Hi,
This is regarding multiple XSS (Cross Site Scripting) Vulnerabilities in
Apache Archiva 1.3.4 (and previous versions). The following is the
disclosure document
Project: Apache Archiva
Severity: High
Versions: 1.3.0 - 1.3.4. The unsupported versions Archiva 1.0 - 1.2.2
are also affected.
Hi,
This is regarding multiple CSRF (Cross Site Request Forgery)
Vulnerabilities in Apache Archiva 1.3.4 (and previous versions). The
following is the disclosure document
Title: Multiple CSRF Vulnerabilities in Apache Archiva 1.3.4
forticlientsslvpn suffers from an insecure lock file creation issue.
Upon starting the forticlientsslvpn, the file 'forticlientsslvpn.lock'
is created under the /tmp directory with octal permissions
0666.
The client does not first check if this file exists, or if it is even
currently owned by
Just saw this earlier:
http://www.un.org/chinese/News/archive.asp?month=5year=2010'
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
On Sun, 29 May 2011 18:47:28 EDT, magikh0e said:
Create a symlink from /tmp/forticlientsslvpn.lock
to /some/file/owned_by_root as a non-root user. Then run the
forticlientsslvpn client as root and the file you pointed at will then
be overwritten upon execution.
Gaah. People are *still*
Call for papers for Paranoia 2011, November 10th.
Link: http://paranoia.watchcom.no/index.php?page=40
Potential speakers are invited to submit topics and summary abstracts for the
6th annual PARANOIA conference in Oslo, Norway.
This one-day event attracts 600+ attendees and vendors providing
SEE ENGLISH VERSION BELOW
Auf der Zielgeraden zur IPC Spring möchten wir Euch schon jetzt
einladen, Eure Themen, Ideen, Vorschläge für die International PHP
Conference im Oktober einzureichen. Die International PHP Conference
findet vom 9. bis 12. Oktober 2011 in der Rheingoldhalle in Mainz statt
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
It seems that quite a few backup applications are (or were) vulnerable
to special combined symlink/timing attacks on pathname components before
the last one (so O_NOFOLLOW does not help). E.g. when backup is run as
root and crawls though directory
coq developers appear to do forensics this way:
http://article.gmane.org/gmane.science.mathematics.logic.coq.club/6228
the academic approach (detached from current implementations imho) is:
How to Believe a Machine-Checked Proof, Robert Pollack
Hi all,
We have just released new tool, IncrediMail Password Decryptor to
instantly recover passwords from IncrediMail client.
IncrediMail stores all the configured mail account passwords in
registry in an encrypted format at following location.
Wait, encrypted or encoded?
Chris.
On Mon, May 30, 2011 at 4:52 PM, Nagareshwar Talekar tnagaresh...@gmail.com
wrote:
Hi all,
We have just released new tool, IncrediMail Password Decryptor to
instantly recover passwords from IncrediMail client.
IncrediMail stores all the configured
Hello list!
I want to warn you about security vulnerabilities in ADSL modem Callisto
821+ (SI2000 Callisto821+ Router). These are Predictable Resource Location
and Brute Force vulnerabilities.
SecurityVulns ID: 11700.
-
Affected products:
-
Hello list!
I want to warn you about security vulnerabilities in ADSL modem Callisto
821+ (SI2000 Callisto821+ Router).
These are Cross-Site Request Forgery and Cross-Site Scripting
vulnerabilities. In April I've already drew attention of Ukrtelecom's
representative (and this modem was bough
On Mon, 30 May 2011 17:09:10 +0200, Christian Sciberras said:
Wait, encrypted or encoded?
As Skylarov discovered, they're the same thing in the US for DMCA purposes.
pgpQ2f6Idl3qM.pgp
Description: PGP signature
___
Full-Disclosure - We believe in
Yep ;) I was a bit surprised about how they went out of the way to
create the existence of this one. This problem was solved in mkstemp
with the release of glibc 2.0.7. That was released May 22 1998...
Just in case they stumble upon this thread or for others that do not yet
understand this...
Over year in DB multiple..
http://www.vs-db.info/?s=un.org
MG.
Wiadomość napisana przez Sihan w dniu 2011-05-30, o godz. 03:50:
Just saw this earlier:
http://www.un.org/chinese/News/archive.asp?month=5year=2010'
___
Full-Disclosure - We
Hello,
regarding http://www.ubuntu.com/usn/usn-1140-1/ posted today (originally
documented as http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3435),
what
the notices do not mention is that this attack, under certain circumstances,
can lift enough key material from a private DSA key to
From http://h-online.com/-1251556
Allied Telesis http://www.alliedtelesis.com/ accidentally put
information about the backdoors present in all of its products into the
support area on its web site.
Didn't see this yet in FD, so I thought it is worth to post it...
Gsunde
hi guys
What happened?nessus online register has colsed ?
http://www.nessus.org/register says :
The requested page could not be found
thksBest Regards
... http://7bits.nl/projects/pamenv-dsakeys/pamenv-dsakeys.html
Seems to me that CVE-2010-3435 may allow users to determine also:
password in /etc/lilo.conf
secret in /etc/bind/named.conf /etc/bind/rndc.conf /etc/bind/rndc.key
bits of /etc/ssh/ssh_host_dsa_key /etc/ssh/ssh_host_rsa_key
On Mon, May 30, 2011 at 6:56 AM, halfdog m...@halfdog.net wrote:
...
It seems that quite a few backup applications are (or were) vulnerable
to special combined symlink/timing attacks on pathname components before
the last one (so O_NOFOLLOW does not help).
...
Please let me know, if ... you
On 2011-05-30, at 16:27, coderman wrote:
On Mon, May 30, 2011 at 6:56 AM, halfdog m...@halfdog.net wrote:
It seems that quite a few backup applications are (or were) vulnerable
to special combined symlink/timing attacks on pathname components before
the last one (so O_NOFOLLOW does not
On Mon, May 30, 2011 at 5:09 PM, Andrew Farmer andf...@gmail.com wrote:
LVM snapshots have some nasty gotchas, though:
https://bugs.launchpad.net/lvm2/+bug/360237
there are also corner cases depending on filesystem used on top of the
logical volumes, there is often no fail-safe behavior
On Mon, May 30, 2011 at 6:16 PM, coderman coder...@gmail.com wrote:
...
there are also [lots of concerns and caveats with using volume snapshots ...]
someone asked, then why use snapshots for backups if difficult?
a backup is represented as a collection of data at a specific point in
time.
On Mon, May 30, 2011 at 5:09 PM, Andrew Farmer andf...@gmail.com wrote:
...
They also don't solve the problem of restoring a fragment of data (e.g, a
single accidentally deleted file) from a backup...
if you meant using your backup software for specific restoration,
there is no reason you
INSECT Pro 2.6.1 is here! This penetration security auditing and
testing software solution is designed to allow organizations of all
sizes mitigate, monitor and manage the latest security threats
vulnerabilities and implement active security policies by performing
penetration tests across
On May 31, 2011, at 12:48 AM, paul.sz...@sydney.edu.au wrote:
... http://7bits.nl/projects/pamenv-dsakeys/pamenv-dsakeys.html
Seems to me that CVE-2010-3435 may allow users to determine also:
password in /etc/lilo.conf
secret in /etc/bind/named.conf /etc/bind/rndc.conf /etc/bind/rndc.key
27 matches
Mail list logo