[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] Multiple vulnerabilities in SimpGB
- To: laurent.gaffie@xxxxxxxxx
- Subject: Re: [Full-disclosure] Multiple vulnerabilities in SimpGB
- From: "Cal Leeming [Simplicity Media Ltd]" <cal.leeming@xxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 7 Feb 2011 07:00:58 +0000
I think it's time for a group hug :|
On Sun, Feb 6, 2011 at 10:43 AM, Michele Orru <antisnatchor@xxxxxxxxx>wrote:
> ahaah.
> Nice reply Sparky.
> MustLive, seems you've been defaced :-)
>
> antisnatchor
>
> ------------------------------
>
> laurent gaffie <laurent.gaffie@xxxxxxxxx>
> February 5, 2011 3:36 AM
>
> Hey Sparky,
>
> One of the many many thing you didn't understand during the past 5 years is
> that you should probably try to identify and fix your stuff on *your*
> website, before spamming this ML with your crap.
> cf:
> http://www.zone-h.org/mirror/id/11367858
>
> e-tard.
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
> ------------------------------
>
> MustLive <mustlive@xxxxxxxxxxxxxxxxxx>
> February 4, 2011 10:49 PM
>
> Hello Laurent!
>
> You are very "intelligent" man, as I see from this and previous your letter
> (in 2010).
>
> You need to take into account the next:
>
> 1. I know better where to send.
>
> 2. If you write shitty stuff, then it doesn't mean that other do the same.
>
> 3. No need to think and state instead of other people - if it's not
> interesting for you, then it can be interesting for others.
>
> 4. The main and obvious thing it's that I write all my advisories from 2006
> for those people who are interested in them (and there are such people, as
> I
> know for sure). So if you or anybody else is not interested in them, just
> skip them (and don't need to write me nonsenses) - I'm writing my letters
> not for you, but for others who is interested in them and who thanks me for
> my work. It's strange that such "intelligent" man as you didn't understand
> it for last five years :-).
>
> 5. I don't need any not serious letters from you, so don't waste your time
> writing me anymore, because I've put your e-mail into blacklist. Spend your
> time for good things.
>
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua
>
> ----- Original Message -----
> From: laurent gaffie
> To: MustLive
> Cc: full-disclosure@xxxxxxxxxxxxxxxxx ; bugtraq@xxxxxxxxxxxxxxxxx
> Sent: Wednesday, January 26, 2011 5:09 PM
> Subject: Re: [Full-disclosure] Multiple vulnerabilities in SimpGB
>
>
> Send your shitty stuff to bugtraq@xxxxxxxxxxxxxxxxx
>
> If it's not obvious, no one give a shit here, seriously.
>
>
>
> 2011/1/27 MustLive <mustlive@xxxxxxxxxxxxxxxxxx><mustlive@xxxxxxxxxxxxxxxxxx>
>
> Hello list!
>
> I want to warn you about Cross-Site Scripting, Brute Force, Insufficient
> Anti-automation and Abuse of Functionality vulnerabilities in SimpGB.
>
> -------------------------
> Affected products:
> -------------------------
>
> Vulnerable are SimpGB v1.49.02 and previous versions.
>
> ----------
> Details:
> ----------
>
> XSS (WASC-08):
>
> POST request at page http://site/guestbook.php in parameters poster,
> postingid and location in Preview function. If captcha is using in
> guestbook, then working code of the captcha is required for the attack. Or
> via GET request:
>
>
> http://site/guestbook.php?layout=Til&lang=en&mode=add&postingid=1&poster=%3Cscript%3Ealert(document.cookie)%3C/script%3E&input_text=111111111111111111111111111111&preview=preview
>
>
> http://site/guestbook.php?layout=Til&lang=en&mode=add&postingid=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&poster=1&input_text=111111111111111111111111111111&preview=preview
>
>
> http://site/guestbook.php?layout=Til&lang=en&mode=add&postingid=1&poster=1&location=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&input_text=111111111111111111111111111111&preview=preview
>
> Brute Force (WASC-11):
>
> http://site/admin/index.php
>
> Insufficient Anti-automation (WASC-21):
>
> http://site/admin/pwlost.php
>
> In this functionality there is no protection from automated requests
> (captcha).
>
> Abuse of Functionality (WASC-42):
>
> http://site/admin/pwlost.php
>
> In this functionality it's possible to retrieve logins.
>
> ------------
> Timeline:
> ------------
>
> 2010.11.17 - announced at my site.
> 2010.11.19 - informed developers.
> 2011.01.25 - disclosed at my site.
>
> I mentioned about these vulnerabilities at my site
> (http://websecurity.com.ua/4690/).
>
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
> ------------------------------
>
> laurent gaffie <laurent.gaffie@xxxxxxxxx>
> January 26, 2011 4:09 PM
>
> Send your shitty stuff to bugtraq@xxxxxxxxxxxxxxxxx
>
> If it's not obvious, no one give a shit here, seriously.
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
> ------------------------------
>
> MustLive <mustlive@xxxxxxxxxxxxxxxxxx>
> January 26, 2011 3:15 PM
>
> Hello list!
>
> I want to warn you about Cross-Site Scripting, Brute Force, Insufficient
> Anti-automation and Abuse of Functionality vulnerabilities in SimpGB.
>
> -------------------------
> Affected products:
> -------------------------
>
> Vulnerable are SimpGB v1.49.02 and previous versions.
>
> ----------
> Details:
> ----------
>
> XSS (WASC-08):
>
> POST request at page http://site/guestbook.php in parameters poster,
> postingid and location in Preview function. If captcha is using in
> guestbook, then working code of the captcha is required for the attack. Or
> via GET request:
>
>
> http://site/guestbook.php?layout=Til&lang=en&mode=add&postingid=1&poster=%3Cscript%3Ealert(document.cookie)%3C/script%3E&input_text=111111111111111111111111111111&preview=preview
>
>
> http://site/guestbook.php?layout=Til&lang=en&mode=add&postingid=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&poster=1&input_text=111111111111111111111111111111&preview=preview
>
>
> http://site/guestbook.php?layout=Til&lang=en&mode=add&postingid=1&poster=1&location=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&input_text=111111111111111111111111111111&preview=preview
>
> Brute Force (WASC-11):
>
> http://site/admin/index.php
>
> Insufficient Anti-automation (WASC-21):
>
> http://site/admin/pwlost.php
>
> In this functionality there is no protection from automated requests
> (captcha).
>
> Abuse of Functionality (WASC-42):
>
> http://site/admin/pwlost.php
>
> In this functionality it's possible to retrieve logins.
>
> ------------
> Timeline:
> ------------
>
> 2010.11.17 - announced at my site.
> 2010.11.19 - informed developers.
> 2011.01.25 - disclosed at my site.
>
> I mentioned about these vulnerabilities at my site
> (http://websecurity.com.ua/4690/).
>
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/