End-of-Shift report
Timeframe: Donnerstag 21-11-2013 18:00 − Freitag 22-11-2013 18:00
Handler: Stephan Richter
Co-Handler: Robert Waldner
DNP3 Implementation Vulnerability (Update A)
Adam Crain of Automatak and independent researcher Chris Sistrunk reported an improper input validation vulnerability to NCCIC/ICS-CERT that was evident in numerous slave and/or master station software products. The researchers emphasize that the vulnerability is not with the DNP3 stack but with the
http://ics-cert.us-cert.gov/advisories/ICSA-13-291-01A
Facebook Vulnerability Discloses Friends Lists Defined as Private
Researchers from the Quotium Seeker Research Center identified a security flaw in Facebook privacy controls. The vulnerability allows attackers to see the friends list of any user on Facebook. This attack is carried out by abusing the 'People You May Know' mechanism on Facebook, ...
http://cxsecurity.com/issue/WLB-2013110157
Imperva WAF/DAF 9.5 patch8 and 10.0 patch 2 localroot vulnerability
Topic: Imperva WAF/DAF 9.5 patch8 and 10.0 patch 2 localroot vulnerability
Risk: High
Text: Imperva use hardened centos 5.4 to run Web Application Firewall and Database Activity Monitoring product. It could be expl...
http://cxsecurity.com/issue/WLB-2013110158
Instagram for iOS Flattr account security bypass
Instagram for iOS could allow a remote attacker to bypass security restrictions, caused by an implementation error when the Instagram for iOS and Flattr are linked. An attacker could exploit this vulnerability by flattring the photos causing the money from the users account to be redirected.
http://xforce.iss.net/xforce/xfdb/89162
Instagram for iOS upload module file upload
Instagram for iOS could allow a remote attacker to upload arbitrary files, caused by the improper validation of file extensions. By sending a specially-crafted HTTP request, a remote attacker could exploit this vulnerability to upload a malicious PHP script, which could allow the attacker to execute arbitrary PHP code on the vulnerable system.
http://xforce.iss.net/xforce/xfdb/89160
prettyPhoto Cross-Site Scripting Vulnerability
Input appended to the URL after /#!prettyPhoto/ is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
The vulnerability is confirmed in version 3.1.4. Prior versions may also be affected.
https://secunia.com/advisories/55769
Security Bulletin: IBM iNotes Cross-Site Scripting Vulnerability (CVE-2013-0595)
IBM iNotes versions 8.5.3 and 9.0 contain a cross-site scripting vulnerability. The fix for this issue is available starting in IBM Domino versions 8.5.3 Fix Pack 5 and 9.0.1.
CVE(s): CVE-2013-0595
Affected product(s) and affected version(s): IBM iNotes 9.0 IBM iNotes 8.5.3 through 8.5.3 Fix Pack 4
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm_inotes_cross_site_scripting_vulnerability_cve_2013_0595?lang=en_us
VU#893462: Thomson Reuters Velocity Analytics Vhayu Analytic Server version 6.9.4 build 2995 contains a code injection vulnerability
Overview Thomson Reuters Velocity Analytics Vhayu Analytic Server version 6.94 build 2995 and possibly earlier versions contain a code injection vulnerability (CWE-94).
Description CWE-94: Improper Control of Generation of Code (Code Injection)
http://www.kb.cert.org/vuls/id/893462
Dovecot checkpassword-reply Security Bypass Security Issue
A security issue has been reported in Dovecot, which can be exploited by malicious, local users to bypass certain security restrictions.
https://secunia.com/advisories/54808