Lucene search

7687 matches found

Cvelist
added 2017/01/31 7:0 p.m. | 24 views

CVE-2016-5117

OpenNTPD before 6.0p1 does not validate the CN for HTTPS constraint requests, which allows remote attackers to bypass the man-in-the-middle mitigations via a crafted timestamp constraint with a valid certificate...

5.6 AI score | 0.00702 EPSS
Exploits 0 | References 4
CVE
added 2017/01/31 7:0 p.m. | 45 views

CVE-2016-5117

CVE-2016-5117 affects OpenNTPD before 6.0p1. The vulnerability is that OpenNTPD does not validate the CN for HTTPS constraint requests, allowing remote attackers to bypass MITM mitigations via a crafted timestamp constraint with a valid certificate. The documented remediation is to upgrade to Ope...

5.9 CVSS | 5.6 AI score | 0.00702 EPSS
Exploits 0 | References 4 | Affected Software 1
FreeBSD
added 2017/01/31 12:0 a.m. | 14 views

shotwell -- failure to encrypt authentication

Jens Georg reports: I have just released Shotwell 0.24.5 and 0.25.4 which turn on HTTPS encryption all over the publishing plugins. Users using Tumblr and Yandex.Fotki publishing are strongly advised to change their passwords and reauthenticate Shotwell to those services after upgrade. Users of...

1.1 AI score
Exploits 0 | References 1
n0where
added 2017/01/30 7:10 a.m. | 12 views

Verified, Efficient TLS Implementation In C: Project Everest

Verified, Efficient TLS Implementation In C. The HTTPS ecosystem (HTTPS and TLS protocols, X.509 public key infrastructure, crypto algorithms) is the foundation on which Internet security is built. Unfortunately, this ecosystem is extremely brittle, with headline-grabbing attacks such as FREAK and...

Exploits 0 | References 3
The Hacker News
added 2017/01/28 8:39 a.m. | 10 views

Google becomes its own Root Certificate Authority

In an effort to expand its certificate authority capabilities and build the "foundation of a more secure web," Google has finally launched its root certificate authority. In the past few years, we have seen Google taking many steps to show its strong support for sites using HTTPS, like: Giving more...

6.7 AI score
Exploits 0
Packet Storm
added 2017/01/28 12:0 a.m. | 85 views

VirtualBox Privilege Escalation

Privilege Escalation in VirtualBox CVE-2017-3316 == Overview === System affected: VirtualBox Software-Version: prior to 5.0.32, prior to 5.1.14 User-Interaction: Required Impact: A Man-In-The-Middle could infiltrate an Extension-Pack-Update to gain a root-shell === Detailed description === In my...

0.3 AI score | 0.06961 EPSS
Exploits 4
exploitpack
added 2017/01/27 12:0 a.m. | 47 views

Oracle VM VirtualBox 5.0.32 5.1.14 - Local Privilege Escalation

Oracle VM VirtualBox 5.0.32 5.1.14 - Local Privilege Escalation == Overview === System affected: VirtualBox Software-Version: prior to 5.0.32, prior to 5.1.14 User-Interaction: Required Impact: A Man-In-The-Middle could infiltrate an Extension-Pack-Update to gain a root-shell === Detailed...

6 CVSS | 0.06961 EPSS
Exploits 4
exploitpack
added 2017/01/26 12:0 a.m. | 57 views

OpenSSL 1.1.0 - Remote Client Denial of Service

OpenSSL 1.1.0 - Remote Client Denial of Service // Source: https://guidovranken.wordpress.com/2017/01/26/cve-2017-3730-openssl-1-1-0-remote-client-denial-of-service-affects-servers-as-well-poc/ / SSL server demonstration program Copyright C 2006-2015, ARM Limited, All Rights Reserved...

5 CVSS | 7.8 AI score | 0.55294 EPSS
Exploits 5
ThreatPost
added 2017/01/25 2:30 p.m. | 35 views

Firefox 51 Begins Warning Users of Insecure HTTP Connections

Mozilla Foundation took steps with the release of Firefox 51 on Tuesday to communicate more clearly to users when they land on a HTTP website collecting personal information such as passwords that the site may not be secure. Going forward, Firefox will display a gray lock icon with a red...

7.5 CVSS | 0.4 AI score | 0.33434 EPSS
Exploits 16 | References 8
n0where
added 2017/01/24 8:5 a.m. | 26 views

Weapon of Mass Destruction: WMD

Weapon of Mass Destruction This is a python tool with a collection of IT security software. The software is encapsulated in “modules”. The modules consist of pure python code and/or external third programs. Main functions 1 To use a module, run the command “use modulecall”, e.g. “use apsniff...

0.1 AI score
Exploits 0 | References 1
Openbugbounty
added 2017/01/21 10:42 a.m. | 9 views

csnsonline.org XSS vulnerability

Vulnerable URL: http://www.csnsonline.org/fellows.php?year=2011%27"--!' Details: Description| Value ---|--- Patched:| No Latest check for patch:| 30.07.2017 Vulnerability type:| XSS Vulnerability status:| Publicly disclosed Alexa Rank| 11099590 VIP website status:| No Check csnsonline.org SSL...

6.3 AI score
Exploits 0
ThreatPost
added 2017/01/19 2:25 p.m. | 18 views

ProtonMail Gets Own Tor-Accessible .Onion Hidden Service

Users of the encrypted email service ProtonMail looking for an extra layer of security now have the option of accessing their inbox directly through the Tor network. ProtonMail, originally developed by CERN and MIT scientists, announced Thursday it had added its own Tor hidden service. According ...

7 AI score
Exploits 0 | References 8
Openbugbounty
added 2017/01/16 1:35 p.m. | 13 views

ec-old2.mit.edu XSS vulnerability

Vulnerable URL: http://ec-old2.mit.edu/media/albums/view.py?path=./Miscellaneous%20old%20scans%27"--!confirmOPENBUGBOUNTY%3C/Script /K/ Details: Description| Value ---|--- Patched:| Yes, at Vulnerability type:| XSS Vulnerability status:| Publicly disclosed Alexa Rank| Unknown / Not calculated VIP...

6.3 AI score
Exploits 0
Metasploit
added 2017/01/13 10:59 p.m. | 18 views

Cisco Firepower Management Console 6.0 Login

This module attempts to authenticate to a Cisco Firepower Management console via HTTPS. The credentials are also used for SSH, which could allow remote code execution. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework...

7.9 AI score
Exploits 0
OpenVAS
added 2017/01/13 12:0 a.m. | 42 views

CentOS Update for java CESA-2017:0061 centos5

Check the version of java SPDX-FileCopyrightText: 2017 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription scriptoid"1.3.6.1.4.1.25623.1.0.882631";...

9.6 CVSS | 6.3 AI score | 0.05437 EPSS
Exploits 0 | References 2
Veracode
added 2017/01/11 3:19 a.m. | 5 views

Man In The Middle (MitM)

databaserewinder is vulnerable to man-in-the-middle MitM attacks. The gem calls from the git source using HTTP rather than HTTPS, potentially allowing a malicious user to conduct a man-in-the-middle attack...

6.5 AI score
Exploits 0
myhack58
added 2017/01/11 12:0 a.m. | 90 views

See how I found the Github Enterprise version of the application SQL injection vulnerabilities and get 5000 dollars Bounty-vulnerability warning-the black bar safety net

GitHub Enterprise Edition software is designed for company groups to deploy in the internal network for the development of services of commercial application. Github enterprise uses the standard OVF format integrated to a virtual machine (VM) mirror, can be in the enterprise.github.com website...

0.2 AI score
Exploits 0
NVD
added 2017/01/09 5:59 p.m. | 10 views

CVE-2016-10125

D-Link DGS-1100 devices with Rev.B firmware 1.01.018 have a hardcoded SSL private key, which allows man-in-the-middle attackers to spoof devices by hijacking an HTTPS session...

8.1 CVSS | 8 AI score | 0.01169 EPSS
Exploits 1 | References 2
Prion
added 2017/01/09 5:59 p.m. | 8 views

Hardcoded credentials

D-Link DGS-1100 devices with Rev.B firmware 1.01.018 have a hardcoded SSL private key, which allows man-in-the-middle attackers to spoof devices by hijacking an HTTPS session...

6.8 CVSS | 7.1 AI score | 0.01169 EPSS
Exploits 1 | References 2 | Affected Software 1
OSV
added 2017/01/09 5:59 p.m. | 2 views

CVE-2016-10125

D-Link DGS-1100 devices with Rev.B firmware 1.01.018 have a hardcoded SSL private key, which allows man-in-the-middle attackers to spoof devices by hijacking an HTTPS session...

8.1 CVSS | 5.8 AI score | 0.01169 EPSS
Exploits 1 | References 2