NVD

CVE-2016-9956

February 22, 2017 007admin

The route manager in FlightGear before 2016.4.4 allows remote attackers to write to arbitrary files via a crafted Nasal script.

NVD

CVE-2014-4677

February 22, 2017 007admin

The installPackage function in the installerHelper subcomponent in Libmacgpg in GPG Suite before 2015.06 allows local users to execute arbitrary commands with root privileges via shell metacharacters in the xmlPath argument.

NVD

CVE-2016-9400

February 22, 2017 007admin

The CClient::ProcessServerPacket method in engine/client/client.cpp in Teeworlds before 0.6.4 allows remote servers to write to arbitrary physical memory locations and possibly execute arbitrary code via vectors involving snap handling.

Drupal

Timezone Detect – Moderately Critical – Cross Site Request Forgery – SA-CONTRIB-2017-020

February 22, 2017 007admin

Advisory ID: DRUPAL-SA-CONTRIB-2017-020
Project: Timezone Detect (third-party module)
Version: 7.x
Date: 2017-February-22
Security risk: 13/25 ( Moderately Critical) AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:All
Vulnerability: Cross Site Request Forgery

Description

This module enables sites to automatically detect and set user timezones via JavaScript.

The module does not sufficiently protect against Cross-Site Request Forgery (CSRF): an attacker could use this vulnerability to manipulate a user’s timezone setting. The security implication of this issue depends on the site. It can range from minor annoyance to some level of a bigger bug on a site that relies on the timezone for some more important purpose.

CVE identifier(s) issued

A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

Timezone Detect 7.x-1.x versions prior to 7.x-1.2.

Drupal core is not affected. If you do not use the contributed Timezone Detect module, there is nothing you need to do.

Solution

Install the latest version:

If you use the Timezone Detect module for Drupal 7.x, upgrade to Timezone Detect 7.x-1.2

Also see the Timezone Detect project page.

Reported by

Greg Knaddison of the Drupal Security Team

Fixed by

Jordan Magnuson the module maintainer

Coordinated by

Greg Knaddison of the Drupal Security Team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Full Disclosure

Synology NAS "Auto Block IP" bypass and hide real IP in Synology logs

February 22, 2017 007admin

Posted by bashis on Feb 22

Greetings,

1. Seems to be possible bypass the default enabled “Auto Block of IP address” functionality in Synologic’s NAS by using
only one single space (x20) to the HTTP header “X-FORWARDED-FOR”
(If already Auto Blocked, this bypass will _not_ work)

Generates in /var/log/messages: 2017-02-21T20:39:13+02:00 VirtualDSM_8451 login.cgi: login.c:1039 login.c (1039)Bad
parameter :”
Bypassing whole function that…

Full Disclosure