[Full-disclosure] Vulnerability is in response



Hello full-disclosure!!

I is like to warn you about rhetoric and annoyance nuisance. Is once
upon a time MustLive has maybe is one exploit to is make me say "черт
возьми!" howisever MustLive is how you say? pička in Croatia.

Is I top post for annoy:

1) MustLive is lonely pička with is one to many copy of cracked
Accunetix is run in background to report to full disclosure (hi is
look at me, I find vuln no one is care about!!)

2) Is vuln he find are old news to many who choose is not to release
lame advisory (is especially those future advisory of his)

3) Is every so often I is want to kick him in teeth and say "is shut
up puto sucio"

Your guess is wrong. MustLive is point and click-kiddiot (TM) who is
never discovery real vulnerability and is not even know what is EAX
(is hint not to be confused with is LAX airport)

4) Is stop feeding troll

On Thu, Feb 17, 2011 at 1:29 PM, Zach C. <fxchip@xxxxxxxxx> wrote:
Well, just playing devil's advocate here, mind you, I think much of the
irritation from MustLive's postings comes from the following three reasons:

1.) MustLive is primarily a web-application specialist (for the sake of
argument)
2.) The vulnerabilities he finds are of a class of vulnerabilities that are
most common in his field. (Consider: someone searching for vulnerabilities
in internet services directly and doing the binary analysis will primarily
be finding buffer or stack overflows, right? In web security, XSS and SQL
injection (as well as others I'm undoubtedly forgetting -- I am *NOT*
counting "not using a CAPTCHA" here, see next item) are the most common
vulnerabilities, given the lack of binary code to overwrite)
3.) Every so often he posts a vulnerability of questionable risk in the form
of "anti-automation" which is essentially a fancy way of saying "ha ha they
don't use CAPTCHA." I don't consider that a vulnerability so much as an
opening for annoyance; I suppose your mileage may vary.

My guess is that there's a thought that web apps are far easier to crack at
than binaries, so vulnerabilities are easier to find, therefore don't waste
time finding something that's "useless." That may be, in some cases, but
sometimes a vulnerability in the web app destroys the entire chain, so to
speak.

Thoughts?

-Zach

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
