 Full Disclosure Mailing List
A lightly moderated high-traffic forum for disclosure of security information. Fresh vulnerabilities sometimes hit this list many hours before they pass through the Bugtraq moderation queue. The relaxed atmosphere of this quirky list provides some comic relief and certain industry gossip. Unfortunately, most of the posts are worthless drivel, so finding the gems takes patience.
List Archives
Latest Posts
[SECURITY] [DSA 2476-1] pidgin-otr security update
Jonathan Wiltshire (May 19)
-------------------------------------------------------------------------
Debian Security Advisory DSA-2476-1                   security () debian org
http://www.debian.org/security/                        Jonathan Wiltshire
May 19, 2012                                           http://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : pidgin-otr
Vulnerability : format string vulnerability...
Re: FW: Online course - Professional pentesting - Promotion ( 25% discount )
Charles Morris (May 19)
stop flexing
FW: Online course - Professional pentesting - Promotion ( 25% discount )
Thor (Hammer of God) (May 19)
Hello Juan.
After multiple requests for you to remove me from your unsolicited (and illegal) emails, I see you have refused to do
so. This indicates and illustrates your acceptance of a "default opt-in until explicit opt-out" policy notwithstanding
the fact you do not honor the opt-out.
Though I still do not wish to receive your mails, I see you are offering penetration testing services. I find this
interesting. In order to...
Re: Google Accounts Security Vulnerability
Thor (Hammer of God) (May 19)
I tried, and it didn't work (couldn't repro).
None of this matters - if you have username and password, you can check mail via POP3 or IMAP. Last time I checked,
that was "by design." If anyone is saying this is some sort of vulnerability because someone "happens across your
username and password" then they are in the wrong business.
Michael - for you to make these claims, get Google involved, and post their...
Re: Google Accounts Security Vulnerability
Jeffrey Walton (May 18)
"Two-channel breached: a milestone in threat evaluation, and a floor
on monetary value,"
http://financialcryptography.com/mt/archives/001349.html.
Re: Checking out backdoor shells
Kai (May 18)
Dear Mr. MustLive#2,
hello and welcome to the full-disclosure mailing list.
Faithfully yours
On Fri, 18 May 2012 15:50:04 -0500, Adam Behnke wrote:
Checking out backdoor shells
Adam Behnke (May 18)
A backdoor shell can be a PHP, ASP, JSP, etc. piece of code which can be
uploaded on a site to gain or retain access and some privileges on a
website. Once uploaded, it allows the attacker to execute commands through
the shell_exec() function, upload/delete/modify/download files from the web
server, and many more. For defacers, it allows them to navigate easily to
the directory of the public_html or /var/www and modify the index of the
page....
Re: Google Accounts Security Vulnerability
Dan Kaminsky (May 18)
Surely you can create a sock puppet for debugging purposes.
Re: Google Accounts Security Vulnerability
coderman (May 18)
++
best thread on list all month. :)
now if only Google's two factor auth could use tamper resistant tokens.
i trust my phone even less than my browser... :(
H2HC Brazil 9th Edition - Call for Papers
Rodrigo Rubira Branco (BSDaemon) (May 18)
CALL FOR PAPERS - Hackers 2 Hackers Conference 9th edition
The call for papers for H2HC 9th edition is now open. H2HC is a hacker
conference taking place in Sao Paulo, Brazil, from 18 to 23 October 2012.
[ - Introduction - ]
For the ninth consecutive year and past success we have been having,
the annual Hackers 2 Hackers Conference will be held again in Sao Paulo,
from 18 to 23 October 2012 and aims to get together industry,
government,...
SEC Consult SA-20120518 :: Memory overwrite vulnerability in libwpd (OpenOffice.org) - CVE-2012-2149
SEC Consult Vulnerability Lab (May 18)
SEC Consult Vulnerability Lab Security Advisory < 20120518-0 >
=======================================================================
title: libwpd WPXContentListener::_closeTableRow() memory overwrite
product: OpenOffice.org
vulnerable version: 3.3.0/3.4 Beta 1 and probably earlier versions
fixed version: 3.4
CVE: CVE-2012-2149
impact: high...
Re: LinkedIn CSRF: Login Brute Force
Mario Vilas (May 18)
It's a captcha bypass, not a CSRF as claimed. I'm also not quite sure
if the captcha has really been bypassed at all as the blog post in
Spanish says you have to enter it manually from time to time...
"If LinkedIn gives us trouble with the captcha, what we must do
is log in via the web with a valid account, capture the
Token again and try again with that token."
This line is quite funny: "Nota: LinkedIn...
Re: Google Accounts Security Vulnerability
Michael Gray (May 18)
I'm not interested in providing that information. You can reproduce it
without knowing my user name.
Re: LinkedIn CSRF: Login Brute Force
Julius Kivimäki (May 18)
Where's the CSRF? All I see here is a useless bruteforce attack.
2012/5/17 Fernando A. Lagos B. <fernando () zerial org>
Vulnerabilities on Cryptographp
Lu33Y (May 18)
During a security assessment, I found that my target was using Cryptographp, which is a PHP script used to generate
"captchas".
It was easily noticeable when I found the following URL:
http://WWWW/cryptographp.inc.php?cfg=XX&sn=YYYY&ZZZZ
So I decided to take a look at the source code and found 2 vulnerabilities.
The first one has already been disclosed but hasn't been corrected. This vulnerability...
More Lists
Dozens of other network security lists are archived at SecLists.Org.