iDEFENSE Security Advisory 11.08.02b: Non-Explicit Path Vulnerability in QNX Neutrino RTOS 2002-11-08
David Endler (dendler idefense com)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

iDEFENSE Security Advisory 11.08.02b:
http://www.idefense.com/advisory/11.08.02b.txt
Non-Explicit Path Vulnerability in QNX Neutrino RTOS
November 8, 2002

I. BACKGROUND

QNX Software Systems Ltd.'s Neutrino RTOS (QNX) is a real-time
operating system de

iDEFENSE Security Advisory 11.08.02a: File Disclosure Vulnerability in Simple Web Server 2002-11-08
David Endler (dendler idefense com)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

iDEFENSE Security Advisory 11.08.02a:
http://www.idefense.com/advisory/11.08.02a.txt
File Disclosure Vulnerability in Simple Web Server
November 8, 2002

I. BACKGROUND

As its name suggests, Peter Sandvik's Simple Web Server is a
Linux-based web server.

Re: A technique to mitigate cookie-stealing XSS attacks 2002-11-08
Steven M. Christey (coley linus mitre org)

For a small data point regarding the need to (somehow) address XSS
vulnerabilities: according to CVE statistics, XSS issues are the
second most frequently reported vulnerability type this year [1],
behind buffer overflows (though new "flavors" of overflows help to
maintain that #1 position.) Note:

Re: How to execute programs with parameters in IE - Sandblad advisory #10 2002-11-08
jelmer (jkuperus xs4all nl)
Hi Andreas

I just read his reply as well and I don't agree with him on some points. Sure
enough there are ways to execute code despite restrictions such as you
mention (not running ActiveX components not marked safe for scripting),
like the http-equiv thingie where you drop a file (which is really my i

Re: A technique to mitigate cookie-stealing XSS attacks 2002-11-08
Nick Simicich (njs scifi squawk com) (1 replies)
At 10:44 AM 2002-11-05 -0800, Michael Howard wrote:

>During the Windows Security Push in Feb/Mar 2002, the Microsoft Internet
>Explorer team devised a method to reduce the risk of cookie-stealing
>attacks via XSS vulnerabilities.

If I understand the XSS vulnerability correctly, it is all based on

Re: A technique to mitigate cookie-stealing XSS attacks 2002-11-08
Peter Watkins (peterw usa net)
Help Please 2002-11-08
Mark Litchfield (mark ngssoftware com)
Does anyone have or know of a security contact within www.real.com, as I
have a serious issue to report. Tried the website, only have technical
support and the web forms don't allow for much content.

Any help in this regard would be most appreciated.

Regards

Mark Litchfield
NGS Software Ltd
ht

Lotus Domino HTTP Server security issue 2002-11-07
Frank Perreault (frank harrystotle com)
Lotus Domino HTTP (version) banner will appear despite the
notes.ini 'DominoNoBanner=1' setting. To recreate:
formulate a URL requesting a non-existing NSF database.
Example: 'http://serverAddress/nosuchdb.nsf'

Has been verified on Lotus Domino 5.0.8, 5.0.9 and
5.0.9a. IBM Support is documen

Re: Accesspoints disclose wep keys, password and mac filter (fwd) 2002-11-07
informatik koerfer web de
In-Reply-To: <20021106185730.15557.qmail@mail.securityfocus.com>

>> Possibly vulnerable, not tested, OEM Version from GlobalSunTech:
>> D-Link DWL-900AP+ B1 version 2.1 and 2.2
>> ALLOY GL-2422AP-S
>> EUSSO GL2422-AP
>> LINKSYS

Re: Yahoo Messenger: Invisible User Detect 2002-11-07
Chris Caydes (chris_caydes yahoo com)
Hello,

I have seen this bug a few months ago and have been
using it every now and then since.

Yet, if the user is online in invisible mode and you
ask for his shared files, he will likely get a pop-up
telling him that someone is trying to access his
files. This probably depends on his security
pre

RES: A technique to mitigate cookie-stealing XSS attacks 2002-11-06
AQBARROS BKB com br (1 replies)
It is a very interesting idea, but it would take some years to start to take
effect, as non-compatible browsers would still be on the market for a few
years. Can't we find a solution that works on current browsers?

Initially, I thought about encrypting cookie content with a server based
key. But th

Re: RES: A technique to mitigate cookie-stealing XSS attacks 2002-11-08
Florian Weimer (Weimer CERT Uni-Stuttgart DE)
Re: A technique to mitigate cookie-stealing XSS attacks 2002-11-06
Matthew Collins (Matthew Collins northernregistrars co uk)
This seems the wrong way round to me.
After all, how often do you access cookies from client side code?
Personally, I've never done it.
I would have IE disallow all access to cookies from scripts, unless
either, it's disabled in security options (Allow scripts to access
cookies) or the server passes

Vulnerability in Cutecast Forum v1.2 2002-11-07
Zero-X www.lobnan.de Team (zero-x linuxmail org)
Vulnerability in Cutecast Forum v1.2

You can read passwords of all users. (Passwords in Plaintext)

Exploit:

http://www.website.com/cgi-bin/cutecast/members/<username>.user

Zero X, member of www.lobnan.de
--
______________________________________________
http://www.linuxmail.org/
Now with POP3/

[RHSA-2002:197-09] Updated glibc packages fix vulnerabilities in resolver 2002-11-07
bugzilla redhat com
---------------------------------------------------------------------
Red Hat, Inc. Red Hat Security Advisory

Synopsis: Updated glibc packages fix vulnerabilities in resolver
Advisory ID: RHSA-2002:197-09
Issue date: 2002-09-10
Updated on: 2002-11-06

[SECURITY] [DSA 191-1] New squirrelmail packages fix cross site scripting bugs 2002-11-07
joey infodrom org (Martin Schulze)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 191-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
November 7th, 2002

[RHSA-2002:242-06] Updated kerberos packages available 2002-11-07
bugzilla redhat com
---------------------------------------------------------------------
Red Hat, Inc. Red Hat Security Advisory

Synopsis: Updated kerberos packages available
Advisory ID: RHSA-2002:242-06
Issue date: 2002-11-07
Updated on: 2002-11-06
Product:

Yahoo Messenger: Invisible User Detect 2002-11-06
cringe (cringe 2600dfw com)
Yahoo! has been informed of this information, but has not yet responded.

Yahoo Messenger: Invisible User Detect

Vulnerable Versions:
Yahoo Messenger/MyYahoo Module
5,0,0,1046/3,0,0,423
5,0,0,1232/5,5,0,449

Note: These are the only versions tested, probably works on all versions.

Information:

Re: Accesspoints disclose wep keys, password and mac filter (fwd) 2002-11-06
informatik koerfer web de
In-Reply-To: <Pine.BSO.4.44.0211031440290.26887-100000@ghibli.knienieder.com>

> Possibly vulnerable, not tested, OEM Version from GlobalSunTech:
> D-Link DWL-900AP+ B1 version 2.1 and 2.2
> ALLOY GL-2422AP-S
> EUSSO GL2422-AP
>

RE: How to execute programs with parameters in IE - Sandblad advisory #10 2002-11-07
Thor Larholm (thor pivx com)
Unless I am missing something, this is definitely not a vulnerability in
itself but just a practical demonstration of the "assign method caching"
vulnerability.

Executing programs with or without parameters also becomes pointless once you
have complete access to a local security zone (in this case,

Copyright 2010, SecurityFocus