SQL injection vulnerability in the insert function in application/controllers/admin/dataentry.php in LimeSurvey 2.06+ allows remote authenticated users to execute arbitrary SQL commands via the closedate parameter.
Monthly Archives: June 2015
CVE-2014-6198
Cross-site request forgery (CSRF) vulnerability in IBM Security Network Protection 5.3 before 5.3.1 allows remote attackers to hijack the authentication of arbitrary users.
CVE-2015-0989
PACTware 4.1 SP3 allows remote attackers to cause a denial of service (application crash) via a crafted file that triggers an internal error.
CVE-2015-4174
Cross-site scripting (XSS) vulnerability in the integrated web server on the Siemens Climatix BACnet/IP communication module with firmware before 10.34 allows remote attackers to inject arbitrary web script or HTML via a crafted URL.
Fedora EPEL 6 Security Update: directfb-1.4.11-3.el6
Fedora EPEL 7 Security Update: openvas-gsa-6.0.3-4.el7,openvas-manager-6.0.3-3.el7,openvas-scanner-5.0.3-5.el7,openvas-cli-1.4.1-2.el7,openvas-libraries-8.0.3-2.el7
Resolved Bugs
1169170 – openvas-manager: SQL injection related to the timezone parameter [fedora-all]
Update to OpenVAS 8.
Fixes several bugs present in previous versions.
Businessman hackers brought down in USA and Europe
Cybercrooks run their organizations like businesses these days. They have multinational offices, marketing departments, business development, and technical support teams. Maybe they also need some security…
Major cybercrooks taken down
Malware entrepreneur sentenced to 57 months in prison
One such malware entrepreneur, Alex Yucel, sold malware through a website that he operated, to other hackers. The Blackshades malware allowed hackers to remotely control their victims’ computers. They could do such things as log the victim’s keystrokes, spy through webcams, and steal usernames and passwords for email and other services. They could also turn their computers into bots which were used to perform Distributed Denial of Service (DDoS) attacks on other computers, without the knowledge of the victim.
Manhattan U.S. Attorney Preet Bharara said: “Alex Yucel created, marketed, and sold software that was designed to accomplish just one thing – gain control of a computer, and with it, a victim’s identity and other important information. This malware victimized thousands of people across the globe and invaded their lives. But Yucel’s computer hacking days are now over.” See the Department of Justice press release here.
Yucel sold the software for as little as $40 via PayPal and various black market forums. The profits from sales of the malware are estimated at $350,000. Yucel pleaded guilty to computer hacking and was sentenced to almost five years in a New York prison. Last year more than 100 customers of Blackshades were arrested in massive raids in Europe and Australia.
Cybercrooks business dismantled in Ukraine
In Europe, a joint investigation team brought down a major cybercriminal group in Ukraine. These high-level cybercrooks are suspected of developing, exploiting, and distributing well-known banking Trojans Zeus and SpyEye. The malware they developed attacked online banking systems in Europe and elsewhere. The damages are estimated to be over 2 million euros.
Their business was organized into specialty groups. Some ran a network of tens of thousands of computers, others harvested victims' banking credentials such as passwords and account numbers, and others laundered their ill-gotten gains through money mule networks. This group of cybercrooks also had a marketing team that advertised on underground forums, sold their hacking services to other cybercrooks, and had a business development department seeking cooperation partners.
It took investigators and judicial authorities from six different European countries, supported by Eurojust and Europol, to stop this major cybercrime organization.
“In one of the most significant operations coordinated by the agency in recent years Europol worked with an international team of investigators to bring down a very destructive cybercriminal group,” said Rob Wainwright, Director of Europol.
CEBA-2015:1191 CentOS 5 irqbalance BugFix Update
CentOS Errata and Bugfix Advisory 2015:1191
Upstream details at: https://rhn.redhat.com/errata/RHBA-2015-1191.html
The following updated files have been uploaded and are currently syncing to the mirrors: ( sha256sum Filename )
i386:
0ec224e1af235b81234eea49486b3cf28562457ce4c67ae3da06cdc7e5f4ba37 irqbalance-0.55-16.el5_11.i386.rpm
x86_64:
818235db375a8409016a5bf4a3c27765adbf4a44dfea7b9a0bbbc6c7c6a959ab irqbalance-0.55-16.el5_11.x86_64.rpm
Source:
b233e7b4dfe9720ddad886936804055e2c92ae57a5ee83ff3324eff85de0c719 irqbalance-0.55-16.el5_11.src.rpm
CVE-2015-4199
Race condition in the IPv6-to-IPv4 functionality in Cisco IOS 15.3S in the Performance Routing Engine (PRE) module on UBR devices allows remote attackers to cause a denial of service (NULL pointer free and module crash) by triggering intermittent connectivity with many IPv6 CPE devices, aka Bug ID CSCug47366.
CVE-2015-4225
Cisco Application Policy Infrastructure Controller (APIC) 1.0(1.110a) and 1.0(1e) on Nexus 9000 devices does not properly implement RBAC health scoring, which allows remote authenticated users to obtain sensitive information via unspecified vectors, aka Bug ID CSCuq77485.