Full Disclosure mailing list archives
Files.com - Auth Bypass (Fat Client)
From: Balázs Hambalkó <hambalko.balazs () gmail com>
Date: Wed, 6 Jan 2021 11:37:16 +0100
Hi,

Vendor: Files.com
Product: Fat Client
Tested version: 3.3.6, but newer versions are highly likely also affected
Credit: Balazs Hambalko, IT Security Consultant

This vulnerability was identified and reported promptly to the vendor in April 2020. The answer was they do not see any risk here.

Anyway, I would like to share my POC video, only for learning purposes.

According to the vendor, there is no risk here; on the other hand, I built up a playground and, being a Domain Admin, I could gain a normal user's Files.com storage access.

Personally I do not recommend using this solution in an environment where somebody can access your C drive (using Windows Domain or common machines - library, net coffee, and so on...)

POC: https://youtu.be/Ay_iYFtPrcs

Kind regards,
Balazs Hambalko