[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Unbelivable, Pangolin 3.2.3 free edition released

To: Steven Pinkham <steve.pinkham@xxxxxxxxx>
Subject: Re: [Full-disclosure] Unbelivable, Pangolin 3.2.3 free edition released
From: "Zach C." <fxchip@xxxxxxxxx>
Date: Mon, 25 Apr 2011 14:19:00 -0700

Heh -- did anyone else just get spammed by these jokers?

In any case: even if you change this setting where they tell you to, does
the code actually honor the change or is it just a farce for the user's
benefit? And, perhaps more importantly, why should I have to grab it,
blindly trust it and run it to find out?

Besides even that, assuming the change was actually honored, how would one
go about creating a page that would work with it?

On Mon, Apr 25, 2011 at 8:31 AM, Steven Pinkham <steve.pinkham@xxxxxxxxx>wrote:

> Rain Liu wrote:
> > Hi Steven Pinkham,
> >
> > I think this is an old questions that have been answered. You can make
> > settings in Pangolin main panel.
> >
> > "Edit->Setting->Oracle", Change the "Remote Data URL" and "Remote Info
> > URL" as you wish. Exit pangolin and run it again to take effects.
> >
> > Here is example settings
> > http://www.nosec-inc.com/en/images/pangolin-oracle-setting.gif
> >
> > Wish you guys happy.
> >
> > BEST REGARDS TO YOU AND YOUR FAMILY
> >
> > Rain Liu
>
> It's entirely possible that is all there is to it.
> Let me be perfectly clear: For people in the real world to trust your
> tool, those fields should be empty by default, and clear instructions
> and demo code should be given on how to set that feature up on their own
> servers.  A poorly documented feature that sends your data to third
> parties by default *is unacceptable*, and if you want professional users
> to take you seriously data privacy needs to be the default.
>
> There's still a lot of questions that are poorly documented like:
> How does the feature you call "bypass firewall" work?  What if any 3rd
> parties are involved?
>
> Can you certify that there no third parties involved in any action of
> Pangolin besides the Oracle setting, or are there other undiscovered
> pitfalls for the professional user?  The existence of this poorly
> documented, data stealing by default option completely undermines my
> trust in your tool, and I would be VERY cautious in any use of said tool.
>
> Personally, I'd rather stick to open source, auditable tools whenever
> possible, and sqlmap is my sql injection tool of choice.  Honestly, your
> answers to these questions are not likely to make me switch(sqlmap is
> *that good* in recent releases), but may serve to cut down on my abuse
> of people who consider using your tool.
> --
>  | Steven Pinkham, Security Consultant    |
>  | http://www.mavensecurity.com           |
>  | GPG public key ID CD31CAFB             |
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

References:
- Re: [Full-disclosure] Unbelivable, Pangolin 3.2.3 free edition released
  - From: Rain Liu
- Re: [Full-disclosure] Unbelivable, Pangolin 3.2.3 free edition released
  - From: Steven Pinkham

Prev by Date: [Full-disclosure] Released Xfire Password Decryptor – Xfire Password Recovery Software
Next by Date: [Full-disclosure] inject sql in juventud.gov.ar
Previous by thread: Re: [Full-disclosure] Unbelivable, Pangolin 3.2.3 free edition released
Next by thread: [Full-disclosure] [TOOL RELEASE] T50 - an Experimental Mixed Packet Injector ( v5.3)
Index(es):
- Date
- Thread