View RSS Feed

[s]

  1. CVE-2015-2652 – Unauthenticated File Upload in Oracle E-business Suite.

    Quote Originally Posted by [s] View Post
    During my regular job, I unravelled an interesting vulnerability of Unauthenticated File Upload in Oracle E-business Suite 0-day vulnerability. This particular Upload Bug can be easily used to upload files on the web-server and also an attacker can flood the hard-disk of the server,thus making it easier for an attacker to leverage the vulnerability remotely.

    Oracle released Critical Patch Update containing security fixes for the Oracle E-Business Suite. This vulnerability is remotely
    ...
    Tags: -1', zap Add / Edit Tags
    Categories
    Uncategorized
  2. WordPress Plugin – Revslider update captions CSS file critical vulnerability

    Today being another day at work for SecureLayer7 to recover our client’s defaced website, and bang I think I hit upon a nasty vulnerability of a famous plugin.

    Although we successfully patched the vulnerability and we fixed the undoing of the blacklisting. On further research I stumbled upon its usage over the internet and as it turns out large number of web users online are affected, putting them to greater risk if not mitigated with a proper patch or an update.

    Following ...
    Attached Thumbnails Attached Images  
  3. Malware Cleanup: Analysis of an Undetectable web-shell code uploaded, RevSlider bug

    I started my day with my regular Malware Cleanup activity and came across an interesting backdoor web shell file on the server. The server is not specific to any particular environment, it was one of the regularly updated WordPress package with the plugin RevSlider Plugin ver. 4.1.4 .

    I initiated the process to detect the backdoors and web malwares, and got a hit on a malicious .htaccess file which was redirecting hxxp://m.mobi-avto.ru as shown below:

    ...
  4. CVE-2015-0235 – How to secure against Glibc Ghost Vulnerability

    CVE-2015-0235 Ghost (glibc gethostbyname buffer overflow) Vulnerability is serious cause for all Linux servers. This vulnerability leveraged to execute remote and code execution on the victim Linux server. The vulnerability found By Qualys Researcher and patched in GNU.

    What is the cause ?

    The bug is in __nss_hostname_digits_dots() function of function of the GNU C Library (glibc), and location of the path is file for non-reentrant version is nss/getXXbyYY.c , which ...
  5. Garage4Hackers Year 2014 Timeline Presentation

  6. Writeup on Garage4Hackers Xmas / Dec Web Challenge 2014

    Quote Originally Posted by [s] View Post
    Ho Ho Ho, Xmas challenge ended. This challenge was all about of bypassing login authentication. Obviously, it was funny challenge!! And the obvious reason was password md5 hash. A footnote was there in source code.

    Code:
    <!-- 
        We are so generous, see we provided you password hash to login :) 0e100132199235687421930375421091
        if(0e100132199235687421930375421091 == md5($_GET['pass']))
        {
          // Simple PHP CODE Logic 
        }
    ...
    Categories
    Uncategorized
  7. Garage4Hackers Ranchoddas Webcast on In the DOM- no one will hear you scream By

    Quote Originally Posted by [s] View Post
    Garage October month RWS series, our rancho Author Mario Heiderich

    Title :
    In the DOM- no one will hear you scream

    Recorded Video.

    Abstract
    This talk is about the DOM and its more twilight areas. Well see the weird parts and talk about where and why this might be security
    critical and affect your precious online applications, browser extensions or packaged apps. To understand the foundations
    ...
    Categories
    Uncategorized
  8. UI redress attack on live.com (affected all pages).

    Quote Originally Posted by [s] View Post
    On 7/29/13 I've reported Live.com XFO vulnerability to the Microsoft Security team and finally their investigation came to conclusion and fixed the bug. So, Here is details of bug and timeline of fixing bug. A year ago on the weekend, I started digging into MS services for bugs and this vulnerability seems to be more interesting to share on the Garage4Hackers.

    The timeline of investigation of the bug : July 29, 2013 - April 16 , 2014.

    Name:  msresponse.jpg
Views: 2092
Size:  23.1 KB
    ...
    Categories
    Uncategorized
  9. How to Fix OpenSSL Heart Bleed Bug on Ubuntu

    Quote Originally Posted by [s] View Post
    First check version of the openSSL

    Code:
    openssl version -b
    
    openssl version -a
    If it is already updated, then no need to worry about it . If your OpenSSL is not updated then execute following commands to update OpenSSL.

    Code:
    sudo apt-get update
    Once this finishes, upgrade openssl:

    Code:
    sudo apt-get upgrade openssl
    Regenerate your SSL certificate , follow the link to regenerating SSL Certificate
    ...
Page 1 of 2 12 LastLast