[FD] Shakacon 2015 Last Call for Papers (July 6-9 2015, Honolulu, Hawaii)

2015-02-12 Thread Jonathan Brossard
Shakacon VII - Honolulu, Hawaii Sun, Surf, and C Shells CALL FOR PAPERS www.shakacon.org/CFP2015.html Who: Shakacon Crew What:Shakacon VII When:

[FD] Reflecting XSS vulnerabitlies, unrestricted file upload and underlaying CSRF in Landsknecht Adminsystems CMS v. 4.0.1 (DEV, beta version)

2015-02-12 Thread Steffen Rösemann
Advisory: Reflecting XSS vulnerabitlies, unrestricted file upload and underlaying CSRF in Landsknecht Adminsystems CMS v. 4.0.1 (DEV, beta version) Advisory ID: SROEADV-2015-14 Author: Steffen Rösemann Affected Software: Landsknecht Adminsystems CMS v. 4.0.1 (DEV, beta version) Vendor URL:

[FD] Followup on CVE-2014-6412

2015-02-12 Thread Scott Arciszewski
Since my last post, I have learned from Andrew Nacin (the lead developer of WordPress and security team member that I was corresponding with) that my emails weren't ignored, they were lost to an aggressive spam filter. Despite this, he has admitted fault for not following up on the bug report.

[FD] NetGear WNDR Authentication Bypass / Information Disclosure

2015-02-12 Thread Peter Adkins
NetGear WNDR Authentication Bypass / Information Disclosure Reported by: Peter Adkins peter.adkins () kernelpicnic.net Access: Local network; unauthenticated access. Remote network; unauthenticated access*. Tracking and identifiers: CVE - Mitre contacted; not yet allocated.

[FD] CVE-2014-8753 Cit-e-Net Multiple XSS (Cross-Site Scripting) Security Vulnerabilities

2015-02-12 Thread Jing Wang
*CVE-2014-8753 Cit-e-Net Multiple XSS (Cross-Site Scripting) Security Vulnerabilities* Exploit Title: Cit-e-Net Multiple XSS (Cross-Site Scripting) Security Vulnerabilities Product: Cit-e-Access Vendor: Cit-e-Net Vulnerable Versions: Version 6 Tested Version: Version 6 Advisory Publication: Feb

[FD] CVE-2014-9469 vBulletin XSS (Cross-Site Scripting) Security Vulnerabilities

2015-02-12 Thread Jing Wang
*CVE-2014-9469 vBulletin XSS (Cross-Site Scripting) Security Vulnerabilities* Exploit Title: vBulletin XSS (Cross-Site Scripting) Security Vulnerabilities Product: vBulletin Forum Vendor: vBulletin Vulnerable Versions: 5.1.3 5.0.5 4.2.2 3.8.7 3.6.7 3.6.0 3.5.4 Tested Version: 5.1.3

Re: [FD] CVE-2014-6412 - WordPress (all versions) lacks CSPRNG

2015-02-12 Thread Paul McMillan
Seen this? https://github.com/altf4/untwister http://www.irongeek.com/i.php?page=videos/bsideslasvegas2014/bg04-untwisting-the-mersenne-twister-how-i-killed-the-prng-moloch -Paul On Tue, Feb 10, 2015 at 4:50 PM, Scott Arciszewski sc...@arciszewski.me wrote: Ticket opened: 2014-06-25 Affected

Re: [FD] Facebook Bug Bounty #23 - Session ID CSRF Vulnerability

2015-02-12 Thread Alfie John
On Thu, Feb 12, 2015, at 02:10 AM, Scott Arciszewski wrote: Security Risk: == The security risk of the security vulnerability in the facebook framework is estimated as critical. (CVSS 9.1) Care to run that calculation by us? If this does work, you'd be able to enumerate

[FD] Vanilla forum Stored XSS on any private message / thread post

2015-02-12 Thread W S
The vulnerability is related to the insufficient filtration in HTMLawed. Existing filter can be bypassed and paste into the HTML tag img onerror event, that leads to stored XSS. I notified the developers of existing vulnerabilities and they closed it in version 2.1.1 proof:

Re: [FD] Major Internet Explorer Vulnerability - NOT Patched

2015-02-12 Thread Dan Ballance
Does anyone know if Microsoft have patched this yet? On Wed Feb 04 2015 at 09:05:26 David Leo david@deusen.co.uk wrote: Microsoft was notified on Oct 13, 2014. Joey thank you very much for your words. Kind Regards, On 2015/2/3 4:53, Joey Fowler wrote: Hi David, nice is an

Re: [FD] Facebook Bug Bounty #23 - Session ID CSRF Vulnerability

2015-02-12 Thread Julius Kivimäki
Even though deleting everything is kind of a big deal, it still does not get you anywhere near that CVSS score. Here's my very generous calculator inputs: http://puu.sh/fQVB5/76c526ed5d.png ___ Sent through the Full Disclosure mailing list