Hack Talk

Wed, 17 Jan 2018 01:41:42 +0100

The 2018 LibrePlanet keynotes are here -- you won't want to miss them!
    16 Jan 2018 | 20:35 from FSF blogs

The tenth annual LibrePlanet free software conference is just two months away, and we've got a slate of fantastic keynote speakers for you!


MagicSpam 2.0.13 - Insecure File Permission Vulnerability
    16 Jan 2018 | 12:17 from Bugtraq

Posted by Vulnerability Lab on Jan 16

Document Title:
===============
MagicSpam 2.0.13 - Insecure File Permission Vulnerability

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2113

Release Date:
=============
2018-01-12

Vulnerability Laboratory ID (VL-ID):
====================================
2113

Common Vulnerability Scoring System:
====================================
2.8

Vulnerability Class:
====================
Privacy Violation...

Zenario v7.6 CMS - SQL Injection Web Vulnerability
    16 Jan 2018 | 12:10 from Bugtraq

Posted by Vulnerability Lab on Jan 16

Document Title:
===============
Zenario v7.6 CMS - SQL Injection Web Vulnerability

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2043

Release Date:
=============
2018-01-16

Vulnerability Laboratory ID (VL-ID):
====================================
2043

Common Vulnerability Scoring System:
====================================
5.7

Vulnerability Class:
====================
SQL Injection

Current...

[SECURITY] [DSA 4088-1] gdk-pixbuf security update
    16 Jan 2018 | 12:09 from Bugtraq

Posted by Moritz Muehlenhoff on Jan 16

-------------------------------------------------------------------------
Debian Security Advisory DSA-4088-1 security () debian org
https://www.debian.org/security/ Moritz Muehlenhoff
January 15, 2018 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : gdk-pixbuf
CVE ID : CVE-2017-1000422

It was...

[RT-SA-2017-013] Truncation of SAML Attributes in Shibboleth 2
    16 Jan 2018 | 12:05 from Bugtraq

Posted by RedTeam Pentesting GmbH on Jan 16

Advisory: Truncation of SAML Attributes in Shibboleth 2

RedTeam Pentesting discovered that the shibd service of Shibboleth 2
does not extract SAML attribute values in a robust manner. By inserting
XML entities into a SAML response, attackers may truncate attribute
values without breaking the document's signature. This might lead to a
complete bypass of authorisation mechanisms.

Details
=======

Product: Shibboleth 2
Affected Versions:...

Broken TLS certificate pinning in VTech DigiGo Kid Connect app
    15 Jan 2018 | 16:32 from Bugtraq

Posted by Summer of Pwnage on Jan 15

------------------------------------------------------------------------
Broken TLS certificate pinning in VTech DigiGo Kid Connect app
------------------------------------------------------------------------
Sipke Mellema, September 2017

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
VTech's DigiGo is a hand held smart device for...

Adminer <= v4.3.1 Server Side Request Forgery
    15 Jan 2018 | 16:29 from Bugtraq

Posted by apparitionsec on Jan 15

[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/ADMINER-UNAUTHENTICATED-SERVER-SIDE-REQUEST-FORGERY.txt
[+] ISR: apparition security

Vendor:
==============
www.adminer.org

Product:
================
Adminer <= v4.3.1

Adminer (formerly phpMinAdmin) is a full-featured database management tool written in PHP. Conversely to phpMyAdmin, it...

Authentication bypass in Kaseya VSA
    15 Jan 2018 | 16:28 from Bugtraq

Posted by Securify B.V. on Jan 15

------------------------------------------------------------------------
Authentication bypass in Kaseya VSA
------------------------------------------------------------------------
Kin Hung Cheng, Robert Hartshorn, May 2017

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A security vulnerability was found in Kaseya VSA that allows users to...

Seagate Media Server allows deleting of arbitrary files and folders
    15 Jan 2018 | 16:26 from Bugtraq

Posted by Summer of Pwnage on Jan 15

------------------------------------------------------------------------
Seagate Media Server allows deleting of arbitrary files and folders
------------------------------------------------------------------------
Yorick Koster, September 2017

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
Seagate Personal Cloud is a consumer-grade...

[SECURITY] [DSA 4086-1] libxml2 security update
    15 Jan 2018 | 16:17 from Bugtraq

Posted by Salvatore Bonaccorso on Jan 15

-------------------------------------------------------------------------
Debian Security Advisory DSA-4086-1 security () debian org
https://www.debian.org/security/ Salvatore Bonaccorso
January 13, 2018 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : libxml2
CVE ID : CVE-2017-15412
Debian Bug :...

[SECURITY] [DSA 4087-1] transmission security update
    15 Jan 2018 | 16:14 from Bugtraq

Posted by Moritz Muehlenhoff on Jan 15

-------------------------------------------------------------------------
Debian Security Advisory DSA-4087-1 security () debian org
https://www.debian.org/security/ Moritz Muehlenhoff
January 14, 2018 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : transmission
CVE ID : not yet available

Tavis...

Multiple vulnerabilities in VTech DigiGo allow browser overlay attack
    15 Jan 2018 | 16:13 from Bugtraq

Posted by Summer of Pwnage on Jan 15

------------------------------------------------------------------------
Multiple vulnerabilities in VTech DigiGo allow browser overlay attack
------------------------------------------------------------------------
Sipke Mellema, September 2017

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
VTech's DigiGo is a hand held smart device...

Arbitrary file read in Kaseya VSA
    15 Jan 2018 | 16:12 from Bugtraq

Posted by Securify B.V. on Jan 15

------------------------------------------------------------------------
Arbitrary file read in Kaseya VSA
------------------------------------------------------------------------
Kin Hung Cheng, Robert Hartshorn, May 2017

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A security vulnerability was found in Kaseya VSA file download file...

Broken TLS certificate validation in VTech DigiGo browser
    15 Jan 2018 | 16:05 from Bugtraq

Posted by Summer of Pwnage on Jan 15

------------------------------------------------------------------------
Broken TLS certificate validation in VTech DigiGo browser
------------------------------------------------------------------------
Sipke Mellema, September 2017

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
VTech's DigiGo is a hand held smart device for...

Code execution in Kaseya VSA
    15 Jan 2018 | 15:56 from Bugtraq

Posted by Securify B.V. on Jan 15

------------------------------------------------------------------------
Code execution in Kaseya VSA
------------------------------------------------------------------------
Kin Hung Cheng, Robert Hartshorn, May 2017

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A security vulnerability was found in Kaseya VSA file upload file...

[SECURITY] [DSA 4085-1] xmltooling security update
    15 Jan 2018 | 15:41 from Bugtraq

Posted by Moritz Muehlenhoff on Jan 15

-------------------------------------------------------------------------
Debian Security Advisory DSA-4085-1 security () debian org
https://www.debian.org/security/ Moritz Muehlenhoff
January 12, 2018 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : xmltooling
CVE ID : CVE-2018-0486

Philip Huppert...

Your support made it happen! Over $500k for the FSF fundraiser
    12 Jan 2018 | 20:06 from FSF blogs


Friday Free Software Directory IRC meetup: January 12th starting at 12:00 p.m. EST/17:00 UTC
    11 Jan 2018 | 18:18 from FSF blogs

Join the FSF and friends Friday, January 12th, from 12:00 p.m. to 3 p.m. EST (17:00 to 20:00 UTC) to help improve the Free Software Directory, with this week's theme of organizing for the future.


Call for Review: WOFF File Format 2.0 is a W3C Proposed Recommendation
    11 Jan 2018 | 13:14 from W3C News

The WebFonts Working Group has published a Proposed Recommendation of WOFF File Format 2.0. Based on experience with WOFF 1.0, which is widely deployed, this specification was developed to provide improved compression and thus lower use of network bandwidth, while still allowing fast decompression even on mobile devices. This is achieved by combining a content-aware […]


Undermine mass surveillance with free software and your phone calls
    10 Jan 2018 | 23:10 from FSF blogs

UPDATE: The bill was passed by the House of Representatives and has now moved on to the Senate, where a vote is expected on January 16. Tell your Senators that the bill—S. 139—fails to protect your constitutional rights to privacy!