Ruby Net::HTTPS library does not validate server certificate CN

The 1 Net::ftptls, 2 Net::telnets, 3 Net::imap, 4 Net::pop, and 5 Net::smtp libraries in Ruby 1.8.5 and 1.8.6 do not verify that the commonName CN field in a server certificate matches the domain name in a request sent over SSL, which makes it easier for remote attackers to intercept SSL...

[SECURITY] [DSA 1380-1] New elinks packages fix information disclosure

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ------------------------------------------------------------------------ Debian Security Advisory DSA 1380-1 [email protected] http://www.debian.org/security/ Steve Kemp October 2nd, 2007 http://www.debian.org/security/faq -...

elinks reveals POST data to HTTPS proxy

ELinks before 0.11.3, when sending a POST request for an https URL, appends the body and content headers of the POST request to the CONNECT request in cleartext, which allows remote attackers to sniff sensitive data that would have been protected by TLS. NOTE: this issue only occurs when a proxy ...

Moderate: Red Hat Security Advisory: elinks security update

An updated ELinks package that corrects a security vulnerability is now available for Red Hat Enterprise Linux 4 and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. ELinks is a text mode Web browser used from the command line that supports...

Moderate: elinks security update

0.9.2-3.3.5.2 - fix elinks-0.9.2-httpspostdata.patch 303881 0.9.2-3.3.5.1 - fix 297611 - CVE-2007-5034 elinks reveals POST data to HTTPS proxy 0.9.2-3.3 - fix 215731 - elinks smb protocol arbitrary file access...

Debian DSA-1380-1 : elinks - programming error

Kalle Olavi Niemitalo discovered that elinks, an advanced text-mode WWW browser, sent HTTP POST data in cleartext when using an HTTPS proxy server potentially allowing private information to be disclosed. %NASLMINLEVEL 70300 C Tenable Network Security, Inc. The descriptive text and package checks...

[SECURITY] [DSA 1380-1] New elinks packages fix information disclosure

------------------------------------------------------------------------ Debian Security Advisory DSA 1380-1 [email protected] http://www.debian.org/security/ Steve Kemp October 2nd, 2007 http://www.debian.org/security/faq -...

DSA-1380-1 elinks - information disclosure

Bulletin has no description...

CVE-2007-5162

The connect method in lib/net/http.rb in the 1 Net::HTTP and 2 Net::HTTPS libraries in Ruby 1.8.5 and 1.8.6 does not verify that the commonName CN field in a server certificate matches the domain name in an HTTPS request, which makes it easier for remote attackers to intercept SSL transmissions v...

CVE-2007-5162

The connect method in lib/net/http.rb in the 1 Net::HTTP and 2 Net::HTTPS libraries in Ruby 1.8.5 and 1.8.6 does not verify that the commonName CN field in a server certificate matches the domain name in an HTTPS request, which makes it easier for remote attackers to intercept SSL transmissions v...

Cross site request forgery (csrf)

The connect method in lib/net/http.rb in the 1 Net::HTTP and 2 Net::HTTPS libraries in Ruby 1.8.5 and 1.8.6 does not verify that the commonName CN field in a server certificate matches the domain name in an HTTPS request, which makes it easier for remote attackers to intercept SSL transmissions v...

JVN#79013771 Safari allows access from HTTP to HTTPS

Safari is a default web browser installed in Mac OS X and iPhone. Safari contains a vulnerability that allows a remote attacker to access web page contents protected by SSL/TLS from an HTTP page in the same domain. Impact A remote attacker could obtain or change the web page contents protected by...

Ruby Net::HTTPS library does not validate server certificate CN

iSEC Partners Security Advisory - 2007-006-RubySSL http://www.isecpartners.com -------------------------------------------- Ruby Net::HTTPS library does not validate server certificate CN Vendor: Ruby Vendor URL: http://www.ruby-lang.org Versions affected: 1.8.5, 1.8.6, Trunk Ruby Systems Affecte...

CVE-2007-5162

CVE-2007-5162 affects Ruby 1.8.5/1.8.6: Net::HTTP and Net::HTTPS do not verify the server certificate CN against the requested domain, enabling MITM or spoofed sites. The connected MiracleLinux advisory ( AXSA-2007-63:01 ) reiterates the flaw across multiple Net modules (including Net::HTTP/Net::...

[EXPL] Airsensor M520 HTTPD Preauth DoS and Buffer Overflow (Exploit)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com - - promotion The SecuriTeam alerts list - Free, Accurate, Independent. Get your security news from a reliable source...

Ruby Net::HTTPS library certificates validation cryptographic vulnerability

Certificate's CN field is not validated against DNS name, making it's possible to use valid certificate with wrong CN...

Web Server Transmits Cleartext Credentials

The remote web server contains several HTML form fields containing an input of type 'password' which transmit their information to a remote web server in cleartext. An attacker eavesdropping the traffic between web browser and server may obtain logins and passwords of valid users. C Tenable Netwo...

Code injection

Unspecified vulnerability in Safari in Apple iPhone 1.1.1, and Safari 3 before Beta Update 3.0.4 on Windows and Mac OS X 10.4 through 10.4.10, allows remote attackers to "alter or access" HTTPS content via an HTTP session with a crafted web page that causes Javascript to be applied to HTTPS pages...

CVE-2007-4671

Unspecified vulnerability in Safari in Apple iPhone 1.1.1, and Safari 3 before Beta Update 3.0.4 on Windows and Mac OS X 10.4 through 10.4.10, allows remote attackers to "alter or access" HTTPS content via an HTTP session with a crafted web page that causes Javascript to be applied to HTTPS pages...

CVE-2007-4671

Unspecified vulnerability in Safari in Apple iPhone 1.1.1, and Safari 3 before Beta Update 3.0.4 on Windows and Mac OS X 10.4 through 10.4.10, allows remote attackers to "alter or access" HTTPS content via an HTTP session with a crafted web page that causes Javascript to be applied to HTTPS pages...