Category Archives: Full Disclosure

InfiniteWP Client WordPress Plugin unauthenticated PHP Object injection vulnerability

Posted by Summer of Pwnage on Jan 25

————————————————————————
InfiniteWP Client WordPress Plugin unauthenticated PHP Object injection
vulnerability
————————————————————————
Yorick Koster, June 2016

————————————————————————
Abstract
————————————————————————
A PHP Object injection vulnerability…

CMS Commander Client WordPress Plugin unauthenticated PHP Object injection vulnerability

Posted by Summer of Pwnage on Jan 25

————————————————————————
CMS Commander Client WordPress Plugin unauthenticated PHP Object
injection vulnerability
————————————————————————
Yorick Koster, June 2016

————————————————————————
Abstract
————————————————————————
A PHP Object injection…

Google Forms WordPress Plugin unauthenticated PHP Object injection vulnerability

Posted by Summer of Pwnage on Jan 25

————————————————————————
Google Forms WordPress Plugin unauthenticated PHP Object injection
vulnerability
————————————————————————
Yorick Koster, June 2016

————————————————————————
Abstract
————————————————————————
A PHP Object injection vulnerability was…

Re: Executable installers are vulnerable^WEVIL (case 46): Pelles C allows arbitrary code execution

Posted by Stefan Kanthak on Jan 24

"Ding Dong" <dingdongloop () gmail com> wrote:

Please stop top posting and full quotes!

Run "NTSD.exe setup.exe" and see which DLLs Windows loads, and how
they are loaded.
Rename setup.exe to something.exe, run "NTSD.exe something.exe" and
compare the results.

JFTR: NTSD.exe was shipped with Windows NT5.x; in newer versions you
have to install the debugging tools.

If you want to run without debugger:…

APPLE-SA-2017-01-23-7 iTunes for Windows 12.5.5

Posted by Apple Product Security on Jan 24

APPLE-SA-2017-01-23-7 iTunes for Windows 12.5.5

iTunes for Windows 12.5.5 is now available and addresses the
following:

WebKit
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed through
improved memory handling.
CVE-2017-2354: Neymar of Tencent’s Xuanwu Lab (tencent.com) working
with Trend Micro’s Zero Day Initiative

WebKit
Impact:…

WD My Cloud Mirror 2.11.153 RCE and Authentication Bypass

Posted by Kacper Szurek on Jan 24

# Exploit Title: WD My Cloud Mirror 2.11.153 RCE and Authentication Bypass
# Date: 24.01.2017
# Software Link: https://www.wdc.com
# Exploit Author: Kacper Szurek
# Contact: https://twitter.com/KacperSzurek
# Website: https://security.szurek.pl/
# Category: local

1. Description

It’s possible to execute arbitrary commands using the login form because
the `exec()` function is used without `escapeshellarg()`.

It’s possible to bypass login form…

APPLE-SA-2017-01-23-6 iCloud for Windows 6.1.1

Posted by Apple Product Security on Jan 23

APPLE-SA-2017-01-23-6 iCloud for Windows 6.1.1

iCloud for Windows 6.1.1 is now available and addresses the
following:

WebKit
Available for: Windows 7 and later
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed through
improved memory handling.
CVE-2017-2354: Neymar of Tencent’s Xuanwu Lab (tencent.com) working
with Trend Micro’s Zero…

APPLE-SA-2017-01-23-5 Safari 10.0.3

Posted by Apple Product Security on Jan 23

APPLE-SA-2017-01-23-5 Safari 10.0.3

Safari 10.0.3 is now available and addresses the following:

Safari
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.3
Impact: Visiting a malicious website may lead to address bar spoofing
Description: A state management issue in the address bar was
addressed through improved URL handling.
CVE-2017-2359: xisigr of Tencent’s Xuanwu Lab (tencent.com)

WebKit
Available…

New mailing-list on IoT hacking

Posted by Fernando Gont on Jan 23

Folks,

We have created a new mailing-list: IoT Hackers
(<https://lists.si6networks.com/mailman/listinfo/iot-hackers>).

It is meant to provide a forum for security researchers and networking
professionals to discuss low-level networking and security issues
related to IoT.

Subscription to the list is open to the community. However, posts to the
list from new subscribers are moderated, in order to keep an acceptable
signal/noise ratio….