SQL injection vulnerability in Rexroth Bosch BLADEcontrol-WebVIS 3.0.2 and earlier allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.
Monthly Archives: July 2016
CVE-2016-4508
Cross-site scripting (XSS) vulnerability in Rexroth Bosch BLADEcontrol-WebVIS 3.0.2 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2016-4979
The Apache HTTP Server 2.4.18 through 2.4.20, when mod_http2 and mod_ssl are enabled, does not properly recognize the “SSLVerifyClient require” directive for HTTP/2 request authorization, which allows remote attackers to bypass intended access restrictions by leveraging the ability to send multiple requests over a single connection and aborting a renegotiation.
CVE-2016-6170
ISC BIND through 9.10.4-P1 allows primary DNS servers to cause a denial of service (secondary DNS server crash) via a large AXFR response, and possibly allows IXFR servers to cause a denial of service (IXFR client crash) via a large IXFR response and allows remote authenticated users to cause a denial of service (primary DNS server crash) via a large UPDATE message.
Announcing Release for Gluster 3.8 on CentOS Linux 7 x86_64
We are happy to announce the General Availability of Gluster 3.8 for CentOS Linux 7. Earlier versions (3.6 and 3.7) are still available and will keep receiving updates until the upstream Gluster Community marks them End-Of-Life.

GlusterFS 3.8 brings many improvements and new functionalities. These are documented in the 3.8.0 release notes:
https://github.com/gluster/glusterfs/blob/release-3.8/doc/release-notes/3.8.0.md

To install GlusterFS 3.8, only two commands are needed:

  # yum install centos-release-gluster
  # yum install glusterfs-server

The centos-release-gluster content comes from the centos-release-gluster38 package delivered via CentOS Extras repos. This contains all the metadata and dependency information needed to install GlusterFS 3.8. Deployments that have centos-release-gluster36 or -gluster37 installed will not automatically upgrade to version 3.8. These installations will continue to stick to their current stable version with minor updates.

The existing quickstart guide will still work with the new version of Gluster. In fact, we do not expect to see any issues with use-cases that work on 3.7 already. Installation and configuration is the same in the new version:
https://wiki.centos.org/SpecialInterestGroup/Storage/gluster-Quickstart

More details about the packages that the Gluster project provides in the Storage SIG are available in the documentation:
https://wiki.centos.org/SpecialInterestGroup/Storage/Gluster

The centos-release-gluster* repositories offer additional packages that enhance the usability of Gluster itself. Users can request additional tools and applications to be provided, just send us an email with your suggestions. The current list of packages that is (planned to become) available can be found here:
https://wiki.centos.org/SpecialInterestGroup/Storage/Gluster/Ecosystem-pkgs

These Gluster repositories and packages are provided through the Storage SIG. General information about the SIG can be read in the wiki:
https://wiki.centos.org/SpecialInterestGroup/Storage

We welcome all feedback, comments and contributions. You can get in touch with the CentOS Storage SIG on the centos-devel mailing list (https://lists.centos.org) and with the Gluster developer and user communities at https://www.gluster.org/mailman/listinfo. We are also available on IRC at #gluster on irc.freenode.net, and on Twitter at @gluster.

Cheers,
Niels de Vos
Storage SIG member & Gluster maintainer
Announcing Release for Gluster 3.8 on CentOS Linux 6 x86_64
We are happy to announce the General Availability of Gluster 3.8 for CentOS Linux 6. Earlier versions (3.6 and 3.7) are still available and will keep receiving updates until the upstream Gluster Community marks them End-Of-Life.

GlusterFS 3.8 brings many improvements and new functionalities. These are documented in the 3.8.0 release notes:
https://github.com/gluster/glusterfs/blob/release-3.8/doc/release-notes/3.8.0.md

To install GlusterFS 3.8, only two commands are needed:

  # yum install centos-release-gluster
  # yum install glusterfs-server

The centos-release-gluster content comes from the centos-release-gluster38 package delivered via CentOS Extras repos. This contains all the metadata and dependency information needed to install GlusterFS 3.8. Deployments that have centos-release-gluster36 or -gluster37 installed will not automatically upgrade to version 3.8. These installations will continue to stick to their current stable version with minor updates.

The existing quickstart guide will still work with the new version of Gluster. In fact, we do not expect to see any issues with use-cases that work on 3.7 already. Installation and configuration is the same in the new version:
https://wiki.centos.org/SpecialInterestGroup/Storage/gluster-Quickstart

More details about the packages that the Gluster project provides in the Storage SIG are available in the documentation:
https://wiki.centos.org/SpecialInterestGroup/Storage/Gluster

The centos-release-gluster* repositories offer additional packages that enhance the usability of Gluster itself. Users can request additional tools and applications to be provided, just send us an email with your suggestions. The current list of packages that is (planned to become) available can be found here:
https://wiki.centos.org/SpecialInterestGroup/Storage/Gluster/Ecosystem-pkgs

These Gluster repositories and packages are provided through the Storage SIG. General information about the SIG can be read in the wiki:
https://wiki.centos.org/SpecialInterestGroup/Storage

We welcome all feedback, comments and contributions. You can get in touch with the CentOS Storage SIG on the centos-devel mailing list (https://lists.centos.org) and with the Gluster developer and user communities at https://www.gluster.org/mailman/listinfo. We are also available on IRC at #gluster on irc.freenode.net, and on Twitter at @gluster.

Cheers,
Niels de Vos
Storage SIG member & Gluster maintainer
Re: Samsung SW Update – Insecure ACLs on SW Update Service Directory – EoP Vulnerability
Posted by Benjamin Gnahm on Jul 06
Hey guys,
I just want to correct a small mistake I made when publishing the
advisory here. The internal tracking number was wrongly stated as
BFS-SA-2016-003 but it actually is BFS-SA-2016-002. My apologies for any
confusion that I might have created with that typo.
Best regards,
Benjamin
Re: [oss-security] libical 0.47 SEGV on unknown address
Posted by Brandon Perry on Jul 06
I have gone ahead and just pushed my fuzzing results to Github. These were found with American Fuzzy Lop.
https://github.com/brandonprry/ical-fuzz
While Mozilla lists information leaks as viable for a bug bounty [1], unless it straight up crashes Thunderbird (which
heap over reads may or may not do depending on the surrounding memory), it doesn’t seem they will care much and will
mark your…
Putty (beta 0.67) DLL Hijacking Vulnerability
Posted by Sachin Wagh on Jul 06
/*
Exploit Title: Putty DLL Hijacking Exploit ( UxTheme.dll or ntmarta.dll )
Vendor Homepage: https://the.earth.li/~sgtatham/putty/latest/x86/putty.exe
Author: Sachin Wagh (@tiger_tigerboy)
Linkedin: https://in.linkedin.com/in/sachin-wagh-95b17555
Affected Version: beta 0.67
Tested on: Windows 7 Ultimate
*/
Proof-Of-Concept :
1. Create malicious dll file and save it as UxTheme.dll or ntmarta.dll in
your “Downloads” directory.
2….
PrinceXML PHP wrapper command injection
Posted by Brandon Perry on Jul 06
While grabbing a copy of PrinceXML, I noticed the company also offered some wrapper classes in various languages for using
prince in server applications (web applications).
http://www.princexml.com/download/wrappers/
Taking a quick look at the PHP class, there are likely numerous command injection vulnerabilities. I was able to prove
a quick PoC out. Some quick googling yielded more results…