HTB22900: Multiple XSS vulnerabilities in SyndeoCMS
2011-03-24, advisory htbridge ch
Vulnerability ID: HTB22900 Reference: http://www.htbridge.ch/advisory/multiple_xss_vulnerabilities_in_syndeocms.html Product: SyndeoCMS Vendor: http://www.syndeocms.org/ ( http://www.syndeocms.org/ ) Vulnerable Version: 2.8.02 Vendor Notification: 10 March 2011 Vulnerability Type: XSS (Cross Site [ more ] [ reply ]

HTB22898: XSRF (CSRF) in Ripe website manager
2011-03-24, advisory htbridge ch
Vulnerability ID: HTB22898 Reference: http://www.htbridge.ch/advisory/xsrf_csrf_in_ripe_website_manager.html Product: Ripe website manager Vendor: Ripe website manager Team ( http://www.ripewebsitemanager.com/ ) Vulnerable Version: 1.1 and probably prior versions Vendor Notification: 10 March 2011 [ more ] [ reply ]

CORE-2011-0208: VLC Vulnerabilities handling .AMV and .NSV files
2011-03-23, CORE Security Technologies Advisories (advisories coresecurity com)

Re: Vulnerabilities in some SCADA server softwares
2011-03-23, Simple Nomad (thegnome nmrc org)
On 03/23/2011 01:36 PM, J. Oquendo wrote: > You're flawed in your response: "Public exposure increases the > visibility, and therefore customers install the patches quicker." ... > When someone "full discloses" a vulnerability, there is no patch to > install quicker. This is obvious because there is [ more ] [ reply ]

Re: Vulnerabilities in some SCADA server softwares
2011-03-23, Mike Hoskins (michoski cisco com)
On 3/23/11 9:46 AM, J. Oquendo wrote: > How about we reflect reality? We can't honestly do that, we all only have our perception. It's funny how we can get stuck in a trap of 0 and 1. My perception is we'll always disagree on disclosure technique, or at least nitpick some minor detail into infi [ more ] [ reply ]

ZDI-11-111: (0Day) Hewlett-Packard Virtual SAN Appliance hydra.exe Login Request Remote Code Execution Vulnerability
2011-03-23, ZDI Disclosures (zdi-disclosures tippingpoint com)
ZDI-11-111: (0Day) Hewlett-Packard Virtual SAN Appliance hydra.exe Login Request Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-11-111 March 23, 2011 -- CVSS: 10, (AV:N/AC:L/Au:N/C:C/I:C/A:C) -- Affected Vendors: Hewlett-Packard -- Affected Products: Hewlett [ more ] [ reply ]

Re: Vulnerabilities in some SCADA server softwares
2011-03-23, Luigi Auriemma (aluigi autistici org)
> I fundamentally disagree with the idea that public disclosure > as a means of vendor notification serves any purpose no problem, if you don't agree with full-disclosure or how I and the other researchers like me handle these security vulnerabilities you have the full power and freedom of finding [ more ] [ reply ]

Re: Vulnerabilities in some SCADA server softwares
2011-03-23, Theo de Raadt (deraadt cvs openbsd org)
> On 3/23/2011 2:13 PM, Theo de Raadt wrote: > >> If *any* threat exists, > >> that threat is increased by public exposure of unmitigated attack > >> methodology > > I think you have it wrong. > > > > Public exposure increases the visibility, and therefore customers > > install the patches quicker. [ more ] [ reply ]

Re: Vulnerabilities in some SCADA server softwares
2011-03-23, J. Oquendo (sil infiltrated net)
On 3/23/2011 2:13 PM, Theo de Raadt wrote: >> If *any* threat exists, >> that threat is increased by public exposure of unmitigated attack >> methodology > I think you have it wrong. > > Public exposure increases the visibility, and therefore customers > install the patches quicker. > > Without publ [ more ] [ reply ]

Re: Vulnerabilities in some SCADA server softwares
2011-03-23, Theo de Raadt (deraadt cvs openbsd org)
> If *any* threat exists, > that threat is increased by public exposure of unmitigated attack > methodology I think you have it wrong. Public exposure increases the visibility, and therefore customers install the patches quicker. Without public visibility, they will keep running the old code. [ more ] [ reply ]

Re: Vulnerabilities in some SCADA server softwares
2011-03-23, Kent Borg (kentborg borg org)
J. Oquendo wrote: > At what point in time did you try contacting any of the vendors for > these issues? SCADA systems are infamous for being terribly insecure. (You can search the internet for demonstration video of equipment catching fire because of such bugs.) SCADA manufacturers seem to hav [ more ] [ reply ]

PHP-Nuke 8.x <= Cross Site Scripting Vulnerability
2011-03-23, YGN Ethical Hacker Group (lists yehg net)
PHP-Nuke 8.x <= Cross Site Scripting Vulnerability 1. OVERVIEW The PHP-Nuke version 8.x and lower are vulnerable to Cross Site Scripting. 2. BACKGROUND PHP-Nuke is a Web Portal System or content management system. The goal of PHP-Nuke is to have an automated web site to distribute news and a [ more ] [ reply ]

PHP-Nuke 8.x <= "chng_uid" Blind SQL Injection Vulnerability
2011-03-23, YGN Ethical Hacker Group (lists yehg net)
PHP-Nuke 8.x <= Blind SQL Injection Vulnerability 1. OVERVIEW The administration backend of PHP-Nuke 8.x is vulnerable to Blind SQL Injection. 2. BACKGROUND PHP-Nuke is a Web Portal System or content management system. The goal of PHP-Nuke is to have an automated web site to distribute news a [ more ] [ reply ]

Re: Vulnerabilities in some SCADA server softwares
2011-03-23, J. Oquendo (sil infiltrated net)
On 3/23/2011 12:54 PM, Luigi Auriemma wrote: >> I fundamentally disagree with the idea that public disclosure >> as a means of vendor notification serves any purpose > so now the question is, why don't all these "good guys" spend their > personal time and skills to find these vulnerabilities and rep [ more ] [ reply ]

ZDI-11-112: (0 day) Hewlett-Packard Data Protector Media Operations DBServer.exe Remote Code Execution Vulnerability
2011-03-23, ZDI Disclosures (zdi-disclosures tippingpoint com)
ZDI-11-112: (0 day) Hewlett-Packard Data Protector Media Operations DBServer.exe Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-11-112 March 23, 2011 -- CVSS: 10, (AV:N/AC:L/Au:N/C:C/I:C/A:C) -- Affected Vendors: Hewlett-Packard -- Affected Products: Hewlett [ more ] [ reply ]

RE: Vulnerabilities in some SCADA server softwares
2011-03-23, Jim Harrison (jim isatools org)
You appear to assume that because no one else has reported these vulns publicly that no one else has discovered them. This is false logic; proof is not satisfied by a lack of evidence to the contrary. To be clear, I do appreciate researchers who spend their time seeking and reporting security issue [ more ] [ reply ]

Re: Vulnerabilities in some SCADA server softwares
2011-03-23, Michal Zalewski (lcamtuf coredump cx)
> I believe the best course of action for a SCADA vulnerability would be to let the vendor know first, That's fine, but the controversy around the proper mode of disclosure is here to stay. For every good argument you make, there is an equally compelling counter-argument that other reasonable peop [ more ] [ reply ]

PHP-Nuke 8.x <= Cross Site Request Forgery (CSRF) / Anti-CSRF Bypass Vulnerability
2011-03-23, YGN Ethical Hacker Group (lists yehg net)
PHP-Nuke 8.x <= Cross Site Request Forgery (CSRF) / Anti-CSRF Bypass Vulnerability 1. OVERVIEW The PHP-Nuke version 8.x and lower versions are vulnerable to Cross Site Request Forgery (CSRF) because its Anti-CSRF mechanism (Referer Check) is found to be broken. 2. BACKGROUND PHP-Nuke is a We [ more ] [ reply ]

Re: Vulnerabilities in some SCADA server softwares
2011-03-23, R Michael Williams (rmwstealth comcast net)
While I support full disclosure, I also advocate responsible disclosure. The public _has_ a right to know, but in this case, they can play no significant part in remedy or mitigation unless they are employees of the vendor or the customer. I believe the best course of action for a SCADA vulnerabil [ more ] [ reply ]

RE: Vulnerabilities in some SCADA server softwares
2011-03-23, Jim Harrison (Jim isatools org)
Michal, First; while I agree with your statement regarding the overuse of car analogies, the comparison is accurate and fair in this case. The vendor's customers are now potentially at greater risk because of this announcement that includes no mitigation. Second; I fundamentally disagree with the [ more ] [ reply ]

Re: Buffer overflow in libtiff in Imagemagick
2011-03-23, Vladimir '3APA3A' Dubrovin (3APA3A SECURITY NNOV RU)
Dear zgmzgm (at) mail.ustc.edu (dot) cn [email concealed], This is stack overflow (stack memory exhaustion), most probably because of recursion. This is not buffer overflow (stack overrun). --Monday, March 21, 2011, 10:11:17 AM, you wrote to bugtraq (at) securityfocus (dot) com [email concealed]: zmuec> ==1812== Access not within mapped region at add [ more ] [ reply ]

Joomla! 1.6.0 | Information Disclosure/Full Path Disclosure Vulnerability
2011-03-23, YGN Ethical Hacker Group (lists yehg net)
Joomla! 1.6.0 | Information Disclosure/Full Path Disclosure Vulnerability 1. OVERVIEW Joomla! 1.6.0 is vulnerable to Full Path Disclosure. 2. BACKGROUND Joomla is a free and open source content management system (CMS) for publishing content on the World Wide Web and intranets. It comprises a m [ more ] [ reply ]

XSS in Oracle default fcgi-bin/echo
2011-03-23, paul szabo sydney edu au
Long ago, I wrote about an XSS vulnerability in Oracle fcgi-bin/echo : http://lists.grok.org.uk/pipermail/full-disclosure/2010-October/076794.html http://www.securityfocus.com/archive/1/514181 The issue may now be fixed in the latest versions of Oracle web servers: http://www.integrigy.com/ora [ more ] [ reply ]

ZDI-11-110: (0day) IBM Lotus Domino Server Controller Authentication Bypass Remote Code Execution Vulnerability
2011-03-22, ZDI Disclosures (zdi-disclosures tippingpoint com)
ZDI-11-110: (0day) IBM Lotus Domino Server Controller Authentication Bypass Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-11-110 March 22, 2011 -- CVSS: 10, (AV:N/AC:L/Au:N/C:C/I:C/A:C) -- Affected Vendors: IBM -- Affected Products: IBM Lotus Domino -- Vul [ more ] [ reply ]
Hash: SHA1
- ------------------------------------------------------------------------
-
Debian Security Advisory DSA-2202-1 security (at) debian (dot) org [email concealed]
http://www.debian.org/security/ Stefan Fritsch
March 23, 2011
[ more ] [ reply ]