[prev in list] [next in list] [prev in thread] [next in thread] 

List:       full-disclosure
Subject:    Re: [Full-disclosure] new facebook SQL injection vulnerability
From:       Reed Loden <reed () reedloden ! com>
Date:       2010-11-30 23:59:28
Message-ID: 20101130155928.25b5cea6 () angelo ! pretender ! us
[Download RAW message or body]

What I believe Benji is saying is that it looks (from the little
information you posted) like you just found a SQL injection in a
facebook app, which is not the same thing as finding a SQL injection in
facebook.com's actual code. Apps are not run by facebook, so it's
unsurprising that some random app would have a SQL injection
vulnerability.

~reed

On Wed, 1 Dec 2010 00:51:35 +0100
Maciej Gojny <vuln@ariko-security.com> wrote:

> Benji@
> 
> I dont understand You, I have access to whole DB... so go to school.. bye
> 
> regards,
> 
> Maciej
> 
> Wiadomość napisana przez Benji w dniu 2010-12-01, o godz. 00:47:
> 
> > so if I upload a 'hacked by benji' html file to my google sites account, by your logic this \
> > would count as hacking Google. 
> > Cant wait to see The Register report about this.
> > 
> > 2010/11/30 Maciej Gojny <vuln@ariko-security.com>
> > Hello Full Disclosure !
> > 
> > Today i have found next SQL injection in facebook.com
> > 
> > Details:
> > 
> > http://blog.ariko-security.com/?p=82
> > 
> > Full advisory will be released soon!
> > 
> > Regards,
> > 
> > Maciej Gojny

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[prev in list] [next in list] [prev in thread] [next in thread]