The PayPal Inc shipping application suffered from a cross site scripting vulnerability.
Monthly Archives: October 2014
SA-CONTRIB-2014-098 – CKEditor – Cross Site Scripting (XSS)
- Advisory ID: DRUPAL-SA-CONTRIB-2014-098
- Project: CKEditor – WYSIWYG HTML editor (third-party module)
- Version: 6.x, 7.x
- Date: 2014-October-15
- Security risk: 16/25 (Critical) AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:All
- Vulnerability: Cross Site Scripting
Description
The CKEditor module (and its predecessor, FCKeditor module) allows Drupal to replace textarea fields with CKEditor 3.x/4.x (FCKeditor 2.x in case of FCKeditor module) – a visual HTML editor, sometimes called WYSIWYG editor.
Both modules define a function, called via an ajax request, that filters text before passing it into the editor, to prevent certain cross site scripting attacks on content edits (that the JavaScript library might not handle). Because the function did not check a CSRF token for anonymous users, it was possible to perform reflected XSS against anonymous users via CSRF.
The problem existed in CKEditor/FCKeditor modules for Drupal, not in JavaScript libraries with the same names.
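As an added illustration (not the CKEditor or FCKeditor module's own code), the weak and hardened forms of such a Drupal 7 ajax filter callback; the module and function names are hypothetical, and it assumes the Drupal 7 API (hook_menu, drupal_valid_token, filter_xss, drupal_json_output) and that the page's JavaScript sends the token obtained from drupal_get_token('example_editor_filter').

```php
<?php
// Added illustration, not the CKEditor/FCKeditor module's code.
// Hypothetical module "example_editor"; Drupal 7 API assumed.

/**
 * Implements hook_menu(): the ajax path the editor posts text to.
 */
function example_editor_menu() {
  $items['example-editor/filter'] = array(
    'page callback' => 'example_editor_filter',
    // Anonymous users reach this path on sites where they may edit content.
    'access arguments' => array('access content'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Weak pattern: the third argument of drupal_valid_token() ($skip_anonymous)
 * makes the check pass unconditionally when $user->uid == 0. A cross-site
 * form submission (CSRF) from an anonymous victim's browser therefore reaches
 * the filter, and the body is reflected back and rendered as text/html.
 */
function example_editor_filter_weak() {
  $token = isset($_POST['token']) ? $_POST['token'] : '';
  if (!drupal_valid_token($token, 'example_editor_filter', TRUE)) {
    return MENU_ACCESS_DENIED;
  }
  $text = isset($_POST['text']) ? $_POST['text'] : '';
  print filter_xss($text, array('a', 'p', 'strong'));
  drupal_exit();
}

/**
 * Hardened pattern: accept POST only, require a valid token for every caller
 * (anonymous included), and answer with JSON so the browser never treats the
 * response as a document.
 */
function example_editor_filter() {
  $token = isset($_POST['token']) ? $_POST['token'] : '';
  if ($_SERVER['REQUEST_METHOD'] !== 'POST'
      || !drupal_valid_token($token, 'example_editor_filter')) {
    drupal_add_http_header('Status', '403 Forbidden');
    drupal_exit();
  }
  $text = isset($_POST['text']) ? $_POST['text'] : '';
  drupal_json_output(array('text' => filter_xss($text, array('a', 'p', 'strong'))));
}
```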
CVE identifier(s) issued
- A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
- CKEditor 7.x-1.x versions prior to 7.x-1.15.
- CKEditor 6.x-1.x versions prior to 6.x-1.14.
- FCKeditor 6.x-2.x versions prior to 6.x-2.3.
Drupal core is not affected. If you do not use the contributed CKEditor – WYSIWYG HTML editor module, there is nothing you need to do.
Solution
Install the latest version:
- If you use the CKEditor module for Drupal 7.x, upgrade to CKEditor 7.x-1.16
- If you use the CKEditor module for Drupal 6.x, upgrade to CKEditor 6.x-1.15
- If you use the FCKeditor module for Drupal 6.x, upgrade to FCKeditor 6.x-2.4
Also see the CKEditor – WYSIWYG HTML editor project page.
Reported by
Fixed by
- Wiktor Walc the module maintainer
- Nguyễn Hải Nam the module maintainer
- Matt Vance of the Drupal Security Team
Coordinated by
- Greg Knaddison of the Drupal Security Team
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.
SEC Consult SA-20141015-0 :: Potential Cross-Site Scripting in ADF Faces
Posted by SEC Consult Vulnerability Lab on Oct 15
SEC Consult Vulnerability Lab Security Advisory < 20141015-0 >
=======================================================================
title: Potential Cross-Site Scripting
product: ADF Faces
vulnerable version: 12.1.2.0
fixed version: versions with CPU Oct-2014 patch applied
impact: low
homepage: http://www.oracle.com/adf
found: 2014-05-01
by: W….
Operation Windigo: "Good job, ESET!" says malware author
Following the recognition at Virus Bulletin 2014 of ESET's research on Operation Windigo, I took the opportunity to ask Marc-Etienne Léveillé, who worked directly on the Operation Windigo report, a few questions. Marc-Etienne is a malware researcher at ESET.
The post Operation Windigo: “Good job, ESET!” says malware author appeared first on We Live Security.
Mozilla Releases Security Updates for Firefox and Thunderbird
Original release date: October 15, 2014
The Mozilla Foundation has released security updates to address multiple vulnerabilities in Firefox and Thunderbird. Exploitation of these vulnerabilities may allow an attacker to obtain sensitive information, bypass same-origin policy and key pinning, cause an exploitable crash, conduct a man-in-the-middle attack, or execute arbitrary code.
The following updates are available:
- Firefox 33
- Firefox ESR 31.2
- Thunderbird 31.2
Users and administrators are encouraged to review the Security Advisories for Firefox, Firefox ESR and Thunderbird to determine which updates should be applied to mitigate these risks.
Seven million Dropbox passwords may have been compromised

Recently, it would appear that there is no Internet service whose users' data hasn't been compromised.
Now it's the turn of Dropbox, the cloud storage service, which has had hundreds of its users' passwords leaked, and it's claimed that many more could be published. Specifically, up to seven million users' data may have been hacked, with the consequent threat to the privacy of the users who store their data on the platform.
These claims come from a user of Pastebin, a text sharing site used by hackers and IT security specialists, who boasts to have obtained seven million Dropbox passwords and, supposedly as proof, has published some of them on the site.
On its official blog, Dropbox was quick to deny that its services have been hacked, claiming that the passwords had been stolen from other services and then used to access the file storage platform.
Dropbox urges users not to employ the same password for various services and to enable two-step authentication.
Gmail: Five million passwords stolen
What has happened to Dropbox also happened to Gmail in September, when 5 million passwords were leaked. Neither Dropbox nor Gmail were hacked. The data was taken from other websites.
With this data in their hands, cyber-criminals can try the same password for other services such as Facebook, Dropbox, Gmail or Twitter.
The post Seven million Dropbox passwords may have been compromised appeared first on MediaCenter Panda Security.
The Changing Landscape of BYOD
"Bring your own device" has become increasingly common in the workplace as employees use their own tablets and phones for work-related activities, and their own laptops from home or the local Starbucks. Increasingly the lines are blurred with regards to privacy and questions of data ownership.
A recently passed California law has perhaps shown the way that the future holds. Little commented on when passed in August, this law has real-world implications and may have many ramifications with regard to privacy, security and data. (See ruling here)
In Colin Cochran v. Schwan’s Home Service, Inc., the California Court of Appeals in August reversed a Superior Court in Los Angeles County and ruled that “when employees must use their personal cell phones for work-related calls, Labor Code section 2802 requires the employer to reimburse them.”
The Order points out the purpose of the California Statute is “to prevent employers from passing their operating expenses on to their employees.” Specifically, it notes the following:
Pursuant to section 2802, subdivision (a), “an employer shall indemnify his or her employee for all necessary expenditures or losses incurred by the employee in direct consequence of the discharge of his or her duties, or of his or her obedience to the directions of the employer.”
The key question in the case was this:
Does an employer always have to reimburse an employee for the reasonable expense of the mandatory use of a personal cell phone, or is the reimbursement obligation limited to the situation in which the employee incurred an extra expense that he or she would not have otherwise incurred absent the job?
The Court’s answer was “that reimbursement is always required. Otherwise, the employer would receive a windfall because it would be passing its operating expenses onto the employee.” The Court ruled as follows:
Thus, to be in compliance with section 2802, the employer must pay some reasonable percentage of the employee’s cell phone bill. Because of the differences in cell phone plans and [work]-related scenarios, the calculation of reimbursement must be left to the trial court and parties in each particular case.
Time of course will tell how the expenses of purchase, maintenance and usage of employee-owned tablets, laptops, and home computers used for business are impacted by courts that follow the ruling in this case.
The court's opinion is limited to reimbursement under California law. It doesn't specifically mention privacy. I'd hate to speculate on any legal matter, but one can naturally wonder that if an employer must now pay for certain usage of devices, then is that employer entitled to all the information on that device?
To put it plainly, if the employer is paying for your tablet, does the employer get to look at all your emails and contact information? Who owns the data and intellectual copyright?
These questions no doubt will be settled as more cases come to court. But we've seen that when it comes to technology, legal precedent often lags behind technology.
In the meantime, it's essential for businesses to have clear agreements, notices and policies, including a BYOD policy. See AVG's eBook on BYOD for a good overview on the benefits, issues, risks and how to better protect your company's data in the BYOD world.
Microsoft Bluetooth Personal Area Networking (BthPan.sys) Privilege Escalation
A vulnerability within Microsoft Bluetooth Personal Area Networking module, BthPan.sys, can allow an attacker to inject memory controlled by the attacker into an arbitrary location. This can be used by an attacker to overwrite HalDispatchTable+0x4 and execute arbitrary code by subsequently calling NtQueryIntervalProfile.
Lynis Auditing Tool 1.6.3
Lynis is an auditing tool for Unix specialists. It scans the system and available software to detect security issues. Besides security-related information, it will also scan for general system information, installed packages and configuration mistakes. This software aims to assist with automated auditing, software patch management, and vulnerability and malware scanning of Unix-based systems.