You are so incompetent.. If you want proof why don't you do it yourself?
https://www.youtube.com/watch?v=G4EkgJtjDvU - Here is proof that the file
is saved and processed. If you want to question it come up with your real
name, stop hiding behind fake emails. Are you a Google employee? What's
# App : Trixbox all versions
# vendor : trixbox.com
# Author : i-Hmx
# mail : n0p1...@gmail.com
# Home : security arrays inc, sec4ever.com, exploit4arab.net
Well well well, we decided to give schmoozecom a break and have a look @
fonality products
do you think they have better product than the
The thread starter is right about this. It is a vulnerability, and I think
Google should start considering this.
The JSON service responds to GET requests, and there is a good chance that the
service is also vulnerable to JSON Hijacking attacks.
As a professional penetration tester, I
I'm just a lurker on the list, which I have always found valuable.
But for what it's worth, this thread is an awful bore. Who cares
about people's credentials?
I'm not asking for administrative intervention, which I hate, but
rather that the various entrants in the pissing contest empty
Same here... It's like a train wreck, you know you shouldn't watch but it's
just so damned entertaining at this point that I can't stop...
Sent from my iPhone
On Mar 14, 2014, at 2:46 PM, Yvan Janssens i...@yvanj.me wrote:
Does anybody still have some popcorn left?
They ran out of it
It's amazing how much dumber I feel for having read your drivel.
Please for the love of $diety stop posting to this list.
--
W. Scott Lockwood III
AMST Tech (SPI)
GWB2009033817
http://www.shadowplayinternational.org/
There are four boxes to be used in defense of liberty: soap, ballot,
jury, and
Omg please for the love of all things human STFU!!!
Sent from my iPhone
On Mar 15, 2014, at 12:43 AM, Nicholas Lemonias.
lem.niko...@googlemail.com wrote:
If you wish to talk seriously about the problem, please send me an email
privately. And we can talk about what we have found so far,
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
On 03/15/2014 02:26, Nicholas Lemonias. wrote:
https://www.youtube.com/watch?v=G4EkgJtjDvU - Here is proof that
the file is saved and processed.
disclaimer
Compared to probably most of the folks on this list, I have absolutely
no idea what I'm
For the n00b guy in the room, Great post Chris!
Thanks for spelling it out clearly.
Message: 6
Date: Fri, 14 Mar 2014 16:00:02 -0400
From: Chris Thompson christhom7...@gmail.com
To: lem.niko...@googlemail.com, full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Fwd: Google
Just curious; what universities have hired you as a lecturer?
On Sat, Mar 15, 2014 at 1:09 AM, Nicholas Lemonias.
lem.niko...@googlemail.com wrote:
You are too vague. Please keep this to a level.
Thank you.
*Best Regards,*
*Nicholas Lemonias*
*Advanced Information Security
Btw, not sure if someone already mentioned it, but you are really
reaching the level
of MustLive. That's actually a big achievement. Congratz.
I'm not sure if you got what lcamtuf is saying (I'm impressed he still
takes time to reply to you),
apparently not. You're still trying to convince us
I have been watching this thread for a while and I think some people are being
hostile here.
There is nothing to gain being on either side but for the sake of security. As
a penetration tester, writer, and malware analyst with a long and rewarding
career...it would be absurd to admit that
On Sat, Mar 15, 2014 at 5:43 AM, Nicholas Lemonias.
lem.niko...@googlemail.com wrote:
People who do not have the facts have been, trying to attack the arguer,
on the basis of their personal beliefs.
Wow. I seriously can't tell if you're trolling or unbelievably narcissistic.
Your work has
That is not what this email says. You can't reply correct to criticism
and pretend it's praise.
On Sat, Mar 15, 2014 at 6:11 AM, Nicholas Lemonias.
lem.niko...@googlemail.com wrote:
Correct.
The mime type can be circumvented. We can confirm this to be a valid
vulnerability.
For the PoC's
I believe Zalewski has explained very well why it isn't a vulnerability,
and you couldn't possibly be calling him hostile. :)
On Sat, Mar 15, 2014 at 11:20 AM, M Kirschbaum pr...@yahoo.co.uk wrote:
I have been watching this thread for a while and I think some people are
being hostile here.
On top of that, Google spent millions of dollars to buy Chrome exploits,
sandbox bypasses
and webapp bugs. So, if this was a REAL bug with some REAL security
impact, I don't think Google wouldn't have paid.
They have a REAL budget for that, they are not like Yahoo that sends you
a t-shirt.
The
Hello,
Multiple
cross-site request forgery (CSRF) vulnerabilities in OpenX 2.8.11 and earlier
allow remote attackers to hijack the authentication of
administrators for requests that delete (1) users, (2) advertisers, (3) banners,
(4) campaigns, (5) channels, (6) websites or (7) zones via
Some of the replies in this thread are very unfair to the original poster. I have read the news story and have thoroughly read the proof of concepts which in my opinion indicate that this is surely a security vulnerability. I have worked for Lumension as a security consultant for more than a
Dear Mario,
There is nothing to gain being on either side. I have already read the thread
replies by M. Zalewski. I believe Google is false and does not honor the
security community.
Rgds,
M. Kirschbaum
On Saturday, 15 March 2014, 11:11, Mario Vilas mvi...@gmail.com wrote:
I
I. VULNERABILITY
-
Reflected XSS Attacks XSS vulnerabilities in Webmin 1.670
II. BACKGROUND
-
Webmin is a web-based interface for system administration for Unix.
Using any modern web browser, you can setup user accounts, Apache,
DNS, file
Hey,
I think the discussion digressed a little from the topic. Let's try to
steer it back on it.
What would make this a security vulnerability is one of the three standard
outcomes:
- information leak - i.e. leaking sensitive information that you normally
do not have access to
- remote code
Thank you. :)
On Sat, Mar 15, 2014 at 1:45 PM, Gynvael Coldwind gynv...@coldwind.pl wrote:
Hey,
I think the discussion digressed a little from the topic. Let's try to
steer it back on it.
What would make this a security vulnerability is one of the three standard
outcomes:
- information
Sockpuppet much?
On Sat, Mar 15, 2014 at 2:35 PM, M Kirschbaum pr...@yahoo.co.uk wrote:
Gynvael Coldwind,
What Alfred has reiterated is that this is a security vulnerability
irrelevantly of whether it qualifies for credit.
It is an unusual one, but still a security vulnerability. Anyone
You must be new.
On Sat, Mar 15, 2014 at 3:43 PM, Thomas Williams tho...@trwilliams.me.uk wrote:
I signed onto this mailing list as an interested person in security - not
to see everyone moan. We will all have differences in opinion and we should
all respect that. This goes for everyone and I
As a professional penetration tester, [...]
The JSON service responds to GET requests, and there is a good chance that
the service is also vulnerable to JSON Hijacking attacks.
That's... not how XSSI works.
To have a script inclusion vulnerability, you need to have a vanilla
GET response
A hacker exploits a JSON (javascript) object that has information of interest
for example holding some values for cookies. A lot of times that exploits the
same policy origin. The JSON object returned from a server can be forged over
writing javascript function that create the object. This
Is this treated with the same way that says that Remote File Inclusion is not
a security issue ?
I'm not sure how RFI came into play on this thread - the original
report wasn't about RFI.
I don't have an agenda here; I'm just trying to get to the bottom of
it and make sure that we converge on
The thread read Google vulnerabilities with PoC. From my understanding it
was a RFI vulnerability on YouTube, and I voiced my support that this is a
vulnerability.
I don't think this is accurate, at least based on the standard
definition of RFI: a server-side scripting language - usually
Is it possible with the help of Godwin's law
this discussion moves offlist?
--
guninski
On Thu, Mar 13, 2014 at 10:43:50AM +, Nicholas Lemonias. wrote:
Google vulnerabilities uncovered...
How the hell did you ever think Google will honor this? By now they
could be fixing this issue, they hell don't care about you.
On 3/15/14, Georgi Guninski gunin...@guninski.com wrote:
Is it possible with the help of Godwin's law
this discussion moves offlist?
--
guninski
On Thu, Mar 13,
Running ... out ... of ... popcorn --
must .. resupply ...
Regards,
Stefan
31 matches