Web Application Security Mode:
(Page 2 of 330)  < Prev  1 2 3 4 5 6 7 8 9 10 11  Next >
RE: Smarter Mail All Versions - Privilege Escalation 2014-02-04
Martin O'Neal (martin oneal corsaire com)

> Maybe they should consider a more different
> approach to people trying to report security issues

Hi Mark,

These probably don't need to be cross posted to all the lists. How about jut keeping it to bugtraq where most people drop their vulns?

Martin...

This list is sponsored by Cenzic
--

[ more ]  [ reply ]
Smarter Mail All Versions - Privilege Escalation 2014-02-03
Mark Litchfield (mark securatary com)
This attack will allow a regular SmarterMail user to elevate their
privileges to Domain Administrator.

I tried to contact Smartmail with the usual security email aliases,
apparently they do not have any. I posted to their forum for a contact
and all I got was an email stating check you are runn

[ more ]  [ reply ]
Ektron CMS TakeOver Part (2) - PaylPal-Forward.com demonstration 2014-02-03
Mark Litchfield (mark securatary com)
As previously stated, I would post an update for Ektron CMS bypassing
the security fix.

A full step by step with the usual screen shots can be found at -
http://www.securatary.com/vulnerabilities

In this example, we use www.paypal-forward.com as a demonstration site.
I would like to say that P

[ more ]  [ reply ]
Ektron CMS Take Over - Hijacking Accounts 2014-01-30
Mark Litchfield (mark securatary com)
I have detailed a vulnerability within Ektron CMS that allows an
unauthenticated user to hijack any account. The clear targets of choice
for this CMS would be the builtin or admin account.

Whilst I found this issue back in 2012, it appears that around 65% are
still vulnerable and should be patc

[ more ]  [ reply ]
Yahoo SiteBuilder RCE 2014-02-01
Mark Litchfield (mark securatary com)
Full details posted at http://www.securatary.com/vulnerabilities with
the usual screen shots.

Apparently this vulnerability never existed the POC now produces a 404,
nothing to do with the fact that it has already been fixed of course.

I hope other researchers are not experiencing the same type

[ more ]  [ reply ]
Vulnerabilities within Mura CMS / Sitecore MCS / SmarterMail 2014-01-28
Mark Litchfield (mark securatary com)
These vulnerabilities allow for a complete take over giving full
administrative access as well as remote shells on the servers that they
are installed on.

Each of these suffer from Insecure Direct Object Reference Vulnerabilities.

Due to the details of the attack and screen shots, they can be fo

[ more ]  [ reply ]
nullcon Blackshield Awards 2014 2014-01-10
nullcon (nullcon nullcon net)
Dear All,

Its the time of the year, while we all are busy fighting against the
dark side of the cyber world, contributing our bits and bytes to make
the world a better & secure place, keeping our skills and armours
shining to defend against the Darks Arts, to take a pause and reflect
back.

Lets ta

[ more ]  [ reply ]
SpiderFoot 2.1.0 released 2014-01-05
Steve Micallef (steve binarypool com)
Hi everyone,

SpiderFoot 2.1.0 is now available, a major update over 2.0.5 which was
released back in September.

Major improvements are as follows:

- Identifies sites co-hosted on IPs of your target.
- Checks whether your target, affiliates or co-hosts have a bad
reputation (PhishTank, Google

[ more ]  [ reply ]
CFP - IEEE Co-sponsored CyberSec2014 - Lebanon Section 2014-01-01
The Third International Conference on Cyber Security, Cyber Warfare, and Digital Forensic (cyb2014 sdiwc net)
All the registered papers will be submitted to IEEE for potential
inclusion to IEEE Xplore as well as other Abstracting and Indexing (A&I)
databases.

TITLE: The Third International Conference on Cyber Security, Cyber
Warfare, and Digital Forensic (CyberSec2014)

EVENT VENUE: Lebanese University, Le

[ more ]  [ reply ]
Arachni v0.4.6-0.4.3 has been released (Open Source Web Application Security Scanner Framework) 2014-01-01
Tasos Laskos (tasos laskos gmail com)
Hey folks,

There's a new version of Arachni, an Open Source, modular and
high-performance Web Application Security Scanner Framework written in Ruby.

Brief list of changes:

Framework
----------
* Massively decreased RAM consumption.
* Amount of performed requests cut down by 1/3 -- and thus 1/3 d

[ more ]  [ reply ]
DEFCON DCG Kerala Information Security Meet 2014 CFP is Open Now. 2013-12-27
Ajin Abraham (ajin25 gmail com)
About DEFCON DCG Kerala
=================

Defcon DCG Kerala (DC0497) is a Defcon USA Registered group for
promoting and demonstrating research and development in the field of
Information Security. We are a group of Information Security
Enthusiasts actively interested in promoting information securi

[ more ]  [ reply ]
WebSurgery v1.1 released (Web application security testing suite) 2013-11-11
John Stamatakis (srgn ml googlemail com)
Overview
========
Sunrise is proudly announces WebSurgery v1.1!

WebSurgery is a suite of tools for security testing of web applications. It
is designed to address the ongoing needs of security auditors so to
facilitate them with web application planning and exploitation. Suite
currently contains a

[ more ]  [ reply ]
[CVE-2013-2751, CVE-2013-2752] NETGEAR ReadyNAS Remote Root 2013-10-22
Craig Young (vuln-report secur3 us)
NETGEAR ReadyNAS with firmware 4.2.x before 4.2.24 and 4.1.x before
4.1.12 is prone to command injection from an unauthenticated HTTP GET
request. This vulnerability can lead to complete root access as
outlined on the Tripwire blog:
http://www.tripwire.com/state-of-security/vulnerability-management

[ more ]  [ reply ]
Re: OWASP Vulnerable Web Applications Directory Project 2013-10-18
psiinon (psiinon gmail com)
And in converting my original email to text format the link got lost ;)

The project is here:
https://www.owasp.org/index.php/OWASP_Vulnerable_Web_Applications_Direct
ory_Project

Simon

On Fri, Oct 18, 2013 at 4:04 PM, psiinon <psiinon (at) gmail (dot) com [email concealed]> wrote:
> The OWASP Vulnerable Web Applications Direct

[ more ]  [ reply ]
OWASP Vulnerable Web Applications Directory Project 2013-10-18
psiinon (psiinon gmail com)
The OWASP Vulnerable Web Applications Directory (VWAD) Project is a
comprehensive and well maintained registry of all known vulnerable web
applications currently available. These vulnerable web applications
can be used by web developers, security auditors and penetration
testers to put in practice t

[ more ]  [ reply ]
OWASP Xenotix XSS Exploit Framework 4.5 is Relesed 2013-10-15
Ajin Abraham (ajin25 gmail com)
Hello,
OWASP Xenotix XSS Exploit Framework V4.5 is Released.

OWASP Xenotix XSS Exploit Framework is an advanced Cross Site
Scripting (XSS) vulnerability detection and exploitation framework. It
provides Zero False Positive scan results with its unique Triple
Browser Engine (Trident, WebKit

[ more ]  [ reply ]
ImmuniWeb® Self-Fuzzer 2013-10-02
ImmuniWeb® Self-Fuzzer (self-fuzzer htbridge com)
ImmuniWeb® Self-Fuzzer is a simple Firefox browser extension designed to
detect Cross-Site Scripting (XSS) and SQL Injection vulnerabilities in
web applications.

It demonstrates how rapidly and easily these two most common types of
web vulnerabilities can be found even by a person who is not fa

[ more ]  [ reply ]
Arachni v0.4.5.1-0.4.2 has been released (Open Source Web Application Security Scanner Framework) 2013-09-14
Tasos Laskos (tasos laskos gmail com)
Hey folks,

There's a new version of Arachni, an Open Source, modular and
high-performance Web Application Security Scanner Framework written in Ruby.

Brief list of changes:

* Optimized pattern matching to use less resources by grouping patterns to only
be matched against the per-platform pay

[ more ]  [ reply ]
secure cookies 2013-09-12
saghar estehghari (s estehghari gmail com)
Hi,

In the system that i'm working on, we are having some session cookies
on the client side that we need to protect against the replay attack !
So I find the following paper
http://www.cse.msu.edu/~alexliu/publications/Cookie/cookie.pdf and I
really like the way that they put thing together. Ther

[ more ]  [ reply ]
OWASP Zed Attack Proxy 2.2.0 2013-09-11
psiinon (psiinon gmail com)
Hi folks,

ZAP 2.2.0 is now available from http://code.google.com/p/zaproxy/downloads/list

This includes support for scripts embedded in ZAP components like the
active and passive scanners as well as support for Zest - a new
security focused scripting language from the Mozilla security team.
It als

[ more ]  [ reply ]
CBC Byte Flipping Attack 101 Approach 2013-09-10
Danux (danuxx gmail com)
Nothing new, just a 101 approach of this attack:

http://danuxx.blogspot.com/2013/09/cbc-byte-flipping-attack-101-approach
.html

--
DanUx

This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck

[ more ]  [ reply ]
Administrivia: Limited list admin for a little while 2013-09-05
Andrew van der Stock (vanderaj greebo net)
Hi there,

I will be off the grid for the next 10 days. Therefore, there will be
limited (i.e. none! nada! zip! zero!) posts approved until I get back.
This will the first time in 24 years that I've been away from the
Internet for this long.

Wish me luck!

thanks,
Andrew

This list is sponsored b

[ more ]  [ reply ]
SpiderFoot 2.0.4 released 2013-09-01
Steve Micallef (steve binarypool com)
Hi everyone,

I'm pleased to announce the release of SpiderFoot 2.0.4. SpiderFoot is a
free, multi-platform open-source footprinting and intelligence gathering
tool.

Since 2.0.0 was released in May, there have been a number of subsequent
releases not announced to these lists, so if you are upgra

[ more ]  [ reply ]
Checkout Passive Web Application Firewall (WAF) Testing Framework (like mod_security , naxsi etc) 2013-08-27
Bhaumik Merchant (wof bhaumik merchant gmail com)
Hello All,

Created one framework for Passively evaluating Web Application
Firewalls without
touching existing infrastructure and Web Application Firewall vendor
independent. Sniffing
(Passive mode) support for each and every Web Application Firewall
like mod_security. Code coming soon ! Checkout Ha

[ more ]  [ reply ]
Re: Forgotten Password 2013-08-21
saghar estehghari (s estehghari gmail com) (1 replies)
Hi list,

Thanks for the all the replies :)

@Clemens :The system is semi-trusted. This implies that we can't
access to user's data while he is offline (the data is encrypted at
rest). This is because the client is considered as a weakest link and
it is complicated for him to handle the keys secure

[ more ]  [ reply ]
Re: Forgotten Password 2013-08-21
Amol Arakh (amolarakh yahoo co in)
Samsung DVR authentication bypass 2013-08-20
Andrea Fabrizi (andrea fabrizi gmail com)
**************************************************************
Title: Samsung DVR authentication bypass
Version affected: firmware version <= 1.10
Vendor: Samsung - www.samsung-security.com
Discovered by: Andrea Fabrizi
Email: andrea.fabrizi (at) gmail (dot) com [email concealed]
Web: http://www.andreafabrizi.it
Twitter: @andre

[ more ]  [ reply ]
Forgotten Password 2013-08-20
saghar estehghari (s estehghari gmail com)
Hi,

In the system that I'm currently working on, the users authenticate
themselves using username and password. As this is kind of a secure
file sharing system, each user has a key that is drived from his
password and all of his data and files are encrypted using this key.

Since the password is no

[ more ]  [ reply ]
Awareness, Techniques, Careers 2013-08-13
Tom Brennan - OWASP (tomb owasp org)
Pardon the interruption;

OWASP Foundation presents,

AppSecUSA 2013

Http://www.appsecusa.org

Nov 18th - 21st, Time Square, NYC

Now back to your fuzzin

This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Web

[ more ]  [ reply ]
Arachni v0.4.4-0.4.2 has been released (Open Source Web Application Security Scanner Framework) 2013-08-12
Tasos Laskos (tasos laskos gmail com)
Hey folks,

There's a new version of Arachni, an Open Source, modular and
high-performance Web Application Security Scanner Framework written in Ruby.

The change-log is quite sizeable but some bullet points follow.

For the Framework (v0.4.4):

* New checks
* Source code disclosure (source_

[ more ]  [ reply ]
(Page 2 of 330)  < Prev  1 2 3 4 5 6 7 8 9 10 11  Next >


 

Privacy Statement
Copyright 2010, SecurityFocus