New issue of (IN)SECURE Magazine – Feb 2007

The February 2007 issue (issue 10) of (IN)SECURE Magazine is out! The topics covered include:

  • Microsoft Windows Vista: significant security improvement?
  • Review: GFI Endpoint Security 3
  • Interview with Edward Gibson, Chief Security Advisor at Microsoft UK
  • Top 10 spyware of 2006
  • The spam problem and open source filtering solutions
  • Office 2007: new format and new protection/security policy
  • Wardriving in Paris
  • Interview with Joanna Rutkowska, security researcher
  • Climbing the security career mountain: how to get more than just a job
  • RSA Conference 2007 report
  • ROT13 is used in Windows? You’re joking!
  • Data security beyond PCI compliance – protecting sensitive data in a distributed environment

Here is the definitive fix for the Universal PDF XSS vulnerability

The (in)famous Adobe Acrobat Reader plugin Universal PDF XSS is the scariest vulnerability disclosed this year, because it turns any PDF hosted on a site into an XSS attack vector for that site.

Today Cyrill Brunschwiler released the definitive fix for it. His solution neutralises a malicious PDF link by issuing a unique, session-bound ID for each PDF request and checking that ID again before the PDF is served, so a link crafted by an attacker is not served as-is. Because one picture is worth a thousand words, here is the schema:

Many thanks to the Compass Security team for this.
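To make the idea concrete, here is an added illustration of the token gate described above. It is not Compass Security's code and does not reproduce their schema; the class and function names, the query parameter `t`, the 60-second lifetime and the in-memory token store are all assumptions made for this example. Two properties matter: the token is unguessable and bound to the requesting session and file, and it is consumed on first use. One caveat a practitioner should keep in mind: the XSS payload lives in the URL fragment (`#...`), which the browser never sends to the server, so the server cannot filter it; the gate only helps if the hop from the bare link to the tokenised URL does not carry the fragment along, and that hop is what the schema in the post covers.

```python
import secrets
import time
from typing import Callable, Dict, Optional, Tuple


class PdfTokenGate:
    """Hands out one-time download tokens and only approves serving a PDF
    when the URL carries a token issued to the same session for the same
    file.  Hypothetical helper written for this page, not the Compass
    Security implementation."""

    def __init__(self, ttl_seconds: int = 60,
                 clock: Callable[[], float] = time.time) -> None:
        self.ttl = ttl_seconds
        self.clock = clock          # injectable so expiry can be tested
        # token -> (session_id, pdf_path, expiry).  A real deployment would
        # keep this in the user's server-side session, not a global dict.
        self._issued: Dict[str, Tuple[str, str, float]] = {}

    def issue(self, session_id: str, pdf_path: str) -> str:
        token = secrets.token_urlsafe(32)   # 256 random bits, URL-safe, no '='
        self._issued[token] = (session_id, pdf_path, self.clock() + self.ttl)
        return token

    def redeem(self, session_id: str, pdf_path: str, token: str) -> bool:
        # pop() makes the token single-use: replaying the same link after a
        # successful download is refused.
        entry = self._issued.pop(token, None)
        if entry is None:
            return False
        issued_session, issued_path, expiry = entry
        if self.clock() > expiry:
            return False
        # Bind the token to the session that asked for it and to this file,
        # so a token captured from one victim cannot be replayed elsewhere.
        return (secrets.compare_digest(issued_session, session_id)
                and issued_path == pdf_path)


def handle_pdf_request(gate: PdfTokenGate, session_id: str, path: str,
                       query: Dict[str, str]) -> Tuple[str, object]:
    """Model of the server-side decision for a request to a .pdf URL.
    `query` is the parsed query string.  The fragment (where the payload
    sits) is not part of the HTTP request, so it never appears here."""
    token: Optional[str] = query.get("t")
    if token is None:
        # Bare link, the only kind an attacker can craft in advance: do not
        # serve the file, send the browser to a freshly tokenised URL.
        return ("redirect", f"{path}?t={gate.issue(session_id, path)}")
    if gate.redeem(session_id, path, token):
        return ("serve", path)
    return ("deny", 403)


if __name__ == "__main__":
    gate = PdfTokenGate()
    kind, target = handle_pdf_request(gate, "sess-A", "/report.pdf", {})
    print(kind, target)                       # redirect /report.pdf?t=...
    tok = target.split("?t=", 1)[1]
    print(handle_pdf_request(gate, "sess-A", "/report.pdf", {"t": tok}))  # serve
    print(handle_pdf_request(gate, "sess-A", "/report.pdf", {"t": tok}))  # deny (replay)
```

The gate refuses a bare `/report.pdf`, a guessed token, a replayed token, a token issued to another session, and an expired token; only the single fresh hop from the redirect to the PDF succeeds.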

Alarming WordPress Security Vulnerabilities

beNi published 3 alarming vulnerabilities in the popular WordPress blog platform:

  1. Cross Site Scripting – it didn't work for me
  2. Forced Redirect – it worked for me
  3. Directory Traversal – n/a

Given the huge install base, I really hope that the folks at wordpress.org issue a patch quickly to address these vulnerabilities. Update: it seems that the site hosting the proof-of-concept exploits is down for maintenance (thanks leion).

How to Turn Firefox Into an Attack Webserver

David Kellogg released one of the most amazing Firefox plugins: Plain Old Webserver (POW), which adds a web server to your browser.

Yes, you can run your own web server inside the browser. Although I didn't get past the "Hello World" application, it's amazing that this nifty tool supports server-side JavaScript, GET, POST, uploads, cookies, SQLite and AJAX.

This plugin is definitely a must-have tool for any web security assessment. Thanks to pdp (architect) for pointing out this tool!
