lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <CANAyTpi2AB4EkCV2mTS3cxK2tXpo36F5Lq_p0Q0g57NNd-x1bw@mail.gmail.com>
Date: Wed, 26 Mar 2014 10:26:52 +0100
From: Nico Le Moin <nicolemoin01@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] Advisory : Persistent Internet Storage

Hello All,

I want to inform you about a vulnerability in critical internet
infrastructure.

It is possible for unauthenticated users to upload arbitrary files to the
internet whereafter it is not possible to delete these files from the
internet.

This vulnerability has been exploited in the past against Ms. Barbara
Streisand. However a CVE has not yet been rewarded.

I have discovered new attack vectors which aggravate this vulnerability. In
the use case of mailing lists
  - emails might contain code that can be used for RFI
  - emails might be stored as .html resulting in XSS
  - emails might be stored as .php files resulting in RCE

Sincerely,

Nico Lemoin, ass. PhD
CISSP - C|EH

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ