Posted by Mohamed A. Baset on Mar 09

# Exploit Title: OpenKM Platform Remote Reflected Cross Site Scripting
# Google Dork: N/A
# Date: 18-11-2014
# Exploit Author: Mohamed Abdelbaset Elnoby (@SymbianSyMoh)
# Vendor Homepage: http://www.openkm.com/en
<http://s.bl-1.com/h/mPQYWnX?url=http://www.openkm.com/en>/
# Software Link: http://www.openkm.com/en/download-english.html
<http://s.bl-1.com/h/mPQZb9Z?url=http://www.openkm.com/en/download-english.html>
# Version: All…

Posted by Hutton on Mar 09

Multiple issues have been discovered in the Untangle NGFW virtual
appliance. The vendor was unresponsive and uncooperative to the researcher.

– Persistent XSS leading to root
Authentication requiredConfirmed in versions 9 and 11 (up to rev r39357)
Throughout
the Untangle user interface there are editable data tables for various
user configuration options. An example of this is in: Configuration >
Networking > Port Forwards. This table…

Posted by Nick FitzGerald on Mar 07

James Hodgkinson wrote:

Indeed!

So you did not notice the explanation that this would happen, right
there on the “continue the install” permission dialog?

The one we can see a screenshot of at, say:

https://grahamcluley.com/2015/03/oracle-java-mac/

Your description rather strongly implies that you have no choice in
getting the Ask toolbar, which is untrue.

I understand that Mac users will likely not be _accustomed_ to such…

Posted by Christophe Hauser on Mar 07

Hi Robert,

thank you, this is very interesting and seems to be one potential
occurrence of what I am looking for.

Nice tool by the way !

Posted by Alan Coopersmith on Mar 07

There are Java updates associated with security fixes on the quarterly
CPU cycle, but those aren’t the only Java updates – it is software under
active development after all, and releases new features too, not just
security patches.

http://www.oracle.com/technetwork/java/javase/overview/jdk-version-number-scheme-1918258.html
https://www.java.com/en/download/faq/release_dates.xml
http://openjdk.java.net/projects/jdk8u/

Posted by paul . szabo on Mar 07

Alan Coopersmith <alan.coopersmith () oracle com> wrote (and he should
know!):

My observation in the past was that Java updates came with the rest
of the “quarterly CPU” cycle. Was that wrong, has something changed?

Thanks, Paul

Paul Szabo psz () maths usyd edu au http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia

Posted by James Hodgkinson on Mar 07

Maybe the major change is that they’re including the Ask toolbar in all releases now, not just the windows one? 🙂

The unwelcome Ask extension shows up as part of the installer if a Mac user downloads Java 8 Update 40 for the Mac. In
my tests on a Mac running that latest release of OS X, the installer added an app to the current browser, Chrome
version 41 …
James

My reading of the first WWW page is that only Java SE 7 u75/76 contains…

Posted by Alexander Burke on Mar 07

Java 8u40 includes adware on OS X for the first time ever:

http://www.zdnet.com/article/oracle-extends-its-adware-bundling-to-include-java-for-macs/

Sorry for the poor quality of the link; I don’t have time to find a better one.

— Alex

El 06/03/2015, a les 21:02, paul.szabo () sydney edu au va escriure:

Posted by Alan Coopersmith on Mar 07

Java 8u40 is a feature release that’s been planned for almost a year, not
a special out of band bug fix release.

http://openjdk.java.net/projects/jdk8u/releases/8u40.html
https://blogs.oracle.com/thejavatutorials/entry/jdk_8u40_released

Posted by MustLive on Mar 07

Hello list!

There are Cross-Site Scripting and Cross-Site Request Forgery
vulnerabilities in ASUS Wireless Router RT-G32.

————————-
Affected products:
————————-

Vulnerable is the next model: ASUS RT-G32 with different versions of
firmware. I checked in ASUS RT-G32 with firmware versions 2.0.2.6 and
2.0.3.2.

———-
Details:
———-

Cross-Site Scripting (WASC-08):…