Re: [Full-Disclosure] @(#)Mordred Security Notice - exporing the hacking websites

From: morning_wood (se_cur_ity_at_hotmail.com)
Date: 05/06/03

    To: "Sir Mordred" <mordred@s-mail.com>, <bugtraq@cgisecurity.net>
    Date: Mon, 5 May 2003 19:31:10 -0700
    

     Do not deny this man his freedom to speak his mind, especially about
    security flaws. The "errors" he pointed out are freely available to view, I
    have seen similar errors on many websites. Sir Mordred is merely selecting
    from a plethora of servers that exhibit the same type of errors.

    Did we not just have a horrible war for FREEDOM? or did I dream of people
    being killed?

    my 2 bitz

    morning_wood
    http://exploit.wox.org
    ----- Original Message -----
    From: "Sir Mordred" <mordred@s-mail.com>
    To: <bugtraq@cgisecurity.net>
    Cc: <full-disclosure@lists.netsys.com>
    Sent: Monday, May 05, 2003 5:25 PM
    Subject: Re: [Full-Disclosure] @(#)Mordred Security Notice - exporing the
    hacking websites

    > Hi,
    >
    > >While this is amusing, I'm hoping you tell them before you post these?
    >
    > Actually no. There are several reasons for this:
    > 1) I failed to contact some of them, so decided to share the
    > common behavior for all of them (i.e. don't tell)
    > 2) These are REAL world examples - that means you can see that they are
    > present, they should show the state of web app security (you probably
    > read enough pdf's on web app security, on sql injection ... etc... )
    > If it has been fixed, who can tell that I am telling the truth about the
    > vulnerabilities?
    >
    > Again, reading this notice and the notices
    > which will be released in the near future, you may think -
    > damn, these guys gonna teaching me security?
    > even teaching web application security?
    > wait, what? they are releasing web app assessment tools and doing web app
    > assessment for the money? ...
    > Hmm, they should run these elite tools of their websites!
    >
    > >If you legally post
    > >this type of information knowing others will be abusing it you might find
    > >yourself in some legal
    > >trouble down the road.
    >
    > Well, i know that.
    > But what is better?
    > Let me freely post such kind of information or see it on a
    > full-disclosure from some unknown subscriber/haxor?
    > Or don't know that someone already using these vulnerabilities for
    > months and owning website?
    >
    > Also i hope that the community will not use this information
    > for harm, only for fun maybe :-)...
    >
    > Best regards,
    > // Sir Mordred
    >
    > _______________________________________________
    > Full-Disclosure - We believe in it.
    > Charter: http://lists.netsys.com/full-disclosure-charter.html
    >