preferably a screwdriver, carefully pluck
the apostrophe from your keyboard. This will ensure that in the
event your machine - be it server, laptop or desktop - becomes
compromised, you do not aid anyone in performing SQL injections.

We are now forming a petition to the IEEE and other organizations
to remove the apostrophe as it is as useful as an American penny.
Many people do not know the function of pennies and financial
organizations will not accept pennies as currencies in hopes of
raping you financially on a microscale.

Billions of pennies sit in cars, desks, jars, drawers in unusable
fashion with millions of dollars in value solely because of the
machinations of the financial industry's conspiracy to avoid giving
you the face value of ten thousand pennies you're trying to
deposit. Same holds true for the apostrophe.


VI.   Apostrophe Project

Beginning now, we will scour and download every single program in
this world that uses SQL in order to audit the apostrophe attack
vector. We do so in hopes to not annoy you with utterly meaningless
advisories, sometimes up to twenty a day, but to fill your heart
with the warm thought that there are some superhero hackers left
in this world.

#!/bin/bash
# SLAPDATASS.sh
# Super Leet Apostrophe Project
# Definitely Addressing the Topic
# Always Supporting Security
# (c) 2008

# Placeholder for the advisory generator the script calls but never defined.
genIdiotAdvisory() {
	echo "Generating advisory..."
}

printf "TeamSuperUber H@...rifickal... activate!\n"

# Mirror the site (-m) so that the host-named directory actually exists to cd into.
wget -m http://www.freshcripts.com/ && cd www.freshcripts.com

for x in $(echo "TeamSuperUber H@...rifickal... activate!"); do

	for y in $(find . | grep signin); do

		echo "Ut oh spaghetti0 we bees founded a vuln" && genIdiotAdvisory

	done

done


VII.  Shoutouts

We wish to shout out all the uberhax0rrifickal superstars who
flood our inboxes with vulnerabilities time after time. It
takes a real genius to point us in the right direction and
gives us incentive to go forward facing in the hopes of being
able to properly direct corporations of proper security
posture.

Without all my fellow hax0rrrifickal comrades toiling 24/7
every day of the year, we would not be able to contain the
risk associated with Citibank using say phpBB or IBM using
PHPmyEjeetSuperThingAMajiggyFoofoo

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
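The mechanism the advisory is joking about is real: an apostrophe in user input closes a SQL string literal, and whatever follows is parsed as SQL. The example below is added here and is not part of the original post; it builds a constructed in-memory SQLite table with one sample user and compares a login check that concatenates input into the query text with one that passes the values as bound parameters (and, for completeness, one that relies on the SQL-standard doubling of apostrophes). Table, user name and password are invented for illustration.

```python
import sqlite3


def build_db():
    """Constructed sample data: an in-memory users table with one row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    conn.commit()
    return conn


def vulnerable_login(conn, name, password):
    """String concatenation: an apostrophe in the input terminates the
    literal, so the remainder of the input is executed as SQL."""
    sql = ("SELECT COUNT(*) FROM users WHERE name = '" + name
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0


def escaped_login(conn, name, password):
    """Manual escaping: doubling every apostrophe keeps it inside the
    literal. Works for string literals, but it is easy to forget a
    call site and it does nothing for numeric or identifier contexts."""
    esc_name = name.replace("'", "''")
    esc_pw = password.replace("'", "''")
    sql = ("SELECT COUNT(*) FROM users WHERE name = '" + esc_name
           + "' AND password = '" + esc_pw + "'")
    return conn.execute(sql).fetchone()[0] > 0


def safe_login(conn, name, password):
    """Parameterized query: the statement text is fixed and the values are
    bound separately, so an apostrophe is only ever data."""
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone()[0] > 0


if __name__ == "__main__":
    conn = build_db()
    payload = "' OR '1'='1"   # classic apostrophe-based tautology injection
    print("vulnerable, correct creds :", vulnerable_login(conn, "alice", "s3cret"))
    print("vulnerable, injected pw   :", vulnerable_login(conn, "nobody", payload))
    print("escaped,    injected pw   :", escaped_login(conn, "nobody", payload))
    print("safe,       injected pw   :", safe_login(conn, "nobody", payload))
```

With the payload `' OR '1'='1` the concatenated statement becomes `... AND password = '' OR '1'='1'`; since AND binds tighter than OR, the tautology makes the WHERE clause true for every row and the login succeeds even for a user that does not exist. The parameterized version never re-parses the input, which is why removing the apostrophe from keyboards is not on any real fix list.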
