[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <AANLkTik2NKK-ED3OVyz42kx7mO5rar0pu2cN7p0Uiic9@mail.gmail.com>
Date: Thu, 17 Feb 2011 10:29:12 -0800
From: "Zach C." <fxchip@...il.com>
To: Eyeballing Weev <eyeballing.weev@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Vulnerability in reCAPTCHA for Drupal
Well, just playing devil's advocate here, mind you, I think much of the
irritation from MustLive's postings comes from the following three reasons:
1.) MustLive is primarily a web-application specialist (for the sake of
argument)
2.) The vulnerabilities he finds are of a class of vulnerabilities that are
most common in his field. (Consider: someone searching for vulnerabilities
in internet services directly and doing the binary analysis will primarily
be finding buffer or stack overflows, right? In web security, XSS and SQL
injection (as well as others I'm undoubtedly forgetting -- I am *NOT*
counting "not using a CAPTCHA" here, see next item) are the most common
vulnerabilities, given the lack of binary code to overwrite)
3.) Every so often he posts a vulnerability of questionable risk in the form
of "anti-automation" which is essentially a fancy way of saying "ha ha they
don't use CAPTCHA." I don't consider that a vulnerability so much as an
opening for annoyance; I suppose your mileage may vary.
My guess is that there's a thought that web apps are far easier to crack at
than binaries, so vulnerabilities are easier to find, therefore don't waste
time finding something that's "useless." That may be, in some cases, but
sometimes a vulnerability in the web app destroys the entire chain, so to
speak.
Thoughts?
-Zach
(P.S. Still just playing devil's advocate; sometimes they get to annoy the
crap out of me too.)
On Thu, Feb 17, 2011 at 9:57 AM, Eyeballing Weev
<eyeballing.weev@...il.com>wrote:
> It's either he floods f-d with his "vulnerabilities" or he has to go out
> in the real world to farm dirt for export to the West.
>
> On 02/17/2011 12:54 PM, Zach C. wrote:
> > fucking *two days*? Is that even enough time for the vendor to
> acknowledge?
> >
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists