[Wapiti 2.3.0] Web Application Vulnerability Scanner
Wapiti allows you to audit the security of your web applications. It performs "black-box" scans, i.e. it does not study the source code of the application but will scan the webpages of the deployed webapp, looking for scripts and forms where it can inject data. Once it gets this list, Wapiti act...
Fedora Update for python-djblets FEDORA-2013-20817
Check for the Version of python-djblets OpenVAS Vulnerability Test Fedora Update for python-djblets FEDORA-2013-20817 Authors: System Generated Check Copyright: Copyright (C) 2013 Greenbone Networks GmbH, http://www.greenbone.net This program is free software; you can redistribute it and/or modify ...
Twitter Implements Perfect Forward Secrecy
Twitter took another step toward not only securing the privacy of its users’ communication over the social network, but in warding off the prying eyes of government surveillance with the implementation of Perfect Forward Secrecy. The technology thwarts the efforts of anyone who may be collecting...
EFF Encrypt the Web Report Shows Crypto Leaders, Laggards
There’s nothing like a little peer pressure to nudge someone toward doing the right thing. That’s the philosophy behind the Electronic Frontier Foundation’s Encrypt the Web Report, which examines the encryption capabilities of 18 leading Internet companies, including large carriers, social...
A Jingdong login security vulnerability - vulnerability warning - the Black Bar Safety Net
Table of Contents 1 Introduction 2 The inspection process 3 Summary 1 Introduction Recently, while looking at the code of an open source site, I found that if the login page is requested via the HTTP protocol, it is redirected to an HTTPS URL, so login security can be ensured. Today, on a whim, I wanted to...
PineApp MailSecure Command Execution
Hi, related to this: http://seclists.org/fulldisclosure/2013/Nov/136 In February 2013 I sent PineApp the following information: ----------------------------------------------------------------- It is possible to execute any bash command as the qmailq unprivileged user, sending only the following https...
Yahoo to Give Users Option for SSL on All Web Properties
Following months of criticism from security experts and privacy advocates for not deploying SSL across its Web offerings, Yahoo on Monday announced that it will be giving users the option to encrypt all of the data they exchange with the company by the end of the first quarter next year. The chan...
HTTP/2 Supports only HTTPS URIs
The head of the working group designing the next version of HTTP said the HTTP/2 protocol will work only with encrypted URIs. “I believe the best way that we can meet the goal of increasing use of TLS on the Web is to encourage its use by only using HTTP/2.0 with https:// URIs,” wrote Mark...
Private key in key.pem world readable
Description Due to incorrect directory and file permissions a local attacker might obtain the private key that is used for the SSL/TLS encryption for ldaps including STARTTLS on ldap and https network traffic. The attacker is then able to decrypt encrypted network traffic which may contain...
SA-CONTRIB-2013-088 - Secure Pages - Missing Encryption of Sensitive Data
The Secure Pages module manages redirects between HTTP and HTTPS pages. A flaw in the URL path matching could lead some pages and forms to be transmitted via plain HTTP, even if the administrator intended those pages to use HTTPS. This flaw may surface either due to a malicious user enticing a us...
Apple Turns on BEAST Attack Mitigation by Default in Safari
Apple enabled a feature in its recent OS X Mavericks update that neutered the BEAST cryptographic attacks. BEAST is a two-year-old attack tool that exploits a vulnerability in TLS 1.0 and SSL 3.0 and could lead to an attacker stealing HTTPS cookies or hijacking browser sessions. Apple’s Safari...
CVE-2013-5537
The web framework on Cisco Web Security Appliance (WSA), Email Security Appliance (ESA), and Content Security Management Appliance (SMA) devices does not properly manage the state of HTTP and HTTPS sessions, which allows remote attackers to cause a denial of service (management GUI outage) via multiple T...
Code injection
The web framework on Cisco Web Security Appliance (WSA), Email Security Appliance (ESA), and Content Security Management Appliance (SMA) devices does not properly manage the state of HTTP and HTTPS sessions, which allows remote attackers to cause a denial of service (management GUI outage) via multiple T...
Cisco WSA, ESA, and SMA Management GUI Denial of Service Vulnerability
A vulnerability in the GUI function in the web framework code could allow an unauthenticated, remote attacker to cause the GlassFish process to become unresponsive, resulting in a partial denial of service (DoS) condition. The vulnerability is due to improper handling, processing, and termination o...
HTTPS: block-wise chosen-plaintext attack against SSL/TLS (BEAST)
The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HT...
The xsrf cookie token is not a 'secure' cookie for secure('https') requests
To protect against man-in-the-middle attacks, the xsrf cookie token should have the 'secure' attribute set...
CentOS 6 : rubygems (CESA-2013:1441)
An updated rubygems package that fixes three security issues is now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, ar...
RHEL 6 : rubygems (RHSA-2013:1441)
The remote Red Hat Enterprise Linux 6 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2013:1441 advisory. RubyGems is the Ruby standard for publishing and managing third-party libraries. It was found that RubyGems did not verify SSL connections...
Scientific Linux Security Update : rubygems on SL6.x (noarch) (20131017)
It was found that RubyGems did not verify SSL connections. This could lead to man-in-the-middle attacks. CVE-2012-2126 It was found that, when using RubyGems, the connection could be redirected from HTTPS to HTTP. This could lead to a user believing they are installing a gem via HTTPS, when the...