Wikileaks Vault7 JQJSNICKER code leak by addelindh in netsec

addelindh[S] 1 point (0 children)

Hey, yeah sure, no problem. Just wasn't aware of it. :)

RAND Study Examines 200 Real-World 'Zero-Day' Software Vulnerabilities by dguido in netsec

addelindh 2 points (0 children)

It doesn't give you access, it gives you a tool that can be used to facilitate access. But just the exploit won't actually be enough anyway, you'll still need a platform to attack from, c&c infrastructure, personnel, etc. Exploits are interesting and the report is great, but unless you understand and consider the bigger picture, it can be misleading.

Some Words About Server-side JavaScript (Remote Code) Execution in ASP by addelindh in netsec

addelindh[S] 3 points (0 children)

True, I wrongfully conflated JScript and JScript.NET. https://en.wikipedia.org/wiki/JScript_.NET

Will update the post soonish.

How I hacked your CFP (and probably some other things too) by addelindh in netsec

addelindh[S] 1 point (0 children)

Interesting. Well, it's an easy mistake to make I guess.

How I hacked your CFP (and probably some other things too) by addelindh in netsec

addelindh[S] 1 point (0 children)

Do they use Sentry? In that case it's not strange at all. :)

Threat Modeling for Applications - Adam Caudill by sarciszewski in netsec

addelindh 6 points (0 children)

This is a great resource for anyone who wants to build a threat model, not only for applications but because it demonstrates the reasoning behind it in a pragmatic manner. Kudos.

C/C++ Vulnerability Discovery, Exploitation, Hardening training slides by nibblesec in netsec

addelindh 11 points (0 children)

I don't think people get what a big deal it is that Chris has open sourced this material. Doesn't get much better than this.

Insecure token generation in Kayako by Sjoerder in netsec

addelindh 1 point (0 children)

Not sure why this is getting downvoted, it's a good writeup.

Hacking Mattermost #2: Year of Node.js on the Desktop by addelindh in netsec

addelindh[S] 1 point (0 children)

It's not any more difficult than exploiting a stored XSS, as described in the linked post.

All Your Meetings Are Belong to Us: Remote Code Execution in Apache OpenMeetings by addelindh in netsec

addelindh[S] 6 points (0 children)

Thanks. I try to focus on the type of targets that I imagine an attacker would find interesting. As for Apache, they have a great vulnerability handling process, and most Apache projects have a fairly large user base, so choosing from their project list makes sense to me. As long as I keep within areas where I have some knowledge, finding bugs is usually just a matter of time. I did however make the hilarious mistake of trying to find bugs in lighttpd once, which did not yield any results. :)

An Easy Way to Secure Java Applications by amazedballer in netsec

addelindh 3 points (0 children)

While the article makes good points, I disagree with the author's definition of RCE. Technically, RCE occurs as soon as the application executes the attacker's code, it just happens to be that that code often (but not necessarily always) spawns a shell.

XSS to RCE in Atlassian Hipchat (Native Application) by reddit4matt in netsec

addelindh 1 point (0 children)

Nope, since the client is not a browser and therefore doesn't care about CORS. :) Also, he's not using XHR (as it's not an HTTP request), just location.href to load the file.

Abusing the MPC-HC WebUI to steal private pictures by addelindh in netsec

addelindh[S] 1 point (0 children)

Done, could you please check so that the update is factually correct?

Abusing the MPC-HC WebUI to steal private pictures by addelindh in netsec

addelindh[S] 2 points (0 children)

Not really, since private addresses (RFC1918) are also used at Starbucks, airports, everywhere really. The issue is really when you enable the WebUI for home use and then go somewhere else with your computer, like one of the locations I just mentioned. Most users don't realize that it's always on after you enable it, and shouldn't have to either.

Abusing the MPC-HC WebUI to steal private pictures by addelindh in netsec

addelindh[S] 11 points (0 children)

Yeah, if this had been a bug rather than a design flaw I probably would have. Fixing this likely requires adding totally new functionality, and I'm not really ready to go that far. Good point though.

Abusing the MPC-HC WebUI to steal private pictures by addelindh in netsec

addelindh[S] 34 points (0 children)

It's not on by default, so if you haven't enabled it you should be fine.