Category Archives: Full Disclosure

Advisory: CVE-2014-9707: GoAhead Web Server 3.0.0 – 3.4.1

Posted by Matthew Daley on Mar 28

Affected software: GoAhead Web Server
Affected versions: 3.0.0 – 3.4.1 (3.x.x series before 3.4.2)
CVE ID: CVE-2014-9707

Description: The server incorrectly normalizes HTTP request URIs that
contain path segments that start with a “.” but are not entirely equal
to “.” or “..” (eg. “.x”). By sending a request with a URI that
contains these incorrectly handled segments, it is possible for remote
attackers to…

(0DAY) WebDepo -SQL injection / INURL BRASIL

Posted by INURL Brasil on Mar 28

Advisory: SQLi-vulnerabilities in application CMS WebDepo
Affected application web: Application CMS WebDepo (Release date: 28/03/2014)
Vendor URL: http://www.webdepot.co.il
Vendor Status: 0day

==========================
Vulnerability Description:
==========================

Records and client practice management application
CMS WebDepo suffers from multiple SQL injection vulnerabilities

==========================
Technical Details:…

1501H – MSIE 8 – F12 Developer Tools tooltips use-after-free

Posted by Berend-Jan Wever on Mar 26

TL;DR: Full disclosure of low risk 0-day in MSIE 8 after 60-day deadline
passed without a fix.

1501H – MSIE 8 – F12 Developer Tools tooltips use-after-free
=====================================

Synopsis
--------
When using the Developer Tools of MSIE 8, one might hover the mouse over a
button in the “Script” tab, at which point a “tooltip” is shown. If one then
clicks the button, a use-after-free occurs.

Known affected…

Insecure file upload in Berta CMS

Posted by Simon Waters on Mar 26

Berta CMS is a web based content management system using PHP and local file storage.

http://www.berta.me/

Due to use of a 3rd party Berta CMS website to redirect links within a phishing email brought to our attention we
checked the file upload functionality of this software.

We found that the file upload didn’t require authentication.

Images with a “.php” extension could be uploaded, and all that was required is that they pass…

Remote Code Execution in Realms Wiki install.sh

Posted by Javantea on Mar 25

Remote Code Execution in realms-wiki install.sh
by Javantea
Mar 15, 2015

Product: Realms Wiki
Website: http://realms.io/
Github: https://github.com/scragg0x/realms-wiki
CVSS Score: 7.9 (AV:A/AC:M/Au:N/C:C/I:C/A:C)

On line 20 of realms-wiki install.sh, a GPG key that is requested via HTTP is added to the apt keyring. A remote
attacker that has a man-in-the-middle (via ARP spoof, DNS spoof, or HTTP man-in-the-middle) against the person…

CSRF in Realms Wiki

Posted by Javantea on Mar 25

CSRF in Realms Wiki
Vulnerability Report
Mar 19, 2015

Product: Realms Wiki
Website: http://realms.io/
Github: https://github.com/scragg0x/realms-wiki
CVSS Score: 7.8 (AV:N/AC:L/Au:N/C:N/I:C/A:N)

Realms Wiki is vulnerable to Cross-Site Request Forgery on all posts. Especially of concern are New, Edit, and Revert.
If Realms Wiki had significant authentication mechanisms such as site administration, user administration, and so
forth, these…

Announcing NorthSec 2015 – Montreal, May 21-24

Posted by Pierre-David / NorthSec Conference on Mar 25

www.nsec.io – northsec.eventbrite.ca

NorthSec 2015, one of the biggest applied security events in Canada,
coming up in Montreal May 21-24, with a 2-day technical conference
followed by a 48h on-site CTF.

The full line-up of speakers has been announced at
https://www.nsec.io/speakers featuring:

* KEYNOTE, from Chris Prince of the Office of the Privacy Commissioner of
Canada, here to talk about Privacy, Surveillance & Oversight.

* Joan…

Windows Local WebDAV NTLM Reflection Elevation of Privilege

Posted by James Forshaw on Mar 24

Windows Local WebDAV NTLM Reflection Elevation of Privilege
Platform: Windows 8.1 Update, Windows 7
Class: Elevation of Privilege
Disclosure Date: 18th March 2015
Reference: https://code.google.com/p/google-security-research/issues/detail?id=222

Summary:
A default installation of Windows 7/8 can be made to perform a NTLM
reflection attack through WebDAV which allows a local user to elevate
privileges to local system. It can also be used to…

Wall of Sheep Speaker Workshops at DEF CON 23 CFP Now Open

Posted by Ming on Mar 23

#Overview
The Wall of Sheep would like to announce a call for presentations at DEF
CON 23 at the Paris and Bally’s Hotels in Las Vegas, NV from Friday, August
7th to Sunday, August 9th. The Wall of Sheep will be delivering talks that
increase security awareness and provide skills that can be immediately
applied after the conference. Our audience ranges from those who are new to
security to the most seasoned practitioners in the security…