JVN#11424086: Password Vault Web Access vulnerable to cross-site scripting
Password Vault Web Access (PVWA) is a module in the Privileged Identity Management Suite that allows access via a web portal. PVWA contains a cross-site scripting vulnerability. Impact An arbitrary script may be executed on the web browser of a user who is logged on. Solution Apply a patch Apply t...
Making An Application Security Program Succeed
After winning the attention, and hopefully the backing of executives, as we covered in The Challenge of Starting an Application Security Program, it becomes much more straightforward to win the funding needed for the right tools, services, and training needed for secure application development. N...
GNOME 3.0 Released, Available for Download!
GNOME 3.0 is a major milestone in the history of the GNOME Project. The release introduces an exciting new desktop which has been designed for today's users and which is suited to a range of modern computing devices. GNOME's developer technologies hav...
SMF 2.0 RC5 Shell Upload
Title : SMF 2.0 RC5 Remote Shell Upload Exploit Author : KedAns-Dz E-mail : [email protected] Home : HMD/AM 30008/04300 - Algeria -00213555248701 Twitter page : twitter.com/kedans platform : php Impact : Remote Shell Upload Tested on : Windows XP sp3 FR » In The name of Allah Go0Gle D0rk : "Power...
Zero-day Flash vulnerability fixed in Chrome, still unpatched elsewhere
Google, proving the efficacy of Chrome's built-in Flash Player and its early, insider access to Adobe's developer builds, has fixed the zero-day vulnerability that emerged last week. The hole will be plugged on other platforms and browsers by a new version of Flash 10.1 and 10.2 that should've be...
Tumblr security flaw: server IPs, API keys, passwords, etc. were leaked!
Update: Tumblr security flaw, clarification by Tumblr official staff! There is a possible security issue with Tumblr. Basically a lot of confidential information, including server IPs, API keys, passwords, etc. was leaked. Here is some of the information that was disclosed:...
W-Agora 4.2.1 Cross Site Scripting / Local File Inclusion
Hello list! I want to warn you about Cross-Site Scripting, Local File Inclusion and Brute Force vulnerabilities in W-Agora. SecurityVulns ID: 11499. ------------------------- Affected products: ------------------------- Vulnerable are W-Agora 4.2.1 and previous versions. ---------- Details:...
Yahoo India R&D to Host 'HACK U' for IIT Kharagpur Students!
Yahoo! India R&D will be hosting 'HACK U', the University Hack Day event, for IIT Kharagpur students on campus between 17 and 20 March. Close to 250 students are expected to participate in this four-day event of learning, hacking and fun, which is part of Yahoo!'s ongoing commitment to nurture...
Game Maker: 40 Percent of iTunes App Purchases Are Fraud
A Hong Kong-based developer of games for mobile devices says that its online, multiplayer games are being besieged by users making fraudulent purchases from compromised iTunes accounts and says that iPhone maker Apple has turned a deaf ear to its efforts to cut off the bogus activity. In an e-mail...
SAP Management Console List Logfiles
This module simply attempts to output a list of available logfiles and developer tracefiles through the SAP Management Console SOAP Interface. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'SA...
Motorola Xoom Gets Hacked In Under An Hour After Release!
Despite just being released on February 24th, the Motorola Xoom has become the newest victim of developer rooting, and it took less than two hours to do it. Xeriouxly. The best part? The Clockwork Recovery running on it means that other developers can now create their own custom ROMs to hack...
HTC HD Mini Gets Hacked, Now Runs Android!
The HTC HD Mini, also previously known as Photon, is pretty old as far as smartphones go: the Windows Mobile 6.5 phone was first released back in February 2010. So an XDA Developers member has given the phone a new lease of life by bringing Android and Linux to it. Forum member "Cotulla"...
It's Time to Move Away From the Build or Break Mentality
SAN FRANCISCO–The vulnerability disclosure and patching arms race that has developed in the last decade or so in the security industry has made life extremely difficult not just for the developers writing code, but also for the folks who are interested in helping to fix broken applications. A new...
Yahoo! Announces Hack U™ Spring 2011 Series!
Yahoo! is proud to announce the Hack U™ Spring 2011 calendar of events. Join Yahoo! web experts for a week of learning, hacking and fun! You'll hear interesting tech talks, hacking tips and lessons, and get hands-on coding workshops where you'll work with cutting-edge technology. The week's event...
JVN#84393059: EC-CUBE vulnerable to cross-site scripting
EC-CUBE from LOCKON CO.,LTD. is an open source system for creating shopping websites. EC-CUBE contains a cross-site scripting vulnerability. This vulnerability is different from the vulnerabilities previously disclosed on JVN. Impact An arbitrary script may be executed on the user's web browser...
maradns -- denial of service when resolving a long DNS hostname
MaraDNS developer Sam Trenholme reports: "... a mistake in allocating an array of integers, allocating it in bytes instead of sizeof(int) units. This resulted in a buffer being too small, allowing it to be overwritten. The impact of this programming error is that MaraDNS can be crashed by sending...
CVE-2011-0506
Directory traversal vulnerability in modules/profile/user.php in Ax Developer CMS (AxDCMS) 0.1.1 allows remote attackers to execute arbitrary code via a .. (dot dot) in the aXconfdefaultlanguage parameter...
JVN#30414126: Ruby Version Manager escape sequence injection vulnerability
Ruby Version Manager is a command line tool for managing multiple ruby environments. Ruby Version Manager contains an escape sequence injection vulnerability. Impact A user may unknowingly open a malicious file. As a result, the string that is output on the terminal may contain an arbitrary escap...