Re: RE: [Full-disclosure] XSS in Oracle default fcgi-bin/echo

2010-10-19 Thread paul . szabo
Dear An, Referrer: scriptalert(1)/script Yes, but... seems not all echo's get a Referer passed to them. Cheers, Paul Paul Szabo p...@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/ School of Mathematics and Statistics University of Sydney Australia

Security-Assessment.com Advisory: Oracle JRE - java.net.URLConnection class - Same-of-Origin (SOP) Policy Bypass

2010-10-19 Thread Roberto Suggi Liverani

H2HC Cancun - Registrations are open

2010-10-19 Thread Rodrigo Rubira Branco (BSDaemon)
Dear Lists, I'm happy (and proud) to announce that the registrations for H2HC Cancun are finally available online. This is the first year of the conference in Cancun/Mexico (on 3rd of December) and the 7th year of the Conference in São Paulo/Brazil (on 27-28 of November). We are growing fast

Re: [Full-disclosure] XSS in Oracle default fcgi-bin/echo

2010-10-19 Thread paul . szabo
Dear Riyaz, The mere mention of fcgi-bin/echo in your first mail is enough for anybody to derive the PoC. Here's what I found in under a minute: */fcgi-bin/echo/scriptaler('xss')/script* Sorry, that is a different issue: the one you mention was patched by Oracle a long time ago. (All the

[USN-1005-1] poppler vulnerabilities

2010-10-19 Thread Marc Deslauriers
=== Ubuntu Security Notice USN-1005-1 October 19, 2010 poppler vulnerabilities CVE-2010-3702, CVE-2010-3703, CVE-2010-3704 === A security issue affects the following Ubuntu

[USN-1006-1] WebKit vulnerabilities

2010-10-19 Thread Marc Deslauriers
=== Ubuntu Security Notice USN-1006-1 October 19, 2010 webkit vulnerabilities https://launchpad.net/bugs/660075 === A security issue affects the following Ubuntu releases:

The GNU C library dynamic linker expands $ORIGIN in setuid library search path

2010-10-19 Thread Tavis Ormandy
The GNU C library dynamic linker expands $ORIGIN in setuid library search path -- Gruezi, This is CVE-2010-3847. The dynamic linker (or dynamic loader) is responsible for the runtime linking of dynamically linked

Re: Insecure SMS authorization scheme at LiqPAY micro-payments of PrivatBank (Ukraine)

2010-10-19 Thread MustLive
Hello Andriy and Bugtraq! It's an interesting issue in LiqPAY, which was quickly fixed by Privat Bank after your disclosure. Even if they refused to fix it (as not an issue in their opinion) on 22 March 2010, when you officially informed them, already on 27 March 2010 they fixed it, by adding site's

VSR Advisories: Linux RDS Protocol Local Privilege Escalation

2010-10-19 Thread VSR Advisories
Date: 2010-10-19 Application: Linux Kernel Versions: 2.6.30 - 2.6.36-rc8 Severity: High Author: Dan Rosenberg drosenberg (at) vsecurity (dot) com Vendor Status: Patch Released [3] CVE Candidate: CVE-2010-3904 Reference: http://www.vsecurity.com/resources/advisory/20101019-1