Fixes for Siemens S7 1500 PLC are published.
Thanks to Yury Goltsev https://twitter.com/ygoltsev, Ilya Karpov, Alexey
Osipov https://twitter.com/GiftsUngiven, Dmitry
Serebryannikov https://twitter.com/dsrbr and Alex
Timorin https://twitter.com/atimorin.
There are a lot of, but Authentication bypass
Kaspersky has released updated for first PoC presented here
http://www.youtube.com/watch?v=joa_9IS7U90 (
http://seclists.org/fulldisclosure/2014/Mar/166)
but there are still many combinations of evil patterns. For example next
PoC2 is available here
https://www.youtube.com/watch?v=9PYtL0zck3I
http://thehackernews.com/2014/03/watch-out-scammers-targeting-google.html
2014-03-17 20:44 GMT+01:00 The Doctor dr...@virtadpt.net:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
On 03/15/2014 02:52 PM, Stefan Jon Silverman wrote:
Running ... out ... of ... popcorn -- must .. resupply
What is USSD?
USSD stands for Unstructured Supplementary Service Data and it's mostly used to
make requests to a mobile operator. If you want to check how much money you
have on your mobile sim card you can use a USSD Command for that. Entering for
example *#100# to the vodafone network, you
Hi
When Len and I created the Full-Disclosure list way back in July 2002,
we knew that we'd have our fair share of legal troubles along the way.
We were right. To date we've had all sorts of requests to delete
things, requests not to delete things, and a variety of legal threats
both valid
Emergency patch for ShadowIRCd versions 6.3+ and Elemental-IRCd 6.5+
A vulnerability has been discovered in Elemental-IRCd/ShadowIRCd all the
way back to version 6.3. If a client does a SASL authentication before the
server is ready for it, a race condition will be met and the ircd will
segfault
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
On 03/15/2014 02:52 PM, Stefan Jon Silverman wrote:
Running ... out ... of ... popcorn -- must .. resupply ...
While this inspiring and amusing thread has been going on, what
happened that we missed because we were too busy watching the fur fly?
Hi,
We are running CEbot, a tool that lets you reverse hexcode from your own
Twitter!
How? Do this in 2 easy steps:
- Tweet your hex string with either hashtag #2ce (read as:
To-Capstone-Engine), or #cebot.
- Wait 1~2 seconds, the assembly code will be sent back, also via Twitter.
Be sure to
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
- cut here
***
CALL FOR PRESENTATIONS
***
LACSEC 2014
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
=== Details ===
Advisory: http://www.quantumleap.it/vlc-reflected-xss-vulnerability/
Affected Product: VLC
Version: 2.1.3 (older versions may be affected too)
=== Executive Summary ===
Using a specially crafted HTTP request, it is possible to
Cloud SSO is vuln to unauthed XSS in the authentication audit form:
https://twitter.com/BrandonPrry/status/445969380656943104
McAfee Asset Manager v6.6 multiple vulnerabilities
http://www.mcafee.com/us/products/asset-manager.aspx
* Kristian Erik Hermansen:
Anyone have security contact at Bank of the West?
Is this an issue with their online banking? Then here's a hint:
/**
**
* Copyright ©2005 Corillian
On Mon, Mar 17, 2014 at 12:37 PM, Jeffrey Walton noloa...@gmail.com wrote:
On Mon, Mar 17, 2014 at 12:15 PM, Kristian Erik Hermansen
kristian.herman...@gmail.com wrote:
Just wanted to post a follow-up to this and provide some context to
make it known:
* Bank of the West was contacted in 2011
On 16 Mar 2014 23:36, T Imbrahim timbra...@techemail.com wrote:
The thread read Google vulnerabilities with PoC. From my understanding
it was a RFI vulnerability on YouTube, and I voiced my support that this
is a vulnerability.
I also explained a JSON Hijacking case as a follow up, and you
==Advisory: GNUboard SQL Injection Vulnerability
Author: claepo.w...@dbappsecurity.com.cn
Affected Version: GNUboard5 (the latest version)
Vendor URL: http://sir.co.kr/
Vendor Status: Unfixed (I know little about Korean, so I do not know how to describe this vul to the
Please stop changing hats, it's embarrassing.
On Sat, Mar 15, 2014 at 7:36 PM, T Imbrahim timbra...@techemail.com wrote:
Is this treated with the same way that says that Remote File Inclusion is
not a security issue ?
You don't follow? Implying ?
I understand why nobody likes Google. If I
ROFL
[image: Inline image 1]
On Mon, Mar 17, 2014 at 11:07 AM, T Imbrahim timbra...@techemail.com wrote:
What drugs are you on Pedro Ribeiro I wonder ...?
I express my views, if you don't like don't watch them. Your responses so
far have only been assy speculations so don't tell me I'm wrong
What drugs are you on Pedro Ribeiro I wonder...? I express my views, if you don't like don't watch them. Your responses so far have only been assy speculations so don't tell me I'm wrong, and please don't say thing like that. I don't know who the other people is, but what is true in security I support.
Ooh goodie, where and what happened to N3td3v, he used to crack me up :D :D
On 3/17/14, Mario Vilas mvi...@gmail.com wrote:
ROFL
[image: Inline image 1]
On Mon, Mar 17, 2014 at 11:07 AM, T Imbrahim
timbra...@techemail.com wrote:
What drugs are you on Pedro Ribeiro I wonder ...?
I
Hi,
The only probable way of exploiting it I can see would be if the servers
at Google where the files are uploaded would perform some specific tasks
with such files that could result in exploiting a vulnerability in any
of the used software (and this is something the discoverer failed to
probe).
Hey,
At least to me I am security paranoid. Remote File Inclusion of files to a
trusted network, seems like a well backed up vulnerability. I think we are
talking about Google here not your favourite's pizza website. I personally
congratulate to the author for finding it, whether probing it or
Especially considering that all three use Tor to post on the list. I wonder why.
Other header/content details can be interesting as well...
2014-03-17 10:24 GMT+01:00 Pedro Ribeiro ped...@gmail.com:
On 16 Mar 2014 23:36, T Imbrahim timbra...@techemail.com wrote:
The thread read Google
On Mon, Mar 17, 2014 at 2:25 PM, T Imbrahim timbra...@techemail.com wrote:
I definitely would patch my computer if I discovered that somebody could
upload files to my computer, even thought if couldn't 'probe' them.
1) I don't think you understood the meaning of the word probe in this
Few hr Left to Start Webcast.
Data, data, data! I can't make bricks without clay
Thank you member of Mailing List for registering for
Garage4hacker's http://www.garage4hackers.com/showthread.php?t=5875p=13159 Ranchoddas
Series. Below are details for the online presentation.
*Speaker*: Gynvael
On 17 Mar 2014 13:39, Źmicier Januszkiewicz ga...@tut.by wrote:
Especially considering that all three use Tor to post on the list. I
wonder why.
Other header/content details can be interesting as well...
Good catch, I didn't even remember checking the headers.
Have a look at the comments
Let's try some scenarios and if those can be pulled out then I'd say it's
safe to assume this is an issue:
1. Upload a webshell (in a war, php, asp[x], jsp or similar file) and have
it executed by YouTube;
2. Upload a malicious file (pdf, swf, jar or similar file which exploits a
known or unknown
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
___
Mandriva Linux Security Advisory MDVSA-2014:062
http://www.mandriva.com/en/support/security/
On Mon, Mar 17, 2014 at 3:11 PM, Ulisses Montenegro
ulisses.montene...@gmail.com wrote:
Should YouTube restrict file uploads to known valid mime types? Sure, but
that's only how you got the data in there to begin with. It's what happens
after the data is in that will make all the difference.
Hello all,
There is less than 1 hour now remaining for the start of the webinar.
Catch it at http://www.garage4hackers.com/pages.php?pageid=4
QA will be handled through:
1. IRC at #g4h on freenode
2. @garage4hackers on twitter
3. mail to sand...@garage4hackers.com
On Fri, Mar 7, 2014 at 5:35
Just wanted to post a follow-up to this and provide some context to
make it known:
* Bank of the West was contacted in 2011 to report a security issue
* No response for 2 years
* In late 2013, I receive a breach notification saying my own
sensitive personal information was compromised via the
On Mon, Mar 17, 2014 at 12:15 PM, Kristian Erik Hermansen
kristian.herman...@gmail.com wrote:
Just wanted to post a follow-up to this and provide some context to
make it known:
* Bank of the West was contacted in 2011 to report a security issue
* No response for 2 years
* In late 2013, I
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
___
Mandriva Linux Security Advisory MDVSA-2014:063
http://www.mandriva.com/en/support/security/
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
___
Mandriva Linux Security Advisory MDVSA-2014:064
http://www.mandriva.com/en/support/security/
Dear All, There has been an issue with hangout service as the Google
servers. Hence use below given link to join the webinar. Apologies for the
inconvenience and delay.
We have changed webcast link.
please join us : http://www.twitch.tv/gyndream/
On Fri, Mar 7, 2014 at 5:35 PM, Sandeep Kamble
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
- -
Debian Security Advisory DSA-2880-1 secur...@debian.org
http://www.debian.org/security/ Moritz Muehlenhoff
March 17, 2014
The CVE-2013-5956 has been assigned for this vulnerability.
Best Regards.
On Saturday, March 15, 2014 2:07 PM, Mahmoud Ghorbanzadeh md...@yahoo.com
wrote:
Hello,
Cross-site
scripting (XSS) vulnerability in the Youtube Gallery 3.4.0 component for
Joomla! allows remote attackers to inject
#!/opt/perl5/bin/perl -w
# HP-UX rlpdaemon local exploit
# Bulletin HPSBUX0111-176 (November 2001)
#
# For use only on machines where you have legitimate root.
# This attempts to add junk (including localhost +) to /.rhosts.
# Obvious variants could include /etc/passwd.
use IO::Socket;
$PORT =
Some of the replies in this thread are very unfair to the original poster.
I have read the news story and have thoroughly read the proof of concepts which
in my opinion indicate that this is surely a security vulnerability. I have
worked for Lumension as a security consultant for more than
Gynvael Coldwind,
What Alfred has reiterated is that this is a security vulnerability
irrelevantly of whether it qualifies for credit.
It is an unusual one, but still a security vulnerability. Anyone who says
otherwise is blind, has little or no experience in hands on security, or either
Hello... I am an IT security expert for the Emirates National Oil Company. Google is my favourite search engine by far. Now I just read the report about the unrestricted upload issue and I think that the author is right that it is a security problem. This is a vulnerability because file name
I signed onto this mailing list as an interested person in security - not to
see everyone moan. We will all have differences in opinion and we should all
respect that. This goes for everyone and I feel I speak for a lot of people
here, everyone needs to grow up, and shut up.
Email scanned
Hello,
I am a security professional and risk manager in UAE. I support that the remote
file upload on YouTube is a vulnerability, and I am sure about this. Not the
slightest doubts...
There is a difference between a vulnerability and an exploit. The vulnerability
here is the lack of any file
Is this treated with the same way that says that Remote File Inclusion is not a
security issue ?
You don't follow? Implying ?
I understand why nobody likes Google. If I've found a vulnerability and been
treated like that for trying to help, I would rather sell it to the black
market or to
The thread read Google vulnerabilities with PoC. From my understanding it was
a RFI vulnerability on YouTube, and I voiced my support that this is a
vulnerability.
I also explained a JSON Hijacking case as a follow up, and you said you didn't
follow. So I am just saying that treating
LOL. boy oh boy you would have HATED the N3td3v years then...
I'm sure your delete key works doesn't it?
From: Full-Disclosure [mailto:full-disclosure-boun...@lists.grok.org.uk] On
Behalf Of Thomas Williams
Sent: Saturday, March 15, 2014 10:44 AM
To: Mario Vilas
Cc:
You are so incompetent.. If you want proof why don't you do it yourself?
https://www.youtube.com/watch?v=G4EkgJtjDvU - Here is proof that the file
is saved and processed. If you want to question it come up with your real
name, stop hiding behind fake emails. Are you a Google employee? What's
# App : Trixbox all versions
# vendor : trixbox.com
# Author : i-Hmx
# mail : n0p1...@gmail.com
# Home : security arrays inc , sec4ever.com ,exploit4arab.net
Well well well , we decided to give schmoozecom a break and have a look @
fonality products
do you think they have better product than the
The thread starter is right about this. It is a vulnerability, and I think
Google should start considering this.
The JSON service responds to GET requests , and there is a good chance that the
service is also vulnerable to JSON Hijacking attacks.
As a professional penetration tester , I
I'm just a lurker on the list, which I have always found valuable.
But for what it's worth, this thread is an awful bore. Who cares
about people's credentials?
I'm not asking for administrative intervention, which I hate, but
rather that the various entrants in the pissing contest empty
Same here... It's like a train wreck, you know you shouldn't watch but it's
just so damned entertaining at this point that I can't stop...
Sent from my iPhone
On Mar 14, 2014, at 2:46 PM, Yvan Janssens i...@yvanj.me wrote:
Does anybody still have some popcorn left?
They ran out of it
It's amazing how much dumber I feel for having read your drivel.
Please for the love of $diety stop posting to this list.
--
W. Scott Lockwood III
AMST Tech (SPI)
GWB2009033817
http://www.shadowplayinternational.org/
There are four boxes to be used in defense of liberty: soap, ballot,
jury, and
Omg please for the love of all things human STFU!!!
Sent from my iPhone
On Mar 15, 2014, at 12:43 AM, Nicholas Lemonias.
lem.niko...@googlemail.com wrote:
If you wish to talk seriously about the problem, please send me an email
privately. And we can talk about what we have found so far,
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
On 03/15/2014 02:26, Nicholas Lemonias. wrote:
https://www.youtube.com/watch?v=G4EkgJtjDvU - Here is proof that
the file is saved and processed.
disclaimer
Compared to probably most of the folks on this list, I have absolutely
no idea what I'm
For the n00b guy in the room, Great post Chris!
Thanks for spelling it out clearly.
Message: 6
Date: Fri, 14 Mar 2014 16:00:02 -0400
From: Chris Thompson christhom7...@gmail.com
To: lem.niko...@googlemail.com, full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Fwd: Google
Just curious; what universities have hired you as a lecturer?
On Sat, Mar 15, 2014 at 1:09 AM, Nicholas Lemonias.
lem.niko...@googlemail.com wrote:
You are too vague. Please keep this to a level.
Thank you.
*Best Regards,*
*Nicholas Lemonias*
*Advanced Information Security
Btw, not sure if someone already mentioned it, but you are really
reaching the level
of MustLive. That's actually a big achievement. Congratz.
I'm not sure if you got what lcamtuf is saying (I'm impressed he still
takes time to reply to you),
apparently not. You're still trying to convince us
I have been watching this thread for a while and I think some people are being
hostile here.
There is nothing to gain being on eithers side but for the sake of security. As
a penetration tester, writer, and malware analyst with a long and rewarding
career...it would be absurd to admit that
On Sat, Mar 15, 2014 at 5:43 AM, Nicholas Lemonias.
lem.niko...@googlemail.com wrote:
People who do not have the facts have been, trying to attack the arguer,
on the basis of their personal beliefs.
Wow. I seriously can't tell if you're trolling or unbelievably narcissistic.
Your work has
That is not what this email says. You can't reply correct to criticism
and pretend it's praise.
On Sat, Mar 15, 2014 at 6:11 AM, Nicholas Lemonias.
lem.niko...@googlemail.com wrote:
Correct.
The mime type can be circumvented. We can confirm this to be a valid
vulnerability.
For the PoC's
I believe Zalewski has explained very well why it isn't a vulnerability,
and you couldn't possibly be calling him hostile. :)
On Sat, Mar 15, 2014 at 11:20 AM, M Kirschbaum pr...@yahoo.co.uk wrote:
I have been watching this thread for a while and I think some people are
being hostile here.
On top of that, Google spent millions of dollars to buy Chrome exploits,
sandbox bypasses
and webapp bugs. So, if this was a REAL bug with some REAL security
impact, I don't think Google wouldn't have paid.
They have a REAL budget for that, they are not like Yahoo that sends you
a t-shirt.
The
Hello,
Multiple
cross-site request forgery (CSRF) vulnerabilities in OpenX 2.8.11 and earlier
allows remote attackers to hijack the authentication of
administrators for requests that delete (1) users, (2) advertisers, (3) banners,
(4) campaigns, (5) channels, (6) websites or (7) zones via
Some of the replies in this thread are very unfair to the original poster. I have read the news story and have thoroughly read the proof of concepts which in my opinion indicate that this is surely a security vulnerability. I have worked for Lumension as a security consultant for more than a
Dear Mario,
There is nothing to gain being on either side. I have already read the thread
replies by M. Zalewski. I believe Google is false and does not honor the
security community.
Rgds,
M. Kirschbaum
On Saturday, 15 March 2014, 11:11, Mario Vilas mvi...@gmail.com wrote:
I
I. VULNERABILITY
-
Reflected XSS Attacks XSS vulnerabilities in Webmin 1.670
II. BACKGROUND
-
Webmin is a web-based interface for system administration for Unix.
Using any modern web browser, you can setup user accounts, Apache,
DNS, file
Hey,
I think the discussion digressed a little from the topic. Let's try to
steer it back on it.
What would make this a security vulnerability is one of the three standard
outcomes:
- information leak - i.e. leaking sensitive information that you normally
do not have access to
- remote code
Thank you. :)
On Sat, Mar 15, 2014 at 1:45 PM, Gynvael Coldwind gynv...@coldwind.pl wrote:
Hey,
I think the discussion digressed a little from the topic. Let's try to
steer it back on it.
What would make this a security vulnerability is one of the three standard
outcomes:
- information
Sockpuppet much?
On Sat, Mar 15, 2014 at 2:35 PM, M Kirschbaum pr...@yahoo.co.uk wrote:
Gynvael Coldwind,
What Alfred has reiterated is that this is a security vulnerability
irrelevantly of whether it qualifies for credit.
It is an unusual one, but still a security vulnerability. Anyone
You must be new.
On Sat, Mar 15, 2014 at 3:43 PM, Thomas Williams tho...@trwilliams.me.uk wrote:
I signed onto this mailing list as an interested person in security - not
to see everyone moan. We will all have differences in opinion and we should
all respect that. This goes for everyone and I
As a professional penetration tester, [...]
The JSON service responds to GET requests , and there is a good chance that
the service is also vulnerable to JSON Hijacking attacks.
That's... not how XSSI works.
To have a script inclusion vulnerability, you need to have a vanilla
GET response
A hacker exploits a JSON (javascript) object that has information of interest
for example holding some values for cookies. A lot of times that exploits the
same policy origin. The JSON object returned from a server can be forged over
writing javascript function that create the object. This
Is this treated with the same way that says that Remote File Inclusion is not
a security issue ?
I'm not sure how RFI came into play on this thread - the original
report wasn't about RFI.
I don't have an agenda here; I'm just trying to get to the bottom of
it and make sure that we converge on
The thread read Google vulnerabilities with PoC. From my understanding it
was a RFI vulnerability on YouTube, and I voiced my support that this is a
vulnerability.
I don't think this is accurate, at least based on the standard
definition of RFI: a server-side scripting language - usually
Is it possible with the help of Godwin's law
this discussion moves offlist?
--
guninski
On Thu, Mar 13, 2014 at 10:43:50AM +, Nicholas Lemonias. wrote:
Google vulnerabilities uncovered...
How the hell did you ever think Google will honor this? By now they
could be fixing this issue, they hell don't care about you.
On 3/15/14, Georgi Guninski gunin...@guninski.com wrote:
Is it possible with the help of Godwin's law
this discussion moves offlist?
--
guninski
On Thu, Mar 13,
Title: Message
Running ... out ... of ... popcorn --
must .. resupply ...
Regards,
Stefan
Webcast Reminder
Data, data, data! I can't make bricks without clay
Thanks for registering for
Garage4hacker's http://garage4hackers.us3.list-manage.com/track/click?u=3bbddc138252bc94f75024ab7id=8f7c43f38fe=672cdb4173 Ranchoddas
Series. Below are details for the online presentation.
*Speaker*:
Hi
I concur that we are mainly discussing a terminology problem.
In the context of a Penetration Test or WAPT, this is a Finding.
Reporting this finding makes sense in this context.
As a professional, you would have to explain if/how this finding is a
Weakness*, a Violation (/Regulations,
Zakewski,
Thank you for your e-mail. I welcome all opinions, that are backed up by
evidences.
I am not just a security researcher, I am also an academic in the field and
lecturer.
All right :-) Thank you for the overview of CIA triad. I don't think
there's a good probability that our
On Thu, Mar 13, 2014 at 10:30 PM, Nicholas Lemonias.
lem.niko...@googlemail.com wrote:
We confirm this to be a valid vulnerability for the following reasons.
The access control subsystem is defeated, resulting to arbitrary write
access of any file of choice.
1. You Tube defines which file
==Advisory: GNUboard SQL Injection Vulnerability
Author: claepo.w...@dbappsecurity.com.cn
Affected Version: GNUboard5(the latest version)
Vendor URL: http://sir.co.kr/
Vendor Status: Unfixed (I know little about Korean, so I do not know how to describe this vul to the
MacOSX Safari Firefox Kaspersky RegExp Remote/Local Denial of Service
http://cxsecurity.com/
0. Where is the problem?
Some time ago I have reported vulnerabilities in regcomp() in BSD
implementation (CVE-2011-3336) and GNU libc implementation (CVE-2010-4051
CVE-2010-4052).
Now is the
Look, you keep calling it a vulnerability with 0 evidence that it's even
exploitable. Until you can prove otherwise this is like speculating the
potential security repercussions of uploading files to EC2 (Which would
probably have potential to be much more severe than what you're discussing
here
We confirm this to be a valid vulnerability for the following reasons.
The access control subsystem is defeated, resulting to arbitrary write
access of any file of choice.
1. You Tube defines which file types are permitted to be uploaded.
2. Exploitation is achieved by circumvention of
Here's my evidence.
Live Proof Of Concept
==
http://upload.youtube.com/?authuser=0upload_id=AEnB2UqVZlaog3GremriQEGDoUK3cdGGPu9MVIfyObgYajjo6i1--uQicn6jhbwsdNrqSF4ApbUbhCcwzdwe4xf_XTbL_t5-aworigin=CiNodHRwOi8vd3d3LnlvdXR1YmUuY29tL3VwbG9hZC9ydXBpbxINdmlkZW8tdXBsb2Fkcw
Zakewski,
Thank you for your e-mail. I welcome all opinions, that are backed up by
evidences.
I am not just a security researcher, I am also an academic in the field and
lecturer.
However, from an academic perspective, when it comes to certain
security designs the mere existence of unvalidated
Hi Jerome,
Thank you for agreeing on access control, and separation of duties.
However successful exploitation permits arbitrary write() of any file of
choice.
I could release an exploit code in C Sharp or Python that permits multiple
file uploads of any file/types, if the Google security team
Thanks Michal,
We are just trying to improve Google's security and contribute to the
research community after all. If you are still on EFNet give me a shout
some time.
We have done so and consulted to hundreds of clients including Microsoft,
Nokia, Adobe and some of the world's biggest
Are you a Google employee...I wonder?
There is nothing else to be said regarding this. Our research for remote
code execution continues and will let you and Google know once that is
confirmed; through the coordinated security program.
And please OWASP, is recognised worldwide.
Best Regards,
# App : Trixbox all versions
# vendor : trixbox.com
# Author : i-Hmx
# mail : n0p1...@gmail.com
# Home : security arrays inc , sec4ever.com ,exploit4arab.net
Well well well , we decided to give schmoozecom a break and have a look @
fonality products
do you think they have better product than the
You're still missing the attack vector (and the point of the discussion
too, but that's painfully obvious).
On Fri, Mar 14, 2014 at 4:21 AM, Nicholas Lemonias.
lem.niko...@googlemail.com wrote:
Here's my evidence.
Live Proof Of Concept
==
On 13 Mar 2014 14:30, Nicholas Lemonias. lem.niko...@googlemail.com
wrote:
I suggest you to read on Content Delivery Network Architectures .
YouTube.com populates and distributes stored files to multiple servers
through a CDN (Content Delivery Architecture), where each video uses more
than
But do you have all the required EH certifications? Try this one from the
Institute for
Certified Application Security Specialists: http://www.asscert.com/
On Fri, Mar 14, 2014 at 7:41 AM, Nicholas Lemonias.
lem.niko...@googlemail.com wrote:
Thanks Michal,
We are just trying to improve
We are on a different level perhaps. We do certainly disagree on those
points.
I wouldn't hire you as a consultant, if you can't tell if that is a valid
vulnerability..
Best Regards,
Nicholas Lemonias.
On Fri, Mar 14, 2014 at 10:10 AM, Mario Vilas mvi...@gmail.com wrote:
But do you have all
Nicholas Lemonias. wrote:
Hi Jerome,
Thank you for agreeing on access control, and separation of duties.
However successful exploitation permits arbitrary write() of any file of
choice.
I could release an exploit code in C Sharp or Python that permits multiple
file uploads of any
Jerome of Mcafee has made a very valid point on revisiting separation of
duties in this security instance.
Happy to see more professionals with some skills. Some others have also
mentioned the feasibility for Denial of Service attacks. Remote code
execution by Social Engineering is also a
Live Proof Of Concept
==
http://upload.youtube.com/?authuser=0upload_id=
AEnB2UqVZlaog3GremriQEGDoUK3cdGGPu9MVIfyObgYajjo6i1--
uQicn6jhbwsdNrqSF4ApbUbhCcwzdwe4xf_XTbL_t5-aworigin=
CiNodHRwOi8vd3d3LnlvdXR1YmUuY29tL3VwbG9hZC9ydXBpbxINdmlkZW8tdXBsb2Fkcw
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
___
Mandriva Linux Security Advisory MDVSA-2014:059
http://www.mandriva.com/en/support/security/
Dear Nicholas Lemonias,
I don't use to get in these scrapy discussions, but yeah you are in a
completely different level if you compare yourself with Mario.
You are definitely a Web app/metasploit-user guy and pick up a discussion with
a binary and memory corruption ninja exploit writer like
Go to sleep.
-- Forwarded message --
From: Nicholas Lemonias. lem.niko...@googlemail.com
Date: Fri, Mar 14, 2014 at 2:16 PM
Subject: Re: [Full-disclosure] Google vulnerabilities with PoC
To: Sergio 'shadown' Alvarez shad...@gmail.com
Go to sleep
On Fri, Mar 14, 2014 at 1:50