CVE-2010-3700 - Spring Security - Bypassing of security constraints
Severity:
Important
Vendor:
SpringSource, a division of VMware
Versions affected:
Spring Security 3.0.0 to 3.0.3
Spring Security 2.0.0 t0 2.0.5
Acegi Security 1.0.0 to 1.0.7
Description:
Spring Security does not consider
Good news everyone!
nSense is releasing a tool which instruments executables during
runtime in order to extract code coverage data. This is done through
runtracing using runtime instrumentation.
Why?
Analyzing code coverage of large or self modifying executables with
various input files is a
nSense Vulnerability Research Security Advisory NSENSE-2010-002
---
t2'10 infosec conference special release
http://www.t2.fi
20101028 - Justanotherhacker.com : Multiple vulnerabilities in Feindura CMS
JAHx104 - http://www.justanotherhacker.com/advisories/JAHx104.txt
Hi there,
For those who still do not know .. The proof of concept for CVE-2010-3765 is
the following:
http://extraexploit.blogspot.com/2010/10/cve-2010-3765-proof-of-concept.html
Regards.
--
http://extraexploit.blogspot.com
___
Full-Disclosure - We
Haven't seen any post on full disclosure about this yet, so thought
I'd post it up for those that don't already know about it!
http://www.exploit-db.com/exploits/15296/
- exp details
http://vimeo.com/16060620
- poc example video
Haven't had time to try this out myself, but it looks like
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
___
Mandriva Linux Security Advisory MDVSA-2010:213
http://www.mandriva.com/security/
===
Ubuntu Security Notice USN-1011-2 October 28, 2010
thunderbird vulnerability
CVE-2010-3765
===
A security issue affects the following Ubuntu releases:
Ubuntu 8.04 LTS
Sorry to rant, but I have seen this term used once too many times to
sit idly by. And used today by what I once thought was a respectable
infosec publication (that will remain nameless) while referring to the
current Firefox vulnerability (that did, by the way, once have a 0-day
sploit) Also, by
The term 0-day vulnerability usually refers to a currently unpatched security
issue in some specific product. The availability of an exploit, public or not,
is optional in this case. That's why both terms have the right to exist.
On Thu, Oct 28, 2010 at 17:18, Curt Purdy infosy...@gmail.com
Yep. Totally agree. Vulnerability exists in the system since it has been
developed. It is just the matter when it has been disclosed or being exploited.
I would suggest 0 day disclosure instead of 0 day vulnerability :)
--Original Message--
From: Curt Purdy
Sender:
OK, good points.
And since my mac dictionary widget doesn't have the term yet, I vote
for 0day dis It has a nice ring to it ;)
Curt
On Thu, Oct 28, 2010 at 12:24 PM, w0lfd...@gmail.com wrote:
Yep. Totally agree. Vulnerability exists in the system since it has been
developed. It is just the
None of this really matters. People will call it whatever they want to.
Generally, all software has some sort of vulnerability. If they want to call
the process of that vulnerability being communicated for the first time 0 day
vulnerability then so what.
The industry can't (and won't)
Even my dictionary doesn't have it but if it suits the most, we have include it
;)
--Original Message--
From: Curt Purdy
To: w0lfd...@gmail.com
Cc: full-disclosure-boun...@lists.grok.org.uk
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] 0-day vulnerability
Sent: Oct
Right as usual t-man, but while we are doing FWs job for them,
Remote code execution is: any program you can run on a machine you
can't touch (for further explanation, man touch).
Curt
On Thu, Oct 28, 2010 at 12:35 PM, Thor (Hammer of God)
t...@hammerofgod.com wrote:
None of this really
Yup. We arguing here on fine tuning industry accepted terms would hardly make
any difference. But here we are just trying to argue what should had been
the terminology.
You can say that just cutting out time when there is really no work ;) :P
Regards;
w0lf
-- sent from BlackBerry --
I would further define it as code that can be run on a machine remotely
without any human interaction. What I think would be ultimately effective is
if researches and those who make disclosure announcements quit trying to make
their discoveries or processes cool and just stick to the facts.
Along the same lines, from DHS to Symantec, the threat level is always
Elevated. So yellow is now the new green. I think ISS (IBM now) is
one of the few that leave their alert level at 1 until there is
really a 2-4 situation to deal with. I don't need more stress in my
day than the crackers
===
Ubuntu Security Notice USN-1010-1 October 28, 2010
openjdk-6, openjdk-6b18 vulnerabilities
CVE-2009-3555, CVE-2010-3541, CVE-2010-3548, CVE-2010-3549,
CVE-2010-3551, CVE-2010-3553, CVE-2010-3554, CVE-2010-3557,
CVE-2010-3561,
Well, you know how it is, we all love calling bugs information
security vulnerability exploits (pick any combo).
It just there's a new one in the club, 0day. They're as much realistic
as flying elephants can get.
The good thing is, their use (in mail subjects) is often an indication
of (a lack
For once and for all: There is no such thing as a zero-day
vulnerability (quoted), only a 0-day exploit...
Cool story, bro.
Any thoughts on the use of the term hacker?
/mz
___
Full-Disclosure - We believe in it.
Charter:
Adobe Shockwave Director pamm Chunk Memory Corruption
TSL ID: FSC20101028-02
1. Affected Software
Adobe Shockwave Player, version 11.5.8.612 and prior
Reference: http://www.adobe.com/products/shockwaveplayer/
2. Vulnerability Summary
A memory corruption vulnerability exists in Adobe
I lol'd at this thread.
On Thu, Oct 28, 2010 at 11:02 PM, Michal Zalewski lcam...@coredump.cxwrote:
For once and for all: There is no such thing as a zero-day
vulnerability (quoted), only a 0-day exploit...
Cool story, bro.
Any thoughts on the use of the term hacker?
/mz
Great way to split hairs. Fumbling between metaphors, you're better off
contacting Merriam-Webster.
--- On Thu, 10/28/10, Michal Zalewski lcam...@coredump.cx wrote:
From: Michal Zalewski lcam...@coredump.cx
Subject: Re: [Full-disclosure] 0-day vulnerability
To: Curt Purdy infosy...@gmail.com
zero day can happen to anyone.
--
ciao
JT
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
0-day is a scene word. Connotations are inferred, you're more precise
definition is pretty much what people already assume.
Desensitization to security is a serious issue also. Look at homeland
security's warning level system. Look at the news of deaths in Iraq and
Afghanistan. It's boring as
Are you threatening the internet?
--- On Fri, 10/29/10, Jubei Trippataka vpn.1.fana...@gmail.com wrote:
From: Jubei Trippataka vpn.1.fana...@gmail.com
Subject: Re: [Full-disclosure] 0-day vulnerability
To: Curt Purdy infosy...@gmail.com
Cc: full-disclosure@lists.grok.org.uk
Date: Friday, October
clearly sir, you are uneducated.
http://www.youtube.com/watch?v=L74o9RQbkUA
On Fri, Oct 29, 2010 at 2:18 AM, Josey Yelsef hg_expo...@yahoo.com wrote:
Are you threatening the internet?
--- On *Fri, 10/29/10, Jubei Trippataka vpn.1.fana...@gmail.com* wrote:
From: Jubei Trippataka
I first noticed this business years ago when I set up a website for a friend's
forum. He was extremely appealed by the deal. After hosting with them for a
very short time he parted ways. At first I thought they were just another
lowly shared host. Recently, I checked back to see how this web
Yeah, just for the record, this thread is now hitting google spam filters :S
On Fri, Oct 29, 2010 at 2:03 AM, Josey Yelsef hg_expo...@yahoo.com wrote:
0-day is a scene word. Connotations are inferred, you're more precise
definition is pretty much what people already assume.
Desensitization
===
Ubuntu Security Notice USN-1011-3 October 29, 2010
xulrunner-1.9.1, xulrunner-1.9.2 vulnerability
CVE-2010-3765
===
A security issue affects the following Ubuntu releases:
31 matches
Mail list logo