This Metasploit module exploits the unsecured User Manager REST API and a ZIP file path traversal in Apache Jetspeed-2, versions 2.3.0 and unknown earlier versions, to upload and execute a shell. Note: this exploit will create, use, and then delete a new admin user. Warning: in testing, exploiting the file upload clobbered the web interface beyond repair. No workaround has been found yet. Use this module at your own risk. No check will be implemented.

Debian

DSA-3538 libebml – security update

March 30, 2016 007admin

Several vulnerabilities were discovered in libebml, a library for
manipulating Extensible Binary Meta Language files.

Debian

DSA-3536 libstruts1.2-java – security update

March 30, 2016 007admin

It was discovered that libstruts1.2-java, a Java framework for MVC
applications, contains a bug in its multi-page validation code. This
allows input validation to be bypassed, even if MPV is not used
directly.

Debian

DSA-3537 imlib2 – security update

March 30, 2016 007admin

Several vulnerabilities were discovered in imlib2, an image
manipulation library.

Security

Metaphor Stagefright Implementation

March 30, 2016 007admin

Included in this archive is a whitepaper called Metaphor – A (real) real-life Stagefright exploit. It presents a thorough research on libstagefright and new techniques used to bypass ASLR. This archive also includes the Metaphor exploit that leverages CVE-2015-3864.

007 Software

Monthly Archives: March 2016

PHP 5.5.33 Invalid Memory Write

Axil CMS 0.1 SQL Injection

Axil CMS 3.0 Cross Site Scripting

Cybercriminals are overcoming language and time zone barriers to cooperate on making malware more dangerous – ZDNet

The Spreading Epidemic of Hospital Ransomware – Motherboard

Apache Jetspeed Arbitrary File Upload

DSA-3538 libebml – security update

DSA-3536 libstruts1.2-java – security update

DSA-3537 imlib2 – security update

Metaphor Stagefright Implementation

Software and Security Information