Holiday Scams and Malware Campaigns
US-CERT reminds users to remain vigilant when browsing or shopping online this holiday season. Emails and ecards from unknown senders may contain malicious links. Fake advertisements or shipping notifications may deliver attachments infected with malware. Spoofed email messages and phony posts on...
IBM Spectrum Protect Information Disclosure Vulnerability
IBM Spectrum Protect, formerly known as Tivoli Storage Manager, is a suite of data protection platforms from U.S.-based IBM that provides organizations with a single point of control and management, and support for backup and recovery of virtual, physical and cloud environments of all sizes. An...
The vulnerability of the software in Siemens SICAM PAS systems for telecontrol and telemanagement in the electric energy sector lies in the insufficient protection of passwords in the databases, which allows attackers to calculate the passwords.
The vulnerability of the software in Siemens SICAM PAS systems for telecontrol and telemanagement is related to insufficient protection of passwords in the databases. Exploiting this vulnerability allows a malicious actor, operating locally, to calculate the passwords using certain privileges...
The vulnerability of the software of Siemens SICAM PAS systems for power management and control involves insufficient protection of passwords in the databases, allowing attackers to calculate the passwords.
SUSE-SU-2017:2258-1 Security update for postgresql94
postgresql94 was updated to 9.4.13 to fix the following issues: CVE-2017-7547: Further restrict visibility of pg_user_mappings.umoptions, to protect passwords stored as user mapping options. bsc#1051685 CVE-2017-7546: Disallow empty passwords in all password-based authentication methods. bsc#1051684...
the Crypto Undertaker: Tomb
Tomb aims to be a free and open source system for easy encryption and backup of personal files, written in code that is easy to review and that links shared GNU/Linux components. At present, Tomb consists of a simple Zsh shell script using standard GNU filesystem tools and the cryptographic API of the...
JKS Private Key Cracker - Cracking passwords of private key entries in a JKS file
The Java Key Store JKS is the Java way of storing one or several cryptographic private and public keys for asymmetric cryptography in a file. While there are various key store formats, Java and Android still default to the JKS file format. JKS is one of the file formats for Java key stores, but J...
Yelp: Weak Password Policy
Summary: your website is allowing users to set their password to something simple; at this time, I can set my password to 123456. Determine the resistance of the application against brute force password guessing using available password dictionaries by evaluating the length, complexity, reuse and aging...
openSUSE Security Update : postgresql93 (openSUSE-2017-657)
This update for postgresql93 fixes the following issues: The PostgreSQL package was updated to 9.3.17, bringing various bug and security fixes. Security fixes: - CVE-2017-7486: Restrict visibility of pg_user_mappings.umoptions, to protect passwords stored as user mapping options. bsc#1037624 -...
Nextcloud: Session fixation in password protected public download.
Public downloads protected with a password are vulnerable to a session fixation attack. This finding was discovered during a penetration test of Nextcloud version 10.0.2.7. 1. Pre-provision a victim with the attacker-controlled cookie values: Firefox cookie manager: www.clouddrive.example FALSE %2...
Nextcloud: Shared file link - password protection bypass under certain conditions
Summary: An unauthenticated remote attacker can bypass password protection on certain shared file types through the file sharing app's publicpreview.php function. Vulnerable URL: http://server/nextcloud/index.php/apps/files_sharing/ajax/publicpreview.php?x=width&y=height&t=share ID Description...
Design/Logic Flaw
An issue was discovered in certain Apple products. Pages before 6.1, Numbers before 4.1, and Keynote before 7.1 on macOS and Pages before 3.1, Numbers before 3.1, and Keynote before 3.1 on iOS are affected. The issue involves the "Export" component. It allows users to bypass iWork PDF password...
CVE-2017-2391
The CVE-2017-2391 issue affects Apple iWork exports (Pages, Numbers, Keynote) on macOS and iOS prior to the patched versions. Root cause: iWork exported PDFs used weak 40-bit RC4 encryption, enabling exposure of password-protected PDF contents. Affected versions include Pages 6.0/6.1, Numbers 4.0...
Hacking Printers Advisory 2
TL;DR: In the scope of academic research on printer security, various vulnerabilities in network printers and MFPs have been discovered. This is advisory 2 of 6 of the Hacking Printers series. Each advisory discusses multiple issues of the same category. This post is about accessing a printer's...
ownCloud: bug reporting template encourages users to paste config file with passwords
The dangerous bug reporting template: the GitHub bug reporting template for ownCloud's server and some apps contains this: "The content of config/config.php: If you have access to your command line run e.g.: sudo -u www-data php occ config:list system from within your...
Fedora 23 : php-pecl-zip (2016-0312cf1dcd)
Version 1.13.5 - Fixed bug #72660 (NULL pointer dereference in zend_virtual_cwd). (Laruence) - Fixed bug #68302 (impossible to compile php with zip support). (cmb) - Fixed bug #70752 (Depacking with wrong password leaves 0 length files). (cmb) Note that Tenable Network Security has extracted the precedin...
tinyshell - Python Client with PHP Shell
Python client with PHP shell; allows connecting and sending commands over the current protocol using POST and GET requests. Features: 1. connects with a direct session, with no need for a reverse connection. 2. supports password protection. 3. can be bound to any file with no damage. 4. using GET/POST reque...
CVE-2016-7442
The CVE-2016-7442 entry concerns Sophos UTM, specifically the Frontend component. Firmware 9.405-5 and earlier expose an information-disclosure vulnerability by allowing local administrators to read the password value from the proxy user settings in System Settings / Scan Settings / Anti Spam. Af...
Researchers Find 'Severe' Security Hole in iOS 10 Backup
UPDATE: A computer forensics firm says Apple weakened backup security protection with the Sept. 13 release of iOS 10, making it simple work for hackers to crack the password protection used for backups of iOS devices stored on Macs and PCs. Elcomsoft, which explained the security hole in a blog post...