@attritionorg @raesene I think if the successful IOC is coming back from the site a cleaner assumption is system is not patched vs data lies
Replying to @attritionorg
@attritionorg @mroytman @raesene original Bugtraq disclosure shows 3 GET param RefXSS PoCs. Broad sig + scanners?
Replying to @jjarmoc
@jjarmoc @mroytman @raesene it's entirely more complex. still abstracting notes... this gives an idea pic.twitter.com/QbA6amSPeR
Replying to @attritionorg
@attritionorg @mroytman @raesene wow, that's sad. Still though, can it be targeted THAT much?
Replying to @attritionorg
@attritionorg @mroytman @raesene that's why I suspect any GET /?id=<XSS> attempt to be counting.
Replying to @attritionorg
@attritionorg @mroytman @raesene that's why I'm curious what sig or indicators the stat comes from.
Replying to @jjarmoc
@jjarmoc @mroytman @raesene @sushidude and analysis more complex. found a pafiledb 3.1 download. can abstract out per vuln PHP file...
@jjarmoc @mroytman @raesene @sushidude so after a full audit, not counting a problematic 2004-04-27 disclosure...pic.twitter.com/5BQW2gr7ku
Replying to @attritionorg
@jjarmoc @mroytman @raesene @sushidude with that, the report is really in question. 'pafiledb.php' isn't *1* vuln at all. it's 12 or 13!