Posted by Pete Herzog on Feb 25
Hi,
Hacking Passwords, Lesson 11 just released! It’s an ebook on hacking
and security written exclusively for young adults.
Free, open source download here:
http://hackerhighschool.org/lessons.html
Sincerely,
-pete.
Posted by Mark Koek on Feb 25
================================================================================
Information disclosure vulnerability in Apache Tomcat
================================================================================
Web version at:
http://www.qcsec.com/blog/CVE-2015-5345-apache-tomcat-vulnerability.html
================================================================================
On a pentest for a client we discovered a way to obtain…
Posted by Joey Maresca on Feb 25
According to Cisco it is CVE-2014-2120, which indicates that much like the
code sort of gave away, it is a bad attempt by a 1337 hax0r to push their
crappy ‘exploitpack.com’ instead of you know, finding anything useful.
Indeed it is a damn XSS with minimal utility. The crappy code is just the
icing on the cake that only tastes better when you realize he is over a
year late on his ‘0-Day’.
In fact, his code is so crappy it…
Posted by psy on Feb 25
===========================================================================
XSSer v1.7b: “ZiKA-47 Swarm!” – 2011/2016 – (GPLv3.0) -> by psy
-----------
Cross Site “Scripter” is an automatic -framework- to detect, exploit and
report XSS vulnerabilities in web-based applications.
===========================================================================
…
Posted by Jernej Simončič on Feb 25
[snip]
Can’t reproduce – tested on Windows XP SP3, Windows 7 x64 SP1 and
Windows 10 x64 (10586.104), and I tested not only with
gimp-2.8.16-setup-1.exe, but also with gimp-2.8.14-setup-1.exe and
gimp-2.8.10-setup.exe – none of them triggered anything from
sentinel.dll/uxtheme.dll.
This is what I expected – the way Inno Setup works, the downloaded
executable installer has a stub which extracts the real installer to a
subdirectory of %TEMP%,…
Posted by Dominic Chen on Feb 25
Hello,
We’d like to report several vulnerabilities in embedded devices developed by D-Link and Netgear, which were discovered
using our FIRMADYNE framework for emulation and dynamic analysis of Linux-based embedded devices. For more information,
refer to our academic paper and open-source release at https://github.com/firmadyne/firmadyne.
Several Netgear devices include unauthenticated webpages that pass form input directly to the…
Posted by Alexandre Herzog on Feb 25
#############################################################
#
# COMPASS SECURITY ADVISORY http://www.csnc.ch/en/downloads/advisories.html
#############################################################
#
# CSNC ID: CSNC-2016-002
# Product: OpenAM [1]
# Vendor: ForgeRock
# Subject: Open Redirect
# Risk: Critical
# Effect: Remotely exploitable
# Author:…
Posted by Julien Ahrens on Feb 25
RCE Security Advisory
https://www.rcesecurity.com
1. ADVISORY INFORMATION
-----------------------
Product: Ubiquiti Networks UniFi
Vendor URL: www.ubnt.com
Type: Cross-Site Request Forgery [CWE-353]
Date found: 2015-03-19
Date published: 2016-02-23
CVSSv3 Score: 6.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L)
CVE: -
2. CREDITS
----------
This vulnerability was discovered and researched by Julien Ahrens from
RCE…
Posted by Sysdream Labs on Feb 25
Unauthenticated Remote Command Execution in Centreon Web Interface
==================================================================
Description
===========
Centreon is a popular monitoring solution.
A critical vulnerability has been found in the Centreon logging class
allowing remote users to execute arbitrary commands.
SQL injection leading to RCE
============================
Centreon logs SQL database errors in a log file using the…
Posted by Sysdream Labs on Feb 25
=====================================================================
Proxmox VE 3/4 Insecure Hostname Checking (Remote Root Exploit, XSS,
Privileges escalation)
=====================================================================
Description
===========
Proxmox is a popular virtualization solution based on KVM and Linux
containers.
A critical vulnerability has been found in Proxmox VE 3 (OpenVZ) and
Proxmox VE 4 beta 1 (LXC) in the
virtual…