Releasing PuttyRider – for penetration testers

Posted by Adrian Furtuna on Dec 10

Dear List,

I am pleased to announce the release of a new tool that I have recently
developed – called PuttyRider.

In a few words, PuttyRider injects a DLL into a running putty.exe process
in order to sniff all communication and inject Linux commands on the remote
server.
This can be useful in an internal penetration test when you already have
access to a sysadmin’s machine who has a Putty session open to a Linux
server. You can use PuttyRider…

Multiple vulnerabilities in InfiniteWP Admin Panel

Posted by Walter Hop on Dec 10

Multiple vulnerabilities in InfiniteWP Admin Panel
https://lifeforms.nl/20141210/infinitewp-vulnerabilities/

-----

InfiniteWP (http://www.infinitewp.com/) allows an administrator to manage multiple WordPress sites from one control
panel. According to the InfiniteWP homepage, it is used on over 317,000 WordPress sites.

The InfiniteWP Admin Panel contains a number of vulnerabilities that can be exploited by an unauthenticated remote
attacker….

DSA-3097 unbound – security update

Florian Maury from ANSSI discovered that unbound, a validating,
recursive, and caching DNS resolver, was prone to a denial of service
vulnerability. An attacker crafting a malicious zone and able to emit
(or make emit) queries to the server can trick the resolver into
following an endless series of delegations, leading to resource
exhaustion and huge network usage.