Message-ID: <509D21EE.8090401@calciumsec.com>
Date: Fri, 09 Nov 2012 12:31:58 -0300
From: "Chris C. Russo" <chris@...ciumsec.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: A damn aweful facebook DOS

On 09/11/2012 11:29 a.m., Bill Weiss wrote:
> Chris C. Russo(chris@...ciumsec.com)@Thu, Nov 08, 2012 at 04:28:33AM -0300:
>> Good news everyone!
>>
>> The last time I reported a security flaw to facebook, it took around 6
>> weeks until they replied,
>> telling me that there was no flaw at all. Perhaps that's why I decided
>> to make public any flaw on facebook from now on.
> [cut some technical details for readability]
>> (Properly replace the <EXTREMLY LONG MESSAGE HERE> before testing)
>>
>> This might not be the best vulnerability description ever,
>> but I hope it helps solving the condition as soon as possible. Have fun.
> What length of EXTREMELY LONG MESSAGE were you using in testing? 1K
> bytes, 1M, 1G?
>

I couldn't tell, I started up with 1,000 chars and increased 1,000 by
1,000 until 100,000 with parallel connections.

But certainly, even if you only fill the text input using the regular UI
from facebook, you'll crash any regular box, or tablet.

Perhaps you should try with 1 Gb tho and see what happens, there are test
users you can create from the facebook.com/whitehat.

--
Success, *forward, quick.*
Chris C. Russo

More than 100,000 km traveled,
I keep directions,
I press with ambition,
I advance with delicacy,
I flex to reach,
I create scenarios,
I change realities.

w: www.calciumsec.com
e: chris@...ciumsec.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/