From: GeorgeOsvald <geo...@ya...> - 2006-09-08 05:45:08
On Friday 08 September 2006 09:15, Ian Holsman wrote:
> George.
> while you might be technically savvy and understand the dangers of
> having an open installation on a public site, others may not be.
>
> this publicly disclosed vulnerability, is a major problem for them.
>
> why.. well imagine this pseudo code
>
> get list of sites showing SQL-ledger from google

And that was exactly my point. That is what you have to avoid. There is no reason why your SQL-LEDGER server should be visible to robots. Unless you know exactly where to go or try to piggyback my connection you will simply not find my server. I can connect to it from home or anywhere but it is not visible at all.

> for each on the list
> try creating a cookie with a basic guess-able name.. (eg guest/demo/admin/<list of 100,000 common names)
> for each one that works flag it for later exploitation by a human
>
> this would probably take about a minute (or less) for each exposed site.. I could get quite a couple vulnerable systems in a couple of hours.
>
> unfortunately the people with open installations are probably not subscribed to this list, and are probably not even aware that there is a vulnerability.
>
> This is why I hate full disclosure so much. he is doing a disservice to everyone by detailing the exploit on a public list.
>
> On 08/09/2006, at 9:01 AM, GeorgeOsvald wrote:
> > On Friday 08 September 2006 07:41, Christopher Murtagh wrote:
> >> That is total BS. There are people who are using internet facing installations of SL, this can be demonstrated by a google search for 'SQL-Ledger version'.
> >
> > This is a total pile of crap. There is no way you could find my SQL-Ledger installation on the net. If anyone is so naive and is letting this happen then it is their fault but you should not say that every installation of SL is under threat. That is bullshit.
> >
> > _______________________________________________
> > sql-ledger-users mailing list
> > sql...@li...
> > https://lists.sourceforge.net/lists/listinfo/sql-ledger-users
>
> --
> Ian Holsman
> Ia...@Ho...
> join http://gypsyjobs.com the marketplace for django developers
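The enumeration Ian sketches above has an obvious signature on the defender's side: one client cycling through many different login names in a short burst. The following Python is an added example, not code from this thread or from SQL-Ledger; the access-log format, the `login.pl` path and the `login=` parameter are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines (not real traffic). The login.pl path and
# the "login=" parameter are assumptions standing in for however a given
# SQL-Ledger install logs login attempts; adjust the regexes to your logs.
SAMPLE_LOG = """\
203.0.113.7 - - [08/Sep/2006:09:15:01 +1000] "GET /sql-ledger/login.pl?login=guest HTTP/1.1" 200 512
203.0.113.7 - - [08/Sep/2006:09:15:02 +1000] "GET /sql-ledger/login.pl?login=demo HTTP/1.1" 200 512
203.0.113.7 - - [08/Sep/2006:09:15:02 +1000] "GET /sql-ledger/login.pl?login=admin HTTP/1.1" 200 512
203.0.113.7 - - [08/Sep/2006:09:15:03 +1000] "GET /sql-ledger/login.pl?login=test HTTP/1.1" 200 512
198.51.100.9 - - [08/Sep/2006:09:20:00 +1000] "GET /sql-ledger/login.pl?login=george HTTP/1.1" 200 512
198.51.100.9 - - [08/Sep/2006:09:20:04 +1000] "GET /sql-ledger/login.pl?login=george HTTP/1.1" 200 512
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?:GET|POST) (?P<path>\S+)')
LOGIN_RE = re.compile(r'/login\.pl\?.*\blogin=(?P<user>[^&\s]+)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_login_attempts(log_text):
    """Yield (timestamp, client_ip, attempted_login_name) for each login request."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        lm = LOGIN_RE.search(m.group("path"))
        if not lm:
            continue
        yield datetime.strptime(m.group("ts"), TS_FMT), m.group("ip"), lm.group("user")

def find_enumerating_clients(log_text, window=timedelta(minutes=1), threshold=3):
    """Return {ip: sorted distinct login names} for every client that tried at
    least `threshold` distinct names within a `window`-long span of attempts."""
    attempts = defaultdict(list)
    for ts, ip, user in parse_login_attempts(log_text):
        attempts[ip].append((ts, user))
    flagged = {}
    for ip, events in attempts.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            names = {u for t, u in events[i:] if t - start <= window}
            if len(names) >= threshold:
                flagged[ip] = sorted(names)
                break
    return flagged

if __name__ == "__main__":
    for ip, names in find_enumerating_clients(SAMPLE_LOG).items():
        print(f"{ip} tried {len(names)} distinct login names: {', '.join(names)}")
```

A legitimate user retrying the same name is not flagged; only a spread of distinct names from one source within the window is, so the threshold and window are the knobs to tune against your own traffic.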