Full Disclosure mailing list archives

Of course you guys support full-disclosure


From: full-disclosure () lists netsys com (Rain Forest Puppy)
Date: Tue, 27 Aug 2002 14:28:14 +0000 (GMT)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

"rfp the ripper" refers to the recent Novell advisory that
accredits RFP with the discovery of a technique that, prima
facie, was dropped by some ~el8 sympathizer in a rant on this
list in order to point out what he/she/it considered a
technical blunder on the part of RFP and other prominent
whitehat web security figures. He/she/it alluded to the
Phrack article wherein RFP made the blunder. If the
vulnerability is related to the little useless bread crumb
dropped by said poster, which some say it is, then in all
respects the technique was "ripped". Now I'm sure the
poster is not suffering any degree of agony over this
small incident, but it is still an amusing reflection of
a larger pattern that has seen whitehats "leeching" and
standing on the shoulders of higher beings...

Well, I'm honored that you'd care so much to make some public statement
about me, but lemme let you in on a few secrets:

- - That Novell bug was sent to them in June.  This list was created in
July.  Thus a bit tough for me to rip something said on this list.

- - That ~el8 sympathizer got it wrong.  It was not a blunder, and it still
holds true:

The Phrack article discusses how to pass parameters to a program exec'd
*FROM WITHIN* a CGI.  You cannot pass POST parameters (STDIN) to these
applications because the parent CGI reads in and parses STDIN before the
sub-application is executed.  The ~el8 sympathizer was talking about
executing the CGI itself.  Two different things.

Perhaps you and the ~el8 sympathizer should go back and reread the
article.  And if you have questions in understanding it, please, feel free
to email me.

- - rfp

-----BEGIN PGP SIGNATURE-----
Comment: Public key at http://www.wiretrip.net/rfp/gpg-key.txt

iD8DBQE9a4Ck8z6qql3x7WgRAjmIAJ40iOsDGzsoNs9flnIxnyaDwN8W8ACeJOur
JanggeGY1WxcQXkWo9GmKWk=
=0+l5
-----END PGP SIGNATURE-----
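
The distinction drawn in the message above, as an added example that is not part of the original post or of the Phrack article: a parent CGI that has already read its POST body leaves nothing on STDIN for a program it executes, whereas a program run directly as the CGI receives the body. The `PARENT` and `CHILD` scripts, the `CHILD_SRC` variable and the sample body are constructed stand-ins.

```python
import os
import subprocess
import sys

# Constructed stand-in for the sub-application: reports how many bytes
# are still available to it on STDIN.
CHILD = "import sys; sys.stdout.write(str(len(sys.stdin.buffer.read())))"

# Constructed stand-in for the parent CGI: reads CONTENT_LENGTH bytes of
# POST data from STDIN (as a CGI parser does), then executes the
# sub-application, which inherits the same, now drained, STDIN.
PARENT = r'''
import os, subprocess, sys
n = int(os.environ.get("CONTENT_LENGTH", "0"))
body = sys.stdin.buffer.read(n)
child = subprocess.run([sys.executable, "-c", os.environ["CHILD_SRC"]],
                       stdout=subprocess.PIPE)
sys.stdout.write("parent=%d child=%s" % (len(body), child.stdout.decode()))
'''


def run_case(body: bytes, via_parent: bool) -> str:
    """Deliver `body` on STDIN the way a web server hands a POST to a CGI.

    via_parent=True : the program is exec'd from within a parent CGI.
    via_parent=False: the program is executed directly as the CGI itself.
    """
    env = dict(os.environ,
               REQUEST_METHOD="POST",
               CONTENT_LENGTH=str(len(body)),
               CHILD_SRC=CHILD)  # hypothetical variable carrying the child source
    src = PARENT if via_parent else CHILD
    result = subprocess.run([sys.executable, "-c", src], input=body, env=env,
                            stdout=subprocess.PIPE, check=True)
    return result.stdout.decode()


if __name__ == "__main__":
    post_body = b"user=alice&id=42"  # constructed sample POST body
    print("exec'd from within a CGI:", run_case(post_body, via_parent=True))
    print("executed as the CGI     :", run_case(post_body, via_parent=False))
```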



