Re: [Full-disclosure] Defense in depth -- the Microsoft way (part 9): erroneous documentation

2013-09-02 Thread Stefan Kanthak
I am truly shocked that seemingly, stuff like this needs to be said in the year of 2013. Completely right! I'd have supposed that things like these should be known by *anyone* doing anything even remotely similar to software development *at least* since the end of the 8.3 filename era 15

[Full-disclosure] list of vulnerabilities discovered by realpentesting

2013-09-02 Thread Pedro Guillen
Hi all! I'm one of the realpentesting members and although these vulnerabilities were published some months ago, now we can publicize them with these CVE identifiers. Also you can get more information about the vulnerabilities which we discovered in http://realpentesting.blogspot.com.es/p/advisories.html

[Full-disclosure] DotNetNuke (DNNArticle Module) SQL Injection Vulnerability

2013-09-02 Thread Sajjad Pourali
Title: DotNetNuke (DNNArticle Module) SQL Injection Vulnerability References: CVE-2013-5117 Discovered by: Sajjad Pourali Vendor http://www.zldnn.com/ , http://www.dnnarticle.com/ Vendor advisory: http://www.zldnn.com/Support/tabid/643/ctl/RecordList/mid/1691/ItemID/2979/Default.aspx (Ticket

[Full-disclosure] DotNetNuke (DNN) Cross-Site Scripting Vulnerability !!!!

2013-09-02 Thread Sajjad Pourali
Title: DotNetNuke (DNN) Cross-Site Scripting Vulnerability References: CVE-2013-4649 Discovered by: Sajjad Pourali , Nasser Salim Al-Hadhrami Vendor http://dnnsoftware.com/ Vendor advisory: http://www.dnnsoftware.com/Platform/Manage/Security-Bulletins (2013-07) Vendor contact: 2013-06-23 Vendor

Re: [Full-disclosure] list of vulnerabilities discovered by realpentesting

2013-09-02 Thread Źmicier Januszkiewicz
With all due respect, good sir... where's the root cause analysis? Proof-of-concept files? Anything? Windbg dump doesn't really count as a proof, you know, since anyone can fake it. 2013/9/2 Pedro Guillen pgn.pedroguil...@gmail.com Hi all! I'm one of the realpentesting members and although

[Full-disclosure] Mikrotik RouterOS 5.* and 6.* sshd remote preauth heap corruption

2013-09-02 Thread king cope
Hello lists, here you find the analysis of a vulnerability I recently discovered. Mikrotik RouterOS 5.* and 6.* sshd remote preauth heap corruption http://kingcope.wordpress.com/2013/09/02/mikrotik-routeros-5-and-6-sshd-remote-preauth-heap-corruption/ Additionally it includes a way to drop

[Full-disclosure] [SECURITY] [DSA 2749-1] asterisk security update

2013-09-02 Thread Moritz Muehlenhoff
Debian Security Advisory DSA-2749-1 secur...@debian.org http://www.debian.org/security/ Moritz Muehlenhoff September 02, 2013

[Full-disclosure] Permanent XSS and user enumeration on campus-party.eu

2013-09-02 Thread klondike
It's possible to do a permanent XSS injection on the campus-party.eu website. For this when you register in the website through https://www.campus-party.eu/webapp/participante/personalData?to= you need to put your code in the name field taking into account that it will be converted into caps when

[Full-disclosure] [ MDVSA-2013:224 ] libtiff

2013-09-02 Thread security
Mandriva Linux Security Advisory MDVSA-2013:224 http://www.mandriva.com/en/support/security/

[Full-disclosure] [ MDVSA-2013:225 ] libdigidoc

2013-09-02 Thread security
Mandriva Linux Security Advisory MDVSA-2013:225 http://www.mandriva.com/en/support/security/

[Full-disclosure] Remote Command Injection in fog-dragonfly-0.8.2 Ruby Gem

2013-09-02 Thread Larry W. Cashdollar
TITLE: Remote Command Injection in fog-dragonfly-0.8.2 Ruby Gem Credit: Larry W. Cashdollar, @_larry0 Date: 8/16/2013 CVE: 2013-5671 Download: https://rubygems.org/gems/fog-dragonfly Description: "Dragonfly is an on-the-fly Rack-based image handling framework. It is suitable for use with Rails, Sinatra