Jericho has some 'splaining to do!
c.f. QUANTUMSQUIRREL**
clearly the squirrel schwag is just cover for the _real_ rogue revenues...
** https://peertech.org/files/QUANTUMSQUIRREL.JPG
attachment: QUANTUMSQUIRREL.JPG___
Full-Disclosure - We believe in
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
___
Mandriva Linux Security Advisory MDVSA-2014:051
http://www.mandriva.com/en/support/security/
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
___
Mandriva Linux Security Advisory MDVSA-2014:052
http://www.mandriva.com/en/support/security/
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
___
Mandriva Linux Security Advisory MDVSA-2014:053
http://www.mandriva.com/en/support/security/
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
___
Mandriva Linux Security Advisory MDVSA-2014:054
http://www.mandriva.com/en/support/security/
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
___
Mandriva Linux Security Advisory MDVSA-2014:055
http://www.mandriva.com/en/support/security/
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
- -
Debian Security Advisory DSA-2877-1 secur...@debian.org
http://www.debian.org/security/ Michael Gilbert
March 12, 2014
# Exploit Title: Byte CMS Cross Site Scripting Vulnerabilities
# Date: 02/03/2014
# Exploit Author: projectzero labs
# Projectzero ID: projectzero2014-003-bytecmsxss
# Vendor Homepage: http://www.bitsnbytes.gr
# Software Link: N/A - Commercial
# Tested on: Kali Linux / Iceweasel v.22 Mac OS X
PowerArchiver: Uses insecure legacy PKZIP encryption when AES is
selected (CVE-2014-2319)
References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2319
http://int21.de/cve/CVE-2014-2319-powerarchiver.html
http://www.powerarchiver.com/2014/03/12/powerarchiver-2013-14-02-05-released/
Be careful about those zip files. I haven't looked, but they may contain
the tibannebackoffice.exe wallet stealing malware. It has appeared in
other MtGox2014Leak.zip files.
http://www.reddit.com/r/Bitcoin/comments/200k30/the_tibannebackofficeexe_executable_is_wallet/
Mark M. Jaycox
Greetings
I'm one of the organizers of BSides Connecticut. We're seeking qualified,
intelligent, and engaging speakers to speak about, and show off the
information security topics or projects that you're passionate about
.BSides Connecticut is an awesome day long information security conference
Google vulnerabilities uncovered...
http://news.softpedia.com/news/Expert-Finds-File-Upload-Vulnerability-in-YouTube-Google-Denies-It-s-a-Security-Issue-431489.shtml
___
Full-Disclosure - We believe in it.
Charter:
Might have been helpful to attach the advisory.
Tim
--
Tim Brown
mailto:t...@nth-dimension.org.uk
http://www.nth-dimension.org.uk/
NDSA20140311.txt.asc
Description: PGP signature
signature.asc
Description: This is a digitally signed message part.
___
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
___
Mandriva Linux Security Advisory MDVSA-2014:056
http://www.mandriva.com/en/support/security/
Greetings,
We are glad to announce Capstone disassembly framework version 2.1.1!
This stable release fixes some bugs deep in the core. There is no update to
any architectures or bindings, so bindings version 2.1 can still be used
with this version 2.1.1 just fine.
Core changes:
- Fix a buffer
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
___
Mandriva Linux Security Advisory MDVSA-2014:057
http://www.mandriva.com/en/support/security/
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
- -
Debian Security Advisory DSA-2878-1 secur...@debian.org
http://www.debian.org/security/Moritz Muehlenhoff
March 13, 2014
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
___
Mandriva Linux Security Advisory MDVSA-2014:058
http://www.mandriva.com/en/support/security/
I think Adam was right replying that way, so that it's not a security bug.
You haven't found anything exploitable.
The only reasonable way to 'exploit' the bug is using youtube as a
personal storage uploading non-video files to your own profile: so what?
It's like saying that you have a normal
The only reasonable way to 'exploit' the bug is using youtube as a
personal storage uploading non-video files to your own profile: so what?
That would require a way to retrieve the stored data, which - as I
understand - isn't possible here (although the report seems a bit
hard-to-parse). From
If you were evil, you could upload huge blobs and just take up space on the
google servers. Who knows what will happen if you upload a couple hundred gigs
of files. They dont disappear, they are just unretrievable afaict. It is a
security risk in the sense that untrusted data is being persisted
If you were evil, you could upload huge blobs and just take up space on the
google servers.
Keep in mind that the upload functionality is there legitimately: you
can upload gigabytes of data to Youtube, Drive, Gmail, etc.
/mz
___
Full-Disclosure -
: you could upload huge blobs and just take up space on the google servers.
How many people upload gigabytes of crappy videos on google servers,
hourly? So far, the DDoS didn't happen for some reason, even
considering the amount of users. There is a small potential to exploit
this via a botnet,
Yes, these are legitimate points.
Sent from a computer
On Mar 13, 2014, at 12:43 PM, Źmicier Januszkiewicz ga...@tut.by wrote:
: you could upload huge blobs and just take up space on the google servers.
How many people upload gigabytes of crappy videos on google servers,
hourly? So far,
CarolinaCon-10 will be held on May 16th-18th, 2014 in Raleigh NC. For the
cheap price of your average movie admission with popcorn and a drink ($20) YOU
could get a full weekend of talks, hacks, contests, and parties.
We've selected as many presentations as we can fit into the lineup. Here
On Mar 13, 2014, at 10:33, Brandon Perry bperry.volat...@gmail.com wrote:
If you were evil, you could upload huge blobs and just take up space on the
google servers. Who knows what will happen if you upload a couple hundred
gigs of files. They dont disappear, they are just unretrievable
When did the ability to upload files of arbitrary types become a security
issue? If the file doesn't get executed, it's really not a problem.
(Besides from potentially breaking site layout standpoint.)
2014-03-13 12:43 GMT+02:00 Nicholas Lemonias. lem.niko...@googlemail.com:
Google
Keep in mind that YouTube allows files to be uploaded by definition. What
you have achieved is upload a file for an extension type that is not
allowed.
It is definitely a vulnerability but a low risk one since you haven't
demonstrated if it has any ill effects.
Can you somehow find the URL to
Here is your answer.
https://www.owasp.org/index.php/Unrestricted_File_Upload
On Thu, Mar 13, 2014 at 1:39 PM, Julius Kivimäki
julius.kivim...@gmail.comwrote:
When did the ability to upload files of arbitrary types become a security
issue? If the file doesn't get executed, it's really not a
*https://www.google.com/settings/takeout
https://www.google.com/settings/takeout *
*However the only problem would be to get past Content ID filtering. I
suppose encrypting an uploaded file, and obfuscating file headers may get
past YouTube's Content ID filtering. Youtube is not a File Transfer
I suggest you to read on Content Delivery Network Architectures .
YouTube.com populates and distributes stored files to multiple servers
through a CDN (Content Delivery Architecture), where each video uses more
than one machine (hosted by a cluster). Less populated video files are
normally
Did you even read that article? (Not that OWASP has any sort of credibility
anyways). From what I saw in your previous post you are both unable to
execute the files or even access them and thus unable to manipulate the
content-type the files are returned with, therefore there is no
vulnerability
*You are wrong about accessing the files. What has not been confirmed is
remote code execution. We are working on it.*
*And please, OWASP is recognised worldwide... *
*Files can be accessed through Google Take out with a little bit of skills.*
*https://www.google.com/settings/takeout
OWASP is recognized worldwide, so is CEH and a bunch of other morons. That
doesn't mean their publications are worth anything. Now tell me, why would
arbitrary file upload on a CDN lead to code execution (Besides for HTML,
which you have been unable to confirm)?
2014-03-13 18:16 GMT+02:00
Hello Julius,
I appreciate your interest to learn more. OWASP is quite credible, and has
gained some international recognition. It is a benchmark for many vendors.
I suggest you to read on OSI/7-Layer Model. A website may disallow uploads
of certain file types for security reasons, and let's
hahahaha
you also could send emails to yourself untill fill up the google storages.
of course its not a security issue.
On Thu, Mar 13, 2014 at 2:33 PM, Brandon Perry bperry.volat...@gmail.comwrote:
If you were evil, you could upload huge blobs and just take up space on
the google servers.
ActiVPN launches its security bug bounty.
Please check the latest terms and contact details, as they may get updated:
http://activpn.com/en/security/
Excerpt:
If you believe that you find a vulnerability in http://activpn.com or
the ActiVPN infrastructure, let's talk.
We will remunerate you
I don't see what OSI model has to do with anything here. Why is arbitrary
file upload to youtube CDN any worse than to google drive CDN? And how will
your self-executing encrypted virus like Cryptolocker end up getting
executed anyways? And cryptolocker was definitely not self-executing, but
So in terms of permissions. What's the different between
admin.youtube.comand a normal youtube user?
I assume that the admin has a full permission set. If that's the case, that
means it is a valid vulnerability for the reason being that the integrity
of the service is impacted. The youtube user
Julius Kivimaki, your disbelief in OWASP, CEH, Journalists and anything you
may, or may not be qualified to question amazes. But everyone's opinion is
of course respected.
I normally don't provide security lessons via e-mail and full-disclosure,
however you seem not to understand the security
Hello Zalewski,
The YouTube service is there to serve harmless media files. The upload
functionality is there to upload files legitimately. But what type of
files, and who can write those files?
What's the difference between a Youtube admin and a Youtube user in terms
of permissions sets ?
Why
I. VULNERABILITY
-
Reflected XSS Attacks vulnerabilities in WatchGuard XTM 11.8
II. BACKGROUND
-
WatchGuard builds affordable, all-in-one network and content security
solutions to provide defense in depth for corporate content, networks and
The YouTube service is there to serve harmless media files. The upload
functionality is there to upload files legitimately. But what type of
files, and who can write those files?
What's the difference between a Youtube admin (admin.youtube.com) and a
Youtube user in terms of permissions sets ?
We confirm this to be a valid vulnerability for the following reasons.
The access control subsystem is defeated, resulting to arbitrary write
access of any file of choice.
1. You Tube defines which file types are permitted to be uploaded.
2. Exploitation is achieved by circumvention of
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
- -
Debian Security Advisory DSA-2879-1 secur...@debian.org
http://www.debian.org/security/ Raphael Geissert
March 13, 2014
On 2014-03-14 10:56, andfarm wrote:
On Mar 13, 2014, at 10:33, Brandon Perry bperry.volat...@gmail.com
wrote:
If you were evil, you could upload huge blobs and just take up space
on the google servers. Who knows what will happen if you upload a
couple hundred gigs of files. They dont
Anyone know?
-- Forwarded message --
From: Kristian Erik Hermansen kristian.herman...@gmail.com
Date: Thu, Mar 13, 2014 at 1:13 PM
Subject: Hacking Exposed: Virtualization Cloud Computing: Secrets Solutions
To: dailydave dailyd...@lists.immunityinc.com,
Nicholas,
I remember my early years in the infosec community - and sadly, so do
some of the more seasoned readers of this list :-) Back then, I
thought that the only thing that mattered is the ability to find bugs.
But after some 18 years in the industry, I now know that there's an
even more
48 matches
Mail list logo