RE: Full-disclosure Digest unsubscribed

["herbert hay" <herbert_d_hay () msn com>]

unsubscribed


Herbert Darrell Hay





> From: full-disclosure-request () lists grok org uk
> Reply-To: full-disclosure () lists grok org uk
> To: full-disclosure () lists grok org uk
> Subject: Full-disclosure Digest, Vol 7, Issue 37
> Date: Sat, 17 Sep 2005 12:00:11 +0100 (BST)
>
> Send Full-Disclosure mailing list submissions to
>         full-disclosure () lists grok org uk
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         https://lists.grok.org.uk/mailman/listinfo/full-disclosure
> or, via email, send a message with subject or body 'help' to
>         full-disclosure-request () lists grok org uk
>
> You can reach the person managing the list at
>         full-disclosure-owner () lists grok org uk
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Full-Disclosure digest..."
>
>
> Note to digest recipients - when replying to digest posts, please trim your 
> post appropriately. Thank you.
>
>
> Today's Topics:
>
>    1. Re: Forensic help? (Paul Robertson)
>    2. Re: FileZilla (client) public     credentials     vulnerability
>       (Tobias Ulmer)
>    3. [CIRT.DK - Advisory 37] TAC Vista Webstation 3.0  Directory
>       Traversal bug in webinterface (CIRT.DK Advisory)
>    4. Re: FireFox Host: Buffer Overflow is not just     exploitable on
>       FireFox (Juha-Matti Laurio)
>    5. Search Results w/Trojan? ('FoR ReaLz' E. Balansay)
>    6. Re: Search Results w/Trojan? (Fergie (Paul Ferguson))
>    7. Greyhats Security back online (Paul)
>    8. RE: PGPNet Upgrade path ? (Gary E. Miller)
>    9. RE: Search Results w/Trojan? (Madison, Marc)
>   10. RE: Search Results w/Trojan? ('FoR ReaLz' E. Balansay)
>   11. Greyhats Security fixed (Paul)
>   12. Re: Search Results w/  Trojan? (Dyke, Tim)
>   13. Re: Re: Search Results w/  Trojan? ('FoR ReaLz' E. Balansay)
>   14. Re: Search Results w/ Trojan? (craig () getvirushelp com)
>   15. RE: Search Results w/Trojan? (fd () ew nsci us)
>   16. Ethics and ramblins on Full DissClosure (J. Oquendo)
>   17. Web Application Security Analyzer for     PHP-Nuke/phpBB CMS
>       (Paul Laudanski)
>   18. SA Security Bulletin: Unique attack vector        uncovered during
>       packet analysis (sasb () Safe-mail net)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Fri, 16 Sep 2005 14:05:25 -0400
> From: Paul Robertson <compuwar () gmail com>
> Subject: Re: [Full-disclosure] Forensic help?
> To: nick () virus-l demon co uk
> Cc: full-disclosure () lists grok org uk
> Message-ID: <63cec55305091611057c1b8367 () mail gmail com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> On 9/12/05, Nick FitzGerald <nick () virus-l demon co uk> wrote:
> > Anyway, much as I am an _only very occasional_ user of Ghost, I don't
> > think I've ever used it NOT to make a sector-level, or raw disk image,
> > style drive copy.  However, as I last used it so long ago, I decided to
> > check I was not mis-remembering -- two seconds at Google turned up this
> > URL discussing "...the Ghost switches to use for forensic imaging or
> > for creating raw images (sector copies)..." (URL may wrap):
> >
> > http://service1.symantec.com/SUPPORT/ghost.nsf/docid/2001111413481325?Op
> > en&src=&docid=19
>
> G'day Nick,
>
> While you *can* use Ghost to get a complete image, the switches change
> from version to version and it's really a PITA to test what does what
> when.  Most folks I know if the field have decided there's too much
> room for error with Ghost.  Also, it means more to document, which is
> bad for the lazy ;).
>
> Paul
> --
> www.compuwar.net
>
>
> ------------------------------
>
> Message: 2
> Date: Fri, 16 Sep 2005 20:13:53 +0200
> From: Tobias Ulmer <tobiasu () tmux org>
> Subject: Re: [Full-disclosure] FileZilla (client) public        credentials
>         vulnerability
> To: full-disclosure () lists grok org uk
> Message-ID: <432B0B61.9 () tmux org>
> Content-Type: text/plain; charset="iso-8859-1"
>
> PASTOR ADRIAN wrote:
> > Title:    FileZilla (client) public credentials vulnerability
> > Risk:    Medium
> > Versions affected: <=2.2.15
> > Credits:  pagvac (Adrian Pastor)
> > Date found:  10th September, 2005
> > Homepage:  www.ikwt.com  www.adrianpv.com
> > E-mail:   m123303 [ - a t - ] richmond.ac.uk
> >
>
> [...]
>
> > Regards,
> > pagvac (Adrian Pastor)
> > Earth, SOLAR SYSTEM
> >
>
> I don't know why I even reply... But anyway, I attached a screen shot
> especially for you. Please read it.
>
> a) FileZilla Users most probably are the only user of the computer. This
> is why the default makes sense (They "work" as administrator anyways).
>
> b) There is a "secure mode" witch prevents you from saving any password
> at all witch is the best solution if you want to be on the safe side.
>
> c) There is an option to save the settings in the registry and ignore
> the xml file. Settings are stored in HKEY_CURRENT_USER witch is in fact
> under X:\%homepath%\username\NTUSER.DAT and is protected by the
> filesytem ACL.
>
> Tobias
>
>
>
>
> -------------- next part --------------
> A non-text attachment was scrubbed...
> Name: filezilla_setup.png
> Type: image/png
> Size: 12444 bytes
> Desc: not available
> Url : 
> http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20050916/125fae2c/filezilla_setup-0001.png
>
> ------------------------------
>
> Message: 3
> Date: Fri, 16 Sep 2005 21:04:33 +0200
> From: "CIRT.DK Advisory" <advisory () cirt dk>
> Subject: [Full-disclosure] [CIRT.DK - Advisory 37] TAC Vista
>         Webstation 3.0  Directory Traversal bug in webinterface
> To: "Full-Disclosure@Lists. Netsys. Com"
>         <full-disclosure () lists grok org uk>,   "News@Securiteam. Com"
>         <news () securiteam com>, "Submissions@Packetstormsecurity. Org"
>         <submissions () packetstormsecurity org>,         "Vuln@Secunia. Com"
>         <vuln () secunia com>,    "Bugs@Securitytracker. Com"
>         <bugs () securitytracker com>
> Message-ID: <000001c5baf1$7a2e8180$0201a8c0@Furion>
> Content-Type: text/plain;       charset="us-ascii"
>
>
> TAC Vista is based on open technologies, TAC VistaR is one of the most
> advanced software solutions for building automation.
> TAC Vista efficiently and economically controls, checks and analyzes all
> building operations, allowing system operators to control and monitor 
> entire
> systems on site or from remote locations.
>
> The Web application is running on a Microsoft IIS 5.0 Server in this case.
>
> The problem is occurring in the input field of where the Template is 
> called,
> resulting in the possibility to traverse into other parts of the system.
>
> Read the full Advisory at http://www.cirt.dk
>
>
>
> ------------------------------
>
> Message: 4
> Date: Fri, 16 Sep 2005 22:28:59 +0300 (EEST)
> From: Juha-Matti Laurio <juha-matti.laurio () netti fi>
> Subject: Re: [Full-disclosure] FireFox Host: Buffer Overflow is not
>         just    exploitable on FireFox
> To: milw0rm () gmail com
> Cc: full-disclosure () lists grok org uk, berendjanwever () gmail com,
>         bugtraq () securityfocus com, security () mozilla org
> Message-ID:
>         <10097833.1126898939988.JavaMail.juha-matti.laurio () netti fi>
> Content-Type: text/plain; Charset=iso-8859-1; Format=Flowed
>
> > This problem also effects Thunderbird (tested) and im guessing
> > Netscape's Mail client (untested) which it really can't do much except
> > cause Thunderbird/Netscape to crash without javascript.
> >
> > Include the linked source in an email for your testing.
> >
> > http://www.milw0rm.com/down.php?id=1204
> >
> > /str0ke
>
> Only the newest 7.x version 7.2 has an internal Mail client. Version
> 8.0.3.3 is browser-only version. Version 7.2 has unpatched, confirmed
> vulnerabilities due to older codebase like we know. Version 8 was
> released to fix them.
> Your report will never reach Netscape due to non-working security [at]
> netscape.org (please read instructions to contact the vendor below).
>
> > On 9/13/05, Juha-Matti Laurio <juha-matti.laurio () netti fi> wrote:
> > > >Hi all,
> > > >Research and development has let to a ~90% reliable working exploit
> for the
> > > >IDN Heap Buffer overrun in FireFox on WinXP and Win2k3 as long as DEP 
> is
> > > >turned off and JavaScript is enabled. Some tweaking might yield an 
> even
> > > >higher success ratio. It has also revealed that not only FireFox is
> > > >vulnerable to this vulnerability, but the exact same exploit works on 
> the
> > > >latest releases of all these products based on the Mozilla engine:
> > > >- Mozilla FireFox 1.0.6 and 1.5beta,
> > > >- Mozilla Browser 1.7.11,
> > > >- Netscape 8.0.3.3 <http://8.0.3.3>.
> > > >Recommendations for this vulnerability:
> > > >- FireFox and Mozilla: Install the workaround for (
> > > https://addons.mozilla.org/messages/307259.html).
> > > >- Netscape: hope they'll respond to this email and release a 
> workaround.
> > > >- Wait for a patch and install it asap.
> > > >Recommendations to make it harder to exploit any FireFox 
> vulnerability:
> > > >- Turn on DEP (Data Execution Prevention),
> > > >- Turn off JavaScript,
> > > >- Switch to another browser,
> > > >- Do not browse untrusted sites,
> > > >- Do not browse the web at all,
> > > >- Unplug your machine from the web,
> > > >- Wear a tinfoil hat.
> > > >Cheers,
> > > >SkyLined
> > >
> > > BTW: From where is that security [at] netscape.org address?
> > > 1)
> > > An official security URL to Netscape is "Netscape Browser Bug 
> Submission
> > > Form" at
> > > http://browser.netscape.com/ns8/support/bugreport.jsp
> > > (www.netscape.org redirects to home.netscape.com/ , of course they 
> have
> > > netscape.org, netscape.net etc.)
> > >
> > > For version 7.2 (and 7.x?) it is the following:
> > > http://wp.netscape.com/browsers/7/feedback/problem.html
> > > Two separate addresses due to different developer teams, according to
> > > my knowledge. Is there any new information?
>
> ---clip---
>
> Please report your Netscape Mail client test results to Netscape with
> submission forms mentioned above.
>
> - Juha-Matti
>
>
>
> ------------------------------
>
> Message: 5
> Date: Fri, 16 Sep 2005 12:40:12 -0700 (PDT)
> From: "'FoR ReaLz' E. Balansay" <edgardo () u washington edu>
> Subject: [Full-disclosure] Search Results w/Trojan?
> To: full-disclosure () lists grok org uk
> Message-ID:
>         <Pine.A41.4.63a.0509161121530.33508 () aagaard01 u washington edu>
> Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
>
> Hello all!
>
> My systems relevant info:
> Windows XP SP2 fully patched
> Mcafee VirusScan 7.1 Engine 4.4 Definition 4581
>
>
> Using XP SP2s Internet Explorer, in Google, i used the following search
> query:
>
> mcafee "driver packet received from the i/o subsystem" "patch 11"
>
> When the results return from google a trojan comes along as well, as
> detected by McAfee AV.
>
> I'm aware that browsing to malicious sites can pass malware to users who
> visit those sites, but this is new to me:  Trojans being passed through
> google results.
>
> Are passing of malicious programs through search engine results common?
>
> Goodbye!
> Edgardo
> (not the same newbie "Edgardo" from a couple threads ago  =) )
>
>
> ------------------------------
>
> Message: 6
> Date: Fri, 16 Sep 2005 19:43:21 GMT
> From: "Fergie (Paul Ferguson)" <fergdawg () netzero net>
> Subject: Re: [Full-disclosure] Search Results w/Trojan?
> To: edgardo () u washington edu
> Cc: full-disclosure () lists grok org uk
> Message-ID: <20050916.124404.14562.458455 () webmail24 lax untd com>
> Content-Type: text/plain
>
> Get in line:
>
>  http://www.eeye.com/html/research/upcoming/20050915.html
>
> More:
>
>  http://www.eeye.com/html/research/upcoming/index.html
>
> - ferg
>
>
> -- "'FoR ReaLz' E. Balansay" <edgardo () u washington edu> wrote:
>
> Hello all!
>
> My systems relevant info:
> Windows XP SP2 fully patched
> Mcafee VirusScan 7.1 Engine 4.4 Definition 4581
>
>
> Using XP SP2s Internet Explorer, in Google, i used the following search
> query:
>
> mcafee "driver packet received from the i/o subsystem" "patch 11"
>
> When the results return from google a trojan comes along as well, as
> detected by McAfee AV.
>
> I'm aware that browsing to malicious sites can pass malware to users who
> visit those sites, but this is new to me:  Trojans being passed through
> google results.
>
> Are passing of malicious programs through search engine results common?
>
> Goodbye!
> Edgardo
> (not the same newbie "Edgardo" from a couple threads ago  =) )
>
> --
> "Fergie", a.k.a. Paul Ferguson
>  Engineering Architecture for the Internet
>  fergdawg () netzero net or fergdawg () sbcglobal net
>  ferg's tech blog: http://fergdawg.blogspot.com/
>
>
>
> ------------------------------
>
> Message: 7
> Date: Fri, 16 Sep 2005 16:06:13 -0400
> From: "Paul" <pvnick () gmail com>
> Subject: [Full-disclosure] Greyhats Security back online
> To: "Full Disclosure" <full-disclosure () lists grok org uk>,
>         <bugtraq () securityfocus com>
> Message-ID: <002001c5bafa$a3728970$6401a8c0@pauls1337laptop>
> Content-Type: text/plain; charset="iso-8859-1"
>
> It's been a while, but I have decided that because a lot of valuable 
> information is hosted on greyhatsecurity.org, that it is within everyone's 
> best interest to share the material.
>
> Some things that have changed:
> - The layout. The navigation system looks a lot cooler now (IMHO) and is 
> easier to follow/more categorical.
> - Bias is gone. No more criticism to either Microsoft nor Mozilla will be 
> found on my website unless I deem it necissary for the progress of computer 
> security.
>
> You can find Greyhats Security at its old address, 
> http://greyhatsecurity.org.
>
> Kind regards,
> Paul
> Greyhats Security
> http://greyhatsecurity.org
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: 
> http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20050916/74e260a5/attachment-0001.html
>
> ------------------------------
>
> Message: 8
> Date: Fri, 16 Sep 2005 13:24:00 -0700 (PDT)
> From: "Gary E. Miller" <gem () rellim com>
> Subject: RE: [Full-disclosure] PGPNet Upgrade path ?
> To: adityad2005 () users sourceforge net
> Cc: full-disclosure () lists grok org uk
> Message-ID: <Pine.LNX.4.63.0509161318570.31963 () catbert rellim com>
> Content-Type: TEXT/PLAIN; charset=US-ASCII
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Yo Aditya!
>
> On Fri, 16 Sep 2005, Aditya Deshmukh wrote:
>
> > > > What alternatives are there to pgpnet ?
> > >
> > > Have a look at OpenVPN.
> >
> > Thanks Martijn, but isn`t that a SSL vpn ? And from what I
> > have read about PGPnet I need a IPSEC VPN that uses
> > PGP keys to do the auth.
>
> IPSEC has nothing to do with PGP.  Also there is really no such thing
> as a PGP key.  PGP uses what ever key scheme you ask it to use.  IPSEC
> is the same way.  Both use keys, but are not themselves key standards.
>
> OpenVPN similarly can use what ever key scheme you wish.  Since it is
> based on the OpenSSL crupto libs it is very flexible that way.  For
> simple setups you can use pre-shared keys.  For more complex setups
> you can use public/private key pairs of any type that OpenSSL understands.
>
> On top of that you can layer on other aith schemes like username/passwords
> and such.
>
> IMHO, if OpenVPN does not do what you want then you misunderstand the
> problem.
>
>
> RGDS
> GARY
> - 
> ---------------------------------------------------------------------------
> Gary E. Miller Rellim 20340 Empire Blvd, Suite E-3, Bend, OR 97701
>         gem () rellim com  Tel:+1(541)382-8588 Fax: +1(541)382-8676
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.1 (GNU/Linux)
>
> iD8DBQFDKyni8KZibdeR3qURAv9tAJ9YxZiCL/QUCpM2ciZV2apCuj8MSgCffY1s
> qOCCYwH7H5Ts0B2iL525tm4=
> =+8Dj
> -----END PGP SIGNATURE-----
>
>
>
> ------------------------------
>
> Message: 9
> Date: Fri, 16 Sep 2005 15:40:28 -0500
> From: "Madison, Marc" <mmadison () fnni com>
> Subject: RE: [Full-disclosure] Search Results w/Trojan?
> To: "'FoR ReaLz' E. Balansay" <edgardo () u washington edu>,
>         full-disclosure () lists grok org uk
> Message-ID:
>         <DEDFD939A181F94AAF3D965C58B7AADC01FCE4DE () 001fntcex01 fnb fnni com>
> Content-Type: text/plain; charset=us-ascii
>
> What Trojan does McAfee report?
>
> -----Original Message-----
> From: full-disclosure-bounces () lists grok org uk
> [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of 'FoR
> ReaLz' E. Balansay
> Sent: Friday, September 16, 2005 2:40 PM
> To: full-disclosure () lists grok org uk
> Subject: [Full-disclosure] Search Results w/Trojan?
>
> Hello all!
>
> My systems relevant info:
> Windows XP SP2 fully patched
> Mcafee VirusScan 7.1 Engine 4.4 Definition 4581
>
>
> Using XP SP2s Internet Explorer, in Google, i used the following search
> query:
>
> mcafee "driver packet received from the i/o subsystem" "patch 11"
>
> When the results return from google a trojan comes along as well, as
> detected by McAfee AV.
>
> I'm aware that browsing to malicious sites can pass malware to users who
> visit those sites, but this is new to me:  Trojans being passed through
> google results.
>
> Are passing of malicious programs through search engine results common?
>
> Goodbye!
> Edgardo
> (not the same newbie "Edgardo" from a couple threads ago  =) )
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
>
>
>
> ------------------------------
>
> Message: 10
> Date: Fri, 16 Sep 2005 13:55:48 -0700 (PDT)
> From: "'FoR ReaLz' E. Balansay" <edgardo () u washington edu>
> Subject: RE: [Full-disclosure] Search Results w/Trojan?
> To: "Madison, Marc" <mmadison () fnni com>
> Cc: full-disclosure () lists grok org uk
> Message-ID:
>         <Pine.A41.4.63a.0509161351450.33508 () aagaard01 u washington edu>
> Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
>
> On Fri, 16 Sep 2005, Madison, Marc wrote:
>
> > What Trojan does McAfee report?
>
> Exploit-URLSpoof.gen
>
> McAfee link:
> http://vil.nai.com/vil/content/v_100927.htm
>
> Goodbye!
> Edgardo
>
>
> ------------------------------
>
> Message: 11
> Date: Fri, 16 Sep 2005 17:22:55 -0400
> From: "Paul" <pvnick () gmail com>
> Subject: [Full-disclosure] Greyhats Security fixed
> To: "Full Disclosure" <full-disclosure () lists grok org uk>
> Message-ID: <006601c5bb04$d2c275f0$6401a8c0@pauls1337laptop>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Firefox navigation bug fixed (sorry about that)
>
> Paul
> Greyhats Security
> http://greyhatsecurity.org
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: 
> http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20050916/8db1ea76/attachment-0001.html
>
> ------------------------------
>
> Message: 12
> Date: Fri, 16 Sep 2005 14:36:56 -0700
> From: "Dyke, Tim" <Tim.Dyke () worksafebc com>
> Subject: [Full-disclosure] Re: Search Results w/  Trojan?
> To: <full-disclosure () lists grok org uk>
> Message-ID:
>         <260C8053DAB7FC44BB58A4D6F16CB2C506B621 () MSXP02 wcbbc wcbmain com>
> Content-Type: text/plain; charset="us-ascii"
>
> I Noticed the following on the McAffee site
>
> -- Update July 16, 2004 --
> An Incorrect Identification of Exploit-URLSpoof.gen has been found when
> scanning files associated with the eBay Toolbar. The file being detected
> as Exploit-URLSpoof.gen is wsasc.xml. If you are seeing this specific
> detection, please download the extra.dat files below which will correct
> the Incorrect Identification.
>
> Could this be a similar issue with your google search
>
> Thanks
>
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: 
> http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20050916/29d31294/attachment-0001.html
>
> ------------------------------
>
> Message: 13
> Date: Fri, 16 Sep 2005 17:08:56 -0700 (PDT)
> From: "'FoR ReaLz' E. Balansay" <edgardo () u washington edu>
> Subject: Re: [Full-disclosure] Re: Search Results w/  Trojan?
> To: "Dyke, Tim" <Tim.Dyke () worksafebc com>
> Cc: full-disclosure () lists grok org uk
> Message-ID:
>         <Pine.A41.4.63a.0509161703260.33508 () aagaard01 u washington edu>
> Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
>
> Hello!
>
> I noticed the same message as well =), we're not using the ebay toolbar.
>
> I have just verified these results from a Win2k3 fully patched machine
> with no additional applications installed, except for McAfee 7.1.
>
> Would someone else like to search google for those terms and verify as
> well?  Search terms:
>
> mcafee "driver packet received from the i/o subsystem" "patch 11"
>
> Goodbye!
> Edgardo
>
> On Fri, 16 Sep 2005, Dyke, Tim wrote:
>
> > I Noticed the following on the McAffee site
> >
> > -- Update July 16, 2004 --
> > An Incorrect Identification of Exploit-URLSpoof.gen has been found when
> > scanning files associated with the eBay Toolbar. The file being detected
> > as Exploit-URLSpoof.gen is wsasc.xml. If you are seeing this specific
> > detection, please download the extra.dat files below which will correct
> > the Incorrect Identification.
> >
> > Could this be a similar issue with your google search
> >
> > Thanks
> >
> >
>
>
> ------------------------------
>
> Message: 14
> Date: Fri, 16 Sep 2005 20:32:13 -0400
> From: craig () getvirushelp com
> Subject: [Full-disclosure] Re: Search Results w/ Trojan?
> To: full-disclosure () lists grok org uk
> Message-ID:
>         <S389476AbVIQAcN/20050917003213Z+48879 () ams006 ftl affinity com>
> Content-Type: text/plain; format=flowed; charset="iso-8859-1"
>
> This is an accurate detection.  Google returns results that contain a
> hyperlink that contains the exploit.
>
> I've verified both the detection and exploit.
>
> Craig
>
> ======
> Using XP SP2s Internet Explorer, in Google, i used the following search
> query:
>
> mcafee "driver packet received from the i/o subsystem" "patch 11"
>
> When the results return from google a trojan comes along as well, as
> detected by McAfee AV.
>
>
>
>
> ------------------------------
>
> Message: 15
> Date: Fri, 16 Sep 2005 17:30:46 -0700 (PDT)
> From: fd () ew nsci us
> Subject: RE: [Full-disclosure] Search Results w/Trojan?
> To: "'FoR ReaLz' E. Balansay" <edgardo () u washington edu>
> Cc: full-disclosure () lists grok org uk
> Message-ID:
>         <Pine.LNX.4.50.0509161729460.7883-100000 () kegger national-security net>
> Content-Type: TEXT/PLAIN; charset=US-ASCII
>
> On Fri, 16 Sep 2005, 'FoR ReaLz' E. Balansay wrote:
>
> > On Fri, 16 Sep 2005, Madison, Marc wrote:
> >
> > > What Trojan does McAfee report?
> >
> > Exploit-URLSpoof.gen
>
> See the %00? That is probably wat mcafee calls a Exploit-URLSpoof.gen.  I
> would hardly call it a trojan ... still, it is interesting to see this
> show up in a googling.
>
> www.spotlight.de%00 () www google de/zforen/sec/m/sec-1123333130-8756.html
>
> -Eric
>
> >
> > McAfee link:
> > http://vil.nai.com/vil/content/v_100927.htm
> >
> > Goodbye!
> > Edgardo
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> >
> >
>
> --
> Eric Wheeler
> Vice President
> National Security Concepts, Inc.
> PO Box 3567
> Tualatin, OR 97062
>
> http://www.nsci.us/
> Voice: (503) 293-7656
> Fax:   (503) 885-0770
>
>
>
> ------------------------------
>
> Message: 16
> Date: Fri, 16 Sep 2005 21:01:26 -0400 (EDT)
> From: "J. Oquendo" <sil () infiltrated net>
> Subject: [Full-disclosure] Ethics and ramblins on Full DissClosure
> To: full-disclosure () lists grok org uk
> Message-ID: <Pine.GSO.4.58.0509162059080.28233 () kungfunix net>
> Content-Type: TEXT/PLAIN; charset=US-ASCII
>
>
> Youo know I was thinking about how ironic it is that one should mention
> "Full Disclosure" and "responsibility" in the same paragraph. How many
> more redundant threads will one have to parse through regarding the
> irresponsibilities of vendors who won't release a fix in a timely manner.
> Then read more threads on how irresponsible people are for disclosing
> vulnerabilities without contacting a vendor, or not waiting long enough
> before releasing their disclosure.
>
> Look it does not take a rocket scientist to figure out that vendors need
> at least one or two years to fix their problems. Far too many times
> though, people in the computer security industry wrongfully think that
> corporations like Microsloth, Scam-mantec, Crisco, Oralckle, Crapafee and
> others are solely after something as trivial as money or investments via
> stock markets.
>
> Let's be honest and forthright about the whole security industry nowadays.
> It has not become a multibillion dollar industry filled with companies
> gobbling up other companies, injecting FUD into the market to sell an
> insecure product and make millions. Nope. The real answer is that
> companies are creating wonderful products that are "powered by the
> systems that take you where you want to go today". Those products often
> don't have real issues its those god awful hackers, crackers, slackers and
> open source people who are the real problem in this industry.
>
> Someone should create a consortium to eradicate those who tinker and break
> these wonderful products. Perhaps a "clean up squad" to ensure that no one
> maliciously posts information that could break the Interweb and leak out
> the kind of information that could lead to my indentity from being stolen.
> I mean, its not like I have to worry about anyone outside of those
> companies in the technology field to do something stupid like leak my
> information [1][2][3][4].
>
> The perfect consortium would consist of trustworthy companies like
> Microsloth, Oralckle, Crisco, Scam-mantec, Crapafee. Their task would be
> to ensure enough money and resources are available to bury someone in the
> legal system with lawsuits, threats, even military-like "wet ops" to
> ensure nothing is ever broken in the technology field again.
>
> [1] http://www.msnbc.msn.com/id/8119720/
> [2] 
> http://news.com.com/Bank+of+America+loses+a+million+customer+records/2100-1029_3-5590989.html
> [3] http://www.vnunet.com/vnunet/news/2138274/credit-card-hack-sets-record
> [4] 
> http://www.infoworld.com/articles/hn/xml/01/03/06/010306hnbiblio.html?0306alert
> [5] 
> http://www.cbc.ca/story/business/national/2005/06/17/equifax-050617.html
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> J. Oquendo
> GPG Key ID 0x97B43D89
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x97B43D89
>
> "Just one more time for the sake of sanity tell me why
>  explain the gravity that drove you to this..." Assemblage
>
>
> ------------------------------
>
> Message: 17
> Date: Fri, 16 Sep 2005 21:05:12 -0400 (EDT)
> From: Paul Laudanski <zx () castlecops com>
> Subject: [Full-disclosure] Web Application Security Analyzer for
>         PHP-Nuke/phpBB CMS
> To: bugs () securitytracker com, <bugtraq () securityfocus com>,
>         <full-disclosure () lists grok org uk>, <moderators () osvdb org>,
>         <news () securiteam com>, <vuln () secunia com>, <vulnwatch () vulnwatch org>,
>         <webappsec () securityfocus com>
> Message-ID:
>         <Pine.LNX.4.44.0509162058190.22130-100000 () bugsbunny castlecops com>
> Content-Type: TEXT/PLAIN; charset=US-ASCII
>
> With all the discussions surrounding the PHP-Nuke CMS wrapping phpBB2 as
> its forums, I've released an application called Analyzer (version 2.0)
> available from Download.com.
>
> It checks the following versions and reports if newer versions exist:
>
> mysql
> php
> apache
> phpnuke
> phpbb
>
> It also checks certain settings in the php.ini file such as
> register_globals and provides the full path.
>
> Also assists in debugging the installation of the application.
>
> Available here:
> http://www.download.com/Analyzer/3000-2648_4-10397073.html
>
> The script itself is written in PHP.
>
> ref: http://en.wikipedia.org/wiki/Php-nuke
>
> --
> Paul Laudanski, Microsoft MVP Windows-Security
> CastleCops(SM), http://castlecops.com
>
>
>
> ________ Information from Computer Cops, L.L.C. ________
> This message was checked by NOD32 Antivirus System for Linux Mail Server.
>
>   part000.txt - is OK
> http://castlecops.com
>
>
> ------------------------------
>
> Message: 18
> Date: Sat, 17 Sep 2005 03:20:36 -0400
> From: sasb () Safe-mail net
> Subject: [Full-disclosure] SA Security Bulletin: Unique attack vector
>         uncovered during packet analysis
> To: full-disclosure () lists grok org uk
> Message-ID: <N1-a4DUvVDA17 () Safe-mail net>
> Content-Type: text/plain; charset=UTF-8
>
> __________________________________________________________________
>
>                          Sexy Action Security Bulletin
>
>                                 SASB-2005-09-17-GR8-2B-EL8
>
>                 Packet Analysis Uncovers Unique Attack Vector
>
>     __________________________________________________________________
>
>
>
> Executive Summary:
>
> As an enterprise security professional, I insist on maintaining the highest 
> degree of personal hygeine. At 10:38AM AEST, packet capture (sniffing)
> tests revealed that my Gandalf Lord of the Rings t-shirt had been 
> compromised...
>
> Problem Statement:
>
> For some months now I have deployed Nivea deoderant, version 'Aqua Cool', 
> as a personal firewall. Its vendor promises 'revitalising freshness and
> mild care' , while ensuring 24hr performance, reliable protection, and a 
> 'stimulating masculine scent' .
>
> While vendors are as trustworthy as a German sewerage plant operator, and 
> the only thing released more often on the internet than German scheisse
> porn are exploits for personal firewalls, careful searching turned up no 
> current issues with Nivea 'Aqua Cool'.
>
> This morning, as a preventative measure, I enabled promiscuous mode on my 
> left nostril. This is something I rarely do -  whenever I allow my
> nostril to become promiscous it inevitably accosts American soldiers, 
> demanding two dollars for "sucky, sucky". However, as a professional and a
> champion Tony Hawk 2 player, I must accede to these demands in the name of 
> Security.
>
> I picked up my Lord of the Rings t-shirt, sniffed, and captured a packet 
> exuding from the right armpit production server. Not any boring old IP
> packet, no - this was a DECNET phase IV  packet, transported via x.25. You 
> could have tickled me pink and called me Jesus; I'd assumed DECnet
> had gone the way of the triceratops, stegasaurus, and hats.
>
> "Why", I asked myself, "is my right armpit running DECnet? It's certainly 
> not a normal state of affairs. Hackers must be involved. They always are.
> DECnet smells like stale sweat and hackers must have bypassed the Nivea 
> firewall to install it on my t-shirt. It's the only way this could have
> happened.
>
> Because of hackers I had to wear my Gollum Lord of the Rings t-shirt to 
> work today. This is unacceptable - Gollum is not suitable for an enterprise
> security environment. Gollum is for informal occasions. Gandalf, the white 
> wizard, commands respect and awe; without Gandalf, I fear that
> co-workers do not respect my authority.
>
> Fix:
>
> Users may apply more firewall, however this is only a preventative measure. 
> As yet I am unsure exactly how to patch a smelly t-shirt.
>
>
> ------------------------------
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
> End of Full-Disclosure Digest, Vol 7, Issue 37
> **********************************************


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/