Blog

  • Imgur XSS

    Imgur is an online image hosting service founded by Alan Schaaf in 2009 in Athens, Ohio. Imgur describes itself as “the home to the web’s most popular image content, curated in real time by a dedicated community through commenting, voting and sharing.”
    I spotted a cross-site scripting vulnerability in http://imgur.com/ on 6 FEB 2013.

    I reported the issue to them on the very day I found it and the same day they replied. After 2-3 days the bug was fixed.

  • Don’t Get Trapped

    This is just an awareness post for my blog readers. Think of the bad time when you go to your nearest ATM and find out that your bank balance is NIL, because someone (a bad guy) hacked your account and transferred away all your HARD EARNED money. The thing is that if you get hacked, it is your own mistake too!!! Hacking is not voodoo magic where someone flicks his wand and empties your bank account. They either exploit a flaw or make a fool of you and take your credentials from you yourself. One such process is called PHISHING.

    In phishing, what a bad guy simply does is create a fake login page which resembles the real customer login page of your bank’s website, but IT IS HOSTED ON HIS OWN SERVER. So when you log in to such a fake login page, the username and password get saved into his logs, and thus he has all your passwords.

    Today I got a mail from one such bad guy.

    At first it might look like a real mail from the RESERVE BANK OF INDIA. You can see the email is from no-reply@rbi.org.in. But actually it is not so. The email system we use today has a flaw that allows anyone to send mail with anyone’s address. That is called email spoofing; I will discuss it some other day. And you might notice there is a link.
    When I opened the link it got redirected to

    http://www.classic-gallery.ru/images/smilies/RBI-EDITED/RBI-EDITED/RBI/index.htm

    and when you click any bank’s link, it asks you for your bank user ID and password.

    But if you actually look at the link, the login mechanism is being served from http://www.classic-gallery.ru,
    a Russian domain!!! which is in no way associated with RBI or any other INDIAN bank. So NEVER EVER TRY TO LOG IN TO THESE TYPES OF FAKE PAGES.

    So the best way to keep yourself from getting hacked is to check the URL bar before logging in, and be sure that IT IS YOUR BANK’S WEBSITE you are logging in to, not any other.
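    The "check the URL bar" advice above can be turned into a check a browser extension or a mail gateway could run. The following is an added example, not code from this blog; it assumes a constructed list of trusted bank domains (rbi.org.in, the domain the spoofed mail claims to come from) and requires HTTPS in addition to the right host. It uses the redirect target from the post plus a few constructed lookalike URLs to show why the check must be done on the parsed hostname and not on whether the bank's name appears anywhere in the address.

```python
from typing import Tuple
from urllib.parse import urlsplit

# Domains this reader legitimately logs in to.  Constructed for this example;
# rbi.org.in is the domain the spoofed mail in the post claims to come from.
TRUSTED_LOGIN_DOMAINS = ("rbi.org.in",)


def login_host(url: str) -> str:
    """Host a browser would actually connect to for `url`.

    urlsplit strips userinfo (text before '@'), the port and the path, so a
    trusted name placed in any of those positions does not affect the result.
    """
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def check_login_url(url: str, trusted=TRUSTED_LOGIN_DOMAINS) -> Tuple[bool, str]:
    """Return (ok, reason).  ok is True only when the host is a trusted domain
    or a subdomain of one, and the page is served over HTTPS."""
    host = login_host(url)
    if not host:
        return False, "no host in URL"
    for domain in trusted:
        if host == domain or host.endswith("." + domain):
            if urlsplit(url).scheme != "https":
                return False, f"{host} is a bank host but the page is not HTTPS"
            return True, f"{host} belongs to trusted domain {domain}"
    return False, f"{host} is not a trusted bank domain"


if __name__ == "__main__":
    # The redirect target from the post, followed by constructed variants.
    samples = [
        "http://www.classic-gallery.ru/images/smilies/RBI-EDITED/RBI-EDITED/RBI/index.htm",
        "https://www.rbi.org.in/",                # constructed: genuine-looking host
        "https://rbi.org.in.example.ru/login",    # constructed: trusted name as prefix
        "https://example.ru/rbi.org.in/login",    # constructed: trusted name in the path
        "https://rbi.org.in@example.ru/login",    # constructed: trusted name as userinfo
    ]
    for url in samples:
        ok, reason = check_login_url(url)
        print("OK   " if ok else "FAKE ", url, "->", reason)
```

    Only the first sample after the real phishing URL passes; the rest contain the bank's name somewhere in the address but connect to a different host, which is exactly what a glance at a long URL tends to miss.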

  • Capture The Xss

    Everyone is aware of CTF, and many of you might have been or still are active warriors of CTF. I spotted one XSS in their blog and they fixed it the very day.

    It was just a random hit: as I was reading their blog I observed an old version of the plupload file, which had a known XSS bug.

    This is what actually happens when you get the bad habit of XSSing everywhere 😛

    Anyway, they were happy and so am I 🙂

  • Heroku Directory Traversal

    Long back I spotted a Directory Traversal bug in Heroku.

    “Heroku is a cloud application platform – a new way of building and deploying web apps. Heroku was acquired by Salesforce.com in 2010.”
    They were quite quick and fixed it without delay.
    Later they even started their hall of fame page and included my name there 🙂
    https://www.heroku.com/policy/security-hall-of-fame

  • Oracle XSS

    Everyone knows about ORACLE. Oracle Corporation is an American multinational computer technology corporation headquartered in Redwood City, California, United States.

    I spotted some security issues on their website and they have finally fixed them. One of them was a cross-site scripting issue in Oracle’s sub-domain http://education.oracle.com

    They took a long time in fixing it, but after the fix they acknowledged me on their website.

    Oracle Critical Patch Update Advisory – January 2013 – Beta Oracle CVRF
    http://www.oracle.com/ocom/groups/public/@otn/documents/webcontent/1841213.xml

    And
    Oracle Critical Patch Update Advisory – July 2013 – Beta Oracle CVRF
    http://www.oracle.com/ocom/groups/public/@otn/documents/webcontent/1841215.xml

    Cheers 🙂

  • LFI in Nokia Maps

    Well, this is my first blog post and I am going to share a Local File Inclusion bug which I spotted in Nokia Maps.

    http://maps.nokia.com/services/file:///etc/passwd

    Reported on 2nd JAN 2013
    Nokia fixed it on 20th JAN 2013

    And I received an awesome RED NOKIA LUMIA 920 🙂
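    Both the Heroku directory traversal and the Nokia Maps local file inclusion above come down to the same server-side mistake: a user-supplied resource name is handed to the file system without first confirming it still points inside the directory the service is meant to serve. The following is an added example, not code from the blog or from either vendor; it assumes a constructed service directory (/srv/maps/services) and shows a resolver that rejects URL schemes such as the file:/// form in the Nokia Maps URL, absolute paths, and percent-encoded or plain ../ sequences by checking the fully resolved path rather than the raw string.

```python
from pathlib import Path
from urllib.parse import unquote, urlsplit

# Constructed placeholder for the directory the service is allowed to read from.
SERVICE_DIR = "/srv/maps/services"


class UnsafePath(ValueError):
    """The requested resource name would read outside the service directory."""


def resolve_service_file(requested: str, base_dir: str = SERVICE_DIR) -> Path:
    """Map a user-supplied resource name onto a file inside base_dir.

    Rejects, in order:
      * empty names and names carrying a URL scheme (file:///etc/passwd,
        http://..., ...), which are never local file names;
      * absolute paths;
      * anything that, after percent-decoding and normalisation, resolves to a
        location outside base_dir (../../etc/passwd, also %2e%2e%2f forms).
    The containment test runs on the resolved absolute path, so it also holds
    when a symlink inside base_dir points elsewhere.
    """
    name = unquote(requested)            # decode %2e, %2f, ... once, before checking
    if not name:
        raise UnsafePath("empty resource name")
    if urlsplit(name).scheme:
        raise UnsafePath(f"URL scheme not allowed in resource name: {requested!r}")
    if name.startswith(("/", "\\")):
        raise UnsafePath(f"absolute path not allowed: {requested!r}")
    base = Path(base_dir).resolve()
    candidate = (base / name).resolve()  # collapses ../ and follows symlinks
    if base not in candidate.parents:
        raise UnsafePath(f"path escapes service directory: {requested!r}")
    return candidate


def is_safe_resource(requested: str, base_dir: str = SERVICE_DIR) -> bool:
    """Boolean view of resolve_service_file, convenient for logging or tests."""
    try:
        resolve_service_file(requested, base_dir)
        return True
    except UnsafePath:
        return False


if __name__ == "__main__":
    # Constructed inputs: one legitimate name and the shapes the two reports describe.
    for requested in ["tiles/12/abc.png", "file:///etc/passwd",
                      "../../../etc/passwd", "..%2F..%2F..%2Fetc%2Fpasswd", "/etc/passwd"]:
        try:
            print("OK      ", requested, "->", resolve_service_file(requested))
        except UnsafePath as err:
            print("REJECTED", requested, "->", err)
```

    The order matters: decoding happens once, before any check, so an encoded ../ cannot slip past a string comparison, and the final test on the resolved path is what actually enforces the boundary; the earlier checks only give clearer error messages.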

  • Nokia Email App Pwnage

    This was an interesting bug which I found in the Nokia email app for Symbian mobiles in MARCH 2013.
    The email app was not filtering JavaScript in the body part of the mail, thereby leading to JavaScript execution via mail.

    THE VERSION OF NOKIA MAIL : 10.2.0.29(main)
    NOKIA 5233 FIRMWARE COMPLETE DETAILS
    software version : v51.1.002
    software version date : 19-10-2011
    custom version : 51.1.002.C01.01
    custom version date : 19-10-2011
    language set : 21
    Model : 5233
    type: Rm-625

    This bug took a longer time to fix, but when they finally did 😉 I got a mail from Nokia.

    TRIBUTE TO MY OLD PAL “NOKIA 5233”, which passed away recently, breaking its screen, sound system and everything after slipping from my hand in the bathroom 🙁