Full Disclosure mailing list archives

Re: Oracle based personal data dumping attack on the nuit du hack CTF


From: klondike <klondike () xiscosoft es>
Date: Tue, 27 Mar 2012 18:12:49 +0200

On 26/03/12 13:37, Damien Cauquil wrote:
> Hi klondike,
>
>> PS: What I wonder now is, are the guys behind the CTF reading
>> Full-disclosure?
>
> I guess you now have your answer.
>
>> The guys have a cool XSS injection on the fake webmail service which
>> can be exploited with a properly crafted subject
>
> You're right, and it has been fixed during the prequals.
No, it wasn't; already made injections remained during the rest of the
prequals on our account.
> Anyway, this vulnerability is minor because teams couldn't send emails
> to each other.
It is minor if it weren't for the second vulnerability, you could have
tried guessing passwords then and if lucky enough set a booby trap for
the other participant.
> For the last vuln mentioned, we were aware of it.
I suppose you are also aware of how personal data protection laws are in
France...

On 26/03/12 13:42, majinboo wrote:
> BTW last vuln' was also fixed during the prequals.
That one I didn't check, was too busy with the goddamned BMP.
