UBUNTU-CVE-2017-3167

In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, use of the apgetbasicauthpw by third-party modules outside of the authentication phase may lead to authentication requirements being bypassed...

Stellar.org: HTTP - Basic Authentication on https://www.stellar.org/wp-login.php

Greetings, noticed https://www.stellar.org/wp-login.php using basic authentication. PoC: YWRtaW46YWRtaW4= is base64 encode of admin:admin Impact: Vulnerable to client side attacks. Vulnerable to MITM attack. Vulenrable to Eavesdropping attack. Vulnerable to Brute force attacks. Fix: HTTP-Basic...

VICIdial user_authorization Unauthenticated Command Execution

This module exploits a vulnerability in VICIdial versions 2.9 RC 1 to 2.13 RC1 which allows unauthenticated users to execute arbitrary operating system commands as the web server user if password encryption is enabled disabled by default. When password encryption is enabled the user's password...

Anybus Modbus Gateway - Authenticated Directory Traversal Vulnerability

The cgi-bin/read.cgi CGI script in the cgi-bin folder on the devices webserver is vulnerable to directly traversal by directly including any file. It typically includes files from the /home/httpd/jjs directoy but you can access files outside of the main webserver directory. There's 67 of these...

CVE-2017-4970: Static file buildpack ignores basic authentication when misconfigured | Cloud Foundry

Severity High Vendor Cloud Foundry Foundation Versions Affected cf-release v255 Staticfile buildpack versions v1.4.0 – v1.4.3 Description A regression introduced in the Staticfile buildpack causes the Staticfile.auth configuration to be ignored when the Staticfile file is not present in the...

Schneider Electric Modicon M340 Devices Buffer Overflow Vulnerability (SEVD-2015-344-01)

Schneider Electric Modicon M340 devices are prone to a buffer overflow vulnerability. SPDX-FileCopyrightText: 2017 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only if...

Nextcloud: HTTP-Basic Authentication on logs.nextcloud.com

Greetings, While visiting https://logs.nextcloud.com/ , I noticed that this server use HTTP-Basic Authentication. F152730 POC : ------ GET https://logs.nextcloud.com/ HTTP/1.1 User-Agent: Mozilla/5.0 Macintosh; Intel Mac OS X 10.11; rv:50.0 Gecko/20100101 Firefox/50.0 Accept:...

SSL Enabled Basic Auth Credential Harvester: phishery

An SSL Enabled Basic Auth Credential Harvester with a Word Document Template URL Injector Phishery is a Simple SSL Enabled HTTP server with the primary purpose of phishing credentials via Basic Authentication. Phishery also provides the ability easily to inject the URL into a .docx Word document...

SUSE-SU-2016:2358-1 Security update for wget

This update for wget fixes the following issues: - CVE-2016-4971: A HTTP to FTP redirection file name confusion vulnerability was fixed. bsc984060. - CVE-2016-7098: A potential race condition was fixed by creating files with .tmp ext and making them accessible to the current user only. bsc995964...

Debian DLA-604-1 : ruby-actionpack-3.2 security update

Multiple vulnerabilities have been discovered in ruby-actionpack-3.2, a web-flow and rendering framework and part of Rails : CVE-2015-7576 A flaw was found in the way the Action Controller component compared user names and passwords when performing HTTP basic authentication. Time taken to compare...

Nextcloud: The application uses basic authentication.

Basic authentication is enabled on file access requests ==================== Description --------------------- Basic authentication is enabled on the server if we request for the direct URL of a file. The issues of using Basic Authentication can be read here - OWASP: Basic Authentication. Though...

Nextcloud: Bruteforce attack is possible on newsletter.nextcloud.com

Since HTTP Basic authentication is used on https://newsletter.nextcloud.com, This type of authentication is vulnerable to Bruteforce attack. refer the attachment below F100241 refer the attachment below F100240 Attacking via metasploit auxilary scanner httplogin: refer the attachment below F10023...

Brickcom Corporation Network Cameras - Multiple Vulnerabilities

| | | | | | | | | | | | / | '\ \ /\ / / \ | | |/ | ' / | | | | \ V V / / | | | | | | \ \ /|| // ||||,|./|/ Security Adivisory 2016-04-12 www.orwelllabs.com twt:@orwelllabs sm1thw@0rw3lll4bs:/bb ./Bruce.S + surveillance is the business model of the internet - OK! sm1thw@0rw3lll4bs:/bb echo $?...

Brickcom Network Cameras XSS / CSRF / Insecure Direct Object Reference

| | | | | | | | | | | | / | '\ \ /\ / / \ | | |/ | ' / | | | | \ V V / / | | | | | | \ \ /|| // ||||,|./|/ Security Adivisory 2016-04-12 www.orwelllabs.com twt:@orwelllabs sm1thw@0rw3lll4bs:/bb ./Bruce.S + surveillance is the business model of the internet - OK! sm1thw@0rw3lll4bs:/bb echo $?...

CVE-2016-2512

The utils.http.issafeurl function in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or possibly conduct cross-site scripting XSS attacks via a URL containing basic authentication, as demonstrated by...

DEBIAN-CVE-2016-2512

The utils.http.issafeurl function in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or possibly conduct cross-site scripting XSS attacks via a URL containing basic authentication, as demonstrated by...

PYSEC-2016-15

The utils.http.issafeurl function in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or possibly conduct cross-site scripting XSS attacks via a URL containing basic authentication, as demonstrated by...

Cross site scripting

The utils.http.issafeurl function in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or possibly conduct cross-site scripting XSS attacks via a URL containing basic authentication, as demonstrated by...

PYSEC-2016-15

The utils.http.issafeurl function in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or possibly conduct cross-site scripting XSS attacks via a URL containing basic authentication, as demonstrated by...

CVE-2016-2512

The utils.http.issafeurl function in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or possibly conduct cross-site scripting XSS attacks via a URL containing basic authentication, as demonstrated by...