[Full-disclosure] SEC Consult SA-20121017-0 :: ModSecurity multipart/invalid part ruleset bypass

2012-10-17 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory 20121017-0 === title: ModSecurity multipart/invalid part ruleset bypass product: ModSecurity vulnerable version: = 2.6.8 fixed version: 2.7.0

[Full-disclosure] SEC Consult SA-20121017-1 :: Unirgy uStoreLocator SQL Injection - Magento extension

2012-10-17 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory 20121017-1 === title: SQL Injection product: Unirgy uStoreLocator - Magento extension vulnerable version: =2.0.0 fixed version: =2.0.1

[Full-disclosure] [IMF 2013] 3rd Call for Papers: Deadline Extended

2012-10-17 Thread Oliver Goebel
Dear all, the deadline for the submission of papers has been extended. Accepted papers will be published in IEEE Computer Society's Conference Proceedings Series and be available in the IEEE online Digital Library. Please excuse possible cross-postings.

[Full-disclosure] SEC Consult SA-20121017-2 :: Multiple vulnerabilities in Oracle WebCenter Sites (former FatWire Content Server)

2012-10-17 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory 20121017-2 === title: Multiple vulnerabilities in Oracle WebCenter Sites product: Oracle WebCenter Sites (former FatWire Content Server) vulnerable

[Full-disclosure] [waraxe-2012-SA#092] - Multiple Vulnerabilities in Wordpress Slideshow Plugin

2012-10-17 Thread Janek Vind
[waraxe-2012-SA#092] - Multiple Vulnerabilities in Wordpress Slideshow Plugin === Author: Janek Vind waraxe Date: 17. October 2012 Location: Estonia, Tartu Web: http://www.waraxe.us/advisory-92.html Description of

Re: [Full-disclosure] Multiple 0-days in Dark Comet RAT

2012-10-17 Thread Hertz, Jesse
Agreed, it is very probably illegal to actually do so. This attack is purely theoretical and should only be attempted after obtaining competent legal counseling. Myself, Matasano, and my other researches DO NOT endorse actually counter-hacking. But its certainly pretty awesome that you could On

[Full-disclosure] Credentials leaks in Legrand-003598 / Bticino-F454 SCS Web Gateway

2012-10-17 Thread sxpert
1. OVERVIEW Credential leaks lead to complete compromise of home automation system 2. BACKGROUND The 2 devices are identical, and act as an IP gateway between the SCS home automation bus, and an IP network. The devices uses https for the web-front, and is also open on port 2 with an semi

[Full-disclosure] [waraxe-2012-SA#093] - Multiple Vulnerabilities in Wordpress Social Discussions Plugin

2012-10-17 Thread Janek Vind
[waraxe-2012-SA#093] - Multiple Vulnerabilities in Wordpress Social Discussions Plugin == Author: Janek Vind waraxe Date: 17. October 2012 Location: Estonia, Tartu Web: http://www.waraxe.us/advisory-93.html

[Full-disclosure] [Security-news] SA-CORE-2012-003 - Drupal core - Arbitrary PHP code execution and Information disclosure

2012-10-17 Thread security-news
View online: http://drupal.org/node/1815912 * Advisory ID: DRUPAL-SA-CORE-2012-003 * Project: Drupal core [1] * Version: 7.x * Date: 2012-October-17 * Security risk: Highly critical [2] * Exploitable from: Remote * Vulnerability: Information Disclosure, Arbitrary PHP code execution