[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] OWASP LiveCD Vulnerabilities
- To: "Fionnbharr" <thouth@xxxxxxxxx>, Brigette DéFaveur <blosoft@xxxxxxxxxxxxxx>
- Subject: Re: [Full-disclosure] OWASP LiveCD Vulnerabilities
- From: "Tomas L. Byrnes" <tomb@xxxxxxxxxxx>
- Date: Sat, 23 May 2009 17:22:18 -0700
Next thing you'll be telling us that Webscarab is a virus :-)
>-----Original Message-----
>From: full-disclosure-bounces@xxxxxxxxxxxxxxxxx [mailto:full-disclosure-
>bounces@xxxxxxxxxxxxxxxxx] On Behalf Of Fionnbharr
>Sent: Friday, May 22, 2009 9:06 AM
>To: Brigette DéFaveur
>Cc: full-disclosure@xxxxxxxxxxxxxxxxx; bugtraq@xxxxxxxxxxxxxxxxx
>Subject: Re: [Full-disclosure] OWASP LiveCD Vulnerabilities
>
>THIS IS A PRETTY FUNNY ADVISORY
>
>
>
>
>
>
>
>
>
>
>
>HA HA HA
>
>2009/5/22 "Brigette DéFaveur" <blosoft@xxxxxxxxxxxxxx>:
>> ************************** bloSOFT **************************
>> Super Wowzer Hacker Team - Professional Vulnerability Assessments
>>
>> BLOsoft Research Team
>> ------------------------------------------------
>> Base Level Ops Securing Otherwise Fscked Tech!
>>
>>
>>
>> [POSTING NOTICE]
>> ----------------------------------------------------------------------
>----
>> If you intend on pimping this advisory on your Geocities web page
>please
>> create a clickable link back to our uberhawtness security page and
>include
>> annoying use of the <blink> tag
>>
>> For more information about Hacking finger condor @well.com
>>
>> [Advisory Information]
>> ----------------------------------------------------------------------
>----
>> Contact : Brigette DéFaveur
>> Advisory ID : BLOSOFT-20090521
>> Product Name : WebGoat
>> Product Version : All versions
>> Vendor Name : OWASP
>> Type of Vulnerability : Multiple
>> Impact : Extremely Critical, like wtf
>critical
>> Vendor Notified : 20090521
>>
>> [Product Description]
>> ----------------------------------------------------------------------
>----
>> "The Open Web Application Security Project (OWASP) is a worldwide free
>and
>> open community focused on improving the security of application
>software.
>> Our mission is to make application security visible, so that people
>and
>> organizations can make informed decisions about true application
>security
>> risks."
>>
>> Taken From:
>> http://www.owasp.org/index.php/Main_Page
>>
>>
>> [Technical Summary]
>> ----------------------------------------------------------------------
>----
>> Webgoat is vulnerable to the following attacks:
>>
>> Cross-site Scripting (XSS)
>> Access Control
>> Hidden Form Field Manipulation
>> Parameter Manipulation
>> Session Cookies
>> SQL Injection
>>
>> While performing our advanced superwowzer hackerfying analysis
>discovered
>> that WebGoat is vulnerable to dozens if not billions of attacks if
>they
>> were attacked by attackers.
>>
>>
>> [Impact]
>> ----------------------------------------------------------------------
>----
>> [Impact varies from installation to installation]
>>
>> - Cookie stealing
>> - Cookie harassing
>> - Cookie tampering
>> - Tampering of harassed cookie
>> - Harassing the thief tampering with cookies
>> - High level advanced SQL injection (' or 1=1-- )
>> - High level super advanced XSS <b
>onmouseover=alert('bloSOFT')>OMFG</b>
>> - Improper sanitization of the blink tag
>>
>>
>> [Proof Of Concept]
>> ----------------------------------------------------------------------
>----
>> Download WebGoat and you too can see the trillions of exploits
>affecting
>> this software. We will not pollute the www with another useless filth
>of
>> a program designed to assist in the manipulation of security
>>
>>
>> [Vendor Status and Chronology]
>> ----------------------------------------------------------------------
>----
>>
>> Current Vendor Status: OWASP has to many members that don't matter.
>>
>> Chronology:
>> 05/21/2009 07:11:57 AM EST - Vulnerabilities Discovered
>> 05/21/2009 07:11:59 AM EST - Vendor Notified
>> 05/21/2009 07:12:18 AM EST - Requested vendor feedback via email
>> 05/21/2009 07:13:23 AM EST - No response from vendor
>> 05/21/2009 07:13:28 AM EST - Began advisory release process
>>
>>
>> [Solution]
>> ----------------------------------------------------------------------
>----
>> Leave Britney alone
>>
>>
>> [Disclaimer]
>> ----------------------------------------------------------------------
>----
>> bloSOFT assumes no liability for the use of the information provider
>in
>> this disclosure. This advisory was released in an effort to prove our
>> worthiness to the I.T. community. Although we may at times attempt to
>> extort or blackmail companies in order to comply with our view of how
>> security should be, we make no intelligent assumptions or decisions in
>> releasing our security advisories.
>>
>>
>> [Advertisement]
>> ----------------------------------------------------------------------
>----
>> bloSOFT is focused on the core commitment to provide the whole wide
>world
>> with security designs and solutions that fit. Our team consists of
>expert
>> level engineers with an array of experience ranging from eggdrop
>shells,
>> running nmap, re-hashing advisories and securitizing maximized
>potential
>> designs with actionable digital intelligence catering to the
>professional
>> hackers. Should you wish to place us at the top of "security review"
>by
>> using an alias please do so. Although we might not be as elite as
>other
>> companies like Netragard, bear in mind, even ImmunitySec isn't as
>elite
>> or as talented as Netragard.
>>
>> http://secreview.blogspot.com/
>>
>>
>> [Greets]
>> ----------------------------------------------------------------------
>----
>> Simone Smithereen - we wub you oh grand masteress
>> Kevin Finkelstein - we be done havin yo back slap mah fro
>> Adrien DéFaveur - my brother, I know you didn't blackmail HP!
>>
>> All the rest - all the best
>>
>>
>>
>>
>> --
>> Be Yourself @ mail.com!
>> Choose From 200+ Email Addresses
>> Get a Free Account at www.mail.com
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/