RE: Purple Paper: Exegesis Of Virtual Hosts Hacking
Hello,
A quick peer review of the paper. First it is too simplistic.
You have not provided a detailed methidology nor any way of repeating/verifying
the data.
You have defined no method of detailing where virtual hosts are on separate
virtual machines, CHROOT environments, hardware cards, through accelerators etc.
"All these techniques are absolutely legal." Without detailing the techniques
this can not be determined. Also accessing a host without permission even if
they have not secured is still illegal (right or wrong)
Your conclusion may be one I agree with, but for the wrong reasons. The
conclusion does not follow from the evidence in the paper.
Lastly the tools you have used included have a high level of false positives.
No mention of this nor of any measures to reduce error have been mentioned.
Regards
Craig
-----Original Message-----
From: unknown.pentester@xxxxxxxxx [mailto:unknown.pentester@xxxxxxxxx]
Sent: Wed 8/03/2006 4:53 AM
To: bugtraq@xxxxxxxxxxxxxxxxx
Cc:
Subject: Purple Paper: Exegesis Of Virtual Hosts Hacking
What: Purple paper on discovery and exploitative vhost hacking
techniques.
Whom (target audience): pentesters.
Where:
http://public.gnucitizen.org/papers/exegesis.pdf
<http://public.gnucitizen.org/papers/exegesis.pdf>
http://www.ikwt.com/projects/exegesis.pdf
<http://www.ikwt.com/projects/exegesis.pdf>
Liability limited by a scheme approved under Professional Standards Legislation
in respect of matters arising within those States and Territories of Australia
where such legislation exists.
DISCLAIMER
The information contained in this email and any attachments is confidential. If
you are not the intended recipient, you must not use or disclose the
information. If you have received this email in error, please inform us
promptly by reply email or by telephoning +61 2 9286 5555. Please delete the
email and destroy any printed copy.
Any views expressed in this message are those of the individual sender. You may
not rely on this message as advice unless it has been electronically signed by
a Partner of BDO or it is subsequently confirmed by letter or fax signed by a
Partner of BDO.
BDO accepts no liability for any damage caused by this email or its attachments
due to viruses, interference, interception, corruption or unauthorised access.