Information
Advisory by Netsparker
Name: HTTP Header Injection in LiteSpeed Web Server
Affected Software : LiteSpeed Web Server
Affected Versions: v5.1.0 and possibly below
Vendor Homepage : https://www.litespeedtech.com/
Vulnerability Type : HTTP Header Injection
Severity : Me

Hi All,
I've noticed that the mobile.facebook.com domain is not on the HSTS preload
list or sending the Strict-Transport-Security header. All the other
domains like m.facebook.com are using HSTS properly.
I reported this to Facebook on 12/3/15 through the whitehat program
and got the answer below. I've ch

# Exploit Title: GRR <= 3.0.0-RC1 (all versions) RCE with privilege
escalation through file upload filter bypass (authenticated)
# Date: January 7th, 2016
# Exploit Author: kmkz (Bourbon Jean-marie) |
@kmkz_security
# Vendor Homepage: http://grr.devome.com/fr/
# Software Link:
http://grr.devome.co

About SeaWell Networks Spectrum
Session Delivery Control
SeaWell set out to improve the way operators control, monetize and scale
their IP video offerings, to meet the growing subscriber demands for video
delivered to smartphones, tablets and game consoles.
The result – Spectrum – is what we cal

ASUS wireless routers have an optional feature (beginning with firmware
3.0.0.4.374_5656, dated April 2014) to log the administrator out after a
period of idle time. While there are scenarios where you might want to keep
an idle logged-in session, remaining logged in makes it possible for a
malicio