# SANS ISC

# threatpost.com

  • Valve Patches Password Reset Vulnerability in Steam Mon, 27 Jul 2015 18:06:55 +0000
    Valve Software has patched a vulnerability in the Steam gaming platform that enabled account hijacking through its password reset mechanism.
  • PHP File Manager Riddled With Vulnerabilities, Including Backdoor Mon, 27 Jul 2015 16:39:13 +0000
    Multiple critical vulnerabilities have existed, some for nearly five years, in PHP File Manager, a web-based file manager used by several high profile corporations.
  • Pair of Bugs Open Honeywell Home Controllers Up to Easy Hacks Mon, 27 Jul 2015 14:50:49 +0000
    The accumulation of automation and Internet-connected devices in many homes these days has led observers to coin the term smart homes. But as researchers take a closer look at the security of these devices, they’re finding that what these homes really are is naive. The latest batch of vulnerabilities to hit home automation equipment are in the Tuxedo Touch […]
  • Android Stagefright Flaws Put 950 Million Devices at Risk Mon, 27 Jul 2015 13:58:43 +0000
    Vulnerabilities in Stagefright, which processes media formats in Android, put 950 million devices at risk to remote attacks.
  • Census Bureau Says Breach Didn’t Compromise Sensitive Data Mon, 27 Jul 2015 13:22:35 +0000
    Officials at the United States Census Bureau say that the attackers who compromised one of the bureau’s databases last week did not get access to any confidential information, but only data such as names and phone numbers of organizations that submit information to the Federal Audit Clearinghouse. The data breach appears to have hit only […]
  • Stakeholders Argue Against Restrictive Wassenaar Proposal Fri, 24 Jul 2015 17:29:14 +0000
    The commenting period regarding the Wassenaar Arrangement expired on Monday but the echo chamber around the largely maligned proposal continues to reverberate.
  • Fiat Chrysler Recalls 1.4 Million Cars After Software Bug is Revealed Fri, 24 Jul 2015 15:45:27 +0000
    A few days after issuing a patch and reassuring owners that the attack that shut down the transmission and other systems remotely on a Jeep was not a huge risk, Fiat Chrysler has decided to recall nearly 1.5 million vehicles as a result of the bug exposed in the research. The recall is the result of […]
  • VUPEN Founder Launches New Zero-Day Acquisition Firm Zerodium Fri, 24 Jul 2015 13:46:07 +0000
    Chaouki Bekrar, the founder of VUPEN, has announced a new zero-day acquisition firm Zerodium.
  • Several Critical Flaws Patched in Drupal Module Thu, 23 Jul 2015 17:27:55 +0000
    There are several critical vulnerabilities in a middleware layer used in Drupal, including both cross-site scripting and cross-site request forgery bugs, that can be exploited remotely. The vulnerabilities are in the Open Semantic Framework, which is a third-party project and not part of the Drupal Core. The framework is used to allow “structured data (RDF) […]
  • WordPress Patches Critical XSS Vulnerability in All Builds Thu, 23 Jul 2015 17:08:55 +0000
    WordPress rolled out a new version of its content management system this morning that addresses a nasty cross-site scripting (XSS) vulnerability that could ultimately lead to site compromise.

# Reddit netsec

  • /r/netsec's Q3 2015 Information Security Hiring Thread Tue, 30 Jun 2015 19:03:56 -0700
    Overview

    If you have open positions at your company for information security professionals and would like to hire from the /r/netsec user base, please leave a comment detailing any open job listings at your company.

    We would also like to encourage you to post internship positions as well. Many of our readers are currently in school or are just finishing their education.

    Please reserve top level comments for those posting open positions.

    Rules & Guidelines
    • Include the company name in the post. If you want to be topsykret, go recruit elsewhere.
    • Include the geographic location of the position along with the availability of relocation assistance.
    • If you are a third party recruiter, you must disclose this in your posting.
    • Please be thorough and upfront with the position details.
    • Use of non-hr'd (realistic) requirements is encouraged.
    • While it's fine to link to the position on your company's website, provide the important details in the comment.
    • Mention if applicants should apply officially through HR, or directly through you.
    • Please clearly list citizenship, visa, and security clearance requirements.

    You can see an example of acceptable posts by perusing past hiring threads.

    Feedback

    Feedback and suggestions are welcome, but please don't hijack this thread (use moderator mail instead.)

    submitted by sanitybit
    [link] [65 comments]
  • RCE via MMS on Android Mon, 27 Jul 2015 15:48:34 +0000
    submitted by LivingInSyn
    [link] [88 comments]
  • How to use old GSM protocols/encodings to know if a user is Online on the GSM Network AKA PingSMS 2.0 Mon, 27 Jul 2015 22:17:00 +0000
    submitted by thefinn93
    [link] [comment]
  • Hardening Android's Bionic libc Mon, 27 Jul 2015 22:02:38 +0000
    submitted by strncat
    [link] [comment]
  • Rowhammer.js: A Remote Software-Induced Fault Attack in JavaScript Mon, 27 Jul 2015 10:09:00 +0000
    submitted by Fen-Jai
    [link] [9 comments]
  • Xen Security Advisory 138 (CVE-2015-5154) - QEMU heap overflow flaw while processing certain ATAPI commands. Mon, 27 Jul 2015 13:59:26 +0000
    submitted by iqlusion
    [link] [4 comments]
  • Infiltrate 2015 videos Mon, 27 Jul 2015 14:37:51 +0000
    submitted by _rs
    [link] [comment]
  • A little Roku with my morning coffee; A firmware update MITM technique Tue, 28 Jul 2015 00:05:11 +0000

    Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the license is included in the section entitled "GNU Free Documentation License". A copy is also available at https://www.gnu.org/licenses/fdl-1.3.en.html


    I woke up today to find an interesting article [1] on /r/netsec and decided to do my own research to complement it. I don't know that this is an original thing to note, but I figured a follow-up would be fun nonetheless. The original article discusses the access point spun up by the Roku to facilitate communication between the base station and the remote. This was nice, but I wanted to go after the firmware. After some Googling I found another article [2] that discusses a 'secret' screen in the Roku system. I like secret screens.

    I found the same screen as shown in the image from article number two. The thing to note is the 'Update Software' option. I wanted to update the Roku software, but first I needed a copy of it to modify. Before I even started preparing my environment I had figured they would be using HTTPS to protect the integrity of the firmware file in transit. I set up a tcpdump instance on my WAN interface, and ran the update mechanism. It succeeded. I stopped the packet capture, downloaded it, and reviewed it in Wireshark.


    Conversations -

    ```
    74.205.52.56    tyler.sw.roku.com
    74.205.52.57    tyler.ib.roku.com
    23.193.132.176  wwwimg.roku.com
    23.61.194.184   firmware.roku.com
    ```

    HTTP Request -

    ```http
    GET /tyler/066.02E03473A HTTP/1.1
    Connection: close
    Host: firmware.roku.com
    User-Agent: Roku/DVP-6.2 (066.02E03473A)
    ```

    It appeared that there was in fact a TLSv1.2 connection that occurred between tyler.* and my connection. I don't know who Tyler is; I reviewed the Roku LinkedIn page for both current and past employees who have the first name Tyler. No luck. I was going to say hi. :) The firmware file used during installation was downloaded from firmware.roku.com using HTTP. Wireshark provides an easy mechanism for exporting objects from HTTP streams. It was successful at extracting the firmware file.


    File MD5 -

    ```
    d1c0bf5bac7fdfb25edea554bd69d911  066.02E03473A
    ```

    Binwalk output -

    ```
    DECIMAL       HEXADECIMAL     DESCRIPTION
    0             0x0             Roku aimage SB
    32163882      0x1EAC82A       StuffIt Deluxe Segment (data): f
    41041920      0x2724000       Roku aimage SB
    41218048      0x274F000       Roku aimage SB
    41218304      0x274F100       uImage header, header size: 64 bytes, header CRC: 0xEEE1B422, created: 2015-05-01 08:55:25, image size: 2674084 bytes, Data Address: 0x80001000, Entry Point: 0x803D3820, data CRC: 0x2123E7FE, OS: Linux, CPU: SuperH, image type: OS Kernel Image, compression type: gzip, image name: "Linux 2.6"
    41218368      0x274F140       gzip compressed data, maximum compression, has original file name: "vmlinux.bin", from Unix, last modified: 2015-05-01 08:55:24
    ```

    My Roku uses DHCP to obtain an IP address and corresponding settings. The DHCP leasing process allows the DHCP server to specify a DNS server that clients should use when communicating on the network. I spun up a DNS server I controlled, and set DHCP to publish my newly created DNS server.


    Nslookup -

    ```
    Server:   <redacted>
    Address:  <redacted>#53

    Name:     firmware.roku.com
    Address:  10.10.<redacted>.<redacted>
    ```

    I then created a VM with an Apache2 instance set up to follow the same directory structure that was observed during the packet capture analysis and attempted to run 'Update Software' again.


    ```
    127.0.1.1:80 <redacted> - - [09/Jul/2015:06:46:37 -0700] "GET /tyler/066.02E03473A HTTP/1.1" 200 43905263 "-" "Roku/DVP-6.2 (066.02E03473A)"
    ```

    The file downloads successfully, installs without error, reboots, and resumes normal operation.

    How about if I modify it? Let's look at the firmware file a bit more. Here is an unmodified version of the firmware file header.


    ```
    0000000: 0000 0000 0000 0000 696d 6741 524d 6343 ........imgARMcC
    0000010: 231b 02c2 0025 b253 0a00 0000 0040 7202 #....%.S.....@r.
    0000020: 0040 7202 0000 0000 0000 0000 0000 0000 .@r.............
    0000030: 8000 0000 753f 4355 0000 0000 8eb3 f6d3 ....u?CU........
    0000040: 9bfd 90e4 ef99 f85d 27f4 e7e5 d458 8229 .......]'....X.)
    0000050: 2836 f7f4 dd03 d4c1 6099 0acd b565 a5b6 (6......`....e..
    0000060: 5951 2df1 cf32 d8ab e3b5 7af4 5885 eb88 YQ-..2....z.X...
    0000070: dc7d ac8e 2e06 d509 967d 5b10 ed64 a175 .}.......}[..d.u
    0000080: 01e5 a5e4 0278 eb2f 7ca8 a9fc 0383 edb3 .....x./|.......
    0000090: ce6e bb7b 0b9f 2447 86c9 49f4 ec3e 85d7 .n.{..$G..I..>..
    00000a0: 5355 00a2 25bb 4ec8 15f1 d717 899d d3a9 SU..%.N.........
    00000b0: 9b7c 2d9d 2dc7 551a d9c3 eae4 0952 d34c .|-.-.U......R.L
    00000c0: c327 f7ff 3e1a 6e75 37c6 13c4 9379 9e2d .'..>.nu7....y.-
    00000d0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
    00000e0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
    ```

    The line below is the one that interested me:


    ```
    0000030: 8000 0000 753f 4355 0000 0000 8eb3 f6d3 ....u?CU........
    ```

    The value of interest is 0x753f4355, which becomes 0x55433f75 after reversing for endianness.

    By converting 0x55433f75 into decimal, we can see it is a Unix timestamp. The build I am working on is fairly recent.


    ```python
    >>> from datetime import datetime
    >>> from time import mktime
    >>> int('0x55433f75', 16)
    1430470517
    >>> datetime.fromtimestamp(1430470517).strftime('%Y-%m-%d %H:%M:%S')
    '2015-05-01 01:55:17'
    ```

    Calculating a new Unix timestamp...

    ```python
    >>> int(mktime(datetime(2015, 4, 1, 4, 1, 4, 1).timetuple()))
    1427886064
    >>> hex(int(mktime(datetime(2015, 4, 1, 4, 1, 4, 1).timetuple())))
    '0x551bcff0'
    ```

    Reversing for endianness: 0xf0cf1b55 


    ```
    0000000: 0000 0000 0000 0000 696D 6741 524D 6343 ........imgARMcC
    0000010: 231B 02C2 0025 B253 0A00 0000 0040 7202 #..Â.%²S.....@r.
    0000020: 0040 7202 0000 0000 0000 0000 0000 0000 .@r.............
    0000030: 8000 0000 F0CF 1B55 0000 0000 8EB3 F6D3 €...ðÏ.U....Ž³öÓ
    0000040: 9bfd 90e4 ef99 f85d 27f4 e7e5 d458 8229 .......]'....X.)
    0000050: 2836 f7f4 dd03 d4c1 6099 0acd b565 a5b6 (6......`....e..
    0000060: 5951 2df1 cf32 d8ab e3b5 7af4 5885 eb88 YQ-..2....z.X...
    0000070: dc7d ac8e 2e06 d509 967d 5b10 ed64 a175 .}.......}[..d.u
    0000080: 01e5 a5e4 0278 eb2f 7ca8 a9fc 0383 edb3 .....x./|.......
    0000090: ce6e bb7b 0b9f 2447 86c9 49f4 ec3e 85d7 .n.{..$G..I..>..
    00000a0: 5355 00a2 25bb 4ec8 15f1 d717 899d d3a9 SU..%.N.........
    00000b0: 9b7c 2d9d 2dc7 551a d9c3 eae4 0952 d34c .|-.-.U......R.L
    00000c0: c327 f7ff 3e1a 6e75 37c6 13c4 9379 9e2d .'..>.nu7....y.-
    00000d0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
    00000e0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
    ```


    File MD5 -

    ```
    10dd81bb21151b345b62f7d15317be24  066.02E03473A
    ```

    After replacing the firmware file obtained from the packet capture with the newly modified version, I ran the 'Update Software' mechanism again. The Roku reached out to my Apache2 instance and requested the modified firmware. The Roku downloaded it successfully.


    ```
    127.0.1.1:80 <redacted> - - [09/Jul/2015:08:18:07 -0700] "GET /tyler/066.02E03473A HTTP/1.1" 200 43905263 "-" "Roku/DVP-6.2 (066.02E03473A)"
    ```

    Error 006 was returned before installation. Error 006 relates to a signature validation check.

    I have to get back to my real job now but will do a follow up blog post once I have fully cracked this thing. In the meantime, if someone beats me to it don't forget to share!

    Thanks, Winston


    References

    1. http://x42.obscurechannel.com/2015/07/26/cracking-the-roku-v2-wpa2-psk/
    2. http://zatznotfunny.com/2014-09/accessing-rokus-secret-menu/
    submitted by w_s_m_i_t_h
    [link] [4 comments]
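The header arithmetic from the Roku post above, as an added example that is not part of the original post: it reads the little-endian timestamp at offset 0x34 from the header bytes copied out of the post's dump, patches it the way the post did, and shows that even a four-byte edit fails an integrity check. The Roku's real signature scheme is not known from the post, so an HMAC-SHA256 under a hypothetical vendor key stands in for it.

```python
import hashlib
import hmac
import struct
from datetime import datetime, timezone

# Constructed sample: the first 0x40 bytes of the unmodified header, copied
# from the xxd dump in the post (only the region the post discusses).
HEADER_HEX = (
    "0000000000000000696d6741524d6343"
    "231b02c20025b2530a00000000407202"
    "00407202000000000000000000000000"
    "80000000753f4355000000008eb3f6d3"
)
HEADER = bytes.fromhex(HEADER_HEX)

MAGIC_OFFSET = 0x08        # "imgARMcC" marker visible in the dump
TIMESTAMP_OFFSET = 0x34    # little-endian uint32 Unix time (the post's finding)


def read_timestamp(img: bytes) -> int:
    """Return the build timestamp stored little-endian at 0x34."""
    if img[MAGIC_OFFSET:MAGIC_OFFSET + 8] != b"imgARMcC":
        raise ValueError("not a Roku aimage header")
    return struct.unpack_from("<I", img, TIMESTAMP_OFFSET)[0]


def timestamp_utc(ts: int) -> str:
    """Render a Unix timestamp in UTC (the post printed Pacific local time)."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def patch_timestamp(img: bytes, ts: int) -> bytes:
    """Return a copy of img with the timestamp field replaced, as the post did."""
    out = bytearray(img)
    struct.pack_into("<I", out, TIMESTAMP_OFFSET, ts)
    return bytes(out)


# Defender's view: the device installed the untouched image but rejected the
# patched one with "Error 006" (signature check). The HMAC below is a stand-in
# for that check; VENDOR_KEY is a placeholder, not a real Roku key.
VENDOR_KEY = b"hypothetical-vendor-key"


def sign(img: bytes) -> bytes:
    """Integrity tag over the whole image under the stand-in key."""
    return hmac.new(VENDOR_KEY, img, hashlib.sha256).digest()


def verify(img: bytes, tag: bytes) -> bool:
    """Constant-time comparison of the recomputed tag against the stored one."""
    return hmac.compare_digest(sign(img), tag)


if __name__ == "__main__":
    ts = read_timestamp(HEADER)
    print(hex(ts), ts, timestamp_utc(ts))            # 0x55433f75 1430470517 2015-05-01 08:55:17
    tag = sign(HEADER)
    patched = patch_timestamp(HEADER, 1427886064)    # the post's 2015-04-01 04:01:04 PDT value
    print(patched[TIMESTAMP_OFFSET:TIMESTAMP_OFFSET + 4].hex())   # f0cf1b55
    print("original verifies:", verify(HEADER, tag))  # True
    print("patched verifies:", verify(patched, tag))  # False
```

The UTC rendering lines up with the uImage header's "created: 2015-05-01 08:55:25" from the binwalk output, eight seconds after the aimage timestamp.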
  • Securing a Node.js port of Quake2 using Nginx and Conjur Mon, 27 Jul 2015 15:58:06 +0000
    submitted by kegilpin
    [link] [comment]
  • Cracking the ROKU V2 WPA2-PSK Sun, 26 Jul 2015 18:53:23 +0000
    submitted by x42___
    [link] [22 comments]

# Krebs On Security

  • The Wheels of Justice Turn Slowly Mon, 27 Jul 2015 15:39:43 +0000
    On the evening of March 14, 2013, a heavily-armed police force surrounded my home in Annandale, Va., after responding to a phony hostage situation that someone had alerted authorities to at our address. I’ve recently received a notice from the U.S. Justice Department stating that one of the individuals involved in that “swatting” incident had pleaded guilty to a felony conspiracy charge.
  • Spike in ATM Skimming in Mexico? Wed, 22 Jul 2015 14:57:12 +0000
    Several sources in the financial industry say they are seeing a spike in fraud on customer cards used at ATMs in Mexico. The reason behind that apparent spike hopefully will be fodder for another story. In this post, we'll take a closer look at a pair of ATM skimming devices that were recently found attached to a cash machine in Puerto Vallarta -- a popular tourist destination on Mexico's Pacific coast.
  • Experian Hit With Class Action Over ID Theft Service Tue, 21 Jul 2015 17:50:30 +0000
    Big-three credit bureau Experian is the target of a class-action lawsuit just filed in California. The suit alleges that Experian negligently violated consumer protection laws when it failed to detect for nearly 10 months that a customer of its data broker subsidiary was a scammer who ran a criminal service that resold consumer data to identity thieves.

# Bruce Schneier's blog

  • Michael Chertoff Speaks Out Against Backdoors Mon, 27 Jul 2015 13:16:39 -0500
    This is significant. News article....
  • Hacking Team's Purchasing of Zero-Day Vulnerabilities Mon, 27 Jul 2015 06:17:59 -0500
    This is an interesting article that looks at Hacking Team's purchasing of zero-day (0day) vulnerabilities from a variety of sources: Hacking Team's relationships with 0day vendors date back to 2009 when they were still transitioning from their information security consultancy roots to becoming a surveillance business. They excitedly purchased exploit packs from D2Sec and VUPEN, but they didn't find the...
  • Friday Squid Blogging: How a Squid Changes Color Fri, 24 Jul 2015 16:18:11 -0500
    The California market squid, Doryteuthis opalescens, can manipulate its color in a variety of ways: Reflectins are aptly-named proteins unique to the light-sensing tissue of cephalopods like squid. Their skin contains specialized cells called iridocytes that produce color by reflecting light in a predictable way. When the neurotransmitter acetylcholine activates reflectin proteins, this triggers the contraction and expansion of deep...
  • How an Amazon Worker Stole iPads Fri, 24 Jul 2015 12:49:28 -0500
    A worker in Amazon's packaging department in India figured out how to deliver electronics to himself: Since he was employed with the packaging department, he had easy access to order numbers. Using the order numbers, he packed his order himself; but instead of putting pressure cookers in the box, he stuffed it with iPhones, iPads, watches, cameras, and other expensive...
  • Remotely Hacking a Car While It's Driving Thu, 23 Jul 2015 06:17:43 -0500
    This is a big deal. Hackers can remotely hack the Uconnect system in cars just by knowing the car's IP address. They can disable the brakes, turn on the AC, blast music, and disable the transmission: The attack tools Miller and Valasek developed can remotely trigger more than the dashboard and transmission tricks they used against me on the highway....
  • Preventing Book Theft in the Middle Ages Wed, 22 Jul 2015 07:11:32 -0500
    Interesting article....
  • Malcolm Gladwell on Competing Security Models Tue, 21 Jul 2015 06:51:47 -0500
    In this essay/review of a book on UK intelligence officer and Soviet spy Kim Philby, Malcolm Gladwell makes this interesting observation: Here we have two very different security models. The Philby-era model erred on the side of trust. I was asked about him, and I said I knew his people. The "cost" of the high-trust model was Burgess, Maclean, and...
  • Organizational Doxing of Ashley Madison Mon, 20 Jul 2015 15:15:22 -0500
    The -- depending on who is doing the reporting -- cheating, affair, adultery, or infidelity site Ashley Madison has been hacked. The hackers are threatening to expose all of the company's documents, including internal e-mails and details of its 37 million customers. Brian Krebs writes about the hackers' demands. According to the hackers, although the "full delete" feature that Ashley...
  • Google's Unguessable URLs Mon, 20 Jul 2015 05:25:16 -0500
    Google secures photos using public but unguessable URLs: So why is that public URL more secure than it looks? The short answer is that the URL is working as a password. Photos URLs are typically around 40 characters long, so if you wanted to scan all the possible combinations, you'd have to work through 10^70 different combinations to get the...
  • Friday Squid Blogging: Squid Giving Birth Fri, 17 Jul 2015 16:09:27 -0500
    I may have posted this short video before, but if I did, I can't find it. It's four years old, but still pretty to watch. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

# WIRED Threat Level

# exploit-db.com

# Securiteam

  • Magento Server MAGMI Cross Site Scripting Vulnerabilities Fri, 17 Jul 2015 00:00 GMT
    Directory traversal vulnerability in web/ajax_pluginconf.php in the MAGMI (aka Magento Mass Importer) plugin for Magento Server allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter.
  • Microsoft Windows Adobe Font Driver Remote Code Execution Vulnerabilities Fri, 17 Jul 2015 00:00 GMT
    Adobe Font Driver in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to execute arbitrary code via a crafted (1) web site or (2) file, aka "Adobe Font Driver Remote Code Execution Vulnerability,"
  • Mozilla Firefox Man In The Middle Information Disclosure Vulnerabilities Fri, 17 Jul 2015 00:00 GMT
    The WebRTC subsystem in Mozilla Firefox before 36.0 recognizes turns: and stuns: URIs but accesses the TURN or STUN server without using TLS, which makes it easier for man-in-the-middle attackers to discover credentials by spoofing a server and completing a brute-force attack within a short time window.
  • SAP BusinessObjects Edge Unauthorized Access Vulnerabilities Fri, 17 Jul 2015 00:00 GMT
    The Auditing service in SAP BusinessObjects Edge 4.0 allows remote attackers to obtain sensitive information by reading an audit event.
  • Webshop Hun 1.062S Directory Traversal Vulnerabilities Fri, 17 Jul 2015 00:00 GMT
    Directory traversal vulnerability in Webshop hun 1.062S allows remote attackers to have unspecified impact via directory traversal sequences in the mappa parameter to index.php.
  • Apple IOS NULL Pointer Dereference Denial of Service Vulnerabilities Tue, 21 Jul 2015 00:00 GMT
    CoreTelephony in Apple iOS before 8.2 allows remote attackers to cause a denial of service (NULL pointer dereference and device restart) via a Class 0 SMS message.
  • Cisco IOS And IOS-XE IKEv2 Processing Denial Of Service Vulnerabilities Tue, 21 Jul 2015 00:00 GMT
    Cisco IOS 12.2, 12.4, 15.0, 15.1, 15.2, 15.3, and 15.4 and IOS XE 2.5.x, 2.6.x, 3.1.xS through 3.12.xS before 3.12.3S, 3.2.xE through 3.7.xE before 3.7.1E, 3.3.xSG, 3.4.xSG, and 3.13.xS before 3.13.2S allow remote attackers to cause a denial of service (device reload) by sending malformed IKEv2 packets over (1) IPv4 or (2) IPv6
  • Cisco Unified Communications Manager Remote Code Execution Vulnerabilities Tue, 21 Jul 2015 00:00 GMT
    Cisco Unified Communications Domain Manager 8.1(4) allows remote authenticated users to execute arbitrary code by visiting a "deprecated page,"
  • D-Link DAP-1320 Rev Ax Command Injection Vulnerabilities Tue, 21 Jul 2015 00:00 GMT
    D-Link DAP-1320 Rev Ax with firmware before 1.21b05 allows attackers to execute arbitrary commands
  • Ffmpeg Invalid Memory Handler Vulnerabilities Tue, 21 Jul 2015 00:00 GMT
    The seg_write_packet function in libavformat/segment.c in ffmpeg 2.1.4 and earlier does not free the correct memory location, which allows remote attackers to cause a denial of service ("invalid memory handler") and possibly execute arbitrary code via a crafted video that triggers a use after free.
  • GameHouse RealArcade Installer Use After Free Remote Code Execution Vulnerabilities Tue, 21 Jul 2015 00:00 GMT
    The RACInstaller.StateCtrl.1 ActiveX control in InstallerDlg.dll in RealNetworks GameHouse RealArcade Installer 2.6.0.481 performs unexpected type conversions for invalid parameter types, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free) via crafted arguments to the (1) AddTag, (2) Ping, (3) QueuePause, (4) QueueRemove, (5) QueueTop, (6) RemoveTag, (7) TagRemoved, or (8) message method.
  • Google Chrome Triggering A Failed Image Decoding Vulnerabilities Tue, 21 Jul 2015 00:00 GMT
    The DragImage::create function in platform/DragImage.cpp in Blink, as used in Google Chrome before 41.0.2272.76, does not initialize memory for image drawing, which allows remote attackers to have an impact by triggering a failed image decoding, as demonstrated by an image for which the default orientation cannot be used.
  • Linux Kernel 'fs/fhandle.c' Local Race Condition Vulnerabilities Tue, 21 Jul 2015 00:00 GMT
    Race condition in the handle_to_path function in fs/fhandle.c in the Linux kernel through 3.19.1 allows local users to bypass intended size restrictions and trigger read operations on additional memory locations by changing the handle_bytes value of a file handle during the execution of this function.
  • MantisBT Login Page Open Redirect Cross-Site Request Forgery Vulnerabilities Tue, 21 Jul 2015 00:00 GMT
    Cross-site request forgery (CSRF) vulnerability in Snowfox CMS before 1.0.10 allows remote attackers to hijack the authentication of administrators for requests that add a new admin account via a submit action in the admin/accounts/create uri to snowfox/.
  • MantisBT Mc_account_api.php Information Disclosure Vulnerabilities Tue, 21 Jul 2015 00:00 GMT
    The mci_account_get_array_by_id function in api/soap/mc_account_api.php in MantisBT before 1.2.18 allows remote attackers to obtain sensitive information via a (1) mc_project_get_users, (2) mc_issue_get, (3) mc_filter_get_issues, or (4) mc_project_get_issues SOAP request.
  • MICROSYS PROMOTIC Stack Based Buffer Overflow Vulnerabilities Tue, 21 Jul 2015 00:00 GMT
    Stack-based buffer overflow in the PmBase64Decode function in an unspecified demonstration application in MICROSYS PROMOTIC stable before 8.2.19 and PROMOTIC development before 8.3.2 allows remote attackers to execute arbitrary code by providing a large amount of data.
  • Mozilla Firefox Security Vulnerabilities Tue, 21 Jul 2015 00:00 GMT
    The UITour::onPageEvent function in Mozilla Firefox before 36.0 does not ensure that an API call originates from a foreground tab, which allows remote attackers to conduct spoofing and clickjacking attacks by leveraging access to a UI Tour web site.
  • Multiple Websense Products Arbitrary File Read Vulnerabilities Tue, 21 Jul 2015 00:00 GMT
    SVM in Websense TRITON V-Series appliances before 8.0.0 allows attackers to read arbitrary files
  • Oracle Solaris Cluster Local Security Vulnerabilities Tue, 21 Jul 2015 00:00 GMT
    Solaris Cluster component in Oracle Sun Systems Products Suite 3.3 and 4.1 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to System management.
  • Parse_SST Function FreeXL Stack Corruption Vulnerabilities Tue, 21 Jul 2015 00:00 GMT
    The parse_SST function in FreeXL before 1.0.0i allows remote attackers to cause a denial of service (memory consumption) via a crafted shared strings table in a workbook