 
Full Disclosure mailing list archives
Re: [FDSA] Notepad Highly Critical Cross-Site Scripting (XSS) Vulnerability
From: "worried security" <worriedsecurity () googlemail com>
Date: Thu, 17 Jan 2008 21:19:18 +0000
On Jan 17, 2008 6:40 PM, str0ke <str0ke () milw0rm com> wrote:
Fredrick Diggle wrote:
#######################################################################
======= 3) Proof of Concept =======
1. Open Notepad
2. Enter the following text <script>alert("xss");</script>
3. Save file as "exploit.html"
4. double click the payload file
#######################################################################
lmfao.
should we release the real exploit now? ok, there isn't one but there should be. good day for paranoids... i'll keep my eye on the milw0rm mailing list just in case. i guess we should just pass this off as a "funny" and not take the jack bauer federal attitude.
the problem with these "funnies" is what was originally a "funny" can turn into a real security event because the tip off gets hackers looking at notepad and it can often uncover a vulnerability. not directly related to the "funny" post on full-disclosure but indirectly because it gets people's taste buds and mind thought processes rolled into notepad exploitation mode. so while folks think the suggestion of watching out for notepad vulnerabilities in the next 48 hours etc may also seem like a "funny" it could in reality turn out to be an investment paid off. we should just hope it's a "security researcher" who hits on notepad and not an "exploit hacker". i can see something like this get put into the "multi exploit attack of trusted sites" attack vector that's doing the rounds according to recent media reports.
so while this is for the most part a "funny" and a "lmfao" it could actually trigger off a real life scenario that we should all be watching out for. valdis will back me up on this one because he like me we share the same mind thought continual on matters of the cyber security agenda threat risk analysis of inbound attacks and mailing list reports inaccurate or otherwise real. speculation is a healthy part of deciding who is a moron and who isn't, keep up the good work Fredrick Diggle or something.
do you know the big boys are on the list, jack bauer is not impressed but has written up a report to log the incident in case of exploit runs appear or/and disclosures released in the near future under another name where multiple hosts get compromised.
he'll be able to link back to this "funny" and point blame towards the "Fredrick Diggle" and ask for a subpoena to get your network connection data from your internet service provider to send the big boys over to have a word over your possible connections with a notepad virus/worm outbreak. moral of the story, you shouldn't do these things because you can end up getting into trouble even if you're not to blame, because remember there are a lot of folks in jail who haven't actually committed a cyber crime, but as long as the government provide information in a carefully crafted way to the jury then it's a 50/50 chance you could get jailed even through a false positive.
this list used to be a kid about but increasingly there is a sense of zero tolerance hitting the air on full-disclosure as hacking takes a turn for the worse in 2008 as cyber terrorism on control systems becomes a real and immediate possibility in 2008. the feds are considering now whether to bring in laws to protect full-disclosure from attacks, and false positive reporting by aliases, where a takeover of the list, flooding of the list, continuous posting of spam and useless information will be seen as a criminal offence and chargeable under the telephony communications act. full-disclosure is now going to be reclassified as critical infrastructure as a key site of importance which is seen as a terrorist target, so will be protected under the weight of the law.
that's not all, the full-disclosure list in the wake of the new cyber terrorism threat is readying to reclassify security researchers as cyber terrorist suspects and lists like this one will be seen as a key front line on the war on cyber terror. so, before you hit send on full-disclosure think about it the next time.
there are all sorts of changes being made so posts like this one will be seen as "wasting police time" and "disrupting critical infrastructure of national importance" so these days of play arounds are finally coming to an end and we should be more careful before using full-disclosure as a way to get attention towards a cyber threat that doesn't even exist (yet). this is an international mailing list we shouldn't have people dancing around on it making funny posts when there is national security at stake.
i'm going to write more on this later on, on the n3td3v mailing list to save people having to read my further rants on these matters, but it's a very serious subject that needs to be looked at, which i hope the government will look at as well. let's criminalize posts like fake security advisories. i think we should, let's do it! this is a grey area of the disruption of communications... it needs to be better clarified so Fredrick Diggles of the world know the line not to cross and so the feds have powers to fine / or jail people who are purposely wasting police time.
essentially, full-disclosure is reporting things to the police and it should be seen as such and not just "another hacker channel" to play around on. the biggest agencies of the land are on full-disclosure for one purpose, let's make things official so everyone knows where we stand. full-disclosure is no longer just a mailing list, it should be taken under full government control and the rules should be publicly set out.
this isn't about showing off anymore, there are media reports that hacking can shut down power stations and other shit, so i think everyone including me (n3td3v) should stop posting on full-disclosure, including gadi evron whose posts are increasingly "unuseful" should stop posting, because national cyber security folks are getting frustrated, and you could be stopping or delaying a real cyber terrorism threat getting sent to the list.
those with vested ego boosting posts and self promotion, full-disclosure is no longer for you, leave now, leave! i'm leaving, leave with me and leave the list for serious counter terrorism operations and let the feds get on with their work. full-disclosure is a crime scene, let's only have the criminals in it not the joke artists.
i'm all for the department of homeland security putting their logos on the full-disclosure info page to scare the kiddiots away. full-disclosure looks too neutral, they just don't realise the big boys are sitting on here and exactly the role this list plays in the fight against cyber crime and cyber terrorism. i guess bringing in new laws is the only way we can make them listen. uk is already banning security tools, united states is sure to follow.
the scene is evolving in its nature, there are real dangers now, it's not just about crashing 56k modems anymore, there are real economic and public safety issues around for the feds to get to grips with and these fake security advisories are extremely unhelpful and counterproductive.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


