Joomla SecurityCheck extension – Multiple vulnerabilities

Posted by Gökmen GÜREŞÇİ on Jun 01

Information
——————————
Advisory by ADEO Security Team
Name: Stored XSS and SQL Injection in Joomla SecurityCheck extension
Affected Software: SecurityCheck and SecurityCheck Pro
Vulnerable Versions: 2.8.9 (possibly below)
Vendor Homepage: https://securitycheck.protegetuordenador.com
Vulnerabilities Type: XSS and SQL Injection
Severity: High
Status: Fixed

Technical Details
——————————
PoC URLs for SQL…

Defense in depth — the Microsoft way (part 40): seven+ year old "blended" threat still alive and kicking

Posted by Stefan Kanthak on Jun 01

Hi @ll,

a looong time ago Microsoft “addressed” a so called “blended”
threat: Internet Explorer loaded and executed DLLs placed on
the user’s desktop.

See <https://technet.microsoft.com/en-us/library/953818>
(titled “Blended Threat from Combined Attack Using Apple’s
Safari on the Windows Platform”) plus
<…

Opening hours – Moderately Critical – XSS – SA-CONTRIB-2016-031

Description

This module enables you to enter opening hours for locations in a highly detailed way.

The module doesn’t sufficiently escape user-supplied input before output, which allows stored cross-site scripting.

This vulnerability is mitigated by the fact that an attacker must be able to edit opening hours by having a role with the permission “Edit opening hours for content”, or have permissions to edit taxonomy terms.

CVE identifier(s) issued

  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

  • Opening Hours 7.x-1.x versions prior to 7.x-1.6.

Drupal core is not affected. If you do not use the contributed Opening hours module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Opening hours project page.

Reported by

Fixed by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity


On Children’s Day, teach your kids how to stay safe online

Happy International Children's Day from Avast!

Happy International Children’s Day! Celebrate this year’s holiday by keeping your kids safe in the digital world. As the trusted authority in your home, you are the go-to resource to help keep the Internet a safe place for your family.

To protect your children from inappropriate online behavior, people with bad intentions and unsuitable content, you need to stay informed about current issues and understand the social networks and devices that your children use. Avast Free Antivirus and Avast Mobile Security can help you stay safe while using each of your devices.

Children whose parents talk to them regularly about what they do online are more likely to behave responsibly when on their own.

Most company training programs leave out important IT security information. Are you at risk?


Workers are the first and the weakest link in the security chain (including your boss), especially if they have not received adequate training to defend themselves against cyber-attackers. Sadly, if malware were to seep into an employee’s smartphone or mobile device, it could potentially cost a company more than 8,000 euros. This is the beginning of the end, and opens the door for cyber-thieves to steal massive amounts of sensitive information from your company.

There are some basic tips that every company should give their employees to keep their personal data and computers protected against cybercriminals, like: confirming the identity of anyone requesting information, keeping passwords secure, and backing up their computer. Alarmingly, organizations are neglecting to share this security-related knowledge with their employees, as seen in a recent study.
46% of the companies who participated in the study assumed that this type of preparation or training would be obligatory for all employees. But in fact, only 60% of the companies that have fallen victim to information theft oblige their workers to go through a learning period, which would educate them on internet security and ensure that confidential data will not be compromised.

As shown in a study, less than half of companies assumed that IT security training is obligatory for businesses
Sadly, for the companies who do have “training” programs, there is a lot of important information left out. In fact, many security training periods only educate workers about basic IT procedures. Approximately 43% of the surveyed companies offer a basic course for their employees, and usually they do not address many of the risks that often lead to cyber-attacks.
Phishing and social engineering are two main threats in our cyber-sphere, but only a fraction (49%) of companies review them in their security courses. In addition, two significant topics that are barely talked about (if they’re talked about at all) in these training programs are mobile device security (38% of courses include this subject) and the security of cloud accounts (29%).

Knowledge is power. It is the greatest barrier against this type of internet-related attack; the nightmare of a cyber-attack can be easily prevented if employees are taught how to use the internet in a responsible manner. Bots or no bots, when it comes to cyber-security strategies, humans are still a company’s greatest weakness or its greatest strength. Everything depends on the level of training that is available to them.

The post Most company training programs leave out important IT security information. Are you at risk? appeared first on Panda Security Mediacenter.