Hello, n3td3v wrote:
> I have exploit code for this issue, which the list won't be getting > > hold of. The disclosure was to show that I can ask the slurp robot to > cache an account on the public index,... bla,... There's no need at all to cache anything at all. http://mtf.news.yahoo.com/mailto?prop=mycstore&locale=us&h2=n3td3v will give you the same result as http://66.218.69.11/search/cache?ei=UTF-8&p=n3td3v&fr=sfp&u=mtf.news.yahoo.com/mailto%3Furl%3Dhttp%253A//e.my.yahoo.com/config/cstore%253F.opt%3Dcontent%2526.node%3D1%2526.sid%3D171771%26title%3DChoose+Content%26prop%3Dmycstore%26locale%3Dus%26h1%3Dymessenger+at+Yahoo%21+Groups%26h2%3Dn3td3v%26h3%3Dhttp%253A//my.yahoo.com&w=n3td3v&d=U5wy1m1aMbOe&icp=1&.intl=us (your "Concept"). Sorry to tell you, but there is no vulnerability involved here (except maybe a lame XSS, didn't try that though). -- Bernhard _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
