El 26/03/12 13:37, Damien Cauquil escribió: > Hi klondike, > > > > PS: What I wonder now is, are the guys behind the CTF reading > Full-disclosure? > > I guess you now have your answer. > > > The guys have a cool XSS injection on the fake webmail service which > can be exploited with a properly crafted subject > > You're right, and it has been fixed during the prequals. No it wasn't, already made injections remained during the rest of the prequals on our account. > Anyway, this vulnerability is minor because teams couldn't send emails > to each others. It is minor if it weren't for the second vulnerability, you could have tried guessing passwords then and if lucky enough set a booby trap for the other participant. > For the last vuln mentionned, we were aware of it. I suppose you are also aware on how personal data protection laws are in France... El 26/03/12 13:42, majinboo escribió: > BTW last vuln' was also fixed during the prequals. That one I didn't check, was too busy with the godamned BMP.
Attachment:
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/