[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] OWASP LiveCD Vulnerabilities
- To: Brigette DéFaveur <blosoft@xxxxxxxxxxxxxx>
- Subject: Re: [Full-disclosure] OWASP LiveCD Vulnerabilities
- From: Fionnbharr <thouth@xxxxxxxxx>
- Date: Sat, 23 May 2009 02:06:08 +1000
THIS IS A PRETTY FUNNY ADVISORY
HA HA HA
2009/5/22 "Brigette DéFaveur" <blosoft@xxxxxxxxxxxxxx>:
> ************************** bloSOFT **************************
> Super Wowzer Hacker Team - Professional Vulnerability Assessments
>
> BLOsoft Research Team
> ------------------------------------------------
> Base Level Ops Securing Otherwise Fscked Tech!
>
>
>
> [POSTING NOTICE]
> --------------------------------------------------------------------------
> If you intend on pimping this advisory on your Geocities web page please
> create a clickable link back to our uberhawtness security page and include
> annoying use of the <blink> tag
>
> For more information about Hacking finger condor @well.com
>
> [Advisory Information]
> --------------------------------------------------------------------------
> Contact : Brigette DéFaveur
> Advisory ID : BLOSOFT-20090521
> Product Name : WebGoat
> Product Version : All versions
> Vendor Name : OWASP
> Type of Vulnerability : Multiple
> Impact : Extremely Critical, like wtf critical
> Vendor Notified : 20090521
>
> [Product Description]
> --------------------------------------------------------------------------
> "The Open Web Application Security Project (OWASP) is a worldwide free and
> open community focused on improving the security of application software.
> Our mission is to make application security visible, so that people and
> organizations can make informed decisions about true application security
> risks."
>
> Taken From:
> http://www.owasp.org/index.php/Main_Page
>
>
> [Technical Summary]
> --------------------------------------------------------------------------
> Webgoat is vulnerable to the following attacks:
>
> Cross-site Scripting (XSS)
> Access Control
> Hidden Form Field Manipulation
> Parameter Manipulation
> Session Cookies
> SQL Injection
>
> While performing our advanced superwowzer hackerfying analysis discovered
> that WebGoat is vulnerable to dozens if not billions of attacks if they
> were attacked by attackers.
>
>
> [Impact]
> --------------------------------------------------------------------------
> [Impact varies from installation to installation]
>
> - Cookie stealing
> - Cookie harassing
> - Cookie tampering
> - Tampering of harassed cookie
> - Harassing the thief tampering with cookies
> - High level advanced SQL injection (' or 1=1-- )
> - High level super advanced XSS <b onmouseover=alert('bloSOFT')>OMFG</b>
> - Improper sanitization of the blink tag
>
>
> [Proof Of Concept]
> --------------------------------------------------------------------------
> Download WebGoat and you too can see the trillions of exploits affecting
> this software. We will not pollute the www with another useless filth of
> a program designed to assist in the manipulation of security
>
>
> [Vendor Status and Chronology]
> --------------------------------------------------------------------------
>
> Current Vendor Status: OWASP has to many members that don't matter.
>
> Chronology:
> 05/21/2009 07:11:57 AM EST - Vulnerabilities Discovered
> 05/21/2009 07:11:59 AM EST - Vendor Notified
> 05/21/2009 07:12:18 AM EST - Requested vendor feedback via email
> 05/21/2009 07:13:23 AM EST - No response from vendor
> 05/21/2009 07:13:28 AM EST - Began advisory release process
>
>
> [Solution]
> --------------------------------------------------------------------------
> Leave Britney alone
>
>
> [Disclaimer]
> --------------------------------------------------------------------------
> bloSOFT assumes no liability for the use of the information provider in
> this disclosure. This advisory was released in an effort to prove our
> worthiness to the I.T. community. Although we may at times attempt to
> extort or blackmail companies in order to comply with our view of how
> security should be, we make no intelligent assumptions or decisions in
> releasing our security advisories.
>
>
> [Advertisement]
> --------------------------------------------------------------------------
> bloSOFT is focused on the core commitment to provide the whole wide world
> with security designs and solutions that fit. Our team consists of expert
> level engineers with an array of experience ranging from eggdrop shells,
> running nmap, re-hashing advisories and securitizing maximized potential
> designs with actionable digital intelligence catering to the professional
> hackers. Should you wish to place us at the top of "security review" by
> using an alias please do so. Although we might not be as elite as other
> companies like Netragard, bear in mind, even ImmunitySec isn't as elite
> or as talented as Netragard.
>
> http://secreview.blogspot.com/
>
>
> [Greets]
> --------------------------------------------------------------------------
> Simone Smithereen - we wub you oh grand masteress
> Kevin Finkelstein - we be done havin yo back slap mah fro
> Adrien DéFaveur - my brother, I know you didn't blackmail HP!
>
> All the rest - all the best
>
>
>
>
> --
> Be Yourself @ mail.com!
> Choose From 200+ Email Addresses
> Get a Free Account at www.mail.com
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/