[Dailydave] (no subject)
Charles Miller
cmiller at securityevaluators.com
Fri Jul 6 11:56:47 EDT 2007
Have you guys seen the public auction site selling 0-days:
http://www.wslabi.com/wabisabilabi/initPublishedBid.do?
It's probably not a good idea to give out so much information about
the vulnerabilities. The Squirrelmail GPG Plugin one says it's a
command injection vulnerability. Shouldn't be too hard to rediscover
that. Looking at it for 10 minutes, it looks like the exec in
gpg_sign_attachment() where shell meta characters are in
$passphrase. I'm too lazy to install it and check. I guess I could
pay 1750 euros and find out! The MKPortal one looks pretty easy to
find too.
It's nice for someone to point these bugs out so we can go look for them!
Probably not the smartest way to run the site...
Charlie