Full Disclosure mailing list archives
Re: Unbelivable, Pangolin 3.2.3 free edition released
From: "Zach C." <fxchip () gmail com>
Date: Mon, 25 Apr 2011 14:19:00 -0700
Heh -- did anyone else just get spammed by these jokers?

In any case: even if you change this setting where they tell you to, does the code actually honor the change, or is it just a farce for the user's benefit? And, perhaps more importantly, why should I have to grab it, blindly trust it and run it to find out? Besides even that, assuming the change was actually honored, how would one go about creating a page that would work with it?

On Mon, Apr 25, 2011 at 8:31 AM, Steven Pinkham <steve.pinkham () gmail com> wrote:
> Rain Liu wrote:
> > Hi Steven Pinkham,
> >
> > I think this is an old question that has been answered. You can make settings in Pangolin main panel. "Edit->Setting->Oracle", change the "Remote Data URL" and "Remote Info URL" as you wish. Exit Pangolin and run it again to take effect. Here are example settings: http://www.nosec-inc.com/en/images/pangolin-oracle-setting.gif
> >
> > Wish you guys happy.
> >
> > BEST REGARDS TO YOU AND YOUR FAMILY
> > Rain Liu
>
> It's entirely possible that is all there is to it. Let me be perfectly clear: for people in the real world to trust your tool, those fields should be empty by default, and clear instructions and demo code should be given on how to set that feature up on their own servers. A poorly documented feature that sends your data to third parties by default *is unacceptable*, and if you want professional users to take you seriously, data privacy needs to be the default.
>
> There are still a lot of questions that are poorly documented, like: How does the feature you call "bypass firewall" work? What, if any, 3rd parties are involved? Can you certify that there are no third parties involved in any action of Pangolin besides the Oracle setting, or are there other undiscovered pitfalls for the professional user?
>
> The existence of this poorly documented, data-stealing-by-default option completely undermines my trust in your tool, and I would be VERY cautious in any use of said tool. Personally, I'd rather stick to open source, auditable tools whenever possible, and sqlmap is my SQL injection tool of choice. Honestly, your answers to these questions are not likely to make me switch (sqlmap is *that good* in recent releases), but may serve to cut down on my abuse of people who consider using your tool.
>
> --
> | Steven Pinkham, Security Consultant |
> | http://www.mavensecurity.com |
> | GPG public key ID CD31CAFB |
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: Unbelivable, Pangolin 3.2.3 free edition released Rain Liu (Apr 25)
- Re: Unbelivable, Pangolin 3.2.3 free edition released Steven Pinkham (Apr 25)
- Re: Unbelivable, Pangolin 3.2.3 free edition released Zach C. (Apr 25)
- Re: Unbelivable, Pangolin 3.2.3 free edition released Jacqui Caren-home (Apr 30)
- Re: Unbelivable, Pangolin 3.2.3 free edition released Steven Pinkham (Apr 25)