[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <7e325f890905231746w2c70d85cg9af146c5fb9ac9b7@mail.gmail.com>
Date: Sat, 23 May 2009 20:46:08 -0400
From: "Herman A. Junge" <herman.junge@...il.com>
To: "Tomas L. Byrnes" <tomb@...neit.net>
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: Re: OWASP LiveCD Vulnerabilities
LOL, I thought that the point of that live cd was training for pen-testing.
very funny.
Haj.-
2009/5/23 Tomas L. Byrnes <tomb@...neit.net>
> Next thing you'll be telling us that Webscarab is a virus :-)
>
>
>
> >-----Original Message-----
> >From: full-disclosure-bounces@...ts.grok.org.uk [mailto:full-disclosure-
> >bounces@...ts.grok.org.uk] On Behalf Of Fionnbharr
> >Sent: Friday, May 22, 2009 9:06 AM
> >To: Brigette DéFaveur
> >Cc: full-disclosure@...ts.grok.org.uk; bugtraq@...urityfocus.com
> >Subject: Re: [Full-disclosure] OWASP LiveCD Vulnerabilities
> >
> >THIS IS A PRETTY FUNNY ADVISORY
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >HA HA HA
> >
> >2009/5/22 "Brigette DéFaveur" <blosoft@...sultant.com>:
> >> ************************** bloSOFT **************************
> >> Super Wowzer Hacker Team - Professional Vulnerability Assessments
> >>
> >> BLOsoft Research Team
> >> ------------------------------------------------
> >> Base Level Ops Securing Otherwise Fscked Tech!
> >>
> >>
> >>
> >> [POSTING NOTICE]
> >> ----------------------------------------------------------------------
> >----
> >> If you intend on pimping this advisory on your Geocities web page
> >please
> >> create a clickable link back to our uberhawtness security page and
> >include
> >> annoying use of the <blink> tag
> >>
> >> For more information about Hacking finger condor @well.com
> >>
> >> [Advisory Information]
> >> ----------------------------------------------------------------------
> >----
> >> Contact : Brigette DéFaveur
> >> Advisory ID : BLOSOFT-20090521
> >> Product Name : WebGoat
> >> Product Version : All versions
> >> Vendor Name : OWASP
> >> Type of Vulnerability : Multiple
> >> Impact : Extremely Critical, like wtf
> >critical
> >> Vendor Notified : 20090521
> >>
> >> [Product Description]
> >> ----------------------------------------------------------------------
> >----
> >> "The Open Web Application Security Project (OWASP) is a worldwide free
> >and
> >> open community focused on improving the security of application
> >software.
> >> Our mission is to make application security visible, so that people
> >and
> >> organizations can make informed decisions about true application
> >security
> >> risks."
> >>
> >> Taken From:
> >> http://www.owasp.org/index.php/Main_Page
> >>
> >>
> >> [Technical Summary]
> >> ----------------------------------------------------------------------
> >----
> >> Webgoat is vulnerable to the following attacks:
> >>
> >> Cross-site Scripting (XSS)
> >> Access Control
> >> Hidden Form Field Manipulation
> >> Parameter Manipulation
> >> Session Cookies
> >> SQL Injection
> >>
> >> While performing our advanced superwowzer hackerfying analysis
> >discovered
> >> that WebGoat is vulnerable to dozens if not billions of attacks if
> >they
> >> were attacked by attackers.
> >>
> >>
> >> [Impact]
> >> ----------------------------------------------------------------------
> >----
> >> [Impact varies from installation to installation]
> >>
> >> - Cookie stealing
> >> - Cookie harassing
> >> - Cookie tampering
> >> - Tampering of harassed cookie
> >> - Harassing the thief tampering with cookies
> >> - High level advanced SQL injection (' or 1=1-- )
> >> - High level super advanced XSS <b
> >onmouseover=alert('bloSOFT')>OMFG</b>
> >> - Improper sanitization of the blink tag
> >>
> >>
> >> [Proof Of Concept]
> >> ----------------------------------------------------------------------
> >----
> >> Download WebGoat and you too can see the trillions of exploits
> >affecting
> >> this software. We will not pollute the www with another useless filth
> >of
> >> a program designed to assist in the manipulation of security
> >>
> >>
> >> [Vendor Status and Chronology]
> >> ----------------------------------------------------------------------
> >----
> >>
> >> Current Vendor Status: OWASP has to many members that don't matter.
> >>
> >> Chronology:
> >> 05/21/2009 07:11:57 AM EST - Vulnerabilities Discovered
> >> 05/21/2009 07:11:59 AM EST - Vendor Notified
> >> 05/21/2009 07:12:18 AM EST - Requested vendor feedback via email
> >> 05/21/2009 07:13:23 AM EST - No response from vendor
> >> 05/21/2009 07:13:28 AM EST - Began advisory release process
> >>
> >>
> >> [Solution]
> >> ----------------------------------------------------------------------
> >----
> >> Leave Britney alone
> >>
> >>
> >> [Disclaimer]
> >> ----------------------------------------------------------------------
> >----
> >> bloSOFT assumes no liability for the use of the information provider
> >in
> >> this disclosure. This advisory was released in an effort to prove our
> >> worthiness to the I.T. community. Although we may at times attempt to
> >> extort or blackmail companies in order to comply with our view of how
> >> security should be, we make no intelligent assumptions or decisions in
> >> releasing our security advisories.
> >>
> >>
> >> [Advertisement]
> >> ----------------------------------------------------------------------
> >----
> >> bloSOFT is focused on the core commitment to provide the whole wide
> >world
> >> with security designs and solutions that fit. Our team consists of
> >expert
> >> level engineers with an array of experience ranging from eggdrop
> >shells,
> >> running nmap, re-hashing advisories and securitizing maximized
> >potential
> >> designs with actionable digital intelligence catering to the
> >professional
> >> hackers. Should you wish to place us at the top of "security review"
> >by
> >> using an alias please do so. Although we might not be as elite as
> >other
> >> companies like Netragard, bear in mind, even ImmunitySec isn't as
> >elite
> >> or as talented as Netragard.
> >>
> >> http://secreview.blogspot.com/
> >>
> >>
> >> [Greets]
> >> ----------------------------------------------------------------------
> >----
> >> Simone Smithereen - we wub you oh grand masteress
> >> Kevin Finkelstein - we be done havin yo back slap mah fro
> >> Adrien DéFaveur - my brother, I know you didn't blackmail HP!
> >>
> >> All the rest - all the best
> >>
> >>
> >>
> >>
> >> --
> >> Be Yourself @ mail.com!
> >> Choose From 200+ Email Addresses
> >> Get a Free Account at www.mail.com
> >>
> >> _______________________________________________
> >> Full-Disclosure - We believe in it.
> >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> >> Hosted and sponsored by Secunia - http://secunia.com/
> >>
> >
> >_______________________________________________
> >Full-Disclosure - We believe in it.
> >Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> >Hosted and sponsored by Secunia - http://secunia.com/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists