Category Archives: Security


OpenSSL Patches Four Vulnerabilities

Original release date: October 16, 2014

OpenSSL has released updates patching four vulnerabilities, some of which may allow an attacker to cause a Denial of Service (DoS) condition or execute man-in-the-middle attacks. The following updates are available:

  • OpenSSL 1.0.1 users should upgrade to 1.0.1j
  • OpenSSL 1.0.0 users should upgrade to 1.0.0o
  • OpenSSL 0.9.8 users should upgrade to 0.9.8zc

US-CERT recommends users and administrators review the OpenSSL Security Advisory for additional information and apply the necessary updates.


Advisory 01/2014: Drupal7 – pre Auth SQL Injection Vulnerability

Posted by Stefan Horst on Oct 16

SektionEins GmbH
www.sektioneins.de

-= Security Advisory =-

Advisory: Drupal – pre-auth SQL Injection Vulnerability
Release Date: 2014/10/15
Last Modified: 2014/10/15
Author: Stefan Horst [stefan.horst[at]sektioneins.de]
Application: Drupal >= 7.0 <= 7.31
Severity: Full SQL injection, which results in total control of, and code execution on, the website.
Risk: Highly Critical…

Bypassing blacklists based on IPy

Posted by Nicolas Grégoire on Oct 16

IPy is a Python “class and tools for handling of IPv4 and IPv6 addresses
and networks” (https://github.com/haypo/python-ipy). This library is
sometimes used to implement blacklists forbidding internal, private or
loopback addresses.

Using octal encoding (supported by urllib2), it is possible to bypass
checks based on the result of the iptype() function. For example, IP
address ‘0177.0000.0000.0001’ is considered as…

New York Times nytimes.com Page Design XSS Vulnerability (Almost all Article Pages Before 2013 are Affected)

Posted by Jing Wang on Oct 16

Domain:
http://www.nytimes.com/

Vulnerability Description:
The vulnerability occurs in New York Times's URLs. Nytimes (short for New
York Times) uses part of the URLs to construct its pages. However, it seems
that Nytimes did not filter the content used for the construction at all
before 2013.

Based on Nytimes's design, almost all…