issues in that application. Our official recommendation for
SQL-Ledger users is to restrict access to database relations to the
least privilege necessary. While this does not entirely solve the
issues, it does limit the damage considerably.
Best Wishes,
Chris Travers
If anyone is still using LedgerSMB 1.1.x, this is an excellent reason
to upgrade.....
I can confirm this problem for the versions mentioned.
Best Wishes,
Chris Travers
vendors about many vulnerabilities, which I'll disclose in the future. So
they are informed for a long time in advance :-). And so you have no need to
worry, because with every day they become more and more "informed a long time
ago" and have more and more days to fix these holes.
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
----- Original Message -----
I haven't been able to find a CVE listing for this yet. Secunia
has assigned this the id of SA45649 for LedgerSMB. I expect to send a
full disclosure email discussing the vulnerability in a week.
Best Wishes,
Chris Travers
Also I wrote to Ruben Reguero two days ago, and told him that it was strange
that in Firefox 3.5 he had no problems (with this exploit). And maybe he has
last Firefox 3.5.1. After that he answered me and confirmed it.
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
> -----Original Message-----
> http://e107.org/e107_files/downloads/e107_v0.7.17_full.zip
Looks like the e107 team has removed this file, and reviewing the code
in the CVS repository, this code does not appear there.
Best Wishes,
Chris Travers
P.S.
Different people have different signatures ;-). It's like: show me your
signature and I'll tell you who you are.
Best wishes & regards,
Eugene Dokukin aka MustLive
Security auditor and security researcher
http://websecurity.com.ua
----- Original Message -----
> they are informed for a long time in advance :-). And so you have no need to
> worry, because with every day they become more and more "informed a long
> time
> ago" and have more and more days to fix these holes.
>
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua
>
> ----- Original Message -----
> doubts received all my letters in 2007-2010 and would receive all future
> letters. But as said, I'll no longer be informing them about DoS holes.
> This
> decision I made in August 2009 and it's a final decision.
>
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua
>
> ----- Original Message -----
3. Admins of web sites.
4. Developers of the browsers.
Which must give you a ground for thoughts.
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
----- Original Message -----
# For Contact : RxH@HotMail.iT
# Note : Always Don't See In The Top To Feeling Pain In Your Neck !!!
Best Wishes
I do think we need some sort of HTTP status or other header
information that would tell a browser to clear the auth cache and not
try again.
Best Wishes,
Chris Travers
> every admin and web developer a chance to fix (I use advanced responsible
> disclosure in 99%). And in most cases they just do lame things, like
> ignoring and not fixing, or badly fixing, or hiddenly fixing without
> thanking me, like it was with securityfocus.com in 2006 and many others.
>
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua
>
> ----- Original Message ----- From: "Susan Bradley" <sbradcpa@pacbell.net>
If anyone is listing
http://secunia.com/advisories/cve_reference/CVE-2009-3580/ as open,
now would be a good time to close it. Any further XSRF
vulnerabilities should probably have their own advisories.
Best Wishes,
Chris Travers
LedgerSMB Core Team
Metatron Technology Consulting
ensuring that SQL injection issues do not pose the privilege
escalation issues that are present in prior versions. Thus the impact
of an attack like this is greatly limited. The impact on the
pre-releases should be seen as moderate.
Best Wishes,
Chris Travers
in recent advisories (that have this hole). But concerning CB Captcha, while it
works in Joomla 1.0 and Mambo, it doesn't work in Joomla 1.5, because it
uses another method to work with sessions, and for it another code must be
used (for clearing of the session).
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
----- Original Message -----
# For Contact : RxH@HotMail.iT
# Note : Yesterday I Help You !! Tomorrow Fuck Me !!! Fuck All Snitches !!! But Do You Know What !!! That's Is My Mistake
Best Wishes
every admin and web developer a chance to fix (I use advanced responsible
disclosure in 99%). And in most cases they just do lame things, like
ignoring and not fixing, or badly fixing, or hiddenly fixing without
thanking me, like it was with securityfocus.com in 2006 and many others.
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
----- Original Message -----
3D user cloud for Joomla (mod_democbusr3dcloud, mod_cbusr3dcloud and
mod_usr3dcloud). It's a commercial module with three versions - one free (demo
version) and two paid ones. And the hole in the 3D user cloud module (in all its
versions) is still not fixed.
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
----- Original Message -----
> 3. Admins of web sites.
> 4. Developers of the browsers.
>
> Which must give you a ground for thoughts.
>
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua
>
> ----- Original Message ----- From: "Susan Bradley" <sbradcpa@pacbell.net>
powerful enough, then this attack on IE8 and even on IE6 and IE7 can be not
so effective (because it's resource consumption in the case of IE, as I wrote),
as it can be on less powerful computers. And many people in the world have
not so powerful computers.
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
----- Original Message -----
significant burdens on employees, so the proper value should be
determined by each customer. The current default value (3600), which
sets the default value to one hour, is way too high though. This issue
will be documented as an issue in future versions of LedgerSMB.
Best Wishes,
Chris Travers
Thanks, I don't need help with informing browser vendors. They with no
doubts received all my letters in 2007-2010 and would receive all future
letters. But as said, I'll no longer be informing them about DoS holes. This
decision I made in August 2009 and it's a final decision.
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
----- Original Message -----
As I wrote before, my IE6 isn't affected by that hole in Chrome. Is your
IE7 affected by my Chrome exploit, or only by your AIM exploit? Because
if there is the mentioned hole, then it must be affected by both exploits.
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
----- Original Message -----
different versions of Vista as with XP, where XP Home and XP Professional
have different situations with default admin accounts. Which leads to a
vulnerability in XP Home. So I'm planning to investigate different versions
of Windows Vista to be sure.
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
----- Original Message -----
> have different situations with default admin accounts. Which leads to a
> vulnerability in XP Home. So I'm planning to investigate different
> versions
> of Windows Vista to be sure.
>
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua
>
> ----- Original Message ----- From: "Susan Bradley" <sbradcpa@pacbell.net>
(http://securityvulns.ru/Udocument911.html) and Cross-browser Code Execution
via XSS (http://securityvulns.ru/Udocument941.html), which I wrote in 2008
concerning this kind of vulnerability in browsers, and how the attack can be
elevated from XSS to CE.
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
----- Original Message -----
http://site/simpnews/news.php?layout=%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://site/simpnews/news.php?lang=en&layout=layout2&sortorder=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua