Next Page >>
authors
Dear Mr. Poehls,
yes, I can see your point and I agree that there's a risk for an unexperienced user to be spoofed by showing an Author, Time Stamps and State that could have been tampered with after the original owner has signed the document.
But in my opinion, this again emphasizes the need for sufficient knowledge of users about the way how applications may change the appearance of signed documents in a way not intended by the author at the time of signing and that's a question far beyond the considerations concerning the behavior of individual applications like MS Office.
In fact the visual clue you gave for a signed document in Word 2007 shows that in the context for those document properties there are also attributes like keywords, category and comments which are less misleading to the assumption those properties could be part of the signed document. So for example users of SharePoint Office Server are acquainted with the behavior of showing data that is managed and shown on server side in that area above the document. You should also mention that the label on the menu for showing this area reads "Prepare Document for Publishing" which also in my opinion gives a clue that this data is not part of the signed document.
Although I would appreciate if Word 2007 would give more visual clue for the fact that this data isn't part of the signed document, I still believe that this is not a major security issue.
Regards,
> server side in that area above the document.
This might be true, but in my opinion, still builds on either the
assumption
- that MetaData (like category) is not part of the
author's document (thus not covered by his digital
signature), or
- that users are educated/aquinted with having
information "with" a document that did not originate from the
author.
rt of the document and so they decided not to include it in the content pro=
tected by the certificate.=20
>=20
> This fits the way we use attaching metadata during the process of categor=
ization to enable retrieval of a document by means and taxonomies of the re=
cipient, not of the author. If instead, as you seem to propose, metadata wo=
uld be treated as part of the document, attaching the metadata needed for r=
etrieval purposes would invalidate the signature of the document.=20
>=20
> Therefore this time I would go with Microsoft for their solution fits our=
needs and doesn't compromise the integrity protection of the document itse=
• Application security awareness and education
• Security for the mobile web
• Attacks and Vulnerability Exploitation
Paper Submission Instructions
Authors should submit an original paper in English, carefully checked for correct grammar and spelling, using the on-line submission procedure (http://www.easychair.org/conferences/?conf=ibwas10). Please check the paper formats so you may be aware of the accepted paper page limits (12 pages, in accordance to a supplied template: ftp://ftp.springer.de/pub/tex/latex/llncs/word/LNCS-Office2007.zip).
The guidelines for paper formatting provided at the conference web site must be strictly used for all submitted papers. The submission format is the same as the camera-ready format. Please check and carefully follow the instructions and templates provided.
Each paper should clearly indicate the nature of its technical/scientific contribution, and the problems, domains or environments to which it is applicable.
Papers that are out of the conference scope or contain any form of plagiarism will be rejected without reviews.
Remarks about the on-line submission procedure:
1. A "double-blind" paper evaluation method will be used. To facilitate that, the authors are kindly requested to produce and provide the paper, WITHOUT any reference to any of the authors. This means that is necessary to remove the author’s personal details, the acknowledgements section and any reference that may disclose the authors identity
one would assume will be addressed by J2SE 1.4.2 SR13 and Java SE 6 SR4
but no further information was provided by IBM.
** Disclosure History **
Initial disclosures to the Java Runtime author community;
17 Jul - Apache Harmony Project
18 Jul - OpenJDK Project
21 Jul - Sun Microsystems, Inc.
28 Jul - HP
31 Jul - Apple, Inc.
> part of the document and so they decided not to include it in the
> content protected by the certificate.
Considering that the MetaData not protected by the signature contains
among others:
1.) Author
2.) Dates of creation and last change
3.) State Information
I do think that most people, certainly the users, would feel that this
data belongs to the "document", and would be protected when the
"document" is signed.
New core features:
Trending for top author, popular topics and daily additions
Tagging exists all over the place
Commenting is allowed everywhere
return r
To encode a plain tgz file into a valid configuration archive, just apply
the inverse of the "conf_decode" procedure.
[UNAUTHORIZED ACCESS TO THE DEVICE]
By leveraging the aforementioned vulnerabilities, an attacker can easily obtain
the authentication credentials for the "admin" user as follows:
1. Authenticate as the hidden "productmaker" user.
2. Exploit the command-injection vulnerability to obtain the content of the
. 2010-05-27:
Core Security Technologies notifies XnView of the vulnerability.
. 2010-05-27:
The XnView author acknowledges receipt of the notification.
. 2010-05-27:
Core sends a technical description of the vulnerability, and a
Proof-of-Concept file that triggers the bug.
networks. Papers can be 10-20 pages long and, if accepted, they will
be presented and included in the RAID 2009 proceedings published by
Springer Verlag in its Lecture Notes in Computer Science
(http://www.springer.de/comp/lncs/index.html) series. Papers must be
formatted according to the instructions provided by Springer Verlag
(http://www.springer.de/comp/lncs/authors.html), and include an
abstract and a list of keywords.
2. Posters describing innovative ideas not mature enough for a full
paper and works in progress. A two-page poster abstract formatted as
a full paper with an abstract must be submitted. If accepted, it
networks. Papers can be 10-20 pages long and, if accepted, they will
be presented and included in the RAID 2009 proceedings published by
Springer Verlag in its Lecture Notes in Computer Science
(http://www.springer.de/comp/lncs/index.html) series. Papers must be
formatted according to the instructions provided by Springer Verlag
(http://www.springer.de/comp/lncs/authors.html), and include an
abstract and a list of keywords.
2. Posters describing innovative ideas not mature enough for a full
paper and works in progress. A two-page poster abstract formatted as
a full paper with an abstract must be submitted. If accepted, it
Uninformed is pleased to announce the release of its eighth volume. This
volume includes 6 articles on a variety of topics:
- Covert Communications: Real-time Steganography with RTP
Author: I)ruid
- Engineering in Reverse: PatchGuard Reloaded: A Brief Analysis of
PatchGuard Version 3
Author: Skywing
Uninformed is pleased to announce the release of its eighth volume. This
volume includes 6 articles on a variety of topics:
- Covert Communications: Real-time Steganography with RTP
Author: I)ruid
- Engineering in Reverse: PatchGuard Reloaded: A Brief Analysis of
PatchGuard Version 3
Author: Skywing
Release mode: Coordinated release
2. *Vulnerability Information*
Class: Authorization bypass, Buffer overflow
Remotely Exploitable: Yes
Locally Exploitable: No
Bugtraq ID: 34035
CVE Name: CVE-2009-0836, CVE-2009-0837
There is possbile get username and password from "Proxy-Authorization" header, which is not correctly removed when authorization header sends WMP.
Requirements:
- IWSVA/IWSS basic authorization on
- Client is using WMP (8-11) as video player
- Standalone proxy (if upstream proxy is used, "Proxy-Authorization" header is removed by this upstream proxy)
Bug:
MITKRB5-SA-2010-006
MIT krb5 Security Advisory 2010-006
Original release: 2010-10-05
Topic: KDC uninitialized pointer crash in authorization data handling
CVE-2010-1322
CVSSv2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:C/E:H/RL:OF/RC:C
----------------------------------------------------------------------
(PT-2011-20) Positive Technologies Security Advisory
Authorization bypass vulnerability in OneOrZero AIMS
----------------------------------------------------------------------
---[Vulnerable software]
======================================================================
Secunia Research 05/07/2010
- Joomla BookLibrary From Same Author Module "id" SQL Injection -
======================================================================
Table of Contents
Affected Software....................................................1
There are the next solutions for you:
1. Wait until developers of CB Captcha released new fixed version of the
plugin. They are examining this vulnerability for some time already (at
least Beat, developer of CB Captcha 2.x, because from two authors only he
answered me). But Beat told me, that they will be releasing the new fixed
version not very quickly (due to their standardized bugfixing process), so
users of CB Captcha will need to wait for new release.
2. Contact Beat and ask him when developers will be releasing new version of
Ekoparty 4th edition is recruiting everyone who is interested in showing
their researches and/or develops in the field of Information
Security/Insecurity.
The author of a selected speech will be able to attend as event speaker.
In the case that a speech has shared authors, no more than 3 will be
allowed to present it.
*Where to send speeches*
"netOffice Dwins is a free web based time tracking, timesheet, and
project management environment."
- Details
It is possible for an attacker to bypass authorization, upload arbitrary
PHP files, and then execute them on the server.
netOffice extracts all GET, POST, SESSION, SERVER, and COOKIE parameters
into the local variable space. This has the same effect as turning
on register globals. The code below is from includes/library.php.
Dear Mr. Poehls,
I think Microsoft does not consider metadata attached to a document as part of the document and so they decided not to include it in the content protected by the certificate.
This fits the way we use attaching metadata during the process of categorization to enable retrieval of a document by means and taxonomies of the recipient, not of the author. If instead, as you seem to propose, metadata would be treated as part of the document, attaching the metadata needed for retrieval purposes would invalidate the signature of the document.
Therefore this time I would go with Microsoft for their solution fits our needs and doesn't compromise the integrity protection of the document itself in any serious way. Just think of it as a sticker placed on the outside of a sealed envelope: You mustn't trust anything on the outside, just look inside the envelope to find the information you can rely on.
Yours
H.-D. Naujoks
The version with a fix was in fact sent to me personally, but not, as
the reporter claims, to all the "SquirrelMail developers."
That version was not up to spec in several regards, and so I
encouraged the plugin's author to work on a more up-to-date version.
The author responded with interest, but after another correspondence
regarding the quality of the plugin's code, the author failed to
reply.
As far as I was concerned, the issue was waiting for the author to
Submissions must be made by the deadline of May 6, 2011, through the
website:
http://www.easychair.org/conferences/?conf=ccs2011
The review process will be carried out in two phases and authors will
have an opportunity to comment on the first-phase reviews. Authors will
be notified of the first-phase reviews on Monday, June 20, 2011 and can
send back their comments by Thursday, June 23, 2011.
Submitted papers must not substantially overlap papers that have been
server setup and comes as default with most PHP5 installations. Just drop Pritlog into your server and it
starts running. No separate installation is required.
Feature(s):
* WYSIWYG editor - nicEdit
* Admin interface (change site properties, add authors, change password)\\\\\\\'\\\\\\\'\\\\\\\'
* Easy translation. Language selection available in the admin panel. Language files must be created.
* Sticky Posts
* Integrated login system with registration
* Pretty Urls
* SEO Optimization
Selected table.
SQL Injection:
Attack is conducted during access to admin panel of XAMPP - via
above-mentioned Insufficient Authorization vulnerability or via Insufficient
Authorization vulnerability which was found earlier, which I wrote about
(http://websecurity.com.ua/3220/).
At page http://site/xampp/adodb.php
CVE-2010-4020
MIT krb5 (releases krb5-1.8 and newer) incorrectly accepts RFC 3961
key-derivation checksums using RC4 keys when verifying AD-SIGNEDPATH
and AD-KDC-ISSUED authorization data.
CVE-2010-4021
MIT krb5 KDC (release krb5-1.7 only) may issue tickets not requested
by a client, based on an attacker-chosen KrbFastArmoredReq.
- Strategic Viewpoints
- Technical Challenges and Solutions
- Cyber Law
Authors should send a one-page abstract to cfp ... / at / ...
ccdcoe.org by November 30, 2009.
The Selection Committee will notify all authors of its decisions by
December 18, 2009.
Name: Xpdf - Integer overflow which causes heap overflow and NULL pointer derefernce
Author: Adam Zabrocki / HISPASEC (<pi3@itsec.pl> or <adam@hispasec.com>)
Date: July 06, 2009
Issue:
Xpdf allows local and remote attackers to overflow buffer on heap via integer overflow vulnerability.
Xpdf is prone to NULL pointer dereference attack.
published by IEEE CPS (Conference Publishing Service) and distributed
to all participants, and will also be included in the IEEE Digital
Library. A special issue of an IEEE Journal collecting selected papers
presented at COMPENG is planned after the workshop.
Perspective Authors should send by October 1, 2009, a draft of their
paper (template on the web) to the Conference Secretariat (TBC)
Notification of acceptance will be e-mailed to Authors by November 15,
and the preliminary program will be issued on the conference website.
Camera-Ready papers must be submitted within November 30.
Next Page>>
|
