Bugtraq mailing list archives

RE: Purple Paper: Exegesis Of Virtual Hosts Hacking


From: "Craig Wright" <cwright () bdosyd com au>
Date: Wed, 8 Mar 2006 06:04:40 +1100


Hello,
A quick peer review of the paper. First it is too simplistic. 
 
You have not provided a detailed methodology nor any way of repeating/verifying the data.
 
You have defined no method of detailing where virtual hosts are on separate virtual machines, CHROOT environments, 
hardware cards, through accelerators etc.
 
"All these techniques are absolutely legal." Without detailing the techniques this can not be determined. Also 
accessing a host without permission, even if they have not secured it, is still illegal (right or wrong)
 
Your conclusion may be one I agree with, but for the wrong reasons. The conclusion does not follow from the evidence in 
the paper.
 
Lastly the tools you have used included have a high level of false positives. No mention of this nor of any measures to 
reduce error have been mentioned.
 
Regards
Craig

        -----Original Message----- 
        From: unknown.pentester () gmail com [mailto:unknown.pentester () gmail com] 
        Sent: Wed 8/03/2006 4:53 AM 
        To: bugtraq () securityfocus com 
        Cc: 
        Subject: Purple Paper: Exegesis Of Virtual Hosts Hacking
        
        
        What: Purple paper on discovery and exploitative vhost hacking techniques.
        
        Whom (target audience): pentesters.
        
        Where:
        http://public.gnucitizen.org/papers/exegesis.pdf
        http://www.ikwt.com/projects/exegesis.pdf

