Home page logo
  • Nmap Security Scanner
  • Security Lists
  • Security Tools
  • Site News
  • Advertising
  • About/Contact
  • Sponsors:

    Acunetix



/
fulldisclosure logo
Full Disclosure Mailing List

A lightly moderated high-traffic forum for disclosure of security information. Fresh vulnerabilities sometimes hit this list many hours before they pass through the Bugtraq moderation queue. The relaxed atmosphere of this quirky list provides some comic relief and certain industry gossip. Unfortunately, most of the posts are worthless drivel, so finding the gems takes patience.

List Archives

JanFebMarAprMayJunJulAugSepOctNovDec
2014194273333
2013282162290263227259277303187294222224
2012611477390382323428394393210277236280
2011590687439561572565367393370995466511
2010637502564453408631417445414523342696
2009979380465318282292550455421339386502
2008615496600821681403591559639531739635
2007593629573744555661662530709935582641
200699274018658677891058770771578678545495
2005939676950666678437766107889067710651531
200413581534149911531451103113701314109111741424731
200350540529650042189212511942176318061123782
2002314835685381456313

Latest Posts

Administrivia: The End John Cartwright (Mar 19)
Hi

When Len and I created the Full-Disclosure list way back in July 2002,
we knew that we'd have our fair share of legal troubles along the way.
We were right. To date we've had all sorts of requests to delete
things, requests not to delete things, and a variety of legal threats
both valid or otherwise. However, I always assumed that the turning
point would be a sweeping request for large-scale deletion of
information that some...

USSD Sender Hacktool 1.0 AWeber Test (Mar 19)
What is USSD?
USSD stands for Unstructured Supplementary Service Data and it's mostly use to make requests to a mobile operator. If
you want to check how much money you have on your mobile sim card you can use a USSD Command for that. Entering for
example *#100# to the vodafone network, you will receive an USSD message as a result.

USSD Sender Hacktool is a complex tool that let any web user to send a text message in a USSD command to any...

Re: [SPAM] [Bayesian][bayesTestMode] Re: Google vulnerabilities with PoC Leutnant Steiner (Mar 19)
http://thehackernews.com/2014/03/watch-out-scammers-targeting-google.html

2014-03-17 20:44 GMT+01:00 The Doctor <drwho () virtadpt net>:

Kaspersky 14.0.0.4651 RegExp Remote Denial of Service PoC2 [CXSEC] (Mar 19)
Kaspersky has released updated for first PoC presented here

http://www.youtube.com/watch?v=joa_9IS7U90 (
http://seclists.org/fulldisclosure/2014/Mar/166)

but there are still many combinations of evil patterns. For exmaple next
PoC2 is available here

https://www.youtube.com/watch?v=9PYtL0zck3I

code:
https://devilteam.pl/regex2.html

------
<HTML>
<HEAD>
<TITLE>RegExp Resource Exhaustion </TITLE>
</HEAD>
<BODY...

All your PLC are belong to us (2) scadastrangelove (Mar 19)
Fixes for Siemens S7 1500 PLC are published.
Thanks to Yury Goltsev <https://twitter.com/ygoltsev>, Ilya Karpov, Alexey
Osipov <https://twitter.com/GiftsUngiven>, Dmitry
Serebryannikov<https://twitter.com/dsrbr>and Alex
Timorin <https://twitter.com/atimorin>.
There are a lot of, but Authentication bypass (INSUFFICIENT
ENTROPY/CVE-2014-2251) is the best.

Links:...

Re: Bank of the West security contact? Jeffrey Walton (Mar 18)
I might just stand corrected here (if it withstands appeal):

http://www.slyck.com/story2351_Data_Breach_Settlement_Class_Action_Lawsuit_Wins_Appeal_in_Court:

With so many recent data breaches and lacking security measures in
place, we know that there are likely to be many more lawsuits
forthcoming. However, in what’s believed to be a first win for a class
action lawsuit as a result of a data breach where none of the
plaintiffs suffered...

Re: Bank of the West security contact? Florian Weimer (Mar 18)
* Kristian Erik Hermansen:

Is this an issue with their online banking? Then here's a hint:

/**********************************************************
* *
* Copyright ©2005 Corillian Corporation *
* *
* All rights reserved. *
*...

McAfee Cloud SSO and McAfee Asset Manager vulns Brandon Perry (Mar 18)
1. Cloud SSO is vuln to unauthed XSS in the authentication audit form:
2.

1. https://twitter.com/BrandonPrry/status/445969380656943104
2.

1.
2. McAfee Asset Manager v6.6 multiple vulnerabilities
3.
4. http://www.mcafee.com/us/products/asset-manager.aspx
5.
6. Authenticated arbitrary file read
7. An unprivileged authenticated user can download arbitrary files with
the permissions of the web server using the...

[Quantum Leap Advisory] #QLA140216 - VLC Reflected XSS vulnerability Francesco Perna (Mar 18)
=== Executive Summary ===
Using a specially crafted HTTP request, it is possible to exploit a lack
in the neutralization[1] of the error pages output which includes the
user submitted content. Successful exploitation of the vulnerabilities,
results in the execution of arbitrary HTML and script code in user?s
browser in context of the vulnerable website trough a ?Reflected XSS?

=== Proof of Concept ===
It has been discovered a reflected XSS...

(CFP) LACSEC 2014: Cancun, Mexico. May 7-8, 2014 (EXTENDED DEADLINE) Fernando Gont (Mar 18)
---- cut here ----
***********************************************************************
CALL FOR PRESENTATIONS
***********************************************************************
LACSEC 2014
9th Network Security Event for Latin America and the Caribbean
May 4-9, 2014, Cancun, Mexico
http://www.lacnic.net/en/web/eventos/lacnic21

LACNIC (...

CEbot: disasm from your Twitter account Capstone Engine (Mar 18)
Hi,

We are running CEbot, a tool that lets you reverse hexcode from your own
Twitter!

How? Do this in 2 easy steps:

- Tweet your hex string with either hashtag #2ce (read as:
"To-Capstone-Engine"), or #cebot.
- Wait 1~2 seconds, the assembly code will be sent back, also via Twitter.
Be sure to check the "Notifications" tab if you do not see it soon enough.

Few examples on tweets accepted by CEbot:

x32 909090 #2ce...

Re: [SPAM] [Bayesian][bayesTestMode] Re: Google vulnerabilities with PoC The Doctor (Mar 18)
While this inspiring and amusing thread has been going on, what
happened that we missed because we were too busy watching the fur fly?

Emergency patch for ShadowIRCd versions 6.3+ and Elemental-IRCd 6.5+ Sam Dodrill (Mar 18)
Emergency patch for ShadowIRCd versions 6.3+ and Elemental-IRCd 6.5+

A vulnerability has been discovered in Elemental-IRCd/ShadowIRCd all the
way back to version 6.3. If a client does a SASL authentication before the
server is ready for it, a race condition will be met and the ircd will
segfault to an address out of bounds error. The attached exploit, ku.py is
pasted below:

#!/usr/bin/python2
# Live exploit for ShadowIRCd 6.3+, remote...

[SECURITY] [DSA 2880-1] python2.7 security update Moritz Muehlenhoff (Mar 17)
-------------------------------------------------------------------------
Debian Security Advisory DSA-2880-1 security () debian org
http://www.debian.org/security/ Moritz Muehlenhoff
March 17, 2014 http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : python2.7
CVE ID : CVE-2013-4238 CVE-2014-1912...

Re: Garage4Hackers Ranchoddas Series - Part 2 on Reverse Engineering - Free Webinar Sandeep Kamble (Mar 17)
Dear All, There has been a issue with hangout service as the Google
servers. Hence use below given link to join the webinar. Apologies for the
inconvenience and delay.

We have changed webcast link.

please join us : http://www.twitch.tv/gyndream/

On Fri, Mar 7, 2014 at 5:35 PM, Sandeep Kamble <sandeepk.l337 () gmail com>wrote:

More Lists

Dozens of other network security lists are archived at SecLists.Org.


[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]