Re: new facebook SQL injection vulnerability

[Reed Loden <reed () reedloden com>]

What I believe Benji is saying is that it looks (from the little
information you posted) like you just found a SQL injection in a
facebook app, which is not the same thing as finding a SQL injection in
facebook.com's actual code. Apps are not run by facebook, so it's
unsurprising that some random app would have a SQL injection
vulnerability.

~reed

On Wed, 1 Dec 2010 00:51:35 +0100
Maciej Gojny <vuln () ariko-security com> wrote:

> Benji@
>
> I dont understand You, I have access to whole DB... so go to school.. bye
>
> regards,
>
> Maciej
>
> Wiadomość napisana przez Benji w dniu 2010-12-01, o godz. 00:47:
>
> > so if I upload a 'hacked by benji' html file to my google sites account, by your logic this would count as hacking 
> > Google.
> >
> > Cant wait to see The Register report about this.
> >
> > 2010/11/30 Maciej Gojny <vuln () ariko-security com>
> > Hello Full Disclosure !
> >
> > Today i have found next SQL injection in facebook.com
> >
> > Details:
> >
> > http://blog.ariko-security.com/?p=82
> >
> > Full advisory will be released soon!
> >
> > Regards,
> >
> > Maciej Gojny

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/