SOLDIERX.COM Nobody Can Stop Information Insemination

Posted by Michal J. on Apr 30

Product: Wowza Media Server
URL: http://www.wowza.com/
Description: WMS is a quite popular RTMP/HLS/HDS/RTSP streaming server

Issue:

In early 2009 I reported problem with processing of requests with
relative paths.

The issue surfaced again.

In a nutshell, you can escape Applications StorageDir using relative
path.

Lets say you have two applications:

* vod1 with /usr/local/WowzaMediaServer/content1/ as StorageDir
* vod2 with...

Posted by Kotas, Kevin J on Apr 30

CA20130213-01: Security Notice for CA ControlMinder

Issued: February 13, 2013
Last updated: April 29, 2013

CA Technologies support is alerting customers to a potential risk
with CA ControlMinder. A vulnerability exists that can allow a remote
attacker to execute arbitrary code. CA has issued remediation to
address the vulnerability.

The vulnerability, CVE-2010-0738, occurs due to the default JBoss
Application Server configuration not correctly...

Posted by Vulnerability Lab on Apr 29

Title:
======
PayPal Bug Bounty #45 BillSafe - Remote Auth Bypass Session Web Vulnerability

Date:
=====
2013-04-30

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=804
http://www.vulnerability-lab.com/dev/?p=665

PayPal Security UID: og1eb1mgi

PayPal Inc Bug Bounty: 5000$ (USD)

VL-ID:
=====
804

Common Vulnerability Scoring System:
====================================
8.6

Introduction:
=============
Als...

Posted by CORE Security Technologies Advisories on Apr 29

Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/

D-Link IP Cameras Multiple Vulnerabilities

1. *Advisory Information*

Title: D-Link IP Cameras Multiple Vulnerabilities
Advisory ID: CORE-2013-0303
Advisory URL:
http://www.coresecurity.com/advisories/d-link-ip-cameras-multiple-vulnerabilities
Date published: 2013-04-29
Date of last update: 2013-03-29
Vendors contacted: D-Link Corporation
Release mode: Coordinated release

2....

Posted by CORE Security Technologies Advisories on Apr 29

Core Security - Corelabs Advisory
http://corelabs.coresecurity.com

Vivotek IP Cameras Multiple Vulnerabilities

1. *Advisory Information*

Title: Vivotek IP Cameras Multiple Vulnerabilities
Advisory ID: CORE-2013-0301
Advisory URL:
http://www.coresecurity.com/advisories/vivotek-ip-cameras-multiple-vulnerabilities
Date published: 2013-04-29
Date of last update: 2013-04-29
Vendors contacted: Vivotek
Release mode: User release

2. *Vulnerability...

Posted by security on Apr 29

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2013:156
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : apache-mod_security
Date : April 29, 2013
Affected: Business Server 1.0, Enterprise Server 5.0
_______________________________________________________________________...

Posted by security on Apr 29

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2013:155
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : fuse
Date : April 29, 2013
Affected: Enterprise Server 5.0
_______________________________________________________________________

Problem Description:

A...

Posted by security on Apr 29

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2013:154
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : util-linux
Date : April 29, 2013
Affected: Business Server 1.0, Enterprise Server 5.0
_______________________________________________________________________...

Posted by MustLive on Apr 27

Hello list!

I want to warn you about Brute Force and Insufficient Authentication
vulnerabilities in IBM Lotus Domino. These are vulnerabilities in Domino,
which I've found at 03.05.2012 together with other holes.

Last year I've announced multiple vulnerabilities in IBM software and after
IBM fixed many of them, I've disclosed them. They fixed almost all
vulnerabilities (with few exceptions, like Brute Force in IBM Lotus Notes...

Posted by zhangjiantao on Apr 27

WPS Office Wpsio.dll Stack Buffer Overflow Vulnerability

1 Summary
CVE number: CVE-2012-4886
Impact: High
Vendor homepage: http://www.wps.cn
Credit: Zhangjiantao of Hangzhou DPtech Technologies
2 Affected Prodects
Affected Version: http://wdl.cache.ijinshan.com/wps/download/special/WPS2012.12012.exe
The WPS office is a free desktop office suite (compatible with Microsoft office),popular in China.

3 Vulnerability Details
In module wpsio.dll, a...

Posted by security on Apr 26

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2013:153
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : subversion
Date : April 26, 2013
Affected: Business Server 1.0
_______________________________________________________________________

Problem Description:...

Posted by security on Apr 26

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2013:152
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : subversion
Date : April 26, 2013
Affected: Enterprise Server 5.0
_______________________________________________________________________

Problem Description:...

Posted by security on Apr 26

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2013:151
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : curl
Date : April 26, 2013
Affected: Business Server 1.0, Enterprise Server 5.0
_______________________________________________________________________

Problem...

Posted by Fernando Gont on Apr 26

Folks,

We have posted part of the materials of the BRUCON 2012 edition of our
"Hacking IPv6 Networks" IPv6 security training course. The slideware
is available at:
<http://www.si6networks.com/presentations/brucon2012/fgont-brucon2012-hacking-ipv6-networks-training.pdf>.

This year we will be teaching our new training course "Hacking IPv6
Networks Version 2.0", with an increased emphasis on hands-on
exercises, based on...

Posted by Jen Savage on Apr 25

I sent this to the python security team, and they responded that there are already several public bugs like this one,
so I'm forwarding it to full disclosure.

The attack is similar to DLL Hijacking, except with python modules instead.

(p.s. Yes, I am aware of virtualenv.)

Begin forwarded message:

Posted by Bsides Charlotte on Apr 25

Security BSides Charlotte 2013 (Self Centered Security) - Call for
Presenters

We are seeking talented speakers and interesting talks to present in sunny
Charlotte, NC on Saturday June 8th, 2013 to help educate and advance the
community and industry of information security.

Vendor/sales pitches will be summarily rejected. No exceptions.

Submissions can be emailed to bsidesclt()gmail com or at
http://www.bsidesclt.org/cfp and must include:...

Posted by Janek Vind on Apr 25

[waraxe-2013-SA#103] - Multiple Vulnerabilities in phpMyAdmin
===============================================================================

Author: Janek Vind "waraxe"
Date: 25. April 2013
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-103.html

Description of vulnerable software:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

phpMyAdmin is a free software tool written in PHP, intended...

Posted by John Kinsella on Apr 25

Product: Apache CloudStack
Vendor: The Apache Software Foundation
CVE References: CVE-2013-2756, CVE-2013-2758
Vulnerability Type(s): Authentication bypass (2756), cryptography (2758)
Vulnerable version(s): Apache CloudStack version 4.0.0-incubating and 4.0.1-incubating
Risk Level: High, Medium
CVSSv2 Base Scores: 7.3 (AV:N/AC:H/Au:N/CI:P/I:C/A:C), 4.3 (AV:A/AC:H/Au:N/CI:P/I:P/A:P)

Description:
The CloudStack PMC was notified of two issues found...

Posted by MustLive on Apr 24

Hello list!

I want to inform you about multiple vulnerabilities in multiple themes for
WordPress with jPlayer. These are Cross-Site Scripting, Content Spoofing and
Full path disclosure vulnerabilities.

I've wrote about vulnerabilities in jPlayer earlier
(http://seclists.org/fulldisclosure/2013/Apr/192). jPlayer is used in
multiple web applications and particularly in multiple plugins (as I've
wrote earlier) and themes for...

Posted by Cisco Systems Product Security Incident Response Team on Apr 24

Multiple Vulnerabilities in Cisco NX-OS-Based Products

Advisory ID: cisco-sa-20130424-nxosmulti

Revision 1.0

For Public Release 2013 April 24 16:00 UTC (GMT)
+---------------------------------------------------------------------

Summary
=======

Cisco Nexus, Cisco Unified Computing Systemn (UCS), Cisco MDS 9000 Series Multilayer Switches, and Cisco 1000 Series
Connected Grid Routers (CGR) are all based on the Cisco NX-OS operating system....