Timeframe: Montag 02-02-2015 18:00 − Dienstag 03-02-2015 18:00 Handler: Robert Waldner Co-Handler: Alexander Riepl
*** Cisco Anyconnect and Cisco HostScan Web Launch XSS Vulnerability *** --------------------------------------------- A vulnerability in Cisco AnyConnect Secure Mobility Client and Cisco Host Scan could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against the user of the client when AnyConnect is launched through the web interface. --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-...
*** Cisco UCS C-Series Rack Servers Integrated Management Controller Cross-Frame Scripting Vulnerability *** --------------------------------------------- A vulnerability in the web interface of the Cisco Integrated Management Controller of the Cisco Unified Computing System C-Series Rack Servers could allow an unauthenticated, remote attacker to execute a cross-frame scripting (XFS) attack. --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2015-...
*** Remember Me Safely - Secure Long-Term Authentication Strategies *** --------------------------------------------- Lets say you have a web application with a user authentication system, wherein users must provide a username (or email address) and password to access certain resources. Lets also say that its properly designed (it uses .. --------------------------------------------- https://resonantcore.net/blog/2015/02/remember-me-safely-secure-long-term-au...
*** How a penetration test helps you meet PCI compliance guidelines *** --------------------------------------------- In order to protect credit card data, sometimes businesses have to think like a hacker. Every year, merchants who transmit, process, or store payment card data must conduct a suite of security test... --------------------------------------------- http://www.net-security.org/article.php?id=2213
*** Trotz Update: Adobe warnt vor neuer Flash Player-Lücke *** --------------------------------------------- Nachdem vor einer Woche kritische Sicherheitslücken geschlossen wurden, muss Adobe erneut warnen --------------------------------------------- http://derstandard.at/2000011209756
*** DSA-3151 python-django - security update *** --------------------------------------------- Several vulnerabilities were discovered in Django, a high-level Pythonweb development framework. The Common Vulnerabilities and Exposuresproject identifies the following problems: --------------------------------------------- https://www.debian.org/security/2015/dsa-3151
*** Creative Evasion Technique Against Website Firewalls *** --------------------------------------------- During one of our recent in-house Capture The Flag (CTF) events, I was playing with the idea of what could be done with Non-Breaking Spaces. I really wanted to win and surely there had to be a way through the existing evasion controls. This post is going to be a bit code-heavy for most end-users,Read More --------------------------------------------- http://blog.sucuri.net/2015/02/creative-evasion-technique-against-website-fi...
*** XSS, XFS, Open Redirect Vulnerabilities Found on About.com (SecurityWeek) *** --------------------------------------------- http://www.securityweek.com/xss-xfs-open-redirect-vulnerabilities-found-abou...
*** Beware of emails pushing Google Chrome updates! *** --------------------------------------------- Google Chrome users are being actively targeted with a spam email campaign impersonating the Internet giant, urging them to download a newer version of the popular browser because theirs .. --------------------------------------------- http://www.net-security.org/malware_news.php
*** Online-Erpresser verschlüsseln Datenbank und fordern 50.000 US-Dollar Lösegeld *** --------------------------------------------- Sicherheitsexperten habe eine perfide Erpressungsmasche entdeckt: Die Täter manipulieren Web-Dienste so, dass sie die von den Nutzern eingegebenen Daten verschlüsselt speichern. --------------------------------------------- http://heise.de/-2535621
*** Low VirusTotal detection rates for new malware, do they matter? *** --------------------------------------------- It is not as important as is often suggested - and doesn't mean the malware is allowed to execute.It is fairly common these days for security researchers to write about new malware attacks and point to low anti-virus detection rates when the affected sample is uploaded to VirusTotals multi-AV .. --------------------------------------------- http://www.virusbtn.com/blog/2015/02_03.xml?
*** Google belohnt auch Sicherheitsforscher, die keine Lücken finden *** --------------------------------------------- Wer nach neuen Schwachstellen sucht, weiss nie, ob sich die investierte Zeit rechnet. Bei traditionellen Bug Bounties winkt schliesslich nur im Erfolgsfall Bares. Google experimentiert nun mit einem neuen Ansatz. --------------------------------------------- http://heise.de/-2535890
*** Dumping Git Data from Misconfigured Web Servers *** --------------------------------------------- Every so often when performing a penetration test against a web application or a range of external/internal servers I come across publicly accessible .git directories. Git is a revision control tool that helps keep track of .. --------------------------------------------- https://blog.netspi.com/dumping-git-data-from-misconfigured-web-servers/