Full Disclosure mailing list archives
Re: Oracle based personal data dumping attack on the nuit du hack CTF
From: klondike <klondike () xiscosoft es>
Date: Tue, 27 Mar 2012 18:12:49 +0200
El 26/03/12 13:37, Damien Cauquil escribió:
Hi klondike,PS: What I wonder now is, are the guys behind the CTF readingFull-disclosure? I guess you now have your answer.The guys have a cool XSS injection on the fake webmail service whichcan be exploited with a properly crafted subject You're right, and it has been fixed during the prequals.
No it wasn't, already made injections remained during the rest of the prequals on our account.
Anyway, this vulnerability is minor because teams couldn't send emails to each others.
It is minor if it weren't for the second vulnerability, you could have tried guessing passwords then and if lucky enough set a booby trap for the other participant.
For the last vuln mentionned, we were aware of it.
I suppose you are also aware on how personal data protection laws are in France... El 26/03/12 13:42, majinboo escribió:
BTW last vuln' was also fixed during the prequals.
That one I didn't check, was too busy with the godamned BMP.
Attachment:
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Permanent XSS on the nuit du hack webmail service klondike (Mar 23)
- Re: Oracle based personal data dumping attack on the nuit du hack CTF klondike (Mar 23)
- Re: Oracle based personal data dumping attack on the nuit du hack CTF Damien Cauquil (Mar 26)
- Re: Oracle based personal data dumping attack on the nuit du hack CTF majinboo (Mar 26)
- Re: Oracle based personal data dumping attack on the nuit du hack CTF klondike (Mar 27)
- Re: Oracle based personal data dumping attack on the nuit du hack CTF Damien Cauquil (Mar 26)
- Re: Oracle based personal data dumping attack on the nuit du hack CTF klondike (Mar 23)