| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <1395827613.7767.19.camel@backup-server>
Date: Wed, 26 Mar 2014 10:53:33 +0100
From: Joxean Koret <joxeankoret@...oo.es>
To: Nico Le Moin <nicolemoin01@...il.com>
Cc: fulldisclosure@...lists.org
Subject: Re: [FD] Advisory : Persistent Internet Storage
First troll mail. Now, it's real Full Disclosure!
El mié, 26-03-2014 a las 10:26 +0100, Nico Le Moin escribió:
> Hello All,
>
> I want to inform you about a vulnerability in critical internet
> infrastructure.
>
> It is possible for unauthenticated users to upload arbitrary files to the
> internet whereafter it is not possible to delete these files from the
> internet.
>
> This vulnerability has been exploited in the past against Ms. Barbara
> Streisand. However a CVE has not yet been rewarded.
>
> I have discovered new attack vectors which aggravate this vulnerability. In
> the use case of mailing lists
> - emails might contain code that can be used for RFI
> - emails might be stored as .html resulting in XSS
> - emails might be stored as .php files resulting in RCE
>
> Sincerely,
>
> Nico Lemoin, ass. PhD
> CISSP - C|EH
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> http://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/
Download attachment "signature.asc" of type "application/pgp-signature" (199 bytes)
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists