Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security FullDisclosure
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Full-disclosure] Re: phpBB 2.0.17 (and other BB systems as well).

from [Valdis . Kletnieks] Network Security [Permanent Link]
Subject: Re: [Full-disclosure] Re: phpBB 2.0.17 (and other BB systems as well).
Date: Wed, 26 Oct 2005 02:45:17 -0400 
On Wed, 26 Oct 2005 00:18:23 CDT, Matthew Murphy said:


It is unclear to me if this is an SP2-only issue.  If it is, it can be
effectively mitigated by setting "Open files by content, not file
extension" to "Disable".  At the very least, Microsoft should turn off
this disastrous mistake of a "feature" in XP SP3.  Perhaps sooner...
like in the next IE critical update.


Never happen.  There's probably *so* many sites that are coded for this
specific "sometimes by content, sometimes by MIME type sent by web server,
sometimes by extension" dain bramage that Microsoft actually *fixing* this
would finally be the event that will cause the customers to rise up and
storm Microsoft HQ with torches and pitchforks.

And Microsoft *knows* they'd be under attack, which is why they haven't fixed 
it.

I'm not sure they can even fix this in Vista - they're going to have *enough*
backward-combatability problems slowing down corporate uptake of Vista as it
is, the last thing they need is adding to it. (Of course, an equal number of
sites won't upgrade to Vista if it ships and this stuff is *still* not fixed,
so Microsoft is caught between a rock and a hard place....)

Attachment: pgpAxmTbFiv3D.pgp
Description: PGP signature

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Full-disclosure] Re: phpBB 2.0.17 (and other BB systems as well)., Matthew Murphy
Next by Date:  [Full-disclosure] [SECURITY] [DSA 872-1] New koffice packages fix arbitrary code execution, Martin Schulze
Previous by Thread:  Re: [Full-disclosure] Re: phpBB 2.0.17 (and other BB systems as well)., Matthew Murphy
Next by Thread:  [Full-disclosure] Re: phpBB 2.0.17 (and other BB systems as well) Cookie disclosure exploit., Nicob
Indexes:  [Date] [Thread] [Top] [All Lists]