I'm sorry
On Monday 17 September 2007 13:26:36 Roger A. Grimes wrote:
> I'm sorry, we'll have to agree to disagree. I don't see the new attack
> vector here. I, the attacker, have to make you download my malicious
> trojan program, which you install on your computer.
Irrespective of the rest of what Roger says (which I agree with FTR), this bit
is simply wrong. Look at the PoC that has been made public:
https://strikecenter.bpointsys.com/articles/2007/08/26/vista-gadget-patches-in-ms07-048
Cc: bugtraq@securityfocus.com; tmb@65535.com; vuln-dev@securityfocus.com; webappsec@securityfocus.com
Subject: RE: Re[2]: [Full-disclosure] Next generation malware: Windows Vista's gadget API
"Roger A. Grimes" <roger@banneretcs.com> writes:
>I'm sorry, we'll have to agree to disagree. I don't see the new attack vector
>here. I, the attacker, have to make you download my malicious trojan program,
>which you install on your computer.
It's not so much the attack vector, it's the usability issue. This makes it
just too easy to convince users to download and execute untrusted content.
Any way you cut it, UAC is worthless in this circumstance.
> The argument that owning a physical machine automatically means game over
> just isn't true. We should be able to say the same thing about a VM.
I'm sorry, but your expectations for the use and value of virtual machines
are very much out of step with reality.
--Arthur Corliss
Live Free or Die
it has not been a major concern.
> PS- My do not mean to flame you personally Shane. My frustration is
> directed at the ISC generally.
I'm sorry you're frustrated. There are a lot of ways you can change the
direction of ISC development. Firstly, you can submit source code - we like that
one especially. Secondly, you can fund development, and have us develop code
that you need or want done. Thirdly, you can join the BIND Forum and give us
recommendations and feedback there. Or fourth, you can simply ask us.
I'm sorry, I just wrote some real sites to confirm the truth of my finding; now I have removed it. And thanks to you.
Discuz! is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Discuz! 6.0.0 is vulnerable; other versions may also be affected.
Discuz! Home Page: http://www.discuz.com/
I'm sorry if I'm not on the right list to ask this question, but does anyone know the security contact mail for the Lexmark company?...
Thanks all
I'm sorry, but your screenshot actually leads me to not have much more
confidence. I noticed your titlebar is modified, so that tells me the
script is most likely modified in some way. Provide us with a pure
script, please. Also, on an unrelated note, why are you running
professional? Why did you blank out the bottom half of the window?
What are you hiding?
On Wed, 2008-08-20 at 20:56 -0600, beenudel1986@gmail.com wrote:
> Checkmarx Research Labs has identified a new critical vulnerability in
> Internet Explorer (other browsers are probably exposed the same way) that
> would allow hackers to easily compromise web applications.
I'm sorry if this response sounds harsh, but phrases such as "critical
vulnerability" and "compromise web applications" caught my eye.
The paper seems to focus on collecting information by navigating to
pages that will conditionally redirect the browser somewhere else
through certain types of client-side navigation (but as I understand
the same for any program downloaded in IE and run by the user, or for a
Sidebar gadget. IE-PM protects you from the stuff the browser downloads
when you surf to a web site, but not from anything you intentionally
install.
I'm sorry, we'll have to agree to disagree. I don't see the new attack
vector here. I, the attacker, have to make you download my malicious
trojan program, which you install on your computer.
I see a new piece of software that might entice users to download more
programs, but that's it. The only increased risk you have is that
I'm sorry ... this is not vulnerable. I confused the program
2008/10/22 Pepelux <pepelux@enye-sec.org>:
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
> vshop - Axcoto cart <= 0.1alpha / Local File Inclusion Vulnerability
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>
> $ Program: vshop - Axcoto cart
If one would like the XSS to be triggered directly on the site the user enters, one can prepend > after ">.
Example: (thanks to Rohit Bansal for this information)
http://www.website.tld/achievo/dispatch.php?atknodetype=&atkaction=">><script>alert(1)</script>&atklevel=-1&atkprevlevel=0&achievo=cgvuu4c9nv45ofdq8ntv1inm82
I'm sorry i didn't check other sites before submitting.
All of the best,
MaXe
>But if you're worried that your users will click past 3 to 5 warning messages
I'm sorry.
This system calls Small Pirate, not Small Pirates.
Mea culpa ;)
Which made FireFox consume from 100mb ram to 250mb in less than 5-7 seconds. (I haven't been able to check how much more resources it might consume if I ran it longer, but it would render my Windows installation at work useless).
This will ONLY work if FireFox does NOT know which program to use.
If FireFox knows the application and thereby won't ask, then the above script would only consume 15-25% of the CPU resources, but no extra ram.
I'm sorry if this has already been reported for FireFox, I just stumbled over it.
If someone decides to make this a DoS vulnerability then I believe some credit (to me) is in order ;-) (I'll post it on my own website anyway, giving you credit too of course.)
Internet Explorer 7 version: 7.0.5730.13 will by the way consume up to 70% of the CPU if the same script is run. However it will not trigger a DoS condition in IE nor Windows, except if you might have a lot of other heavy programs running.
sure what the current algorithms are... please pardon my ignorance. If
BIND is reusing bound UDP ports for multiple queries in a row, then that
definitely reduces the entropy.
thanks for your suggestion. No, I didn't try this, because the servers
containing the DRAC4 cards are in productive use and I don't want to
enlarge downtimes. As already described in the advisory, the vendor seems
to be able to reproduce the issue.
I'm sorry, but for the moment I'm unable to do so anyway, because of the
new paragraph/law on combating computer crime here in Germany. First
I would have to contact a lawyer to make sure that these actions aren't
criminal at all.
This problem affects all versions of Puppet Dashboard.
When I reported this as a problem to Puppet Labs, their response was
also alarming:
"I'm sorry it took so long to get back to you. We definitely don't
recommend people put their Dashboards on the public internet, but it's not
a code level security problem for us. I have instructed the docs
people here to update to reflect the recommendation more strongly."
Puppet Dashboard is wide open by default, has no built in security.