Re[4]: Informing Companies about security vulnerabilities...

From: Matthew Leeds (mleeds@theleeds.net)
Date: Fri Oct 06 2006 - 12:11:54 EDT


I'm on a mailing list from a publishing company. They send out HTML-formatted email; I use a POP client that can be toggled not to render HTML. Consequently I get something that looks like this:

==========snip==============

Adobe Adds Blogging to Contribute 4
<http://www.econtentmag.com/Articles/ArticleReader.aspx?ArticleID=18335>

Adobe Systems Incorporated has announced the immediate availability of
Adobe Contribute 4 software, a new version of its web publishing
solution designed for business, education, and government workers to
contribute content to the web without having to learn HTML.
[
http://www.econtentmag.com/Articles/ArticleReader.aspx?ArticleID=18335]
[ Back to Contents...]

==========snip==============

Now, clicking on the first link works correctly; however, the second renders interesting results. Would my clicking on the second link be considered a trespass? A pen test? The form of the link is an artifact of the transmission of the email.

This is, of course, aside from the wisdom of displaying verbose error messages of the type found when clicking on this link.

----------
---Matthew
*********** REPLY SEPARATOR ***********

On 10/5/2006 at 9:06 PM none@none.com wrote:

>so sticking ' or 1=1 or any variant like that is all that it takes to
>conduct a pen test?
>
>or just sticking <script> tags into forms and seeing the response is a
>pen test?
>
>is using a web scanner that tests for XSS or SQL injection a pen test?
>
>running some BS web scanner against a site isn't a pen test even though
>a lot of people on this list seem to think it is...
>
>------------------------------------------------------------------------
>This List Sponsored by: Cenzic
>
>Need to secure your web apps?
>Cenzic Hailstorm finds vulnerabilities fast.
>Click the link to buy it, try it or download Hailstorm for FREE.
>http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
>------------------------------------------------------------------------

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:08 EDT