Novalnet Payment Module Ubercart – Critical – SQL Injection – Unsupported – SA-CONTRIB-2015-116

Description

This module enables you to add the Novalnet payment service provider to Ubercart.

The module fails to sanitize a database query by not using the database API properly, thereby leading to a SQL Injection vulnerability. Since the affected path is not protected against CSRF, a malicious user can exploit this vulnerability by triggering a request to a specially-crafted URL.

This vulnerability is mitigated by the fact that the malicious request must come from a specific Novalnet IP address.

CVE identifier(s) issued

  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

  • All versions of Novalnet Payment Module Ubercart module

Drupal core is not affected. If you do not use the contributed Novalnet Payment Module Ubercart module, there is nothing you need to do.

Solution

If you use the Novalnet Payment Module Ubercart module you should uninstall it.

Also see the Novalnet Payment Module Ubercart project page.

Reported by

Fixed by

Not applicable.

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity


Are SOHO Routers A Hopeless Case?

I sure have one! It’s a nice little TP-Link, that’s doing what it’s supposed to do. Until now I felt pretty good and also kind of secure. Recently my feelings have changed though.

The Hungarian company Search-Lab and some Spanish students, who are working on their master's thesis, disclosed that there are quite a few SOHO routers (Small Office, Home Office routers) out there which are basically inviting cybercriminals to drop by and take a look at your data due to their vulnerabilities.

Search-Lab discovered 53 unique vulnerabilities on only 4 different D-Link devices, all running the latest firmware. According to their report “several vulnerabilities can be used by a remote attacker to execute arbitrary code and gain full control over the device”. They listed a few of the most critical findings’ problem areas in it as well, so take a look at their paper if you want to know more.

The students published their findings on Full Disclosure and they listed more than 40 vulnerabilities in 22 different SOHO router models. The issues range from persistent and unauthenticated cross-site scripting vulnerabilities and information leaks to Universal Plug and Play related vulnerabilities.

Routers which made it on the list are: Observa Telecom AW4062, RTA01N, Home Station BHS-RTA and VH4032N; Comtrend WAP-5813n, CT-5365, AR-5387un and 536+; Sagem LiveBox Pro 2 SP and Fast 1201; Huawei HG553 and HG556a; Amper Xavi 7968, 7968+ and ASL-26555; D-Link DSL-2750B and DIR-600; Belkin F5D7632-4; Linksys WRT54GL; Astoria ARV7510; Netgear CG3100D and Zyxel P 660HW-B1A.

Really, it doesn’t look good for SOHO router vendors. They either do not care or (even worse) do not know that their firmware is that insecure.

The post Are SOHO Routers A Hopeless Case? appeared first on Avira Blog.

Latest versions of Avast compatible with Windows 10

The future of Windows is just around the corner. (Image via TechRadar)

Earlier this week, Microsoft confirmed that Windows 10 will officially launch on July 29 and will be available as a free upgrade to Windows 7 and Windows 8.1 users (for one year). This latest OS will be available to pre-order in the upcoming weeks when it launches in 190 different markets across the globe. In anticipation of Microsoft’s exciting new OS, this TechRadar article takes a brief look at the operating system’s past:

With Windows 8 and today Windows 8.1, Microsoft tried – not entirely successfully – to deliver an operating system (OS) that could handle the needs of not only number-crunching workstations and high-end gaming rigs, but touch-controlled systems from all-in-one PCs for the family and thin-and-light notebooks down to slender tablets.

Now, Windows 10 has emerged as an operating system optimized for PCs, tablets and phones in unique ways – a truly innovative move from Microsoft’s side. Its big reveal is now quickly approaching, and tech enthusiasts everywhere are curious to see how this OS will measure up.

Will Avast be compatible with Windows 10?

In short, ensuring that Avast is compatible with Windows 10 is quite simple. Avast versions V2015 R2 and newer are already compatible with Windows 10. Users who currently have V2015 R2 or newer installed and plan to update from Windows 7 or 8 to Windows 10 will automatically have Avast transferred to Windows 10 at the same time.

For users currently using older versions of Avast, we highly suggest updating your Avast product prior to updating to Windows 10 to ensure an easy, hassle-free transition.