Re: [Full-disclosure] Facebook allows disclosure of friends list.

2013-08-07 Thread Bhavesh Naik
Answer to your queries: Yes you are correct works on account which has been accessed once from that IP. If you are using multiple PCs, then it works on any of those machines. You need to click No longer have access to this (3rd image). Apologies for that. Works like a charm in cyber

[Full-disclosure] Defense in depth -- the Microsoft way (part 6): beginner's errors, QA sound asleep or out of sight!

2013-08-07 Thread Stefan Kanthak
Hi, the installation of Microsoft's much acclaimed security tool EMET 3.0 (see http://www.microsoft.com/emet and http://support.microsoft.com/kb/2458544) creates the following VULNERABLE registry entry that runs a rogue program C:\PROGRA.EXE (as well as C:\Program Files.exe on x64) in the security

[Full-disclosure] Attacking Google Accounts with 'weblogin:' Tokens

2013-08-07 Thread Craig Young
For those who missed it, I would like to spread awareness about how conveniences built into the Google eco-system can allow an application, a physical user, or a forensics expert to access almost everything in your Google account. [LINKS] A nice summary from Lucian Constantine:

[Full-disclosure] [ MDVSA-2013:210 ] firefox

2013-08-07 Thread security
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ___ Mandriva Linux Security Advisory MDVSA-2013:210 http://www.mandriva.com/en/support/security/

Re: [Full-disclosure] Facebook allows disclosure of friends list.

2013-08-07 Thread Alex
It does not work for all accounts. For example FB will ask me for the security question, all I can do is enter it or abort the recovery process (no option to skip it). On 2013-08-06 20:12, Bhavesh Naik wrote: Answer to your queries: Yes you are correct works on account which has been

Re: [Full-disclosure] [ MDVSA-2013:210 ] firefox

2013-08-07 Thread Georgi Guninski
On Wed, Aug 07, 2013 at 12:36:01PM +0200, secur...@mandriva.com wrote: Security researcher Georgi Guninski reported an issue with Java. Just to clarify: I haven't reported _any_ issues to mozilla in years... They are not fast in fixing bugs, especially when involving other vendors. If I

[Full-disclosure] [SECURITY] [DSA 2735-1] iceweasel security update

2013-08-07 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2735-1 secur...@debian.org http://www.debian.org/security/ Moritz Muehlenhoff August 07, 2013

[Full-disclosure] Apache suEXEC privilege elevation / information disclosure

2013-08-07 Thread king cope
Apache suEXEC privilege elevation / information disclosure Discovered by Kingcope/Aug 2013 The suEXEC feature provides Apache users the ability to run CGI and SSI programs under user IDs different from the user ID of the calling web server. Normally, when a CGI or SSI program executes, it runs

[Full-disclosure] Cisco Security Advisory: Cisco TelePresence System Default Credentials Vulnerability

2013-08-07 Thread Cisco Systems Product Security Incident Response Team
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Cisco Security Advisory: Cisco TelePresence System Default Credentials Vulnerability Advisory ID: cisco-sa-20130807-tp Revision 1.0 For Public Release 2013 August 7 16:00 UTC (GMT

Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure

2013-08-07 Thread king cope
hi... I posted the advisory to make administrators aware that it will be still possible to read files with the apache uid even when suEXEC is in place. suEXEC is installed on many hosting providers. I read the cpanel site describing the patches [1], though standard apache httpd does not have these

[Full-disclosure] Updated [CVE-2013-2136] Apache CloudStack Cross-site scripting (XSS) vulnerability

2013-08-07 Thread Chip Childers
Issued: August 6, 2013 Updated: August 7, 2013 Product: Apache CloudStack Vendor: The Apache Software Foundation Vulnerability Type(s): Cross-site scripting (XSS) Vulnerable version(s): Apache CloudStack versions 4.0.0-incubating, 4.0.1-incubating, 4.0.2 and 4.1.0 CVE

[Full-disclosure] [Security-news] SA-CONTRIB-2013-062 - RESTful Web Services (RESTWS) - Access Bypass

2013-08-07 Thread security-news
View online: https://drupal.org/node/2059603 * Advisory ID: DRUPAL-SA-CONTRIB-2013-062 * Project: RESTful Web Services [1] (third-party module) * Version: 7.x * Date: 2013-August-07 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Access bypass

[Full-disclosure] [Security-news] SA-CONTRIB-2013-064 - Persona - Cross site request forgery (CSRF)

2013-08-07 Thread security-news
View online: https://drupal.org/node/2059599 * Advisory ID: DRUPAL-SA-CONTRIB-2013-064 * Project: Mozilla Persona [1] (third-party module) * Version: 7.x * Date: 2013-August-07 * Security risk: Less critical [2] * Exploitable from: Remote * Vulnerability: Cross Site Request Forgery

[Full-disclosure] [Security-news] SA-CONTRIB-2013-063 - Authenticated User Page Caching (Authcache) - Information Disclosure

2013-08-07 Thread security-news
View online: https://drupal.org/node/2059589 * Advisory ID: DRUPAL-SA-CONTRIB-2013-063 * Project: Authenticated User Page Caching (Authcache) [1] (third-party module) * Version: 7.x * Date: 2013-August-07 * Security risk: Moderately critical [2] * Exploitable from: Remote *

[Full-disclosure] [Security-news] SA-CONTRIB-2013-065 - Organic Groups - Access Bypass

2013-08-07 Thread security-news
View online: https://drupal.org/node/2059765 * Advisory ID: DRUPAL-SA-CONTRIB-2013-065 * Project: Organic groups [1] (third-party module) * Version: 7.x * Date: 2013-August-07 * Security risk: Critical [2] * Exploitable from: Remote * Vulnerability: Access bypass, Multiple

Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure

2013-08-07 Thread andfarm
On 2013-08-07, at 09:08, king cope isowarez.isowarez.isowa...@googlemail.com wrote: SymLinksIfOwnerMatch will not help in this attack scenario because the .htaccess file overwrites this Options directive. AllowOverride can be used to prevent this as well by specifying a set of values for

[Full-disclosure] [Security-news] SA-CONTRIB-2013-066 - Monster Menus - Multiple Vulnerabilities

2013-08-07 Thread security-news
View online: https://drupal.org/node/2059823 * Advisory ID: DRUPAL-SA-CONTRIB-2013-066 * Project: Monster Menus [1] (third-party module) * Version: 6.x, 7.x * Date: 2013-August-07 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Access bypass