[Full-disclosure] XSS and AoF vulnerabilities in Drupal

2011-06-24 Thread MustLive
Hello list! I want to warn you about Cross-Site Scripting and Abuse of Functionality vulnerabilities in Drupal. - Affected products: - Vulnerable are Drupal 6.22 and previous versions. Taking into account that the developers didn't fix these holes, t

Re: [Full-disclosure] FYI: Apache httpd NoFollowSymLink follows symlinks feature

2011-06-24 Thread Ferenc Kovacs
> The FAQ says: "You can usually avoid problems by either finding the Options directive that already applies to a specific directory and changing it, or by putting your Options directive inside the most specific possible section." The option is in the most specific directory section

Re: [Full-disclosure] Apple Updates SA-2011-06-23-1 and Security Update 2011-004

2011-06-24 Thread Jeffrey Walton
On Friday, June 24, 2011, Joel Esler wrote: > On Jun 23, 2011, at 8:29 PM, Jeffrey Walton wrote: > >> It appears the latest Apple Updates available through Software Updates >> are bricking Wintels: https://discussions.apple.com/message/15474962. >> >> Pick your poison: run with a vulnerable machin

Re: [Full-disclosure] FYI: Apache httpd NoFollowSymLink follows symlinks feature

2011-06-24 Thread halfdog
Ferenc Kovacs wrote: > On Fri, Jun 24, 2011 at 5:24 PM, Christian > Sciberras wrote: >> I think you meant "apache follows symlinks even when >> -FollowSymLinks is not set". Otherwise it doesn't seem to make >> sense? > > -FollowSymLinks turns off the

Re: [Full-disclosure] ASHX, ASMX or What?

2011-06-24 Thread Thor (Hammer of God)
It all depends on how the files are being validated, but I would guess for IIS6,7 the use of a RegularExpressionValidator would be run against the upload control with whatever ValidationExpression would be in place given how easy it is to implement. That would ensure the filetype extension was

Re: [Full-disclosure] ASHX, ASMX or What?

2011-06-24 Thread Nahuel Grisolia
Chris, On 06/24/2011 01:37 PM, Christian Sciberras wrote: > You shouldn't filter against known files, but do the reverse, you should > filter against known good files. > > Oh and the medium you decide to throw this data should have special checks > against execution etc... > Yeap! I know that,

Re: [Full-disclosure] ASHX, ASMX or What?

2011-06-24 Thread Christian Sciberras
You shouldn't filter against known files, but do the reverse, you should filter against known good files. Oh and the medium you decide to throw this data should have special checks against execution etc... On Fri, Jun 24, 2011 at 6:16 PM, Nahuel Grisolia wrote: > List, > > Imagine that you're

Re: [Full-disclosure] FYI: Apache httpd NoFollowSymLink follows symlinks feature

2011-06-24 Thread Christian Sciberras
Ah, I see. For a moment I confused -FollowSymLinks with a shell parameter. My bad, Chris. On Fri, Jun 24, 2011 at 6:15 PM, Ferenc Kovacs wrote: > On Fri, Jun 24, 2011 at 5:24 PM, Christian Sciberras > wrote: > > I think you meant "apache follows symlinks even when -FollowSymLinks is > not

Re: [Full-disclosure] FYI: Apache httpd NoFollowSymLink follows symlinks feature

2011-06-24 Thread Ferenc Kovacs
On Fri, Jun 24, 2011 at 5:24 PM, Christian Sciberras wrote: > I think you meant "apache follows symlinks even when -FollowSymLinks is not > set". > Otherwise it doesn't seem to make sense? -FollowSymLinks turns off the FollowSymLinks option without resetting the other Options. http://wiki.apache.

[Full-disclosure] ASHX, ASMX or What?

2011-06-24 Thread Nahuel Grisolia
List, Imagine that you're in front of an insecure file upload in the context of an IIS6,7 (no ;.jpg :P) and the regex filtering the file is like: [anything].asp[anything] (yeah, my.aspirator.jpg is filtered hehe) No .aspx, no .asp and no .aspx;jpg even if the server is vulnerable... So.
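Upload-name filtering for the case raised in this thread, as an added example (not code from the thread, from IIS or from ASP.NET). It contrasts the blacklist regex quoted in the question, which rejects any name containing ".asp", with the "filter against known good files" approach from Christian's reply: an allowlist of extensions plus a server-chosen storage name. The allowed extension set, the sample names and the storage scheme are assumptions for the example.

```python
"""Blacklist vs. allowlist checks on uploaded file names (added example)."""
import re
import secrets

# The filter described in the question: [anything].asp[anything].
BLACKLIST = re.compile(r".*\.asp.*", re.IGNORECASE)

# Extensions the application actually needs (assumed for the example).
ALLOWED_EXT = {"jpg", "jpeg", "png", "gif"}


def blacklist_ok(filename):
    """True when the thread's blacklist regex lets the name through."""
    return BLACKLIST.match(filename) is None


def allowlist_ok(filename):
    """True only for <base>.<ext> with a safe base, exactly one dot and an
    allowed extension.  Client-supplied directory parts are dropped first."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    m = re.fullmatch(r"([A-Za-z0-9_-]{1,64})\.([A-Za-z0-9]{1,5})", name)
    return m is not None and m.group(2).lower() in ALLOWED_EXT


def classify(filenames):
    """Map each name to (passes blacklist, passes allowlist)."""
    return {n: (blacklist_ok(n), allowlist_ok(n)) for n in filenames}


def storage_name(filename):
    """Server-chosen name for an accepted upload: random base, verified
    extension only, so nothing the client typed reaches the filesystem.
    Returns None when the allowlist rejects the name."""
    if not allowlist_ok(filename):
        return None
    ext = filename.rsplit(".", 1)[-1].lower()
    return f"{secrets.token_hex(16)}.{ext}"


# Constructed sample names, including the two extensions the question asks about.
SAMPLES = ["photo.jpg", "shell.aspx", "my.aspirator.jpg",
           "handler.ashx", "service.asmx", "..\\web.config"]

if __name__ == "__main__":
    for name, (bl, al) in classify(SAMPLES).items():
        print(f"{name:18} blacklist={'pass' if bl else 'drop'} "
              f"allowlist={'pass' if al else 'drop'}")
```

Run as-is, the blacklist drops `shell.aspx` and `my.aspirator.jpg` but passes `handler.ashx`, `service.asmx` and `..\web.config`; the allowlist passes only `photo.jpg`. Two practitioner caveats: the accepted file still belongs outside the web root or in a directory with no handler mappings and no execute permission, because the check is on the name, not the content; and an ASP.NET validator such as RegularExpressionValidator only enforces anything server-side if the handler checks Page.IsValid before using the upload.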

Re: [Full-disclosure] [funsec] Apple Updates SA-2011-06-23-1 and Security Update 2011-004

2011-06-24 Thread Joel Esler
On Jun 23, 2011, at 8:29 PM, Jeffrey Walton wrote: > It appears the latest Apple Updates available through Software Updates > are bricking Wintels: https://discussions.apple.com/message/15474962. > > Pick your poison: run with a vulnerable machine, or don't run at all! No. Say it isn't so! Sof

Re: [Full-disclosure] FYI: Apache httpd NoFollowSymLink follows symlinks feature

2011-06-24 Thread halfdog
Christian Sciberras wrote: > I think you meant "apache follows symlinks even when -FollowSymLinks > is *not* set". Otherwise it doesn't seem to make sense? No. Unless I made a mistake while testing AND misunderstood the documentation, even with -Foll

Re: [Full-disclosure] FYI: Apache httpd NoFollowSymLink follows symlinks feature

2011-06-24 Thread Christian Sciberras
I think you meant "apache follows symlinks even when -FollowSymLinks is *not* set". Otherwise it doesn't seem to make sense? Cheers, Chris. On Fri, Jun 24, 2011 at 5:14 PM, halfdog wrote: > For those who did not already know: > > Due to spe

[Full-disclosure] FYI: Apache httpd NoFollowSymLink follows symlinks feature

2011-06-24 Thread halfdog
For those who did not already know: Due to specification, apache follows symlinks even when -FollowSymLinks is set, when the data is modified concurrently. This can be trivially shown as demonstrated in http://www.halfdog.net/Security/2011/ApacheNoFo
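The race behind halfdog's observation, as an added example that is not code from the thread or from httpd. The server pattern it models is assumed: check the path with lstat(), reject symlinks, then open the file by name. An attacker who can write to the directory replaces the regular file with a symlink inside that window, and the later open() follows it regardless of how the check was configured. The `swap` hook, the temporary directory and the file contents are constructed for the demonstration; the hardened variant uses O_NOFOLLOW and fstat() on the descriptor.

```python
"""Check-then-open symlink race and an O_NOFOLLOW counterpart (added example)."""
import os
import stat
import tempfile


def open_check_then_open(path, swap=None):
    """Vulnerable pattern.  `swap` is a constructed hook standing in for the
    attacker acting between the check and the open."""
    if os.path.islink(path):            # lstat()-based check passes on a regular file
        raise PermissionError("symlink rejected by check")
    if swap is not None:
        swap()                          # attacker wins the race here
    with open(path, "rb") as f:         # open() by name follows the new link
        return f.read()


def open_nofollow(path, swap=None):
    """Safer pattern: O_NOFOLLOW makes the kernel refuse a symlink at the
    final component atomically with the open; fstat() then inspects the
    object behind the descriptor, which the attacker can no longer swap."""
    if swap is not None:
        swap()                          # attacker moves first and still loses
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)   # OSError(ELOOP) on a link
    with os.fdopen(fd, "rb") as f:
        if not stat.S_ISREG(os.fstat(f.fileno()).st_mode):
            raise PermissionError("not a regular file")
        return f.read()


def simulate(server_open):
    """Constructed scenario: page.html is a regular file in the served tree,
    secret.txt is a file the server must not expose.  Returns
    'served public', 'served secret' or 'refused'."""
    with tempfile.TemporaryDirectory() as root:
        public = os.path.join(root, "page.html")
        secret = os.path.join(root, "secret.txt")
        with open(public, "w") as f:
            f.write("public")
        with open(secret, "w") as f:
            f.write("secret")

        def attacker_swap():
            os.unlink(public)
            os.symlink(secret, public)

        try:
            data = server_open(public, swap=attacker_swap)
        except OSError:                 # PermissionError and ELOOP both land here
            return "refused"
        return "served " + data.decode()


if __name__ == "__main__":
    print("lstat then open:", simulate(open_check_then_open))   # served secret
    print("O_NOFOLLOW     :", simulate(open_nofollow))           # refused
```

O_NOFOLLOW only covers the final path component; a parent directory that is itself a symlink is still traversed, so a full fix walks the path with openat() and O_NOFOLLOW per component, or keeps the served tree free of directories that untrusted users can write to. That is the practical reading of the post: once others can modify the document tree concurrently, no Options setting alone closes the window between the check and the open.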

[Full-disclosure] New DoS, CSRF and XSS vulnerabilities in ADSL modem Callisto 821+

2011-06-24 Thread MustLive
Hello list! I want to warn you about new security vulnerabilities in the ADSL modem Callisto 821+ (SI2000 Callisto821+ Router). These are Denial of Service, Cross-Site Request Forgery and Cross-Site Scripting vulnerabilities. In April I already drew the attention of Ukrtelecom's representative (and th

Re: [Full-disclosure] [New Security Tool] INSECT Pro 2.6.1 release

2011-06-24 Thread Mario Vilas
Probably in fear that said attribution would kill the notion that they actually wrote the software they're trying to sell. IMHO, none of this ranting would happen if the "tool" had been free to begin with. It's a long lost cause now. On Thu, Jun 23, 2011 at 8:23 PM, root wrote: > Skipfish is Apa

[Full-disclosure] Lulzsec leaked accounts -- change your password if affected

2011-06-24 Thread Addy Yeow
On June 16, 2011, LulzSec released over 62,000 accounts containing emails and passwords in cleartext obtained from random sources. LulzSec announced the release in a Twitter post at https://twitter.com/#!/LulzSec/status/81327464156119040. The table below is the list of these accounts. Passwords ha

[Full-disclosure] lulz love

2011-06-24 Thread RandallM
What's with lulz and all of them loving to make comments to this list... Are you all not doing disclosure on us here... Come on.. who knows what here? -- been great, thanks RandyM a.k.a System ___ Full-Disclosure - We believe in it. Charter: http:/