[The ManageOwnage Series, part XII]: Multiple vulnerabilities in FailOverServlet (OpManager, AppManager, IT360)

Posted by Pedro Ribeiro on Jan 28

Hi,

This is part 12 of the ManageOwnage series. For previous parts, see [1].

This time we have an arbitrary file download, directory content
disclosure and blind SQL injection vulnerabilities in ManageEngine
OpManager, Applications Manager and IT360.

I’ve pushed two new Metasploit modules into the framework that exploit
the file download and the content disclosure [2]; these should
hopefully be accepted soon.
The full advisory text is…

CVE-2015-0235

Heap-based buffer overflow in the __nss_hostname_digits_dots function in glibc 2.2, and other 2.x versions before 2.18, allows context-dependent attackers to execute arbitrary code via vectors related to the (1) gethostbyname or (2) gethostbyname2 function, aka “GHOST.”

SXSW 2015: The Challenges Facing Women in Tech

Recent events have shown that the technology industry is starting to address the gender gap, but what can women do to get ahead in one of the most competitive business environments?

This year at SXSW 2015, Judith Bitterli will be giving expert advice to women looking to forge a career in technology.

Whether a building career roadmap, mentoring advice or hard lessons learned, Judith will share her experiences and answer questions.

Video: The Challenges Facing Women in Tech

If you are planning to attend SXSW this year, we’d love for you to come by and share your views.

See Judith Bitterli at SXSW 2015

Why you should celebrate Data Protection Day 2015

So what is Data Protection Day? It’s a holiday proclaimed by the Council of Europe on January 28, 2007. The goal is to raise awareness and promote privacy and data protection best practices.

It is globally celebrated and in the U.S. often referred to as Data Privacy and Protection Day, but it’s still a holiday! So tell your boss, and take a day to yourself. In the words of Madonna, or rather in her spirit, perhaps we should “Celebrate.”

If we took a data day, took some time to celebrate,
Just one data out of life
It would be, it would be so nice

Everybody spread the word… We’re gonna have a celebration
All across the world, In every nation

It’s time for the good data practices… Forget about the bad, oh yeah…
We need a holiday…


On this anniversary of Data Protection Day, the promise is matched only by the tension. In the past year, we’ve seen unprecedented data hacks, continued instances of government surveillance, and an ongoing tide of commercial data collection and use practices that don’t always bode well for consumers.

Data Protection Day 2015


This is amplified by real concerns for people’s safety, life, and liberty. Criminal enterprises continue to engage in identity theft and financial fraud. Terrorist attacks, like those recently in France, further fuel our fears and heighten the impulse to use more invasive state surveillance techniques.

Add to this the sea-change in the landscape created by mobile devices, which will look like nothing compared to the changes ushered in by the Internet of Things. We have more data, more collection points, more providers, more sensitive information, and growing commercial and state appetites to use the data that define our lives.

So why celebrate? Well, a set of forces seems to be converging that indicates a corresponding change in attitude to better protect consumers and change the pH of the ecosystem so it’s more habitable for businesses and users alike.

The FTC released a thoughtful report on IoT that gives us a framework to get ahead of the changes. President Obama recently proposed new cyber-security and data breach legislation that is promising, provided the voices of civil society advocates like CDT and the EFF remain engaged.

The EU continues to work on updating the data protection act to address both the technological and societal changes that have occurred since it was first drafted. More importantly though, the heat in this space has been turned up. There is more debate. More industry leaders are devoting increasingly more mind share. Notions of choice, transparency, control, and reasonable defaults – the very threads that weave the fabric of trust that we depend upon – are no longer dirty words.

While these may seem like concepts beyond your desktop, there is a lot each of us can do to take back some of our privacy. Today, I actively managed my privacy settings in iOS. I disabled location services for all those apps where it didn’t make sense. Why, for example, do the camera or ADP (payroll) apps need to use my location in the background when I’m not using them? Something doesn’t seem right.

Google Maps Sharing


Some apps, I was pleasantly surprised to find, like Google Maps and ESPN’s SportsCenter, do give me the option to turn location services on only “while using.” This makes sense to me and is an example of privacy-forward design that gives users better and more refined choices. The fact that the interface exists at all is an example of transparency that didn’t exist in earlier versions of iOS, and a good sign that things are changing.

All this is to say – the tide is shifting. In this transition, there is more opportunity than we can imagine. We don’t believe that users have to trade privacy and security to benefit from the wealth of data-enabled services available now and soon to come.

Today there is growing interest in shaping a future that is more people-centric than device-centric, and that properly reflects the human rights that we expect. I am optimistic that there is more future than there is past. That’s something to celebrate.

SA-CONTRIB-2015-033 – Certify – Access bypass and information disclosure

Description

Certify enables you to automatically issue PDF certificates to users upon completion of a set of conditions.

The module does not sufficiently check node access when showing (and creating) the PDF certificates. This can lead to users seeing certificates they should not have access to.

This vulnerability is mitigated by the fact that an attacker must have completed the conditions of the certificate.

CVE identifier(s) issued

  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

  • Certify 6.x-2.x versions prior to 6.x-2.3.

Drupal core is not affected. If you do not use the contributed Certify module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Certify project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity


20 million dating site profiles targeted by hacker

20 million usernames and email addresses for a popular Russian dating website have been leaked, according to Bloomberg. Techworld highlights the targeted website as Topface, which has 91.5 million users. Anti-fraud firm Easy Solutions claimed that of the leaked users, 50 percent were Russian citizens, and 40 percent from the EU. Seven million of the logins

The post 20 million dating site profiles targeted by hacker appeared first on We Live Security.

SA-CONTRIB-2015-032 – Node Invite – Multiple vulnerabilities

Description

Node Invite module enables you to invite people to RSVP on node types that have been configured to represent events.

The module doesn’t sufficiently sanitize the titles of nodes in some listings, allowing a malicious user to inject code, thereby leading to a Cross Site Scripting (XSS) vulnerability. This vulnerability is mitigated by the fact that the attacker must have permission to create or edit nodes configured to be used for RSVP.

Additionally, some URLs are not protected against CSRF. A malicious user can cause a user with the “node_invite_can_manage_invite” permission to re-enable node invitations by getting his browser to make a request to a specially-crafted URL.

Lastly, the module is not checking that some destination parameters are internal URLs, thereby leading to an Open Redirect vulnerability.

CVE identifier(s) issued

  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

  • Node Invite 6.x-2.x versions prior to 6.x-2.5.

Drupal core is not affected. If you do not use the contributed Node Invite module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Node Invite project page.

Reported by

  • Pere Orga, provisional member of the Drupal Security Team

Fixed by

Coordinated by

  • Pere Orga, provisional member of the Drupal Security Team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity
