Full Disclosure
Posted by Scott Arciszewski on Apr 27
The author added a note on his page: http://klikki.fi/adv/wordpress2.html
Also, searching HackerOne does not reveal a public WordPress program, only
WP-API. Does this mean that WordPress was privately participating in
HackerOne for select hackers? If so, revealing that publicly is kind of
rude. 🙁
Posted by Fyodor on Apr 27
On Mon, Apr 27, 2015 at 8:55 AM, Anthony Ferrara <ircmaxell () gmail com>
wrote:
Apparently WordPress completely ignored all of their notification attempts.
Klikki just added this paragraph to the online version of their advisory (
http://klikki.fi/adv/wordpress2.html):
“WordPress has refused all communication attempts about our ongoing
security vulnerability cases since November 2014. We have tried to reach
them by email, via the…
Posted by Anthony Ferrara on Apr 27
Just for clarification, was the project given a chance to fix this or
notified in any way prior to public announcement?
Posted by Hanno Böck on Apr 27
As there is still no fix from upstream I created a quick’n’dirty fix
for it:
https://gist.github.com/hannob/a07f7b7e196c75c4c1a8
https://files.hboeck.de/wordpress-4.2-emergency-fix-xss.diff
It certainly doesn’t comply with any coding style or anything 🙂 but it
should protect you for now.
Posted by CORE Advisories Team on Apr 27
1. Advisory Information
Title: InFocus IN3128HD Projector Multiple Vulnerabilities
Advisory ID: CORE-2015-0008
Advisory URL: http://www.coresecurity.com/advisories/infocus-in3128hd-projector-multiple-vulnerabilities
Date published: 2015-04-27
Date of last update: 2015-04-22
Vendors contacted: InFocus
Release mode: User release
2. Vulnerability Information
Class: Authentication Bypass Using an Alternate Path or Channel [CWE-288], Missing…
Posted by Scott Arciszewski on Apr 27
Using MySQL column truncation to trick an XSS past their filter… clever.
I never would have thought to do that. 🙂
Posted by MustLive on Apr 27
Hello list!
There are Cross-Site Scripting and Cross-Site Request Forgery
vulnerabilities in ASUS Wireless Router RT-G32.
————————-
Affected products:
————————-
Vulnerable is the next model: ASUS RT-G32 with different versions of
firmware. I checked in ASUS RT-G32 with firmware versions 2.0.2.6 and
2.0.3.2.
Since Asus ignored vulnerabilities in their notebook, which I sent them in
2009, and previous…
Posted by PIN on Apr 26
TL;DR version:
/* really? can other people confirm this behavior pls?
*
* if the guess is off for you, by how many, and can you please
* indicate what compiler version and flags you used?
*
* ive tried with gcc 4.9.2 and 4.8.3 only on kernel 4.0.0 and glibc 2.20
* i suspect its going to be an issue with the loader and kernel and
sys_mmap.
*
* gcc -m64 -s -fpic -pie -o mmap mmap.c
*/
#include <stdio.h>
#include <stdlib.h>…
Posted by Jouko Pynnonen on Apr 26
*Overview*
Current versions of WordPress are vulnerable to a stored XSS. An
unauthenticated attacker can inject JavaScript in WordPress comments. The
script is triggered when the comment is viewed.
If triggered by a logged-in administrator, under default settings the
attacker can leverage the vulnerability to execute arbitrary code on the
server via the plugin and theme editors.
Alternatively the attacker could change the administrator’s…
Posted by Doug on Apr 26
Published here to resist censorship.
Surveillance system used for censorship in Europe
Censorship attack combines packet injection and Heartbleed
We all know there is censorship online. It happens in China. It happens
to “terrorists”. But we don’t believe it will happen to us.
As Eben Moglen[1] and Kaspersky[2] have pointed out, companies developing
crypto are prime targets no matter where they are. So you don’t have
to…