HP Security Bulletin HPSBMU03217 1 – A potential security vulnerability has been identified with HP Vertica. This is the Bash Shell vulnerability known as “ShellShock” which could be exploited remotely to allow execution of code. Revision 1 of this advisory.
Monthly Archives: December 2014
UFONet 0.4b
UFONet is a tool designed to launch DDoS attacks against a target, using open redirection vectors on third party web applications.
Jease CMS v2.11 – Persistent UI Web Vulnerability
Posted by Vulnerability Lab on Dec 17
Document Title:
===============
Jease CMS v2.11 – Persistent UI Web Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1373
Release Date:
=============
2014-12-12
Vulnerability Laboratory ID (VL-ID):
====================================
1373
Common Vulnerability Scoring System:
====================================
3.7
Product & Service Introduction:
===============================…
SA-CONTRIB-2014-126 – Open Atrium – Multiple vulnerabilities
- Advisory ID: DRUPAL-SA-CONTRIB-2014-126
- Project: Open Atrium (third-party module)
- Version: 7.x
- Date: 2014-12-17
- Security risk: 13/25 ( Moderately Critical) AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default
- Vulnerability: Access bypass, Cross Site Request Forgery, Multiple vulnerabilities
Description
This distribution enables you to create an intranet.
Several of the sub modules included do not prevent CSRF on several menu callbacks.
Open Atrium Discussion also does not exit correctly after checking access on a several ajax callbacks, allowing anyone with “access content” to update and delete nodes.
Also, (alpha) module OG Subgroups contained a vulnerability that allowed access to child groups even if membership inheritance was disabled.
The vulnerabilities are mitigated by needing the sub modules enabled — Open Atrium Sitemap, Open Atrium Discussion, and OpenA trium Admin Role and OA Teams, modules bundled with of Open Atrium Core.
CVE identifier(s) issued
- A CVE identifier will be requested, and added upon issuance, in accordance
with Drupal Security Team processes.
Versions affected
- Open Atrium 7.x-2.x versions prior to 7.x-2.26
Drupal core is not affected. If you do not use the contributed Open Atrium module,
there is nothing you need to do.
Solution
Install the latest version:
- If you use the Open Atrium Distro for Drupal 7.x, upgrade to Open Atrium 7.x-2.26
Also see the Open Atrium project page.
Reported by
- Hunter Fox of the Drupal Security Team & an Open Atrium maintainer
- Pere Orga
Fixed by
- Hunter Fox of the Drupal Security Team & an Open Atrium maintainer
Coordinated by
- Hunter Fox of the Drupal Security Team & an Open Atrium maintainer
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.
Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity
Drupal version:
Dutch University unveils ‘fraud proof’ credit card concept
A Dutch university has reportedly made great steps towards making the dream of a ‘fraud-proof’ credit card a reality by utilizing quantum physics.
The post Dutch University unveils ‘fraud proof’ credit card concept appeared first on We Live Security.
CVE-2014-7285
The management console on the Symantec Web Gateway (SWG) appliance before 5.2.2 allows remote authenticated users to execute arbitrary OS commands by injecting command strings into unspecified PHP scripts.
CVE-2014-7880
Multiple unspecified vulnerabilities in the POP implementation in HP OpenVMS TCP/IP 5.7 before ECO5 allow remote attackers to cause a denial of service via unspecified vectors.
Delta Airlines security flaw exposes passengers’ boarding passes
A vulnerability at Delta Airlines which allowed customers to view any other passengers’ electronic boarding passes has been fixed, reports Ubergizmo.
The post Delta Airlines security flaw exposes passengers’ boarding passes appeared first on We Live Security.
Kaspersky Lab Survey: Half of Companies Put Themselves at Risk by Undervaluing DDoS Countermeasures
Google Adds Content Security Policy Support to Gmail
Google has added another layer of security for users of Gmail on the desktop, which now supports content security policy, a standard that’s designed to help mitigate cross-site scripting and other common Web-based attacks. CSP is a W3C standard that has been around for several years, and it’s been supported in a number of browsers […]