Flayedskin

Bringing the issue to everyones attention is one thing, in the same breath posting a link to another site that has a tool which SOUL purpose is to exploit this type of vulnerability...that is something else.

The site rules state this specifically:

"D. Criminal Law: Don’t post instructions on how to build a drug lab, an explosive device, or any other information that if used would result in a crime. Never link to pages containing this type of information."

"E. Civil Law: Do not post anything that would violate any NDA, user agreement of any game, or information about how to "hack," "cheat," or “exploit” any game. Do not post anything that violates anyone else’s copyright, trademark or other intellectual property rights."

The link he posted in his post was to a TOOL that is used specifically for hacking purposes. He further stated that the vulnerability he listed was exploitable by using the tool he linked. The linked page would not be used for legitimate purpose period since its used for hashing passwords so the user can illegally enter someone else's web site. This IS a criminal act. The site rules expressly forbid this. There are many different ways Vorfu could have stated his information that WOULD have been in compliancy with the site rules. I will give an example:

This post that I quoted is NOT in violation of the site rules and puts out the same information that the first one the user did (actually it puts out more information).

Use of the information provided by the link violates US Civil Copyright protection. I will quote the portion of the The Digital Millennium Copyright Act of 1998 for those that have no clue where to find such information (http://www.copyright.gov/legislation/dmca.pdf).

The reason why LFG has the site rule for links is (According to the DMCA) he is liable to civil liability since:

LFG is subject to liability because he does benefit financially from having links posted on his site since he receives advertising revenue for banner ads displayed on his site.

So since I had to draw the legal reasons WHY this violated the site rules LFG's site rules should be enforced

gm9

I'm no native English speaker but you sir must be from another planet. Your post is basically random words. Did you even read what you posted? None of your quotes even goes with your text, and your text does not make a lot of sense in the first place.

__________________

Pinski

Actually use of the OP is perfectly legal, provided you are using it strictly for testing purposes and on your own systems.

Did you know, that PoC's are actually perfectly legal as well, and in fact every security test users them in a legal capability, even though they can be used in an illegal manner? Oh, wait, what's that, PoC's are legal? No way!

Seriously, go look at security websites and look how many actually post links or actual PoC's on them, you'll find they all do it, soo yah.

__________________
How many times do you hear it? It goes on all day long
Everyone knows everything And no one's ever wrong
Until later...
Who can you believe? It's hard to play it safe
But apart from a few good friends We don't take anything on faith
Until later..

the_mo

he did not post a link to whereever but instead posted a simple PoC-code-sniplet, which someone with php+sql-knowledge could use to reproduce the bug

while i dont think its against any rules to do so, because its actually public knowledge and you can find the same information publically on multiple vulnerability databases... its still not a good idea to post this here, because there are some strange guys frequenting these forums (see nagafen-boards for details), who wouldnt receive RSS-updates or security newsletters to secure their stuff but instead use any information publically available here against someone else, who angered them

Flayedskin

Every quote I made went with the text I typed. I made 5 quotes, 4 in quotation comments. The first was quoting the post I was responding to. The second quote I did not break into a quote field was stating LFG's site policy. The third was making the quote that could have opened this thread in a way that did not violate the site rules. The fourth and fifth quotes are direct quotations from The Digital Millennium Copyright Act of 1998. Something LFG must abide by if he is a US citizen. In either case, since the server eq2flames runs on is in the UK he must abide by the UK laws as illustrated in the The Intellectual Property (Enforcement, etc.) Regulations 2006 (The Intellectual Property (Enforcement, etc.) Regulations 2006), the Copyright, Designs and Patents Act 1988, and the Copyright and Rights in Databases Regulations Act of 1997. There are also other UK laws involved but I won't go too much further into them since it will bore most on this forum.

Pinski

So every security vulnerability site violates the DMCA, thanks for your charming bit of information.

__________________
How many times do you hear it? It goes on all day long
Everyone knows everything And no one's ever wrong
Until later...
Who can you believe? It's hard to play it safe
But apart from a few good friends We don't take anything on faith
Until later..

Flayedskin

I post a link to a hacker site that has tools for security testing, and the tools are completely legal to use for testing of their own site. What this user did however was provide a link to a site which has the "Hack" to enter ANY eqdkp database's password protected sections and view password protected information. This is a violation of US and EU database copyright laws.

The is no difference between this and posting a link for manufacturing a bomb, drug or chemical (like ricin), if the intended us is for ILLEGAL ACTIVITIES.

Flayedskin

There is a difference between having a tool to test your password security and having a tool for gathering "hashes" for creating a better password hacking system. That is the ONLY use of this tool the OP posted....period.

Pinski

I can get those hashes without the tool if I have access to the database. The purpose of the tool can be said that it is there to test whether you are vulnerable, and how weak your user's passwords are. Which is perfectly valid to do so.

You must think that bittorrent violates the DMCA as well.

__________________
How many times do you hear it? It goes on all day long
Everyone knows everything And no one's ever wrong
Until later...
Who can you believe? It's hard to play it safe
But apart from a few good friends We don't take anything on faith
Until later..

gm9

The only problem is that the OP never posted any tool at all, he just posted a static php script that output a static text string in a serialized hexadecimal representation.

__________________