Posted by Tien Tran Dinh on Jan 21
#Vulnerability title: SQL injection vulnerability in articleFR CMS 3.0.5
#Product: articleFR CMS
#Vendor: http://freereprintables.com
#Affected version: version 3.0.5
#Download link: https://github.com/articlefr/articleFR
#Fixed version: N/A
#Google dork: N/A
#Author: Tran Dinh Tien (tien.d.tran () itas vn) & ITAS Team (www.itas.vn)
::PROOF OF CONCEPT::
+ REQUEST:
POST /articlefr/register/ HTTP/1.1
Host: target.org
User-Agent:…
Sites powered by Mangallam suffer from a remote SQL injection vulnerability. Note that this finding houses site-specific data.
Posted by Tien Tran Dinh on Jan 21
#Vulnerability title: Arbitrary File Upload in articleFR CMS 3.0.5
#Product: articleFR CMS
#Vendor: http://freereprintables.com
#Download link: https://github.com/articlefr/articleFR
#Affected version: version 3.0.5
#Fixed version: N/A
#Author: Tran Dinh Tien (tien.d.tran () itas vn) & ITAS Team (www.itas.vn)
::DESCRIPTION::
– Vulnerabilities related to the upload of unexpected file types are unique
in that the upload should quickly…
ModSecurity ‘mod_headers’ module Security Bypass Vulnerability
Apache HTTP Server Multiple Denial of Service Vulnerabilities
Libxml2 Entity Substitution CVE-2014-0191 Denial of Service Vulnerability
Original release date: January 20, 2015
Oracle has released its Critical Patch Update for January 2015 to address 169 vulnerabilities across multiple products.
This update contains the following security fixes:
8 for Oracle Database Server
36 for Oracle Fusion Middleware
10 for Oracle Enterprise Manager Grid Control
10 for Oracle E-Business Suite
6 for Oracle Supply Chain Products Suite
7 for Oracle PeopleSoft Products
1 for Oracle JD Edwards Products
17 for Oracle Siebel CRM
2 for Oracle iLearning
2 for Oracle Communications Applications
1 for Oracle Retail Applications
1 for Oracle Health Sciences Applications
19 for Oracle Java SE
29 for Oracle Sun Systems Products Suite
11 for Oracle Linux and Virtualization
9 for Oracle MySQL
US-CERT encourages users and administrators to review the Oracle January 2015 Critical Patch Update and apply the necessary updates.
Debian Linux Security Advisory 3133-1 – Multiple use-after-frees were discovered in Privoxy, a privacy-enhancing HTTP proxy.
Barracuda Load Balancer ADC with firmware version 5.0.0.015 suffers from multiple security issues. There is an ability to recover the file system encryption keys via a cold-boot-style attack, an off-line super user password reset via physical attack, hard-coded credential and hard-coded SSH key issues, and various other problems.
Prestashop version 1.6.0.9 suffers from a cross site scripting vulnerability.