Archive for October, 2011
The RSA information leak affected companies in Moldova
Posted by Grigori in Cryptography, News on October 27, 2011
In March 2011, RSA's servers were breached, which resulted in the compromise of some SecurID two-factor authentication devices.
Today the list of the 760 companies affected by this information leak was published, and among them I noticed local companies:
MOLDCELL_AS Moldcell SA Autonomous System
MOLDDATA-AS Administrator of the top level domain .MD,
MOLDTELECOM-AS Moldtelecom Autonomous System
OMD-FNO Orange Moldova Fix Network Autonomous System
STARNET-AS StarNet Moldova
You can find out more about how the attack was carried out here.
Be safe.
phpMyAdmin 3.4.5 – Full path disclosure in phpmyadmin.css.php
Posted by Mihai in Vulnerabilities on October 17, 2011
phpMyAdmin 3.4.5 suffers from insufficient input validation of the js_frame parameter in phpmyadmin.css.php, exposing information that could be used in further attacks.
CVE Entry: CVE-2011-3646
CWE: CWE-20, CWE-200
PMASA ENTRY: PMASA-2011-15
Description
The script returns an error message containing the full path if the js_frame parameter is defined as an array.
Exploit
No authentication needed to exploit this vulnerability.
http://example.com/path_to_phpmyadmin/phpmyadmin.css.php?js_frame[]=right
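To check whether an installation has already received this request, web server access logs can be searched for phpmyadmin.css.php requests in which js_frame arrives as an array. The following is an added example, not part of the original advisory or of phpMyAdmin; it assumes combined-format access logs, and the function names and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Request line inside a combined-format access log entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def is_array_js_frame(target):
    """True if the request targets phpmyadmin.css.php with js_frame sent as an array."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/phpmyadmin.css.php"):
        return False
    # parse_qsl percent-decodes names, so js_frame%5B%5D is seen as js_frame[]
    params = parse_qsl(parts.query, keep_blank_values=True)
    # PHP builds an array from any name of the form js_frame[...]
    return any(name.startswith("js_frame[") for name, _ in params)

def find_probes(log_lines):
    """Return (client_ip, target) for each log line matching the pattern."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if m and is_array_js_frame(m.group("target")):
            hits.append((line.split(" ", 1)[0], m.group("target")))
    return hits

# Constructed sample log lines (documentation IP ranges, not real traffic)
SAMPLE_LOG = [
    '192.0.2.10 - - [17/Oct/2011:10:00:01 +0000] '
    '"GET /pma/phpmyadmin.css.php?js_frame=right HTTP/1.1" 200 5120',
    '198.51.100.7 - - [17/Oct/2011:10:00:05 +0000] '
    '"GET /pma/phpmyadmin.css.php?js_frame[]=right HTTP/1.1" 200 312',
    '198.51.100.7 - - [17/Oct/2011:10:00:09 +0000] '
    '"GET /pma/phpmyadmin.css.php?token=x&js_frame%5B%5D=left HTTP/1.1" 200 312',
    '203.0.113.4 - - [17/Oct/2011:10:01:00 +0000] '
    '"GET /pma/index.php?js_frame[]=right HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for ip, target in find_probes(SAMPLE_LOG):
        print(ip, target)
```

Only the two requests from 198.51.100.7 are reported: the scalar js_frame=right request and the array parameter sent to a different script are ignored.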
Official fix
Credits
Discovered by Mihail Ursu (securitate.md) on 12 Sep 2011.
Disclosure Timeline
Reported to vendor on 12 Sep 2011.
Confirmation from vendor 21 Sep 2011.
Patch confirmation 4 Oct 2011.
Official fix and public disclosure 17 Oct 2011.