[Full-disclosure] [SE-2012-01] Security vulnerabilities in Java SE (details released)

2012-11-19 Thread Security Explorations
Hello All, On 14 Nov 2012, Security Explorations delivered a talk at Devoxx Java Community Conference in Antwerp where we disclosed details pertaining to our research project verifying security of Java SE platform (project SE-2012-01). Presentation slides for this talk along with our more

[Full-disclosure] Skype Account Service - Session Token Bypass Vulnerability

2012-11-19 Thread Vulnerability Lab
Title: Skype Account Service - Session Token Bypass Vulnerability Date: 2012-11-15 References: http://www.vulnerability-lab.com/get_content.php?id=762 http://www.vulnerability-lab.com/get_content.php?id=739 MSRC ID: 13175 VL-ID: 739 Common Vulnerability

[Full-disclosure] Skype Account Service - Reset (Session) Password/Username Vulnerability

2012-11-19 Thread Vulnerability Lab
Title: Skype Account Service - Reset (Session) Vulnerability Date: 2012-11-16 References: http://www.vulnerability-lab.com/get_content.php?id=720 MSRC ID: 13050[bc] News:

[Full-disclosure] Akeni LAN v1.2.118 - Filter Bypass Vulnerability (Local)

2012-11-19 Thread Vulnerability Lab
Title: Akeni LAN v1.2.118 - Filter Bypass Vulnerability Date: 2012-11-14 References: http://www.vulnerability-lab.com/get_content.php?id=761 VL-ID: 761 Common Vulnerability Scoring System: 3.3 Introduction:

[Full-disclosure] [SECURITY] [DSA 2575-1] tiff security update

2012-11-19 Thread Nico Golde
Debian Security Advisory DSA-2575-1 secur...@debian.org http://www.debian.org/security/ Nico Golde November 18, 2012

[Full-disclosure] bash path normalization bug

2012-11-19 Thread Andris Berzins
$ bash --version GNU bash, version 4.2.8(1)-release (x86_64-pc-linux-gnu) $ bash --version GNU bash, version 4.0.28(1)-release (i386-pc-solaris2.8) Bash fails to normalize path starting with "//" and will consider "/" and "//" to be different paths: $ cd /tmp pwd /tmp $ cd //tmp

[Full-disclosure] Open-Realty CMS 2.5.8 (2.x.x) = Cross Site Request Forgery (CSRF) Vulnerability

2012-11-19 Thread YGN Ethical Hacker Group
1. OVERVIEW Open-Realty 2.5.8 and lower versions are vulnerable to Cross Site Request Forgery. 2. BACKGROUND Open-Realty is the world's leading real estate listing marketing and management CMS application, and has enjoyed being the real estate web site software of choice for professional web

Re: [Full-disclosure] XSS, LFI and SQL Injection Vulnerabilities in Achievo

2012-11-19 Thread Vulnerability Lab
Hello /Netsparker Henri Solo, already reported. Greets *Sry / Title: Achievo v1.4.3 - Multiple Web Vulnerabilities Date: 2012-01-30 References: http://www.vulnerability-lab.com/get_content.php?id=403 http://www.cnnvd.org.cn/vulnerability/show/cv_id/2012020060 ID:

[Full-disclosure] [ MDVSA-2012:172 ] libproxy

2012-11-19 Thread security
Mandriva Linux Security Advisory MDVSA-2012:172 http://www.mandriva.com/security/

[Full-disclosure] ZDI-12-187 : RealNetworks RealPlayer RV20 Frame Size Array Remote Code Execution Vulnerability

2012-11-19 Thread ZDI Disclosures
ZDI-12-187 : RealNetworks RealPlayer RV20 Frame Size Array Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-12-187 November 19, 2012 -- CVE ID: CVE-2012-0923 -- CVSS: 7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P --

[Full-disclosure] n.runs-SA-2012.004 - SPLUNK Unauthenticated remote DoS

2012-11-19 Thread security
n.runs AG http://www.nruns.com/ security(at)nruns.com n.runs-SA-2012.004 19-Nov-2012 Vendors: Splunk Inc., http://www.splunk.com Product: Splunk 4.0 - 4.3.4 Vulnerability: Unauthenticated remote

[Full-disclosure] phpmyadmin compromised?

2012-11-19 Thread Lucio Crusca
Hello *, I've set up my browser to remember login password at my server phpmyadmin login page. It usually fills the two fields correctly, but today it showed this crap instead: http://img208.imagevenue.com/img.php?image=38933_php_myadmin_compromised_122_430lo.jpg Since I've already suffered a

Re: [Full-disclosure] phpmyadmin compromised?

2012-11-19 Thread Benji
.. coul On Mon, Nov 19, 2012 at 4:45 PM, Lucio Crusca lu...@sulweb.org wrote: Hello *, I've set up my browser to remember login password at my server phpmyadmin login page. It usually fills the two fields correctly, but today it showed this crap instead:

Re: [Full-disclosure] phpmyadmin compromised?

2012-11-19 Thread Benji
.. could you have provided any less information? why don't you look through your code instead of emailing a screenshot to a mailing list? really? On Mon, Nov 19, 2012 at 4:47 PM, Benji m...@b3nji.com wrote: .. coul On Mon, Nov 19, 2012 at 4:45 PM, Lucio Crusca lu...@sulweb.org wrote: Hello

Re: [Full-disclosure] phpmyadmin compromised?

2012-11-19 Thread Christian Sciberras
That is not a compromise. It is related to a change in encoding. Please clear your cookies and try again. (I've had this exact problem in the past, but I don't remember the details) Chris. On Mon, Nov 19, 2012 at 5:48 PM, Benji m...@b3nji.com wrote: .. could you have provided any less

Re: [Full-disclosure] bash path normalization bug

2012-11-19 Thread Seth Arnold
On Thu, Nov 15, 2012 at 10:09:56PM +0200, Andris Berzins wrote: $ bash --version GNU bash, version 4.2.8(1)-release (x86_64-pc-linux-gnu) $ bash --version GNU bash, version 4.0.28(1)-release (i386-pc-solaris2.8) Bash fails to normalize path starting with // and