Full Disclosure: Re: new facebook SQL injection vulnerability

[Benji <me () b3nji com>]

http://apps.facebook.com/buysalepals/viewuser.php?u=100000423643201'



2010/11/30 Reed Loden <reed () reedloden com>

> What I believe Benji is saying is that it looks (from the little
> information you posted) like you just found a SQL injection in a
> facebook app, which is not the same thing as finding a SQL injection in
> facebook.com's actual code. Apps are not run by facebook, so it's
> unsurprising that some random app would have a SQL injection
> vulnerability.
>
> ~reed
>
> On Wed, 1 Dec 2010 00:51:35 +0100
> Maciej Gojny <vuln () ariko-security com> wrote:
>
> > Benji@
> >
> > I dont understand You, I have access to whole DB... so go to school.. bye
> >
> > regards,
> >
> > Maciej
> >
> > Wiadomość napisana przez Benji w dniu 2010-12-01, o godz. 00:47:
> >
> > > so if I upload a 'hacked by benji' html file to my google sites
> account, by your logic this would count as hacking Google.
> > > Cant wait to see The Register report about this.
> > >
> > > 2010/11/30 Maciej Gojny <vuln () ariko-security com>
> > > Hello Full Disclosure !
> > >
> > > Today i have found next SQL injection in facebook.com
> > >
> > > Details:
> > >
> > > http://blog.ariko-security.com/?p=82
> > >
> > > Full advisory will be released soon!
> > >
> > > Regards,
> > >
> > > Maciej Gojny
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/