[Full-disclosure] Re: Google Groups e-mail disclosure in plain text
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: [Full-disclosure] Re: Google Groups e-mail disclosure in plain text
- From: "Dave \"No, not that one\" Korn" <davek_throwaway@xxxxxxxxxxx>
- Date: Sat, 22 Apr 2006 17:32:23 +0100
n3td3v wrote:
> I'm not anti corporate. I'm anti people working within them making bad
> security choices, like Yahoo do. I'm anti Secunia, as they host FD,
> only because of the footer URL. If there was no footer URL, they
> wouldn't even have thought about hosting FD.
Try and get causality the right way round in time. If they hadn't thought
about hosting FD, there would be no footer URL. Because there would be no
FD.
>> You're slighting Secunia. At least Secunia does SOME original
>> research.
>
> Show me their original research. The list on their website is claimed
> to be, but isn't.
Secunia original advisories: taken from
http://secunia.com/secunia_research/, and not from the main advisory list,
where they are intermingled with all the non-Secunia advisories that they
archive.
Secunia Research - 2006
2006-22 Blazix Web Server JSP Source Code Disclosure Vulnerability
2006-21 AN HTTPD Script Source Disclosure Vulnerability
2006-20 Northern Solutions - RESERVED - Pending Disclosure
2006-19 Quick 'n Easy/Baby Web Server ASP Code Disclosure
Vulnerability
2006-18 New Atlanta Communications - RESERVED - Pending Disclosure
2006-17 NOD32 Scheduled Scan Privilege Escalation Vulnerability
2006-16 unalz Filename Handling Directory Traversal Vulnerability
2006-15 RaidenHTTPD Script Source Disclosure Vulnerability
2006-14 Deerfield.com - RESERVED - Pending Disclosure
2006-13 Dwarf HTTP Server Source Disclosure and Cross-Site Scripting
2006-12 IceWarp - RESERVED - Pending Disclosure
2006-11 Orion Application Server JSP Source Disclosure Vulnerability
2006-10 NetworkActiv Web Server Script Source Disclosure Vulnerability
2006-9 Lighttpd Script Source Disclosure Vulnerability
2006-8 America Online - RESERVED - Pending Disclosure
2006-7 Microsoft Internet Explorer "createTextRange()" Code Execution
2006-6 ArGoSoft Mail Server Pro viewheaders Script Insertion
2006-5 NJStar Word Processor Font Name Buffer Overflow
2006-4 Macallan Mail Solution IMAP Commands Directory Traversal
2006-3 NeoMail neomail-prefs.pl Missing Session ID Validation
2006-2 @Mail Webmail Attachment Upload Directory Traversal
2006-1 E-Post Mail Server Products Multiple Vulnerabilities
Secunia Research - 2005
2005-68 Adobe Document Server for Reader Extensions Multiple
Vulnerabilities
2005-67 WinACE ARJ Archive Handling Buffer Overflow
2005-66 Verity Keyview SDK Multiple Vulnerabilities
2005-65 Visnetic AntiVirus Plug-in for MailServer Privilege Escalation
2005-64 ADOdb Insecure Test Scripts Security Issues
2005-63 TUGZip ARJ Archive Handling Buffer Overflow Vulnerability
2005-62 IceWarp Web Mail Multiple File Inclusion Vulnerabilities
2005-61 Pegasus Mail Buffer Overflow and Off-by-One Vulnerabilities
2005-60 SpeedProject Products ZIP/UUE File Extraction Buffer Overflow
2005-59 MailEnable Buffer Overflow and Directory Traversal
Vulnerabilities
2005-58 Winmail Server Multiple Vulnerabilities
2005-57 Opera Command Line URL Shell Command Injection
2005-56 cPanel Entropy Chat Script Insertion Vulnerability
2005-55 ATutor Multiple Vulnerabilities
2005-54 ZipGenius Multiple Archive Handling Buffer Overflow
2005-53 WinRAR Format String and Buffer Overflow Vulnerabilities
2005-52 PHP-Fusion Two SQL Injection Vulnerabilities
2005-51 MySource Cross-Site Scripting and File Inclusion
Vulnerabilities
2005-50 PowerArchiver ACE/ARJ Archive Handling Buffer Overflow
2005-49 ALZip Multiple Archive Handling Buffer Overflow
2005-48 AhnLab V3 Antivirus ALZ/UUE/XXE Archive Handling Buffer
Overflow
2005-47 HAURI Anti-Virus ALZ Archive Handling Buffer Overflow
2005-46 Mantis "t_core_path" File Inclusion Vulnerability
2005-45 7-Zip ARJ Archive Handling Buffer Overflow
2005-44 SqWebMail Conditional Comments Script Insertion Vulnerability
2005-43 AVIRA Antivirus ACE Archive Handling Buffer Overflow
2005-42 Opera Mail Client Attachment Spoofing and Script Insertion
2005-41 ALZip ACE Archive Handling Buffer Overflow
2005-40 NOD32 Anti-Virus ARJ Archive Handling Buffer Overflow
2005-39 SqWebMail HTML Emails Script Insertion Vulnerability
2005-38 IBM Lotus Domino iNotes Client Script Insertion
Vulnerabilities
2005-37 Lotus Notes ZIP File Handling Buffer Overflow
2005-36 Lotus Notes UUE File Handling Buffer Overflow
2005-35 SqWebMail Attached File Script Insertion Vulnerability
2005-34 Lotus Notes TAR Reader File Extraction Buffer Overflow
2005-33 HAURI Anti-Virus ACE Archive Handling Buffer Overflow
2005-32 Lotus Notes HTML Speed Reader Link Buffer Overflows
2005-31 NetworkActiv Web Server Cross-Site Scripting Vulnerability
2005-30 Lotus Notes Multiple Archive Handling Directory Traversal
2005-29 IBM - RESERVED - Pending Disclosure
2005-28 Adobe Document/Graphics Server File URI Resource Access
2005-27 MDaemon Content Filter Directory Traversal Vulnerability
2005-26 Gossamer Threads Links Script Insertion Vulnerabilities
2005-25 Opera Download Dialog Spoofing Vulnerability
2005-24 HAURI Anti-Virus Compressed Archive Directory Traversal
2005-23 Novell NetMail NMAP Agent "USER" Buffer Overflow Vulnerability
2005-22 Mozilla Thunderbird Attachment Spoofing Vulnerability
2005-21 Internet Explorer Suppressed "Download Dialog" Vulnerability
2005-20 avast! Antivirus ACE File Handling Two Vulnerabilities
2005-19 Opera Suppressed "Download Dialog" Vulnerability
2005-18 Opera Image Dragging Vulnerability
2005-17 Ahnlab V3 Antivirus Multiple Vulnerabilities
2005-16 Netscape Property Manipulation Cross-Site Scripting
2005-15 Mozilla / Firefox Property Manipulation Cross-Site Scripting
2005-14 WhatsUp Small Business Report Service Directory Traversal
2005-13 WhatsUp Professional "Login.asp" SQL Injection
2005-12 Safari Dialog Origin Spoofing Vulnerability
2005-11 Mozilla Products Dialog Origin Spoofing Vulnerability
2005-10 Webroot Desktop Firewall Two Vulnerabilities
2005-9 Microsoft Internet Explorer Dialog Origin Spoofing
Vulnerability
2005-8 Opera Dialog Origin Spoofing Vulnerability
2005-7 Microsoft Internet Explorer Keyboard Shortcut Processing
Vulnerability
2005-6 Adobe Reader for Linux Insecure Temporary File Creation
2005-5 Opera "javascript:" URLs Cross-Site Scripting
2005-4 Opera 8 XMLHttpRequest Security Bypass
2005-3 Mathopd Insecure Dump File Creation Vulnerability
2005-2 Yahoo! Messenger File Transfer Filename Spoofing
2005-1 Konqueror Download Dialog Source Spoofing
Secunia Research - 2004
2004-21 Mozilla / Firefox "Save Link As" Download Dialog Spoofing
2004-20 My Firewall Plus Arbitrary File Corruption Vulnerability
2004-19 Opera Download Dialog Spoofing Vulnerability
2004-18 MercuryBoard "title" Script Insertion Vulnerability
2004-17 Ansel "image" SQL Injection and Script Insertion
Vulnerabilities
2004-16 My Firewall Plus Privilege Escalation Vulnerability
2004-15 Mozilla / Mozilla Firefox Download Dialog Source Spoofing
2004-14 Spy Sweeper Enterprise Client Privilege Escalation
2004-13 Multiple Browsers Window Injection Vulnerability
2004-12 Microsoft Internet Explorer "createControlRange()" Memory
Corruption
2004-11 Mozilla Firefox Download Dialog Spoofing Vulnerabilities
2004-10 Multiple Browsers Tabbed Browsing Vulnerabilities
2004-9 Pinnacle ShowCenter Skin File Cross-Site Scripting
Vulnerability
2004-8 Microsoft Internet Explorer Multiple Vulnerabilities
2004-7 Sun Java Plug-In Predictable File Location Weakness
2004-6 Yahoo! Messenger Audio Setup Wizard Privilege Escalation
2004-5 StarOffice / OpenOffice Insecure Temporary File Creation
2004-4 SquirrelMail Change_passwd Plugin Insecure Temporary File
Creation
2004-3 GdkPixbuf BMP Image Handling Denial of Service Vulnerability
2004-2 Opera Browser Address Bar Spoofing
2004-1 IBM Net.Data Macro Name Cross-Site Scripting Vulnerability
Secunia Research - 2003
2003-6 BRS WebWeaver Error Page Cross-Site Scripting Vulnerability
2003-5 Xeneo Web Server URL Encoding Denial of Service
2003-4 Opera browser filename extension buffer overflows
2003-3 FTPServer/X Response Buffer Overflow Vulnerability
2003-2 Alexandria-dev / sourceforge multiple vulnerabilities
2003-1 Opera browser Cross Site Scripting
> It's a purely scene whore website, with no Secunia
> original content. Maybe some folks reading the site haven't seen some
> content elsewhere, but that's more because Secunia don't state the
> original source, but they do state on their website at the bottom of
> advisories that their content is taken from third party websites,
> groups, researchers etc.
No, it's because you're so fucking thick you didn't even look at the right
page where they'd filtered out their own, Secunia-originated advisories.
>> Further, the service that Secunia provides is one of centralization
>> and organization. There are hundreds of points of delivery and
>> discussion for original research, Secunia itself being one of them.
>
> List your claim of their original research, thanks.
Proven in spades, moron.
> Secunia do none of the above. Go research on what they actually do,
> than reading their carefully crafted wording on their website(s).
You need to do more than just read that "carefully crafted wording". You
need to actually try and *comprehend* it, you illiterate simpleton. Secunia
are not to blame for the fact that you can't read plain English. It makes
it perfectly clear that their advisories come from third-party sources
unless explicitly stated otherwise.
" Please note: The information, which this Secunia Advisory is based upon,
comes from third party unless stated otherwise."
What part of that don't you understand? "Carefully crafted"? That's
plain bloody English, and you are just utterly blinded by your delusional
beliefs about what they say and do. So blinded that you weren't even able
to click on a couple of links or do a halfway less than pathetic attempt to
research the matter.
> It is not free. Secunia have given FD so much money, for the hidden
> agenda of the URL in the footer message. If they are hosting FD and
> it's secure, it's very much to protect their illegal spamming of
> thousands of mail boxes.
You're a paranoid kook. There is no such organisation as FD. It's a
mailing list. How the hell can anyone give money to a mailing list? And
how could anything be illegal spamming when you deliberately went and signed
up for it? FD uses double-opt-in, it's an exemplar of good practice in
mailing-list management.
> You're the only one who doesn't seem to understand my stance and why
> it makes sense. Trust me, I'm not alone on this one. Folks I speak to
> everyday
The voices in your head don't count.
Now why don't you keep your word for the first time in your life and fuck
off like you said you would?
cheers,
DaveK
--
Can't think of a witty .sigline today....
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/