| Subject: | [Full-disclosure] Re: Re: ExplorerXP : Directory Traversal and CrossSiteScripting |
|---|---|
| Date: | Thu, 30 Mar 2006 19:38:17 +0100 |
Julien GROSJEAN - Proxiad wrote:
> A simple Google search returns that : http://www.phpscripts-fr.net/scripts/script.php?id=933

That depends on what you mean by "simple". I just put "ExplorerXP" into
Google, which I think is about as simple as you can get. That website
doesn't show up until the seventh page of results. (And strangely enough it
doesn't show up until the /eighth/ page of results at google.fr!)

So unless you had prior knowledge that it was French (I suppose I could
perhaps have guessed that from seeing the word 'chemin', but you can't
assume it's French just because the people reporting the vuln are from
France), or unless you somehow already knew that the correct spelling had
"Explorer" and "XP" as two separate words, I think the point remains: *all*
vuln announcements should say what the software is, where it comes from and
who makes it.

After all, for all you know there is /yet another/ php package out there
called ExplorerXp, and it's /that/ one they were talking about.

cheers,
DaveK
--
Can't think of a witty .sigline today....
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/