307 matches found

Source: Hacker One
Added: 2016/11/27 4:22 p.m. · 28 views

Gratipay: Incomplete or No Cache-control and Pragma HTTP Header Set

Hello, The Cache-Control and Pragma HTTP headers have not been set properly or are missing, allowing the browser and proxies to cache content. HTTP/1.1 200 OK Connection: keep-alive Server: gunicorn Date: Sun, 27 Nov 2016 16:18:06 GMT Content-Type: text/html; charset=UTF-8 X-Gratipay-Version: 2014...

AI score: 0.5
Exploits: 0
Source: Hacker One
Added: 2016/08/24 5:52 p.m. · 48 views

HackerOne: Users contents on AWS is cacheable

Hi, Background ============================= As far as I know you are using AWS S3 for saving and serving files. The AWS S3 bucket at https://hackerone-attachments.s3.amazonaws.com is called every time images are shown on hackerone.com. For example view this report 145392 You will see a request for Fran...

AI score: 6.5
Exploits: 0
Source: Tenable Nessus
Added: 2016/07/29 12:00 a.m. · 17 views

Fedora 23 : drupal7-views (2016-ed5f606dde)

Fixes Views - Less Critical - Access Bypass - SA-CONTRIB-2016-036 Changes since 7.x-3.13 : - Adding field handlers for statistics fields - #2200309 by helmo: Changed invalid placeholder from 'handler' to 'extender'. - #2708535 by stefan.r: Allow users to sort on a specific language, showing it...

AI score: 5.5
Exploits: 0
References: 1
Source: Hacker One
Added: 2016/07/03 7:03 a.m. · 386 views

Radancy: Application error message

Attack details HTTP Header input X-Forwarded-For was set to 12345'"'";|%00%0d%0a%bf%27'??? Error message found: Warning: inetpton function.inet-pton: Unrecognized address 12345'"\'\";|%00%0d%0a%00%bf%27' in...

AI score: 0.3
Exploits: 0
Source: Hacker One
Added: 2016/04/20 9:16 a.m. · 19 views

New Relic: Cache-Control Misconfiguration Leads to Sensitive Information Leakage

Hi, This is an issue related to cache and information disclosure. Generally when a user is logged out, the session gets terminated and no data of the previous session is accessible. But when cache control is not configured correctly, sensitive data leaks via the browser even after the user has logge...

AI score: 5.9
Exploits: 0
Source: Atlassian
Added: 2016/03/02 3:36 p.m. · 54 views

Responses with Set-Cookie header cached

h3. Context We have Jira running with SSO from Crowd. Jira is behind a corporate reverse proxy from BlueCoat which has caching enabled but respects the Cache-Control, Expires and Pragma HTTP headers. h3. Problem We have discovered the following cases of session mix-up where a user \1 gets the Crowd...

AI score: 0.3
Exploits: 0
Affected Software: 1
Source: NVD
Added: 2015/10/14 7:59 p.m. · 13 views

CVE-2015-7368

Revive Adserver before 3.2.2 does not send the appropriate Cache-Control HTTP headers in responses for admin UI pages, which allows local users to obtain sensitive information via the web browser cache...

CVSS: 2.1
AI score: 5.7
EPSS: 0.00062
Exploits: 1
References: 5
Source: Prion
Added: 2015/10/14 7:59 p.m. · 13 views

Design/Logic Flaw

Revive Adserver before 3.2.2 does not send the appropriate Cache-Control HTTP headers in responses for admin UI pages, which allows local users to obtain sensitive information via the web browser cache...

CVSS: 2.1
AI score: 6.2
EPSS: 0.00062
Exploits: 1
References: 5
Affected Software: 1
Source: Cvelist
Added: 2015/10/14 7:00 p.m. · 19 views

CVE-2015-7368

Revive Adserver before 3.2.2 does not send the appropriate Cache-Control HTTP headers in responses for admin UI pages, which allows local users to obtain sensitive information via the web browser cache...

AI score: 5.7
EPSS: 0.00062
Exploits: 1
References: 5
Source: seebug.org
Added: 2015/09/15 12:00 a.m. · 16 views

Microsoft IE11 MSHTML.dll Remote Denial of Service Vulnerability

A bug was found in IE11: the handling of certain elements of the HTML protocol is missing code integrity checks, causing the browser to crash. function boom() { var divA = document.createElement("div"); document.body.appendChild(divA); try { //divA.contentEditable = "true"; divA.outerHTML = "AAAA"; var context = divA['msGetInputContext']; } catch (exception)...

AI score: 7.1
Exploits: 0
Source: Hacker One
Added: 2014/11/14 11:56 p.m. · 13 views

X (Formerly Twitter): Headers Missing

Hello Twitter, I found that some of the headers are missing on the domain ads.twitter.com! Name Actual Value My Recommendation strict-transport-security max-age=631138519 Use 'max-age=31536000; includeSubDomains' set-cookie guestid=v1%3A141600...ov-2016 23:50:40 UTC Add 'secure; httponly;'...

AI score: 6.9
Exploits: 0
Source: seebug.org
Added: 2014/07/01 12:00 a.m. · 11 views

Neon WebDAV Client Library 0.2x Format String Vulnerabilities

No description provided by source. source: http://www.securityfocus.com/bid/10136/info It has been reported that the Neon client library is prone to multiple remote format string vulnerabilities. This issue is due to a failure of the application to properly implement format string functions...

AI score: 7.1
Exploits: 0
Source: seebug.org
Added: 2014/07/01 12:00 a.m. · 9 views

openSite 0.2.2 beta - Local File Inclusion Vulnerability

No description provided by source. opensite-v0.2.2-beta === Local File Include vuln By n0n0x Homepage: http://priasantai.uni.cc/ Download script: http://sourceforge.net/projects/contentone/files/openSite/opensite-v0.2.2-beta/opensite-v0.2.2-beta.zip/download...

AI score: 7.1
Exploits: 0
Source: OSV
Added: 2014/05/19 6:53 p.m. · 7 views

MGASA-2014-0231 Updated python-django package fix two vulnerabilities

Updated python-django and python-django14 packages fix security vulnerabilities: Stephen Stewart, Michael Nelson, Natalia Bidart and James Westby discovered that Django improperly removed Vary and Cache-Control headers from HTTP responses when replying to a request from an Internet Explorer or...

CVSS: 6.4
AI score: 6.2
EPSS: 0.00988
Exploits: 0
References: 4
Source: OSV
Added: 2014/05/16 3:55 p.m. · 9 views

CVE-2014-1418

Django 1.4 before 1.4.13, 1.5 before 1.5.8, 1.6 before 1.6.5, and 1.7 before 1.7b4 does not properly include the (1) Vary: Cookie or (2) Cache-Control header in responses, which allows remote attackers to obtain sensitive information or poison the cache via a request from certain browsers...

AI score: 5.9
Exploits: 0
References: 8
Source: OSV
Added: 2014/05/16 3:55 p.m. · 1 view

DEBIAN-CVE-2014-1418

Django 1.4 before 1.4.13, 1.5 before 1.5.8, 1.6 before 1.6.5, and 1.7 before 1.7b4 does not properly include the (1) Vary: Cookie or (2) Cache-Control header in responses, which allows remote attackers to obtain sensitive information or poison the cache via a request from certain browsers...

CVSS: 6.4
AI score: 6.3
EPSS: 0.00512
Exploits: 0
References: 1
Source: PyPA
Added: 2014/05/16 3:55 p.m. · 3 views

PYSEC-2014-19

Django 1.4 before 1.4.13, 1.5 before 1.5.8, 1.6 before 1.6.5, and 1.7 before 1.7b4 does not properly include the (1) Vary: Cookie or (2) Cache-Control header in responses, which allows remote attackers to obtain sensitive information or poison the cache via a request from certain browsers...

CVSS: 6.4
AI score: 6.7
EPSS: 0.00512
Exploits: 0
References: 7
Affected Software: 1
Source: Debian CVE
Added: 2014/05/16 3:00 p.m. · 26 views

CVE-2014-1418

Django 1.4 before 1.4.13, 1.5 before 1.5.8, 1.6 before 1.6.5, and 1.7 before 1.7b4 does not properly include the (1) Vary: Cookie or (2) Cache-Control header in responses, which allows remote attackers to obtain sensitive information or poison the cache via a request from certain browsers...

CVSS: 6.4
AI score: 5.9
EPSS: 0.00512
Exploits: 0
Source: OSV
Added: 2014/05/14 12:00 a.m. · 0 views

UBUNTU-CVE-2014-1418

Django 1.4 before 1.4.13, 1.5 before 1.5.8, 1.6 before 1.6.5, and 1.7 before 1.7b4 does not properly include the (1) Vary: Cookie or (2) Cache-Control header in responses, which allows remote attackers to obtain sensitive information or poison the cache via a request from certain browsers...

CVSS: 6.4
AI score: 5.8
EPSS: 0.00512
Exploits: 0
References: 5
Source: Prion
Added: 2014/05/09 10:50 a.m. · 6 views

Design/Logic Flaw

The RES Console in Rule Execution Server in IBM Operational Decision Manager 7.5 before FP3 IF37, 8.0 before MP1 FP2, and 8.5 before MP1 IF26 does not send appropriate Cache-Control HTTP headers, which allows remote attackers to obtain sensitive information by leveraging an unattended workstation...

CVSS: 4.3
AI score: 6.6
EPSS: 0.00751
Exploits: 0
References: 2
Affected Software: 1