Category Archives: Full Disclosure

Multiple SQL injections in core Orion service affecting many Solarwinds products (CVE-2014-9566)

Posted by Brandon Perry on Mar 03

I found a couple of SQL injection vulnerabilities in the core Orion service
used in most of the Solarwinds products (SAM, IPAM, NPM, NCM, etc…). This
service provides a consistent configuration and authentication layer across
the products.

To be exact, the vulnerable applications and versions are:

Network Performance Monitor — < 11.5
NetFlow Traffic Analyzer — < 4.1
Network Configuration Manager — < 7.3.2
IP Address Manager — <…

RVAsec 2015 CFP Open!

Posted by Sullo on Mar 02

The RVAsec 2015 conference will be held on June 4-5, 2015, in Richmond,
Virginia.

RVAsec is a Richmond, VA based security convention that brings top industry
speakers to the Mid-Atlantic region. Last year, RVAsec 2014 attracted 350
security professionals from across the country. For 2015, the conference has
a two-day, dual-track format, with a mixed focus on technical and
management/business presentations.

All talks must be 55 minutes in…

Slim Framework – (CVE-2015-2171, PHP Object Injection), Other Vulnerabilities

Posted by Scott Arciszewski on Mar 02

Product: Slim PHP Framework
Website: http://www.slimframework.com/
Affected versions: 2.5.0 and lower
Fixed in: 2.6.0 (released 2015-03-01)
CVSS Score: I don’t care. Does anybody really?

“””
Slim has super-secure cryptography using military-grade encryption. Slim
uses your unique key to encrypt session and cookie data before persisting
data to disk.
“””

Wow, sounds great. Let’s look under the hood….

CVE-2015-1187: D-Link DIR-636L Remote Command Injection – Incorrect Authentication

Posted by csirt on Mar 02

#############################################################################
#
# SWISSCOM CSIRT SECURITY ADVISORY – http://www.swisscom.com/security
#
#############################################################################
#
# CVE ID: CVE-2015-1187
# Product: D-Link DIR636L
# Vendor: D-Link
# Subject: Remote Command Injection – Incorrect Authentication
# Effect: Remotely exploitable
# Author: Tiago Caetano Henriques,…

Vulnerabilities in Hikvision DS-7204HWI-SH

Posted by MustLive on Mar 02

Hello list!

There are Abuse of Functionality and Brute Force vulnerabilities in
Hikvision DS-7204HWI-SH.

————————-
Affected products:
————————-

The following model is vulnerable: Hikvision DS-7204HWI-SH, with different
versions of firmware.

———-
Details:
———-

Abuse of Functionality (WASC-42):

Login is persistent: admin (only logins for users can be changed), which
simplifies Brute Force attacks.

Brute…

GDS Labs Alert [CVE-2015-2080] – JetLeak Vulnerability: Remote Leakage Of Shared Buffers In Jetty Web Server

Posted by Ron Gutierrez on Mar 02

GDS LABS ALERT: CVE-2015-2080
JetLeak Vulnerability Remote Leakage Of Shared Buffers In Jetty Web Server

SYNOPSIS
========
Gotham Digital Science discovered a critical information leakage
vulnerability in the Jetty web server that allows an unauthenticated remote
attacker to read arbitrary data from previous requests and responses
submitted to the server by other users.

The vulnerability was made public by the Jetty development team on the…

D-Link and TRENDnet 'ncc2' service – multiple vulnerabilities

Posted by Peter Adkins on Mar 02

Discovered by:
—-
Peter Adkins <peter.adkins () kernelpicnic net>

Access:
—-
Local network; unauthenticated access.
Remote network; unauthenticated access*.
Remote network; ‘drive-by’ via CSRF.

Tracking and identifiers:
—-
CVE – Mitre contacted; not yet allocated.

Platforms / Firmware confirmed affected:
—-
D-Link DIR-820L (Rev A) – v1.02B10
D-Link DIR-820L (Rev A) – v1.05B03
D-Link DIR-820L (Rev B) – v2.01b02
TRENDnet…

0x08 SEC-T 2015: Call For Papers announcement

Posted by Matt on Mar 02

The SEC-T Organizers are pleased to announce the start of the 2015
SEC-T 0x08 Call For Papers.

The rules are pretty much the same as every year so save the deadline
date and get cracking. 😉 The SEC-T conference is an information
security conference strongly rooted in the technical realm. Talks on
technical subjects with no applicability to information security are
admissible as long as they are cool! Some topics we find interesting
are:

-…

upstart logrotate privilege escalation in Ubuntu Vivid (development)

Posted by halfdog on Mar 02

Although just reported to Ubuntu, this minor dev-branch issue was already made public. As the launchpad/lkml/…
feed-miners should not play all the games alone, and as others may want to learn how beginner errors still make it into
packages of quite large distributions, enjoy the power of

for session in /run/user/*/upstart/sessions/*
do
    # each $session file sits in a per-user runtime directory, so its contents
    # are user-controlled; the unquoted $(cat $session) is word-split and every
    # word becomes a separate argument to env
    env $(cat $session) /sbin/initctl emit rotate-logs >/dev/null 2>&1 || true
done

executed as…
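The following script is an added demonstration of the pattern in the loop above; it is not halfdog's code and not the Ubuntu package's code or patch. It replaces /sbin/initctl with a stand-in that only reports what it was asked to do, builds its session files in a temporary directory (the UPSTART_SESSION address format is assumed for illustration), and shows that because $(cat $session) is expanded unquoted into an env(1) command line, whoever can write the session file chooses what env executes. The stricter replacement at the end is this example's own suggestion, not necessarily the fix the distribution shipped.

```shell
#!/bin/sh
# Added example: unquoted expansion of a user-writable file into env(1)
# versus a strict single-assignment parse. Everything below runs in a
# temporary directory; /run/user and /sbin/initctl are never touched.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Stand-in for /sbin/initctl: print the arguments it received and the
# UPSTART_SESSION value it inherited from its environment.
FAKE_INITCTL="$WORK/initctl"
cat > "$FAKE_INITCTL" <<'EOF'
echo "initctl $* (UPSTART_SESSION=${UPSTART_SESSION:-unset})"
EOF

# Constructed session files (assumed format: one UPSTART_SESSION=... line).
# In the real layout these live under /run/user/<uid>/, a directory owned by
# that user, so the user may put anything in them.
GOOD="$WORK/good"
printf 'UPSTART_SESSION=unix:abstract=/com/ubuntu/upstart-session/1000/1234\n' > "$GOOD"

# A file whose first word is not NAME=value: env treats it as the command.
BAD="$WORK/bad"
printf 'echo HIJACKED\n' > "$BAD"

# An assignment with an extra word smuggled in after a space.
EXTRA="$WORK/extra"
printf 'UPSTART_SESSION=unix:abstract=/x extra-word\n' > "$EXTRA"

# The pattern from the logrotate script: $(cat file) is word-split and each
# word becomes an argument to env. Any word that is not NAME=value is taken
# by env as the program to run, so the file's author decides what executes.
unsafe_emit() {
    env $(cat "$1") sh "$FAKE_INITCTL" emit rotate-logs 2>/dev/null
}

# Stricter replacement (this example's assumption, not the shipped fix):
# read exactly one line, require it to be UPSTART_SESSION=<value> with a
# conservative character set, and pass that single assignment explicitly.
safe_emit() {
    line=$(head -n 1 "$1")
    case "$line" in
        UPSTART_SESSION=*)
            value=${line#UPSTART_SESSION=}
            # anything outside the expected address alphabet (spaces included)
            # is rejected rather than handed to env
            case "$value" in
                *[!A-Za-z0-9:/=._@-]*|'') echo "rejected: bad value"; return 1 ;;
            esac
            env "UPSTART_SESSION=$value" sh "$FAKE_INITCTL" emit rotate-logs ;;
        *)
            echo "rejected: not a session line"; return 1 ;;
    esac
}

# Stand-alone run: the well-formed file behaves the same either way; the
# attacker-shaped files only get through the unsafe path.
unsafe_emit "$GOOD"
unsafe_emit "$BAD"
safe_emit "$GOOD"
safe_emit "$BAD" || true
safe_emit "$EXTRA" || true
```

Run it with sh. The unsafe call on the second file prints a line beginning with HIJACKED, because env ran echo instead of the stand-in initctl; the strict parser refuses both malformed files and passes the well-formed one through unchanged.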