lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <AANLkTik2NKK-ED3OVyz42kx7mO5rar0pu2cN7p0Uiic9@mail.gmail.com>
Date: Thu, 17 Feb 2011 10:29:12 -0800
From: "Zach C." <fxchip@...il.com>
To: Eyeballing Weev <eyeballing.weev@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Vulnerability in reCAPTCHA for Drupal

Well, just playing devil's advocate here, mind you, I think much of the
irritation from MustLive's postings comes from the following three reasons:

1.) MustLive is primarily a web-application specialist (for the sake of
argument)
2.) The vulnerabilities he finds are of a class of vulnerabilities that are
most common in his field. (Consider: someone searching for vulnerabilities
in internet services directly and doing the binary analysis will primarily
be finding buffer or stack overflows, right? In web security, XSS and SQL
injection (as well as others I'm undoubtedly forgetting -- I am *NOT*
counting "not using a CAPTCHA" here, see next item) are the most common
vulnerabilities, given the lack of binary code to overwrite)
3.) Every so often he posts a vulnerability of questionable risk in the form
of "anti-automation" which is essentially a fancy way of saying "ha ha they
don't use CAPTCHA." I don't consider that a vulnerability so much as an
opening for annoyance; I suppose your mileage may vary.

My guess is that there's a thought that web apps are far easier to crack at
than binaries, so vulnerabilities are easier to find, therefore don't waste
time finding something that's "useless." That may be, in some cases, but
sometimes a vulnerability in the web app destroys the entire chain, so to
speak.

Thoughts?

-Zach

(P.S. Still just playing devil's advocate; sometimes they get to annoy the
crap out of me too.)



On Thu, Feb 17, 2011 at 9:57 AM, Eyeballing Weev
<eyeballing.weev@...il.com>wrote:

> It's either he floods f-d with his "vulnerabilities" or he has to go out
> in the real world to farm dirt for export to the West.
>
> On 02/17/2011 12:54 PM, Zach C. wrote:
> > fucking *two days*? Is that even enough time for the vendor to
> acknowledge?
> >
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ