Re: OWASP LiveCD Vulnerabilities

["Tomas L. Byrnes" <tomb () byrneit net>]

Next thing you'll be telling us that Webscarab is a virus :-)



> -----Original Message-----
> From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-
> bounces () lists grok org uk] On Behalf Of Fionnbharr
> Sent: Friday, May 22, 2009 9:06 AM
> To: Brigette DéFaveur
> Cc: full-disclosure () lists grok org uk; bugtraq () securityfocus com
> Subject: Re: [Full-disclosure] OWASP LiveCD Vulnerabilities
>
> THIS IS A PRETTY FUNNY ADVISORY
>
>
>
>
>
>
>
>
>
>
>
> HA HA HA
>
> 2009/5/22 "Brigette DéFaveur" <blosoft () consultant com>:
> > **************************    bloSOFT   **************************
> > Super Wowzer Hacker Team - Professional Vulnerability Assessments
> >
> >                            BLOsoft Research Team
> >              ------------------------------------------------
> >               Base Level Ops Securing Otherwise Fscked Tech!
> >
> >
> >
> > [POSTING NOTICE]
> > ----------------------------------------------------------------------
> ----
> > If you intend on pimping this advisory on your Geocities web page
> please
> > create a clickable link back to our uberhawtness security page and
> include
> > annoying use of the <blink> tag
> >
> > For more information about Hacking finger condor @well.com
> >
> > [Advisory Information]
> > ----------------------------------------------------------------------
> ----
> > Contact                         : Brigette DéFaveur
> > Advisory ID                     : BLOSOFT-20090521
> > Product Name                    : WebGoat
> > Product Version                 : All versions
> > Vendor Name                     : OWASP
> > Type of Vulnerability           : Multiple
> > Impact                          : Extremely Critical, like wtf
> critical
> > Vendor Notified                 : 20090521
> >
> > [Product Description]
> > ----------------------------------------------------------------------
> ----
> > "The Open Web Application Security Project (OWASP) is a worldwide free
> and
> > open community focused on improving the security of application
> software.
> > Our mission is to make application security visible, so that people
> and
> > organizations can make informed decisions about true application
> security
> > risks."
> >
> > Taken From:
> > http://www.owasp.org/index.php/Main_Page
> >
> >
> > [Technical Summary]
> > ----------------------------------------------------------------------
> ----
> > Webgoat is vulnerable to the following attacks:
> >
> > Cross-site Scripting (XSS)
> > Access Control
> > Hidden Form Field Manipulation
> > Parameter Manipulation
> > Session Cookies
> > SQL Injection
> >
> > While performing our advanced superwowzer hackerfying analysis
> discovered
> > that WebGoat is vulnerable to dozens if not billions of attacks if
> they
> > were attacked by attackers.
> >
> >
> > [Impact]
> > ----------------------------------------------------------------------
> ----
> > [Impact varies from installation to installation]
> >
> > - Cookie stealing
> > - Cookie harassing
> > - Cookie tampering
> > - Tampering of harassed cookie
> > - Harassing the thief tampering with cookies
> > - High level advanced SQL injection (' or 1=1-- )
> > - High level super advanced XSS <b
> onmouseover=alert('bloSOFT')>OMFG</b>
> > - Improper sanitization of the blink tag
> >
> >
> > [Proof Of Concept]
> > ----------------------------------------------------------------------
> ----
> > Download WebGoat and you too can see the trillions of exploits
> affecting
> > this software. We will not pollute the www with another useless filth
> of
> > a program designed to assist in the manipulation of security
> >
> >
> > [Vendor Status and Chronology]
> > ----------------------------------------------------------------------
> ----
> > Current Vendor Status:  OWASP has to many members that don't matter.
> >
> > Chronology:
> > 05/21/2009 07:11:57 AM EST - Vulnerabilities Discovered
> > 05/21/2009 07:11:59 AM EST - Vendor Notified
> > 05/21/2009 07:12:18 AM EST - Requested vendor feedback via email
> > 05/21/2009 07:13:23 AM EST - No response from vendor
> > 05/21/2009 07:13:28 AM EST - Began advisory release process
> >
> >
> > [Solution]
> > ----------------------------------------------------------------------
> ----
> > Leave Britney alone
> >
> >
> > [Disclaimer]
> > ----------------------------------------------------------------------
> ----
> > bloSOFT assumes no liability for the use of the information provider
> in
> > this disclosure. This advisory was released in an effort to prove our
> > worthiness to the I.T. community. Although we may at times attempt to
> > extort or blackmail companies in order to comply with our view of how
> > security should be, we make no intelligent assumptions or decisions in
> > releasing our security advisories.
> >
> >
> > [Advertisement]
> > ----------------------------------------------------------------------
> ----
> > bloSOFT is focused on the core commitment to provide the whole wide
> world
> > with security designs and solutions that fit. Our team consists of
> expert
> > level engineers with an array of experience ranging from eggdrop
> shells,
> > running nmap, re-hashing advisories and securitizing maximized
> potential
> > designs with actionable digital intelligence catering to the
> professional
> > hackers. Should you wish to place us at the top of "security review"
> by
> > using an alias please do so. Although we might not be as elite as
> other
> > companies like Netragard, bear in mind, even ImmunitySec isn't as
> elite
> > or as talented as Netragard.
> >
> > http://secreview.blogspot.com/
> >
> >
> > [Greets]
> > ----------------------------------------------------------------------
> ----
> > Simone Smithereen - we wub you oh grand masteress
> > Kevin Finkelstein - we be done havin yo back slap mah fro
> > Adrien DéFaveur - my brother, I know you didn't blackmail HP!
> >
> > All the rest - all the best
> >
> >
> >
> >
> > --
> > Be Yourself @ mail.com!
> > Choose From 200+ Email Addresses
> > Get a Free Account at www.mail.com
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/