|Main Archive Page > Month Archives > full-disclosure-uk archives|
On 5/22/07, Amit Klein <email@example.com> wrote:
> Fair enough. Still, I expect at least the websecurity mailing list to
> give credit where credit is due...
Hmm, good point, No argument, but...as we see more of this character encoding set awareness I wonder:
If you look at the VX'er history they dealt with many of the same issues independent of network and appsec, yet we don't credit any of them... (probably because they largely wrote in Russian and Polish).
3. The reality is that we are going to see stuff like Cert advisories for
that are (or should be) pretty damn obvious, and redundant, as people start to understand charsets and encoding types more. Let's say I found a web-based
triple-decode shellcode canonicalization recently: is that a "new vuln"?
Unix Shellcode --> Hex URL --> HTML Hexdecimal Reference --> raw text
Should I publish a Cert advisory on this? I'm pretty sure their IDS isn't gonna catch it. In fact, I am pretty sure no one's is.
Who do I credit?
Not trying to escape responsibility by any means; I am having trouble getting my head around the depth of this hole though.
Thanks, -- Arian Evans software security stuff "Diplomacy is the art of saying "Nice doggie" until you can find a rock." -- Will Rogers
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/