Full Disclosure mailing list archives
NSRG-Security SaS Encryption cracked
From: Paul Tinsley <pdt () jackhammer org>
Date: Wed, 15 Oct 2003 01:55:10 -0500
--------------------------------------------------------------------------------
Product: SaS (Security Application Server)
Vendor: NSRG (No Secure Root Group Security Research)
        Lorenzo Hernandez Garcia-Hierro <lorenzohgh () nsrg-security com>
Impact: Intellectual property disclosure
Bulletin-ID: PT.2003.0001
--------------------------------------------------------------------------------

Product Description (From Vendor Website):

We are happy to announce that sas website is now ( again ) online in this server by accessing sas.nsrg-security.com , migrate your links to this server. The portal version is the latest of phpWebSite. We trust in phpWebSite , a very secure solution in this last version ( old versions are affected by SQL Injections , XSS attacks and PD attacks , discovered by Lorenzo H G-H/trulux ).

Method of Disclosure:

If you have the GET script installed:

    GET http://www.nsrg-security.com | lorenzo_decode.pl > outfile.html

If you have wget:

    wget http://www.nsrg-security.com -O enc.html
    lorenzo_decode.pl < enc.html > outfile.html

Background:

After the veritable cornucopia of website exploits posted today on full-disclosure it inspired me to audit a few websites myself. I started with the author of all the IMHO frivolous postings and found that he "encrypted" his website with something called SaS that his group wrote. I figured man this Lorenzo guy has lots of free time to pick apart everybody's websites, his must be top notch.

"Exploit" code is attached and also available at:
http://jackhammer.org/exploits/lorenzo_decode.pl

Cheers,
Paul Tinsley
Attachment: lorenzo_decode.pl