ShifLOL
Posted by: 3ric
Date: July 18, 2007 03:01AM

How lame is that?

http://shiflett.org/csrf.php?csrf=javascript:alert(/I_AM_A_SECURITY_EXPERT/)

Execution on domain doesn't work for FF (only Safari, IE etc.), but anyways ...

Re: ShifLOL
Posted by: WhiteAcid
Date: July 18, 2007 03:35AM

you're the 4th person I've seen to find this exact flaw, well... you simply copied Esser's PoC.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Re: ShifLOL
Posted by: 3ric
Date: July 18, 2007 04:38AM

WhiteAcid Wrote:
-------------------------------------------------------
> you're the 4th person I've seen to find this exact
> flaw, well... you simply copied Esser's PoC.

And? Does it make it less funny?

Re: ShifLOL
Posted by: WhiteAcid
Date: July 18, 2007 04:39AM

<grumpy>Yes, it really does!
<foot action="put_down" />
:'(
</grumpy>

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Re: ShifLOL
Posted by: kuza55
Date: July 18, 2007 06:14AM

Who cares? I know it's easy to jump up and down and scream 'secure your shit' like the defacers tend to do, to semi-justify their actions (not that I'm saying you're a defacer, or as bad as them, I'm just pointing it out), but it really doesn't say anything about the person other than that they were a bit careless once.

Do we really need to act like such vultures? Preying on people's every mistake. It's really quite bad.

P.S. I know I'm prone to being an asshole and a vulture myself, but hopefully if I remind others, they'll remind me.

Re: ShifLOL
Posted by: Anonymous User
Date: July 18, 2007 06:30AM

Quote

Do we really need to act like such vultures? Preying on people's every mistake. It's really quite bad.

I agree - mistakes happen and a friendly mail pointing to that mistake is more than enough. But it seems some people generate their sense of achievement around their unfriendly and arrogantly wrapped findings. Grinning disclosure - yes. But 'OMFg hOW st000pid he is!!!eleven' is just childish (I'm exaggerating a lil' bit - forgive me guys...).

Re: ShifLOL
Posted by: ionic
Date: July 19, 2007 02:02AM

This is only one of many fuckups of the sooo great Shiflett.

There is a huge difference between a person that does a mistake once in a while. Everyone does that. But Shiflett does one mistake after another.

However the best one is still that he uploaded VULNERABLE example code with his talk to cvs.php.net which was then installed on talks.php.net and resulted in google finding these URLs and attacking the server. (Fileretrieval of the whole filesystem)

Hot Air is Hot Air is nothing more than Hot Air...

Re: ShifLOL
Posted by: 3ric
Date: July 19, 2007 02:57AM

@kuza55 / .mario:

Guys, I don't get your ethics: You post one XSS after another from sites where people (who maybe never imagine that those attacks are possible) have coded hundreds when not thousands lines of code and you laugh your ass off if there is a code injection vulnerability or logical flaw.

And then you start complaining when someone finds it fancy that a well paid web security researcher who wrote an attack tool with like 10 lines of code makes it prone to XSS.

So is this point of view from the "new type of hackers"?

I mean, who when not guys like Shiflett should really know what they are doing. I don't really care if he secures his stuff or not. But it's just totally hilarious to blame developers for making an error and making a bigger error at the same time - even if the impact won't be very interesting.

Re: ShifLOL
Posted by: Anonymous User
Date: July 19, 2007 03:13AM

Quote

and you laugh your ass off if there is a code injection vulnerability or logical flaw.

we do?

Re: ShifLOL
Posted by: kuza55
Date: July 19, 2007 06:30AM

ionic Wrote:
-------------------------------------------------------
> This is only one of many fuckups of the sooo great
> Shiflett.

I'm not really a fan of Shiflett myself, but that doesn't mean I think we shouldn't be vindictive.

> There is a huge difference between a person that
> does a mistake once in a while. Everyone does
> that. But Shiflett does one mistake after
> another.

Alright, so find a bunch of examples and post a rant, I won't say anything, if you can show that he consistently screws up, I'm all for it. What I don't think is useless is the whole webappsec community posting about how they found an XSS hole in something someone did.

> However the best one is still that he uploaded
> VULNERABLE example code with his talk to
> cvs.php.net which was then installed on
> talks.php.net and resulted in google finding these
> URLs and attacking the server. (Fileretrieval of
> the whole filesystem)

3ric Wrote:
-------------------------------------------------------
> @kuza55 / .mario:
>
> Guys, I don't get your ethics: You post one XSS
> after another from sites where people (who maybe
> never imagine that those attacks are possible)
> have coded hundreds when not thousands lines of
> code and you laugh your ass off if there is a code
> injection vulnerability or logical flaw.

Actually, if you have a look, the only XSS's I've ever posted were the ones in MySpace, and vBulletin, and the only reason I posted them was because they were interesting, MySpace, because I came up with some undocumented ideas, or ideas that hadn't been considered, and the vBulletin one was an interesting vuln, and vBulletin probably found it fairly quickly (I tried to sell it to them, but they didn't want to buy it, *shrug*)

I have _never_ EVER posted an XSS which is just someone forgetting to sanitize input. And I will most likely never do so unless it's a non-custom app and other people run it and need to know, but I'm probably not *going* to find those flaws, since I don't look or test for them. I'm interested in filters, because they are an obvious attempt to protect themselves - it's no fun doing the same thing over and over again.

> And then you start complaining when someone finds
> it fancy that a well paid web security researcher
> who wrote an attack tool with like 10 lines of
> code makes it prone to XSS.
>
> So is this point of view from the "new type of
> hackers"?
>
> I mean, who when not guys like Shiflett should
> really know what they are doing. I don't really
> care if he secures his stuff or not. But it's just
> totally hilarious to blame developers for making
> an error and making a bigger error at the same
> time - even if the impact won't be very
> interesting.

All I really wanted to say is that there's no need for us to laugh at people's mistakes, no matter how ironic they may be.

And even more importantly than that: Who the fuck cares? I honestly don't. It's a bit humorous, but it's in no way new or interesting.

P.S. Sorry, if that doesn't make sense, I was just annoyed that so many people had considered this news.

Re: ShifLOL
Posted by: shiflett
Date: August 03, 2007 01:07AM

"However the best one is still that he uploaded VULNERABLE example code with his talk to cvs.php.net which was then installed on talks.php.net and resulted in google finding these URLs and attacking the server."

For the record, this is an outright lie. (I don't think it's an honest mistake, because I know others have already corrected Stefan's misunderstanding.)

A few years ago, I gave a talk that described a tool someone might use to browse the filesystem on a shared server. Trying to claim that such a tool has a vulnerability is like trying to tell a gun manufacturer that their product isn't bullet-proof.

The "uploading" of this talk and the server misconfiguration that allowed all code samples in all talks to be accessed directly were someone else's doing. I hosted this same talk on my server for years without a problem.

Stefan excuses himself from XSS vulnerabilities on his own site but wants to blame me for vulnerabilities on sites I have nothing to do with.

Regarding the CSRF Redirector, WhiteAcid is the one I credit with discovering my mistake, because he's the one who bothered to let me know. I fixed it, said thanks, and moved on. I'm sure it's not the last mistake I'll make.

Most people here I respect. I'll continue to ignore the bad apples, and I hope you can do the same.

Re: ShifLOL
Posted by: Gareth Heyes
Date: August 03, 2007 03:37AM

Chris, are you still going on about this? We've all moved on I think. July 19, was the last post on this topic, what have you been doing? Fixing broken code?

and why are you telling everyone to ignore bad Apples? They might look nasty but they've got a juicy center, granted some will give you stomach ache now and again but in the end they make you stronger.

Regards
--A bad Apple

Re: ShifLOL
Posted by: Anonymous User
Date: August 03, 2007 06:33AM

Yep - please let's not resurrect this discussion again. It smelled in its lifetime and it will smell even more when unburied... can s.o. please close this thread?
