lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <17125820-E8EA-464A-9CF7-99AA283A8922@ariko-security.com>
Date: Wed, 1 Dec 2010 01:01:41 +0100
From: Maciej Gojny <vuln@...ko-security.com>
To: Reed Loden <reed@...dloden.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: new facebook apps SQL injection vulnerability

Yup it's true (app) - so the title was NEXT...

Wiadomość napisana przez Reed Loden w dniu 2010-12-01, o godz. 00:59:

> What I believe Benji is saying is that it looks (from the little
> information you posted) like you just found a SQL injection in a
> facebook app, which is not the same thing as finding a SQL injection in
> facebook.com's actual code. Apps are not run by facebook, so it's
> unsurprising that some random app would have a SQL injection
> vulnerability.
> 
> ~reed
> 
> On Wed, 1 Dec 2010 00:51:35 +0100
> Maciej Gojny <vuln@...ko-security.com> wrote:
> 
>> Benji@
>> 
>> I dont understand You, I have access to whole DB... so go to school.. bye
>> 
>> regards,
>> 
>> Maciej
>> 
>> Wiadomość napisana przez Benji w dniu 2010-12-01, o godz. 00:47:
>> 
>>> so if I upload a 'hacked by benji' html file to my google sites account, by your logic this would count as hacking Google.
>>> 
>>> Cant wait to see The Register report about this.
>>> 
>>> 2010/11/30 Maciej Gojny <vuln@...ko-security.com>
>>> Hello Full Disclosure !
>>> 
>>> Today i have found next SQL injection in facebook.com
>>> 
>>> Details:
>>> 
>>> http://blog.ariko-security.com/?p=82
>>> 
>>> Full advisory will be released soon!
>>> 
>>> Regards,
>>> 
>>> Maciej Gojny

Ariko-Security
Rynek Glowny 12
32-600 Oswiecim
tel:. +48 33 4741511 mobile: +48 784086818
(Mo-Fr 10.00-20.00 CET)

Ariko-Security Sp. z o.o. z siedzibą w Oświęcimiu , zarejestrowana przez Sąd Rejonowy dla m. Krakowa-Śródmieścia, XII Wydział Gospodarczy Krajowego Rejestru Sądowego, KRS: 00000358273, NIP: 549-239-90-67, REGON 121262172









Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ