Re: [FD] Beginners error: QuickTime for Windows runs rogue program C:\Program.exe when opening associated files

2014-08-12 Thread Reindl Harald
scary - maybe the list of not affected apps would be shorter :-) On 07.08.2014 at 21:11, Stefan Kanthak wrote: > Hi @ll, > > the current version of QuickTime for Windows (and of course older versions > too) associates the following erroneous and vulnerable command lines with > some of the suppor

[FD] Multiple Vulnerabilities in Disqus for Wordpress v2.7.5

2014-08-12 Thread Nik Cubrilovic
Vendor: Disqus for Wordpress - https://wordpress.org/plugins/disqus-comment-system Code repo: https://github.com/disqus/disqus-wordpress/ Version affected: up to v2.7.5 15th most popular Wordpress plugin with 1.4M+ installs. Three issues: CSRF in manage.php, no nonce check on settings reset or del

[FD] CVE-2014-5035 - Opendaylight Vulnerable to Local and Remote File Inclusion in the Netconf (TCP) Service

2014-08-12 Thread Gregory Pickett
Title === Opendaylight Vulnerable to Local and Remote File Inclusion in the Netconf (TCP) Service Summary === Opendaylight (www.opendaylight.com) is vulnerable to Local and Remote File Inclusion in the Netconf (TCP) Service via an External Entity Injection (XXE).

[FD] Beginners error: QuickTime for Windows runs rogue program C:\Program.exe when opening associated files

2014-08-12 Thread Stefan Kanthak
Hi @ll, the current version of QuickTime for Windows (and of course older versions too) associates the following erroneous and vulnerable command lines with some of the supported file types/extensions: QuickTime.3g2=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1" QuickTime.3gp=C:\Program File

[FD] “Steganos Online Shield VPN” leaks the user’s hostname in the HTTP “Via” header

2014-08-12 Thread Stefan Paletta
Hi! “Steganos Online Shield VPN” claims to enhance the user’s privacy online by, among other measures, (a) blocking advertisements in web pages, (b) blocking tracking code in web pages, and (c) replacing the browser’s “Us

[FD] CS-Cart v4.2.0 Session Hijack and Other Vulnerabilities

2014-08-12 Thread Nik Cubrilovic
Vendor: CS-Cart Homepage: https://www.cs-cart.com Fixed in: v4.2.1 Released: July 22nd 2014 CS-Cart is 127MB of shitty PHP and HTML code that is supposed to function as a secure e-commerce site. It is developed by people who don't reply to emails but who covertly patch bugs reported to them and th

[FD] Perverting Embedded Devices - ZKSoftware Fingerprint Reader (Part I)

2014-08-12 Thread Francisco Amato
Hi list, I would like to share the following blog post about ZKSoftware Fingerprint Reader vulnerabilities: http://blog.infobytesec.com/2014/07/perverting-embedded-devices-zksoftware_2920.html Best -- FRANCIS