Re: [Full-disclosure] Ektron CMS TakeOver Part (2) - PayPal-Forward.com demonstration

: From: Mark Litchfield mark () securatary com
:
: As previously stated, I would post an update for Ektron CMS bypassing
: the security fix.
:
: A full step by step with the usual screen shots can be found at -
: http://www.securatary.com/vulnerabilities

Uh... you expect people to login to your site with their Facebook or Twitter credentials, to access these advisories?

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Ektron CMS TakeOver Part (2) - PayPal-Forward.com demonstration

: : From: Mark Litchfield mark () securatary com
: :
: : As previously stated, I would post an update for Ektron CMS bypassing
: : the security fix.
: :
: : A full step by step with the usual screen shots can be found at -
: : http://www.securatary.com/vulnerabilities
:
: Uh... you expect people to login to your site with their Facebook or Twitter
: credentials, to access these advisories?
:
: Errr no ?? Use the other option ?? And if you don't want to register, don't
: bother !!

Links from /vulnerabilities, directly from advisories off the Research page, and even "Follow us on Twitter" all drop back to a login page asking for authentication using either Facebook or Twitter. This is not the behavior of the site as of 48 hours ago.
Re: [Full-disclosure] Ektron CMS TakeOver Part (2) - PayPal-Forward.com demonstration

: This is not the behavior of the site as of 48 hours ago.
:
: Let me check. Normal registration should also be available ? In fact I
: will remove the registration.
:
: The purpose of this whole registration in the first place was to allow
: for future postings I am going to make later this week that would only
: be available to registered users. Not necessarily vulnerabilities, but
: useful stuff for pentesting. Also all registered users would be given
: a 48 hours head start on any new vulnerabilities that I post in the
: future.

Which is great, but I strongly recommend you allow a site-specific registration for such purposes. Giving up one of the two dominant social media accounts for it is excessive.
Re: [Full-disclosure] Ektron CMS TakeOver Part (2) - PayPal-Forward.com demonstration

On 2/4/2014 2:51 PM, security curmudgeon wrote:
: From: Mark Litchfield mark () securatary com
:
: As previously stated, I would post an update for Ektron CMS bypassing
: the security fix.
:
: A full step by step with the usual screen shots can be found at -
: http://www.securatary.com/vulnerabilities
:
: Uh... you expect people to login to your site with their Facebook or Twitter
: credentials, to access these advisories?

Errr no ?? Use the other option ?? And if you don't want to register, don't bother !!
Re: [Full-disclosure] Ektron CMS TakeOver Part (2) - PayPal-Forward.com demonstration

On 2/4/2014 3:01 PM, security curmudgeon wrote:
: : From: Mark Litchfield mark () securatary com
: :
: : As previously stated, I would post an update for Ektron CMS bypassing
: : the security fix.
: :
: : A full step by step with the usual screen shots can be found at -
: : http://www.securatary.com/vulnerabilities
:
: Uh... you expect people to login to your site with their Facebook or Twitter
: credentials, to access these advisories?
:
: Errr no ?? Use the other option ?? And if you don't want to register, don't
: bother !!
:
: Links from /vulnerabilities, directly from advisories off the Research page,
: and even "Follow us on Twitter" all drop back to a login page asking for
: authentication using either Facebook or Twitter. This is not the behavior of
: the site as of 48 hours ago.

Let me check. Normal registration should also be available ? In fact I will remove the registration.

The purpose of this whole registration in the first place was to allow for future postings I am going to make later this week that would only be available to registered users. Not necessarily vulnerabilities, but useful stuff for pentesting. Also all registered users would be given a 48 hours head start on any new vulnerabilities that I post in the future.

All the best

Mark
Re: [Full-disclosure] Ektron CMS TakeOver Part (2) - PayPal-Forward.com demonstration

s/with their Facebook or Twitter credentials//g

On Tue, Feb 4, 2014 at 10:51 PM, security curmudgeon jeri...@attrition.org wrote:
: From: Mark Litchfield mark () securatary com
:
: As previously stated, I would post an update for Ektron CMS bypassing
: the security fix.
:
: A full step by step with the usual screen shots can be found at -
: http://www.securatary.com/vulnerabilities
:
: Uh... you expect people to login to your site with their Facebook or Twitter
: credentials, to access these advisories?
[Full-disclosure] Ektron CMS TakeOver Part (2) - PayPal-Forward.com demonstration

As previously stated, I would post an update for Ektron CMS bypassing the security fix.

A full step by step with the usual screen shots can be found at -
http://www.securatary.com/vulnerabilities

In this example, we use www.paypal-forward.com as a demonstration site. I would like to say that PayPal fixed this issue with their own workaround extremely quickly. Excellent work by their security / dev team.

All the best

Mark Litchfield
www.securatary.com