Surviving the Week 11/16/12, Not a Great Week for Password Protection

Not a Great Week for Password Protection

Earlier in the week, we saw Twitter forcing users to change their passwords after some passwords were compromised. Later in the week, a password vulnerability was disclosed in the most famous messenger, Microsoft's Skype. The vulnerability allowed an attacker to change the username and password of a victim's Skype account just by knowing their email address. Early Friday, Microsoft announced that the vulnerability had been resolved.

Information about the attack description – http://thenextweb.com/microsoft/2012/11/14/security-hole-allows-anyone-to-hijack-your-skype-account-using-only-your-email-address
Information about the patch – http://abcnews.go.com/Technology/skype-fixes-password-reset-security-hole/t/story?id=17718868

ModSecurity Rules Are Out

ModSecurity, one of the most widely used open source web application firewalls, has released its updated rule set. Download the rules at – http://www.modsecurity.org/download/

One unique feature of NTOSpider is that it lets users generate rules for different WAFs, including ModSecurity, Snort and Imperva. These rules can be imported into the WAF to temporarily block all the vulnerabilities detected by NTOSpider.
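For readers who have not used WAF rules this way, here is what such a temporary block (a "virtual patch") looks like in ModSecurity 2.x rule syntax. This is an added illustration, not output generated by NTOSpider or a rule from the ModSecurity rule set; the application path /product.php, the parameter id, the rule id 900001 and the numeric-only format are all assumptions made for the example.

```apache
# Added example (hypothetical finding): a scanner reported SQL injection in the
# "id" parameter of /product.php. Until the application is fixed, reject any
# request to that page whose "id" is not a short, purely numeric value.
#
# The first rule matches the target page and carries the actions; "chain" means
# those actions only fire if the chained rule below also matches.
SecRule REQUEST_FILENAME "@streq /product.php" \
    "id:900001,phase:2,deny,status:403,log,\
    msg:'Virtual patch: non-numeric id parameter on /product.php',chain"
    # Chained rule: matches when "id" is present and does NOT look like a plain
    # integer of 1 to 10 digits. "t:none" disables inherited transformations so
    # the raw value is what gets checked.
    SecRule ARGS:id "!@rx ^[0-9]{1,10}$" "t:none"
```

Phase 2 is used because request arguments (ARGS) are only fully available after the request body has been read. The rule is written as a positive check (what a valid id must look like) rather than a list of attack strings, which is why it can be dropped once the application has been fixed and does not need to be kept up to date with new payload variants.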

Multiple Vulnerabilities

Vulnerabilities have been detected in some major applications, including WordPress, Drupal and Oracle. The following list contains patches for the vulnerabilities detected in the past week.

WordPress Kakao Theme SQL Injection – http://packetstormsecurity.org/files/118008
WordPress Eco-Annu SQL Injection – http://packetstormsecurity.org/files/118007
WordPress 3.3.1 swfupload.swf Cross Site Scripting – http://packetstormsecurity.org/files/118009
netOffice Dwins 1.4p3 SQL Injection – http://packetstormsecurity.org/files/118010
BananaDance Wiki b2.2 Cross Site Scripting / SQL Injection – http://packetstormsecurity.org/files/118027
Java Applet JAX-WS Remote Code Execution – http://packetstormsecurity.org/files/118040
MYREphp Vacation Rental Cross Site Scripting / SQL Injection – http://packetstormsecurity.org/files/118088
dotProject 2.1.6 Remote File Inclusion – http://packetstormsecurity.org/files/118101
Narcissus Remote Command Execution – http://packetstormsecurity.org/files/118102
ReciPHP 1.1 SQL Injection – http://packetstormsecurity.org/files/118103
BabyGekko 1.2.2e XSS / LFI / SQL Injection – http://packetstormsecurity.org/files/118104
MYRE Realty Manager XSS / SQL Injection – http://packetstormsecurity.org/files/118105
Bugzilla Information Leak / Cross Site Scripting – http://packetstormsecurity.org/files/118106
Drupal RESTful Web Services 7.x Cross Site Request Forgery – http://packetstormsecurity.org/files/118108
Drupal Smiley / Smileys 6.x Cross Site Scripting – http://packetstormsecurity.org/files/118109
Friendsinwar FAQ Manager XSS / SQL Injection – http://packetstormsecurity.org/files/118110
iDev Rentals 1.0 Cross Site Scripting – http://packetstormsecurity.org/files/118111
Drupal Chaos Tool Suite 6.x Cross Site Scripting – http://packetstormsecurity.org/files/118114
Drupal Table Of Contents 6.x Access Bypass – http://packetstormsecurity.org/files/118115
Oracle Database Client System Analyzer Arbitrary File Upload – http://packetstormsecurity.org/files/118119

About Dan Kuykendall 173 Articles