Re: [Full-disclosure] Unbelivable, Pangolin 3.2.3 free edition released
- To: Rain Liu <yu.liu@xxxxxxxxx>
- Subject: Re: [Full-disclosure] Unbelivable, Pangolin 3.2.3 free edition released
- From: Steven Pinkham <steve.pinkham@xxxxxxxxx>
- Date: Mon, 25 Apr 2011 11:31:22 -0400
Rain Liu wrote:
> Hi Steven Pinkham,
>
> I think this is an old question that has been answered. You can make
> settings in Pangolin main panel.
>
> "Edit->Setting->Oracle", change the "Remote Data URL" and "Remote Info
> URL" as you wish. Exit Pangolin and run it again to take effect.
>
> Here are example settings:
> http://www.nosec-inc.com/en/images/pangolin-oracle-setting.gif
>
> Wish you guys happy.
>
> BEST REGARDS TO YOU AND YOUR FAMILY
>
> Rain Liu
It's entirely possible that is all there is to it.
Let me be perfectly clear: For people in the real world to trust your
tool, those fields should be empty by default, and clear instructions
and demo code should be given on how to set that feature up on their own
servers. A poorly documented feature that sends your data to third
parties by default *is unacceptable*, and if you want professional users
to take you seriously data privacy needs to be the default.
There are still a lot of questions that are poorly documented, like:
How does the feature you call "bypass firewall" work? What, if any, 3rd
parties are involved?
Can you certify that there are no third parties involved in any action of
Pangolin besides the Oracle setting, or are there other undiscovered
pitfalls for the professional user? The existence of this poorly
documented, data-stealing-by-default option completely undermines my
trust in your tool, and I would be VERY cautious in any use of said tool.
Personally, I'd rather stick to open source, auditable tools whenever
possible, and sqlmap is my SQL injection tool of choice. Honestly, your
answers to these questions are not likely to make me switch (sqlmap is
*that good* in recent releases), but may serve to cut down on my abuse
of people who consider using your tool.
--
| Steven Pinkham, Security Consultant |
| http://www.mavensecurity.com |
| GPG public key ID CD31CAFB |
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/