Monthly Archives: September 2016

Bugtraq ID: 93257 Class: Input Validation Error CVE: CVE-2016-6607
CVE-2016-6607 Remote: Yes Local: No Published: Jul 07 2016 12:00AM Updated: Sep 30 2016 04:02PM Credit: Emanuel Bronshtein @e3amn2l Vulnerable: Typo3 phpMyAdmin 5.1.6
phpMyAdmin phpMyAdmin 4.6.2
phpMyAdmin phpMyAdmin 4.6.1
phpMyAdmin phpMyAdmin 4.6
phpMyAdmin phpMyAdmin 4.4.15
phpMyAdmin phpMyAdmin 4.4.13
phpMyAdmin phpMyAdmin 4.4.12
phpMyAdmin phpMyAdmin 4.4.11
phpMyAdmin phpMyAdmin 4.4.10
phpMyAdmin phpMyAdmin 4.4.9
phpMyAdmin phpMyAdmin 4.4.8
phpMyAdmin phpMyAdmin 4.4.7
phpMyAdmin phpMyAdmin 4.4.6
phpMyAdmin phpMyAdmin 4.4.5
phpMyAdmin phpMyAdmin 4.4.3
phpMyAdmin phpMyAdmin 4.4.2
phpMyAdmin phpMyAdmin 4.4.1
phpMyAdmin phpMyAdmin 4.4
phpMyAdmin phpMyAdmin 4.0.5
phpMyAdmin phpMyAdmin 4.0.4
phpMyAdmin phpMyAdmin 4.0.3
phpMyAdmin phpMyAdmin 4.0.2
phpMyAdmin phpMyAdmin 4.0.1
phpMyAdmin phpMyAdmin 4.0
phpMyAdmin phpMyAdmin 4.6.3
phpMyAdmin phpMyAdmin 4.4.6.1
phpMyAdmin phpMyAdmin 4.4.6.0
phpMyAdmin phpMyAdmin 4.4.15.7
phpMyAdmin phpMyAdmin 4.4.15.6
phpMyAdmin phpMyAdmin 4.4.15.5
phpMyAdmin phpMyAdmin 4.4.15.4
phpMyAdmin phpMyAdmin 4.4.15.3
phpMyAdmin phpMyAdmin 4.4.15.2
phpMyAdmin phpMyAdmin 4.4.15.1
phpMyAdmin phpMyAdmin 4.4.14.1
phpMyAdmin phpMyAdmin 4.4.14
phpMyAdmin phpMyAdmin 4.4.13.1
phpMyAdmin phpMyAdmin 4.4.1.1
phpMyAdmin phpMyAdmin 4.0.9
phpMyAdmin phpMyAdmin 4.0.8
phpMyAdmin phpMyAdmin 4.0.7
phpMyAdmin phpMyAdmin 4.0.6
phpMyAdmin phpMyAdmin 4.0.4.2
phpMyAdmin phpMyAdmin 4.0.4.1
phpMyAdmin phpMyAdmin 4.0.10.9
phpMyAdmin phpMyAdmin 4.0.10.8
phpMyAdmin phpMyAdmin 4.0.10.7
phpMyAdmin phpMyAdmin 4.0.10.6
phpMyAdmin phpMyAdmin 4.0.10.5
phpMyAdmin phpMyAdmin 4.0.10.4
phpMyAdmin phpMyAdmin 4.0.10.3
phpMyAdmin phpMyAdmin 4.0.10.2
phpMyAdmin phpMyAdmin 4.0.10.16
phpMyAdmin phpMyAdmin 4.0.10.15
phpMyAdmin phpMyAdmin 4.0.10.14
phpMyAdmin phpMyAdmin 4.0.10.13
phpMyAdmin phpMyAdmin 4.0.10.12
phpMyAdmin phpMyAdmin 4.0.10.11
phpMyAdmin phpMyAdmin 4.0.10.10
phpMyAdmin phpMyAdmin 4.0.10.1
phpMyAdmin phpMyAdmin 4.0.10 Not Vulnerable: phpMyAdmin phpMyAdmin 4.6.4
phpMyAdmin phpMyAdmin 4.4.15.8
phpMyAdmin phpMyAdmin 4.0.10.17


SecurityFocus Vulnerabilities

Pokémon GO Spam, Ransomware, On the Rise

August 17, 2016 , 12:58 pm

Cisco Begins Patching Equation Group ASA Zero Day

August 24, 2016 , 5:53 pm

Yahoo Challenged on Claims Breach Was State-Sponsored Attack

September 29, 2016 , 2:15 pm

OpenSSL Fixes Critical Bug Introduced by Latest Update

September 26, 2016 , 10:45 am

500 Million Yahoo Accounts Stolen By State-Sponsored Hackers

September 22, 2016 , 3:47 pm

Yahoo Reportedly to Confirm Breach of Hundreds of Millions of Credentials

September 22, 2016 , 12:31 pm

Experts Want Transparency From Government’s Vulnerabilities Equities Process

September 20, 2016 , 2:41 pm

Bruce Schneier on Probing Attacks Testing Core Internet Infrastructure

September 15, 2016 , 11:15 am

Generic OS X Malware Detection Method Explained

September 13, 2016 , 9:14 am

Patched Android Libutils Vulnerability Harkens Back to Stagefright

September 9, 2016 , 2:06 pm

Chrome to Label Some HTTP Sites ‘Not Secure’ in 2017

September 8, 2016 , 3:43 pm

Threatpost News Wrap, September 2, 2016

September 2, 2016 , 9:00 am

Insecure Redis Instances at Core of Attacks Against Linux Servers

September 1, 2016 , 1:08 pm

Dropbox Forces Password Reset for Older Users

August 29, 2016 , 9:58 am

New Collision Attacks Against 3DES, Blowfish Allow for Cookie Decryption

August 24, 2016 , 8:00 am

Cisco Acknowledges ASA Zero Day Exposed by ShadowBrokers

August 17, 2016 , 4:06 pm

ProjectSauron APT On Par With Equation, Flame, Duqu

August 8, 2016 , 1:40 pm

Miller, Valasek Deliver Final Car Hacking Talk

August 4, 2016 , 3:26 pm

Researchers Go Inside a Business Email Compromise Scam

August 4, 2016 , 10:00 am

Export-Grade Crypto Patching Improves

August 3, 2016 , 10:00 am

Kaspersky Lab Launches Bug Bounty Program

August 2, 2016 , 9:00 am

Threatpost News Wrap, July 29, 2016

July 29, 2016 , 10:45 am

KeySniffer Vulnerability Opens Wireless Keyboards to Snooping

July 26, 2016 , 9:30 am

Upcoming Tor Design Battles Hidden Services Snooping

July 25, 2016 , 3:51 pm

EFF Files Lawsuit Challenging DMCA’s Restrictions on Security Researchers

July 21, 2016 , 1:18 pm

Oracle Patches Record 276 Vulnerabilities with July Critical Patch Update

July 20, 2016 , 9:21 am

Threatpost News Wrap, July 15, 2016

July 15, 2016 , 11:00 am

Academics Build Early-Warning Ransomware Detection System

July 14, 2016 , 1:05 pm

xDedic Hacked Server Market Resurfaces on Tor Domain

July 12, 2016 , 11:40 am

Conficker Used in New Wave of Hospital IoT Device Attacks

June 30, 2016 , 11:48 am

655,000 Healthcare Records Being Sold on Dark Web

June 28, 2016 , 10:00 am

Windows Zero Day Selling for $ 90,000

May 31, 2016 , 5:44 pm

Millions of Stolen MySpace, Tumblr Credentials Being Sold Online

May 31, 2016 , 1:37 pm

OTR Protocol Patched Against Remote Code Execution Flaw

March 10, 2016 , 10:23 am

Critical MySQL Vulnerability Disclosed

September 12, 2016 , 11:00 am

Keystroke Recognition Uses Wi-Fi Signals To Snoop

August 25, 2016 , 2:19 pm

PLC-Blaster Worm Targets Industrial Control Systems

August 5, 2016 , 4:49 pm

Android Patch Fixes Nexus 5X Critical Vulnerability

September 2, 2016 , 12:49 pm

WordPress Update Resolves XSS, Path Traversal Vulnerabilities

September 8, 2016 , 12:23 pm

Browser Address Bar Spoofing Vulnerability Disclosed

August 17, 2016 , 12:54 pm


Threatpost | The first stop for security news

The Arduino team is using Kickstarter to crowdfund their latest project: the ESLOV IoT Invention Kit.

ESLOV is a system of intelligent modules that can be connected in an endless variety of ways, and is meant to simplify the creation of Internet-connected devices.

Arduino's new open source kit makes creating IoT devices easy

The connected modules are plugged into a Wi-Fi and motion hub, which will connect the device (project) to the Internet. Then, the hub has to be connected to the user’s PC so that it can be programmed.

Programming it is extremely easy, though – in fact, no actual programming knowledge is required. By using the ESLOV’s visual code editor, which recognises the modules automatically, the user needs to simply draw connections between them, and the device is ready to be used.

Once the device is connected to the Arduino cloud, the user can control it and interact with it from anywhere, via a computer or smartphone, through a user-friendly interface.

The ESLOV kit consists of the wireless hub and 25 modules. The team welcomes third-party modules – design files and documentation for all modules will be made publicly available, to make it easier for creative people to design and create their own.

The ESLOV kit consists of the wireless hub and 25 modules

The Arduino team needs to raise $ 500,000 to finish the development and production of the ESLOV kit. Potential funders can choose to receive kits of different sizes, priced from $ 49 (you receive just the Wi-Fi hub) to $ 499 (PRO kit: Hub + 22 modules). The various kits can also be combined.

Delivery of the hardware to the backers is scheduled for June 2017.

More technical information can be head on the Kickstarter project page or this blog post.


Help Net Security

Bugtraq ID: 90864 Class: Failure to Handle Exceptional Conditions CVE: CVE-2016-4447 Remote: Yes Local: No Published: May 23 2016 12:00AM Updated: Sep 30 2016 12:02AM Credit: David Kilzer Vulnerable: XMLSoft Libxml2 2.9
XMLSoft Libxml2 2.7.8
XMLSoft Libxml2 2.7.7
XMLSoft Libxml2 2.7.6
XMLSoft Libxml2 2.7.5
XMLSoft Libxml2 2.7.4
XMLSoft Libxml2 2.7.3
XMLSoft Libxml2 2.7.2
XMLSoft Libxml2 2.7.1
XMLSoft Libxml2 2.7
XMLSoft Libxml2 2.6.32
XMLSoft Libxml2 2.6.31
XMLSoft Libxml2 2.6.30
XMLSoft Libxml2 2.6.26
XMLSoft Libxml2 2.6.24
XMLSoft Libxml2 2.6.23
XMLSoft Libxml2 2.6.22
XMLSoft Libxml2 2.6.21
XMLSoft Libxml2 2.6.20
XMLSoft Libxml2 2.6.18
XMLSoft Libxml2 2.6.17
XMLSoft Libxml2 2.6.16
XMLSoft Libxml2 2.6.15
XMLSoft Libxml2 2.6.14
XMLSoft Libxml2 2.6.13
XMLSoft Libxml2 2.6.12
XMLSoft Libxml2 2.6.11
XMLSoft Libxml2 2.6.9
XMLSoft Libxml2 2.6.8
XMLSoft Libxml2 2.6.7
XMLSoft Libxml2 2.6.6
XMLSoft Libxml2 2.6.5
XMLSoft Libxml2 2.6.4
XMLSoft Libxml2 2.6.3
XMLSoft Libxml2 2.6.2
XMLSoft Libxml2 2.6.1
XMLSoft Libxml2 2.5.11
XMLSoft Libxml2 2.5.10
XMLSoft Libxml2 2.5.8
XMLSoft Libxml2 2.5.4
XMLSoft Libxml2 2.5.1
XMLSoft Libxml2 2.4.30
XMLSoft Libxml2 2.4.29
XMLSoft Libxml2 2.4.28
XMLSoft Libxml2 2.4.27
XMLSoft Libxml2 2.4.26
XMLSoft Libxml2 2.4.24
XMLSoft Libxml2 2.4.23
XMLSoft Libxml2 2.4.22
XMLSoft Libxml2 2.4.21
XMLSoft Libxml2 2.4.20
XMLSoft Libxml2 2.4.19
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
XMLSoft Libxml2 2.4.18
XMLSoft Libxml2 2.4.17
XMLSoft Libxml2 2.4.16
XMLSoft Libxml2 2.4.15
XMLSoft Libxml2 2.4.14
XMLSoft Libxml2 2.4.13
XMLSoft Libxml2 2.4.12
XMLSoft Libxml2 2.4.11
XMLSoft Libxml2 2.4.10
XMLSoft Libxml2 2.4.9
XMLSoft Libxml2 2.4.8
XMLSoft Libxml2 2.4.7
XMLSoft Libxml2 2.4.6
XMLSoft Libxml2 2.4.5
XMLSoft Libxml2 2.4.4
XMLSoft Libxml2 2.4.3
XMLSoft Libxml2 2.4.2
XMLSoft Libxml2 2.3.14
XMLSoft Libxml2 2.3.13
XMLSoft Libxml2 2.3.12
XMLSoft Libxml2 2.3.10
XMLSoft Libxml2 2.3.8
XMLSoft Libxml2 2.3.7
XMLSoft Libxml2 2.3.6
XMLSoft Libxml2 2.3.5
XMLSoft Libxml2 2.3.4
XMLSoft Libxml2 2.2.11
XMLSoft Libxml2 2.2.10
XMLSoft Libxml2 2.2.7
XMLSoft Libxml2 2.2.6
XMLSoft Libxml2 2.2.5
XMLSoft Libxml2 2.2.4
XMLSoft Libxml2 2.2.3
XMLSoft Libxml2 1.8.14
XMLSoft Libxml2 1.8.10
XMLSoft Libxml2 1.8.9
XMLSoft Libxml2 1.8.5
XMLSoft Libxml2 1.8.4
XMLSoft Libxml2 1.8.3
XMLSoft Libxml2 1.8.1
XMLSoft Libxml2 1.8.1
XMLSoft Libxml2 1.7.4
XMLSoft Libxml2 1.7
XMLSoft Libxml2 2.9.3
XMLSoft Libxml2 2.9.2
XMLSoft Libxml2 2.9.1
XMLSoft Libxml2 2.6.29
XMLSoft Libxml2 2.6.28
XMLSoft Libxml2 2.6.27
XMLSoft Libxml2 2.6.25
XMLSoft Libxml2 2.6.0
XMLSoft Libxml2 2.5.7
XMLSoft Libxml2 2.5.0
XMLSoft Libxml2 2.4.25
XMLSoft Libxml2 2.4.1
XMLSoft Libxml2 2.3.3
XMLSoft Libxml2 2.3.2
XMLSoft Libxml2 2.3.11
XMLSoft Libxml2 2.3.1
XMLSoft Libxml2 2.3.0
XMLSoft Libxml2 2.2.9
XMLSoft Libxml2 2.2.8
XMLSoft Libxml2 2.2.2
XMLSoft Libxml2 2.2.1
XMLSoft Libxml2 2.2.0
XMLSoft Libxml2 2.1.1
XMLSoft Libxml2 2.1.0
XMLSoft Libxml2 2.0.0
XMLSoft Libxml2 1.8.7
XMLSoft Libxml2 1.8.6
XMLSoft Libxml2 1.8.16
XMLSoft Libxml2 1.8.13
XMLSoft Libxml2 1.7.3
XMLSoft Libxml2 1.7.2
XMLSoft Libxml2 1.7.1
Slackware Linux 14.1 x86_64
Slackware Linux 14.1
Slackware Linux 14.0 x86_64
Slackware Linux 14.0
Oracle VM Server for x86 3.4
Oracle VM Server for x86 3.3
Oracle Linux 7
Oracle Linux 6
IBM SmartCloud Entry 3.2 Fix Pack 19
IBM SmartCloud Entry 3.2 Fix Pack 18
IBM SmartCloud Entry 3.2 fix pack 14
IBM SmartCloud Entry 3.2 fix pack 13
IBM SmartCloud Entry 3.2 Fix Pack 11
IBM SmartCloud Entry 3.2 Appliance fix pack 2
IBM SmartCloud Entry 3.2 Appliance fix pack 1
IBM SmartCloud Entry 3.2
IBM SmartCloud Entry 3.1 FP 9
IBM SmartCloud Entry 3.1 fix pack 13
IBM SmartCloud Entry 3.1 Fix Pack 10
IBM SmartCloud Entry 3.1 Appliance fix pack 2
IBM SmartCloud Entry 3.1 Appliance fix pack 1
IBM SmartCloud Entry 3.1
IBM SmartCloud Entry 2.4 Fix Pack 2
IBM SmartCloud Entry 2.4 Appliance fix pack 6
IBM SmartCloud Entry 2.4 Appliance fix pack 4
IBM SmartCloud Entry 2.3 Fix Pack 2
IBM SmartCloud Entry 2.3 Fix Pack 1
IBM SmartCloud Entry 2.3 Appliance fix pack 6
IBM SmartCloud Entry 2.3 Appliance fix pack 4
IBM SmartCloud Entry 2.2 Fix Pack 2
IBM SmartCloud Entry 2.2 Fix Pack 1
IBM SmartCloud Entry 2.2 Appliance fix pack 6
IBM SmartCloud Entry 2.2 Appliance fix pack 4
IBM SmartCloud Entry 2.2
IBM SmartCloud Entry 3.2.0.4 FixPack 15
IBM SmartCloud Entry 3.2.0.4 FixPack 13
IBM SmartCloud Entry 3.2.0.4 fix pack 11
IBM SmartCloud Entry 3.2.0.4 Appliance FP
IBM SmartCloud Entry 3.2.0.4 Appliance FP
IBM SmartCloud Entry 3.2.0.4 Appliance FP
IBM SmartCloud Entry 3.2.0.4 Appliance FP
IBM SmartCloud Entry 3.2.0.4 Appliance FP
IBM SmartCloud Entry 3.2.0.4 Appliance FP
IBM SmartCloud Entry 3.2.0.4 Appliance FP
IBM SmartCloud Entry 3.2.0.4 Appliance FP
IBM SmartCloud Entry 3.2.0.4
IBM SmartCloud Entry 3.2.0.3
IBM SmartCloud Entry 3.2.0.2
IBM SmartCloud Entry 3.2.0.1
IBM SmartCloud Entry 3.2.0.0
IBM SmartCloud Entry 3.2.0 fix pack 9
IBM SmartCloud Entry 3.2.0 fix pack 8
IBM SmartCloud Entry 3.2.0 fix pack 10
IBM SmartCloud Entry 3.2 Appliance fixpac
IBM SmartCloud Entry 3.2 Appliance fixpac
IBM SmartCloud Entry 3.1.0.4 FixPack 15
IBM SmartCloud Entry 3.1.0.4 FixPack 12
IBM SmartCloud Entry 3.1.0.4 fix pack 10
IBM SmartCloud Entry 3.1.0.4 Appliance FP
IBM SmartCloud Entry 3.1.0.4 Appliance FP
IBM SmartCloud Entry 3.1.0.4 Appliance FP
IBM SmartCloud Entry 3.1.0.4 Appliance FP
IBM SmartCloud Entry 3.1.0.4 Appliance FP
IBM SmartCloud Entry 3.1.0.4 Appliance FP
IBM SmartCloud Entry 3.1.0.4 Appliance FP
IBM SmartCloud Entry 3.1.0.4 Appliance FP
IBM SmartCloud Entry 3.1.0.4
IBM SmartCloud Entry 3.1.0.3
IBM SmartCloud Entry 3.1.0.2
IBM SmartCloud Entry 3.1.0.1
IBM SmartCloud Entry 3.1.0.0
IBM SmartCloud Entry 3.1.0 fix pack 9
IBM SmartCloud Entry 3.1.0 fix pack 8
IBM SmartCloud Entry 3.1 FP 10
IBM SmartCloud Entry 3.1 Appliance fixpac
IBM SmartCloud Entry 3.1 Appliance fixpac
IBM SmartCloud Entry 2.4.0.5 JRE Update 5
IBM SmartCloud Entry 2.4.0.5 FixPack 5
IBM SmartCloud Entry 2.4.0.5 Appliance FP
IBM SmartCloud Entry 2.4.0.4 Appliance FP
IBM SmartCloud Entry 2.4.0.4 Appliance FP
IBM SmartCloud Entry 2.4.0.4 Appliance Fi
IBM SmartCloud Entry 2.4.0.4 Appliance Fi
IBM SmartCloud Entry 2.4.0.3 Appliance FP
IBM SmartCloud Entry 2.4.0.3 Appliance FP
IBM SmartCloud Entry 2.4.0 fix pack 1
IBM SmartCloud Entry 2.4.0
IBM SmartCloud Entry 2.3.0.4 Appliance FP
IBM SmartCloud Entry 2.3.0.4 Appliance FP
IBM SmartCloud Entry 2.3.0.4 Appliance Fi
IBM SmartCloud Entry 2.3.0.4 Appliance Fi
IBM SmartCloud Entry 2.3.0.3 JRE Update 5
IBM SmartCloud Entry 2.3.0.3 JRE Update 4
IBM SmartCloud Entry 2.3.0.3 FixPack 3
IBM SmartCloud Entry 2.3.0.3 Appliance FP
IBM SmartCloud Entry 2.3.0.3 Appliance FP
IBM SmartCloud Entry 2.3.0
IBM SmartCloud Entry 2.2.0.4 Appliance FP
IBM SmartCloud Entry 2.2.0.4 Appliance FP
IBM SmartCloud Entry 2.2.0.4 Appliance Fi
IBM SmartCloud Entry 2.2.0.4 Appliance Fi
IBM SmartCloud Entry 2.2.0.3 Appliance FP
IBM SmartCloud Entry 2.2.0.3 Appliance FP
IBM Security Privileged Identity Manager 2.0
IBM Security Network Protection 5.3.2
IBM Security Network Protection 5.3.1
IBM Security Network Protection 5.3.2.3
IBM Security Network Protection 5.3.2.2
IBM Security Network Protection 5.3.2.1
IBM Security Network Protection 5.3.1.9
IBM Security Network Protection 5.3.1.8
IBM Security Network Protection 5.3.1.7
IBM Security Network Protection 5.3.1.6
IBM Security Network Protection 5.3.1.5
IBM Security Network Protection 5.3.1.4
IBM Security Network Protection 5.3.1.3
IBM Security Network Protection 5.3.1.2
IBM Security Network Protection 5.3.1.1
IBM Security Guardium 10.1
IBM Security Guardium 10
IBM Security Access Manager for Web 8.0.1
IBM Security Access Manager for Web 8.0 3
IBM Security Access Manager for Web 8.0 2
IBM Security Access Manager for Web 8.0.1.4
IBM Security Access Manager for Web 8.0.1.3
IBM Security Access Manager for Web 8.0.1.2
IBM Security Access Manager for Web 8.0.1.1
IBM Security Access Manager for Web 8.0.1.0
IBM Security Access Manager for Web 8.0.0.5
IBM Security Access Manager for Web 8.0.0.4
IBM Security Access Manager for Web 8.0.0.0
IBM Security Access Manager for Web 7.0
IBM Security Access Manager for Mobile 8.0.1
IBM Security Access Manager for Mobile 8.0.1.4
IBM Security Access Manager for Mobile 8.0.1.3
IBM Security Access Manager for Mobile 8.0.1.2
IBM Security Access Manager for Mobile 8.0.1.1
IBM Security Access Manager for Mobile 8.0.0.5
IBM Security Access Manager for Mobile 8.0.0.4
IBM Security Access Manager for Mobile 8.0.0.3
IBM Security Access Manager for Mobile 8.0.0.2
IBM Security Access Manager for Mobile 8.0.0.1
IBM Security Access Manager for Mobile 8.0.0.0
IBM Security Access Manager for Mobile 8.0
IBM Security Access Manager 9.0.1.0
IBM Security Access Manager 9.0.0.1
IBM Security Access Manager 9.0
IBM Rational Systems Tester 3.3.0.7 Interim Fix
IBM Rational Systems Tester 3.3.0.7 Interim Fix
IBM Rational Systems Tester 3.3.0.7 Interim Fix
IBM Rational Systems Tester 3.3.0.7 Interim Fix
IBM Rational Systems Tester 3.3.0.7
IBM Rational Systems Tester 3.3.0.6
IBM Rational Systems Tester 3.3.0.5
IBM Rational Systems Tester 3.3.0.4
IBM Rational Systems Tester 3.3.0.3
IBM Rational Systems Tester 3.3.0.2
IBM Rational Systems Tester 3.3.0.1
IBM Rational Systems Tester 3.3
IBM RackSwitch G8332 7.7.23.0
IBM RackSwitch G8316 7.9.17.0
IBM RackSwitch G8264T 7.9.17.0
IBM RackSwitch G8264CS 7.8.14.0
IBM RackSwitch G8264 7.9.17.0
IBM RackSwitch G8264 7.11.7.0
IBM RackSwitch G8124/G8124-E 7.9.17.0
IBM RackSwitch G8124/G8124-E 7.11.7.0
IBM RackSwitch G8052 7.9.17.0
IBM RackSwitch G8052 7.11.7.0
IBM PowerKVM 3.1
IBM PowerKVM 2.1
IBM MQ Appliance M2001
IBM MQ Appliance M2000
IBM Lotus Protector for Mail Security 2.8 0
IBM Lotus Protector for Mail Security 2.8.1.0
IBM Lotus Protector for Mail Security 2.8.1
IBM DataPower Gateways 7.5.1.1
IBM DataPower Gateways 7.5.1.0
IBM DataPower Gateways 7.5.0.2
IBM DataPower Gateways 7.5.0.1
IBM DataPower Gateways 7.5.0.0
IBM DataPower Gateways 7.2.0.8
IBM DataPower Gateways 7.2.0.6
IBM DataPower Gateways 7.2.0.5
IBM DataPower Gateways 7.2.0.4
IBM DataPower Gateways 7.2.0.3
IBM DataPower Gateways 7.2.0.2
IBM DataPower Gateways 7.2.0.1
IBM DataPower Gateways 7.2.0.0
HP IceWall Federation Agent 3.0
eSignal eSignal 6.0.2
Bluecoat Security Analytics Platform 7.1
Bluecoat Security Analytics Platform 7.0
Bluecoat Security Analytics Platform 6.6
Bluecoat Proxysg 6.6
Bluecoat Proxysg 6.5
Bluecoat Norman Network Protection 5.3
Bluecoat Industrial Control Systems Network Scanner 5.3
Bluecoat Industrial Control System Protection 5.3
Bluecoat Director 6.1
Bluecoat AuthConnector 2.5
Bluecoat Advanced Secure Gateway 6.6
Apple watchOS 2.2.1
Apple watchOS 2.0.1
Apple watchOS 1.0.1
Apple watchOS 2.2
Apple watchOS 2.1
Apple watchOS 2.0
Apple watchOS 1.0
Apple Watch 0
Apple Mac Os X 10.11.3
Apple Mac Os X 10.11.2
Apple Mac Os X 10.11.1
Apple Mac Os X 10.11.5
Apple Mac Os X 10.11.4
Apple Mac Os X 10.11
Apple iTunes 12.3.2
Apple iTunes 12.3.1
Apple iTunes 11.2.1
Apple iTunes 11.1.5
Apple iTunes 11.1.4
Apple iTunes 11.1.3
Apple iTunes 11.1.2
Apple iTunes 11.1.1
Apple iTunes 11.0.5
Apple iTunes 11.0.4
Apple iTunes 11.0.2
Apple iTunes 10.6.3
Apple iTunes 10.6.1
Apple iTunes 10.5.1
Apple iTunes 10.1.2
Apple iTunes 9.2.1
Apple iTunes 9.0.2
Apple iTunes 9.0.1 .8
Apple iTunes 9.0.1
Apple iTunes 9.0
Apple iTunes 7.3.2
Apple iTunes 7.3.1
Apple iTunes 7.3
Apple iTunes 7.0.2
Apple iTunes 6.0.5
Apple iTunes 6.0.4
Apple iTunes 6.0.3
Apple iTunes 6.0.1
Apple iTunes 6.0
Apple iTunes 5.0
Apple iTunes 4.8
Apple iTunes 4.7
Apple iTunes 4.6
Apple iTunes 4.5
Apple iTunes 4.2 .72
Apple iTunes 9.2
Apple iTunes 9.1.1
Apple iTunes 9.1
Apple iTunes 9.0.3
Apple iTunes 8.2
Apple iTunes 8.1
Apple iTunes 8.0.2.20
Apple iTunes 7.4
Apple iTunes 12.4
Apple iTunes 12.3
Apple iTunes 12.2
Apple iTunes 12.0.1
Apple iTunes 11.2
Apple iTunes 11.1
Apple iTunes 11.0.3
Apple iTunes 11.0.1
Apple iTunes 11.0.0.163
Apple iTunes 11.0
Apple iTunes 10.7
Apple iTunes 10.6.1.7
Apple iTunes 10.6
Apple iTunes 10.5.3
Apple iTunes 10.5.2
Apple iTunes 10.5.1.42
Apple iTunes 10.5
Apple iTunes 10.4.1.10
Apple iTunes 10.4.1
Apple iTunes 10.4.0.80
Apple iTunes 10.4
Apple iTunes 10.3.1
Apple iTunes 10.3
Apple iTunes 10.2.2.12
Apple iTunes 10.2.2
Apple iTunes 10.2
Apple iTunes 10.1.1.4
Apple iTunes 10.1.1
Apple iTunes 10.1
Apple iTunes 10.0.1
Apple iTunes 10
Apple iPod Touch 0
Apple iPhone 0
Apple iPad 0
Apple iOS 5 0
Apple iOS 4 0
Apple iOS 9.3.2
Apple iOS 9.3.1
Apple iOS 9.2.1
Apple iOS 9.0.2
Apple iOS 9.0.1
Apple iOS 8.4.1
Apple iOS 7.2
Apple iOS 7.0.6
Apple iOS 7.0.5
Apple iOS 7.0.3
Apple iOS 7.0.2
Apple iOS 7.0.1
Apple iOS 6.3.1
Apple iOS 6.1.6
Apple iOS 6.1.4
Apple iOS 6.1.3
Apple iOS 4.2.1
Apple iOS 4.0.2
Apple iOS 4.0.1
Apple iOS 3.2.2
Apple iOS 3.2.1
Apple iOS 9.3
Apple iOS 9.2
Apple iOS 9.1
Apple iOS 9
Apple iOS 8.4
Apple iOS 8.3
Apple iOS 8.2
Apple iOS 8.1.3
Apple iOS 8.1.2
Apple iOS 8.1.1
Apple iOS 8.1
Apple iOS 8
Apple iOS 7.1.2
Apple iOS 7.1.1
Apple iOS 7.1
Apple iOS 7.0.4
Apple iOS 7
Apple iOS 6.1
Apple iOS 6.0.2
Apple iOS 6.0.1
Apple iOS 6
Apple iOS 5.1.1
Apple iOS 5.1
Apple iOS 5.0.1
Apple iOS 5
Apple iOS 4.3.5
Apple iOS 4.3.4
Apple iOS 4.3.3
Apple iOS 4.3.2
Apple iOS 4.3.1
Apple iOS 4.3
Apple iOS 4.2.9
Apple iOS 4.2.8
Apple iOS 4.2.7
Apple iOS 4.2.6
Apple iOS 4.2.5
Apple iOS 4.2.10
Apple iOS 4.2
Apple iOS 4.1
Apple iOS 4
Apple iOS 3.2
Apple iOS 3.1
Apple iOS 3.0
Apple iOS 2.1
Apple iOS 2.0 Not Vulnerable: XMLSoft Libxml2 2.9.4
IBM Security Privileged Identity Manager 2.0.2 Fixpack 8
IBM Security Network Protection 5.3.2.4
IBM Security Network Protection 5.3.1.10
Apple watchOS 2.2.2
Apple Mac Os X 10.11.6
Apple Mac Os X Security Update 2016
Apple iTunes 12.4.2
Apple iOS 9.3.3


SecurityFocus Vulnerabilities

Pokémon GO Spam, Ransomware, On the Rise

August 17, 2016 , 12:58 pm

Cisco Begins Patching Equation Group ASA Zero Day

August 24, 2016 , 5:53 pm

Yahoo Challenged on Claims Breach Was State-Sponsored Attack

September 29, 2016 , 2:15 pm

OpenSSL Fixes Critical Bug Introduced by Latest Update

September 26, 2016 , 10:45 am

500 Million Yahoo Accounts Stolen By State-Sponsored Hackers

September 22, 2016 , 3:47 pm

Yahoo Reportedly to Confirm Breach of Hundreds of Millions of Credentials

September 22, 2016 , 12:31 pm

Experts Want Transparency From Government’s Vulnerabilities Equities Process

September 20, 2016 , 2:41 pm

Bruce Schneier on Probing Attacks Testing Core Internet Infrastructure

September 15, 2016 , 11:15 am

Generic OS X Malware Detection Method Explained

September 13, 2016 , 9:14 am

Patched Android Libutils Vulnerability Harkens Back to Stagefright

September 9, 2016 , 2:06 pm

Chrome to Label Some HTTP Sites ‘Not Secure’ in 2017

September 8, 2016 , 3:43 pm

Threatpost News Wrap, September 2, 2016

September 2, 2016 , 9:00 am

Insecure Redis Instances at Core of Attacks Against Linux Servers

September 1, 2016 , 1:08 pm

Dropbox Forces Password Reset for Older Users

August 29, 2016 , 9:58 am

New Collision Attacks Against 3DES, Blowfish Allow for Cookie Decryption

August 24, 2016 , 8:00 am

Cisco Acknowledges ASA Zero Day Exposed by ShadowBrokers

August 17, 2016 , 4:06 pm

ProjectSauron APT On Par With Equation, Flame, Duqu

August 8, 2016 , 1:40 pm

Miller, Valasek Deliver Final Car Hacking Talk

August 4, 2016 , 3:26 pm

Researchers Go Inside a Business Email Compromise Scam

August 4, 2016 , 10:00 am

Export-Grade Crypto Patching Improves

August 3, 2016 , 10:00 am

Kaspersky Lab Launches Bug Bounty Program

August 2, 2016 , 9:00 am

Threatpost News Wrap, July 29, 2016

July 29, 2016 , 10:45 am

KeySniffer Vulnerability Opens Wireless Keyboards to Snooping

July 26, 2016 , 9:30 am

Upcoming Tor Design Battles Hidden Services Snooping

July 25, 2016 , 3:51 pm

EFF Files Lawsuit Challenging DMCA’s Restrictions on Security Researchers

July 21, 2016 , 1:18 pm

Oracle Patches Record 276 Vulnerabilities with July Critical Patch Update

July 20, 2016 , 9:21 am

Threatpost News Wrap, July 15, 2016

July 15, 2016 , 11:00 am

Academics Build Early-Warning Ransomware Detection System

July 14, 2016 , 1:05 pm

xDedic Hacked Server Market Resurfaces on Tor Domain

July 12, 2016 , 11:40 am

Conficker Used in New Wave of Hospital IoT Device Attacks

June 30, 2016 , 11:48 am

655,000 Healthcare Records Being Sold on Dark Web

June 28, 2016 , 10:00 am

Windows Zero Day Selling for $ 90,000

May 31, 2016 , 5:44 pm

Millions of Stolen MySpace, Tumblr Credentials Being Sold Online

May 31, 2016 , 1:37 pm

OTR Protocol Patched Against Remote Code Execution Flaw

March 10, 2016 , 10:23 am

Keystroke Recognition Uses Wi-Fi Signals To Snoop

August 25, 2016 , 2:19 pm

Critical MySQL Vulnerability Disclosed

September 12, 2016 , 11:00 am

PLC-Blaster Worm Targets Industrial Control Systems

August 5, 2016 , 4:49 pm

Android Patch Fixes Nexus 5X Critical Vulnerability

September 2, 2016 , 12:49 pm

WordPress Update Resolves XSS, Path Traversal Vulnerabilities

September 8, 2016 , 12:23 pm

Browser Address Bar Spoofing Vulnerability Disclosed

August 17, 2016 , 12:54 pm


Information Security Podcasts

A group of researchers from Princeton University, Karlstad University and KTH Royal Institute of Technology have devised two new correlation attacks that can be leveraged to deanonymize Tor users.

Collectively dubbed DefecTor, the attacks improve the efficacy of existing website fingerprinting attacks through the attacker’s ability to observe DNS traffic from Tor exit relays. The attacks offer great-to-perfect results – the latter mostly when identifying visitors to infrequently visited sites.

DefecTor: DNS-enhanced correlation attacks against Tor users

“It is well understood that low-latency anonymity networks such as Tor cannot protect against so-called global passive adversaries [i.e. those that can monitor both network traffic that enters and exits the network],” says Phillip Winter, a postdoctoral researcher in computer science at Princeton University and one of the group behind this latest research.

DefecTor attacks, on the other hand, can be leveraged by “semi-global” adversaries.

One of the most notable ones is Google, as it operates public DNS servers that observe almost 40% of all DNS requests exiting the Tor network.

“Additionally, Google can monitor some network traffic that is entering the Tor network: for example, via Google Fiber, via guard relays that are occasionally run in Google’s cloud, and formerly via meek app engine, which is now defunct,” Winter explains.

The researchers also found that DNS requests often traverse autonomous systems that the TCP connections made via Tor don’t transit, and this enables them to gain information about Tor users’ traffic.

While Tor developers are already working on implementing techniques to make website fingerprinting attacks harder to execute, there are other actions that can be taken to prevent DefecTor attacks, such as Tor relay operators ensuring that the network maintains more diversity into how exit relays resolve DNS domains.

The researchers added that their paper has yet to be peer reviewed, but if you’re interested in replicating their research, they have provided code, data, and replication instructions here.


Help Net Security

My organization is exploring the idea of implementing our own public key infrastructure. What are the benefits...

of having our own internal PKI -- especially in terms of costs and management?

It's quite common for large enterprises to run their own public key infrastructure (PKI), acting as an internal certificate authority (CA) and installing their own root certificate in the trust stores of all the company's devices. The main benefit of having internal PKI is that internal services can be configured to only accept certificates from the enterprise's own CA chain, in theory making it harder for hackers to impersonate genuine users. Digital certificates are a vital part of PKI security technologies like signed and encrypted email, signed documents, VPN access and SSL authentication because they provide a means to establish the ownership of an encryption key. The other benefit is that self-issued certificates are free, and that it's a solution that scales well. However, reality is somewhat different.

Microsoft Certificate Services, for example, provides all the software and programs needed to run an internal PKI, and is included with Windows enterprise servers. The root certificate can also be distributed to all domain-connected objects based on group policies. However, adding it to the trusted store of every version of every app on every machine is a lot more challenging. The certificates themselves may be free, but the resources required to securely manage internal PKI have to be factored into the overall cost. Not that many enterprises have internal IT staff who are qualified and capable of properly managing and securing a PKI in accordance with standards like CA/Browser Forum Baseline Requirements Certificate Policy for the Issuance and Management of Publicly-Trusted Certificates, or the Mozilla CA Certificate Policy.

The security and integrity of the root signing keys are critical and require physical as well as logical security controls to be deployed. The mission-critical nature of a PKI means enterprises must be able to provide a constant quality of service, and perform specialist tasks required in certificate lifecycle management and validation services, such as renewing certificates, maintaining and updating certificate revocation lists and running online certificate status protocol services.

Before deciding to implement internal PKI, carefully weigh the costs of the necessary hardware, staff and infrastructure against the costs of outsourcing. An in-house CA is only really useful for internal corporate use, as its certificates won't be trusted by devices and services outside of the organization. Internet-facing servers will still need a certificate from a publicly recognized CA. Most public CAs specializing in outsourcing now offer Active Directory integration and cost-effective certificate options for internal purposes, eliminating the hassle of managing an internal CA, while offering technical expertise and the latest in security technologies.

Ask the Expert: Want to ask Michael Cobb a question about application security? Submit your questions now via email. (All questions are anonymous.)

Next Steps

Find out how to address challenges in AWS Active Directory integration

Read about the fragmentation of common PKI approaches

Learn if the eDellRoot certificate vulnerability points to a larger problem

This was last published in September 2016

PRO+

Content

Find more PRO+ content and other member only offers, here.


SearchSecurity: Security Wire Daily News

========================================================================
| # Title : Exponent CMS versions 2.3.9 XSS vulnerability
| # Author : indoushka
| # email : [email protected]
| # Tested on : windows 8.1 FranASSais V.(Pro)
| # Version : 2.3.9
| # Vendor : https://sourceforge.net/projects/exponentcms/files/exponent-2.3.9.zip/download
| # Dork : n/a
========================================================================

poc :

This vulnerability affects :/source_selector.php.

Attack details :

URL encoded GET input time was set to 1485925200_947776'():;988077

The input is reflected inside <script> tag between single quotes.

poc :

/source_selector.php?action=showall&module=event&[email protected]&time=1485925200_947776'():;988077

Greetz : aua'>>a'1/2a'1/2a'dega'deg aua'degaua'degau a'>>a'*a'*auaua'>>------au-auau-a'deg a'degaua'degauPSaua'3a'>>au-------- aua'degauau!a'>>auau aua'degauaua'*oauaua'degau ------
|
jericho * Larry W. Cashdollar * moncet-1 * achraf.tn |
|
===================== pa'degaua'1/2a'>>au auauoauau aua'>>auauauauauauC/ =============================


Exploit Files ≈ Packet Storm

USN-3092-1: Samba vulnerability | Ubuntu

Jump to site nav

  • Jump to content
  • Cloud
    • Overview
    • Ubuntu OpenStack
    • Public cloud
    • Cloud tools
    • Cloud management
    • Ecosystem
    • Cloud labs
  • Server
    • Overview
    • Server management
    • Hyperscale
  • Desktop
    • Overview
    • Features
    • For business
    • For developers
    • Take the tour
    • Desktop management
    • Ubuntu Kylin
  • Phone
    • Overview
    • Features
    • Scopes
    • App ecosystem
    • Operators and OEMs
    • Carrier Advisory Group
    • Ubuntu for Android
  • Tablet
    • Design
    • Operators and OEMs
    • App ecosystem
  • TV
    • Overview
    • Experience
    • Industry
    • Contributors
    • Features and specs
    • Commercial info
  • Management
    • Overview
    • Landscape features
    • Working with Landscape
    • Return on investment
    • Compliance
    • Ubuntu Advantage
  • Download
    • Overview
    • Cloud
    • Server
    • Desktop
    • Ubuntu Kylin
    • Alternative downloads


Ubuntu Security Notices

  • info
  • discussion
  • exploit
  • solution
  • references
Aternity CVE-2016-5061 Multiple Cross Site Scripting Vulnerabilities

Bugtraq ID: 93210
Class: Input Validation Error
CVE: CVE-2016-5061
CVE-2016-5061
CVE-2016-5061
CVE-2016-5061
CVE-2016-5061
Remote: Yes
Local: No
Published: Sep 28 2016 12:00AM
Updated: Sep 29 2016 12:01AM
Credit: Matthew Benton and Richard Kelley.
Vulnerable: Aternity Aternity 9
Not Vulnerable:


SecurityFocus Vulnerabilities