From: Ian H. <li...@ho...> - 2006-09-07 23:23:47
George, while you might be technically savvy and understand the dangers of having an open installation on a public site, others may not be. This publicly disclosed vulnerability is a major problem for them. Why? Well, imagine this pseudo code:

    get list of sites showing SQL-Ledger from google
    for each on the list
        try creating a cookie with a basic guessable name
          (eg guest/demo/admin/<list of 100,000 common names>)
        for each one that works
            flag it for later exploitation by a human

This would probably take about a minute (or less) for each exposed site. I could get quite a couple of vulnerable systems in a couple of hours.

Unfortunately the people with open installations are probably not subscribed to this list, and are probably not even aware that there is a vulnerability.

This is why I hate full disclosure so much. He is doing a disservice to everyone by detailing the exploit on a public list.

On 08/09/2006, at 9:01 AM, GeorgeOsvald wrote:

> On Friday 08 September 2006 07:41, Christopher Murtagh wrote:
>
>> That is total BS. There are people who are using internet facing
>> installations of SL, this can be demonstrated by a google search for
>> 'SQL-Ledger version'.
>
> This is a total pile of crap. There is no way you could find my SQL-Ledger
> installation on the net. If anyone is so naive and is letting this happen
> then it is their fault but you should not say that every installation of SL
> is under threat. That is bullshit.
>
> _______________________________________________
> sql-ledger-users mailing list
> https://lists.sourceforge.net/lists/listinfo/sql-ledger-users

--
Ian Holsman
join http://gypsyjobs.com the marketplace for django developers