Surviving the Week 9/7/12

A Number of Exploits Including SQL Injection, XSS, and Authentication Bypass

This week, researchers found some remarkable vulnerabilities, including remote code execution, SQL injection, and cross-site scripting, in bug tracking systems as well as in security vendors' products. Test your application with NTOSpider to find these classes of vulnerabilities in your own code.

GarrettCom Privilege Escalation – http://packetstormsecurity.org/files/download/116278/ICSA-12-243-01.pdf
Symantec Messaging Gateway 9.5 Default SSH Password – http://packetstormsecurity.org/files/download/116277/symantec_smg_ssh.rb.txt
HP SiteScope Remote Code Execution – http://packetstormsecurity.org/files/download/116276/hp_sitescope_uploadfileshandler.rb.txt
Kayako Fusion 4.40.1148 Cross Site Scripting – http://packetstormsecurity.org/files/download/116274/kayakofusion440-xss.txt
Drupal Exposed Filter Data 6.x Cross Site Scripting – http://packetstormsecurity.org/files/download/116272/DRUPAL-SA-CONTRIB-2012-138.txt
Flogr 2.5.6 Cross Site Scripting – http://packetstormsecurity.org/files/download/116270/flogr256-xss.txt
Web@All CMS 2.0 Shell Upload / Local File Inclusion – http://packetstormsecurity.org/files/download/116260/webatall-lfishell.txt
Ektron CMS 8.5.0 File Upload / XXE Injection – http://packetstormsecurity.org/files/download/116259/SOS-12-009.txt
Barracuda Web Filter 910 5.0.015 Cross Site Scripting – http://packetstormsecurity.org/files/116239
eFront Enterprise 3.6.11 Cross Site Scripting – http://packetstormsecurity.org/files/116238
Support4Arabs Pages 2.0 SQL Injection – http://packetstormsecurity.org/files/download/116201/support4arabspages-sql.txt
Wiki Web Help 0.3.11 Remote File Inclusion – http://packetstormsecurity.org/files/download/116202/wikiwebhelp-rfi.txt
JIRA / GreenHopper Cross Site Scripting – http://packetstormsecurity.org/files/download/116203/jiragreenhopper-xssxsrf.txt
ES Job Search Engine 3.0 SQL Injection – http://packetstormsecurity.org/files/download/116231/VL-675.txt

Database Security on the Cloud for Microsoft SQL Azure

GreenSQL’s software-based solution can be installed as a front end to SQL Azure. It hides and protects the Azure database behind the proxy, dynamically masks sensitive and confidential data in real time, and provides monitoring and auditing of data access and administrative activity. Its caching is intended to improve database performance by reducing latency in cloud environments. GreenSQL positions the product as helping companies meet requirements under regulations such as HIPAA, PCI DSS, SOX, and Basel II; a database proxy supports those controls but does not by itself make a deployment compliant.
http://www.net-security.org/secworld.php?id=13531

Government Warns Businesses of Cyber Crime Threat

The UK government’s signals intelligence agency, GCHQ, has launched a program that aims to help business leaders tackle the growing threat of cyber attacks. GCHQ Director Iain Lobban will tell business leaders that current confidence in existing security defenses is often misplaced, with potentially major implications for the economy and for customers’ trust in online services. He will also ask board members and chief executives how confident they are that their most important corporate information is safe from cyber threats, and whether they are aware of the impact on a company’s reputation, share price or even existence if sensitive information is stolen.
http://www.net-security.org/secworld.php?id=13535


About Dan Kuykendall

Dan Kuykendall is the CTO and Co-CEO at NT OBJECTives. Dan is a founder of NT OBJECTives and has been with the company for more than 10 years. He is responsible for the strategic direction and development of products and services and works closely with technology partners to make sure integrations are both deep and valuable. As a result of Dan’s dedication to security, technology innovation and software development, NTO application security scanning software is often recognized as the most accurate because of its sophisticated automation techniques. Dan joined NT OBJECTives from Foundstone, where he was responsible for the portal interface to the company’s flagship product, FoundScan. Prior to Foundstone, Dan was the founder of the Information Security team in the United States branches of Fortis. Dan is a regular blogger on web application security issues on ManVsWebApp.com and co-hosts An Information Security Place Podcast. He has presented on the topics of mobile and application security at many of the top security industry conferences, such as ISSA (2011), B-Sides (2012-2013), OWASP AppSecUSA (2012), HouSecCon (2010-2012), ToorCon (2013) and THOTCON (2013). Dan has been involved with the Web Application Security Consortium and is a regular contributor to many open source development projects, including founding the RPM Builder, phpGroupWare and podPress projects.
