Luca Ercoli

About Me

Currently living in a quiet town near the Italian coast, I work as Cyber Security Specialist employed by one of the largest hosting provider of the country.

During the course of my career, researching for new techniques and issues on the wider field of InfoSec, hence vulnerabilities that affects Operating Systems, Web Application Security, Penetration Testing, Reverse Engeenering, Malware Analisys and Digital Forensics, I was been acknowledged for reporting security flaws affected by widely recognized companies like IBM, Apache Foundation, MySQL and Microsoft.

Demonstrable experience approved by Harvard's Office of the Vice Provost for Advances in Learning, 3 Cisco certifications, develop and organization of 3 Ethical Hacking national level competitions, 20 security advisories and 2 books published.

Proud to have achieved the third position in the World Ranking for the years 2022 and 2023 in the 'OWASP Injection' category at HackerOne, the world's largest community of trusted ethical hackers.

My background includes project leading, design and implementation, system libraries and Linux Kernel modules programming, iOS mobile game development, studies of Search Engine Optimization and experience in design and implementation of communication systems using SDR technology.

In my leisure time enjoys building stuff with 3D printer and home made Milling Machines, prototyping projects and little inventions etching circuits or using Arduino platform, playing the piano and watching documentaries.

Security Vulnerabilities and Exploits



Third place in the 2023 World Ranking


Third place in the 2023 World Ranking in the 'OWASP Injection' category on HackerOne View the Leaderboard...

Third place in the 2022 World Ranking


Third place in the 2022 World Ranking in the 'OWASP Injection' category on HackerOne View the Leaderboard...

apache2 vulnerability

Apache server htdigest buffer overflow CVE-2005-1344

Buffer overflow in htdigest in Apache2 http server allow attackers to execute arbitrary code via a long realm argument due to improper bounds checking when copying user-supplied data into local buffers. Continue...

mysql vulnerability

MySQL server Denial of Service vulnerability CVE-2005-0799

MySQL 4.1.XX/4.0.XX/5.0.XX for Windows allows remote attackers to cause a denial of service via requests containing reserved MS-DOS devices name (AUX,CON,COM1,LPT1 and PRN). Continue...

Junos OS: J-Web Vulnerability

Junos OS: J-Web Vulnerability CVE-2021-0268

An Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') in J-web of Juniper Networks Junos OS allows an attacker to modify session cookies and carry out multiple types of attacks Continue...

mozilla firefox security flaw

Mozilla XBM file vulnerability CVE-2005-0215

Mozilla, the open-source Web browser developed by the Mozilla project, is vulnerable to a Denial of Service attack exploitable by a specially-crafted XBM (X BitMap) image file. Continue...

lg phone hack

LG U8120 Mobile Phone Denial of Service CVE-2005-1132

A security flaw in LG U8120 mobile phone allows remote attackers to block devices via a malformed MIDI file. Continue...

Maelstrom bug

Buffer overflow in Maelstrom CVE-2003-0325

Buffer overflow in Maelstrom 3.0.6, 3.0.5, and earlier allows local users to execute arbitrary code. Continue...

information security

Activity Monitor security flaw

A vulnerability has been discovered in Activity Monitor that may be exploited remotely to trig a denial of service condition. The problem occurs while handling data received from hosts that are not registered in the Activity Monitor ‘monitoring list’. Continue...

Format string explained

Format string attack against Crob FTPd

A remote format string vulnerability in Crob FTP server would allow an attacker to overwrite arbitrary locations in memory, ultimately allowing for the execution of arbitrary code. Continue...

directory traversal issue

Enceladus Server Suite Vulnerability

Enceladus fails to properly sanitize web requests and using directory traversal sequences, it is possible for a remote attacker to view and download sensitive resources located outside of the web root. Continue...

Format String howto

Format String in eXtremail server

A format string vulnerabilities exist in the logging routines of eXtremail, allowing remote attackers to gain root privileges. Continue...

Buffer Overflow howto

Crystal FTP Pro Client Buffer Overflow CVE-2004-1327

A remote, client-side buffer overflow vulnerability reportedly affects Crystal Art Crystal FTP. This issue is due to a failure of the application to properly validate the length of user-supplied strings prior to copying them into static process buffers. Continue...

client side bug

Piolet file sharing client flaw

An exception handling error was discovered in the Piolet file sharing client allowing a remote user to crash the target application. Continue...

CVE-2002-2229

Sapio WebReflex Directory Traversal Vulnerability CVE-2002-2229

Directory traversal vulnerability in Sapio Design Ltd. WebReflex allows remote attackers to read arbitrary files using directory traversal sequences via an HTTP request. Continue...

CMS backdoor

Backdoor component in Etomite source code CVE-2006-0325

Etomite source code contain a backdoor component that allow remote users to execute arbitrary code on the host that Etomite was installed on. Continue...

WinSCP bug

WinSCP Denial of Service

A malformed scp:// or sftp:// address embedded in a HTML tag causes the WinSCP application to exhaust CPU and Memory resources. Continue...

Chindi fail to handle exceptional condition

Chindi server is prone to a denial of service condition upon receipt of excessively long requests. Chindi will need to be restarted to regain normal functionality. Continue...

Portmon file arbitrary read/write access vulnerability CVE-2003-0448

Portmon suffer from a security problem that allows any local user to read/write protected files on the system. Continue...

Buffer Overflow in Vexira Antivirus

A buffer overflow vulnerability has been discovered in Vexira Antivirus which may result in privilege escalation. Continue...

XSS vulnerability in Bajie Http Web Server CVE-2003-1543

Bajie HTTP server does not sanitize HTML and script code from error output. Remote attackers could exploit this flaw to construct a malicious link that contains hostile HTML and script code. Continue...

OptiSoft Blubster remote DoS CVE-2003-0760

Blubster 2.5 allows remote attackers to cause a denial of service (crash) via a flood of connections to UDP port 701. Continue...

Floosietek FTGate memory corruption CVE-2005-3640

FTGate4 contains a security flaw in the IMAP server that leads to a memory corruption vulnerability, classified as very critical. Continue...

Get in Touch

Luca Ercoli home
Italy, IT
luca@lucaercoli.it
Ask me via contact form
Freelance Available

Contact Form