Dailydave mailing list archives
Re: SquirrelMail GPG Plugin vuln
From: Charles Miller <cmiller () securityevaluators com>
Date: Mon, 9 Jul 2007 08:46:29 -0500
Isn't that always the point when you sell a vulnerability in an open source software? If I want to sell you a lighttpd remote exploit and you trust me then you know that such a thing exists and you will most probably invest more time in finding it yourself. The knowledge that something exploitable really exists is a good motivation to find it.
The problem extends beyond open source. But anyway, there is a big difference between saying there is a remote exploit in IIS and saying there is a command injection vulnerability in SquirrelMail GPG Plugin. I can probably rediscover the SquirrelMail one in an hour but I may never find the IIS one. Also, the vulnerability Nicob pointed out was pre-auth (mine was post-auth). I'm dying to know if version 2.1 patched the exploit they are trying to sell!

Charlie

ps. Sorry about the (No Subject)

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave