Re: Google Chrome Address Spoofing (Request For Comment)

Posted by David Leo on Jul 02

http://seclists.org/fulldisclosure/2015/Jun/109
Big Whale said:
“Tested on Google Chrome 43.0.2357.130 (64-bit) (Linux) and it works”
“clearly URL spoofing”
Thanks for testing!

http://seclists.org/oss-sec/2015/q3/0
0pc0deFR said:
“Work on Google Chrome Ubuntu”
Bonjour, thanks for testing!

http://seclists.org/oss-sec/2015/q2/824
Daniel Micay said:
“It does display a window with the oracle.com address”…

DSA-3299 stunnel4 – security update

Johan Olofsson discovered an authentication bypass vulnerability in
Stunnel, a program designed to work as a universal SSL tunnel for
network daemons. When Stunnel in server mode is used with the redirect
option and certificate-based authentication is enabled with verify = 2
or higher, then only the initial connection is redirected to the hosts
specified with redirect; later connections that fail certificate
verification reach the real backend. This allows a remote attacker to
bypass authentication.
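The affected combination is a matter of configuration, so the first thing a practitioner wants is a way to find service sections that have it. The script below is an added example, not part of the Debian advisory or of stunnel itself. It parses an stunnel.conf-style file (options before the first `[section]` are global defaults that every section inherits) and flags sections that run in server mode (no `client = yes`), use `redirect`, and have `verify` set to 2 or higher. It only looks at the `verify` option named in the advisory; the sample configuration and its addresses are constructed.

```python
"""Flag stunnel service sections matching the DSA-3299 condition.

Added example, not Debian's or stunnel's own code. Assumes stunnel.conf
syntax: `key = value` lines, `;`/`#` comments, and `[name]` sections
that inherit the options set before the first section.
"""

SAMPLE_CONF = """\
; constructed sample configuration, not a real deployment
cert = /etc/stunnel/stunnel.pem
verify = 2
CAfile = /etc/stunnel/ca.pem

[https]
accept = 443
connect = 127.0.0.1:8080
redirect = 127.0.0.1:8081

[smtps]
accept = 465
connect = 127.0.0.1:25

[mail-client]
client = yes
accept = 127.0.0.1:1025
connect = mail.example.com:465
redirect = 127.0.0.1:9

[legacy]
accept = 8443
connect = 127.0.0.1:8082
redirect = 127.0.0.1:8083
verify = 1
"""


def parse_stunnel_conf(text):
    """Return (global_options, [(section_name, options)]) with lowercase keys."""
    global_opts = {}
    sections = []
    current = global_opts
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = {}
            sections.append((line[1:-1].strip(), current))
            continue
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        current[key.strip().lower()] = value.strip()
    return global_opts, sections


def affected_services(text):
    """Names of server-mode sections that use redirect with verify >= 2."""
    global_opts, sections = parse_stunnel_conf(text)
    hits = []
    for name, opts in sections:
        effective = dict(global_opts)   # section values override globals
        effective.update(opts)
        if effective.get("client", "no").lower() == "yes":
            continue                    # client mode: condition does not apply
        if "redirect" not in effective:
            continue
        try:
            level = int(effective.get("verify", "0"))
        except ValueError:
            level = 0                   # unparseable value: treat as off
        if level >= 2:
            hits.append(name)
    return hits


if __name__ == "__main__":
    for service in affected_services(SAMPLE_CONF):
        print("affected:", service)
```

In the sample, only `[https]` is reported: `[smtps]` has no `redirect`, `[mail-client]` is a client-mode section, and `[legacy]` overrides the global `verify = 2` with `verify = 1`. A hit means the section relies on the redirect path for failed client-certificate checks and should be updated rather than reconfigured.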

New Avast Hack Chat video series debuts

Remember when you used to make sure you were home at a certain time so you wouldn’t miss your favorite TV show? That was called “appointment television”, and those of you old enough to remember watching The X-Files or Friends when they originally aired know what I’m talking about. But, with the new USA Network show, Mr. Robot, it feels like those days are back again. Sure, I have my DVR set to record, but I will definitely watch it live. Since all my buddies are watching too, I will be itching to talk about it the next day.

Avast’s new Hack Chat video series brings back that around-the-watercooler discussion. Watch our debut episode here (10:13).

Avast Hack Chat: Episode 1 “Hello Friend” Program Notes

In episode 1 of Avast Hack Chat, host Ariana welcomes special guest, security researcher and software developer, Pedram Amini.

In the first half of the show, they discuss the pilot episode of USA Network’s new show, Mr. Robot. Ariana walks us through the highlights of the cyberthriller, and Pedram explains whether these hacks are real-world or just Hollywood magic. You can also read our interview with Pedram on Are the hacks on Mr. Robot real?

One of the earliest hacking movies, War Games, starred Matthew Broderick as a young computer whiz who inadvertently finds a backdoor into the U.S. military’s central computer. The technology he used is intriguing even now, and Ariana and Pedram discuss this old-school method in the Time Machine section.

Back in the present day, Pedram answers Ariana’s question about why the NSA would want to reverse engineer Avast software and whether the I-have-nothing-to-hide attitude is the wisest one to take. You can also read what Avast’s CEO, Vince Steckler, has to say on the subject in Avast CEO speaks out about U.S. and U.K. spy agencies.

Subscribe to the Avast Hack Chat YouTube channel and don’t miss a single weekly episode.

Cisco Releases Security Update

Original release date: July 01, 2015

Cisco has released a security update to address a vulnerability in versions of the Unified Communications Domain Manager Platform Software prior to 10.x. Exploitation of this vulnerability may allow a remote attacker to take control of the affected system.

US-CERT recommends that users review the Cisco Security Advisory and apply the necessary update.


CVE-2015-5353

Directory traversal vulnerability in Novius OS 5.0.1 (Elche) allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the tab parameter to admin/.

CVE-2015-5354

Open redirect vulnerability in Novius OS 5.0.1 (Elche) allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the redirect parameter to admin/nos/login.
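The two Novius OS entries above are both unvalidated-parameter bugs: a `tab` value used as a file path and a `redirect` value used as a Location target. The code below is an added example and not Novius OS code (the project is PHP and its real admin/ and admin/nos/login handlers are not reproduced here); the base directory `/srv/app/tabs`, the `.php` suffix and the default landing page `/admin/` are assumptions. `resolve_tab()` allow-lists the tab name and, as defence in depth, checks that the resolved path stays below the base directory; `safe_redirect_target()` accepts only a same-site relative path and also rejects the scheme-relative (`//host`, `///host`, `/\host`) and header-splitting variants that a plain "does it start with a slash" check lets through.

```python
"""Hardened handling for a path-selecting and a redirect parameter.

Added example, not Novius OS code. TAB_DIR, the .php suffix and the
default redirect target are illustrative assumptions.
"""
import posixpath
import re
from urllib.parse import urlsplit, urlunsplit

TAB_DIR = "/srv/app/tabs"                      # assumed base directory
TAB_NAME = re.compile(r"[A-Za-z0-9_-]+")       # allow-list for tab names


def resolve_tab(tab, base_dir=TAB_DIR):
    """Map a user-supplied `tab` to a file under base_dir, or None."""
    if not tab or not TAB_NAME.fullmatch(tab):
        return None                            # rejects "..", "/", NUL, newlines
    base = posixpath.normpath(base_dir)
    candidate = posixpath.normpath(posixpath.join(base, tab + ".php"))
    # defence in depth: even if the allow-list is relaxed later, the
    # normalised path must still be below base_dir
    if posixpath.commonpath([base, candidate]) != base:
        return None
    return candidate


def safe_redirect_target(redirect, default="/admin/"):
    """Return `redirect` only if it is a same-site relative path."""
    if not redirect:
        return default
    redirect = redirect.strip()
    # control characters could split the Location header (CRLF injection)
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in redirect):
        return default
    # "//host", "///host" and "/\host" are treated by browsers as
    # scheme-relative URLs, i.e. a different site
    if redirect.startswith("//") or "\\" in redirect:
        return default
    parts = urlsplit(redirect)
    if parts.scheme or parts.netloc or not parts.path.startswith("/"):
        return default
    # rebuild without scheme, host or fragment
    return urlunsplit(("", "", parts.path, parts.query, ""))


if __name__ == "__main__":
    # constructed inputs: one benign and one hostile value per parameter
    for tab in ("dashboard", "../../../etc/passwd"):
        print("tab=%r -> %r" % (tab, resolve_tab(tab)))
    for target in ("/admin/nos/dashboard?x=1", "//evil.example/"):
        print("redirect=%r -> %r" % (target, safe_redirect_target(target)))
```

The allow-list does the real work for `tab`; the `commonpath` check is there so that a later change to the pattern cannot silently reintroduce traversal. For `redirect`, rejecting anything with a scheme or host is necessary but not sufficient, which is why the leading-slash, backslash and control-character checks come first.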

CVE-2015-5355

Multiple cross-site scripting (XSS) vulnerabilities in GetSimple CMS before 3.3.6 allow remote attackers to inject arbitrary web script or HTML via the (1) post-content or (2) post-title parameter to admin/edit.php.

CVE-2015-5356

Cross-site scripting (XSS) vulnerability in admin/filebrowser.php in GetSimple CMS before 3.3.6 allows remote attackers to inject arbitrary web script or HTML via the func parameter.
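The two GetSimple entries above name parameters that land in different HTML contexts: `post-title` and `func` end up inside attribute values, `post-content` inside element text. The snippet below is an added example and not GetSimple CMS code (the project is PHP and its real edit.php and filebrowser.php are not reproduced); the form layout is an assumption chosen to show both contexts side by side. With `hardened=False` the renderer reflects the parameters verbatim, which reproduces the class of bug; with `hardened=True` it escapes with quotes included, which is what stops an attribute from being closed early.

```python
"""Context-aware escaping for parameters reflected into an admin form.

Added example, not GetSimple CMS code. The form markup and the payloads
are constructed for illustration.
"""
from html import escape


def render_edit_form(post_title, post_content, func, hardened=True):
    """Render an editor form; hardened=False reproduces the reflection bug."""
    # quote=True also encodes " and ', which matters for attribute values;
    # the default escape() without it would leave the attribute breakable
    enc = (lambda s: escape(s, quote=True)) if hardened else (lambda s: s)
    return (
        '<form method="post" action="admin/edit.php">\n'
        f'<input type="hidden" name="func" value="{enc(func)}">\n'
        f'<input name="post-title" value="{enc(post_title)}">\n'
        f'<textarea name="post-content">{enc(post_content)}</textarea>\n'
        '</form>'
    )


# constructed payloads, one per context
TITLE_PAYLOAD = 'x" autofocus onfocus="alert(1)'       # attribute breakout
CONTENT_PAYLOAD = '</textarea><script>alert(1)</script>'  # element breakout


def is_reflected_unescaped(html, payload):
    """True when the payload appears verbatim, i.e. as live markup."""
    return payload in html


if __name__ == "__main__":
    for hardened in (False, True):
        out = render_edit_form(TITLE_PAYLOAD, CONTENT_PAYLOAD, "upload", hardened)
        print("hardened" if hardened else "vulnerable",
              "title reflected:", is_reflected_unescaped(out, TITLE_PAYLOAD),
              "content reflected:", is_reflected_unescaped(out, CONTENT_PAYLOAD))
```

Escaping at output time, per context, is the fix; filtering `<script>` on input would not have stopped the attribute payload, which contains no angle brackets at all.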