Critical Start security expert Russell Sanford discovered and reported two critical zero-day vulnerabilities in the
Sophos Web Appliance in December of 2016. The vulnerabilities, documented under CVE-2016-9553, allow the remote
compromise of the appliance’s underlying Linux subsystem. The vulnerabilities have now been patched in the January
2017 4.3.1 release of the appliance line.
Here is a summary of the two vulnerabilities documented…
Affected Products
Tested with
OPSI Server 4.0.7.26
OPSI ClientAgent 4.0.7.10-1
(older releases have not been tested)
According to the vendor, all server instances that use a python-opsi version lower
than 4.0.7.28-4 are affected.
We’ve released the new BlackArch Linux ISOs along with many
improvements. They include more than 1620 tools now. The armv6h,
armv7h and aarch64 repositories are filled with about 1550 tools.
A short ChangeLog of the Live-ISOs:
– add 20 new tools
– update blackarch installer to 0.3.2 (bugfixes)
– fix shadow permissions (thx to ldionmarcil)
– fix f*cking ruby tools (wpscan, metasploit, etc.)
– include linux kernel…
Privilege Escalation in VirtualBox (CVE-2017-3316)
=== [ Overview ] ===
System affected: VirtualBox
Software-Version: prior to 5.0.32, prior to 5.1.14
User-Interaction: Required
Impact: A Man-In-The-Middle could infiltrate an
Extension-Pack-Update to gain a root-shell
=== [ Detailed description ] ===
In my research about the update mechanism of open-source software I found
vulnerabilities in Oracle’s VirtualBox. It’s…
PasswordAuthentication is reset to yes in /etc/ssh/sshd_config when using ssh key authentication given the following
scenario:
When creating a new droplet from a snapshot where ssh key authentication “PasswordAuthentication” in
/etc/ssh/sshd_config was previously set to no, “PasswordAuthentication” is reset to yes.
I am not sure how common this scenario is but for me I often…
——————————————
CALL FOR PAPERS DigitalSec2017 – Malaysia
——————————————
You are invited to participate in The Fourth International Conference on
Digital Security and Forensics (DigitalSec2017) that will be held in Kuala
Lumpur, Malaysia, on July 11-13, 2017. The event will be held over three
days, with presentations delivered by researchers from the international
community, including…