[CLA-2003:796] Conectiva Security Announcement - kernel
2003-12-05 Conectiva Updates (secure conectiva com br)
CONECTIVA LINUX SECURITY ANNOUNCEMENT PACKAGE : kernel SUMMARY : Fix for local do_brk() vulne [...]

RE: Intresting case of SQL Injection
2003-12-04 Scovetta, Michael V (Michael Scovetta ca com)
Martin, I've run into this, and my solution for MSSQL was to use Java PreparedStatements). It ties the data to a particular field, so you can pass in whatever you'd like, extra quotes, slashes, escape characters, and it doesn't make a difference. I actually pass that into a stored procedure, but [...]

Yahoo Messenger Flaw allows injection of JavaScript into IM Windows
2003-12-05 Chet Simpson (secure ytunnelpro com)
Title: Yahoo Messenger Flaw allows injection of JavaScript into IM Windows Author: Chet Simpson (secure (at) ytunnelpro (dot) com) Date: December 5th, 2003 Host Platforms tested: WindowsME and WindowsXP (sp1a) Target Applications tested: Yahoo Messenger 5.5 (Build 1249) Yahoo [...]

Re: Altova XMLSpy "phones home" user data
2003-12-05 Alexander Falk (al altova com)
In-Reply-To: <86ekvlkvmn.fsf (at) home.nest (dot) cx> >>>>>> "Bruno" == Bruno Lustosa <bruno (at) lustosa (dot) net> writes: > > Bruno> ... whenever someone will launch XMLSpy, the > Bruno> program will try to connect to Altova's servers, send some > Bruno> user info through a POST to a web server, and wait [...]

Intresting case of SQL Injection
2003-12-05 Sys Sec (syssec sysigsa com)
IMPORTANT INFORMATION FOR ALL DEVELOPERS OF PHP. I recommend that never leave to insert special characters in input box. Normally in Input Box only is necessary numeric or alphanumeric data. For solution this SQL Injection you can use these functions: ctype_alnum -- Check for alphanumeric charact [...]

Jason Maloney's Guestbook XSS Vulnerability.
2003-12-05 Shaun Colley (shaunige yahoo co uk)
Introduction: Jason Maloney's Guestbook is a simple CGI script which is both an easy to use and easy to setup guestbook script. The script fails to carefully sanitize user input, such as certain dangerous metacharacters, resulting in an XSS vulnerability. [...]

Re: Linksys WRT54G Denial of Service Vulnerability
2003-12-05 Eerik Kiskonen toptronics fi
Buffalo WBR-G54 (Firmware 1.30) is not vulnerable. It answers with "bad request" and the http server continues working without problems. ---- clip --- [stnz@starship stnz]# nc 192.168.11.1 80 GET HTTP/1.0 400 Bad Request Server: micro_httpd Date: Tue, 01 Jan 2002 06:04:15 GMT Content-Type: text/ht [...]

Cross Site Scripting in VP-ASP
2003-12-05 Xnuxer Research Laboratory (xnuxer linux net)
Advisory Name: Cross Site Scripting in VP-ASP Release Date: December 05st, 2003 Application: VP-ASP Version Affected: < 4.50 Platform: ASP Severity: Low Discover: Xnuxer Research Lab. (xnuxer (at) linux (dot) net, xnuxer (at) yahoo (dot) com) Vendor URL: http://www.vp-asp.com [...]

[Fwd: Security Alert; possible buffer overflow in all Mathopd versions]
2003-12-05 Gregor Lawatscheck (gpel mpex net)
-------- Original Message -------- Subject: Security Alert; possible buffer overflow in all Mathopd versions Date: Thu, 4 Dec 2003 22:33:26 +0100 (CET) From: Michiel Boland <michiel (at) boland (dot) org> To: mathopd (at) mathopd (dot) org Hi. During some testing, I came across a rather stupid and embarrassing buffer ov [...]

Problem with Appleshare IP FTP server
2003-12-05 Spencer Clark (spengy speng sytes net)
This affects versions 6.3.1 and lower. It will say 'Appleshare IP FTP server.' But, there is a problem with it, I'm not quite sure why, that when you login as an anonymous user, and type RMD / the system freezes. My bet is that because Non-OSX macs don't use slashes for directories, that the [...]

netscreen flaw?
2003-12-05 tito (mochafrap mix ph)
Hi! I have 5 NS500 boxes here with these details: Hardware Version: 4110(0) Software Version: 4.0.3r4.0 (Firewall+VPN) using netscreen's web UI on management, with the Idle timeout set to 15 minutes or if I want to logout, Internet Explorer would prompt me "The Web page you are viewing is [...]

Hot fix for do_brk bug
2003-12-04 canon nersc gov
Greetings, I've written a linux kernel module that can be used to hot fix a Linux system for the bug in do_brk. It scans the kernel space and replaces jmp and calls to do_brk to point to a wrapper routine instead. It also maps the symbol table to point to the wrapper. This only works on x86 and [...]

MDKSA-2003:111 - Updated rsync packages fix heap overflow vulnerability
2003-12-04 Mandrake Linux Security Team (security linux-mandrake com)

[iSEC] Linux kernel do_brk() vulnerability details
2003-12-04 Paul Starzetz (paul isec pl)
Hi, We have released a paper covering technical details of the do_brk() bug and the results of our research done while writing the exploit code. It also describes the numerous techniques we have used to create a very effective exploit code that leads [...]

[RHSA-2003:398-01] New rsync packages fix remote security vulnerability
2003-12-04 bugzilla redhat com

[CLA-2003:794] Conectiva Security Announcement - rsync
2003-12-04 Conectiva Updates (secure conectiva com br)
CONECTIVA LINUX SECURITY ANNOUNCEMENT PACKAGE : rsync SUMMARY : Fix for remote vulnerability [...]

Linux 4inarow game multiple vulnerabilities.
2003-12-04 Shaun Colley (shaunige yahoo co uk)
Introduction: 4inarow is a small network compatible Linux 4-in-a-row clone for two player. There's a few bugs in the client program which may allow an attacker to execute commands or run arbitrary code via a buffer overflow. 4inarow is not SUID or SGID 'games' by defa [...]

GLSA: kernel (200312-02)
2003-12-04 Rajiv Aaron Manglani (rajiv gentoo org)
GENTOO LINUX SECURITY ANNOUNCEMENT 200312-02 GLSA: 200312-02 package: kernel summary: [...]

GLSA: exploitable heap overflow in rsync (200312-03)
2003-12-04 Daniel Robbins (drobbins gentoo org)
GENTOO LINUX SECURITY ANNOUNCEMENT 200312-03 GLSA: 200312-03 summary: exploitable heap overflow in rsync severity: high date: [...]

[ESA-20031204-032] 'rsync' heap overflow vulnerability
2003-12-04 EnGarde Secure Linux (security guardiandigital com)

Intresting case of SQL Injection
2003-12-04 Martin Sarsale (runa@sytes) (runa runa sytes net) (1 replies)
Yesterday, we found an interesting case of SQL Injection. The application was developed under PHP 4.2.1, Apache and MSSQL. We started our tests by adding a ' (single quote) to the POST info. Since PHP escapes ' and " , turning the ' into a \' but SQL Server uses 2 single quotes ('') to escape a q [...]

Re: [ANNOUNCE] glibc heap protection patch
2003-12-03 William Robertson (wkr cs ucsb edu)
On Dec 03, 2003, at 01:52, Eugene Tsyrklevich wrote: > indeed, it should This has been patched to use /dev/urandom in v1.4, which also fixes a couple of other issues. > have you seen http://synflood.at/contrapolice/? your paper did not > mention > this. We didn't find this when we did our relat [...]
FYI: You can use a customized block page in /custom that does not display
the URL, such as creating a "Sorry, This URL is Blocked" page with your
company's logo. Heck, you can also just edit the "master.html" block page in
the /default dir to remove the URL displayed field.
-Greg
-----Original Me [...]