| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CABuTHhMFpZLfGQF4c=gZSJxNka2fsmWpLvLdVWuJC1XhTy57vQ@mail.gmail.com> Date: Mon, 10 Jan 2022 18:07:38 +0100 From: "WebSec B.V." <websecinternational@...il.com> To: fulldisclosure@...lists.org Subject: [FD] Full Disclosure DMCA.COM Exploitation Publisher: Joel Aviad Ossi Company: Pentest <https://websec.nl>company WebSec B.V. Vulnerabilities: Improper access Control, Stored Cross-Site Scripting and Improper Input Validation Description: It is possible to inject javascript code into any DMCA account and takeover the API Token in order to read support messages (It is also possible to inject such code into the support ticket in order to target administrators) Additionally it is possible to bypass any website domain verification and issue valid DMCA Protection certificates for any domain name. Writeup: https://websec.nl/blog/606ecfec2f798a048269340e/dmcacom%20hack%20full%20disclosure%20with%20proof-of-concept Security Risk: Critical _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists