[Full-disclosure] Dates for the opening of registration for Rooted CON 2014

2014-01-11 Thread Omar Benbouazza
Hello dudes,

We announce that on *Monday January 13*, the registration form will be open
to purchase your tickets for the next edition of Rooted CON, the fifth,
which will be celebrated in *March, from 6th to 8th*.

Here are the ticket prices by type (*Student, Professional,
Professional with Discount*):

  Date range                              Students   Professional   Professional with discount
  January 13 2014 → January 31 2014         40€          90€              80€
  February 1 2014 → February 13 2014        60€         120€             110€
  February 14 2014 → February 28 2014       80€         160€             140€
  March 1 2014 → March 5 2014              140€         320€             280€
  Sale in congress                         180€         400€             340€

We recommend that you *carefully read the general conditions*, since last
year a number of restrictions on the purchase of tickets with the student
discount were added. Specifically, as students we will only accept people who
are NOT active in some form and who prove their student status with the
*registration for the current course* (we won't accept student ID cards).
And above all, we will not issue invoices to people who have registered as
students.

New this year, after many requests from you, *the payment of the ticket
will be possible during the process of registration and by credit card*.

Link:
http://www.rootedcon.es/index.php/dates-for-the-opening-of-registration-for-rooted-con-2014/?lang=en

Best Regards,

---
RootedCON V (2014) - www.rootedcon.es
@omarbv
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[Full-disclosure] Updated [CVE-2013-6398] CloudStack Virtual Router stop/start modifies firewall rules allowing additional access

2014-01-11 Thread David Nalley
Issued: November 27, 2013
Updated: January 10, 2014

[CVE-2013-6398] CloudStack Virtual Router stop/start modifies firewall
rules allowing additional access

Product: Apache CloudStack
Vendor: Apache Software Foundation
Vulnerability type: Bypass
Vulnerable Versions: Apache CloudStack 4.1.0, 4.1.1, 4.2.0
CVE References: CVE-2013-2136
Risk Level: Low
CVSSv2 Base Scores: 2.8 (AV:N/AC:M/Au:M/C:P/I:N/A:N)



Description:
The Apache CloudStack Security Team was notified of an issue in the
Apache CloudStack virtual router that failed to preserve source
restrictions in firewall rules after a virtual router had been stopped
and restarted.

Mitigation:
Upgrading to CloudStack 4.2.1 or higher will mitigate this issue.

References:
https://issues.apache.org/jira/browse/CLOUDSTACK-5263

Credit:
This issue was identified by the Cloud team and Schuberg Philis

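As an added check (example code, not part of the advisory or of the CloudStack project): a small Python comparator that parses two iptables-save style snapshots of a virtual router, taken before and after a stop/start, and reports ACCEPT rules whose `-s` source restriction disappeared, which is the symptom the advisory describes. The two snapshots are constructed samples; the CloudStack virtual router does use iptables, but the chain names and rule shapes used here are assumptions, and a real check would feed it the output of `iptables-save` captured on the router itself.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed iptables-save style snapshots (not captured from a real router).
# Before the restart, port 22 on 10.1.1.10 is only reachable from 203.0.113.0/24;
# after the restart the same rule has lost its -s restriction.
BEFORE = """
-A FORWARD -d 10.1.1.10/32 -p tcp -m tcp --dport 22 -s 203.0.113.0/24 -j ACCEPT
-A FORWARD -d 10.1.1.10/32 -p tcp -m tcp --dport 443 -s 198.51.100.7/32 -j ACCEPT
-A FORWARD -d 10.1.1.11/32 -p udp -m udp --dport 53 -j ACCEPT
"""
AFTER = """
-A FORWARD -d 10.1.1.10/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -d 10.1.1.10/32 -p tcp -m tcp --dport 443 -s 198.51.100.7/32 -j ACCEPT
-A FORWARD -d 10.1.1.11/32 -p udp -m udp --dport 53 -j ACCEPT
"""

ANY_SRC = "0.0.0.0/0"


@dataclass(frozen=True)
class Rule:
    chain: str
    dst: str
    proto: str
    dport: str
    src: str      # ANY_SRC when the rule carries no -s match
    target: str


# Only the options this check cares about; everything else (-m tcp, etc.) is ignored.
_OPT = re.compile(r"(?:^|\s)(-A|-d|-p|--dport|-s|-j)\s+(\S+)")


def parse_rule(line: str) -> Rule:
    """Parse one '-A ...' line from iptables-save output into a Rule."""
    opts = dict(_OPT.findall(line))
    return Rule(chain=opts.get("-A", ""),
                dst=opts.get("-d", ANY_SRC),
                proto=opts.get("-p", "all"),
                dport=opts.get("--dport", "any"),
                src=opts.get("-s", ANY_SRC),
                target=opts.get("-j", ""))


def parse_rules(text: str) -> List[Rule]:
    return [parse_rule(l) for l in text.splitlines() if l.strip().startswith("-A")]


def identity(r: Rule) -> Tuple[str, str, str, str, str]:
    """What makes two rules 'the same rule', ignoring the source restriction."""
    return (r.chain, r.dst, r.proto, r.dport, r.target)


def widened_rules(before: str, after: str) -> List[Tuple[Rule, List[str]]]:
    """Return (new_rule, old_sources) for ACCEPT rules that were source-restricted
    before and accept from anywhere after."""
    old: Dict[Tuple[str, str, str, str, str], Set[str]] = {}
    for r in parse_rules(before):
        old.setdefault(identity(r), set()).add(r.src)
    findings = []
    for r in parse_rules(after):
        if r.target != "ACCEPT" or r.src != ANY_SRC:
            continue
        srcs = old.get(identity(r), set())
        if srcs and ANY_SRC not in srcs:
            findings.append((r, sorted(srcs)))
    return findings


if __name__ == "__main__":
    for rule, sources in widened_rules(BEFORE, AFTER):
        print(f"WIDENED {rule.chain} {rule.proto}/{rule.dport} -> {rule.dst}: "
              f"was restricted to {', '.join(sources)}, now open to {ANY_SRC}")
```

Run it against two captures of `iptables-save` from the same router, one taken before the stop/start and one after; an empty result means every source restriction survived the restart.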


[Full-disclosure] Updated [CVE-2014-0031] CloudStack ListNetworkACL API discloses ACLs for other users

2014-01-11 Thread David Nalley
Issued: January 9, 2014
Updated: January 10, 2014

[CVE-2014-0031] CloudStack ListNetworkACL API discloses ACLs for other users


Product: Apache CloudStack
Vendor: Apache Software Foundation
Vulnerability type: Information Disclosure
Vulnerable Versions: Apache CloudStack 4.2.0
CVE References: CVE-2014-0031
Risk Level: Low
CVSSv2 Base Scores: 3.5  (AV:N/AC:M/Au:S/C:P/I:N/A:N)

Description:
The Apache CloudStack Security Team was notified of an issue in Apache
CloudStack which permits an authenticated user to list network ACLs for
other users.

Mitigation:
Upgrading to CloudStack 4.2.1 or higher will mitigate this issue.

References:
https://issues.apache.org/jira/browse/CLOUDSTACK-5145

Credit:
This issue was identified by Marcus Sorensen



[Full-disclosure] [SECURITY] [DSA 2841-1] movabletype-opensource security update

2014-01-11 Thread Moritz Muehlenhoff
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2841-1                   secur...@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
January 11, 2014                       http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package: movabletype-opensource
Vulnerability  : cross-site scripting
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2014-0977
Debian Bug : 734304

A cross-site scripting vulnerability was discovered in the rich text 
editor of the Movable Type blogging engine.

For the oldstable distribution (squeeze), this problem has been fixed in
version 4.3.8+dfsg-0+squeeze4.

For the stable distribution (wheezy), this problem has been fixed in
version 5.1.4+dfsg-4+deb7u1.

For the unstable distribution (sid), this problem has been fixed in
version 5.2.9+dfsg-1.

We recommend that you upgrade your movabletype-opensource packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iEYEARECAAYFAlLRifgACgkQXm3vHE4uylrqQwCgs7od6yQXHC55MagOjjx+HNhC
nQkAoJH9jVxEbne55TIYoCHXEN5hMMQT
=DItV
-----END PGP SIGNATURE-----



[Full-disclosure] Yahoo Bug Bounty Program Vulnerability #2 Open Redirect

2014-01-11 Thread Stefan Schurtz
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Advisory:   Yahoo Bug Bounty Program Vulnerability #2 Open Redirect
Advisory ID:SSCHADV2013-YahooBB-002 
Author: Stefan Schurtz
Affected Software:  Successfully tested on ads.yahoo.com
Vendor URL: http://yahoo.com
Vendor Status:  informed

==
Vulnerability Description
==

The 'piggyback' parameter on http://ads.yahoo.com is prone to an open
redirect.

==
PoC-Exploit
==

http://ads.yahoo.com/pixel?id=2454131t=2piggyback=http%3a//www.google.de_msig=10r7s21mtrmxbkn=26_cbv=187571889

==
Solution
==

- -

==
Disclosure Timeline
==

13-Dec-2013 - vendor informed by contact form (Yahoo Bug Bounty Program)
31-Dec-2013 - next message to the Yahoo Security Contact
04-Jan-2014 - feedback from vendor
04-Jan-2014 - vendor informed again about the three vulnerabilities
06-Jan-2014 - Feedback from vendor - Open redirects are no longer in
scope of the Bug Bounty program

==
Credits
==

Vulnerability found and advisory written by Stefan Schurtz.

==
References
==

http://yahoo.com
http://www.darksecurity.de/advisories/BugBounty2013/yahoo/SSCHADV2013-YahooBB-002.tx
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlLRyDsACgkQg3svV2LcbMBPlwCfYNo3J5YH+dkNKJ4fv/sOwdFA
nLMAnA8quOpgxEvymEgRJS029/Rzr2OR
=tDuT
-----END PGP SIGNATURE-----

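As an added example (not part of the advisory, and not Yahoo's code), a Python validator for a redirect parameter such as `piggyback`, using an assumed allowlist of hosts. The vulnerable behaviour is simply sending the browser wherever the parameter points, as the PoC does with `www.google.de`; the hardened form has to reject not just a foreign absolute URL but the usual bypass shapes: scheme-relative `//host`, backslash variants, userinfo tricks like `http://ads.yahoo.com@evil.example`, non-http schemes, and control characters. The `redirect_from_query` helper and the allowlist contents are assumptions for the example.

```python
from urllib.parse import parse_qs, urlsplit

# Assumed allowlist for the example; the real ads.yahoo.com policy is not on the page.
ALLOWED_HOSTS = {"ads.yahoo.com", "www.yahoo.com"}


def safe_redirect_target(raw: str, default: str = "/") -> str:
    """Return raw unchanged if it is a same-origin path or an http(s) URL to an
    allowlisted host; otherwise return default. The weak version of this function
    is 'return raw', which is the open redirect."""
    if not raw:
        return default
    # Browsers treat backslashes as slashes, so normalise before parsing,
    # otherwise "/\evil.example" looks like a relative path to urlsplit.
    candidate = raw.strip().replace("\\", "/")
    # Control characters (including CR/LF) have no business in a redirect target.
    if any(ord(c) < 0x20 for c in candidate):
        return default
    try:
        parts = urlsplit(candidate)
    except ValueError:          # e.g. unbalanced IPv6 brackets
        return default
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return default          # javascript:, data:, etc.
    if not parts.scheme and not parts.netloc:
        # Relative target: allow "/path" but not "//host" (scheme-relative).
        if candidate.startswith("/") and not candidate.startswith("//"):
            return candidate
        return default
    if parts.username is not None or parts.password is not None:
        return default          # "http://ads.yahoo.com@evil.example/" style
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        return default
    return candidate


def redirect_from_query(query: str, param: str = "piggyback") -> str:
    """Pull the redirect parameter out of a query string and validate it.
    Assumed helper for the example; it mimics a pixel endpoint reading its query."""
    value = parse_qs(query).get(param, [""])[0]
    return safe_redirect_target(value)


if __name__ == "__main__":
    # Constructed inputs modelled on the PoC shape (ampersands assumed).
    for q in ("id=1&t=2&piggyback=http%3a//www.google.de",
              "piggyback=//evil.example/",
              "piggyback=https%3A%2F%2Fwww.yahoo.com%2Fsettings"):
        print(q, "->", redirect_from_query(q))
```

The checks are ordered so that the cheap structural rejections (control characters, bad scheme, scheme-relative) happen before the host comparison, and the host comparison is done on `urlsplit(...).hostname`, never on a substring match of the raw string, which is what lets `ads.yahoo.com.evil.example` and `ads.yahoo.com@evil.example` through in naive implementations.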