Lucene search

7377 matches found

Cvelist
added 2014/01/15 12:30 a.m., 20 views

CVE-2013-5785

Unspecified vulnerability in the Oracle Reports Developer component in Oracle Fusion Middleware 11.1.1.6, 11.1.1.7, and 11.1.2.1 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Security and Authentication...

5.8 AI score, 0.01523 EPSS
Exploits 0, References 6

securityvulns
added 2014/01/08 12:0 a.m., 59 views

Command injection vulnerability in Ruby Gem sprout 0.7.246

Title: Command injection vulnerability in Ruby Gem sprout 0.7.246 Date: 11/14/2013 Download: http://rubygems.org/gems/sprout, http://projectsprouts.org/ Vulnerability: The unpackzip function contains the following code: sprout-0.7.246/lib/sprout/archiveunpacker.rb 60 zipdir =...

0.3 AI score
Exploits 0

Kitploit
added 2014/01/03 12:36 a.m., 19 views

[Sandcat Browser 4.4] The fastest web browser combined with the fastest scripting language packed with features for pen-testers

Sandcat Browser is the fastest web browser combined with the fastest scripting language packed with features for pen-testers. Sandcat Browser is a freeware portable pen-test oriented multi-tabbed web browser with extensions support developed by the Syhunt team. The Sandcat Browser is built on top...

7.2 AI score
Exploits 0

ThreatPost
added 2013/12/30 2:10 p.m., 16 views

Jacob Appelbaum 2013 30c3 keynote on NSA Surveillance

Cryptographer, developer and activist Jacob Appelbaum took to the pages of Germany’s Der Spiegel and the keynote dais of the 30th Chaos Communication Congress this weekend to deliver a damning expose of the catalog of backdoors, monitoring programs and products that potentially have and could be...

0.5 AI score
Exploits 0, References 3

Japan Vulnerability Notes
added 2013/12/26 12:0 a.m., 26 views

JVN#69700259: HP Autonomy Ultraseek vulnerable to cross-site scripting

HP Autonomy Ultraseek provided by Hewlett-Packard Development Company, L.P. contains an issue in handling specific character encoding, which may result in cross-site scripting. Impact An arbitrary script may be executed on the user's Internet Explorer. Solution Update the Software Update the...

3.5 CVSS, 6.1 AI score, 0.0033 EPSS
Exploits 0

ThreatPost
added 2013/12/17 3:49 p.m., 8 views

Santander BillPay Security Vulnerabilities Patched

Security weaknesses on the Santander Group BillPay website and mobile banking application have been addressed by the financial services organization’s developer Headland after they were exposed less than a week ago. U.K. consultant Paul Moore of Cresona Corp., reported a number of serious...

0.3 AI score
Exploits 0, References 1

ThreatPost
added 2013/12/16 4:10 p.m., 15 views

Debian Announces End of Security Support for IceApe

Developers at Debian today informed users still clinging to Iceape – an Internet suite modeled on old Mozilla code – that they are cutting the cord and will stop supplying the software with security updates. Iceape is more or less a Debian-branded hybrid of several community-driven entities,...

1.8 AI score
Exploits 0, References 4

MSRC
added 2013/12/11 8:0 a.m., 9 views

Software defense: mitigating common exploitation techniques

In our previous posts in this series, we described various mitigation improvements that attempt to prevent the exploitation of specific classes of memory safety vulnerabilities such as those that involve stack corruption, heap corruption, and unsafe list management and reference count...

7.3 AI score
Exploits 0

CISA
added 2013/12/10 12:0 a.m., 7 views

Microsoft Releases December 2013 Security Bulletin

Microsoft has released updates to address vulnerabilities in Microsoft Windows, Microsoft Office, Microsoft Lync, Internet Explorer, Microsoft Exchange, Microsoft SharePoint, and Microsoft Developer Tools as part of the Microsoft Security Bulletin Summary for December 2013. These vulnerabilities...

7.2 AI score
Exploits 0, References 2

Mozilla
added 2013/12/10 12:0 a.m., 50 views

Sandbox restrictions not applied to nested object elements — Mozilla

Mozilla security developer Daniel Veditz discovered that restrictions are not applied to an object element contained within a sandboxed iframe. This could allow content hosted within a sandboxed iframe to use an object element to bypass the sandbox restrictions that should be applied...

4.3 CVSS, 7.8 AI score, 0.00279 EPSS
Exploits 0, References 2, Affected Software 2

CISA
added 2013/12/05 12:0 a.m., 14 views

Microsoft Releases Advance Notification for December Security Bulletin

Microsoft has issued a Security Bulletin Advance Notification indicating that its December 2013 release will contain 11 bulletins. These bulletins will have severity ratings of critical and important and will be for Microsoft Windows, Microsoft Office, Microsoft Lync, Internet Explorer, Microsoft...

6.7 AI score
Exploits 0, References 1

Japan Vulnerability Notes
added 2013/11/29 12:0 a.m., 32 views

JVN#41703192: TOWN (modified version) vulnerable to directory traversal

TOWN modified version provided by Tattyan's HP contains a directory traversal vulnerability. Impact A remote attacker may obtain arbitrary files on the server. Solution Apply an update Update to the latest version according to the information provided by the developer. Products Affected TOWN...

5 CVSS, 6.6 AI score, 0.00125 EPSS
Exploits 0

Packet Storm
added 2013/11/23 12:0 a.m., 29 views

WordPress Blogggie Shell Upload

Exploit Title : Wordpress Themes Bloggie Arbitrary File Upload Vulnerability Author : ReC0ded Vendor : http://themify.me/ Download : http://themify.me/themes/Bloggie Date : 22, November 2013. Type : php, html, htm, asp, etc. Category : Web Applications Vulnerability : File Upload Tested On :...

0.6 AI score
Exploits 0

Japan Vulnerability Notes
added 2013/11/22 12:0 a.m., 26 views

JVN#97810280: KDrive Personal for Windows contains an issue where it fails to verify SSL server certificates

KDrive Personal for Windows contains an issue where it fails to verify SSL server certificates. Impact A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication. Solution Update the Software Update to the latest version according to the information provided by th...

5.8 CVSS, 6.3 AI score, 0.00209 EPSS
Exploits 0

exploitpack
added 2013/11/22 12:0 a.m., 9 views

Light Alloy 4.7.3 - .m3u Local Buffer Overflow (SEH Unicode)

Light Alloy 4.7.3 - .m3u Local Buffer Overflow SEH Unicode !/usr/bin/perl Exploit Title: Light Alloy 4.7.3 .m3u - SEH Buffer Overflow Unicode Date: 11-18-2013 Exploit Author: Mike Czumak Tv3rn1x -- @SecuritySift Vulnerable Software: Light Alloy v4.7.3 Vendor Site: http://www.light-alloy.ru/...

7.4 AI score
Exploits 0

Packet Storm
added 2013/11/03 12:0 a.m., 41 views

ImpressPages CMS 3.6 Remote Code Execution

!/usr/bin/python ImpressPages CMS v3.6 manage Function Remote Code Execution Exploit Vendor: ImpressPages UAB Product web page: http://www.impresspages.org Affected version: 3.6, 3.5 and 3.1 Summary: ImpressPages CMS is an open source web content management system with revolutionary drag & drop...

0.2 AI score
Exploits 0

Exploit DB
added 2013/10/29 12:0 a.m., 38 views

Horde Groupware Web Mail Edition 5.1.2 - Cross-Site Request Forgery (1)

Exploit Title : Multiple CSRF Horde Groupware Web mail Edition Author:Marcela Benetrix Date: 10/25/13 version: 5.1.2 software link:http://www.horde.org/apps/webmail GroupWare Web mail Edition Horde Groupware Webmail Edition is a free, enterprise ready, browser based communication suite. Users can...

6.5 CVSS, 6.5 AI score, 0.01656 EPSS
Exploits 6

ThreatPost
added 2013/10/10 8:25 a.m., 9 views

Google to Pay Rewards For Patches to Open Source Projects

Google, one of the first companies to offer a significant bug bounty program, is extending its rewards to researchers and developers who contribute patches to a variety of open source projects and have an effect on the security of the project. The new rewards will range from $500 to $3,133.70, an...

0.2 AI score
Exploits 0, References 3

Kitploit
added 2013/09/20 11:30 p.m., 12 views

[OWASP Zed Attack Proxy 2.2.1] Tool for finding vulnerabilities in web applications (Now supports CWE)

OWASP Zed Attack Proxy ZAP An easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing...

7.5 AI score
Exploits 0

The Hacker News
added 2013/09/19 12:12 p.m., 11 views

U.S. Government asked Linus Torvalds to insert Backdoor Into Linux

At the Linuxcon conference in New Orleans today, Linus Torvalds and the other top Linux developers talked to the Linux faithful about Linux, Microsoft, and other issues. During a question-and-answer session at the LinuxCon, Linus Torvalds admitted to questions from the audience that the U.S...

6.8 AI score
Exploits 0