Re: [Full-disclosure] Php gif upload thumbnail creation remote exploit

2011-06-20 Thread HI-TECH .
Moritz, I understand your point here. I posted the description of the technique, because it is a threat actually. You describe that if the appropriate defensive configuration is in place the technique won't work. But this can be applied everywhere, it's like saying when you want to defend against

[Full-disclosure] New vulnerabilities in Adobe ColdFusion

2011-06-20 Thread MustLive
Hello list! I want to warn you about new security vulnerabilities in Adobe ColdFusion (to previous SQL DB Structure Extraction, Full path disclosure and Cross-Site Scripting). These are Brute Force and Abuse of Functionality vulnerabilities. - Affected products:

[Full-disclosure] Bitcoin fun day!

2011-06-20 Thread Doug Huff
In light of recent events in the bitcoin community I have decided that private disclosure of issues is doing nothing but making them more prevalent. In light of this decision I would like to report multiple CSRF vulnerabilities in http://clearcoin.appspot.com . This set of CSRFs is

Re: [Full-disclosure] Bitcoin fun day!

2011-06-20 Thread Doug Huff
Message bounced due to lack of subscription the first time. Resending. Site has already been pulled as this was simultaneously sent to the bitcoin development list. On Jun 19, 2011, at 4:54 PM, Doug Huff wrote: In light of recent events in the bitcoin community I have decided that private

Re: [Full-disclosure] [Bitcoin-development] Bitcoin fun day!

2011-06-20 Thread Gavin Andresen
Some of us take private disclosures of vulnerabilities very seriously. In any case, the ClearCoin CSRF vulnerability is fixed. Thank you for bringing it to my attention. On Sun, Jun 19, 2011 at 5:54 PM, Doug Huff dh...@jrbobdobbs.org wrote: In light of this decision I would like to report

Re: [Full-disclosure] [Bitcoin-development] Bitcoin fun day!

2011-06-20 Thread Douglas Huff
I know. Please do not take this as a personal attack. Blame MagicalTux's irresponsible behaviour as of late. :( On Jun 19, 2011 5:34 PM, Gavin Andresen gavinandre...@gmail.com wrote: Some of us take private disclosures of vulnerabilities very seriously. In any case, the ClearCoin CSRF

Re: [Full-disclosure] ZDI-11-208: Adobe Shockwave rcsL Parsing Remote Code Execution Vulnerability

2011-06-20 Thread Mikhail A. Utin
I see numerous announcements from ZDI pointing to June 14th updates. Is that what the big guys MS and Adobe missed in last week's updates? If NO, then we need to stop ZDI from polluting our list with last year's news. Anyway, I see repetitive announcements pretty often. Thank you Mikhail A. Utin,

[Full-disclosure] [SECURITY] [DSA 2265-1] perl security update

2011-06-20 Thread Florian Weimer
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Debian Security Advisory DSA-2265-1 secur...@debian.org http://www.debian.org/security/ Florian Weimer June 20, 2011

[Full-disclosure] CSRF and XSS vulnerabilities in ADSL modem Callisto 821+

2011-06-20 Thread MustLive
Hello list! I want to warn you about new security vulnerabilities in ADSL modem Callisto 821+ (SI2000 Callisto821+ Router). These are Cross-Site Request Forgery and Cross-Site Scripting vulnerabilities. In April I had already drawn the attention of Ukrtelecom's representative (and this modem was bough

[Full-disclosure] INSECT Pro - Advisory 2011 0620 - Zero Day - XSS Persistent in EA Sports

2011-06-20 Thread Juan Sacco
Information Name : XSS Persistent in EA Sports Software : EA Sports Main site Vendor Homepage : http://www.ea.com Vulnerability Type : XSS Persistent Severity : Very High Researcher : Juan Sacco jsacco [at] insecurityresearch [dot] com Description --