dekeeu

De vizit? poate

Cred c? un update la ultima versiune te-ar putea ajuta mai mult.

Po?i s? postezi xml-ul aici?

Ai topic separat, dar fie: Salut ! Ai fost invitat de dekeeu (dekeeu@*****.com) sa-ti creezi un cont pe filelist.ro, cea mai mare comunitate privata din Romania. Pentru a accepta invitatia, acceseaza adresa: http://filelist.ro/signup.php?k=a&e=b&u=c Daca nu accesezi aceasta adresa, invitatia va fi dezactivata in cateva zile. Daca nu esti interesat te rugam sa ignori acest mail. Verific? primul mail.

Numele t?u a fost foarte des vehiculat în ultimele zile ?i singurul lucru pe care l-ai f?cut a fost s? umpli forumul cu cacat. Nu aduci nimic nou, nu ar??i nimic inteligent , nu e?ti productiv. "Spargi" câte un forum de ceseu pe zi ?i ai o poz? cu Anonymous la avatar. Esti patetic.

Realizezi cât de patetic e?ti, nu ?

F?-?i un PoC: Random Security: Exploiting Insecure crossdomain.xml to Bypass Same Origin Policy (ActionScript PoC)

A raportat cineva vulnerabilit??i c?tre Vimeo: https://hackerone.com/vimeo ? Care a fost timpul aproximativ de r?spuns / fix ? Am o vulnerabilititate destul de important? trimis? de 2 luni la ei, care are în continuare statusul de "New (Open)" ?i care înc? func?ioneaz? (ca idee îmi permite s? v?d videoclipuri private/ascunse/protejate cu parol?). Am trimis 5 mesaje consecutive c?tre ei, în ultimul de acum 1 s?pt?mân? spunându-le c? o fac public? dac? nu primesc r?spuns, ?i desigur n-am primit.

F64 404 http://www.f64.ro/oferte-de-la-1-leu#tab_1_-_10_lei Bafta, @dekeeu_old

Dac? el se retrage (nu mai intr? 2 zile sau intr? cu alt username sau ca guest) asta nu înseamn? c? v? înceteaz? posibilitatea de comunicare, lol. Dac? v? întelegea?i atât de bine, putea s? v? transmit? pe Skype c? nu mai dore?te s? activeze în cadrul RST, nu cred c? era nevoie de topic separat, de 4 pagini care s? spameze feed-ul. Un simplu mesaj l?sat pe profilul personal cred c? ar fi fost de ajuns, eventual cu o adres? de contact pentru doritori. Asta e p?rerea mea, astfel de topicuri sunt ni?te copil?rii ?i nu au ce c?uta pe niciun forum dar fiecare este liber s? fac? ce vrea. @Elohim: Nu ai avut nicio treab? cu subiectul, nicio treab? cu rukov, te-ai b?gat ca musca-n ... Te-ai legat de semnatur?, de felul "moldovenesc" în care a fost scris textul, totul legat strict de persoana lui. Ce ar trebui s? în?eleg ?

Nu e penibil s? î?i faci ”Topicul plângerii” pe RST ? Poate nu înteleg eu atât de bine gravitatea situa?iei, dar tema topicului ?i ideea cu ”ur?rile de bine” mi se pare de cacat. De ce ai vrea s? faci un astfel de topic ? A? prefera dac? veni?i cu argumente s? nu fi?i atât de limita?i încat s? v? lega?i de semn?turi , ortografie and this kind of shits..

Încearc? s?-l ?tergi cu Revo Uninstaller : Revo Uninstaller Pro - Uninstall Software, Remove Programs easily, Forced Uninstall, Leftovers Uninstaller, Portable Uninstaller

Pentru c? se anuleaz? ideea de hacker. El nu se laud? cu ceea ce face pentru c? nu are nevoie de aprecierile/stima altora. Tot ceea ce face este pentru sine, pentru mândria personal?, pentru dep??irea propriilor limite ?i nu are nimic de-a face cu imaginea lui exterioar?. Un hacker adev?rat este acela care ?tie s? disimuleze care are limite extrem de bine stabilite între activitatea pe care o desf??oar? în mediul online ?i via?a lui personal?.

Niciodat? nu vei vedea un hacker s? vin? ?i s? spun? c? ?tie X,Y,Z limbaje de programare sau c? cine ?tie ce a f?cut la via?a lui . Deja dac? face asta ori e un hacker extrem de prost ori urm?re?te(ca mul?i al?ii de altfel) s? î?i fac? publicitate, urmând ca mai apoi s? fie angajat la NASA/Google/Facebook ?i alte companii necunoscute .

http://www.offensive-security.com/metasploit-unleashed/Main_Page

Ca alternativ? eu personal recomand Genymotion . ?i un tutorial de instalare a certificatului generat de Burp: nVisium: Android Assessments with GenyMotion + Burp

"Hello, Recently I found a vulnerability in Facebook which allowed me to read local files from Facebook's servers. The vulnerable part of Facebook was their Careers resume uploader, located at every job offer, for example this one. You can upload any extension there, so I decided to upload a .php file - one can always hope. Of course, it was not executed nor could I get file path, but contents of the file were returned, after being base64 encoded. Next thing I tried was to name my file /etc/passwd, "file:///etc/passwd" and couple others. None of these worked. Couple tries later I uploaded a zipped .php file, and the response contained unzipped, base64'd contents of .php. If you read Facebook's "Bounty hunter's guide" you will know where this leads. The guide describes how one researcher uploaded zip with symlink to /etc/passwd, and couple steps later Facebook returned few lines of /etc/passwd. I have done exactly the same, so: 1. create a symlink to /etc/passwd (or any other file you want to read) ln -s /etc/passwd link 2. zip the created link while preserving symlinks: zip --symlinks test.zip link 3. upload test.zip as your resume, system will unzip it 4. the response to POST will have details of (whole) /etc/passwd or other file. Here is a screenshot of response containing /etc/passwd: I have speculated about symlinking a directory, but never tried it. Neal from Facebook thought that this might get me contents of files from the directory, but not necessarily filenames. We shall never know. Here is a timeline of the bug report: Nov 30, 2014 09:45 - vulnerability reported Nov 30, 2014 17:58 - reply from Facebook's security (Neal) saying they cannot reproduce bug Nov 30, 2014 18:08 - update from Neal, they can reproduce it Nov 30, 2014 19:10 - temporary fix has been pushed, disabling resume uploads Dec 01, 2014 ~23:00 - more permanent fix pushed, now server no longer responds with contents of uploaded resume (Emrakul) Dec 05, 2014 18:15 - bounty of $5500 awarded (Neal). Dec 05, 2014 ~19:00 - objection about reward sent to Facebook's team Dec 06, 2014 ~23:30 - Neal from Facebook explains this is actually a third party system they run I'd like to ramble a bit about the award for this bug. When I found it, it looked like a critical bug that could allow me to read parts of Facebook's source. It turned out to actually be a third party software they used to analyse uploaded resumes, therefore I could not actually access any part of Facebook's internals. The network this system is hosted on was pretty locked down, too. Basically, this is a bug that looks really critical, but is much lower severity. It is an exact opposite to a low severity bug I found some time ago that turned out to be more dangerous. Lessons learned: Read all write-ups you can get your hands on. I would never think of uploading the zip with symlinks if I did not read Facebook's blog. Philippe has a good list of Facebook bugs here. Some bugs are not what they look like Huge thanks to researcher who first used ZIP with symlinks, and to Facebook for blogging about it, and their security team for being awesome as always, fixing the bug in 10 hours on Sunday." Source: Josip Franjkovi? - security blog: Reading local files from Facebook's server (fixed)

A vulnerability in the social login process from LinkedIn, Amazon and MYDIGIPASS allowed a malicious individual unauthorized access to accounts of online services adopting this authentication mechanism, without the need of a password. Social login authentication, also called single sign-on, consists in getting access to an online account based on information from an identity provider such as the ones mentioned above or a social network like Facebook and Google+. Multiple websites have resorted to this authentication method in order to make the login process more secure and easier for their clients. The attack is simple, but some conditions have to be met Or Peles and Roee Hay, researchers at IBM’s security arm X-Force, discovered a glitch in the system that allowed spoofing the credentials of a victim to access an online account. The attack is simple, and in their example, the social login service provided by LinkedIn was used to gain entrance into a Slashdot account. The registration process for LinkedIn requires the client to validate the email address by launching a confirmation link sent by the service to their inbox. The spoofing attack, dubbed SpoofedMe by the researchers, relied on the fact that the authentication token from LinkedIn for logging into a service was generated even if the provided email was not validated, making the sign-up procedure incomplete. As such, the intruder was able to create a LinkedIn account and impersonate the victim by using their email address. If the username was already in the database, the attack was no longer possible. Without confirming the ownership of the address, the malicious actor could then log into the website relying on the information from the identity provider. The only condition is to be signed into the LinkedIn account with the unverified email. “The relying website will check the user details asserted from the identity provider and log the attacker in to the victim’s account based on the victim’s email address value,” Or Peles wrote in a blog post. Identity providers have taken steps to mitigate the problem Important to note is the fact that LinkedIn promptly replied to the disclosure of the vulnerability and repaired the issue. Measures have been taken by Amazon too, as they appended information for developers describing how third-parties supporting their identity providing service can link local accounts correctly on their systems. A “verified email” scope is planned for the near future. Although MYDIGIPASS.com Secure Login relies on two-factor authentication (2FA), it was also vulnerable to the SpoofedMe attack. This was possible because the attacker could use their own physical device to receive the supplementary authentication code. In this case, the problem has been corrected too, and authentication on other websites can be done only when the MYDIGIPASS email is verified. The researchers have created a video (available below) demonstrating the SpoofedMe attack. Source: Social Login Abuse Gives Attacker Easy Access to a Victim’s Account - Softpedia

Zici ? Eu nu am mai primit niciun PM de la tine ?i nici administra?ia Filelist vreun mail.

Sincer , chiar nu stiu unde ai g?sit xss în browse.php având în vedere c? toate input-urile sunt filtrate, dar te-ar deranja dac? mi-ai da un PM cu link-ul vulnerabil s? fac push la un fix ? Mul?am.

Un prim pas ar fi s? ?tergi Acunetix-ul. Apoi, încearc? s? cau?i despre vulnerabilitatea asta pe Goag?l . Eventual dac? ai nel?muriri le po?i scrie aici, sau po?i folosi câmpul de c?utare deoarece s-a mai discutat despre asta de N ori.

Use this: mobile.de ma?ini noi ?i second-hand - Pia?a dvs. de vehicule din Europa

Dac? eu sunt de?in?torul site-ului XYZpul.acom ?i aflu c? pe platforma ta se vinde un RCE g?sit în site-ul meu, ?i eu fac plângere împotriva ta , cum î?i sus?ii nevinov??ia ? Fiecare membru e responsabil pentru ceea ce cumpara, publica si cum foloseste informatia de pe platforma. Nu cred c? asta ajunge, mai ales în RO. Dac? pic? 1 pic? mai to?i. Cred c? am avut ?i la noi pe forum un caz de genul ?sta, dac? vrei un exemplu concret.

Videoclipul respectiv nu mai exist? pe server: http://assets.acasatv.ro/assets/crimetime/2011/07/01/videos/9250/mexican.flv