Wait, so "remote code execution by social engineering" wasn't a troll? I'm
confused.
2014-03-14 21:28 GMT+02:00 Nicholas Lemonias. :
> Then that also means that firewalls and IPS systems are worthless. Why
> spend so much time protecting the network layers if a user can send any
> file of choice
Dude, seriously. Just stop.
2014-03-14 20:02 GMT+02:00 Nicholas Lemonias. :
> You can't even find a cross site scripting on google.
>
> Find a vuln on Google seems like a dream to some script kiddies.
>
>
> On Fri, Mar 14, 2014 at 6:00 PM, Nicholas Lemonias. <
> lem.niko...@googlemail.com> wrote
olas Lemonias.
> Date: Thu, Mar 13, 2014 at 7:47 PM
> Subject: Re: [Full-disclosure] Google vulnerabilities with PoC
> To: Julius Kivimäki
>
>
> Julius Kivimaki, your disbelief in OWASP, CEH, Journalists and anything
> you may, or may not be qualified to question amazes. But ev
ile to the remote network.
>> That also means that we get past their firewall, since the communication is
>> through HTTP (port 80). CDN nodes are deployed to multiple colocation
>> (thousands of nodes and thousands of servers across the world). The files
>> are cached deep in the
> *https://www.google.com/settings/takeout
> <https://www.google.com/settings/takeout> *
>
>
>
>
> On Thu, Mar 13, 2014 at 4:09 PM, Julius Kivimäki <
> julius.kivim...@gmail.com> wrote:
>
>> Did you even read that article? (Not that OWASP has any sort of
w.owasp.org/index.php/Unrestricted_File_Upload
>
>
> On Thu, Mar 13, 2014 at 1:39 PM, Julius Kivimäki <
> julius.kivim...@gmail.com> wrote:
>
>> When did the ability to upload files of arbitrary types become a security
>> issue? If the file doesn't get executed, it's really
When did the ability to upload files of arbitrary types become a security
issue? If the file doesn't get executed, it's really not a problem.
(Besides from potentially breaking site layout standpoint.)
2014-03-13 12:43 GMT+02:00 Nicholas Lemonias. :
> Google vulnerabilities uncovered...
>
>
>
>
Saying that the malleability thing is an issue with bitcoins is like saying
that sql injection is an issue with mysql.
2014-03-07 15:58 GMT+02:00 Meaux, Kirk :
> More to the point, has the transaction malleability issue been fixed
> that caused Magic's downfall?
>
> Even though most exchanges j
Pretty sure this is like the 50th time this year you send an email
regarding a vulnerability without actually specifying the vulnerability,
are you sure your client isn't cutting out parts of your messages?
2013/12/8 MustLive
> Hello list!
>
> Earlier I wrote about one vulnerability in WordPres
If you're going to start posting this shit. I suggest you visit
http://www.exploit-db.com/google-dorks/ and try appending site:edu to all
of them.
2013/8/29 Vulnerability Lab
> Title:
> ==
> UTA EDU University ENG - SQL Injection Vulnerability
>
>
> Date:
> =
> 2013-08-28
>
>
> Referenc
Heard of flash m8?
2013/8/22
> **
>
> That's a nice trick and all, but I don't see how it's valuable. In order
> to trigger the XSS you need to modify your browser headers, therefore any
> victim who you are trying to get to a page to execute your XSS would need
> to also modify THEIR browser h
So, what exactly is this "advisory" supposed to be about? The lack of your
camera skills? Or perhaps about the fact that google sent you a letter?
Oh, and I really wonder how you calculated your CVSS. The NVD calculator
comes up with 0 for me.
2013/8/16 Vulnerability Lab
> Title:
> ==
> Go
Undoubtedly a case of untrained staff and pre-written email responses.
2013/8/13 Jeffrey Walton
> On Tue, Aug 13, 2013 at 7:22 AM, Julius Kivimäki
> wrote:
> > All of the domains involved just happen to be registered on markmonitor
> by
> > PayPal. Really doubt this ha
All of the domains involved just happen to be registered on markmonitor by
PayPal. Really doubt this has anything to do with phishing.
2013/8/13 Jeffrey Walton
> It looks like Paypal has suffered a break-in and phishing attempts are
> being made on its users.
>
> Time to sell your stock (or buy i
Why am I not surprised vulnlab is the first one to post here to advertise
themselves?
2013/7/24 Vulnerability Lab
> http://www.evolution-sec.com
> International Team, Top Researchers and Consultants, Certified
> Consultants, Public References and Information.
>
> ~bkm
>
> --
> VULNERABILITY LAB
Swap out tripwire/ossec/whatever you use?
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
So basically this results in client sending HTTP GET requests very slowly.
How will that lead to DoS? (We aren't in 1980 anymore)
2013/6/27 MustLive
> **
> *Hello Ryan!*
>
> Attack exactly overload web sites presented in endless loop of redirects.
> As I showed in all cases of Looped DoS vulner
So you made a perl script to make GET requests on a list of URLs? Brilliant.
2013/6/18 MustLive
> Hello participants of Mailing List.
>
> If you haven't read my article (written in 2010 and last week I wrote about
> it to WASC list) Advantages of attacks on sites with using other sites
> (http:
Well, they don't exactly state that they're going to pay you either.
2013/5/29 Źmicier Januszkiewicz
> Hmm, interesting.
>
> For some reason I fail to find the mentioned "age requirements" at the
> official bug bounty page located at
> https://www.paypal.com/us/webapps/mpp/security/reporting-se
I went and dug out my PS3 and tested this. Results: particularly crappy
HTML execution, useless. I don't know what world you live in, but calling
this a security vulnerability would be a wild exaggeration.
2013/5/21 Vulnerability Lab
> Title:
> ==
> Sony PS3 Firmware v4.31 - Code Execution
Doubt it, PS3 doesn't really seem to have the concept of "system commands".
2013/5/22 Milan Berger
> Hi,
>
> > So, wanna tell me what exactly is critical about you being able to
> > inject marquee tags into your savefile names?
>
> didn't test the POC yet, but I guess the fun is here:
>
> >> [P
So, wanna tell me what exactly is critical about you being able to inject
marquee tags into your savefile names?
2013/5/21 Vulnerability Lab
> Title:
> ==
> Sony PS3 Firmware v4.31 - Code Execution Vulnerability
>
>
> Date:
> =
> 2013-05-12
>
>
> References:
> ===
> http://www.v
Many ISPs do this, usually they hijack DoD ranges. It shouldn't cause any
issues.
2013/5/17 kyle kemmerer
> So today when trying to access a device on my network (172.30.x.x range) I
> was taken to the web interface of a completely different device. This
> baffled me at first, but after a bit
Yeah it is when you are in the business of selling exploits.
2013/4/19
> VUPEN Security Research wrote in
> http://www.securityfocus.com/archive/1/526402
> :
> > X. DISCLOSURE TIMELINE
> > 2012-02-15 - Vulnerability Discovered by VUPEN
> > 2013-03-06 - Vulnerability Exploited At Pwn2Own 2013 a
I really wonder if they even read the lists they spam
2013/4/19 l3thal
> looks like you are still at it heh...
>
>
> On Fri, Apr 19, 2013 at 11:12 AM, wrote:
>
>> -BEGIN PGP SIGNED MESSAGE-
>> Hash: SHA1
>>
>> ___
>>
But sending 10 emails in a row is necessary?
2013/4/10 Erik Falor
> On Wed, Apr 10, 2013 at 11:44:22AM +0100, Peter W-S wrote:
> > Is it really necessary to spam the list with a separate email for every
> issue you want to report? Perhaps one email a week with a link to the full
> report would
Why exactly is this a bug?
2013/3/15
> n.runs AG
> http://www.nruns.com/
> security(at)nruns.com
> n.runs-SA-2013.001 15-Mar-2013
> ___
> Vendor: Polycom, http://www.polyc
If you as you say 'discovered' the exploit, how come you weren't the first
ones to publish it? And why did someone else publish it on the day you
claim you discovered it?
2013/2/18 Vulnerability Lab
> Title:
> ==
> Apple iOS v6.1 (10B143) - Code Lock Bypass Vulnerability #2
>
>
> Date:
> ===
This is normal
2013/1/22 Dan Dart
> https://gist.github.com/4596868
>
> Regards
> Dan
>
How is Omnivox's security relevant when this kid is running DoS tools on
their sites? (Acunetix is a nice database heavy HTTP flood tool.)
>
>
2013/1/22 Jeffrey Walton
> On Mon, Jan 21, 2013 at 5:42 PM, Philip Whitehouse
> wrote:
> > Moreover, he ran it again after reporting it to see if it was
Hello list!
I want to warn you about multiple extremely severe vulnerabilities in
websecurity.com.ua.
These are Brute Force and Insufficient Anti-automation vulnerabilities in
websecurity.com.ua. These vulnerability is very serious and could affect
million of people.
-
Af
Full path disclosure, vulnerability?
Ahahahahaha, good joke! You made my day.
2012/12/29 MustLive
> Hello list!
>
> Earlier I've wrote to the list about multiple vulnerabilities in multiple
> themes for WordPress (http://seclists.org/fulldisclosure/2012/Dec/236). In
> that later I've mentioned 1
After the demise of BS and TP, HTP isn't the only group that makes zines
anymore? (You just blew my mind)
On Dec 23, 2012 1:19 PM, wrote:
> anyone seen this yet? its been floating around irc tonight. supposed to be
> Dyne.org (the people who make the Dyne_Bolic OS) hacked. good thing i use
> BSD!
Aren't you a true master hacker trying (and failing) to DDoS sites and
posting XSS vulnerabilities on random sites to FD.
2012/12/22 tig3rhack
> Onion Bazaar is an online auction site, exploits are filled in by those
> who want to sell them, for hacktalk exploiting my dick.
>
> Ooops your site i
United States law is opt-in for Fortune 500 companies.
2012/12/14 Jeffrey Walton
> On Thu, Dec 13, 2012 at 7:52 AM, Philip Whitehouse
> wrote:
> > I restate my email's second point.
> >
> > Google is indexing robots.txt because (from all the examples I can see)
> > robots.txt doesn't contain a
Dear all, I'd like to inform you that this exploit is vulnerable to a *
critical* XSS attack that can be used against users of the exploit.
Vendor did not respond to inquiries regarding this *severe* vulnerability.
Regards,
Hot Acid security research team.
Greetz 2:
Mustlive
Vulnerability Lab
20
Is a privilege escalation vulnerability in Linux not a vulnerability if it
requires authentication?
2012/11/22 Gary Driggs
> On Nov 22, 2012, Manu wrote:
>
> > Authenticate and browse to
>
> How is this a vulnerability if it's behind an authentication wall?
> I've seen several SOHO routers and
Am I the only one who noticed the linux local root exploit written in
whitespace?
2012/11/15 mohit tyagi
>
Next to nothing, creating facebook accounts en masse is trivial. It doesn't
even use captchas for registration.
2012/10/31 Georgi Guninski
> We are discussing this question:
>
> How much a million facebook passwords + lusernames would cost?
>
>
> ___
Would you consider software that is used to open local documents and
crashes when you feed it corrupt data defective?
2012/10/29 Jeffrey Walton
> On Mon, Oct 29, 2012 at 1:35 PM, Peter Ferrie
> wrote:
> >> How can i make sure a crash is not exploitable? (( The short answer is
> >> simple assume
It reminds me my question from GNAA Security Team when i got seek
from their exploitions.
How can i make sure a software is not exploitable? (( The short answer is
simple assume every software is exploitable and remove it. ))
2012/10/29 kaveh ghaemmaghami
> It reminds me my question from VUPEN S
In fact, it's not a vulnerability in malware. It's a vulnerability in a
tool used to control computers infected by malicious software. But I can't
see that being relevant at all.
2012/10/11
> On Wed, 10 Oct 2012 23:25:50 +0200, Pascal Ernster said:
>
> > I suppose it turns into a 0 day when you
{*} samba 3.x remote root by {*}
Give some credit to the guy who actually made this.
2012/9/24
>
> Massive 0day hide all your printers.
>
> http://pastebin.com/AwpsBWVQ
>
>
>1. # finding targets 4 31337z:
>2. # gdb /usr/sbin/smbd `ps auwx | grep smbd | grep -v grep | head -n1
>| awk
Did you guys seriously just send five different advisories on five
different vulnerable parameters on one vulnerable script?
2012/9/17 HTTPCS
> **
> HTTPCS Advisory : HTTPCS100
> Product : FreeWebshop
> Version : 2.2.9
> Date : 2012-09-17
> Criticality level : Highly Critical
> Description : A
Seriously?
2012/8/25 kaveh ghaemmaghami
> Exploit Title: yahoo messenger 11.5.0 (d3d10.dll) DLL Hijacking Exploit
> Date: 2012-08-23
> Author: coolkaveh
> coolka...@rocketmail.com
> Https://twitter.com/coolkaveh
> Vendor Homepage: http://www.yahoo.com/
> Version: 11.5.0228-us
> Tested on: window
Where exactly is the vulnerability here? I am unable to see it myself, it
appears that you are using an eval function to evaluate code which isn't
exactly a security issue.
2012/8/17 research
> Summary
> ===
>
> There is an arbitrary command execution vulnerability in the scriptfu
> network
This vulnerability appears to be extremely serious and should be patched
ASAP, it appears that it has great potential to be remotely exploited.
2012/6/6 Григорий Братислава
> Hello full disclosure!! !! (is I forget another !!)
>
> I want to warn you about is vulnerability in OpenBSD and is maybe
This man knows too much, we'll have to get rid of him.
2012/5/31 RandallM
> ..if flame was hidden in angry birds
>
> --
> been great, thanks
> RandyM
> a.k.a System
>
Where's the csrf? All I see here is a useless bruteforce attack.
2012/5/17 Fernando A. Lagos B.
> LinkedIn uses a Token into the login form which can be used many times
> for different usernames. You can do it using the same IP or differents
> IP, the token will not be verified.
>
>
>
> I. Step
What's the payload?
16 March 2012 18:01 kyle kemmerer wrote:
> Not my code, just sharing it here.
>
>
> http://pastebin.com/UzDKcCQy
>
Someone who likes all the three things being compromised at the same time.
16 March 2012 18:30 Jerry dePriest wrote:
> **
> They had a DoS of mail, www and shell. They state a switch went out. who
> runs mail, www and shell on the same switch?
>
> (This might be a trick question, thin
You mean a concept.
-- Forwarded message --
From: Erik Falor
Date: 7 March 2012 20:54
Subject: Re: [Full-disclosure] Full disclosure is arrest of Sabu
To: full-disclosure@lists.grok.org.uk
On Wed, Mar 07, 2012 at 10:45:45AM +1100, Ivan .Heca wrote:
Go back to your elite hacker club anonops then. Come back with something
real these kids have done.
29 February 2012 18:57 Dan Dart wrote:
> > Are you perhaps implying that these kids would be capable of things
> other than ordering some pizzas to people?
> Much, much more. Mwahahahah
What "list" are you talking about? Are you perhaps implying that these kids
would be capable of things other than ordering some pizzas to people?
29 February 2012 18:16 Dan Dart wrote:
> The sort of people who are responsible for these arrests are going on
> "the list" I'd imagine.
>
> __
Yes but nobody gives a fuck, they are just people who could not secure
themselves while playing the "save the world and cure corruption by
defacing sites" game.
29 February 2012 17:46 Dan Dart wrote:
> There are arrests? Sorry, I've been living in a hole.
>
> _
Oh, in that case he should totally use
while true; do wget target; done
28 February 2012 14:07 rancor wrote:
> I just thought we where name dropping stuff =(
>
>
>
>
>
> 2012/2/28 Julius Kivimäki :
> > I hope you guys are not
I hope you guys are not seriously suggesting these.
-- Forwarded message --
From: rancor
Date: 28 February 2012 13:28
Subject: Re: [Full-disclosure] Best DoS Tool
To: Ramo
Cc: full-disclosure@lists.grok.org.uk
LOIC is old... HOIC is their new toy
So, it appears that Sprint and T-Mobile are using 25.*.*.* and 28.*.*.* as
their phone network internal IPs.
This causes a ton of security issues, why would they do this?
http://www.indianapolissuperbowl.com/view-release.php?id=42
2012/2/10 resea...@vulnerability-lab.com
> Title:
> ==
> Indianapolis Superbowl 2012 - SQL Injection Vulnerabilities
>
>
> Date:
> =
> 2012-02-06
>
>
>
> VL-ID:
> =
> 418
>
>
> Abstract:
> =
> Alexander Fuchs discove
And down goes exploitpack.com
2012/2/6
> This is purely spamming for the reason of trying to get someone to buy
> this product. I haven't seen any value added from this account.
>
> John Cartwright - isn't this in the charter that pure spamming will
> cause your name to get removed from the lis
You do know that anyone can create a new archive format that antiviruses
will not detect... Right?
2012/2/2 Michel
> hello,
>
> Multiple vendor antivirus .kz archive format evasion/bypass vulnerability.
>
> DESCRIPTION
> .kz is a proprietary archive format from an Asian editor KuaiZip:
> http:/
Here is a short step by step guide on how to make a honeypot.
1.Acquire a pot, refer to some other guide on how to do this.
2.Acquire some honey, refer to some other guide on how to do this.
3.Put honey in pot, refer to some other guide on how to do this.
4.Congratulations you now have a honeypot!
DDoS their boats.
2012/1/28 Laurelai
> On 1/28/2012 3:13 PM, Julius Kivimäki wrote:
>
> Of course I wouldn't, downloading a car would be like stealing a car.
> Piracy is horrible and all the boats used by the pirate scum should be
> taken away.
>
> 2012/1/28 Laurelai
Of course I wouldn't, downloading a car would be like stealing a car.
Piracy is horrible and all the boats used by the pirate scum should be
taken away.
2012/1/28 Laurelai
> On this topic i saw this
> https://thepiratebay.org/torrent/6960965/1970_Chevelle_Hot-Rod_3d_model
> , real question is wo
How does this compete with already existing tools?
2012/1/28 sandeep k
>
> This is an automatic SQL Injection tool called as FatCat, Use of FatCat
> for testing your web application and exploit your application more deeper.
> FatCat Features that help you to extract the Database information, Tab
I am pretty sure their host is gonna be suspending them after the DDoS that
just hit them.
(their real host that is, not the proxy.
Anonymous is definitely not a group (as in a group that has actual
members), you should know better.
2012/1/25 karma cyberintel
> *UPDATE* After attacking several government sites to protest
> controversial US legislation in past weeks, hacktivist group Anonymous is
> setting its sights on one
Bandwidth bills.
2012/1/25 karma cyberintel
> Anonymous deletes CBS.com, solicits opinions on who to hack nextsources
> form karmacyberintel.net
>
> for more details
>
>
> http://www.karmacyberintel.net/2012/01/anonymous-deletes-cbs-com-solicits-opinions-on-who-to-hack-next/
>
>
> __
Funny but no, this does not need a non-installed wordpress.
2012/1/25 Benji
> Dear full-disclosure
>
> I wrote to you to tell you about serious serious vulnerability in all
> Windows versions.
>
> If you turn machine on before system is configured, then you be able to
> set user password yoursel
Oh god, my linux server buried underground with five feet of concrete just
got rooted. This box has no internet connection, coincidence? I think not.
(Also I'm a derpcat and can't into mailinglists with gmail)
2012/1/23 Laurelai
> On 1/23/12 9:34 AM, Julius Kivimäki wrote:
>
>
He is a god-tier hecker, like better than Chippy1337. ICMP remote root 0day
imo.
2012/1/23 Laurelai
> On 1/23/12 7:14 AM, Ian Hayes wrote:
> > On Mon, Jan 23, 2012 at 4:37 AM, Julius Kivimäki
> > wrote:
> >> Wat
> >>
> >>
> >> 2012/1/23
Wat
2012/1/23 RandallM
> Piracy retaliation taken on UFC.com
>
> Pinging ufc.com [50.116.87.24] with 32 bytes of data:
>
> Reply from 50.116.87.24: bytes=32 time=48ms TTL=52
> Reply from 50.116.87.24: bytes=32 time=49ms TTL=52
> Reply from 50.116.87.24: bytes=32 time=48ms TTL=52
> Reply from 50.