Tuesday, July 15th, 2008
Ever wondered what name is behind some obscure Gmail address? Maybe your preferred Gmail address was taken and you’re wondering who took it?
Here’s a cute vulnerability in the Gmail system that comes from the strong tie-ins between Gmail, Google Calendar and all the other services.
Source:
http://blogs.securiteam.com/index.php/archives/1113
Posted in Internet, Privacy, Security, Software | No Comments
Friday, June 6th, 2008
A problem in the way Apache binds itself to port 80 on Windows machines allows the PHP environment running under Apache to gain access to the information being sent to port 80, which in turn can be leveraged to perform man-in-the-middle attacks.
This problem is exploited by the PHP ...
Posted in Coding, Internet, PHP, Windows | No Comments
Wednesday, May 14th, 2008
Most of today's fingerprinting tools focus on server-side services. Well-known and widely accepted implementations of such utilities are available for HTTP web services, SMTP mail servers, FTP servers and even telnet daemons. Of course, many attack scenarios focus on server-side attacks.
Client-based attacks, especially targeting web clients, are becoming ...
Posted in Internet, Privacy, Security, Software | No Comments
Sunday, May 11th, 2008
We received a report from Mike this afternoon about a couple of URLs containing a malicious JavaScript that pulls down a file associated with Zlob. If you do a Google search for these two URLs, you get about 400,000 sites that have a call to this JavaScript file included in ...
Posted in Internet, Privacy, Security | No Comments
Wednesday, May 7th, 2008
In PHP there exist two functions to escape shell commands or arguments to shell commands that are used in PHP applications to protect against shell command injection vulnerabilities.
- escapeshellcmd()
- escapeshellarg()
Unfortunately it was discovered that both functions fail to protect against shell command injection when the shell uses a locale with ...
Posted in Coding, PHP, Security | No Comments
Wednesday, May 7th, 2008
Since version 4.2.0 PHP automatically seeds the random number generators on the first usage of rand() and mt_rand(). This is done with the help of the GENERATE_SEED() macro.
Unfortunately it was discovered that the GENERATE_SEED() macro contains several problems that can lead to a weaker seed than expected. In the worst ...
Posted in Coding, PHP, Security | No Comments
Monday, May 5th, 2008
Nowadays, who understands Di-Di-Di-Da-Da-Da-Di-Di-Dit (S.O.S., Save Our Souls)? Few people do, but your web browser just might. In his blog, security expert Nathan McFeters has reported the discovery of a cross-site scripting (XSS) vulnerability on an Italian website that allows attackers to inject malicious JavaScript encoded in Morse code in ...
Posted in Coding, Internet, Privacy, Security | No Comments
Friday, May 2nd, 2008
The developers of the PHP scripting language have issued Version 5.2.6, which fixes numerous bugs and plugs some security holes. The changes are comprehensive, including bug fixes to modules that link to third-party products. PHP 5.2.6 also rectifies several flaws that could have caused a crash.
The developers have eliminated errors ...
Posted in Coding, Internet, PHP, Security | No Comments
Wednesday, April 30th, 2008
If you allow user-contributed content on your site, you run into the problem of dealing with user-supplied HTML in a safe manner. The most secure way of dealing with things, of course, is to strip or escape all HTML from user input fields. Unfortunately, there are many situations where ...
Posted in Coding, Internet, Security | No Comments
Monday, April 28th, 2008
Two vulnerabilities have been reported in WordPress, which can be exploited by malicious people to conduct cross-site scripting attacks, bypass certain security restrictions, and to compromise a vulnerable system.
1) A vulnerability is caused by improper access restriction of the administration section. This can be exploited to bypass the authentication ...
Posted in Coding, Internet, Security, Software | No Comments