Re: Report OWASP WAF Naxsi bypass Vulnerability

2013-03-27 Thread Jeffrey Walton
Tracked through issue 65 (http://code.google.com/p/naxsi/issues/detail?id=65), fixed at check-in R545 (http://code.google.com/p/naxsi/source/detail?spec=svn545&r=545). On Mon, Mar 25, 2013 at 10:00 PM, wrote: > OWASP WAF Naxsi bypass Vulnerability > > Certain unspecified input is not properly ha

Apple and Wifi Hotspot Credentials Management Vulnerability

2013-06-18 Thread Jeffrey Walton
This vulnerability was published to the OWASP Mobile Security list as a research paper by Andreas Kurtz, Daniel Metz and Felix Freiling. See "Cracking iOS personal hotspots using a Scrabble crossword game word list," http://lists.owasp.org/pipermail/owasp-mobile-security-project/2013-June/000640.h

Re: Apple and Wifi Hotspot Credentials Management Vulnerability

2013-06-18 Thread Jeffrey Walton
On Mon, Jun 17, 2013 at 3:35 PM, Jeffrey Walton wrote: > > ... > It appears Apple Wifi hotspot passwords are generated using a wordlist > consisting of 1842 words. The authors built a custom cracker to aid > in recovery of the Wifi hotspot passwords. My bad. The application est

Re: Facebook Information Disclosure

2013-06-24 Thread Jeffrey Walton
On Fri, Jun 21, 2013 at 5:40 PM, Packet Storm wrote: > Worth Reading: > > http://packetstormsecurity.com/news/view/22713/Facebook-Where-Your-Friends-Are-Your-Worst-Enemies.html > > https://www.facebook.com/notes/facebook-security/important-message-from-facebooks-white-hat-program/10151437074840766

Re: MiniUPnPd Information Disclosure (CVE-2013-2600)

2013-07-12 Thread Jeffrey Walton
On Fri, Jul 12, 2013 at 2:16 PM, wrote: > ... > > This issue was addressed on April 26, 2013 as noted in the changelog: > http://miniupnp.free.fr/files/changelog.php?file=miniupnpd-1.8.20130607.tar.gz > > 2013/04/26: > Correctly handle truncated snprintf() in SSDP code > > The problem is illus

Re: [Full-disclosure] [SE-2012-01] New Reflection API affected by a known 10+ years old attack

2013-07-21 Thread Jeffrey Walton
On Thu, Jul 18, 2013 at 12:50 AM, Security Explorations wrote: > > Hello All, > > We discovered yet another indication that the new Reflection API introduced > into Java SE 7 was not subject to a thorough security review (if any). I'm kind of surprised some of these bugs exist for so long. Allowing t

Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure

2013-08-10 Thread Jeffrey Walton
On Sat, Aug 10, 2013 at 6:10 AM, Gichuki John Chuksjonia wrote: > One thing u gotta remember most of the Admins who handle webservers in > a network are also developers since most of the organizations will > always need to cut on expenses, and as we know, most of the developers > will just look in

Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure

2013-08-12 Thread Jeffrey Walton
On Mon, Aug 12, 2013 at 1:28 PM, Coderaptor wrote: > I have been a silent spectator to this drama, and could not resist adding a > few thoughts of my own: > > 1. All software, especially webservers, should ship with secure defaults. > Period. It is a fundamental mistake to assume all admins who

Re: [Full-disclosure] Defense in depth -- the Microsoft way (part 8): execute everywhere!

2013-08-26 Thread Jeffrey Walton
Hi Stefan, > ... administrative rights for every user account Hmmm... XP/x64 appears to have a bug such that the second user also needs to be admin (perhaps XP/x86, too). XP does not recognize the first account as admin, so the second account cannot be limited (at least on my test box). Vista and

iOS: List of available trusted root certificates

2013-09-30 Thread Jeffrey Walton
From "iOS: List of available trusted root certificates", http://support.apple.com/kb/HT5012. There's no reason to allow some of this to occur in 2013. As a proxy-relying-party, Apple is responsible for this stuff because users are not allowed to make the decisions or modify the Trust Store. For

Re: [FD] [oss-security] Bug in bash <= 4.3 [security feature bypassed]

2014-06-06 Thread Jeffrey Walton
> 2014-06-03 16:16 GMT+02:00 Hector Marco : > > Hi everyone, > > Recently we discovered a bug in bash. After some time after reporting > it to bash developers, it has not been fixed. > > We think that this is a security issue because in some circumstances > the bash security feature could be bypass

Re: [Full-disclosure] pidgin OTR information leakage

2012-02-28 Thread Jeffrey Walton
On Mon, Feb 27, 2012 at 3:21 PM, Rich Pieri wrote: > On Feb 27, 2012, at 2:37 PM, Michele Orru wrote: >> I think you didn't understand the content of the advisory. >> If there are 10 non-root users in an Ubuntu machine for example, >> if user 1 is using pidgin with OTR compiled with DBUS, then use

Fwd: [cryptography] Apple Legacy filevault barn door...

2012-05-08 Thread Jeffrey Walton
Interesting reading from the cryptography mailing list -- Forwarded message -- From: David I. Emery Date: Fri, May 4, 2012 at 8:40 PM Subject: [cryptography] Apple Legacy filevault barn door... To: cryptogra...@randombit.net        As someone said here recently, carefully built c

Ubuntu, Linux Mint, and the Guest Account

2012-05-08 Thread Jeffrey Walton
I know there's not much new here, but I am amazed that Ubuntu, Linux Mint and friends ship with a Guest account present and enabled. The Guest account is surreptitiously added through a lightdm configuration file, and is not part of the standard user database. Because it's not part of the standard

Re: [Full-disclosure] [SE-2012-01] information regarding recently discovered Java 7 attack

2012-08-29 Thread Jeffrey Walton
Hi, > found as part of our SE-2012-01 Java SE security research project [3]. Well, it seems Oracle did not feel the issues Security Explorations shared were a priority. Blogging about these things has not produced optimal results either. Have you reported the issues to US Cert? Will you be discl

Re: [Full-disclosure] MySQL (Linux) Heap Based Overrun PoC Zeroday

2012-12-03 Thread Jeffrey Walton
Hi Kingcope, # As seen below $edx and $edi are fully controlled, # the current instruction is # => 0x83a6b24 : mov (%edx),%edi # this means we landed in a place where 4 bytes can be controlled by 4 bytes # with this function pointers and GOT entries can be rewritten to execute arbitrary code

Re: [Full-disclosure] MySQL (Linux) Stack based buffer overrun PoC Zeroday

2012-12-03 Thread Jeffrey Walton
Hi Kingcope, MySQL Server exploitable stack based overrun Ver 5.5.19-log for Linux and below (tested with Ver 5.1.53-log for suse-linux-gnu too) unprivileged user (any account (anonymous account?), post auth) as illustrated below the instruction pointer is overwritten with 0x4141414

Hidden backdoor API to root privileges in Apple OS X

2015-04-13 Thread Jeffrey Walton
https://truesecdev.wordpress.com/2015/04/09/hidden-backdoor-api-to-root-privileges-in-apple-os-x/ The Admin framework in Apple OS X contains a hidden backdoor API to root privileges. It’s been there for several years (at least since 2011), I found it in October 2014 and it can be exploited to esca

CVE for Apple's ECDHE-ECDSA SecureTransport bug?

2015-05-21 Thread Jeffrey Walton
Does anyone know if Apple's ECDHE-ECDSA SecureTransport bug was assigned a CVE? It affected OS X and iOS. Effectively, the bug was an implementation error that caused interoperability failures. To mostly counter it, the cipher suites had to be disabled, which resulted in a loss of security. If the

Re: Perfect PDF products distributed with vulnerable MSVC++ libraries

2011-06-29 Thread Jeffrey Walton
On Tue, Jun 21, 2011 at 7:22 AM, Brad Hards wrote: > On Sunday 19 June 2011 11:37:33 Stefan Kanthak wrote: >> soft Xpansion distributes their (freeware) >> products "Perfect PDF 7 Master" and "Perfect PDF 7 Reader" (the >> current files are dated 2011-05-10) with OUTDATED and VULNERABLE >> Visual

Ubuntu: reseed(8), random.org, and HTTP request

2011-07-06 Thread Jeffrey Walton
Ubuntu's reseed(8) can be used to seed the PRNG state of a host. The script is run when the package is installed, and any time su executes the script. reseed(8) performs an unsecured HTTP request to random.org for its bits, despite random.org offering HTTPS services. The Ubuntu Security Team took no i

Re: Vulnerabilities in trading and SCADA softwares

2011-09-15 Thread Jeffrey Walton
On Wed, Sep 14, 2011 at 5:13 AM, wrote: Please take this constructively... > The so called vulnerability in ScadaPro does not apply when the Windows > firewall is enabled and under normal circumstances the TCP-IP port is not > used to communicate with the ScadaPro service. Measuresoft should

Re: [Full-disclosure] Microsoft's Binary Planting Clean-Up Mission

2011-09-16 Thread Jeffrey Walton
On Thu, Sep 15, 2011 at 7:11 PM, Michael Schmidt wrote: > Someone’s just not reading the bulletins – Note the term “Remote” – > including webdav, so a share that could be fully controlled by the > exploiter. At least that is what I am understanding. > > > > Updates released on September 13, 2011 >

iwconfig and recent patches?

2010-12-13 Thread Jeffrey Walton
Hi All, I was reading http://security.ece.cmu.edu/aeg/aeg-current.pdf. Is anyone aware of recent patches to iwconfig for a buffer overrun? I did not find any recent CVEs covering iwconfig. Jeff

Re: OpenBSD CARP Hash Vulnerability

2010-12-21 Thread Jeffrey Walton
On Fri, Dec 17, 2010 at 10:08 PM, Sam Banks wrote: > Hello Bugtraq, > > I disclosed this bug to the BSDs and no one is interested in fixing it > so here you go. The two files attached are as follows: > > [SNIP] > > The OpenBSD CARP implementation (and all derivatives, such as FreeBSD > and NetBSD)

Re: [FD] Defense in depth -- the Microsoft way (part 51): Skype's home-grown updater allows escalation of privilege to SYSTEM

2018-02-14 Thread Jeffrey Walton
On Fri, Feb 9, 2018 at 1:01 PM, Stefan Kanthak wrote: > Hi @ll, > > since about two or three years now, Microsoft offers Skype as > optional update on Windows/Microsoft Update. > > JFTR: for Microsoft's euphemistic use of "update" see > > > On

Asserts considered harmful (or GMP spills its sensitive information)

2018-12-31 Thread Jeffrey Walton
The GMP library uses asserts to crash a program at runtime when presented with data it did not anticipate. The library also ignores user requests to remove asserts using Posix's -DNDEBUG. Asserts are a debugging aid intended for development, and using them in production software ranges from quest

Re: Re[2]: Regular Expression Denial of Service

2009-09-14 Thread Jeffrey Walton
Hi Thierry, > With all due respect - this is known to be a vulnerability > class since over a century. The referenced web page is titled, "ReDoS (Regular Expression Denial of Service) Revisited". The authors cite work as early as 2003 in their paper. > Can we please stop the attitude of invent

Re: 3rd party patch for XP for MS09-048?

2009-09-15 Thread Jeffrey Walton
Hi Aras, > Given that M$ has officially shot-down all current Windows XP users by not > issuing a patch for a DoS level issue, Can you cite a reference? Unless Microsoft has changed their end of life policy [1], XP should be patched for security vulnerabilities until about 2014. Both XP Home and

Re: 3rd party patch for XP for MS09-048?

2009-09-16 Thread Jeffrey Walton
position papers! * http://support.microsoft.com/gp/lifepolicy * http://support.microsoft.com/gp/lifeselect Jeff On Tue, Sep 15, 2009 at 5:24 PM, Susan Bradley wrote: > Read the bulletin.  There's no patch.  It is deemed by Microsoft to be of > low impact and thus no patch has been buil

Re: Re: Back door trojan in acajoom-3.2.6 for joomla

2009-07-23 Thread Jeffrey Walton
> ... or the developers were stupid enough to develop with old code. Stupid may be a bit harsh. I find 'Software Security' is also a frame of mind that *must* be backed by education. Perhaps the developers lack the knowledge they need to model the threats and incorporate a secure architecture. Jef

Fwd: Follow-up: Heartland CEO on Data Breach: QSAs Let Us Down

2009-08-13 Thread Jeffrey Walton
From the folks at Attrition and the DatalossDB. -- Forwarded message -- From: security curmudgeon Date: Aug 12, 2009 4:22 PM Subject: Follow-up: Heartland CEO on Data Breach: QSAs Let Us Down To: dataloss-disc...@datalossdb.org, datal...@datalossdb.org http://www.csoonline.com/a

Re: Norman Internet Update Deamon sends cleartext license key on update

2009-09-01 Thread Jeffrey Walton
Hi Stefan, > linux norman internet update daemon (niu) sends our > corporate license key in cleartext over http when the > first update is triggered. Similar problems (use of insecure channels) were reported on June 9, 2009 with their Windows software. Jeff On Tue, Sep 1, 2009 at 3:00 AM, Stefan