Hi
When Len and I created the Full-Disclosure list way back in July 2002,
we knew that we'd have our fair share of legal troubles along the way.
We were right. To date we've had all sorts of requests to delete
things, requests not to delete things, and a variety of legal threats
the text and a OK button. If it get's undelivered an actual sms will be
send.
Screen Shot:
http://i492.photobucket.com/albums/rr287/tribalmp/USSDSenderHacktool.jpg
Download:
http://www.firedrive.com/file/C961587BD8BCD4C9___
Full-Disclosure - We be
0zsz7Eyv7Whu7UUB3zkn
> lNEAnjuoLXknIuKXFrVQwhPFJmjLx6ln
> =wWkp
> -----END PGP SIGNATURE-
>
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored
the risk of leakage of
resources by the level of recursion.
References:
http://cxsecurity.com/issue/WLB-2014030108
Best regards,
CXSEC TEAM
http://cxsec.org/
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-cha
t of, but Authentication bypass (INSUFFICIENT
ENTROPY/CVE-2014-2251) is the best.
Links:
http://scadastrangelove.blogspot.com/2014/03/all-your-plc-are-belong-to-us-2.html
More details are pending.
Regards,
SCADA StrangeLove team
___
Full-Discl
ern District of Florida approved an Order granting motion
for final approval of a Class Action Settlement Agreement, and filed a
motion for attorneys' fees and expenses, as well as for incentive
awards.
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
ould contact Fiserv.
_______
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
n: keep-alive
35. Content-Type: application/x-www-form-urlencoded
36. Content-Length: 91
37.
38.
fromDate=03-19-2014&toDate=03-19-2014&freetext=&Severity=0&AuditType=12&user=Administrator
--
http://volatile-minds.blogspot.com -- blog
http://www.volatile
ZHm+XFOviiiX2L/NNpedwnn6
Ax8y38AvQ8gFYvDtY+0tP4vBRrRAwzvGIZgSKdmeNMK+CpUvr+hZX53zVpTCPA==
=sPV+
-END PGP SIGNATURE-
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secu
Mya+zOLq2rYOusH0S0Wh/Ytgui6vpHLNUF2UQ9Wp+mf2Q7hLw1T
5HMYoT+BmPXazenOFcjXGxUAWudI7Pg+0DdEN+ErEK/YmaaUKd+xEYKpIuG9dSDe
c7C5mlJEpi47ulyyGkH8djpdvQ9rJ/9HEpVzzTs/YGwYhThxKAa8dxRxCrzIY+pQ
qapI3+dGc58c7o3EjHL2
=VBtR
-END PGP SIGNATURE-
___
Full-Disc
ls, see http://capstone-engine.org/bot.html
This is mainly for fun, but hopefully it can be useful for those who are on
Twitter all the time :-)
Any suggestions, let us know.
Cheers,
Capstone Engine
_______
Full-Disclosure - We believe in it.
Charter: http:/
nderbird - http://www.enigmail.net/
iEYEAREKAAYFAlMnUIoACgkQO9j/K4B7F8H9qACg206K0zsz7Eyv7Whu7UUB3zkn
lNEAnjuoLXknIuKXFrVQwhPFJmjLx6ln
=wWkp
-END PGP SIGNATURE-
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-di
patch does disable this functionality, but in this case the
inconvenience is worth the security.
Thanks for reading, and I hope you enjoyed this report. I've been wanting
to make a report to this mailing list for a while now and was hoping it
would not be on one of my own projects, bu
-
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
sic knowledge of how the CPU and operating systems work
>
> Kind Regard,
> Garage4Hackers Team
> Http://garage4hackers.com
>
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
-
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
ndaq.com/unitedstates/x/294324/Data+Protection+Privacy/Once+Again+Clapper+Defeats+Data+Breach+Class+Action
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
istianHermansen
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
- basic knowledge of how the CPU and operating systems work
>
> Kind Regard,
> Garage4Hackers Team
> Http://garage4hackers.com
>
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
arate military and the police: one fights the enemy
of the state, the other serves and protects the people. When the military
becomes both, then the enemies of the state tend to become the people.”
_______
Full-Disclosure - We believe in it.
Charter: http://l
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)
iD8DBQFTJuP1mqjQ0CJFipgRAhC+AJ9DRGJv63JJDYj1aOq2dGQ4gYtsJwCgl4VQ
E51kan9dXAlHxnPVzflibaY=
=MQUx
-END PGP SIGNATURE-
___
Full-Disclosure - We believe in it.
Charter: http
son we separate military and the police: one fights
> the enemy of the state, the other serves and protects the people. When
> the military becomes both, then the enemies of the state tend to become the
> people.”
>
> ___
> Full-Disclos
ced it:
http://marc.info/?l=full-disclosure&m=139076233105401&w=2
>
> 2014-03-17 10:24 GMT+01:00 Pedro Ribeiro :
> >
> > On 16 Mar 2014 23:36, "T Imbrahim" wrote:
> >>
> >> The thread read Google vulnerabilities with PoC. From my understanding
i
istance with webcast , please contact sand...@garage4hackers.com
Kind Regards,
Garage4Hackers
http://garage4hackers.com
https://www.facebook.com/pages/Garage4Hackers/138904662794635
https://twitter.com/garage4hackers
_______
Full-Disclosure - We believe in it.
Charter
es of the state tend to become the people.”
_______
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
with exactly the same text.
>
> This is turning into a madhouse... I hope this guy doesn't have access to a
> gun.
>
> Regards
> Pedro
>
>
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclo
xean Koret
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC
Date: Mon, 17 Mar 2014 12:27:27 +0100
Hi,
The only probable way of exploiting it I can see would be if the servers
at Google where the files are uploaded would perform some specific tasks
ure.asc
Description: This is a digitally signed message part
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
>> is true in security I support. Why you would Google my name ... ?
>>
>> Is the English language causing you ill effects?
>>
>> --- ped...@gmail.com wrote:
>>
>> From: Pedro Ribeiro
>> To: timbra...@techemail.com
>> Cc: full-disclosure@lis
hat is true in security I support. Why you would Google my name ... ? Is the English language causing you ill effects? --- ped...@gmail.com wrote:From: Pedro Ribeiro To: timbra...@techemail.comCc: full-disclosure@lists.grok.org.uk, Michal Zalewski , mvi...@gmail.com, gynv...@coldwind.plSubject:
From: Pedro Ribeiro
> To: timbra...@techemail.com
> Cc: full-disclosure@lists.grok.org.uk, Michal Zalewski <
> lcam...@coredump.cx>, mvi...@gmail.com, gynv...@coldwind.pl
>
> Subject: Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC
> Date: Mon, 17 Mar 2014 09:24:08
urity matters.
>
> --- lcam...@coredump.cx wrote:
>
> From: Michal Zalewski
> To: timbra...@techemail.com
> Cc: pr...@yahoo.co.uk, full-disclosure
> Subject: Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC
> Date: Sat, 15 Mar 2014 10:59:40 -0700
>
> > A
ber['mb_id']); }}?>==POC && EXP==1. Login as a member2. GET http://target/bbs/ajax.autosave.php?content=1&subject=1[inj_exp] {exp can be found on my server: http://pandas.pw/gnuboard.exp} 3. Page returns 1062 : D
he same text.
This is turning into a madhouse... I hope this guy doesn't have access to a
gun.
Regards
Pedro
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
LOL. boy oh boy you would have HATED the N3td3v years then...
I'm sure your delete key works doesn't it?
From: Full-Disclosure [mailto:full-disclosure-boun...@lists.grok.org.uk] On
Behalf Of Thomas Williams
Sent: Saturday, March 15, 2014 10:44 AM
To: Mario Vilas
Cc: full-
ating security that way, there are other
parties like NSA who welcome them happily.
--- lcam...@coredump.cx wrote:
From: Michal Zalewski
To: timbra...@techemail.com
Cc: M Kirschbaum , full-disclosure
Subject: Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC
Date: Sat, 15 Mar 2014 11:
rket or to some government.
The NSA maybe is happy to buy a RFI on Google, im sure they could make good use
of that. Google is very deceptive in security matters.
--- lcam...@coredump.cx wrote:
From: Michal Zalewski
To: timbra...@techemail.com
Cc: pr...@yahoo.co.uk, full-disclosure
Subject:
y if js execution it
different for two different sites.
Sincerely ,
T. Imbrahim
--- lcam...@coredump.cx wrote:
From: Michal Zalewski
To: M Kirschbaum
Cc: "full-disclosure@lists.grok.org.uk"
Subject: Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC
Date: Sat, 15 Mar 2014 09:46
e. I'm looking forward to seeing the RCE exploits (be it
> client or server side).
>
> Kind regards,
> Gynvael Coldwind
>
>
>
>
>
> --
> “There's a reason we separate military and the police: one fights the enemy
> of the state, the other serves
Definetely a security problem. http://resources.infosecinstitute.com/file-upload-vulnerabilities/ Are you a Techie? Get Your Free Tech Email Address Now! Visit http://www.TechEmail.com_______
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.u
either experience, nor job title, proves exploitability of a
*potential* bug. Working exploits do.
That's it from me. I'm looking forward to seeing the RCE exploits (be it client
or server side).
Kind regards,
Gynvael Coldwind_______
_
Get your free email @
http://www.xtcmail.com
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
INET->new(
Proto=> "tcp",
PeerAddr => "localhost",
PeerPort => $PORT
)
or die "cannot connect to port $PORT at localhost";
# RFC1179
printf($remote "%clp\n", 2); # rlpdaemon should log this
close($remote);
exit(0);
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
script or HTML via the videofile parameter to /includes/flvthumbnail.php.
POC:
http://SiteAddress/joomla/components/com_youtubegallery/includes/flvthumbnail.php?videofile=alert('XSS')___
Full-Disclosure - We believe in it.
Cha
and shut up.
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
; On Thu, Mar 13, 2014 at 10:43:50AM +, Nicholas Lemonias. wrote:
>> Google vulnerabilities uncovered...
>>
>>
>> http://news.softpedia.com/news/Expert-Finds-File-Upload-Vulnerability-in-YouTube-Google-Denies-It-s-a-Security-Issue-431489.shtml
>
>> ___
in-YouTube-Google-Denies-It-s-a-Security-Issue-431489.shtml
> _______
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
___
and I
don't think they are met here), but if my understanding is wrong, I'd
really like to learn about the proposed attack.
/mz
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
unfortunate that the thread has devolved into various
accusations and credential-slinging, because it reduces the likelihood
of such a productive outcome. Please feel free to ping me directly any
time, though - I'm happy to chat.
Cheers,
/mz
_____
et.) JSONP is a
different animal.
/mz
_______
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
appears in a block of code.
Last but not least, the final piece of the puzzle is that the response
must be served at a URL that can be guessed by third parties who don't
have access to your account.
/mz
_______
Full-Disclosure - We believe in it.
ience, nor job title, proves
>> exploitability of a *potential* bug. Working exploits do.
>>
>>
>> That's it from me. I'm looking forward to seeing the RCE exploits (be it
>> client or server side).
>>
>> Kind regards,
>> Gynvael Coldwind
>>
>>
>>
>
>
> --
> “
ind regards,
> Gynvael Coldwind
>
>
>
--
“There's a reason we separate military and the police: one fights the enemy
of the state, the other serves and protects the people. When the military
becomes both, then the enemies of the state tend to become the people.”
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
the enemy
of the state, the other serves and protects the people. When the military
becomes both, then the enemies of the state tend to become the people.”
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
exploitability
of a *potential* bug. Working exploits do.
That's it from me. I'm looking forward to seeing the RCE exploits (be it
client or server side).
Kind regards,
Gynvael Coldwind
_______
Full-Disclosure - We believe in it.
Charter: http://l
e application and can be modified by the user,
before making any kind of transaction with them must be validated.
VIII. References
-
http://www.kb.cert.org/vuls/id/381692
http://www.webmin.com/changes.html
___
Full-Disclosu
threats by name and bank details.
>
>Rgds,
>M. Kirschbaum
>
>___
>Full-Disclosure - We believe in it.
>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>Hosted and sponsored by Secunia - http://secunia.com/
>
--
“There's a reason we separate military a
://www.xtcmail.com
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
regards.
OpenX CSRF Vulnerabilities Report.docx
Description: application/vnd.openxmlformats-officedocument.wordprocessingml.document
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored
hat Google
>> does not want to pay. And I bet any amount of money that the bug bounty
>> program is a way for filing potential threats by name and bank details.
>>
>> Rgds,
>> M. Kirschbaum
>>
>>
>> __
otential threats by name and bank details.
>
> Rgds,
> M. Kirschbaum
>
>
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
--
“There'
ecute some of
>>> the uploaded files (Social Engineering).
>>>
>>
>> Come on, seriously? Social Engineering can make him download this file
>> from pastebin just as well. That's a real stretch.
>>
>> IMHO it is not a security issue. You're upl
th, then the enemies of the state tend to become the people.”
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
for filing potential threats by name and bank details.
Rgds,
M. Kirschbaum ___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
gt;>> Can't you see that the advisory is about writing arbitrary files. If I
>>> was your boss I would fire you.
>>> -- Forwarded message --
>>> From: Nicholas Lemonias.
>>> Date: Fri, Mar 14, 2014 at 5:43 PM
>>> Subject:
ne, pal.
>>> ;)
>>>
>>>
>>> On Fri, Mar 14, 2014 at 6:44 PM, Nicholas Lemonias. <
>>> lem.niko...@googlemail.com> wrote:
>>>
>>>>
>>>> People can read the report if they like. Can't you even do basic things
>>
For the n00b guy in the room, Great post Chris!
Thanks for spelling it out clearly.
> Message: 6
> Date: Fri, 14 Mar 2014 16:00:02 -0400
> From: Chris Thompson
> To: lem.niko...@googlemail.com, full-disclosure@lists.grok.org.uk
> Subject: Re: [Full-disclosure] Fwd: Google vulne
b02pve5i7in6OoYBQj4m85KVzq+Pnvfowqo6VHzlLwfK3vaD4a
8sEm+i63N02VT6ItO9y7fCcv52pU0sjepGIoYV2aTHkIR3BaNmyxSEVaOZclDY37
6HFSdkWZP0rvkQefNY6QcUvMfBszxFfecQ5cGfIcbScx35iLChXQMYJpH9dmPao=
=Ngjk
-END PGP SIGNATURE-
_______
Full-Disclosure - We believe in it.
Charter: htt
t the advisory is about writing arbitrary files. If I was
>>> your boss I would fire you.
>>> -- Forwarded message --
>>> From: Nicholas Lemonias.
>>> Date: Fri, Mar 14, 2014 at 5:43 PM
>>> Subject: Re: [Full-disclosure] Google vulner
nse from the
>>>>>>>> API
>>>>>>>> to say the file you uploaded has been received and saved.
>>>>>>>>
>>>>>>>> Now, as you no doubt know, when you upload a regular movie to
>>>>>
We have many PoC's including video clips. We may upload for the security
>> world to see.
>>
>> However, this is not the way to treat security vulnerabilities. Attacking
>> the researcher and bringing you friends to do aswell, won't mitigate the
>
issing contest empty their
bladders elsewhere. Please!
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
believe that Google was false not to
award this.___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
happy as pig in $hit xD
Still need more??
you will notice that you're unable to reach this file due to the http
firewall
but actually there is simple and yet dirty trick that allow you to get pass
through it , and execute your command smothely as boat on the river ;)
And here come the challeng
gular movie to
>>>>>>> YouTube, once uploaded it goes away and does some post-processing,
>>>>>>> converting it to flash for example. What's to say that there isn't some
>>>>>>> verification aspect to this post-processing that checks if the
but nevertheless only
> processes those files as video - there is NO reason to suspect otherwise,
> and I'd like to be proven wrong here. Proven as in PoC.
>
>
>
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Can't you see that the advisory is about writing arbitrary files. If I
>>> was your boss I would fire you.
>>> -- Forwarded message --
>>> From: Nicholas Lemonias.
>>> Date: Fri, Mar 14, 2014 at 5:43 PM
>>> Subject: Re: [Full-disclosu
x27;t you see that the advisory is about writing arbitrary files. If I
>> was your boss I would fire you.
>> -- Forwarded message --
>> From: Nicholas Lemonias.
>> Date: Fri, Mar 14, 2014 at 5:43 PM
>> Subject: Re: [Full-disclosure] Google vulnerabil
to minimizing risk.
/mz
_______
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
f attack, you should analyze everything your application
>>> does with files and think carefully about what processing and interpreters
>>> are involved.
>>>
>>> Your POC kinda does that, but you didn't provide proof it's possible to
>>> e
example. What's to say that there isn't some
>>>>>>> verification aspect to this post-processing that checks if the file is
>>>>>>> intact a valid movie and if not removes it.
>>>>>>>
>>>>>>> If you could
doubt know, when you upload a regular movie to
>>>>>>>> YouTube, once uploaded it goes away and does some post-processing,
>>>>>>>> converting it to flash for example. What's to say that there isn't some
>>>>>>>> verification
e uploading a file to some kind of
processing queue that does not validate a file type, but nevertheless only
processes those files as video - there is NO reason to suspect otherwise,
and I'd like to be proven wrong here. Proven as in PoC.
_____
_____
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
oad for the security
> world to see.
>
> However, this is not the way to treat security vulnerabilities. Attacking
> the researcher and bringing you friends to do aswell, won't mitigate the
> problem.
>
>
>
> ___
>
x27;s including video clips. We may upload for the security
> world to see.
>
> However, this is not the way to treat security vulnerabilities. Attacking the
> researcher and bringing you friends to do aswell, won't mitigate the problem.
>
>
> _____
>
>>>> 2. You / we don't know what Google do with files once they have been
>>>> received from the API - maybe they process them and validate them - we
>>>> simply don't know.
>>>>
>>>> 3. You have hypothesized that you can retriev
>>>> simply don't know.
>>>>
>>>> 3. You have hypothesized that you can retrieve the file by manipulating
>>>> tokens etc and you may be right, but you have not demonstrated it as such.
>>>>
>>>> Because of this, you seem t
provide proof it's possible to
>> execute what you uploaded, either using social engineering or any other
>> method.
>>
>> Also, please don't say "verified by a couple of recognised experts
>> including OWASP" unless you actually spoke wit
ng social engineering or any other
>> method.
>>
>> Also, please don't say "verified by a couple of recognised experts
>> including OWASP" unless you actually spoke with someone @owasp and she
>> validated your findings.
>>
>>
>> On
D find a vuln though. Do you really want that? Go ahead, start
>> a crowdsourcing campaign!
>>
>>
>>
>>
>>
>> 2014-03-14 19:40 GMT+01:00 Nicholas Lemonias. > >:
>>
>>> We have many PoC's including video clips. We may upload for
an
>> unexpected file type.
>> 2. The file is persistent and has not been deleted by YouTube.
>> 3. It can be queried for information since it is assigned a unique
>> upload_id.
>> 4. It's successfully uploaded to youtube.com As you can see it give out
>> the total bytes written to the remote network.
>> 5. "content_type":"text/x-sh"}] ---> The file is a shell
>> script script named 'file'
>> 6. It can be enumerated by a non-authenticated user, remotely.
>>
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
s-flaws-in.html
>
> _______
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
--
Grato,
J. Tozo
_
°v°
/(S)\
earcher and bringing you friends to do aswell, won't mitigate the
> problem.
>
>
>
> _______
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.
ot; wrote:
>>> We are on a different level perhaps. We do certainly disagree on those
>>> points.
>>> I wouldn't hire you as a consultant, if you can't tell if that is a
>>> valid
>>> vulnerability..
>>>
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
I remember my early years in the infosec community - and sadly,
>> so do
>>>>>>> some of the more seasoned readers of this list :-) Back then, I
>>>>>>> thought that the only thing that matter
security issues.
___Full-Disclosure -
We believe in it.Charter:
http://lists.grok.org.uk/full-disclosure-charter.htmlHosted and
sponsored by Secunia - http://secunia.com/
Nicholas Lemonias.
14 March 2014
18:16
Google is a
great service, but according to our proof of c
t; lem.niko...@googlemail.com> wrote:
>
>> The full-disclosure mailing list has really changed. It's full of lamers
>> nowdays aiming high.
>>
>>
>>
>>
>>
>> On Fri, Mar 14, 2014 at 5:58 PM, Nicholas Lemonias. <
>> lem.niko...@goog
e the pwd.cgi file
+ Set the file permissions to not-accessible ("chmod 000 pwd.cgi")
_______
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
1 - 100 of 59151 matches
Mail list logo
