lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CAPMrQTQLYi0s7+Tv6v0BWtchOWj1GAiUp9anZViOEfAoPToB_Q@mail.gmail.com>
Date: Wed, 25 Jan 2012 18:11:18 +0200
From: Julius Kivimäki <julius.kivimaki@...il.com>
To: Benji <me@...ji.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: TWSL2012-002: Multiple Vulnerabilities in
	WordPress

Funny but no, this does not need a non-installed wordpress.

2012/1/25 Benji <me@...ji.com>

> Dear full-disclosure
>
> I wrote to you to tell you about serious serious vulnerability in all
> Windows versions.
>
> If you turn machine on before system is configured, then you be able to
> set user password yourself, big gaping hole!!!!
>
> I make big large botnet to fully utilise this impressive vulnerability!
> thegrugq said i could sell this for liike 3 ferrari's and 1 russian wife, i
> say nay though! Big time russian mobster offer me diamond, i say nay! I
> like report vuln of this size responsibility in so hope to make more
> money^H^H^H^H^H^H^Hsecure world.
>
> Please full-disclosure, this vuln is serious and i plead you shut down all
> windows now.
>
> I wrote metasploit module! It find new installs turned off machine, WOL
> and i go to house and enter password! FULL SYSTEM OWNED! Big botnets! Many
> wifes!
>
>
>
>
> On Wed, Jan 25, 2012 at 2:49 PM, Tim Brown <tmb@...35.com> wrote:
>
>> On Wednesday 25 Jan 2012 15:22:39 Henri Salo wrote:
>>
>> > There is A LOT of these open installation pages in the Internet. It is
>> not
>> > uncommon to leave those open by accident. Some people also do this,
>> > because they just don't understand the risks. I am wondering if
>> WordPress
>> > would apply patch if we create one as a collaborative effort. I would be
>> > more than happy to help creating a patch for this if this is the case.
>>
>> I may have missed something, but does simply having the file exposed make
>> you
>> vulnerable.  From looking at it, it starts of with a bunch of
>> file_exists(),
>> which essentially evaluate if you've installed or not and wp_die() if you
>> have.
>>
>> Tim
>> --
>> Tim Brown
>> <mailto:tmb@...35.com>
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ