Mailing List Archive

: From: Mark Litchfield <mark () securatary com>

: As previously stated, I would post an update for Ektron CMS bypassing
: the security fix.

: A full step by step with the usual screen shots can be found at -
: http://www.securatary.com/vulnerabilities

Uh... you expect people to login to your site with their Facebook or
Twitter credentials, to access these advisories?

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

On 2/4/2014 2:51 PM, security curmudgeon wrote:
>
> : From: Mark Litchfield <mark () securatary com>
>
> : As previously stated, I would post an update for Ektron CMS
> bypassing : the security fix.
>
> : A full step by step with the usual screen shots can be found at - :
> http://www.securatary.com/vulnerabilities
>
> Uh... you expect people to login to your site with their Facebook or
> Twitter credentials, to access these advisories?

Errr no ?? Use the other option ?? And if you don't want to register,
don't bother !!

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

: > : From: Mark Litchfield <mark () securatary com>
: >
: > : As previously stated, I would post an update for Ektron CMS bypassing :
: > the security fix.
: >
: > : A full step by step with the usual screen shots can be found at - :
: > http://www.securatary.com/vulnerabilities
: >
: > Uh... you expect people to login to your site with their Facebook or Twitter
: > credentials, to access these advisories?
:
: Errr no ?? Use the other option ?? And if you don't want to register, don't
: bother !!

Links from /vulnerabilities, directly from advisories off the Research
page, and even "Follow us on Twitter" all drop back to a login page asking
for authentication using either Facebook or Twitter.

This is not the behavior of the site as of 48 hours ago.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

On 2/4/2014 3:01 PM, security curmudgeon wrote:
> : > : From: Mark Litchfield <mark () securatary com>
> : >
> : > : As previously stated, I would post an update for Ektron CMS bypassing :
> : > the security fix.
> : >
> : > : A full step by step with the usual screen shots can be found at - :
> : > http://www.securatary.com/vulnerabilities
> : >
> : > Uh... you expect people to login to your site with their Facebook or Twitter
> : > credentials, to access these advisories?
> :
> : Errr no ?? Use the other option ?? And if you don't want to register, don't
> : bother !!
>
> Links from /vulnerabilities, directly from advisories off the Research
> page, and even "Follow us on Twitter" all drop back to a login page asking
> for authentication using either Facebook or Twitter.
>
> This is not the behavior of the site as of 48 hours ago.
Let me check. Normal registration should also be available ? Infact I
will remove the registration.

The purpose of this whole registration in the first place was to allow
for future postings I am going to make later this week that would only
be available to registered users. Not necessarily vulnerabilities, but
useful "stuff" for pentesting. Also all registered users would be given
a 48 hours head start on any new vulnerabilities that I post in the future.

All the best

Mark

Mark

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

: > This is not the behavior of the site as of 48 hours ago.

: Let me check. Normal registration should also be available ? Infact I
: will remove the registration.
:
: The purpose of this whole registration in the first place was to allow
: for future postings I am going to make later this week that would only
: be available to registered users. Not necessarily vulnerabilities, but
: useful "stuff" for pentesting. Also all registered users would be given
: a 48 hours head start on any new vulnerabilities that I post in the
: future.

Which is great, but I strongly recommend you allow a site-specific
registration for such purposes. Giving up one of the two dominant social
media accounts for it is excessive.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

s/with their Facebook or Twitter credentials//g


On Tue, Feb 4, 2014 at 10:51 PM, security curmudgeon
<jericho@attrition.org>wrote:

>
> : From: Mark Litchfield <mark () securatary com>
>
> : As previously stated, I would post an update for Ektron CMS bypassing :
> the security fix.
>
>
> : A full step by step with the usual screen shots can be found at - :
> http://www.securatary.com/vulnerabilities
>
> Uh... you expect people to login to your site with their Facebook or
> Twitter credentials, to access these advisories?
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>