AVG Hacked – Blind Sql Injection – Vulnerability Fixed – Explained

Hello everyone,

Apparently, 3 weeks ago or so, I found a critical vulnerability in AVG’s official website: a Blind SQL Injection.

The vulnerability has been reported and got fixed, as far as I know, and here’s some info about it.

Vulnerability in ESET’s Forms – Explained and Revealed

Hello everyone,

So I’ve been checking ESET’s Official Website and I came across something really interesting related to some of their Forms such as:
http://www.eset.com/us/business/contact/
http://www.eset.com/me/support/contact/
http://www.eset.com/int/support/contact/
http://www.eset.com/kh/about/contact/
http://www.eset.com/ci/acheter/formulaire-de-contact/
https://store.esetme.com/ (What’s in it)

These forms have no email checker, IP checker or CAPTCHA, which means that anyone has the capability of using them over and over again. The problem is that ESET’s automatic replier will send a message straight to your inbox whenever you use one of these forms.
So, I have decided to write a simple script in Python that uses one of these forms through a loop, which will, literally, transform ESET’s mail server into a “Mail Bombing Tool”.
There’s only one requirement for this script, and that would be the victim’s email address.
