CVE-2015-8298 SQL Injection Vulnerability in RXTEC RXAdmin

Posted by SBA Research Advisory on Nov 24

### RXTEC_20150513
#### Title: SQL injection vulnerability in the RXTEC RXAdmin Login Page allows remote attackers to execute arbitrary SQL commands via several HTTP parameters.
#### Type of vulnerability: SQL injection
#### Attack outcome: It is possible to extract all information from the database in use by the application. Depending on the configuration of the SQL server, arbitrary code execution might be possible.
#### Impact: Critical
####…

Re: LiteCart 1.3.2: Multiple XSS

Posted by Curesec Research Team (CRT) on Nov 24

Hi,

These vulnerabilities are similar, as both of them are issues with the
query parameter of the search.

However, the issue in version 1.1.2.1 exploits this line:

<?php if ($_GET['query']) { ?>
<h1 class="title"><?php echo
sprintf(language::translate('title_search_results_for_s', 'Search
Results for &quot;%s&quot;'), $_GET['query']); ?></h1>…
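As an added illustration of the pattern quoted in the reply above (not code from LiteCart or from Curesec), the following stand-alone PHP script places the unencoded `echo sprintf(...)` next to an output-encoded version and runs both against a constructed payload. The `language::translate` class is not shown on this page, so a stub that returns the default format string is assumed in its place.

```php
<?php
// Added example, not LiteCart or Curesec code: shows the reflected-XSS
// pattern from the reply above (a GET parameter interpolated into HTML
// with no output encoding) next to the hardened version.

// Stand-in for language::translate() in the original. Assumption: it
// returns the default format string unchanged; the real class is not shown.
function translate_stub(string $key, string $default): string
{
    return $default;
}

// Vulnerable: the raw query value is placed straight into the <h1>.
function render_title_vulnerable(string $query): string
{
    $fmt = translate_stub('title_search_results_for_s',
                          'Search Results for &quot;%s&quot;');
    return '<h1 class="title">' . sprintf($fmt, $query) . '</h1>';
}

// Hardened: HTML-encode the untrusted value before it enters markup.
// ENT_QUOTES encodes both quote styles, so the same helper is also safe
// inside an attribute; ENT_SUBSTITUTE replaces invalid UTF-8 instead of
// returning an empty string, which would otherwise silently hide bad input.
function render_title_safe(string $query): string
{
    $safe = htmlspecialchars($query, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $fmt  = translate_stub('title_search_results_for_s',
                           'Search Results for &quot;%s&quot;');
    return '<h1 class="title">' . sprintf($fmt, $safe) . '</h1>';
}

// Constructed payload for the demonstration; on the live page this value
// arrives as $_GET['query'], which is what makes the original exploitable.
$payload = '<script>alert(1)</script>';

echo render_title_vulnerable($payload), PHP_EOL;
echo render_title_safe($payload), PHP_EOL;

// Sanity check: the hardened output must not contain a live tag.
if (strpos(render_title_safe($payload), '<script') !== false) {
    throw new RuntimeException('encoding failed');
}
```

Run it with `php example.php`: the first line carries the script tag through untouched, the second shows it as entity-encoded text the browser will only display. The fix belongs at the output site, not at the input: `$_GET['query']` is legitimately allowed to contain `<` or `"`, so encoding for the HTML context at the point of echo is what removes the injection, and the same value would need URL or JavaScript encoding if it were ever written into a link or a script block instead.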

‘Connected Cuddlies’ set to up the 2,190 hours tots spend online a year

LONDON, 24 November 2015: With parents gearing up for the online shopping blitz that is Black Friday and Cyber Monday later this month, AVG Technologies – the online security company for more than 200 million monthly active users – has released new research revealing the amount of time today’s kids are currently spending online and what this year’s ‘must have’ toys mean for their screen time and security risk.

The study, conducted among 2,200 UK parents, reveals that one in six (16%) 4-6 year-olds are spending up to six hours online each day, clocking up a massive 2,190 hours every year. The figure is three times higher than the UK average of 2 hours a day, for children aged 4-16.

However, with a new wave of internet-enabled toys – dubbed ‘Connected Cuddlies’ – topping kids’ wish lists this Christmas, this figure could significantly increase with the amount of additional screen time such ‘soft toys’ will add to their day.

The stats also show that two-thirds (66%) of kids already own one or two smart devices by the time they are six years old – a number that ignores the connected toy category completely.

The findings suggest that parents, too, are unaware of the online implications of connected toys like ‘Hello Barbie’, ‘My Friend Freddy’ and ‘Furby Boom’. With toy sales this Black Friday weekend likely to follow the trend set in 2014, exceeding those of the week prior to Christmas, parents need to be increasingly savvy about the type of toy – and subsequent connected commitments – they’re buying their child this holiday season.

Tony Anscombe, an online security expert at AVG Technologies, explains: “With key functionalities of these toys dependent on features such as WiFi connectivity, voice recognition and data collection within apps, parents must understand that the toy they are handing their child is a connected device. As with any connected device, it comes with security and privacy considerations – knowing what data is being collected, where it’s being held and how it can be protected is paramount.

“It’s easy to get caught up in the Christmas shopping culture, being persuaded to purchase by enticing online offers, or even pressure from our own children. However, as parents we must be conscious that the deals we strike online don’t prevent us from keeping our kids safe online – whether they’re ‘logging on’ with a tablet or teddy.”

Further findings from the research and advice for parents on how to help their children remain safe online this Christmas no matter what gift they get, along with blogs from Anscombe, can be found at http://now.avg.com/.

About the Research / Methodology:

AVG commissioned an online survey, interviewing 2,200 UK adult parents (aged 18-65) with one or more children aged 4-16 years old. The market research company, Vanson Bourne, carried out the fieldwork between 4-12 June 2015 using their proprietary panels.


About AVG Technologies:

AVG is the online security company providing leading software and services to secure devices, data and people. AVG’s award-winning technology is delivered to over 200 million monthly active users worldwide.

AVG’s Consumer portfolio includes Internet security, performance optimization, and personal privacy and identity protection for mobile devices and desktops. The AVG Business portfolio – delivered by managed service providers, VARs and resellers – offers IT administration, control and reporting, integrated security, and mobile device management that simplify and protect businesses.

All trademarks are the property of their respective owners. www.avg.com


Press office contacts:

AVG UK Press Office, Waggener Edstrom Communications

CVE-2015-6379

The XML parser in the management interface in Cisco Adaptive Security Appliance (ASA) Software 8.4 allows remote authenticated users to cause a denial of service (device crash) via a crafted XML document, aka Bug ID CSCut14223.

CVE-2015-7285

CSL DualCom GPRS CS2300-R devices with firmware 1.25 through 3.53 do not require authentication from Alarm Receiving Center (ARC) servers, which allows man-in-the-middle attackers to bypass intended access restrictions via a spoofed HSxx response.

CVE-2015-7286

CSL DualCom GPRS CS2300-R devices with firmware 1.25 through 3.53 rely on a polyalphabetic substitution cipher with hardcoded keys, which makes it easier for remote attackers to defeat a cryptographic protection mechanism by capturing IP or v22bis PSTN protocol traffic.

CVE-2015-7287

CSL DualCom GPRS CS2300-R devices with firmware 1.25 through 3.53 use the same 001984 default PIN across different customers’ installations, which allows remote attackers to execute commands by leveraging knowledge of this PIN and including it in an SMS message.

CVE-2015-7288

CSL DualCom GPRS CS2300-R devices with firmware 1.25 through 3.53 allow remote attackers to modify the configuration via a command in an SMS message, as demonstrated by a “4 2” command.

AVG at the 21st Internet Identity Workshop

The Internet Identity Workshop (IIW) recently held their 21st Meeting and AVG was one of the sponsors. Once again hosted at the Computer History Museum in Mountain View, California, this academic conference is focused on finding, probing and exploring the issues related to identity management.

The organizers, Phil Windley (@windley) and Kaliya Hamlin (@IdentityWoman) have managed to keep the IIW event rich with content, and suitably engaging to attract a loyal following of technical people.

The core themes of the conference were around trust, identity, privacy and technology – areas that we at AVG are very passionate about!

While a lot of users are quite proficient with the “sticky note system” for managing their internet identity, passwords and usernames – this conference by contrast is aimed at highly technical and advanced solutions that one day might provide a better and more secure alternative.

Technological advancement is happening quickly in the world of identity, and even a relatively new technology such as OAuth 2.0 is old news at IIW, with this year’s conversation all about the Blockchain – a technology utilized by the well-known cryptocurrency, Bitcoin.

Whereas previous identity recommendations have centered around technologies that look like an unbreakable black box, the Blockchain discussion is driven by a general consensus for complete transparency underpinned by cryptography that provides security and integrity.

The notion of using a Blockchain, which is a type of ‘distributed ledger’, offers the possibility of providing a secure history of every transaction – a chain of trust, which also acts as a permanent, tamper-evident record of your identity: entries cannot be removed or altered without the change being visible to everyone holding a copy of the ledger.

This model of establishing trust is quite intuitive and human. We trust people who are trusted by others, and so forth. For example, it’s the way Google search rankings work (pages that link to other pages), and the way that SSL certificates are signed so you can trust your banking website.

“No, I am your father!”, from Darth Vader in Star Wars, just wouldn’t have carried the same element of surprise to Luke if they had access to Blockchain technology!