Next Page >>
Ethical Issues
* Network Forensics
* Network Discovery and Mapping
* Incident Response and Management
* Privacy Protection
* Cryptography
* Legal and Ethical Issues
EC2ND 2010 specifically encourages submissions presenting work at an
early stage with the intention to act as a discussion forum for
innovative security research. While our goal is to solicit ideas
that are not completely worked out, and might have challenging and
* Network Forensics
* Network Discovery and Mapping
* Incident Response and Management
* Privacy Protection
* Cryptography
* Legal and Ethical Issues
EC2ND 2010 specifically encourages submissions presenting work at an
early stage with the intention to act as a discussion forum for
innovative security research. While our goal is to solicit ideas
that are not completely worked out, and might have challenging and
* Cryptography
* Network Discovery and Mapping
* Incident Response and Management
* Malicious Software
* Web Services Security
* Legal and Ethical Issues
The conference will be technically co-sponsored by the IEEE Computer
Society - Italy Chapter.
*** Submitting a Paper ***
* Cryptography
* Network Discovery and Mapping
* Incident Response and Management
* Malicious Software
* Web Services Security
* Legal and Ethical Issues
The conference will be technically co-sponsored by the IEEE Computer
Society - Italy Chapter.
*** Submitting a Paper ***
Cryptography
Network Discovery and Mapping
Incident Response and Management
Malicious Software
Web Services Security
Legal and Ethical Issues
Important Dates
Paper Submission Deadline: September 1st, 2008
* Network Forensics
* Network Discovery and Mapping
* Incident Response and Management
* Privacy Protection
* Cryptography
* Legal and Ethical Issues
EC2ND 2010 specifically encourages submissions presenting work at an
early stage with the intention to act as a discussion forum for
innovative security research. While our goal is to solicit ideas
that are not completely worked out, and might have challenging and
router) to the reader.
** About GNUCITIZEN **
GNUCITIZEN is a Cutting Edge, Ethical Hacker Outfit, Information Think
Tank, which primarily deals with all aspects of the art of hacking.
Our work has been featured in established magazines and information
portals, such as Wired, Eweek, The Register, PC Week, IDG, BBC and
many others. The members of the GNUCITIZEN group are well known and
well established experts in the Information Security, Black Public
http://www.gnucitizen.org/blog/bt-home-flub-pwnin-the-bt-home-hub-5
http://www.gnucitizen.org/blog/hacking-with-upnp-universal-plug-and-play
GNUCITIZEN is a Cutting Edge, Ethical Hacker Outfit, Information Think
Tank, which primarily deals with all aspects of the art of hacking.
Our work has been featured in established magazines and information
portals, such as Wired, Eweek, The Register, PC Week, IDG, BBC and
many others. The members of the GNUCITIZEN group are well known and
well established experts in the Information Security, Black Public
Europe, Africa, China and Australia. For more information,
visit https://www.trustwave.com
About Trustwave's SpiderLabs:
SpiderLabs is the advance security team at Trustwave
responsible for incident response and forensics, ethical
hacking and application security tests for Trustwave's
clients. SpiderLabs has responded to hundreds of security
incidents, performed thousands of ethical hacking exercises
and tested the security of hundreds of business applications
for Fortune 500 organizations. For more information visit
For all Apple's talk of "think different" the only one actually doing so in
regards to browser security is Google. XSS, XPS/IPE, all the traditional
methods fail against Chrome. Google, I don't even care that you are the most
ruthlessly evil corporation in existence anymore. Your stuff just works. You
had me sold at functional reliability. There was a time in my life that I had
large concern about corporate ethics. Now I know that all corporations are
evil. Some more than others. The one who is evil and smart will only ruin you
with malice, where the one that is evil and stupid can ruin you out of both
malice and out of sheer incompetence.
To give this exploit a little of that "je ne sais quoi", we need to come up
Vulnerable Version: 2.0a and Probably Prior Versions
Vendor Notification: 10 June 2010
Vulnerability Type: SQL Injection
Status: Fixed by Vendor
Risk level: High
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing (http://www.htbridge.ch/)
Vulnerability Details:
The vulnerability exists due to failure in the search page to properly sanitize user-supplied input in Search* variables. Attacker can alter queries to the application SQL database, execute arbitrary queries to the database, compromise the application, access or modify sensitive data, or exploit various vulnerabilities in the underlying SQL database.
Attacker can use browser to exploit this vulnerability. The following PoC is available:
: Vulnerable Version: 2.0.6 and Probably Prior Versions
: Vendor Notification: 14 June 2010
: Vulnerability Type: SQL Injection
: Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response
: Risk level: High
: Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing (http://www.htbridge.ch/)
:
: Vulnerability Details:
: The vulnerability exists due to failure in the search script to properly sanitize user-supplied input in "q" variable. Attacker can alter queries to the application SQL database, execute arbitrary queries to the database, compromise the application, access or modify sensitive data, or exploit various vulnerabilities in the underlying SQL database.
:
: Attacker can use browser to exploit this vulnerability. The following PoC is available:
Vulnerable Version: 2.00 and Probably Prior Versions
Vendor Notification: 21 June 2010
Vulnerability Type: XSS (Cross Site Scripting)
Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response
Risk level: Medium
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing (http://www.htbridge.ch/)
Vulnerability Details:
User can execute arbitrary JavaScript code within the vulnerable application.
The vulnerability exists due to failure in the "/newappointment.php" script to properly sanitize user-supplied input in multiple variables. Successful exploitation of this vulnerability could result in a compromise of the application, theft of cookie-based authentication credentials, disclosure or modification of sensitive data.
/index.php?page=home&component=basket&command=%3Cscript%3Ealert(document.cookie);%3C/script%3E
Only becoming a Ethical Hacker, you can stop a Hacker. Learn with out having
to pay thousands!- http://kit.hackerscenter.com - The most comprehensive security
pack you will ever find on the net!
Vulnerable Version: 2.00 and Probably Prior Versions
Vendor Notification: 21 June 2010
Vulnerability Type: XSS (Cross Site Scripting)
Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response
Risk level: Medium
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing (http://www.htbridge.ch/)
Vulnerability Details:
User can execute arbitrary JavaScript code within the vulnerable application.
The vulnerability exists due to failure in the "/newtelephone.php" script to properly sanitize user-supplied input in multiple variables. Successful exploitation of this vulnerability could result in a compromise of the application, theft of cookie-based authentication credentials, disclosure or modification of sensitive data.
Vulnerable Version: 5.1.2 and Probably Prior Versions
Vendor Notification: 29 June 2010
Vulnerability Type: XSS (Cross Site Scripting)
Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response
Risk level: Medium
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing (http://www.htbridge.ch/)
Vulnerability Details:
User can execute arbitrary JavaScript code within the vulnerable application.
The vulnerability exists due to failure in the page metas managing script to properly sanitize user-supplied input in "value" variable. Successful exploitation of this vulnerability could result in a compromise of the application, theft of cookie-based authentication credentials, disclosure or modification of sensitive data.
http://www.google.com/search?hl=en&q=Powered+by+BOINC&btnG=Search
Only becoming a Ethical Hacker, you can stop a Hacker. Learn with out having
to pay thousands!- http://kit.hackerscenter.com - The most comprehensive security
pack you will ever find on the net!
About Trustwave's SpiderLabs:
SpiderLabs is the advance security team at Trustwave
responsible for incident response and forensics, penetration
testing, application security and security research for
Trustwave's clients. SpiderLabs has responded to hundreds of
security incidents, performed thousands of ethical hacking
exercises and tested the security of hundreds of business
applications for Fortune 500 organizations. For more
information visit https://www.trustwave.com/spiderlabs
Disclaimer:
Only becoming a Ethical Hacker, you can stop a Hacker. Learn with out having
to pay thousands!- http://kit.hackerscenter.com - The most comprehensive security
pack you will ever find on the net!
http://www.hackerscenter.com/public/images/2.jpg
http://www.hackerscenter.com/public/images/3.jpg
Only becoming a Ethical Hacker, you can stop Black Hat Hackers. Learn with out
having to pay thousands!- http://kit.hackerscenter.com - The most comprehensive
security pack you will ever find on the net!
Vulnerable Version: 2.00 and Probably Prior Versions
Vendor Notification: 21 June 2010
Vulnerability Type: XSS (Cross Site Scripting)
Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response
Risk level: Medium
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing (http://www.htbridge.ch/)
Vulnerability Details:
User can execute arbitrary JavaScript code within the vulnerable application.
The vulnerability exists due to failure in the "/login.php" script to properly sanitize user-supplied input in "txtusername" POST parameter. Successful exploitation of this vulnerability could result in a compromise of the application, theft of cookie-based authentication credentials, disclosure or modification of sensitive data.
#Finding Date: April 2007
#Report Date: Dec. 2009
#Found by: Soroush Dalili (Irsdl {4t] yahoo [d0t} com)
#Website: Soroush.SecProject.com
#Weblog: Soroush.SecProject.com/blog/
#Thanks From: Mr. Ali Abbas Nejad, Mormoroth, Aria-Security Team, and other ethical hackers.
#Vulnerability/Risk Description:
- IIS can execute any extension as an Active Server Page or any other executable extension. For instance “malicious.asp;.jpg” is executed as an ASP file on the server. Many file uploaders protect the system by checking only the last section of the filename as its extension. And by using this vulnerability, an attacker can bypass this protection and upload a dangerous executable file on the server.
#Impact Description:
- Impact of this vulnerability is absolutely high as an attacker can bypass file extension protections by using a semi-colon after an executable extension such as “.asp”, “.cer”, “.asa”, and so on.
- Many web applications are vulnerable against file uploading attacks because of this weakness of IIS. In a measurement which was performed in summer 2008 on some of the famous web applications, 70 percent of the secure file uploaders were bypassed by using this vulnerability.
: Vulnerable Version: 4.0 and Probably Prior Versions
: Vendor Notification: 14 June 2010
: Vulnerability Type: XSS (Cross Site Scripting)
: Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response
: Risk level: Medium
: Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing (http://www.htbridge.ch/)
:
: Vulnerability Details:
: User can execute arbitrary JavaScript code within the vulnerable application.
:
: The vulnerability exists due to failure in the "/content.asp" script to properly sanitize user-supplied input in "keywords" variable. Successful exploitation of this vulnerability could result in a compromise of the application, theft of cookie-based authentication credentials, disclosure or modification of sensitive data.
Vulnerable Version: 5.1.2 and Probably Prior Versions
Vendor Notification: 29 June 2010
Vulnerability Type: XSS (Cross Site Scripting)
Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response
Risk level: Medium
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing (http://www.htbridge.ch/)
Vulnerability Details:
User can execute arbitrary JavaScript code within the vulnerable application.
The vulnerability exists due to failure in the blog items filter module script to properly sanitize user-supplied input in "article_form_filter[name][text]" variable. Successful exploitation of this vulnerability could result in a compromise of the application, theft of cookie-based authentication credentials, disclosure or modification of sensitive data.
http://www.google.com/search?hl=en&q=%2Fforum%2Flogin_user.asp%3FRedirect%3D%2F&btnG=Google+Search
Only becoming an Ethical Hacker, you can stop a hacker. Were can you learn with out
having to pay thousands!- http://kit.hackerscenter.com - The most comprehensive
security pack you will ever find on the net!
Vulnerable Version: 5.1.2 and Probably Prior Versions
Vendor Notification: 29 June 2010
Vulnerability Type: XSS (Cross Site Scripting)
Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response
Risk level: Medium
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing (http://www.htbridge.ch/)
Vulnerability Details:
User can execute arbitrary JavaScript code within the vulnerable application.
The vulnerability exists due to failure in the dmCore script to properly sanitize user-supplied input in "text" variable. Successful exploitation of this vulnerability could result in a compromise of the application, theft of cookie-based authentication credentials, disclosure or modification of sensitive data.
* About GNUCITIZEN *
GNUCITIZEN is a Cutting Edge, Ethical Hacker Outfit, Information Think
Tank, which primarily deals with all aspects of the art of hacking.
Our work has been featured in established magazines and information
portals, such as Wired, Eweek, The Register, PC Week, IDG, BBC and
many others. The members of the GNUCITIZEN group are well known and
well established experts in the Information Security, Black Public
> predicted.
>
>
> ABOUT GNUCITIZEN
>
> GNUCITIZEN is a Cutting Edge, Ethical Hacker Outfit, Information Think
> Tank, which primarily deals with all aspects of the art of hacking.
> Our work has been featured in established magazines and information
> portals, such as Wired, Eweek, The Register, PC Week, IDG, BBC and
> many others. The members of the GNUCITIZEN group are well known and
> well established experts in the Information Security, Black Public
Vulnerable Version: 2.0a and Probably Prior Versions
Vendor Notification: 10 June 2010
Vulnerability Type: SQL Injection
Status: Fixed by Vendor
Risk level: High
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing (http://www.htbridge.ch/)
Vulnerability Details:
The vulnerability exists due to failure in the "index.asp" script to properly sanitize user-supplied input in "qt" variable. Attacker can alter queries to the application SQL database, execute arbitrary queries to the database, compromise the application, access or modify sensitive data, or exploit various vulnerabilities in the underlying SQL database.
Attacker can use browser to exploit this vulnerability. The following PoC is available:
Vulnerable Version: Current at 08.06.2010 and Probably Prior Versions
Vendor Notification: 10 June 2010
Vulnerability Type: XSS (Cross Site Scripting)
Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response
Risk level: Medium
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing (http://www.htbridge.ch/)
Vulnerability Details:
User can execute arbitrary JavaScript code within the vulnerable application.
The vulnerability exists due to failure in the "search/results" script to properly sanitize user-supplied input in "keyword" variable. Successful exploitation of this vulnerability could result in a compromise of the application, theft of cookie-based authentication credentials, disclosure or modification of sensitive data.
Next Page>>
|
