Full Disclosure
Posted by Asterisk Security Team on Apr 08
Asterisk Project Security Advisory – AST-2015-003
Product Asterisk
Summary TLS Certificate Common name NULL byte exploit
Nature of Advisory Man in the Middle Attack
Susceptibility Remote Authenticated Sessions
Severity Major…
Posted by Levon Kayan on Apr 08
Hi,
Today, nullsecurity released a new tool: smalisca.
[ DESCRIPTION ]
Static Code Analysis tool for Smali files.
If you ever have looked at Android applications you know to appreciate
the ability of analyzing your target at the most advanced level. Dynamic
programm analysis will give you a pretty good overview of your
applications activities and general behaviour. However sometimes you’ll
want to just analyze your application *without*…
Posted by Gsunde Orangen on Apr 08
Thanks, Matthew, for having spotted this.
As only current versions of Appweb (4 & 5) have been addressed so far,
but legacy versions (see http://embedthis.com/appweb/download.html) were
not mentioned yet in https://github.com/embedthis/appweb/issues/413 :
– Appweb V3: vulnerable, too
— Source code audit on Appweb 3.4.2:
The vulnerable code is not in the parseRange() function in
paks/http/httpLib.c, but similarly in http/request.c
–…
Posted by Pedro Ribeiro on Apr 08
Hi,
I’ve found a reported an unrestricted file upload vulnerability in
Novell ZenWorks Configuration Management which can be abused to
achieve remote code execution.
The full advisory text is below, and can also be obtained from my repo
[1]. A Metasploit module has been submitted and should hopefully be
accepted soon [2].
Regards,
Pedro
=================================================================================
Disclosure:…
Posted by Bhadresh Patel on Apr 08
Title:
====
HotExBilling Manager – Cross-site scripting (XSS) vulnerability
Credit:
======
Name: Bhadresh Patel
Company/affiliation: HelpAG
Website: www.helpag.com
CVE:
=====
CVE-2015-2781
Date:
====
12-03-2015 (dd/mm/yyyy)
Vendor:
======
Hotspot Express has been in the billing solution business since 1997 in its earlier name EasyBrowsing. Initially, it
designed billing solution to address Internet Café. Till today we have more 10000…
Posted by Securify B.V. on Apr 07
————————————————————————
Reflected Cross-Site Scripting vulnerability in asdoc generated
documentation
————————————————————————
Radjnies Bhansingh, March 2014
————————————————————————
Abstract
————————————————————————
A reflected Cross-Site scripting…
Posted by Pichaya Morimoto on Apr 05
######################################################################
# _ ___ _ _ ____ ____ _ _____
# | | / _ | | |/ ___|/ ___| / |_ _|
# | | | | | | | | | _| | / _ | |
# | |__| |_| | | | |_| | |___ / ___ | |
# |________/|_| _|____|____/_/ __|
#
# phpSFP – Schedule Facebook Posts 1.5.6 Pre-auth SQL Injection (0-day)
# Website :
http://codecanyon.net/item/phpsfp-schedule-facebook-posts/5177393
#…
Posted by Jing Wang on Apr 05
*6kbbs v8.0 XSS (Cross-site Scripting) Security Vulnerabilities*
Exploit Title: 6kbbs XSS (Cross-site Scripting) Security Vulnerabilities
Vendor: 6kbbs
Product: 6kbbs
Vulnerable Versions: v7.1 v8.0
Tested Version: v7.1 v8.0
Advisory Publication: April 02, 2015
Latest Update: April 02, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: *
Impact CVSS Severity (version 2.0):
CVSS v2 Base Score: 4.3 (MEDIUM)…
Posted by Jing Wang on Apr 05
*6kbbs v8.0 Multiple CSRF (Cross-Site Request Forgery) Security
Vulnerabilities*
Exploit Title: 6kbbs Multiple CSRF (Cross-Site Request Forgery) Security
Vulnerabilities
Vendor: 6kbbs
Product: 6kbbs
Vulnerable Versions: v7.1 v8.0
Tested Version: v7.1 v8.0
Advisory Publication: April 02, 2015
Latest Update: April 02, 2015
Vulnerability Type: Cross-Site Request Forgery (CSRF) [CWE-352]
CVE Reference: *
CVSS Severity (version 2.0):
CVSS v2 Base…
Posted by Jing Wang on Apr 05
*6kbbs v8.0 SQL Injection Security Vulnerabilities*
Exploit Title: 6kbbs Multiple SQL Injection Security Vulnerabilities
Vendor: 6kbbs
Product: 6kbbs
Vulnerable Versions: v7.1 v8.0
Tested Version: v7.1 v8.0
Advisory Publication: April 01, 2015
Latest Update: April 01, 2015
Vulnerability Type: Improper Neutralization of Special Elements used in an
SQL Command (‘SQL Injection’) [CWE-89]
CVE Reference: *
Impact CVSS Severity (version…