Hack Talk
ERROR: Witty joke not found Home | Gitweb | Status | IRC

Sun, 25 Sep 2016 02:14:35 +0200

ESA-2016-097: RSA Identity Governance and Lifecycle Information Disclosure Vulnerability
    23 Sep 2016 | 15:35 from Bugtraq

Posted by EMC Product Security Response Center on Sep 23

ESA-2016-097: RSA Identity Governance and Lifecycle Information Disclosure Vulnerability

EMC Identifier: EMC-2016-097

CVE Identifier: CVE-2016-0918

Severity Rating: CVSS v3 Base Score: 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

Affected Products:
•RSA Identity Management and Governance versions prior to 6.8.1 P25
•RSA Identity Management and Governance versions prior to 6.9.1 P15
•RSA Via Lifecycle and Governance versions prior to...

W3C Global Web Experts Plan Technical Roadmap for Future of Web
    23 Sep 2016 | 13:14 from W3C News

As W3C concludes today our annual Technical Plenary and Advisory Committee (TPAC) Meeting week, where more than 550 experts from the Web community met, we are excited to share advancements to the Open Web Platform and specific industry requirements for the next generation Web. In summarizing the W3C’s activities, Jeff Jaffe, W3C CEO commented “Members […]


Recon Europe 2017 Call For Papers - January 27 - 29, 2017 - Brussels, Belgium
    23 Sep 2016 | 09:47 from Bugtraq

Posted by cfpbrussels2017 on Sep 23

` . R E C O N * B R U S S E L S .
. . C F P ' .
' https://recon.cx
. 27 - 29 January 2017 . .
. ' Brussels, Belgium .
\ .
-6)) +
\ † ....

[SECURITY] [DSA 3674-1] firefox-esr security update
    23 Sep 2016 | 09:34 from Bugtraq

Posted by Moritz Muehlenhoff on Sep 23

-------------------------------------------------------------------------
Debian Security Advisory DSA-3674-1 security () debian org
https://www.debian.org/security/ Moritz Muehlenhoff
September 22, 2016 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : firefox-esr
CVE ID : CVE-2016-5250 CVE-2016-5257...

IE11 is not following CORS specification for local files
    23 Sep 2016 | 02:52 from Penetration Testing

Posted by Ricardo Iramar dos Santos on Sep 22

IE11 is not following CORS specification for local files like Chrome
and Firefox.
I've contacted Microsoft and they say this is not a security issue so
I'm sharing it.

files as supposed to be.
In order to prove I've created a malicious html file with the content below.

<html>
<script>
function createCORSRequest(method, url) {
var xhr = new XMLHttpRequest();
if ("withCredentials" in xhr) {...

Welcome Faraday 2.1! Collaborative Penetration Test & Vulnerability Management Platform
    23 Sep 2016 | 02:47 from Penetration Testing

Posted by Francisco Amato on Sep 22

After a long sprint we are proud to present Faraday v2.1:

Faraday is the Integrated Multiuser Risk Environment you were looking
for! It maps and leverages all the knowledge you generate in real
time, letting you track and understand your audits. Our dashboard for
CISOs and managers uncovers the impact and risk being assessed by the
audit in real-time without the need for a single email. Developed with
a specialized set of functionalities that...

Recon Europe 2017 Call For Papers - January 27 - 29, 2017 - Brussels, Belgium
    23 Sep 2016 | 02:43 from Penetration Testing

Posted by cfpbrussels2017 on Sep 22

` . R E C O N * B R U S S E L S .
. . C F P ' .
' https://recon.cx
. 27 - 29 January 2017 . .
. ' Brussels, Belgium .
\ .
-6)) +
\ † ....

[SECURITY] [DSA 3673-1] openssl security update
    22 Sep 2016 | 21:15 from Bugtraq

Posted by Moritz Muehlenhoff on Sep 22

-------------------------------------------------------------------------
Debian Security Advisory DSA-3673-1 security () debian org
https://www.debian.org/security/ Moritz Muehlenhoff
September 22, 2016 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : openssl
CVE ID : CVE-2016-2177 CVE-2016-2178...

Calling all free software supporters: It's time to renew our shop inventory!
    22 Sep 2016 | 17:57 from FSF's blog

In advance of the Fall fundraiser and Winter holidays, we at the Free Software Foundation (FSF) want to make sure we have the snazziest possible selection of useful and stylish apparel, books, and other items.


Fwd: BT Wifi Extenders - Cross Site Scripting leading to disclosure of PSK
    22 Sep 2016 | 17:25 from Bugtraq

Posted by Jamie R on Sep 22

BT Wifi Extenders - 300, 600 and 1200 models - Cross Site Scripting
leading to disclosure of PSK.

A firmware update is required to resolve this issue.

The essential problem is that if you hit the following URL on your
wifi extender, it will pop up a whole load of private data, including
your PSK. Instead of doing a pop up, we could exfiltrate that data to
our server....

Friday "Back to School" Free Software Directory IRC meetup: September 23rd
    22 Sep 2016 | 16:20 from FSF's blog

Join the FSF and friends every Friday to help improve the Free Software Directory (FSD), with this week having a special theme of updating entries for educational software.


IE11 is not following CORS specification for local files
    22 Sep 2016 | 11:10 from Bugtraq

Posted by Ricardo Iramar dos Santos on Sep 22

IE11 is not following CORS specification for local files like Chrome
and Firefox.
I've contacted Microsoft and they say this is not a security issue so
I'm sharing it.

files as supposed to be.
In order to prove I've created a malicious html file with the content below.

<html>
<script>
function createCORSRequest(method, url) {
var xhr = new XMLHttpRequest();
if ("withCredentials" in xhr) {...

[slackware-security] irssi (SSA:2016-265-03)
    22 Sep 2016 | 10:56 from Bugtraq

Posted by Slackware Security Team on Sep 22

[slackware-security] irssi (SSA:2016-265-03)

New irssi packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1,
14.2, and -current to fix security issues.

Here are the details from the Slackware 14.2 ChangeLog:
+--------------------------+
patches/packages/irssi-0.8.20-i586-1_slack14.2.txz: Upgraded.
This update fixes two remote crash and heap corruption vulnerabilites
in Irssi's format parsing code. Impact: Remote crash...

[security bulletin] HPSBHF03646 rev.1 - HPE Comware 7 (CW7) Network Products running NTP, Multiple Remote Vulnerabilities
    22 Sep 2016 | 10:40 from Bugtraq

Posted by security-alert on Sep 22

Note: the current version of the following document is available here:
https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c05270839

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c05270839
Version: 1

HPSBHF03646 rev.1 - HPE Comware 7 (CW7) Network Products running NTP,
Multiple Remote Vulnerabilities

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2016-09-21
Last...

Unauthenticated SQL Injection in Huge-IT Video Gallery v1.0.9 for Joomla
    22 Sep 2016 | 10:30 from Bugtraq

Posted by Larry W. Cashdollar on Sep 22

Title: Unauthenticated SQL Injection in Huge-IT Video Gallery v1.0.9 for Joomla
Author: Larry W. Cashdollar, @_larry0
Date: 2016-09-15
Download Site: http://huge-it.com/joomla-video-gallery/
Vendor: www.huge-it.com, fixed v1.1.0
Vendor Notified: 2016-09-17
Vendor Contact: info () huge-it com
Description: A video slideshow gallery.
Vulnerability:
The following code does not prevent an unauthenticated user from injecting SQL into functions located...

[security bulletin] HPSBGN03645 rev.2 - HPE Helion OpenStack Glance, Remote Access Restriction Bypass, Unauthorized Access
    22 Sep 2016 | 10:20 from Bugtraq

Posted by security-alert on Sep 22

Note: the current version of the following document is available here:
https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c05273584

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c05273584
Version: 2

HPSBGN03645 rev.2 - HPE Helion OpenStack Glance, Remote Access Restriction
Bypass, Unauthorized Access

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2016-09-15...

[slackware-security] pidgin (SSA:2016-265-01)
    22 Sep 2016 | 10:05 from Bugtraq

Posted by Slackware Security Team on Sep 22

[slackware-security] pidgin (SSA:2016-265-01)

New pidgin packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1,
14.2, and -current to fix security issues.

Here are the details from the Slackware 14.2 ChangeLog:
+--------------------------+
patches/packages/pidgin-2.11.0-i586-1_slack14.2.txz: Upgraded.
This release fixes bugs and security issues.
For more information, see:
https://www.pidgin.im/news/security/
(* Security...

[SECURITY] [DSA 3672-1] irssi security update
    22 Sep 2016 | 09:50 from Bugtraq

Posted by Salvatore Bonaccorso on Sep 22

-------------------------------------------------------------------------
Debian Security Advisory DSA-3672-1 security () debian org
https://www.debian.org/security/ Salvatore Bonaccorso
September 21, 2016 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : irssi
CVE ID : CVE-2016-7044 CVE-2016-7045

Gabriel...

Cisco Security Advisory: Cisco Cloud Services Platform 2100 Remote Command Execution Vulnerability
    21 Sep 2016 | 19:23 from Bugtraq

Posted by Cisco Systems Product Security Incident Response Team on Sep 21

Cisco Security Advisory: Cisco Cloud Services Platform 2100 Remote Command Execution Vulnerability

Advisory ID: cisco-sa-20160921-csp2100-2

Revision 1.0

Published: 2016 September 21 16:00 GMT
+---------------------------------------------------------------------

Summary
=======

A vulnerability in the web interface of Cisco Cloud Services Platform (CSP) 2100 could allow an unauthenticated, remote
attacker to execute arbitrary code on a...

Cisco Security Advisory: Cisco Cloud Services Platform 2100 Command Injection Vulnerability
    21 Sep 2016 | 19:06 from Bugtraq

Posted by Cisco Systems Product Security Incident Response Team on Sep 21

Cisco Security Advisory: Cisco Cloud Services Platform 2100 Command Injection Vulnerability

Advisory ID: cisco-sa-20160921-csp2100-1

Revision 1.0

Published: 2016 September 21 16:00 GMT
+---------------------------------------------------------------------

Summary
=======

A vulnerability in the web-based GUI of the Cisco Cloud Services Platform 2100 could allow an authenticated, remote
attacker to execute arbitrary commands on the...