Full Disclosure

A lightly moderated high-traffic forum for disclosure of security information. Fresh vulnerabilities sometimes hit this list many hours before they pass through the Bugtraq moderation queue. The relaxed atmosphere of this quirky list provides some comic relief and certain industry gossip. Unfortunately, most of the posts are worthless drivel, so finding the gems takes patience.

SCADA StrangeLove @Positive Hack Days

28 May, 2013 - 10:35

Posted by scadastrangelove on May 28

New tools and special PHDays releases.

Tools:
- profinet_scanner.py
- profinet_set_fuzzer.py
- s7_password_hashes_extractor.py

Slides:

“How to build your own Stuxnet” by SCADA StrangeLove team
“Industrial protocols for pentesters” by Alexander Timorin and Dmitry Efanov

http://scadastrangelove.blogspot.com/2013/05/scada-strangelove-positive-hack-days.html

Chao

Re: PayPal.com XSS Vulnerability

28 May, 2013 - 10:23

Posted by Jeffrey Walton on May 28

Well, I suppose they are going to fix the issue pointed out by Kugler
(and the additional issues from Parker).

Do you think PayPal trolls lemonade stands run by children and takes
their lemonade without paying to avoid possible legal problems?

Jeff

Re: PayPal.com XSS Vulnerability

28 May, 2013 - 09:53

Posted by Kirils Solovjovs on May 28

I suppose PayPal just wants to stay clear of any possible legal
trouble/issues/complications. It's easier that way.

Re: PayPal.com XSS Vulnerability

28 May, 2013 - 08:38

Posted by Zachary Cutlip on May 28

It may also be that in many countries, including the US where PayPal is based, it can be difficult to enter into a
legally binding contract with a minor. In many cases (with exceptions) a minor can void or exit a contract as they see
fit, so you enter into a contract with a minor at your own peril. Sometimes a way around this is for a parent to enter
into the contract on behalf of, or in addition to, the minor.

Zach

Re: PayPal.com XSS Vulnerability

28 May, 2013 - 08:30

Posted by Daniël W. Crompton on May 28

I'm pretty sure that a 17 year old can have a full-time job in most
countries in the world, besides there are plenty of examples of countries,
including most EU countries, that allow part-time work for kids in their
teens; paper routes; shelf stackers; etc.

D.

blaze your trail

Re: PayPal.com XSS Vulnerability

28 May, 2013 - 08:19

Posted by Jeffrey Walton on May 28

I'm probably splitting hairs here, but there appears to be a cultural
bias built in. At 17+, Robert would have been of age if he was
Japanese under "Kazoe" year-counting.

The humor was not lost upon me that politicians and lawyers are trying
to legislate morality. How ironic!

FTW: https://www.google.com/search?q=teenage+science+competition?

Jeff

Re: PayPal.com XSS Vulnerability

28 May, 2013 - 07:33

Posted by Dan Kaminsky on May 28

Heya Robert,

So there's this pile of law around the world around work and kids; it's
a rather recent development that <18 year olds can find problems that
multibillion dollar interests are willing to pay bounties for. The laws
are all trying to protect you from being made to pick berries or sew
t-shirts instead of going to class and playing outside.

Law may be code, but it compiles VERY slowly.

In general, you can talk...

13 more XSS on Paypal

28 May, 2013 - 05:37

Posted by John Parker on May 28

Dear Sir,

I recently found out 13 more XSS vulnerabilities and PayPal shows no
response. I am not a bad guy. But please make them aware about this issue
before any skid plays with this.

Regards,
Un0wn_X
Hello, I saw about the PayPal XSS vulnerability and I researched more and more. I found out that 13 more countries are
affected with this XSS attack.

https://www.paypal.com/ch/cgi-bin/searchscr?cmd=_sitewide-search...

Re: PayPal.com XSS Vulnerability

27 May, 2013 - 18:38

Posted by Jeffrey Walton on May 27

Hi Robert,

Interesting. The Bug Bounty page
(https://www.paypal.com/us/webapps/mpp/security/reporting-security-issues)
does not state there's an age restriction or minimum.

It appears PayPal is sending the message that it's best to sell the bug
privately, rather than participate in responsible disclosure (despite
what their Bug Bounty page states).

Has anyone written about the issue? For example, an established
researcher? I'd like to...

Backdoor scanners testing

27 May, 2013 - 15:37

Posted by MustLive on May 27

Hello participants of Full-Disclosure!

Today I wrote to WASC mailing list about my backdoor scanners testing
(http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2013-May/008832.html).

Last week I published the article with results of the testing. I was
planning to make this testing already in December, after I've released my
Backdoored Web Application (BWA) - a reference test of backdoors scanners
(...

Re: PayPal.com XSS Vulnerability

27 May, 2013 - 09:14

Posted by Robert Kugler on May 27

On the 29.03.2014 :)

Re: Sony PS3 Firmware v4.31 - Code Execution Vulnerability

27 May, 2013 - 09:12

Posted by Daniela Hermina on May 27


c0c0n 2013 CFP - Extended Deadline: 9 June, 2013

27 May, 2013 - 09:10

Posted by c0c0n International Information Security Conference on May 27

c0c0n 2013 CFP - Extended Deadline: 9 June, 2013

Thanks to everyone for all the paper submissions. The CFP Review Committee
will be evaluating the same for selection. Based on the requests received,
we are extending the CFP deadline to June 9, 2013 in the hope of receiving
a few more paper submissions.


DC4420 - London DEFCON - May meet - Tuesday 28th May 2013

27 May, 2013 - 09:09

Posted by Tony Naggs on May 27

The theme of the month is crypto, with 2 great talks for you ...

Primary Speaker:

Bjoern Paul Richard Schwabe, Freelancer

Title:

"Encryption in the cloud"

Synopsis:

SaaS cloud models for data storage such as Dropbox and Box have been
around for a long time. Zero-Knowledge SaaS did not get much attention
in the media and public, even though many ToC of traditional SaaS hold
sentences like these: "...In these cases, will...

[CVE-2013-2115] Struts 2.3.14.2 GA (important security fix)

27 May, 2013 - 09:07

Posted by Rene Gielen on May 27

The Apache Struts group is pleased to announce that Struts 2.3.14.2 is
available as a "General Availability" release. The GA designation is
our highest quality grade.

Apache Struts 2 is an elegant, extensible framework for creating
enterprise-ready Java web applications. The framework is designed to
streamline the full development cycle, from building, to deploying, to
maintaining applications over time.

A critical security issue was...

Barracuda SSL VPN 680 2.2.2.203 - Redirect Web Vulnerability

27 May, 2013 - 07:46

Posted by Vulnerability Lab on May 27

Title:
======
Barracuda SSL VPN 680 2.2.2.203 - Redirect Web Vulnerability

Date:
=====
2013-05-25

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=755

Barracuda Networks Security ID (BNSEC): 731

VL-ID:
=====
755

Common Vulnerability Scoring System:
====================================
1.3

Introduction:
=============
The Barracuda SSL VPN is an integrated hardware and software solution enabling secure, clientless...

Re: Sony PS3 Firmware v4.31 - Code Execution Vulnerability

27 May, 2013 - 07:37

Posted by Vulnerability Lab on May 27

Hello Julius,
after our team was reading your messages in the morning, I want to
respond shortly with some facts.

It was a file object code execution; to use it as html injection was only
one attack vector, and you have chosen the smallest.
Your view on the issue is restricted to see also other exploitation
vectors because you do not want to grant the researcher
the disclosure of the awesome vulnerability.

A Command injection (file|path) in the...

[ MDVSA-2013:168 ] python-httplib2

27 May, 2013 - 07:19

Posted by security on May 27

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2013:168
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : python-httplib2
Date : May 27, 2013
Affected: Business Server 1.0
_______________________________________________________________________

Problem Description:...

[ MDVSA-2013:167 ] openvpn

27 May, 2013 - 07:12

Posted by security on May 27

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2013:167
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : openvpn
Date : May 27, 2013
Affected: Business Server 1.0, Enterprise Server 5.0
_______________________________________________________________________

Problem...

DC4420 - London DEFCON - May meet - Tuesday 28th May 2013

27 May, 2013 - 04:47

Posted by Tony Naggs on May 27

[Repost, as my first try seems to be caught in the moderation queue
due to gmail / googlemail spelling issues.]

The theme of the month is crypto, with 2 great talks for you ...

Primary Speaker:

Bjoern Paul Richard Schwabe, Freelancer

Title:

"Encryption in the cloud"

Synopsis:

SaaS cloud models for data storage such as Dropbox and Box have been
around for a long time. Zero-Knowledge SaaS did not get much attention
in the media and...