[VIM] S@BUN posts

Steven M. Christey coley at linus.mitre.org
Thu Feb 21 19:18:12 UTC 2008


On Thu, 21 Feb 2008, str0ke wrote:

> I can disclose vulnerable targets if it would help to figure out version
> / other information.  I don't have the time currently to keep tracking
> version information with the amount he's submitting in.  Maybe we can all
> help each other out :)

I'm not sure that listing vulnerable targets would be overly helpful,
since we can get them with the right Google query anyway.  Also, it would
be more directly exposing those sites to the issues.

> The main problem is that I'm allowing his work in without version
> information and others will start following suit, which will get even
> worse.

This is definitely a concern, but if researchers can't get through milw0rm
then they'll go somewhere else, and the VDBs will follow them to whatever
place they post to, so it's just moving the problem around.  And there's
always Full-Disclosure.

> He's finding SQL injections pretty quickly for widely used
> components/modules.  Betting he's using an automated SQL injection
> scanner in the wild, mostly because of the dorks and lack of information
> on the product when chatting with him.

If he's learning about these modules from specific sites, like some
massive Joomla! component list somewhere, then it would be great to know
what those sites are, since they probably have forward links to the
developer's site.  (This is what r0t was doing a couple of years ago when he
found hundreds of issues.)  It doesn't appear that S@BUN is using the
standard (English-language) module repositories.  But if S@BUN is just
randomly crawling the web, we might be out of luck.


Thanks!
Steve

