Open Source and information security mailing list archives
 
Date: Tue, 1 Jan 2013 19:51:36 +0000
From: Benji <me@...ji.com>
To: some one <s3cret.squirell@...il.com>
Cc: Full-Disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Re: BF, CSRF,
	and IAA vulnerabilities in websecurity.com.ua

I was asking for your opinion.


On Tue, Jan 1, 2013 at 7:31 PM, some one <s3cret.squirell@...il.com> wrote:

> If you reread what I posted you will see that I do not give my opinion on
> the quality of his posts. I will keep that to myself, I just state that it's
> better than dude's (and your) troll posts.
>
> Regards
> On Jan 1, 2013 3:04 PM, "Benji" <me@...ji.com> wrote:
>
>> So you would say, that you find the things he posts "of interest"?
>>
>> Please expand on how and why anti-automation bugs in unknown CMSs are
>> "of interest"?
>>
>>
>> On Mon, Dec 31, 2012 at 11:58 PM, some one <s3cret.squirell@...il.com> wrote:
>>
>>> If you do not like or find of interest what the guy posts, is it not
>>> easier to just press delete or filter him out rather than try to make fun
>>> of him?
>>>
>>> Give the dude a break man, he's submitting more things of interest than
>>> you are and you just make yourself sound bitter and twisted.
>>>
>>> It's new year man, go out and drink a beer or eat some fireworks
>>> On Dec 31, 2012 5:17 PM, "Julius Kivimäki" <julius.kivimaki@...il.com>
>>> wrote:
>>>
>>>> Hello list!
>>>>
>>>> I want to warn you about multiple extremely severe vulnerabilities in
>>>> websecurity.com.ua.
>>>>
>>>> These are Brute Force and Insufficient Anti-automation vulnerabilities
>>>> in websecurity.com.ua. These vulnerabilities are very serious and could
>>>> affect millions of people.
>>>>
>>>> -------------------------
>>>> Affected products:
>>>> -------------------------
>>>>
>>>> Vulnerable are all versions of websecurity.com.ua.
>>>>
>>>> ----------
>>>> Details:
>>>> ----------
>>>>
>>>> Brute Force (WASC-11):
>>>>
>>>> In the ftp server (websecurity.com.ua:21) there is no protection from
>>>> Brute Force attacks.
>>>>
>>>> Cross-Site Request Forgery (WASC-09):
>>>>
>>>> Lack of captcha in login form (http://websecurity.com.ua:21/) can be
>>>> used for different attacks - for CSRF-attack to login into account
>>>> (remote login - to conduct attacks on vulnerabilities inside of account),
>>>> for automated entering into account, for phishing and other automated
>>>> attacks. Which you can read about in the article "Attacks on unprotected
>>>> login forms"
>>>> (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2011-April/007773.html).
>>>>
>>>> Insufficient Anti-automation (WASC-21):
>>>>
>>>> In the login form there is no protection against automated requests,
>>>> which allows picking up logins in an automated way by attacking the
>>>> login function.
>>>>
>>>> ------------
>>>> Timeline:
>>>> ------------
>>>>
>>>> 2012.06.28 - announced at my site about websecurity.com.ua.
>>>> 2012.06.28 - informed developers about the first part of
>>>> vulnerabilities in websecurity.com.ua.
>>>> 2012.06.30 - informed developers about the second part of
>>>> vulnerabilities in websecurity.com.ua.
>>>> 2012.07.26 - announced at my site about websecurity.com.ua.
>>>> 2012.07.28 - informed developers about vulnerabilities in
>>>> websecurity.com.ua and reminded about previous two letters I had sent
>>>> to them with carrier pigeons.
>>>> 2012.07.28-2012.10.31 - multiple attempts to contact the owners of
>>>> websecurity.com.ua were ignored by the owners.
>>>> 2012.11.02 - developers responded "fuck off and kill urself irl!".
>>>> 2012.12.31 - disclosed on the list
>>>>
>>>> Best wishes & regards,
>>>> MustLive
>>>> Security master extraordinaire, master sysadmin
>>>> http://websecurity.com.ua
>>>>
>>>> _______________________________________________
>>>> Full-Disclosure - We believe in it.
>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>
>>>
>>>
>>
>>


