lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Fri, 9 Nov 2012 16:41:57 +0000 From: Bacon Zombie <baconzombie@...il.com> To: "Chris C. Russo" <chris@...ciumsec.com> Cc: full-disclosure@...ts.grok.org.uk Subject: Re: A damn aweful facebook DOS There seem to be a hard limit via the main website interface but I have not check modifying the post or using another means { raw, API, Facebook App, etc}. "Status updates must be less than 63,206 characters. You have entered 73,979 characters here. Notes can be much longer. Would you like to edit and post your update as a Note instead?" Regards, -- ฤ๊๊๊๊๊็็็็็๊๊๊๊๊็็็็ ฮ้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้ ฦ้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้ BaconZombie LOAD "*",8,1 On 9 November 2012 15:31, Chris C. Russo <chris@...ciumsec.com> wrote: > On 09/11/2012 11:29 a.m., Bill Weiss wrote: >> Chris C. Russo(chris@...ciumsec.com)@Thu, Nov 08, 2012 at 04:28:33AM -0300: >>> Good news everyone! >>> >>> The last time I reported a security flaw to facebook, it took around 6 >>> weeks until they replied, >>> telling me that there was no flaw at all. Perhaps that's why I decided >>> to make public any flaw on facebook from now on. >> [cut some technical details for readability] >>> (Properly replace the <EXTREMLY LONG MESSAGE HERE> before testing) >>> >>> This might not be the best vulnerability description ever, >>> but I hope it helps solving the condition as soon as possible. Have fun. >> What length of EXTREMELY LONG MESSAGE were you using in testing? 1K >> bytes, 1M, 1G? >> > > I couldn't tell, I started up with 1,000 chars and increased 1,000 by > 1,000 until 100,000 with parallel connections. But certainly, even if > you only full the text input using the regular UI from facebook, you'll > crash any regular box, or tablet. > Perhaps you should try with 1 Gb tho and see what happens, there's test > users you can create from the facebook.com/whitehat. > > -- > Success, *forward, quick.* Chris C. Russo > > Más de 100,000 Km recorridos, conservo direcciones, presiono con > ambición, avanzo con delicadeza, flexibilizo para alcanzar, creo > escenarios, cambio realidades. > > w: www.calciumsec.com > e: chris@...ciumsec.com > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ -- ฤ๊๊๊๊๊็็็็็๊๊๊๊๊็็็็ ฮ้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้ ฦ้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้ BaconZombie LOAD "*",8,1 _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists