-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
- -
Debian Security Advisory DSA-2199-1 secur...@debian.org
http://www.debian.org/security/ Moritz Muehlenhoff
March 23, 2011
Debian Security Advisory DSA-2200-1 secur...@debian.org
http://www.debian.org/security/ Moritz Muehlenhoff
March 23, 2011
Debian Security Advisory DSA-2201-1 secur...@debian.org
http://www.debian.org/security/ Moritz Muehlenhoff
March 23, 2011
Debian Security Advisory DSA-2202-1 secur...@debian.org
http://www.debian.org/security/ Stefan Fritsch
March 23, 2011
Vulnerability ID: HTB22900
Reference:
http://www.htbridge.ch/advisory/multiple_xss_vulnerabilities_in_syndeocms.html
Product: SyndeoCMS
Vendor: http://www.syndeocms.org/ ( http://www.syndeocms.org/ )
Vulnerable Version: 2.8.02
Vendor Notification: 10 March 2011
Vulnerability Type: XSS (Cross
Vulnerability ID: HTB22895
Reference:
http://www.htbridge.ch/advisory/xss_vulnerability_in_ripe_website_manager.html
Product: Ripe website manager
Vendor: Ripe website manager Team ( http://www.ripewebsitemanager.com/ )
Vulnerable Version: 1.1 and probably prior versions
Vendor Notification: 10
On 3/23/2011 11:27 AM, Kent Borg wrote:
Would I install a stack of SCADA upgrades to *my* functioning
factory? Maybe not.
Scary, scary stuff.
Security needs to be designed in, implemented carefully each step
along the way, and reviewed. Instead people with security in their
job title so
Vulnerability ID: HTB22902
Reference: http://www.htbridge.ch/advisory/xss_in_syndeocms.html
Product: SyndeoCMS
Vendor: http://www.syndeocms.org/ ( http://www.syndeocms.org/ )
Vulnerable Version: 2.8.02
Vendor Notification: 10 March 2011
Vulnerability Type: XSS (Cross Site Scripting)
Risk level:
Vulnerability ID: HTB22897
Reference:
http://www.htbridge.ch/advisory/sql_injection_vulnerability_in_ripe_website_manager.html
Product: Ripe website manager
Vendor: Ripe website manager Team ( http://www.ripewebsitemanager.com/ )
Vulnerable Version: 1.1 and probably prior versions
Vendor
On Mon, 21 Mar 2011, J. Oquendo wrote:
Reality: Car manufacturer was never made aware of the issue. How do you
propose a manufacturer fix an issue?
Due diligence. If you sell a car that falls apart when someone pokes it
with a finger--or a piece of mission-critical software where someone with
Vulnerability ID: HTB22898
Reference:
http://www.htbridge.ch/advisory/xsrf_csrf_in_ripe_website_manager.html
Product: Ripe website manager
Vendor: Ripe website manager Team ( http://www.ripewebsitemanager.com/ )
Vulnerable Version: 1.1 and probably prior versions
Vendor Notification: 10 March
The correct time for vendors to do their own homework on SCADA was
2003 - that was the wakeup call. Anyone who has programmed for SCADA
has always wondered what would happen if they started poking
undocumented values into undocumented registers, but may not have the
luxury of trying it out.
On 03/23/2011 03:01 PM, Jim Harrison wrote:
BTW, now that you know about it and there is no defined mitigation, what
exactly *will* you do about it?
This seems rather obvious, but
1. Ensure none of the affected SCADA systems are present on my work's
network (BTW none are present on my
If *any* threat exists,
that threat is increased by public exposure of unmitigated attack
methodology
I think you have it wrong.
Public exposure increases the visibility, and therefore customers
install the patches quicker.
Without public visibility, they will keep running the old
Vulnerability ID: HTB22899
Reference: http://www.htbridge.ch/advisory/path_disclosure_in_syndeocms.html
Product: SyndeoCMS
Vendor: http://www.syndeocms.org/ ( http://www.syndeocms.org/ )
Vulnerable Version: 2.8.02
Vendor Notification: 10 March 2011
Vulnerability Type: Path disclosure
Risk level:
Vulnerability ID: HTB22901
Reference: http://www.htbridge.ch/advisory/sql_injection_in_syndeocms.html
Product: SyndeoCMS
Vendor: http://www.syndeocms.org/ ( http://www.syndeocms.org/ )
Vulnerable Version: 2.8.02
Vendor Notification: 10 March 2011
Vulnerability Type: SQL injection
Risk level:
Vulnerability ID: HTB22896
Reference:
http://www.htbridge.ch/advisory/blind_sql_injection_vulnerability_in_ripe_website_manager.html
Product: Ripe website manager
Vendor: Ripe website manager Team ( http://www.ripewebsitemanager.com/ )
Vulnerable Version: 1.1 and probably prior versions
Vendor
Simple Nomad wrote:
2. Ensure that these systems, if they exist, are not accessible from
either the Internet or even the local network where most of the users
are.
Much easier said than done.
The really scary SCADA systems are small cogs in large facilities that
have been built up
On 23/03/2011 6:13 PM, Theo de Raadt wrote:
If *any* threat exists,
that threat is increased by public exposure of unmitigated attack
methodology
I think you have it wrong.
Public exposure increases the visibility, and therefore customers
install the patches quicker.
Without public
A lot of people are failing to see the vendor's customer side of things.
Industrial Control Systems (ICS), SCADA users, historically have their
focus on availability (you don't want your electricity/water/petrochemicals
being cut now do you) and safety (no one wants to die making sure you get