Monthly Archives: December 2014
Several Vulnerabilities Found in Google App Engine
A group of security researchers in Poland say they have discovered a long list of vulnerabilities in the Google App Engine, some of which enable an attacker to escape the Java sandbox.
One Billion More: Kaspersky Lab Reports on Cyber Threats in 2014
Identity theft – six tips to help keep yours safe
Private data such as addresses and social security numbers can be just as valuable to cybercriminals as valid credit card details can be to thieves – if not more so. Lock yours down with our tips.
The post Identity theft – six tips to help keep yours safe appeared first on We Live Security.
Multiple vulnerabilities in extension phpMyAdmin (phpmyadmin)
Release Date: December 8, 2014
Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
Affected Versions: 4.18.x (prior to 4.18.5)
Vulnerability Type: Cross-Site Scripting, Denial of Service, Local File Inclusion
Severity: High
Suggested CVSS v2.0: AV:N/AC:H/Au:S/C:C/I:C/A:P/E:ND/RL:O/RC:C
References: PMASA-2014-13 (XSS), PMASA-2014-14 (LFI), PMASA-2014-17 (DoS),
Related CVE: CVE-2014-8958 (XSS), CVE-2014-8959 (LFI), CVE-2014-9218 (DoS)
Problem Description: By not validating user input, phpMyAdmin is susceptible to Cross-Site Scripting and Local File Inclusion. Due to insufficient handling of long passwords during authentication, phpMyAdmin is susceptible to Denial Of Service.
Solution: An updated version 4.18.5 is available from the TYPO3 extension manager and at http://typo3.org/extensions/repository/download/phpmyadmin/4.18.5/t3x/. Users of the extension are advised to update the extension as soon as possible.
Credits: The vendor of the phpMyAdmin upstream software credits Johannes Dahse, Javier Nieto and Andres Rojas. Thanks to Andreas Beutel for providing a TYPO3 extension package with an updated phpMyAdmin version.
General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.
CVE-2013-2810 (dl_8000_remote_terminal_unit, dl_8000_remote_terminal_unit_firmware, roc_800_remote_terminal_unit, roc_800_remote_terminal_unit_firmware, roc_800l_remote_terminal_unit, roc_800l_remote_terminal_unit_firmware)
Emerson Process Management ROC800 RTU with software 3.50 and earlier, DL8000 RTU with software 2.30 and earlier, and ROC800L RTU with software 1.20 and earlier allows remote attackers to execute arbitrary commands via a TCP replay attack.
CVE-2014-1693 (erlang/otp)
Multiple CRLF injection vulnerabilities in the FTP module in Erlang/OTP R15B03 allow context-dependent attackers to inject arbitrary FTP commands via CRLF sequences in the (1) user, (2) account, (3) cd, (4) ls, (5) nlist, (6) rename, (7) delete, (8) mkdir, (9) rmdir, (10) recv, (11) recv_bin, (12) recv_chunk_start, (13) send, (14) send_bin, (15) send_chunk_start, (16) append_chunk_start, (17) append, or (18) append_bin command.
CVE-2014-3616 (nginx)
nginx 0.5.6 through 1.7.4, when using the same shared ssl_session_cache or ssl_session_ticket_key for multiple servers, can reuse a cached SSL session for an unrelated context, which allows remote attackers with certain privileges to conduct “virtual host confusion” attacks.
CVE-2014-3797 (vcenter_server_appliance)
Cross-site scripting (XSS) vulnerability in VMware vCenter Server Appliance (vCSA) 5.1 before Update 3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2014-4631 (rsa_adaptive_authentication_on-premise)
RSA Adaptive Authentication (On-Premise) 6.0.2.1 through 7.1 P3, when using device binding in a Challenge SOAP call or using the RSA Adaptive Authentication Integration Adapters with Out-of-Band Phone (Authentify) functionality, conducts permanent device binding even when authentication fails, which allows remote attackers to bypass authentication.