PCI & SSL/Early TLS QIDs 38601, 42366
Two QIDs will be marked as PCI Fail on May 1, 2019, as required by the ASV Program Guide: QID 38601 “SSL/TLS Use of Weak RC4 Cipher” and QID 42366 “SSLv3.0/TLSv1.0 Protocol Weak CBC Mode Server Side Vulnerability BEAST”. The latest revision of the ASV Program Guide, ver. 3.1, has the following for the SSL/TLS component: “...
SQL Injection Vulnerability in MileagePlus PHP Blog System
MileagePHP Blog System is a blog system built on ThinkPHP. MileagePHP Blog System suffers from a SQL injection vulnerability that allows attackers to obtain sensitive database information...
Rails -- Action View vulnerabilities
Ruby on Rails blog: Rails 4.2.11.1, 5.0.7.2, 5.1.6.2, 5.2.2.1, and 6.0.0.beta3 have been released! These contain the following important security fixes. It is recommended that users upgrade as soon as possible: CVE-2019-5418 File Content Disclosure in Action View CVE-2019-5419 Denial of Service...
Videos and Links from the Public-Interest Technology Track at the RSA Conference
Yesterday at the RSA Conference, I gave a keynote talk about the role of public-interest technologists in cybersecurity. Video here. I also hosted a one-day mini-track on the topic. We had six panels, and they were all great. If you missed it live, we have videos: How Public Interest Technologist...
The Voice of Tech: Who We Are, What We Want to Say
Have you ever wondered what it might be like to see inside one of the biggest tech companies in the world? Well, we're starting a new series of blogs to give you the insight you've never had before. Akamai's innovations...
9 Questions for Facebook After Zuckerberg’s Privacy Manifesto
On Wednesday, Mark Zuckerberg laid out a vision for a very different Facebook—with a lot of unknowns about how to get there...
Letterlocking
Really good article on the now-lost art of letterlocking...
Google Reveals "BuggyCow," a Rare MacOS Zero-Day Vulnerability
Google's Project Zero researchers find a potentially powerful privilege escalation trick in how Macs manage memory...
OOP CMS BLOG 1.0 - Multiple Cross-Site Request Forgery
Exploit Title: OOP CMS BLOG 1.0 - Cross-Site Request Forgery Delete Admin Exploit Author: Mr Winst0n Author E-mail: [email protected] Discovery Date: March 1, 2019 Vendor Homepage: http://zsoft.com.bd/ Software Link: ...
OOP CMS BLOG 1.0 - Multiple SQL Injection
Exploit Title: OOP CMS BLOG 1.0 - SQL Injection Exploit Author: Mr Winst0n Author E-mail: [email protected] Discovery Date: March 1, 2019 Vendor Homepage: http://zsoft.com.bd/ Software Link: ...
OOP CMS BLOG 1.0 Cross Site Request Forgery / SQL Injection Vulnerabilities
Exploit for PHP platform in category web applications Exploit Title: OOP CMS BLOG 1.0 - SQL Injection Exploit Author: Mr Winst0n Author E-mail: [email protected] Vendor Homepage: http://zsoft.com.bd/ Software Link: ...
Data Leakage from Encrypted Databases
Matthew Green has a super-interesting blog post about information leakage from encrypted databases. It describes the recent work by Paul Grubbs, Marie-Sarah Lacharité, Brice Minaud, and Kenneth G. Paterson. Even the summary is too much to summarize, so read it...
The Russian Sleuth Who Outs Moscow's Elite Hackers and Assassins
Roman Dobrokhotov has been playing a dangerous game for a Russian reporter: identifying agents of the GRU military intelligence agency...
openSUSE Security Update : chromium (openSUSE-2019-205)
This update for Chromium to version 72.0.3626.96 fixes the following issues: Security issues fixed bsc1123641 and bsc1124936: - CVE-2019-5784: Inappropriate implementation in V8 - CVE-2019-5754: Inappropriate implementation in QUIC Networking. - CVE-2019-5782: Inappropriate implementation in V8...
Find a Place CMS Directory 1.5 - 'assets/external/data_2.php cate' SQL Injection
Exploit Title: Find a Place CMS Directory 1.5 - 'assets/external/data2.php cate' SQL Injection Google Dork: inurl:"assets/external/data.php" Date: 14 Feb 2019 Exploit Author: Deyaa Muhammad Author EMail: contact at deyaa.me Author Blog: http://deyaa.me Vendor Homepage: https://themerig.com/...
WordPress: Stored XSS in Post Preview as Contributor
Root cause: I noticed that get_the_content makes a preg_replace_callback after all other validation and sanitization has been performed. function get_the_content( $more_link_text = null, $strip_teaser = false ) { global $page, $more, $preview, $pages, $multipage; $post = get_post(); ... if ( $preview ) { // Preview...
Cataloging IoT Vulnerabilities
Recent articles about IoT vulnerabilities describe hacking of construction cranes, supermarket freezers, and electric scooters...
Zendesk: Leaked artifactory_key, artifactory_api_key, and gcloud refresh_token via GitHub.
It was reported to Zendesk that valid credentials to an instance of Artifactory and a gcloud project were unintentionally leaked via a public GitHub repository. We immediately rotated the credentials and investigated to ensure they were not utilized by any other party. We want to thank @rubyroobs...
CVE-2019-7587
Bo-blog Wind through 1.6.0-r allows SQL Injection via the admin.php/comments/batchdel/ comID parameter because this parameter is mishandled in the mode/admin.mode.php delBlockedBatch function...
SQL injection
Bo-blog Wind through 1.6.0-r allows SQL Injection via the admin.php/comments/batchdel/ comID parameter because this parameter is mishandled in the mode/admin.mode.php delBlockedBatch function...