WideImage Demo Code Cross Site Scripting (XSS)

Posted by 47 on Jul 06

Description:
WideImage is an object-oriented library for image manipulation.
It requires PHP 5.2+ with the GD2 extension. The library provides a simple way of loading, manipulating and saving images
in the most common image formats.

Type of vulnerability: 
Reflected XSS

Threat level:
Medium

Tested on: 
Windows 8.1

Product: 
WideImage – An Open Source PHP library for image manipulation….

UK Student’s Research a Wassenaar Casualty

Grant Wilcox, an ethical hacking degree candidate at the University of Northumbria in the U.K., said the Wassenaar Arrangement rules were one reason he decided not to publish exploits he developed for his dissertation.

CentOS Linux for AArch64 Beta2

We are pleased to announce the second public beta release of CentOS
Linux 7 for the AArch64 platform.

This release contains fixes and code updates provided in the RHELSA
source code recently published to git.centos.org as well as rolling
previous updates into the installer.

We intend to have a 'Gold' release very soon unless blocker bugs are
reported, so please test this release.


Improvements since the initial Beta
===================================

The 4.1rc kernel has been removed in favor of the 3.19 kernel as it
contains some additional functionality by default. The 4.x kernel will
be available later as a -plus kernel.

Installation/Everything ISO is now available. We're currently offering
an Everything ISO that can be used for USB-based installation if
desired. This ISO is currently too large for standard DVD media, and so
is best used via USB media.

Many updated packages, including core packages like bzip2, dbus, grub2,
libaio, and more.



Download
========
The full (unsigned) install tree is available at
http://buildlogs.centos.org/centos/7/os/aarch64/

Everything-ISO is available at
http://buildlogs.centos.org/centos/7/isos/aarch64/CentOS-7-aarch64-Everything-beta.iso


Installation
============
Installation guides and documentation will be provided via the CentOS
wiki, at http://wiki.centos.org/SpecialInterestGroup/AltArch/AArch64



Update procedures for existing installations
============================================
Because the kernel version has been rolled back from 4.x to 3.19, you
will need to take some additional steps to update.

1. yum -y update
2. yum distro-sync # This will roll back the installed kernel packages
3. yum remove kernel-core kernel-modules # cleans up kernel leftovers.
4. Reboot into the new kernel



Contributing
============

The AArch64 effort is meant to be a community effort as part of the
AltArch SIG (http://wiki.centos.org/SpecialInterestGroup/AltArch), and
we welcome enthusiasts and vendors to contribute patches, fixes,
documentation, etc. In the AArch64 Extras repository, we have provided
the mock package and dependencies so that community members can more
easily contribute, as well as testing their own builds locally. Please
submit patches, fixes, etc to the Arm-Dev list
(http://lists.centos.org/mailman/listinfo/arm-dev) for discussion and
acceptance.

We encourage vendors to come and join this effort; we have a loose
organization focused on the alternative architectures build process and
welcome interaction at the group level. Please get in touch with me
(jperrin< at >centos.org) or K Singh (kbsingh< at >centos.org) to find out more
details.

The wider CentOS Ecosystem is also welcome to engage with us, both at
the project and code level. If you are working with a project that
interfaces with, manages or develops on top of CentOS, especially in the
virtualization, cloud, container and infrastructure management areas,
we would love to have you get involved. While we don't have a lot
of resources, we are working with a few vendors to build up a community
resource pool around which we would encourage other projects to share their
development, testing and delivery of CentOS Linux for aarch64.


[CORE-2015-0012] – AirLive Multiple Products OS Command Injection

Posted by CORE Advisories Team on Jul 06

1. Advisory Information

Title: AirLive Multiple Products OS Command Injection
Advisory ID: CORE-2015-0012
Advisory URL: http://www.coresecurity.com/advisories/airlive-multiple-products-os-command-injection
Date published: 2015-07-06
Date of last update: 2015-07-06
Vendors contacted: AirLive
Release mode: User release

2. Vulnerability Information

Class: OS Command Injection [CWE-78]
Impact: Code execution
Remotely…

CESA-2015:1207 Critical CentOS 7 firefox Security Update

CentOS Errata and Security Advisory 2015:1207 Critical

Upstream details at: https://rhn.redhat.com/errata/RHSA-2015-1207.html

The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )

x86_64:
f61ea750633f5b444eaae0e52cbc430febc0a68534166659d7ac8fcfac2c89e1  firefox-38.1.0-1.el7.centos.i686.rpm
2a8f94561cb77d12c8b02adcb7c689a36cd36b4b9f9e91328a5e4d287491049c  firefox-38.1.0-1.el7.centos.x86_64.rpm

Source:
1b7b07cf869c0b06c2b23f919d6ea9bab648c270f56ceea33da8c7453c80ab69  firefox-38.1.0-1.el7.centos.src.rpm



CESA-2015:1207 Critical CentOS 6 firefox Security Update

CentOS Errata and Security Advisory 2015:1207 Critical

Upstream details at: https://rhn.redhat.com/errata/RHSA-2015-1207.html

The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )

i386:
b5882e3695d34f9318074874468b2c427eade13ad481866ae314f6edcadfb7db  firefox-38.1.0-1.el6.centos.i686.rpm

x86_64:
b5882e3695d34f9318074874468b2c427eade13ad481866ae314f6edcadfb7db  firefox-38.1.0-1.el6.centos.i686.rpm
b7f8d8f7fe4dde69f71355177bd859e08551a11513e7f293ef7bb6beb094eb13  firefox-38.1.0-1.el6.centos.x86_64.rpm

Source:
05d27d1ca3378334c19eeb53bc8b5a6a7a64dbae179a17da7841753d596bd430  firefox-38.1.0-1.el6.centos.src.rpm
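Both CESA notices above publish each file as `<sha256>  <filename>`, which is exactly the line format GNU coreutils `sha256sum -c` consumes. The following is an added example, not part of the CentOS announcements or any CentOS tooling, showing how to verify RPMs downloaded from a mirror against the lines pasted from such a mail; the arch headers (`x86_64:`, `Source:`) and blank lines are stripped first. The package name and manifest contents in the demo function are constructed, and the digest used is the well-known sha256 of empty input so that the expected value is known in advance.

```shell
#!/bin/sh
# Added example: check downloaded RPMs against the "( sha256sum Filename )"
# lines quoted in a CESA mail. Assumes GNU coreutils sha256sum and grep -E.

# verify_errata_manifest MANIFEST [DIR]
#   MANIFEST: text file holding the lines pasted from the advisory
#   DIR:      directory containing the downloaded RPMs (default: current dir)
# Exit status 0 only if every listed file is present and its digest matches;
# 1 on a mismatch or missing file; 2 if no checksum lines were found.
verify_errata_manifest() {
    manifest=$1
    dir=${2:-.}
    tmp=$(mktemp) || return 2
    # keep only "<64 hex chars><two spaces><filename>" lines; grep exits 1 if none
    if ! grep -E '^[0-9a-f]{64}  [^ ]' "$manifest" > "$tmp"; then
        rm -f "$tmp"
        echo "no checksum lines found in $manifest" >&2
        return 2
    fi
    # run sha256sum -c inside DIR so the relative filenames resolve there;
    # $tmp is an absolute path from mktemp, so it is still reachable after cd
    ( cd "$dir" && sha256sum -c "$tmp" )
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# demo_errata_check: constructed sample data, not a real advisory.
# Creates an empty "rpm" (sha256 of empty input is e3b0c442...b855),
# verifies it, appends bytes to simulate a tampered or truncated download,
# and verifies again. Returns 0 when the check passes before tampering
# and fails after it.
demo_errata_check() {
    d=$(mktemp -d) || return 2
    : > "$d/firefox-constructed.rpm"
    printf '%s\n' \
        'x86_64:' \
        'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  firefox-constructed.rpm' \
        '' \
        'Source:' > "$d/manifest.txt"
    verify_errata_manifest "$d/manifest.txt" "$d" || { rm -rf "$d"; return 1; }
    printf 'tampered' >> "$d/firefox-constructed.rpm"
    if verify_errata_manifest "$d/manifest.txt" "$d" 2>/dev/null; then
        rm -rf "$d"
        return 1
    fi
    rm -rf "$d"
    return 0
}

demo_errata_check && echo "manifest check behaves as expected"
```

In practice, save the advisory's checksum block to a file, download the RPMs into one directory, and run `verify_errata_manifest advisory.txt ./downloads`; the mail notes that the tree is unsigned while it syncs, so this digest comparison (rather than `rpm -K` alone) is the check that ties the mirror copy to what the errata mail announced.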



CVE-2014-3653

Cross-site scripting (XSS) vulnerability in the template preview function in Foreman before 1.6.1 allows remote attackers to inject arbitrary web script or HTML via a crafted provisioning template.

CVE-2014-9737

Open redirect vulnerability in the Language Switcher Dropdown module 7.x-1.x before 7.x-1.4 for Drupal allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in a block.

CVE-2014-9738

Multiple cross-site scripting (XSS) vulnerabilities in the Tournament module 7.x-1.x before 7.x-1.2 for Drupal allow remote authenticated users with certain permissions to inject arbitrary web script or HTML via an (1) account username, a (2) node title, or a (3) team entity title.