lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <4F71E701.3030306@xiscosoft.es> Date: Tue, 27 Mar 2012 18:12:49 +0200 From: klondike <klondike@...cosoft.es> To: full-disclosure@...ts.grok.org.uk Subject: Re: Oracle based personal data dumping attack on the nuit du hack CTF El 26/03/12 13:37, Damien Cauquil escribió: > Hi klondike, > > > > PS: What I wonder now is, are the guys behind the CTF reading > Full-disclosure? > > I guess you now have your answer. > > > The guys have a cool XSS injection on the fake webmail service which > can be exploited with a properly crafted subject > > You're right, and it has been fixed during the prequals. No it wasn't, already made injections remained during the rest of the prequals on our account. > Anyway, this vulnerability is minor because teams couldn't send emails > to each others. It is minor if it weren't for the second vulnerability, you could have tried guessing passwords then and if lucky enough set a booby trap for the other participant. > For the last vuln mentionned, we were aware of it. I suppose you are also aware on how personal data protection laws are in France... El 26/03/12 13:42, majinboo escribió: > BTW last vuln' was also fixed during the prequals. That one I didn't check, was too busy with the godamned BMP. Content of type "text/html" skipped Download attachment "signature.asc" of type "application/pgp-signature" (263 bytes) _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists