Advisories | What security breaches we've found
We don't intentionally hunt for vulnerabilities. The following are some of those we came across. Sure enough, we are not the only ones who found such holes. Many security professionals may have found the same holes at around the same time. In keeping with the hacker code of ethics, we never do any harm or damage to our tested targets (yes, doing damage is one further step that exploits the weaknesses found), and we make a disclosure only after the vendor has been notified. But some vendors don't even respond; hence we assume that they ignore our reports. There is no patch for ignorance.
We always find it difficult to explain security risks, threats and vulnerabilities to developers who lack security knowledge and are stubborn about fixing. There are always many common security myths that lead to "secure today, hacked tomorrow". That's why we can't tell you something like "Hey, guy, this is a protection code. Use this and your life will be forever secure!"
Since July '09, we have believed in FD (full disclosure), after reporting numerous vulnerabilities to various vendors. Only a few take an interest in fixing their security holes. Only FD will be a stronger force pushing them to fix. It is the only way to harden or worsen the world.
-
TinyBrowser (TinyMCE Editor Plugin) 1.41.6 <= Multiple Vulnerabilities
Feature: OSVDB ID 56602, 56603, Secunia Advisory ID: 36031, PacketStorm, milw0rm, SecurityReason
July, 2009
-
Google Mail (Gmail) | Fail to do Security Check Vulnerability
July, 2009
-
Rapidshare | Login Credential Leakage Vulnerability
July, 2009
-
Multiple vulnerabilities in PHP Support Tickets (PHP Help System) 2.2 <=
July, 2009
-
Multiple vulnerabilities in PhpMyAdmin <= 2.11.7
- XSS in setup | Cross-site Framing
- XSRF:ConvertCharset | XSRF:CreateDatabase
- Incomplete HTTP Caching Directive | XSRF:Font-size,Lang
Feature: CVE-2008-3457 | PMASA-2008-6
July, 2008
-
Ning.Com (Massive Social Network) | Captcha Protection Bypass Vulnerability
=> We later found they haven't fixed it till now (= Mar-10-2010).
Thus we release a sample exploit.
Sample Exploit Code: ningspamexploitdefeating.user.js
April, 2008
-
XSS-Warning (Gecko Browser XSS Prevention Addon) | XSS Bypass Vulnerability
[demo]
March, 2008
-
Multiple vulnerabilities in Gmail-lite (Gmail Mobile Interface/Gmail Lighter Interface)
- Mass-mailing | Cross-site Scripting
- Shell Code Execution/Arbitrary File Upload
March, 2008
-
DOMPDF (PHP PDF Creator) | Apache Security Bypass/Arbitrary File Read Vulnerability
=> We have noticed that the author found this page and learnt of his DOMPDF vulnerability. He promised to provide a patch on his web site but has not done so till now (= Mar-10-2010).
Dec, 2007
-
XSS Archive Screenshots
Jan 03, 2008
-
CodeIgniter PHP Framework | Global XSS Filtering Bypass Vulnerability
Feature: SecReason
December, 2007
-
Burglish Chat | Input Flood Vulnerability
Feb 23, 2006
False Assumption: “XSS Can't 0wn Web Applications”
A number of Bad Guys have owned web applications with XSS alone!
Attackers are more imaginative and smarter than you are!