Full Disclosure mailing list archives

Re: Unbelievable, Pangolin 3.2.3 free edition released


From: "Zach C." <fxchip () gmail com>
Date: Mon, 25 Apr 2011 14:19:00 -0700

Heh -- did anyone else just get spammed by these jokers?

In any case: even if you change this setting where they tell you to, does
the code actually honor the change or is it just a farce for the user's
benefit? And, perhaps more importantly, why should I have to grab it,
blindly trust it and run it to find out?

Besides even that, assuming the change was actually honored, how would one
go about creating a page that would work with it?

On Mon, Apr 25, 2011 at 8:31 AM, Steven Pinkham <steve.pinkham () gmail com> wrote:

Rain Liu wrote:
Hi Steven Pinkham,

I think this is an old question that has been answered. You can make
settings in the Pangolin main panel.

"Edit->Setting->Oracle", change the "Remote Data URL" and "Remote Info
URL" as you wish. Exit Pangolin and run it again to take effect.

Here are example settings:
http://www.nosec-inc.com/en/images/pangolin-oracle-setting.gif

Wish you guys happy.

BEST REGARDS TO YOU AND YOUR FAMILY

Rain Liu

It's entirely possible that is all there is to it.
Let me be perfectly clear: For people in the real world to trust your
tool, those fields should be empty by default, and clear instructions
and demo code should be given on how to set that feature up on their own
servers.  A poorly documented feature that sends your data to third
parties by default *is unacceptable*, and if you want professional users
to take you seriously data privacy needs to be the default.

There are still a lot of questions that are poorly documented, like:
How does the feature you call "bypass firewall" work?  What if any 3rd
parties are involved?

Can you certify that there are no third parties involved in any action of
Pangolin besides the Oracle setting, or are there other undiscovered
pitfalls for the professional user?  The existence of this poorly
documented, data-stealing-by-default option completely undermines my
trust in your tool, and I would be VERY cautious in any use of said tool.

Personally, I'd rather stick to open source, auditable tools whenever
possible, and sqlmap is my SQL injection tool of choice.  Honestly, your
answers to these questions are not likely to make me switch (sqlmap is
*that good* in recent releases), but may serve to cut down on my abuse
of people who consider using your tool.
--
 | Steven Pinkham, Security Consultant    |
 | http://www.mavensecurity.com           |
 | GPG public key ID CD31CAFB             |

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
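Zach's question above (does the tool actually honour the changed "Remote Data URL" / "Remote Info URL" setting, and what would a receiving page look like?) can be answered without trusting the vendor's word: point both URLs at a host you control, run the tool in a lab, and compare what your host receives with what an egress proxy sees leaving the machine. The following is an added example written for this archive, not code from the Pangolin project or from anyone in the thread. It stands up a catch-all HTTP recorder (the page format Pangolin expects is not documented here, so the recorder simply accepts anything and returns 200) and audits constructed proxy-style connection log lines against the configured hosts; every hostname and log line in it is a placeholder.

```python
"""Check that a closed-source tool honours a "Remote Data URL" setting.

Added example (not Pangolin's code).  Two parts:
  1. a catch-all HTTP recorder to use as the target of the "Remote Data URL"
     and "Remote Info URL" settings, so every request sent to your host is kept;
  2. an audit over outbound-connection log lines (e.g. from an egress proxy)
     that flags any destination other than the hosts you configured.
All hostnames and log lines below are constructed placeholders.
"""
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit
from urllib.request import Request, urlopen


class RecordingHandler(BaseHTTPRequestHandler):
    """Accept any method and path, answer 200, and keep what was received."""
    received = []  # shared list of (method, path, body) tuples

    def _record(self):
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length) if length else b""
        RecordingHandler.received.append((self.command, self.path, body))
        self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_GET = do_POST = do_PUT = _record

    def log_message(self, fmt, *args):  # keep the console quiet
        pass


def start_recorder(port=0):
    """Start the recorder on a background thread; return (server, base_url)."""
    server = HTTPServer(("127.0.0.1", port), RecordingHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_address[1]


def audit_connections(configured_urls, log_lines):
    """Return the set of destination hosts that are not among the configured URLs.

    Assumes proxy-style log lines whose last field is "host:port".
    """
    allowed = {urlsplit(u).hostname for u in configured_urls}
    unexpected = set()
    for line in log_lines:
        dest = line.rsplit(None, 1)[-1]
        host = dest.rsplit(":", 1)[0]
        if host not in allowed:
            unexpected.add(host)
    return unexpected


# Constructed sample: both URLs were set to the tester's own host, then the
# tool's outbound connections were captured at the egress proxy.
CONFIGURED = ["http://audit.internal.example/data",
              "http://audit.internal.example/info"]
SAMPLE_LOG = [
    "2011-04-25T14:19:01 CONNECT audit.internal.example:80",
    "2011-04-25T14:19:02 CONNECT audit.internal.example:80",
    "2011-04-25T14:19:05 CONNECT vendor-default.example:80",  # setting not honoured
]


def demo():
    """Send one request to the recorder and run the audit; return both results."""
    server, base = start_recorder()
    try:
        urlopen(Request(base + "/data", data=b"select 1", method="POST")).read()
    finally:
        server.shutdown()
        server.server_close()
    return len(RecordingHandler.received), audit_connections(CONFIGURED, SAMPLE_LOG)


if __name__ == "__main__":
    count, leaks = demo()
    print("requests captured by the recorder:", count)
    print("unexpected destinations:", sorted(leaks) or "none")
```

The recorder answers every request, so a tool that honours the setting will show up in `RecordingHandler.received`; the audit is the other half of the check, since a tool can post to your host and still contact its default endpoint. Any host in the audit result that you did not configure is the thing Steven objects to below: data leaving the machine to a party you did not choose.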
