Resolved Bugs
1178908 – CVE-2014-9449 exiv2: buffer overflow in RiffVideo::infoTagsHandler
1178909 – CVE-2014-9449 exiv2: buffer overflow in RiffVideo::infoTagsHandler [fedora-21]
Security fix for CVE-2014-9449
Monthly Archives: January 2015
Fedora 20 Security Update: owasp-esapi-java-2.1.0-2.fc20
Fedora 21 Security Update: gcab-0.4-7.fc21
AOL Advertising Network Used To Distribute Malware
CES 2015: Sony Condemns 'Vicious' Cyber Attack
Re: [The ManageOwnage Series, part XI]: Remote code execution in ServiceDesk, Asset Explorer, Support Center and IT360
Posted by Pedro Ribeiro on Jan 07
Someone has asked me how CVE-2014-5302 can be exploited.
There are 3 things you have got to have in mind:
1 – send a null byte (%00) after the file name
2 – send the request as mime type application/octet-stream
3 – send only ASCII data in the request body
Unfortunately it’s not as trivial as uploading an ASCII webshell to
the web root. Because of the way these applications are packaged, the
JSP compiler is not set automatically in the…
Pirelli ADSL2/2+ Wireless Router P.DGA4001N Information Disclosure
ADB BroadBand Pirelli ADSL2/2+ wireless router version P.DGA4001N suffers from multiple unauthenticated remote information disclosure vulnerabilities.
Kajona CMS 4.6 Cross Site Scripting
Kajona CMS version 4.6 suffers from a cross site scripting vulnerability.
McAfee ePolicy Orchestrator Authenticated XXE Credential Exposure
This Metasploit module will exploit an authenticated XXE vulnerability to read the keystore.properties off of the filesystem. This properties file contains an encrypted password that is set during installation. What is interesting about this password is that it is set as the same password as the database ‘sa’ user and of the admin user created during installation. This password is encrypted with a static key, and is encrypted using a weak cipher at that (ECB).
Sefrengo CMS 1.6.0 Cross Site Scripting
Sefrengo CMS version 1.6.0 suffers from a cross site scripting vulnerability.