End-of-Shift report
Timeframe: Wednesday 18-02-2015 18:00 − Thursday 19-02-2015 18:00
Handler: Robert Waldner
Co-Handler: Alexander Riepl
SA-CONTRIB-2015-052 - RESTful Web Services - Access Bypass
This module enables you to expose Drupal entities as RESTful web services. It provides a machine-readable interface to exchange resources in JSON, XML and RDF. The RESTWS Basic Auth submodule doesn't sufficiently disable page caching for ...
https://www.drupal.org/node/2428863
SA-CONTRIB-2015-048 - Avatar Uploader - Arbitrary PHP code execution
Avatar Uploader module provides an alternative way to upload user pictures. The module doesn't sufficiently enforce file extensions when an avatar is uploaded, allowing users to bypass Drupal's normal file upload protections to ..
https://www.drupal.org/node/2428793
Multiple vulnerabilities in Cisco products
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2015-0623
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2015-0626
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2015-0622
BIND: A Problem with Trust Anchor Management Can Cause named to Crash
BIND servers which are configured to perform DNSSEC validation and which are using managed-keys (which occurs implicitly when using "dnssec-validation auto;" or "dnssec-lookaside auto;") may terminate with an assertion failure when ...
https://kb.isc.org/article/AA-01235/0
OWASP AppSensor - implement real-time intrusion detection within your software
Free, open source, DevOps friendly and cloud compatible AppSensor provides real-time application-layer attack detection and response.
https://www.owasp.org/images/8/8e/Appsensor_intro_for_developers.pdf
Lenovo laptops vulnerable due to Superfish adware
An adware called Superfish has apparently been shipped on Lenovo laptops for several months. It injects advertising into third-party websites and installs a root certificate to do so - a huge security hole.
http://www.golem.de/news/adware-lenovo-laptops-durch-superfish-adware-angreifbar-1502-112460.html
Macros? Really?!
.. macro-based malware is now making a "successful" comeback. Last week, we saw a significant Dridex malware run that was using macros in Excel files (.XLSM), and earlier this week, the crooks behind the banking spyware "Vawtraq" started to spam the usual "Fedex Package" and "Tax Refund" emails, ..
https://isc.sans.edu/diary/Macros%3F+Really%3F!/19349
Automating Removal of Java Obfuscation
In this post we detail a method to improve analysis of Java code for a particular obfuscator, we document the process that was followed and demonstrate the results of automating our method. Obscurity will not stop an attacker and once the method is known, methodology can be developed to automate the process.
http://www.contextis.com/resources/blog/automating-removal-java-obfuscation/
IETF: RC4 officially no longer permitted in TLS
According to the new RFC 7465, RC4 encryption may no longer be used for TLS connections. The algorithm has long been considered problematic; details of new attacks are expected to be published shortly.
http://www.golem.de/news/ietf-rc4-in-tls-offiziell-nicht-mehr-erlaubt-1502-112469.html
Cross-Site Tracing (XST): The misunderstood vulnerability
Alas, the 'XS' in XST evokes similarity to XSS (Cross-Site Scripting) which has the consequence of leading people to mistake XST as a method for injecting JavaScript. (Thankfully, character encoding attacks have avoided the term Cross-Site Unicode, XSU.) Although XST attacks rely on browser scripting ..
http://deadliestwebattacks.com/2010/05/18/cross-site-tracing-xst-the-misunderstood-vulnerability/
Duplicator 0.5.8 - Privilege Escalation
https://wpvulndb.com/vulnerabilities/7799
Technology doping: Competitive advantage by abusing security flaws in smart sports equipment
The term 'Technology doping' has recently been used [1] to mean the practice of gaining a competitive advantage through using sports equipment, e.g. the LZR Racer bodysuit [2] that was used by many of the swimmers during the Beijing Olympics, resulting in world records being broken. Shortly afterwards, FINA (Federation Internationale de Natation), the international ..
https://www.nccgroup.com/en/blog/2015/02/technology-doping-competitive-advantage-by-abusing-security-flaws-in-smart-sports-equipment/
l+f: Cloned SSH keys are evil
Thousands of devices on the net use one and the same SSH key. That poses risks.
http://heise.de/-2555229
Ransomware on the rise: when data is taken hostage
More and more criminals are turning to "ransomware" to extort ransom payments. Their next target: mobile phones.
http://derstandard.at/2000011389615