Full Disclosure
Posted by Asterisk Security Team on Apr 08
Asterisk Project Security Advisory – AST-2015-003
Product Asterisk
Summary TLS Certificate Common name NULL byte exploit
Nature of Advisory Man in the Middle Attack
Susceptibility Remote Authenticated Sessions
Severity Major…
Posted by Pedro Ribeiro on Apr 08
Hi,
I’ve found a reported an unrestricted file upload vulnerability in
Novell ZenWorks Configuration Management which can be abused to
achieve remote code execution.
The full advisory text is below, and can also be obtained from my repo
[1]. A Metasploit module has been submitted and should hopefully be
accepted soon [2].
Regards,
Pedro
=================================================================================
Disclosure:…
Posted by Levon Kayan on Apr 08
Hi,
Today, nullsecurity released a new tool: smalisca.
[ DESCRIPTION ]
Static Code Analysis tool for Smali files.
If you ever have looked at Android applications you know to appreciate
the ability of analyzing your target at the most advanced level. Dynamic
programm analysis will give you a pretty good overview of your
applications activities and general behaviour. However sometimes you’ll
want to just analyze your application *without*…
Posted by Gsunde Orangen on Apr 08
Thanks, Matthew, for having spotted this.
As only current versions of Appweb (4 & 5) have been addressed so far,
but legacy versions (see http://embedthis.com/appweb/download.html) were
not mentioned yet in https://github.com/embedthis/appweb/issues/413 :
– Appweb V3: vulnerable, too
— Source code audit on Appweb 3.4.2:
The vulnerable code is not in the parseRange() function in
paks/http/httpLib.c, but similarly in http/request.c
–…
Posted by Bhadresh Patel on Apr 08
Title:
====
HotExBilling Manager – Cross-site scripting (XSS) vulnerability
Credit:
======
Name: Bhadresh Patel
Company/affiliation: HelpAG
Website: www.helpag.com
CVE:
=====
CVE-2015-2781
Date:
====
12-03-2015 (dd/mm/yyyy)
Vendor:
======
Hotspot Express has been in the billing solution business since 1997 in its earlier name EasyBrowsing. Initially, it
designed billing solution to address Internet Café. Till today we have more 10000…
Posted by Securify B.V. on Apr 07
————————————————————————
Reflected Cross-Site Scripting vulnerability in asdoc generated
documentation
————————————————————————
Radjnies Bhansingh, March 2014
————————————————————————
Abstract
————————————————————————
A reflected Cross-Site scripting…
Posted by Pichaya Morimoto on Apr 05
######################################################################
# _ ___ _ _ ____ ____ _ _____
# | | / _ | | |/ ___|/ ___| / |_ _|
# | | | | | | | | | _| | / _ | |
# | |__| |_| | | | |_| | |___ / ___ | |
# |________/|_| _|____|____/_/ __|
#
# phpSFP – Schedule Facebook Posts 1.5.6 Pre-auth SQL Injection (0-day)
# Website :
http://codecanyon.net/item/phpsfp-schedule-facebook-posts/5177393
#…
Posted by Larry W. Cashdollar on Apr 05
Hello Folks,
You can get php execution by using the file extension .phtml for both of these advisories. I’m currently updating the
advisories and the vendor.
Try using an uncommon extension not defined in /etc/mime.types.
$ grep “#app” /etc/mime.types
#application/vnd.ms-pki.stl stl
#application/x-httpd-eruby rhtml
#application/x-httpd-php…
Posted by Jing Wang on Apr 05
*Proverbs Web Calendar 2.1.2 XSS (Cross-site Scripting) Security
Vulnerabilities*
Exploit Title: Proverbs Web Calendar /calendar.php Multiple Parameters XSS
(Cross-site Scripting) Security Vulnerabilities
Vendor: Proverbs
Product: Proverbs Web Calendar
Vulnerable Versions: 1.0.0 1.1 1.2.2 2.1 2.1.2
Tested Version: 1.2.2 2.1
Advisory Publication: April 03, 2015
Latest Update: April 03, 2015
Vulnerability Type: Cross-Site Scripting…
Posted by Jing Wang on Apr 05
*6kbbs v8.0 XSS (Cross-site Scripting) Security Vulnerabilities*
Exploit Title: 6kbbs XSS (Cross-site Scripting) Security Vulnerabilities
Vendor: 6kbbs
Product: 6kbbs
Vulnerable Versions: v7.1 v8.0
Tested Version: v7.1 v8.0
Advisory Publication: April 02, 2015
Latest Update: April 02, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: *
Impact CVSS Severity (version 2.0):
CVSS v2 Base Score: 4.3 (MEDIUM)…