corben.io

infosec write-ups and ramblings

Tag: cybersecurity

Remote Code Execution in AT&T

I was pentesting AT&T to see if I could find a vulnerability (as one does), around 4-5 days after CVE-2017-5638 was released. Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 are vulnerable to OGNL expression injection through the Content-Type header of multipart requests (often filed under server-side template injection), which allows attackers to execute commands on any vulne…

Corben Leo
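Two checks a practitioner would want alongside the excerpt above: whether a given Struts 2 version falls inside the affected ranges the post quotes, and a header-level signal for the exploit traffic. This is an added example, not code from the post or from Apache Struts; the version ranges come from the excerpt, while the detection rule rests on the fact that this bug is triggered by an OGNL expression placed in a multipart request header, and OGNL expressions begin with `%{` or `${`, which never appears in a legitimate media type. The sample request is constructed for the example.

```python
import re

# Affected ranges as quoted on this page for CVE-2017-5638:
# 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1.
# Keyed by branch; the value is the first fixed release of that branch.
FIRST_FIXED = {
    (2, 3): (2, 3, 32),
    (2, 5): (2, 5, 10, 1),
}


def parse_version(version):
    """Turn 'Major.Minor.Patch[.Build]' into a tuple of ints so that
    tuple ordering gives the right answer for 2.5.10 < 2.5.10.1 < 2.5.11."""
    return tuple(int(part) for part in version.strip().split("."))


def struts_vulnerable(version):
    """True if the Struts version lies inside the two affected ranges.

    Versions outside the 2.3 and 2.5 branches return False, because the
    advisory text quoted on this page names only those two branches.
    """
    v = parse_version(version)
    fixed = FIRST_FIXED.get(v[:2])
    if fixed is None:
        return False
    return v < fixed


# The Jakarta multipart parser copies an unexpected Content-Type value into an
# error message that is then evaluated as OGNL. An OGNL expression starts with
# '%{' or '${'; a real media type never contains either, so the marker in these
# headers is a cheap, low-false-positive detection signal (assumption: this is
# the only multipart header you inspect; extend WATCHED_HEADERS if needed).
OGNL_MARKER = re.compile(r"[%$]\{")
WATCHED_HEADERS = ("content-type", "content-disposition")


def flagged_headers(raw_request):
    """Return the names of watched headers in a raw HTTP request whose value
    contains an OGNL expression marker. Only the header block is inspected."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    header_lines = head.split("\r\n")[1:]  # skip the request line
    hits = []
    for line in header_lines:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        if name.strip().lower() in WATCHED_HEADERS and OGNL_MARKER.search(value):
            hits.append(name.strip())
    return hits


# Constructed sample request (not captured traffic): an upload whose
# Content-Type carries an OGNL marker instead of a media type.
SAMPLE_REQUEST = (
    "POST /upload.action HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Content-Type: %{#probe}\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for ver in ("2.3.31", "2.3.32", "2.5.10", "2.5.10.1", "2.5.12"):
        print(ver, "vulnerable" if struts_vulnerable(ver) else "not in affected range")
    print("flagged headers:", flagged_headers(SAMPLE_REQUEST))
```

The version check is deliberately strict about branches: a version such as 2.5.12 is newer than the fix and a version such as 2.1.x predates the ranges the advisory names, and neither is reported as affected. The header check is a triage signal, not proof of exploitation; a hit should be followed by checking the server's Struts version with `struts_vulnerable` and by looking at what the application did with the request.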

XSS in mail.aol.com

I got bored one day and somehow thought of AOL for some reason, so I decided to see if I could find any vulnerabilities in mail.aol.com. Initially I tried looking in the signature, since it allowed HTML. I did find an XSS there, but it was self-XSS, because when you sent an email with the malicious…

Corben Leo