[Full-disclosure] nullcon Goa 2010 International Security & Hacking Conference

2010-01-12 Thread nullcon
Hi All, null is proud to announce the launch of its security & hacking conference nullcon Goa 2010 nullcon Goa 2010, India's first 'community' driven security & hacking conference will bring together Security Researchers, security professionals, vendors, CXOs, Law Enforcement agencies from all o

[Full-disclosure] Google Maps XSS (currently unpatched)

2010-01-12 Thread gaurav baruah
Google Maps XSS (currently unpatched) Discovered By - Pratul Agrawal (pratu...@gmail.com) Gaurav Baruah (baruah.gau...@gmail.com) PoC - http://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=%3Cscript%3Ealert(%22Google%20Sucks%20!%22)%3C/script%3E&vps=1&sll=28.613554,77.20906&sspn=0.00913

Re: [Full-disclosure] Google Maps XSS (currently unpatched)

2010-01-12 Thread Michael Lenz
Your PoC generates: " *Google* Sorry... We're sorry... ... but your computer or network may be sending automated queries. To protect our users, we can't process your request right now. See Google Help

Re: [Full-disclosure] Google Maps XSS (currently unpatched)

2010-01-12 Thread Juan Galiana
We're sorry.. but your computer or network may be sending automated queries. To protect our users, we can't process your request right now. :-/ On Tue, Jan 12, 2010 at 12:20 PM, gaurav baruah wrote: > Google Maps XSS (currently unpatched) > > Discovered By - > Pratul Agrawal (pratu...@gmail

Re: [Full-disclosure] Google Maps XSS (currently unpatched)

2010-01-12 Thread Christian Sciberras
I tried the PoC and it works as advertised, however due to the amount of requests to the same url, I suppose Google noticed something fishy... Regards, Chris. On Tue, Jan 12, 2010 at 1:58 PM, Michael Lenz wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > Your PoC generates: > > " > *

Re: [Full-disclosure] Google Maps XSS (currently unpatched)

2010-01-12 Thread NSO Research
Looks like a really quick fix from Google. Directly after I got the PoC it worked. Now it doesn't. On 12.01.2010 13:58, Michael Lenz wrote: > Your PoC generates: > > " > *Google* > Sorry... > > > We're sorry... > > ... but your computer or network may be sending automated queries. To

Re: [Full-disclosure] Google Maps XSS (currently unpatched)

2010-01-12 Thread Robin Sage
Google was quick on that one! It worked an hour and a half ago. - Robin From: gaurav baruah To: full-disclosure@lists.grok.org.uk Sent: Tue, January 12, 2010 6:20:32 AM Subject: [Full-disclosure] Google Maps XSS (currently unpatched) Google Maps XSS (currentl

Re: [Full-disclosure] Google Maps XSS (currently unpatched)

2010-01-12 Thread dramacrat
ah, Google... the only company in IT that can have an unpatched vulnerability released to the world and get good publicity out of it. Don't get me wrong, I'm not in the GoogleSucksAndIsEvil crowd... I have friends that work for them, and I like to see a company like them doing well. Still, I can

Re: [Full-disclosure] Google Maps XSS (currently unpatched)

2010-01-12 Thread McGhee, Eddie
Exact same here worked then came back from lunch and seems to be patched or filtering requests now. -Original Message- From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of NSO Research Sent: 12 January 2010 13:03 To: full-disclo

[Full-disclosure] CORELAN-10-003 - Udisk FTP Basic Edition Remote pre-auth DOS Advisory

2010-01-12 Thread Steven Seeley
Hello, Just advising of a vulnerability in U-Disk FTP server (Basic Edition). Please see attached advisory for details. Kind regards, mr_me

Re: [Full-disclosure] Google Maps XSS (currently unpatched)

2010-01-12 Thread zprian
I try the POC and I get a JavaScript alert with the text "Google Sucks" :P On Tue, Jan 12, 2010 at 2:02 PM, NSO Research wrote: > Looks like a really quick fix from google. > > directly after i got the PoC it worked. Now it doesn't > > > > Am 12.01.2010 13:58, schrieb Michael Lenz: > > Your PoC g

[Full-disclosure] BackTrack 4 Final Released

2010-01-12 Thread Mati Aharoni
The BackTrack Dev Team is happy to announce the release of BT4 Final. This is by far our best version yet, and signifies over a year of development work from the team and the community. In the first 12 hours of the release, we've had over 10,000 downloads, 2 server crashes, and one of the larges

Re: [Full-disclosure] XSS vulnerabilities in 34 millions flash files

2010-01-12 Thread Marko Jakovljevic
Firefox automatically filters unsafe XSS and there are reports this doesn't work in Google Chrome? From what I understand the implications of this vuln are purely social, no maliciousness possible? On Tue, Jan 12, 2010 at 1:44 AM, Jeff Williams wrote: > Yo MustDie, > > Post your shit here: > htt

Re: [Full-disclosure] XSS vulnerabilities in 34 millions flash files

2010-01-12 Thread Valdis . Kletnieks
On Tue, 12 Jan 2010 18:56:53 +0200, Marko Jakovljevic said: > Firefox automatically filters unsafe XSS I wasn't aware that Firefox was able to look inside Flash files and flag the embedded Javascript for unsafe XSS. When did they add *that* feature?

Re: [Full-disclosure] MacOS X 10.5/10.6 libc/strtod(3) buffer overflow

2010-01-12 Thread Joshua Levitsky
On Mon, Jan 11, 2010 at 12:26 PM, Maksymilian Arciemowicz < c...@securityreason.com> wrote: > Could you check perl PoC ? > It should overwrite esi and edi register > > esi=0x41414141 > edi=15 > > The perl PoC worked on 10.4.11 fully patched. http://securityreason.com/achievement_securityalert/63

[Full-disclosure] 133-54D Re: MacOS X 10.5/10.6 libc/strtod(3) buffer overflow

2010-01-12 Thread Joshua Levitsky
On Tue, Jan 12, 2010 at 12:54 PM, Joshua Levitsky wrote: > On Mon, Jan 11, 2010 at 12:26 PM, Maksymilian Arciemowicz < > c...@securityreason.com> wrote: > >> > > Could you check perl PoC ? >> It should overwrite esi and edi register >> >> esi=0x41414141 >> edi=15 >> >> > The perl PoC worked on 10.

[Full-disclosure] [ MDVSA-2010:003 ] sendmail

2010-01-12 Thread security
Mandriva Linux Security Advisory MDVSA-2010:003 http://www.mandriva.com/security/

[Full-disclosure] [CORELAN-10-004] TurboFTP Server 1.00.712 remote DoS

2010-01-12 Thread Security

Re: [Full-disclosure] XSS vulnerabilities in 34 millions flash files

2010-01-12 Thread Michele Orru
@Jeff Of course they like XSS: the DB maintained by muts et al. is the "prosecution" of milw0rm, since str0ke gives up to maintain it. I remember that str0ke didn't allow to publish advisories ONLY RELATED to xss (especially reflected ones, as they are so common), but by the way I think is OK to

[Full-disclosure] [USN-881-1] Kerberos vulnerability

2010-01-12 Thread Kees Cook
=== Ubuntu Security Notice USN-881-1 January 12, 2010 krb5 vulnerability CVE-2009-4212 === A security issue affects the following Ubuntu releases: Ubuntu 6.06 LTS Ubuntu 8.04

[Full-disclosure] [RE:] XSS vulnerabilities in 34 millions flash files

2010-01-12 Thread sunjester
And still nobody cares, it's sad. -- Founder/Activist http://fusecurity.com/ | "Free Security Technology" ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://sec

Re: [Full-disclosure] Google Maps XSS (currently unpatched)

2010-01-12 Thread sunjester
I agree with Google's "if you have to hide yourself, you're doing something we don't care for" approach. They obviously care about security if this was found and patched in less than a day. Google PWNS all again. -- Founder/Activist http://fusecurity.com/ | "Free Security Technology"

[Full-disclosure] ZDI-10-002: Oracle Secure Backup observiced.exe Remote Code Execution Vulnerability

2010-01-12 Thread ZDI Disclosures
ZDI-10-002: Oracle Secure Backup observiced.exe Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-10-002 January 12, 2010 -- CVE ID: CVE-2010-0072 -- Affected Vendors: Oracle -- Affected Products: Oracle Secure Backup -- Vulnerability Details: This vulnerabili

Re: [Full-disclosure] Google Maps XSS (currently unpatched)

2010-01-12 Thread Valdis . Kletnieks
On Tue, 12 Jan 2010 14:45:30 PST, sunjester said: > I agree with google's "if you have to hide yourself, you're doing something we > don't care for" approach. They obviously care about security if this was > found and patched in less than a day. Google PWNS all again. You're confusing "security" an

Re: [Full-disclosure] Google Maps XSS (currently unpatched)

2010-01-12 Thread sunjester
No, I am not confusing the two. People want to separate them but fail to notice they are both one and the same when you are "surfing the web". Being secluded from danger (behind a firewall) or being hidden from the view of others (behind a firewall) sounds too similar for me to separate the two. Your se

Re: [Full-disclosure] Google Maps XSS (currently unpatched)

2010-01-12 Thread Guy
On Tue, Jan 12, 2010 at 6:23 PM, sunjester wrote: > No I am not confusing the two. People want to separate them but fail to > notice they are both one and the same when you are "surfing the web". Being > secluded from danger (behind a firewall) or being hidden from the view of > others (behind a firew

[Full-disclosure] iDefense Security Advisory 01.12.10: Adobe Reader and Acrobat JpxDecode Memory Corruption Vulnerability

2010-01-12 Thread iDefense Labs
iDefense Security Advisory 01.12.10 http://labs.idefense.com/intelligence/vulnerabilities/ Jan 12, 2010 I. BACKGROUND Adobe Reader and Acrobat are Portable Document Format (PDF) reader and processors. For more information, please visit following pages: http://www.adobe.com/products/reader/ http: