[Dailydave] SquirrelMail GPG Plugin vuln
Charles Miller
cmiller at securityevaluators.com
Mon Jul 9 09:46:29 EDT 2007
> Isn't that always the point when you sell a vulnerability in open source
> software? If I want to sell you a lighttpd remote exploit and you trust me,
> then you know that such a thing exists and you will most probably invest
> more time in finding it yourself. The knowledge that something exploitable
> really exists is a good motivation to find it.
The problem extends beyond open source.

But anyway, there is a big difference between saying there is a
remote exploit in IIS and saying there is a command injection
vulnerability in the SquirrelMail GPG Plugin. I can probably rediscover
the SquirrelMail one in an hour, but I may never find the IIS one.

Also, the vulnerability Nicob pointed out was pre-auth (mine was
post-auth). I'm dying to know if version 2.1 patched the exploit they are
trying to sell!
Charlie
P.S. Sorry about the (No Subject)