Next Page >>
December
I think that the you can find the information at the incident references at http://www.webappsec.org/projects/whid/byid_id_2007-60.shtml.
----Original Message----
From: Memisyazici, Aras [mailto:arasm@vt.edu]
Sent: Sunday, December 30, 2007 2:13 PM
To: Ofer Shezaf; bugtraq@securityfocus.com
Subject: RE: Latest round of web hacking incidents for 2007 & Project news
>>The researchers found that they can use Google to retrieve the hashed password of the hacker. Google has become so big that it actually allows efficient encrypted passwords lookup.
Leader, WASC Web Hacking Incidents Database Project
WHID 2007-71: Hacker uses Social Security numbers from Ohio court site
======================================================================
Reported: 22 December 2007, Occurred: 22 December 2007
Classifications:
* Attack Method: Credential/Session Prediction
* Country: USA
> Leader, WASC Web Hacking Incidents Database Project
>
>
> WHID 2007-71: Hacker uses Social Security numbers from Ohio court site
> ======================================================================
> Reported: 22 December 2007, Occurred: 22 December 2007
>
> Classifications:
>
> * Attack Method: Credential/Session Prediction
> * Country: USA
Leader, WASC Web Hacking Incidents Database Project
WHID 2007-71: Hacker uses Social Security numbers from Ohio court site
======================================================================
Reported: 22 December 2007, Occurred: 22 December 2007
Classifications:
* Attack Method: Credential/Session Prediction
* Country: USA
=============================================
INTERNET SECURITY AUDITORS ALERT 2008-004
- Original release date: 12th December, 2008
- Last revised: 22nd December, 2008
- Discovered by: Jesus Olmos Gonzalez
- Severity: 4/5
=============================================
I. VULNERABILITY
-------------------------
on November 5th, 2007.
. *2007-10-17*: Vendor acknowledges notification, provides public key and
requests a draft of the security advisory .
. *2007-10-17*: Core sends the draft advisory.
. *2007-10-19*: Vendor indicates it will be able to address the issue in
a release planned for December.
. *2007-10-29*: Core requests an status update since there has been no
communication since October, 17th, 2007. Vendor indicates it will be able
to address the issue in a release planned for December, this information
was already provided to Core on October 19th 2007 on a personal email
exchange. The December release is likely to be move to the first week of
=============================================
INTERNET SECURITY AUDITORS ALERT 2009-013
- Original release date: December 7th, 2009
- Last revised: December 16th, 2009
- Discovered by: David Eduardo Acosta Rodriguez
- Severity: 4/10 (CVSS Base Score)
=============================================
I. VULNERABILITY
-------------------------
6. *Vendor Information, Solutions and Workarounds*
Microsoft has released patches for this vulnerability. For more
information refer to the Microsoft Security Bulletin MS08-072 released
on December 9th, 2008, available at
http://www.microsoft.com/technet/security/Bulletin/ms08-072.mspx
Microsoft recommends that customers apply the update immediately.
=============================================
INTERNET SECURITY AUDITORS ALERT 2007-006
- Original release date: December 18th, 2007
- Last revised: December 24th, 2007
- Discovered by: Jesus Olmos Gonzalez
- Severity: 5/5
=============================================
I. VULNERABILITY
-------------------------
28 October 2010: Informed Vendor that multiple pages are still
vulnerable
03 November 2010: Acknowledgement / Update requested
03 November 2010: Update received. No fixes initiated.
23 November 2010: Informed vendor disclosure date set to 1/12/2010
22 December 2010: Update requested.
22 December 2010: Vendor asks to release information as the
vulnerabilities are already known
23 December 2010: A different contact at the Vendor location informs
that there are no updates.
24 December 2010: Disclosure date set to 5 December 2010
28 October 2010: Informed Vendor that multiple pages are still
vulnerable
03 November 2010: Acknowledgement / Update requested
03 November 2010: Update received. No fixes initiated.
23 November 2010: Informed vendor disclosure date set to 1/12/2010
22 December 2010: Update requested.
22 December 2010: Vendor asks to release information as the
vulnerabilities are already known
23 December 2010: A different contact at the Vendor location informs
that there are no updates.
24 December 2010: Disclosure date set to 5 December 2010
=============================================
INTERNET SECURITY AUDITORS ALERT 2009-012
- Original release date: October 13th, 2009
- Last revised: December 16th, 2009
- Discovered by: Juan Galiana Lara
- CVE ID: CVE-2009-3701
- Severity: 6.3/10 (CVSS Base Score)
=============================================
I. VULNERABILITY
Platforms : PHP && MySQL
Vulnerability Type : Input Validation Errors
Disclosure Timeline
-------------------------
04 December 2007 -- Vendor Contacted
04 December 2007 -- Vendor Replied
05 December 2007 -- Fix Released
10 December 2007 -- Pulic Disclosure
What is Falt4Extreme
Platforms : PHP && MySQL
Vulnerability Type : Input Validation Error
Timeline
-------------------------
17 December 2007 -- Vendor Contacted
19 December 2007 -- Vendor Replied
22 December 2007 -- New Release
22 December 2007 -- Advisory Released
What is TikiWiki
40 minutes are for the presentation & 10 for the question-answer
sessions. We’d request you to submit the papers keeping the time
constraint in mind.
:: Event ::
Date: 3rd, 4th & 5th December (As Usual the first weekend of December)
Place: Pune, India
We are also hosting the finals of Malcon at ClubHack2010, for more
information & CFP of malcon see http://malcon.org/
CREDITS:
StenoPlasma (at) ExploitDevelopment.com
TIMELINE:
Discovery: December 4, 2010
Vendor Notified: December 7, 2010
Vendor Fixed: N/A
Vendor Dismissed: December 9, 2010
Vendor Notified of Disclosure: December 9, 2010
Disclosed: December 9, 2010
=============================================
INTERNET SECURITY AUDITORS ALERT 2009-010
- Original release date: September 28th, 2009
- Last revised: December 15th, 2009
- Discovered by: Juan Galiana Lara
- CVE ID: CVE-2009-3703
- Severity: 8.5/10 (CVSS Base Score)
=============================================
I. VULNERABILITY
The reason why we thought rawurlencode might be suitable is because htmlentities in a tracking URL might break the Google Analytics Tracking.
Disclosure Information:
- Vulnerability found 3rd December
- Patch was made available 4th December
- Disclosed on InterN0T 4th December
- Vendor and Buqtraq (SecurityFocus) contacted the 4th December
=============================================
INTERNET SECURITY AUDITORS ALERT 2008-001
- Original release date: January 3rd, 2008
- Last revised: December 22nd, 2008
- Discovered by: Jesus Olmos Gonzalez
- Severity: 2/5
=============================================
I. VULNERABILITY
-------------------------
December 5th, 2007
=======
Summary
=======
Name: Cross Site Scripting in CiscoWorks
Release Date: 05 December 2007
Reference: LSD001-2007
Discover: Dave Lewis
Vendor: Cisco
October 3rd 2007 - Respond to CERT letting them know they can release
prolog.disclosure@gmail.com as my contact info; no other info can be
released for fear of contract being nullified.
November 14 2007 - Asked CERT if anything is going on. Response that
they would check with Meridian.
December 4 2007 - Asked CERT again if anything was going on. They
again contacted Meridian.
December 5th 2007 - Meridian asked for contact info and other
information. Responded with other information but not direct contact
information for fear of retaliation. Other information included
specifics about how the issue was found. Gave CERT option to release
=============================================
INTERNET SECURITY AUDITORS ALERT 2009-003
- Original release date: March 2nd, 2009
- Last revised: December 17th, 2009
- Discovered by: Juan Galiana Lara
- Severity: 9/10 (CVSS scored)
=============================================
I. VULNERABILITY
-------------------------
=============================================
INTERNET SECURITY AUDITORS ALERT 2009-005
- Original release date: March 2nd, 2009
- Last revised: December 18th, 2009
- Discovered by: Juan Galiana Lara
- Severity: 6.8/10 (CVSS scored)
=============================================
I. VULNERABILITY
-------------------------
=============================================
INTERNET SECURITY AUDITORS ALERT 2009-011
- Original release date: October 13th, 2009
- Last revised: December 18th, 2009
- Discovered by: Juan Galiana Lara
- CVE ID: CVE-2009-3702
- Severity: 8.5/10 (CVSS Base Score)
=============================================
I. VULNERABILITY
We used htmlentities() since we thought that would be the best
solution. The other functions named htmlspecialchars(), urlencode()
and raw_urlencode() could have been an alternative to the above.
Disclosure Information:
- Vulnerability found 27th December
- Patch was made available 27th December
- Disclosed on InterN0T 27th December
- Vendor and Buqtraq (SecurityFocus) contacted the 27th December
=============================================
INTERNET SECURITY AUDITORS ALERT 2009-004
- Original release date: December 3rd, 2008
- Last revised: March 10th, 2009
- Discovered by: Juan Galiana Lara
- Severity: 6.3/10 (CVSS scored)
=============================================
I. VULNERABILITY
-------------------------
Discovered: November 26, 2008
Discovered by: Rob Kraus, princeofnigeria (PoN)
Vendor: k23productions
Vendor URL: http://sourceforge.net/projects/tftputil
Vendor notification date: December 1, 2008
Vendor response date: December 8, 2008
Vendor acknowledgement: December 8, 2008
Vendor provided fix: December 8, 2008
Release coordinated with the vendor: --
Public disclosure date: January 14, 2009
Discovered: November 26, 2008
Discovered by: Rob Kraus, princeofnigeria (PoN)
Vendor: k23productions (as per various download sites)
Vendor URL: http://sourceforge.net/projects/tftputil
Vendor notification date: December 1, 2008
Vendor response date: December 8, 2008
Vendor acknowledgment: December 8, 2008
Vendor provided fix: December 8, 2008
Release coordinated with the vendor: --
Public disclosure date: January 14, 2009
[--Vulnerability Summary--]
Title: Syslserve 1.058 Denial of Service Vulnerability
Product: Syslserve 1.058
Discovered: December 1, 2008
Discovered by: Rob Kraus, princeofnigeria (PoN)
Vendor: Syslserve
Vendor URL: http://www.syslserve.com/
Vendor notification date: December 2, 2008
a fix is February 2010".
. 2009-10-23:
Core sends email to MSRC indicating that publication of the advisory has
been re-scheduled to November 10 2009 and it is open to delaying it
further up to the second Tuesday of December 2009 if MSRC is willing to
provide: a)detailed technical explanations of the bugs, b)the full list
of vulnerable platforms and c)a firm commitment to a release date for
the fixes. Core also says that if Microsoft can not target the next IE
patch release cycle, Core would rather publish the advisory to let other
parties address the risk with alternative fixes or mitigations. The
Next Page>>
|
