Lucene search

1163 matches found

OpenVAS
added 2015/11/21 12:0 a.m. (33 views)

Icinga Web 2 Detection (HTTP)

HTTP based detection of Icinga Web 2. SPDX-FileCopyrightText: 2015 SCHUTZWERK GmbH. Some text descriptions might be excerpted from (a) referenced source(s), and are Copyright (C) by the respective right holder(s). SPDX-License-Identifier: GPL-2.0-or-later ifdescription...

AI score: 7.4
Exploits: 0

Fedora
added 2015/10/04 10:54 p.m. (32 views)

[SECURITY] Fedora 22 Update: activemq-5.6.0-12.fc22

The most popular and powerful open source messaging and Integration Patterns server...

CVSS: 5, AI score: 2.4, EPSS: 0.08468
Exploits: 1

Fedora
added 2015/10/03 6:10 p.m. (33 views)

[SECURITY] Fedora 23 Update: activemq-5.6.0-12.fc23

The most popular and powerful open source messaging and Integration Patterns server...

CVSS: 5, AI score: 2.4, EPSS: 0.08468
Exploits: 1

The Hacker News
added 2015/08/01 1:44 a.m. (15 views)

How Spies Could Unmask Tor Users without Cracking Encryption

The Onion Router (Tor) is weeping Badly! Yes, Tor browser is in danger of being caught once again by the people commonly known as "Spies," whose one and only intention is to intrude into others’ network and gather information. A team of security researchers from Massachusetts Institute of Technolog...

AI score: 6.5
Exploits: 0

NVD
added 2015/07/16 2:59 p.m. (16 views)

CVE-2015-1831

The default exclude patterns (excludeParams) in Apache Struts 2.3.20 allow remote attackers to "compromise internal state of an application" via unspecified vectors...

CVSS: 7.5, AI score: 6.5, EPSS: 0.06312
Exploits: 0, References: 3

Cvelist
added 2015/07/16 2:0 p.m. (22 views)

CVE-2015-1831

The default exclude patterns (excludeParams) in Apache Struts 2.3.20 allow remote attackers to "compromise internal state of an application" via unspecified vectors...

AI score: 6.4, EPSS: 0.06312
Exploits: 0, References: 3

F5 Networks
added 2015/07/02 12:0 a.m. (36 views)

SOL16879 - Apache Portable Runtime vulnerability CVE-2011-1928

The fnmatch implementation in apr_fnmatch.c in the Apache Portable Runtime (APR) library 1.4.3 and 1.4.4, and the Apache HTTP Server 2.2.18, allows remote attackers to cause a denial of service (infinite loop) via a URI that does not match unspecified types of wildcard patterns, as demonstrated by...

CVSS: 4.3, AI score: 3.8, EPSS: 0.30406
Exploits: 5, References: 3

Tenable Nessus
added 2015/05/15 12:0 a.m. (29 views)

Apache Struts 2.3.20 Incorrect Default Exclude Pattern (S2-024)

The remote web server is using Apache Struts version 2.3.20. It is, therefore, affected by an issue where the default exclude patterns are incorrect when using default settings. This allows a remote attacker to impact the internal application's state. Note that Nessus has not tested for this issu...

CVSS: 7.5, AI score: 5.5, EPSS: 0.06312
Exploits: 0, References: 2

Hacker One
added 2015/05/13 1:18 p.m. (23 views)

Concrete CMS: Multiple XSS Vulnerabilities in Concrete5 5.7.3.1

Proof of Concept URLs for XSS in Concrete5: URL: /concrete5.7.3.1/index.php/dashboard/system/conversations/bannedwords/success Parameter Name: bannedword%5b%5d Parameter Type: POST Attack Pattern: '"--alert0x000936 URL:...

AI score: 6.3
Exploits: 0

CNVD
added 2015/05/11 12:0 a.m. (3 views)

Apache Struts Incorrect Default Exclude Pattern Vulnerability

Apache Struts is an open source architecture for building Java web applications. Apache Struts fails to correctly apply default exclude patterns when using the default settings, allowing remote attackers to exploit the vulnerability to affect the internal application state...

CVSS: 7.5, AI score: 7, EPSS: 0.06312
Exploits: 0, References: 1

CNVD
added 2015/04/23 12:0 a.m. (1 views)

Drupal Patterns Module Cross-Site Request Forgery Vulnerability

Drupal is a free, open-source content management system developed in PHP and maintained by the Drupal community. Patterns is one of the modules that builds around bottlenecks by managing and automating site configurations stored in XML or YAML schema. A cross-site request forgery vulnerability...

CVSS: 6.8, AI score: 6.9, EPSS: 0.00656
Exploits: 0, References: 1

NVD
added 2015/04/21 4:59 p.m. (13 views)

CVE-2015-3367

Multiple cross-site request forgery (CSRF) vulnerabilities in the Patterns module before 7.x-2.2 for Drupal allow remote attackers to hijack the authentication of administrators for requests that (1) restore, (2) publish, or (3) unpublish a pattern via unspecified vectors...

CVSS: 6.8, AI score: 7.2, EPSS: 0.00656
Exploits: 0, References: 4

Prion
added 2015/04/21 4:59 p.m. (13 views)

Cross site request forgery (csrf)

Multiple cross-site request forgery (CSRF) vulnerabilities in the Patterns module before 7.x-2.2 for Drupal allow remote attackers to hijack the authentication of administrators for requests that (1) restore, (2) publish, or (3) unpublish a pattern via unspecified vectors...

CVSS: 6.8, AI score: 7.7, EPSS: 0.00656
Exploits: 0, References: 4, Affected Software: 1

Cvelist
added 2015/04/21 4:0 p.m. (23 views)

CVE-2015-3367

Multiple cross-site request forgery (CSRF) vulnerabilities in the Patterns module before 7.x-2.2 for Drupal allow remote attackers to hijack the authentication of administrators for requests that (1) restore, (2) publish, or (3) unpublish a pattern via unspecified vectors...

AI score: 7.2, EPSS: 0.00656
Exploits: 0, References: 4

CVE
added 2015/04/21 4:0 p.m. (108 views)

CVE-2015-3367

CVE-2015-3367 corresponds to CSRF vulnerabilities in the Drupal Patterns module. Affected: Patterns 7.x-2.x prior to 7.x-2.2. Impact: remote attackers could leverage CSRF to cause administrators to restore, publish, or unpublish patterns. Root cause: missing or weak CSRF protection in the Pattern...

CVSS: 6.8, AI score: 7.4, EPSS: 0.00656
Exploits: 0, References: 4, Affected Software: 1

Drupal
added 2015/01/21 12:0 a.m. (24 views)

SA-CONTRIB-2015-025 - Patterns - Cross Site Request Forgery (CSRF)

Patterns module manages and automates site configuration. Site configurations stored in XML or YAML are called Patterns, and these are easy to read, modify, manage & share and can be executed manually or as a part of an automated web site deployment. Some links were not protected against CSRF. A...

CVSS: 6.8, AI score: 6.1, EPSS: 0.00656
Exploits: 0, References: 9

RedHat Linux
added 2015/01/13 8:24 p.m. (4 views)

python: ssl.match_hostname() DoS via certificates with specially crafted hostname wildcard patterns

A denial of service flaw was found in the way Python's SSL module implementation performed matching of certain certificate names. A remote attacker able to obtain a valid certificate that contained multiple wildcard characters could use this flaw to issue a request to validate such a certificate,...

CVSS: 4.3, AI score: 7.3, EPSS: 0.04857
Exploits: 0, References: 4

Jake Archibald's Blog
added 2014/12/09 12:0 a.m. (14 views)

The offline cookbook

Update: Together with Udacity I created a free offline-first interactive course. It involves taking an online-only site to full offline-first glory. Many of the patterns in this article are used. When AppCache arrived on the scene it gave us a couple of patterns to make content work offline. If...

AI score: 6.7
Exploits: 0

ThreatPost
added 2014/11/18 2:33 p.m. (12 views)

Paper: NetFlow Data De-Anonymizes Tor Users

Tor Project leaders are trying to rein in concerns about an academic paper describing an end-to-end traffic correlation attack that could be used by a well-funded attacker such as a nation state to de-anonymize traffic on Tor. Executive director Roger Dingledine points out that the researchers...

AI score: 0.8
Exploits: 0, References: 2

ThreatPost
added 2014/11/18 12:17 p.m. (12 views)

Google Releases Open Source XSS Web App Scanner

UPDATE: A previous version of this story incorrectly reported that Firing Range is a scanner when in reality Firing Range is a tool that tests Web application security scanners. Google today released to open source a tool called Firing Range, which is designed as a test bed for Web application...

AI score: 5.8
Exploits: 0, References: 3