Monthly Archives: December 2015
Values – Critical – Arbitrary PHP code execution – SA-CONTRIB-2015-172
- Advisory ID: DRUPAL-SA-CONTRIB-2015-172
- Project: Values (third-party module)
- Version: 7.x
- Date: 2015-December-16
- Security risk: 16/25 ( Critical) AC:Basic/A:Admin/CI:All/II:All/E:Proof/TD:Uncommon
- Vulnerability: Arbitrary PHP code execution
Description
This module enables you to create key|value pairs for use in list fields, webforms etc.
The module includes an import page that runs eval() on an exported code block (ctools), but the permission for the page does not warn about security concerns of importing raw php code like this (trusted permission).
This vulnerability is mitigated by the fact that an attacker must have a role with the permission “import value sets”.
CVE identifier(s) issued
- A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
- Values 7.x-1.x versions prior to 7.x-1.2.
Drupal core is not affected. If you do not use the contributed Values module, there is nothing you need to do.
Solution
Install the latest version:
- If you use the values module for Drupal 7.x, upgrade to Values 7.x-1.2
Also see the Values project page.
Reported by
Fixed by
- Chris Eastwood the module maintainer
Coordinated by
- Greg Knaddison of the Drupal Security Team
- Michael Hess of the Drupal Security Team
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.
Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity
Drupal version:
FireEye Wormable Remote Code Execution In MIP JAR Analysis
The FireEye MPS (Malware Protection System) is vulnerable to a remote code execution vulnerability, simply from monitoring hostile traffic. FireEye is designed to operate as a passive network tap, so that it can see all the files and emails that enter a monitored network. This vulnerability allows an attacker to compromise the FireEye device, get a root shell and start monitoring all traffic on the victim network (emails, attachments, downloads, web browsing, etc). This is about the worst possible vulnerability that you can imagine for a FireEye user, it literally does not get worse than this.
Wireshark Dissect_tds7_colmetadata_token Buffer Overflow
An ASAN build of Wireshark suffers from a stack-based buffer overflow in Dissect_tds7_colmetadata_token.
Wireshark Wmem_alloc Assertion Failure Crash
An ASAN build of Wireshark suffers from an assertion failure crash in Wmem_alloc.
Panda Security launches Small Business Protection, the cybersecurity solution for microbusinesses and freelancers
Online threats don’t just affect private users and large corporations. Freelancers and microbusinesses, which in the USA account for nearly 80% of the business sector, are an easy target for cybercriminals.
To help them stay protected against the 230,000 malware samples that are created daily, Panda Security has launched Small Business Protection, the new antivirus for freelancers and microbusinesses that protects them against large threats. Now, these companies can rely on a solution that eliminates, in real-time, all types of viruses and threats on IT devices.
Amongst the main characteristics of Small Business Protection is its ability to protect against both known and unknown threats, thanks to a security model based on the supervision of processes and the control of applications that run on the company’s computers.
This allows Panda to offer these types of businesses a complete protection that also protects against online fraud, identity theft, phishing attacks, and other threats. What’s more, in no way will it affect the performance of the devices as it is a lightweight and responsive product.
Wi-Fi protection against hackers and intruders
One of the daily battles that microbusinesses face is keeping their corporate data free from threats via Wi-Fi connections. To combat this, Small Business Protection includes a security model that detects weaknesses on the Wi-Fi network and protects against intruders. Thanks to a bidirectional firewall, corporate users can browse on the network in peace, without interruptions, and protected against unwanted connections.
Furthermore, Panda Security has incorporated a series of periodic tips and recommendations in Small Business Protection so that its users can increase the security of their network without needing to be IT experts.
“With Small Business Protection we wanted to help freelancers and microbusinesses to protect their business. They need the same protection as a large organization and by using free antiviruses, or inappropriate solutions, they are putting their company’s security at risk,” claims Alejandro García, Panda Security’s Head of Global Strategy. “This solution is particularly relevant for the USA, where approximately 80% of businesses consist of 9 employees or less.”
Small Business Protection is a product designed so as to allow freelancers and SMEs to focus their attention on the correct development of their business, removing any barrier that gets in the way of this, including cybersecurity. An intuitive and simplexity version of Panda Security’s best protection just for them.
To get more information on Small Business Protection, enter here.
The post Panda Security launches Small Business Protection, the cybersecurity solution for microbusinesses and freelancers appeared first on MediaCenter Panda Security.