Information Filed Under ‘Web Service Security’ Category
We are continuing with the list of security vulnerabilities found in a number of web applications while testing our latest version of Acunetix WVS v7. In this blog post, we will look into the details of a very serious web vulnerability discovered by Acunetix WVS in Axigen. Axigen is an integrated email, calendaring & collaboration platform, masterfully built on our unique Linux mail server technology, for increased speed & security.

See the original post:
Directory Traversal in Axigen v7.4.1 running on Windows
We just updated the Security Advisory (APSA10-02) posted on Wednesday, September 8, 2010 to include the planned schedule for a patch to resolve CVE-2010-2883. Adobe plans to make available updates for Adobe Reader and Acrobat 9.3.4 for Windows, Macintosh and UNIX during the week of October 4, 2010.
Read more:
Schedule Update to Security Advisory for Adobe Reader and Acrobat (APSA10-02)
Last week the website belonging to TechCrunch Europe had malicious code planted on it, the payload of which was a variant of Zbot – Troj/Zbot-YP . There are several interesting aspects of this variant that are worth exploring in a little more detail.

From the “been there, actively researched that” department. Cyberterrorism – don’t stereotype and it’s there! Tracking Down Internet Terrorist Propaganda; Arabic Extremist Group Forum Messages’ Characteristics; Cyber Terrorism Communications and Propaganda; A Cost-Benefit Analysis of Cyber Terrorism; Current State of Internet Jihad; Analysis of the Technical Mujahid – Issue One; Full List of
Read the original:
Summarizing 3 Years of Research Into Cyber Jihad
We just updated the Security Advisory (APSA10-02) posted on Wednesday, September 8, 2010 with a mitigation option for Windows users. We will continue to provide updates on this issue via the Security Advisory section of the Adobe website as well as the Adobe PSIRT blog.
Read more:
Update to Security Advisory for Adobe Reader and Acrobat (APSA10-02)
Just a quick update on the latest Adobe zero-day vulnerability (APSA10-02) that has come to light this week. You may well have already watched the video Chet posted yesterday. We have also published an advisory page for this vulnerability as well.
Read the original post:
APSA10-02: BOPs and the Adobe 0-day
We are continuing with the list of security vulnerabilities found in a number of web applications while testing our latest version of Acunetix WVS v7. In this blog post, we will look into the details of a number of security problems discovered by Acunetix WVS in CubeCart.

More here:
SQL Injection and XSS vulnerabilities in CubeCart version 4.3.3
One of the security enhancements included with Firefox 3.6.9 is support for the x-frame-options header. This optional header can be included within the HTTP response to instruct the client’s browser on whether the returned content is allowed to be framed by other pages. A website can choose to include the x-frame-options header to protect against malicious framing of web content by third parties.
Go here to see the original:
X-Frame-Options
A Security Advisory has been posted in regards to a new Adobe Reader and Acrobat issue (CVE-2010-2883). A critical vulnerability exists in Adobe Reader 9.3.4 and earlier versions for Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh.
Visit link:
Security Advisory for Adobe Reader and Acrobat
We are continuing with the list of security vulnerabilities found in a number of web applications while testing our latest version of Acunetix WVS v7. In this blog post, we will look into the details of a number of security problems discovered by Acunetix WVS in the popular web gallery application Zenphoto. Zenphoto is a standalone gallery CMS that just makes sense and doesn’t try to do everything and your dishes. We hope you agree with our philosophy: simpler is better.

Excerpt from:
Web Security problems in Zenphoto version 1.3
15 posts left… I’ve talked about this a few times over the years during various presentations but I wanted to document it here as well. It’s a concept that I’ve been wrestling with for 7+ years and I don’t think I’ve made any headway in convincing anyone, beyond a few head nods. Bad security isn’t just bad because it allows you to be exploited.
Go here to read the rest:
The Effect of Snakeoil Security
18 posts left… I got an email last night from someone asking me to do a breakdown of which browser is better, Internet Explorer, Firefox, Opera, Safari and Chrome. First of all, there’s already a pretty good reference that Michal Zalewski put together. Like anything this comprehensive, since it’s not been edited for about half a year it’s already out of date in a few ways, but it’s a great place to get started for those who want to get familiar with the internal differences between various browsers.
Read the original here:
Browser Differences, Minutia Et Al…
While beta testing the latest version of Acunetix WVS v7, we found a large number of security vulnerabilities in various web applications. In the following days we will publish some of these vulnerabilities. Note that we will not publish vulnerabilities found in applications that are not commonly used or in beta stage.

Read more here:
Security vulnerabilities in Pligg CMS version 1.0.4
Today we have observed some messages which at first glance appeared to be somebody trying to correct their mistakes on the CV they sent out. All messages had the same body text that read as follows: Thank you for the chat yesterday, it really helped me get a clearer idea of recruitment as well as exploring any potential opportunity.
SophosLabs has discovered a technique in anti-virus marketing, which we detect as Spin/BigNumber-P. Typical behaviour involves phrases such as “Product detects X viruses!”, where X is a large, rather exact-sounding number. Some variants involve high-tech numerical displays updated in real-time with ever growing numbers.

The rest is here:
To infinity and beyond
New scanning engine with improved vulnerability detection AND verification makes finding and fixing security issues in web applications easier.

Follow this link:
Acunetix 7 makes web application security checking easier and more cost effective
A while ago, we talked about Force-TLS that lets sites say “hey, only access me over HTTPS in the future” and the browser listens. Well, this idea has been solidified into a draft spec for HTTP Strict Transport Security (HSTS) and we’ve landed support for it into our source tree.
Originally posted here:
HTTP Strict Transport Security
A Security Bulletin was posted today addressing critical security issues in Adobe Shockwave Player. Adobe recommends users of Adobe Shockwave Player 11.5.7.609 and earlier versions update to Adobe Shockwave Player 11.5.8.612, using the instructions provided in the Security Bulletin. This posting is provided “AS IS” with no warranties and confers no rights.
Here is the original post:
Security Bulletin – Adobe Shockwave Player
An updated build of Acunetix WVS Version 7 BETA has been released. This build includes the following improvements:
- Improved Cross-Site Scripting (XSS) vulnerability detection scripts
- Improved blind SQL injection vulnerability checks to reduce false positives
- Added a good number of new ColdFusion security checks (including the latest directory traversal)
- Added a number of new Apache Tomcat checks
- Improved File Upload security check scripts
- Bug fix: HTTP Proxy crashing while manually browsing some particular websites

How to upgrade to build 20100818: On starting up Acunetix WVS, a pop-up window will automatically notify you that a more recent build is available for download. To download the latest build, navigate to the General > Program Updates node in the Tools explorer, and click on Download and Install new build.

Read the original post:
Acunetix WVS Version 7 BETA 2 is available
Issue: There has been discussion today about a Firefox feature that warns users when a site’s URL is deceptive. When a Firefox user visits a site with a URL that might be deceptive (e.g. http://www.good.com@evil.com/), Firefox will stop the load and confirm with the user that they are really visiting the site they expected to visit (in this example, evil.com is the actual site loaded).
Read the original here:
Obfuscated URLs within iframes