RIPA is finally being used to force people to hand over encryption keys...
http://news.bbc.co.uk/1/hi/technology/7102180.stm
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by
This is breaking news on all the UK television stations right now.
Tax Boss Quits After Records Vanish
http://news.sky.com/skynews/article/0,,70131-1293566,00.html
Discs with 15m bank details lost
http://news.bbc.co.uk/1/hi/uk_politics/7103566.stm
___
A remote attacker, with read access to the password database can gain
administrator rights.
This also applies to many other blog software and also every system with a
password database.
--
Francesco Vaj [CISSP - GIAC]
Senior Content Manipulation Consultant
mailto:[EMAIL PROTECTED]
aim: XSS
On Wed, Nov 21, 2007 at 03:48:06AM +1100, XSS Worm XSS Security Information Portal wrote:
This also applies to many other blog software
In which case they are not storing their passwords properly.
What makes the Wordpress scheme vulnerable is that you can attack it
*without* brute forcing the
Steven J. Murdoch wrote:
Wordpress Cookie Authentication Vulnerability
Original release date: 2007-11-19
...
Source: Steven J. Murdoch http://www.cl.cam.ac.uk/users/sjm217/
Could you elaborate why you consider this news? Most public SQL
injection exploits for Wordpress use this
On Tue, Nov 20, 2007 at 07:08:36PM +0100, Stefan Esser wrote:
Could you elaborate why you consider this news? Most public SQL
injection exploits for Wordpress use this cookie trick.
I couldn't find it on the Wordpress bug tracker and when I mentioned it to the Wordpress security address, they
*Wordpress 0day: Hacking into computers now easier than previously believed, says Heise Security*
http://xssworm.blogvis.com/21/xssworm/wordpress-0day-hacking-into-computers-now-easier-than-previously-believed-says-heise-security/
A design flaw in the WordPress http://wordpress.org/ blog
This is CVE-2007-6013 since 19th Nov including WordPress ticket #5367:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6013
- Juha-Matti
Steven J. Murdoch [EMAIL PROTECTED] wrote:
On Tue, Nov 20, 2007 at 07:08:36PM +0100, Stefan Esser wrote:
Could you elaborate why you consider
Right this problem has existed for a long time, but it's not the end of
the world for someone to point it out again I suppose.
I think it's obvious that there's another main issue here and that's the
way WordPress handles its cookies in general. They are not temporary
sessions that expire or are
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200711-29
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200711-30
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Wordpress never knew how to deal with cookies!
On Nov 20, 2007 9:23 PM, Steven Adair [EMAIL PROTECTED] wrote:
Right this problem has existed for a long time, but it's not the end of
the world for someone to point it out again I suppose.
I think it's obvious that there's another main issue
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200711-31
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200711-32
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Thanks in advance.
wtf
On 20/11/2007, The Security Community [EMAIL PROTECTED] wrote:
Thanks in advance.
According to OSVDB Vendor Dictionary it's
secure at websense.com
http://osvdb.org/vendor_dict.php?section=vendorid=1498c=W
- Juha-Matti
The Security Community [EMAIL PROTECTED] wrote:
Thanks in advance.
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
___
Mandriva Linux Security Advisory MDKSA-2007:229
http://www.mandriva.com/security/
Hello folks,
I wonder why we don't see web applications use secure cookie recipes
like [1] and [2]. There are also existing secure password hashing
frameworks such as Solar's [3]. Are developers just unaware of these
secure schemes?
Amusingly a proprietary web application I audited used static
On Wed, 21 Nov 2007 07:51:30 +0800, Eduardo Tongson said:
I wonder why we don't see web applications use secure cookie recipes
like [1] and [2]. There are also existing secure password hashing
frameworks such as Solar's [3]. Are developers just unaware of these
secure schemes?
Browse the
--On November 20, 2007 7:21:29 PM -0500 [EMAIL PROTECTED] wrote:
On Wed, 21 Nov 2007 07:51:30 +0800, Eduardo Tongson said:
I wonder why we don't see web applications use secure cookie recipes
like [1] and [2]. There are also existing secure password hashing
frameworks such as Solar's [3].
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
___
Mandriva Linux Security Advisory MDKSA-2007:230
http://www.mandriva.com/security/