Full Disclosure mailing list archives
Re: Vulnerability in reCAPTCHA for Drupal
From: "Zach C." <fxchip () gmail com>
Date: Thu, 17 Feb 2011 10:29:12 -0800
Well, just playing devil's advocate here, mind you, I think much of the irritation from MustLive's postings comes from the following three reasons:

1.) MustLive is primarily a web-application specialist (for the sake of argument).

2.) The vulnerabilities he finds are of a class of vulnerabilities that are most common in his field. (Consider: someone searching for vulnerabilities in internet services directly and doing the binary analysis will primarily be finding buffer or stack overflows, right? In web security, XSS and SQL injection (as well as others I'm undoubtedly forgetting -- I am *NOT* counting "not using a CAPTCHA" here, see next item) are the most common vulnerabilities, given the lack of binary code to overwrite.)

3.) Every so often he posts a vulnerability of questionable risk in the form of "anti-automation", which is essentially a fancy way of saying "ha ha, they don't use CAPTCHA." I don't consider that a vulnerability so much as an opening for annoyance; I suppose your mileage may vary.

My guess is that there's a thought that web apps are far easier to crack at than binaries, so vulnerabilities are easier to find, therefore don't waste time finding something that's "useless." That may be, in some cases, but sometimes a vulnerability in the web app destroys the entire chain, so to speak.

Thoughts?

-Zach

(P.S. Still just playing devil's advocate; sometimes they get to annoy the crap out of me too.)

On Thu, Feb 17, 2011 at 9:57 AM, Eyeballing Weev <eyeballing.weev () gmail com> wrote:
It's either he floods f-d with his "vulnerabilities" or he has to go out in the real world to farm dirt for export to the West.

On 02/17/2011 12:54 PM, Zach C. wrote:

fucking *two days*? Is that even enough time for the vendor to acknowledge?

_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Vulnerability in reCAPTCHA for Drupal MustLive (Feb 17)
- Re: Vulnerability in reCAPTCHA for Drupal Zach C. (Feb 17)
- Re: Vulnerability in reCAPTCHA for Drupal Eyeballing Weev (Feb 17)
- Re: Vulnerability in reCAPTCHA for Drupal Zach C. (Feb 17)
- Re: Vulnerability in reCAPTCHA for Drupal Michele Orru (Feb 17)
- Re: Vulnerability in reCAPTCHA for Drupal Valdis . Kletnieks (Feb 17)
- Re: Vulnerability in reCAPTCHA for Drupal Charles Morris (Feb 18)
- Message not available
- Message not available
- Re: Vulnerability in reCAPTCHA for Drupal Conor (Feb 18)
- Re: Vulnerability in reCAPTCHA for Drupal Zach C. (Feb 18)
- Re: Vulnerability in reCAPTCHA for Drupal Eyeballing Weev (Feb 17)
- Re: Vulnerability in reCAPTCHA for Drupal Zach C. (Feb 17)
- Re: Vulnerability in reCAPTCHA for Drupal Valdis . Kletnieks (Feb 18)
- Re: Vulnerability in reCAPTCHA for Drupal Charles Morris (Feb 18)
- Re: Vulnerability in reCAPTCHA for Drupal Ulisses Montenegro (Feb 19)