From: Thiago Zaninotti (thiago@zaninotti.net)
Date: Sat Dec 16 2006 - 21:25:38 EST
Hi Marcelo,
Part of this technique is not new and has been part of N-Stalker Web
Application Security Scanner for a long time (SMTP Injection).
There are also papers that would go further on exploiting specific
frameworks such as CDONTS.
For more information, see N-Stalker Free Edition tool at
www.nstalker.com/free-edition
Best regards,
--
Thiago Zaninotti, Security+, CISSP-ISSAP, CISM
Info Security Professional

On 12/13/06, Marcelo Leão Caffaro <marcelocaffaro@gmail.com> wrote:
> I've talked with Felipe from Syhunt this morning and he said that Sandcat
> scanner has been updated to scan for this new vulnerability class. Does
> anybody have information of other web application security scanners that
> already scan for MX Injection vulnerabilities? WebInspect? Acunetix?
> Thanks
> Marcelo Caffaro
>
> -----Original Message-----
> From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com] On
> behalf of robert@webappsec.org
> Sent: Monday, 11 December 2006 13:55
> To: pen-test@securityfocus.com
> Subject: WASC-Announcement: MX Injection - Capturing and Exploiting Hidden
> Mail Servers By Vicente Aguilera Diaz
>
> The Web Application Security Consortium is proud to present 'MX Injection:
> Capturing and Exploiting Hidden Mail Servers' written by Vicente Aguilera
> Diaz of Internet Security Auditors. In this article Vicente discusses how an
> attacker can inject additional commands into an online web mail application
> communicating with an IMAP/SMTP server.
>
> This document can be found at http://www.webappsec.org/projects/articles/ .
>
> Regards,
>
> - Robert Auger
> articles_at_webappsec.org
> http://www.webappsec.org
>
> ------------------------------------------------------------------------------------
> Are you interested in writing a 'Guest Article' for the WASC? Additional
> information on article guidelines may be found at
> http://www.webappsec.org/articles/. Inquiries can be sent to
> articles_at_webappsec.org
>
> "Contributed articles may include industry best practices, technical
> information about current issues, innovative defense techniques, etc. NO
> VENDOR PITCHES OR MARKETING GIMMICKS PLEASE. We are only soliciting concrete
> information from the experts on the front lines of the web application
> security field."
> http://www.webappsec.org
> ------------------------------------------------------------------------------------
>
> ------------------------------------------------------------------------
> This List Sponsored by: Cenzic
>
> Need to secure your web apps?
> Cenzic Hailstorm finds vulnerabilities fast.
> Click the link to buy it, try it or download Hailstorm for FREE.
> http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
> ------------------------------------------------------------------------
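To make the vulnerability class under discussion concrete, here is an added illustration that is not code from the WASC article, from N-Stalker, Sandcat or any other scanner named in the thread. It shows a webmail back end that splices a user-controlled mailbox name into an IMAP SELECT (so a CRLF in the name smuggles a second command), the same builder hardened to send the value as an RFC 3501 synchronizing literal, a strict SMTP RCPT builder (SMTP has no literal syntax, so the only fix is to refuse CR/LF), and a toy server-side command reader that shows how each stream is interpreted. All function names and the attacker payload are hypothetical and constructed for the example.

```python
from __future__ import annotations

import re

# Added example (not from the WASC article, N-Stalker or any scanner named in
# the thread): how a webmail back end becomes an IMAP/SMTP injection point and
# how to close it.  All function names below are hypothetical.

CRLF = b"\r\n"


def build_select_naive(tag: str, mailbox: str) -> bytes:
    """Vulnerable: splices the user-controlled mailbox name straight into the
    command.  A CRLF inside the name terminates SELECT and whatever follows is
    read by the server as a second, attacker-chosen command."""
    return f"{tag} SELECT {mailbox}".encode("utf-8") + CRLF


def build_select_literal(tag: str, mailbox: str) -> bytes:
    """Hardened: sends the mailbox name as an RFC 3501 synchronizing literal,
    "{n}" CRLF followed by exactly n octets.  The server counts octets instead
    of looking for CRLF, so CR/LF inside the value stays data."""
    data = mailbox.encode("utf-8")
    return f"{tag} SELECT {{{len(data)}}}".encode("utf-8") + CRLF + data + CRLF


def build_rcpt(address: str) -> bytes:
    """SMTP side: RFC 5321 has no literal syntax, so the only defence is to
    refuse CR, LF and the angle brackets that delimit the path before they
    reach the wire."""
    if re.search(r"[\r\n<>]", address):
        raise ValueError("CR/LF or path delimiter in SMTP argument")
    return f"RCPT TO:<{address}>".encode("utf-8") + CRLF


def split_imap_commands(stream: bytes) -> list[bytes]:
    """Toy server-side reader that splits a client stream into commands the way
    an IMAP server does: on CRLF, except that a line ending in "{n}" announces
    a literal and the next n octets belong to the same command."""
    commands: list[bytes] = []
    current = bytearray()
    pos = 0
    while pos < len(stream):
        end = stream.find(CRLF, pos)
        if end < 0:
            end = len(stream)
        line = stream[pos:end]
        current += line
        pos = end + len(CRLF)
        literal = re.search(rb"\{(\d+)\}$", line)
        if literal:
            n = int(literal.group(1))
            current += CRLF + stream[pos:pos + n]
            pos += n
            continue  # the command continues after the literal
        commands.append(bytes(current))
        current = bytearray()
    return commands


# Constructed attacker input: a mailbox name that smuggles a LIST command.
PAYLOAD = 'INBOX\r\nA002 LIST "" *'


def demo() -> dict[str, object]:
    """Run the vulnerable and hardened builders against PAYLOAD."""
    naive = split_imap_commands(build_select_naive("A001", PAYLOAD))
    safe = split_imap_commands(build_select_literal("A001", PAYLOAD))
    try:
        build_rcpt("victim@example.org\r\nRCPT TO:<attacker@example.net>")
        smtp_rejected = False
    except ValueError:
        smtp_rejected = True
    return {"naive": naive, "safe": safe, "smtp_rejected": smtp_rejected}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running the block, the naive stream is read by the toy server as two commands (the injected LIST executes with the victim's session), while the literal form yields exactly one SELECT whose mailbox name happens to contain CRLF, and the SMTP builder raises before anything reaches the wire. When scanning for this class, the payload shape is the thing to look for: a CRLF followed by a plausible tagged IMAP command or an SMTP verb, submitted through any webmail parameter that plausibly reaches the mail server (mailbox, message UID, search string, recipient).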
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:28 EDT