Penetration Testing mailing list archives
Re: WASC-Announcement: MX Injection - Capturing and Exploiting Hidden Mail Servers By Vicente Aguilera Diaz
From: "Thiago Zaninotti" <thiago () zaninotti net>
Date: Sun, 17 Dec 2006 00:25:38 -0200
Hi Marcelo,

Part of this technique is not new and has been part of N-Stalker Web Application Security Scanner for a long time (SMTP Injection). There are also papers that would go further on exploiting specific frameworks such as CDONTS.

For more information, see N-Stalker Free Edition tool at www.nstalker.com/free-edition

Best regards,
--
Thiago Zaninotti, Security+, CISSP-ISSAP, CISM
Info Security Professional

On 12/13/06, Marcelo Leão Caffaro <marcelocaffaro () gmail com> wrote:
I've talked with Felipe from Syhunt this morning and he said that Sandcat scanner has been updated to scan for this new vulnerability class.

Does anybody have information on other web application security scanners that already scan for MX Injection vulnerabilities? WebInspect? Acunetix?

Thanks
Marcelo Caffaro

-----Original message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On behalf of robert () webappsec org
Sent: Monday, December 11, 2006 13:55
To: pen-test () securityfocus com
Subject: WASC-Announcement: MX Injection - Capturing and Exploiting Hidden Mail Servers By Vicente Aguilera Diaz

The Web Application Security Consortium is proud to present 'MX Injection: Capturing and Exploiting Hidden Mail Servers' written by Vicente Aguilera Diaz of Internet Security Auditors. In this article Vicente discusses how an attacker can inject additional commands into an online web mail application communicating with an IMAP/SMTP server.

This document can be found at http://www.webappsec.org/projects/articles/ .

Regards,
- Robert Auger
articles_at_webappsec.org
http://www.webappsec.org

------------------------------------------------------------------------

Are you interested in writing a 'Guest Article' for the WASC? Additional information on article guidelines may be found at http://www.webappsec.org/articles/. Inquiries can be sent to articles_at_webappsec.org

"Contributed articles may include industry best practices, technical information about current issues, innovative defense techniques, etc. NO VENDOR PITCHES OR MARKETING GIMMICKS PLEASE. We are only soliciting concrete information from the experts on the front lines of the web application security field."
http://www.webappsec.org

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps? Cenzic Hailstorm finds vulnerabilities fast. Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------
Current thread:
- WASC-Announcement: MX Injection - Capturing and Exploiting Hidden Mail Servers By Vicente Aguilera Diaz robert (Dec 11)
- RES: WASC-Announcement: MX Injection - Capturing and Exploiting Hidden Mail Servers By Vicente Aguilera Diaz Marcelo Leão Caffaro (Dec 16)
- Re: WASC-Announcement: MX Injection - Capturing and Exploiting Hidden Mail Servers By Vicente Aguilera Diaz Thiago Zaninotti (Dec 16)
- RE: WASC-Announcement: MX Injection - Capturing and Exploiting Hidden Mail Servers By Vicente Aguilera Diaz Eyal Udassin (Dec 16)
- RES: WASC-Announcement: MX Injection - Capturing and Exploiting Hidden Mail Servers By Vicente Aguilera Diaz Marcelo Leão Caffaro (Dec 16)