[CERT-daily] Tageszusammenfassung - Dienstag 3-02-2015

Daily end-of-shift report team at cert.at
Tue Feb 3 18:05:25 CET 2015


=======================
= End-of-Shift report =
=======================

Timeframe:   Montag 02-02-2015 18:00 − Dienstag 03-02-2015 18:00
Handler:     Robert Waldner
Co-Handler:  Alexander Riepl



*** Cisco Anyconnect and Cisco HostScan Web Launch XSS Vulnerability ***
---------------------------------------------
A vulnerability in Cisco AnyConnect Secure Mobility Client and Cisco Host Scan could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against the user of the client when AnyConnect is launched through the web interface.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-8021




*** Cisco UCS C-Series Rack Servers Integrated Management Controller Cross-Frame Scripting Vulnerability ***
---------------------------------------------
A vulnerability in the web interface of the Cisco Integrated Management Controller of the Cisco Unified Computing System C-Series Rack Servers could allow an unauthenticated, remote attacker to execute a cross-frame scripting (XFS) attack.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2015-0599




*** Remember Me Safely - Secure Long-Term Authentication Strategies ***
---------------------------------------------
Lets say you have a web application with a user authentication system, wherein users must provide a username (or email address) and password to access certain resources. Lets also say that its properly designed (it uses ..
---------------------------------------------
https://resonantcore.net/blog/2015/02/remember-me-safely-secure-long-term-authentication-strategies




*** How a penetration test helps you meet PCI compliance guidelines ***
---------------------------------------------
In order to protect credit card data, sometimes businesses have to think like a hacker. Every year, merchants who transmit, process, or store payment card data must conduct a suite of security test...
---------------------------------------------
http://www.net-security.org/article.php?id=2213




*** Trotz Update: Adobe warnt vor neuer Flash Player-Lücke ***
---------------------------------------------
Nachdem vor einer Woche kritische Sicherheitslücken geschlossen wurden, muss Adobe erneut warnen
---------------------------------------------
http://derstandard.at/2000011209756




*** DSA-3151 python-django - security update ***
---------------------------------------------
Several vulnerabilities were discovered in Django, a high-level Pythonweb development framework. The Common Vulnerabilities and Exposuresproject identifies the following problems:
---------------------------------------------
https://www.debian.org/security/2015/dsa-3151




*** Creative Evasion Technique Against Website Firewalls ***
---------------------------------------------
During one of our recent in-house Capture The Flag (CTF) events, I was playing with the idea of what could be done with Non-Breaking Spaces. I really wanted to win and surely there had to be a way through the existing evasion controls. This post is going to be a bit code-heavy for most end-users,Read More
---------------------------------------------
http://blog.sucuri.net/2015/02/creative-evasion-technique-against-website-firewalls.html



*** XSS, XFS, Open Redirect Vulnerabilities Found on About.com (SecurityWeek) ***
---------------------------------------------
http://www.securityweek.com/xss-xfs-open-redirect-vulnerabilities-found-aboutcom




*** Beware of emails pushing Google Chrome updates! ***
---------------------------------------------
Google Chrome users are being actively targeted with a spam email campaign impersonating the Internet giant, urging them to download a newer version of the popular browser because theirs ..
---------------------------------------------
http://www.net-security.org/malware_news.php




*** Online-Erpresser verschlüsseln Datenbank und fordern 50.000 US-Dollar Lösegeld ***
---------------------------------------------
Sicherheitsexperten habe eine perfide Erpressungsmasche entdeckt: Die Täter manipulieren Web-Dienste so, dass sie die von den Nutzern eingegebenen Daten verschlüsselt speichern.
---------------------------------------------
http://heise.de/-2535621




*** Low VirusTotal detection rates for new malware, do they matter? ***
---------------------------------------------
It is not as important as is often suggested - and doesn't mean the malware is allowed to execute.It is fairly common these days for security researchers to write about new malware attacks and point to low anti-virus detection rates when the affected sample is uploaded to VirusTotals multi-AV ..
---------------------------------------------
http://www.virusbtn.com/blog/2015/02_03.xml?




*** Google belohnt auch Sicherheitsforscher, die keine Lücken finden ***
---------------------------------------------
Wer nach neuen Schwachstellen sucht, weiss nie, ob sich die investierte Zeit rechnet. Bei traditionellen Bug Bounties winkt schliesslich nur im Erfolgsfall Bares. Google experimentiert nun mit einem neuen Ansatz.
---------------------------------------------
http://heise.de/-2535890




*** Dumping Git Data from Misconfigured Web Servers ***
---------------------------------------------
Every so often when performing a penetration test against a web application or a range of external/internal servers I come across publicly accessible .git directories. Git is a revision control tool that helps keep track of ..
---------------------------------------------
https://blog.netspi.com/dumping-git-data-from-misconfigured-web-servers/






More information about the Daily mailing list