BugTraq
[ MDVSA-2011:054 ] java-1.6.0-openjdk 2011-03-27
security mandriva com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2011:054
http://www.mandriva.com/security/
______________________________________________________________________

Wordpress plugin BackWPup Remote and Local Code Execution Vulnerability - SOS-11-003 2011-03-28
Lists (lists senseofsecurity com au)
Sense of Security - Security Advisory - SOS-11-003

Release Date. 28-Mar-2011
Last Update. -
Vendor Notification Date. 25-Mar-2011
Product. Wordpress Plugin BackWPup
Platform. Independent
Affected versions.

SimplisCMS 1.0.3.0 Remote File Disclosure Vulnerability 2011-03-27
root d99y com
##########################################################
# Exploit Title: SimplisCMS 1.0.3.0 Remote File Disclosure Vulnerability
# home : http://www.D99Y.com
# Date: 27/3/2011
# Author: NassRawI
# Software Link: http://modcove.com/index.php
# Demo : http://modcove.com/index.php?page=demo
# Versi

TSSA-2011-01 xpdf : multiple vulnerabilities allow remote code execution 2011-03-27
Advisories Toucan-System (advisories toucan-system com)
---------------------------------------------------------------------------
* xpdf : multiple vulnerabilities in t1lib *
* allow arbitrary remote code execution *
---------------------------------------------------------------------------

[security bulletin] HPSBMA02649 SSRT100430 rev.1 - HP Diagnostics, Remote Cross Site Scripting (XSS) 2011-03-28
security-alert hp com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c02770512
Version: 1

HPSBMA02649 SSRT100430 rev.1 - HP Diagnostics, Remote Cross Site Scripting (XSS)

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

[SECURITY] [DSA 2204-1] imp4 security update 2011-03-27
white debian org (Steffen Joeris)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2204-1 security@debian.org
http://www.debian.org/security/ Steffen Joeris
March 27, 2011

SimplisCMS 1.0.3.0 SQL injection / Cross Site Scripting 2011-03-27
root d99y com
##########################################################
# Exploit Title: SimplisCMS 1.0.3.0 SQL injection / Cross Site Scripting
# home : http://www.D99Y.com
# Date: 27/3/2011
# Author: NassRawI
# Software Link: http://modcove.com/index.php
# Demo : http://modcove.com/index.php?page=demo
# Versi

[SECURITY] [DSA 2203-1] nss security update 2011-03-26
Moritz Muehlenhoff (jmm debian org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2203-1 security@debian.org
http://www.debian.org/security/ Moritz Muehlenhoff
March 26, 2011

[USN-1093-1] Linux Kernel vulnerabilities (Marvell Dove) 2011-03-25
Jamie Strandboge (jamie canonical com)
===========================================================
Ubuntu Security Notice USN-1093-1 March 25, 2011
linux-mvl-dove vulnerabilities
CVE-2010-2478, CVE-2010-2942, CVE-2010-2943, CVE-2010-2954,
CVE-2010-2955, CVE-2010-2960, CVE-2010-2962, CVE-2010-2963,
CVE-2010-3067, CVE-2010-3078,

Unidesk ReportingService Forceful Browsing Vulnerability 2011-03-25
np securitypentest com
------------------------------------------------------------------

1. Summary:

Unidesk management appliance is prone to a forceful browsing vulnerability that allows an attacker access to administrator resources.

------------------------------------------------------------------

2. Description:

[USN-1092-1] Linux Kernel vulnerabilities 2011-03-25
Jamie Strandboge (jamie canonical com)
===========================================================
Ubuntu Security Notice USN-1092-1 March 25, 2011
linux-source-2.6.15 vulnerabilities
CVE-2010-4076, CVE-2010-4077, CVE-2010-4158, CVE-2010-4162,
CVE-2010-4163, CVE-2010-4242
=======================================================

Parallels Plesk 7.0 - 8.2 | Open URL Redirection Vulnerability 2011-03-25
YGN Ethical Hacker Group (lists yehg net)
Parallels Plesk 7.0 - 8.2 | Open URL Redirection Vulnerability

1. OVERVIEW

The Plesk versions from 7.0 to 8.2 are vulnerable to Open URL
Redirection when "Enable webuser@domain.com" access format, a new
feature introduced in Plesk 7.0, is enabled in user preferences.

2. BACKGROUND

Parallels Pl

Re: Vulnerabilities in some SCADA server softwares 2011-03-24
Willy Tarreau (w 1wt eu)
On Wed, Mar 23, 2011 at 02:36:38PM -0400, J. Oquendo wrote:
> On 3/23/2011 2:13 PM, Theo de Raadt wrote:
> >> If *any* threat exists,
> >> that threat is increased by public exposure of unmitigated attack
> >> methodology
> > I think you have it wrong.
> >
> > Public exposure increases the visibilit

NGS00051 Patch Notification: Cisco VPN Client Privilege Escalation 2011-03-25
Research@NGSSecure (research ngssecure com)
High Risk Vulnerability in Cisco VPN client (Windows 64 bit)

25 March 2011

Gavin Jones of NGS Secure has discovered a High risk vulnerability in the Cisco VPN client (Windows 64 bit).

Impact: Privilege Escalation

Cisco has released a patch that addresses the issue. The announcement of this patch

ESA-2011-010: EMC Data Protection Advisor Collector arbitrary code execution with elevated privileges vulnerability 2011-03-25
Security_Alert emc com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

ESA-2011-010: EMC Data Protection Advisor Collector arbitrary code execution with elevated privileges vulnerability

EMC Identifier: ESA-2011-010

CVE Identifier: CVE-2011-1420

Severity Rating: CVSS v2 Base Score: 6.8 (AV:L/AC:L/Au:S/C:C/I:C/A:C

[USN-1091-1] Firefox and Xulrunner vulnerabilities 2011-03-25
Micah Gersten (micah canonical com)
===========================================================
Ubuntu Security Notice USN-1091-1 March 25, 2011
firefox, firefox-{3.0,3.5}, xulrunner-1.9.2 vulnerabilities
https://launchpad.net/bugs/741528
===========================================================

A security issue affects

Re: Vulnerabilities in some SCADA server softwares 2011-03-24
Michal Zalewski (lcamtuf coredump cx)
> A lot of people are failing to see the vendors customer side of things.
> Industrial Control Systems (ICS), SCADA users, historically have their
> focus on availability (you don't want your electricity/water/petrochemicals
> being cut now do you) and safety (no one wants to die making sure you get

Re: Vulnerabilities in some SCADA server softwares 2011-03-24
CJC (parttimesecurityguy gmail com)
On 23/03/2011 6:13 PM, Theo de Raadt wrote:
>> If *any* threat exists,
>> that threat is increased by public exposure of unmitigated attack
>> methodology
> I think you have it wrong.
>
> Public exposure increases the visibility, and therefore customers
> install the patches quicker.
>
> Without pub

Re: Vulnerabilities in some SCADA server softwares 2011-03-24
Kent Borg (kentborg borg org)
Simple Nomad wrote:
> 2. Ensure that these systems, if they exist, are not accessible from
> either the Internet or even the local network where most of the users
> are.

Much easier said than done.

The really scary SCADA systems are small cogs in large facilities that
have been built up o

HTB22901: SQL injection in SyndeoCMS 2011-03-24
advisory htbridge ch
Vulnerability ID: HTB22901
Reference: http://www.htbridge.ch/advisory/sql_injection_in_syndeocms.html
Product: SyndeoCMS
Vendor: http://www.syndeocms.org/ ( http://www.syndeocms.org/ )
Vulnerable Version: 2.8.02
Vendor Notification: 10 March 2011
Vulnerability Type: SQL injection
Risk level: High

Re: Vulnerabilities in some SCADA server softwares 2011-03-23
bugtraq cgisecurity net
> > If *any* threat exists,
> > that threat is increased by public exposure of unmitigated attack
> > methodology
>
> I think you have it wrong.
>
> Public exposure increases the visibility, and therefore customers
> install the patches quicker.
>
> Without public visibility, they will keep runni

Re: Vulnerabilities in some SCADA server softwares 2011-03-23
Simple Nomad (thegnome nmrc org)
On 03/23/2011 03:01 PM, Jim Harrison wrote:
> BTW, now that you know about it and there is no defined mitigation, what
> exactly *will* you do about it?

This seems rather obvious, but....

1. Ensure none of the affected SCADA systems are present on my work's
network (BTW none are present on my hom

HTB22899: Path disclosure in SyndeoCMS 2011-03-24
advisory htbridge ch
Vulnerability ID: HTB22899
Reference: http://www.htbridge.ch/advisory/path_disclosure_in_syndeocms.html
Product: SyndeoCMS
Vendor: http://www.syndeocms.org/ ( http://www.syndeocms.org/ )
Vulnerable Version: 2.8.02
Vendor Notification: 10 March 2011
Vulnerability Type: Path disclosure
Risk level: L

HTB22896: SQL injection vulnerability in Ripe website manager 2011-03-24
advisory htbridge ch
Vulnerability ID: HTB22896
Reference: http://www.htbridge.ch/advisory/blind_sql_injection_vulnerability_in_ripe_website_manager.html
Product: Ripe website manager
Vendor: Ripe website manager Team ( http://www.ripewebsitemanager.com/ )
Vulnerable Version: 1.1 and probably prior versions
Vendor Noti

Re: Vulnerabilities in some SCADA server softwares 2011-03-23
Jamie Riden (jamie riden gmail com)
The correct time for vendors to do their own homework on SCADA was
2003 - that was the wakeup call. Anyone who has programmed for SCADA
has always wondered what would happen if they started poking
undocumented values into undocumented registers, but may not have the
luxury of trying it out.

Having

Re: Vulnerabilities in some SCADA server softwares 2011-03-23
Pavel Kankovsky (peak argo troja mff cuni cz)
On Mon, 21 Mar 2011, J. Oquendo wrote:

> Reality: Car manufacturer was never made aware of the issue. How do you
> propose a manufacturer fix an issue?

Due diligence. If you sell a car that falls apart when someone pokes it
with a finger--or a piece of mission-critical software where someone with

Re: Vulnerabilities in some SCADA server softwares 2011-03-23
J. Oquendo (sil infiltrated net)
On 3/23/2011 11:27 AM, Kent Borg wrote:
> Would I install a stack of SCADA upgrades to *my* functioning
> factory? Maybe not.
>
> Scary, scary stuff.
>
> Security needs to be designed in, implemented carefully each step
> along the way, and reviewed. Instead people with "security" in their
> job t

HTB22895: XSS vulnerability in Ripe website manager 2011-03-24
advisory htbridge ch
Vulnerability ID: HTB22895
Reference: http://www.htbridge.ch/advisory/xss_vulnerability_in_ripe_website_manager.html
Product: Ripe website manager
Vendor: Ripe website manager Team ( http://www.ripewebsitemanager.com/ )
Vulnerable Version: 1.1 and probably prior versions
Vendor Notification: 10 Mar

HTB22897: SQL injection vulnerability in Ripe website manager 2011-03-24
advisory htbridge ch
Vulnerability ID: HTB22897
Reference: http://www.htbridge.ch/advisory/sql_injection_vulnerability_in_ripe_website_manager.html
Product: Ripe website manager
Vendor: Ripe website manager Team ( http://www.ripewebsitemanager.com/ )
Vulnerable Version: 1.1 and probably prior versions
Vendor Notificati

HTB22902: XSS in SyndeoCMS 2011-03-24
advisory htbridge ch
Vulnerability ID: HTB22902
Reference: http://www.htbridge.ch/advisory/xss_in_syndeocms.html
Product: SyndeoCMS
Vendor: http://www.syndeocms.org/ ( http://www.syndeocms.org/ )
Vulnerable Version: 2.8.02
Vendor Notification: 10 March 2011
Vulnerability Type: XSS (Cross Site Scripting)
Risk level: Me

Copyright 2010, SecurityFocus