lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <70D072392E56884193E3D2DE09C097A91F3F6C@pascal.zaphodb.org>
Date: Sat, 23 May 2009 17:22:18 -0700
From: "Tomas L. Byrnes" <tomb@...neit.net>
To: "Fionnbharr" <thouth@...il.com>,
	Brigette DéFaveur <blosoft@...sultant.com>
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: Re: OWASP LiveCD Vulnerabilities

Next thing you'll be telling us that Webscarab is a virus :-)



>-----Original Message-----
>From: full-disclosure-bounces@...ts.grok.org.uk [mailto:full-disclosure-
>bounces@...ts.grok.org.uk] On Behalf Of Fionnbharr
>Sent: Friday, May 22, 2009 9:06 AM
>To: Brigette DéFaveur
>Cc: full-disclosure@...ts.grok.org.uk; bugtraq@...urityfocus.com
>Subject: Re: [Full-disclosure] OWASP LiveCD Vulnerabilities
>
>THIS IS A PRETTY FUNNY ADVISORY
>
>
>
>
>
>
>
>
>
>
>
>HA HA HA
>
>2009/5/22 "Brigette DéFaveur" <blosoft@...sultant.com>:
>> **************************    bloSOFT   **************************
>> Super Wowzer Hacker Team - Professional Vulnerability Assessments
>>
>>                            BLOsoft Research Team
>>              ------------------------------------------------
>>               Base Level Ops Securing Otherwise Fscked Tech!
>>
>>
>>
>> [POSTING NOTICE]
>> ----------------------------------------------------------------------
>----
>> If you intend on pimping this advisory on your Geocities web page
>please
>> create a clickable link back to our uberhawtness security page and
>include
>> annoying use of the <blink> tag
>>
>> For more information about Hacking finger condor @well.com
>>
>> [Advisory Information]
>> ----------------------------------------------------------------------
>----
>> Contact                         : Brigette DéFaveur
>> Advisory ID                     : BLOSOFT-20090521
>> Product Name                    : WebGoat
>> Product Version                 : All versions
>> Vendor Name                     : OWASP
>> Type of Vulnerability           : Multiple
>> Impact                          : Extremely Critical, like wtf
>critical
>> Vendor Notified                 : 20090521
>>
>> [Product Description]
>> ----------------------------------------------------------------------
>----
>> "The Open Web Application Security Project (OWASP) is a worldwide free
>and
>> open community focused on improving the security of application
>software.
>> Our mission is to make application security visible, so that people
>and
>> organizations can make informed decisions about true application
>security
>> risks."
>>
>> Taken From:
>> http://www.owasp.org/index.php/Main_Page
>>
>>
>> [Technical Summary]
>> ----------------------------------------------------------------------
>----
>> Webgoat is vulnerable to the following attacks:
>>
>> Cross-site Scripting (XSS)
>> Access Control
>> Hidden Form Field Manipulation
>> Parameter Manipulation
>> Session Cookies
>> SQL Injection
>>
>> While performing our advanced superwowzer hackerfying analysis
>discovered
>> that WebGoat is vulnerable to dozens if not billions of attacks if
>they
>> were attacked by attackers.
>>
>>
>> [Impact]
>> ----------------------------------------------------------------------
>----
>> [Impact varies from installation to installation]
>>
>> - Cookie stealing
>> - Cookie harassing
>> - Cookie tampering
>> - Tampering of harassed cookie
>> - Harassing the thief tampering with cookies
>> - High level advanced SQL injection (' or 1=1-- )
>> - High level super advanced XSS <b
>onmouseover=alert('bloSOFT')>OMFG</b>
>> - Improper sanitization of the blink tag
>>
>>
>> [Proof Of Concept]
>> ----------------------------------------------------------------------
>----
>> Download WebGoat and you too can see the trillions of exploits
>affecting
>> this software. We will not pollute the www with another useless filth
>of
>> a program designed to assist in the manipulation of security
>>
>>
>> [Vendor Status and Chronology]
>> ----------------------------------------------------------------------
>----
>>
>> Current Vendor Status:  OWASP has to many members that don't matter.
>>
>> Chronology:
>> 05/21/2009 07:11:57 AM EST - Vulnerabilities Discovered
>> 05/21/2009 07:11:59 AM EST - Vendor Notified
>> 05/21/2009 07:12:18 AM EST - Requested vendor feedback via email
>> 05/21/2009 07:13:23 AM EST - No response from vendor
>> 05/21/2009 07:13:28 AM EST - Began advisory release process
>>
>>
>> [Solution]
>> ----------------------------------------------------------------------
>----
>> Leave Britney alone
>>
>>
>> [Disclaimer]
>> ----------------------------------------------------------------------
>----
>> bloSOFT assumes no liability for the use of the information provider
>in
>> this disclosure. This advisory was released in an effort to prove our
>> worthiness to the I.T. community. Although we may at times attempt to
>> extort or blackmail companies in order to comply with our view of how
>> security should be, we make no intelligent assumptions or decisions in
>> releasing our security advisories.
>>
>>
>> [Advertisement]
>> ----------------------------------------------------------------------
>----
>> bloSOFT is focused on the core commitment to provide the whole wide
>world
>> with security designs and solutions that fit. Our team consists of
>expert
>> level engineers with an array of experience ranging from eggdrop
>shells,
>> running nmap, re-hashing advisories and securitizing maximized
>potential
>> designs with actionable digital intelligence catering to the
>professional
>> hackers. Should you wish to place us at the top of "security review"
>by
>> using an alias please do so. Although we might not be as elite as
>other
>> companies like Netragard, bear in mind, even ImmunitySec isn't as
>elite
>> or as talented as Netragard.
>>
>> http://secreview.blogspot.com/
>>
>>
>> [Greets]
>> ----------------------------------------------------------------------
>----
>> Simone Smithereen - we wub you oh grand masteress
>> Kevin Finkelstein - we be done havin yo back slap mah fro
>> Adrien DéFaveur - my brother, I know you didn't blackmail HP!
>>
>> All the rest - all the best
>>
>>
>>
>>
>> --
>> Be Yourself @ mail.com!
>> Choose From 200+ Email Addresses
>> Get a Free Account at www.mail.com
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ