[VIM] Ioannis Pomonis aka dr_insane
Steven M. Christey
coley at linus.mitre.org
Tue Dec 13 01:29:24 EST 2005
An interesting thing that I noticed was that his site linked to RFPolicy,
but he doesn't have vendor disclosure timelines in his advisories and it's
hard to tell if he coordinated.
On Tue, 13 Dec 2005, security curmudgeon wrote:
> : Looks like dr_insane has changed homes from geocities or wherever he
> : was.
> : http://www.ipomonis.com/advisories.htm
> Yep, he contacted OSVDB about a few new issues. Some of them files were
> in a .tar format and once extracted appeared to contain no details. He
> has since fixed/verified they contain the data.
> Unfortunately, one of his issues (mdaemon) is really vague. The session
> ID weakness isn't clear if it can ONLY be used to log out a user, or for
> additional attacks such as reading their mail. By itself, guessing a 7
> character alphanumeric string just to log someone out of the system is a
> nuisance at best.
More information about the VIM