-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2015:049
http://www.mandriva.com/en/support/security/
_______________________________________________________________________
Package : cups
Date : March 2, 2015
Affected: Business Server 1.0
_______________________________________________________________________
Problem Description:
Updated cups packages fix security vulnerability:
A malformed file with an invalid page header and compressed raster data
can trigger a buffer overflow in cupsRasterReadPixels (CVE-2014-9679).
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9679
http://advisories.mageia.org/MGASA-2015-0067.html
_______________________________________________________________________
Updated Packages:
Mandriva Business Server 1/X86_64:
065d8c8fe11
Monthly Archives: March 2015
WordPress Photocrati Theme 4.x.x SQL Injection
WordPress Photocrati theme version 4.x.x suffers from a remote SQL injection vulnerability.
Vulnerabilities in Hikvision DS-7204HWI-SH
Posted by MustLive on Mar 02
Hello list!
There are Abuse of Functionality and Brute Force vulnerabilities in
Hikvision DS-7204HWI-SH.
-------------------------
Affected products:
-------------------------
The following model is vulnerable: Hikvision DS-7204HWI-SH with different
versions of firmware.
----------
Details:
----------
Abuse of Functionality (WASC-42):
Login is persistent: admin (only logins for users can be changed), which
simplifies a Brute Force attack.
Brute…
Tor Browser 4.0.3 with websockets enabled by default?
Posted by Pablo on Mar 02
Hello,
I am seeing that Tor Browser 4.0.3 apparently has the configuration
of websocket of Firefox enabled (true) by default …. I think that this is
something that should have been corrected a long time ago (Tor bug 5741).
I think that this is a configuration bug. Am I wrong?
Link:
http://picpaste.com/websocket_tor_config.png
Regards,
Pablo.
D-Link and TRENDnet 'ncc2' service – multiple vulnerabilities
Posted by Peter Adkins on Mar 02
Discovered by:
----
Peter Adkins <peter.adkins () kernelpicnic net>
Access:
----
Local network; unauthenticated access.
Remote network; unauthenticated access*.
Remote network; ‘drive-by’ via CSRF.
Tracking and identifiers:
----
CVE – Mitre contacted; not yet allocated.
Platforms / Firmware confirmed affected:
----
D-Link DIR-820L (Rev A) – v1.02B10
D-Link DIR-820L (Rev A) – v1.05B03
D-Link DIR-820L (Rev B) – v2.01b02
TRENDnet…
GDS Labs Alert [CVE-2015-2080] – JetLeak Vulnerability: Remote Leakage Of Shared Buffers In Jetty Web Server
Posted by Ron Gutierrez on Mar 02
GDS LABS ALERT: CVE-2015-2080
JetLeak Vulnerability Remote Leakage Of Shared Buffers In Jetty Web Server
SYNOPSIS
========
Gotham Digital Science discovered a critical information leakage
vulnerability in the Jetty web server that allows an unauthenticated remote
attacker to read arbitrary data from previous requests and responses
submitted to the server by other users.
The vulnerability was made public by the Jetty development team on the…
0x08 SEC-T 2015: Call For Papers announcement
Posted by Matt on Mar 02
The SEC-T Organizers are pleased to announce the start of the 2015
SEC-T 0x08 Call For Papers.
The rules are pretty much the same as every year so save the deadline
date and get cracking. 😉 The SEC-T conference is an information
security conference strongly rooted in the technical realm. Talks on
technical subjects with no applicability to information security are
admissible as long as they are cool! Some topics we find interesting
are:
-…
upstart logrotate privilege escalation in Ubuntu Vivid (development)
Posted by halfdog on Mar 02
Although just reported to Ubuntu, this minor dev-branch issue was already made public. As the launchpad/lkml/…
feed-miners should not play all the games alone, and as others may want to learn how beginner errors still make it into
packages of quite large distributions, enjoy the power of
for session in /run/user/*/upstart/sessions/*
do
env $(cat $session) /sbin/initctl emit rotate-logs >/dev/null 2>&1 || true
done
executed as…
Re: Reflected File Download in AOL Search Website
Posted by Ricardo Iramar dos Santos on Mar 02
It seems it was fixed.
HTTP/1.1 200 OK
Date: Sun, 01 Mar 2015 22:21:31 GMT
Server: Apache-Coyote/1.1
Content-Disposition: attachment; filename=autocomplete.txt
Content-Type: application/x-suggestions+json;charset=UTF-8
Content-Language: en-US
Content-Length: 34
Keep-Alive: timeout=5, max=69
Connection: Keep-Alive
["iramar%22%7C%7Ccalc%7C%7C", []]
They included the header “Content-Disposition: attachment;…
XSS Reflected vulnerabilities in Fortimail version 5.2.1 (CVE-2014-8617)
Posted by William Costa on Mar 02
I. VULNERABILITY
-------------------------
XSS Reflected vulnerabilities in Fortimail version 5.2.1
II. BACKGROUND
-------------------------
Fortinet’s industry-leading, Network Security Platforms deliver Next
Generation Firewall (NGFW) security with exceptional throughput, ultra
low latency, and multi-vector threat protection.
III. DESCRIPTION
-------------------------
Two reflected XSS vulnerabilities have been detected in FortiMail in “…