CVE-2015-4397

Cross-site request forgery (CSRF) vulnerability in the Node Template module for Drupal allows remote attackers to hijack the authentication of users with the “access node template” permission for requests that delete node templates via unspecified vectors.

Arbitrary Code Execution in extension Job Fair (jobfair)

Release Date: June 15, 2015

Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.

Affected Versions: version 1.0.0 and below

Vulnerability Type: Arbitrary Code Execution

Severity: High

Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:F/RL:O/RC:C

CVE: not assigned yet

Problem Description: The extension jobfair offers the possibility to upload files. It was discovered that it was possible to upload files with specially crafted file extensions, which could be executed as PHP files on the server when using Apache as web server with mod_mime available (default). An uploaded file is stored in the extension upload folder and can be executed afterwards. Because jobfair does not check the uploaded file name against TYPO3's fileDenyPattern, it is susceptible to arbitrary code execution.

Please also read an older bulletin and a blog article for further information about this issue in combination with Apache as web server.
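As an added illustration (not code from the jobfair extension or from TYPO3), the following Python check models the fileDenyPattern validation the bulletin says jobfair skipped, rejecting multi-extension names such as `cv.php.txt` that Apache mod_mime would still hand to the PHP handler. The regex approximates TYPO3's default fileDenyPattern (an assumption; the exact default varies by TYPO3 version), and the extension allowlist and sample file names are constructed.

```python
import re

# Approximation of TYPO3's default fileDenyPattern (assumption: the exact
# default differs between TYPO3 versions; this mirrors its structure).
# It rejects PHP-family extensions anywhere in the name, because Apache
# mod_mime maps every dotted segment to a handler, so "cv.php.txt" is
# still executed as PHP. It also rejects .htaccess, which could re-enable
# handlers inside the upload directory.
FILE_DENY_PATTERN = re.compile(
    r"\.(php[3-8]?|phpsh|phtml|pht|phar|shtml|cgi)(\..*)?$|\.pl$|^\.htaccess$",
    re.IGNORECASE,
)

# Constructed allowlist for a job-application upload form (not part of TYPO3).
ALLOWED_EXTENSIONS = {"pdf", "doc", "docx", "odt", "txt"}


def is_denied(filename: str) -> bool:
    """True if the name matches the deny pattern (the check jobfair 1.0.0 lacked)."""
    return FILE_DENY_PATTERN.search(filename) is not None


def accept_upload(filename: str) -> bool:
    """Hardened decision: deny pattern first, then a strict extension allowlist."""
    name = filename.rsplit("/", 1)[-1]  # drop any path component
    if not name or is_denied(name):
        return False
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return ext in ALLOWED_EXTENSIONS


# Constructed sample names a resume-upload form might receive -> expected verdict
SAMPLES = {
    "cv_jane.pdf": True,
    "cv.php": False,
    "cv.php.txt": False,   # multi-extension: mod_mime still runs it as PHP
    "CV.PHTML": False,     # case-insensitive match
    ".htaccess": False,    # could change handler config for the upload folder
    "notes.txt": True,
    "photo.jpg": False,    # not denied, but not in the allowlist either
}


def check_samples() -> dict:
    """Run every sample through accept_upload; returns name -> accepted."""
    return {name: accept_upload(name) for name in SAMPLES}


if __name__ == "__main__":
    for name, ok in check_samples().items():
        print(f"{name:15} -> {'accept' if ok else 'reject'}")
```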


Solution: An updated version 1.0.1 is available from the TYPO3 Extension Manager and at http://typo3.org/extensions/repository/download/jobfair/1.0.1/t3x/. Users of the extension are advised to update the extension as soon as possible.

Credits: Credits go to Torben Hansen who discovered and reported the issue.


General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.

US Navy Soliciting Zero Days

An RFP, which has since been taken down, surfaced last week from the Naval Supply Systems Command seeking operational exploits and vulnerability intelligence for commercial software from leading IT vendors.

CEBA-2015:1099 CentOS 5 nss_ldap BugFix Update

CentOS Errata and Bugfix Advisory 2015:1099

Upstream details at : https://rhn.redhat.com/errata/RHBA-2015-1099.html

The following updated files have been uploaded and are currently syncing to the mirrors (sha256sum Filename):

i386:
b874bb191341b1943146a7535fa2f6785d7db275e210602aec73024612f6f625  nss_ldap-253-52.el5_11.2.i386.rpm

x86_64:
b874bb191341b1943146a7535fa2f6785d7db275e210602aec73024612f6f625  nss_ldap-253-52.el5_11.2.i386.rpm
bbcf34bb020af8572b121493a2934d4158fb0618f65943cd93c3bafeba910dd4  nss_ldap-253-52.el5_11.2.x86_64.rpm

Source:
ca8e11bebd5ceff8c91c9169ba553f29a0e9e3eefddbb5b7b566a59316318417  nss_ldap-253-52.el5_11.2.src.rpm



PCs for Schools at 80 Euros
