We call it Misfortune Cookie over the affected vulnerable HTTP cookie
parsing module, but MITRE insists on CVE-2014-9222
To be honest I'm getting rather annoyed by how Check Point is (mis)handling
this vulnerability. I mean, there is already a cool marketing name, there
is a website dedicated
Already disclosed
http://www.exploit-db.com/exploits/35040/
# Exploit Title: iBackup = 10.0.0.32 Local Privilege Escalation
# Date: 23/01/2014
# Author: Glafkos Charalambous glafkos.charalambous[at]unithreat.com
# Version: 10.0.0.32
# Vendor: IBackup
# Vendor URL: https://www.ibackup.com/
#
=[Alligator Security Team - Security Advisory]
- Graylog2-Web LDAP Injection - CVE-2014-9217
- Author: José Tozo juniorbsd () gmail com
=[Table of Contents]==
1. Background
2. Detailed description
3. Other contexts solutions
4. Timeline
5.
Vantage Point Security Advisory 2014-004
Title: SysAid Server Arbitrary File Disclosure
ID: VP-2014-004
Vendor: SysAid
Affected Product: SysAid On-Premise
Affected Versions: 14.4.2
Product Website: http://www.sysaid.com/product/sysaid
Author: Bernhard
Hello participants of Mailing List.
After the article about me and Ukrainian Cyber Forces on Global Voices
(http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2014-December/009065.html),
here is the article on BBC. I gave interviews to both of these journalists.
Ukraine
The most technical it seems to get is the following:
quote
The Misfortune Cookie vulnerability is exploitable due to an error within
the HTTP cookie management mechanism present in the affected software,
allowing an attacker to determine the ‘fortune’ of a request by
manipulating cookies.
Hi Sandro,
As I commented before, we are bound by policy that is out of my personal reach
at the moment.
I can tell you, however, that when any independent researcher looks into the
HTTP cookie parsing function in the RomPager 4.07 binary, his bounds will not
be checked.
Cheers,
Shahar
From:
Hi @ll,
in their software development kits Microsoft typically ships
Visual C++ (cross) compilers with headers and libraries,
including the MSVCRT for both static and dynamic linking.
The compiler(s) and the libraries are almost never updated (the
only update I know is
Fuzzing bmp2tiff, using the afl-fuzzer, revealed an integer overflow issue
related to the dimensions of the input BMP image.
It's probably worth noting that although the bundled utilities are
pretty buggy, there are also several bugs affecting the libtiff
library itself that can be hit with afl
Hello list!
There are Information Leakage and Insufficient Authorization vulnerabilities
in SyncThru Web Service. This is a web application for Samsung printers;
in particular, I found it with the Samsung ML-1865W and other printers. Earlier I
informed Samsung about it.