HUP cikkturkáló (article digest)

New Magento RCE + vulnerabilities in Hungarian shops

https://magento.com/security/patches/supee-8788

RCE, SQL injection, XSS, session hijacking based on email address, database backup without authentication, etc.

Out of interest, I examined a few Hungarian Magento-based webshops:

9 vulnerabilities: beauty.hu
9 vulnerabilities: fashionoutlet.hu
9 vulnerabilities: formatexjatekok.hu
8 vulnerabilities: beston.hu
8 vulnerabilities: cuwebshop.hu
8 vulnerabilities: deltavision.hu
7 vulnerabilities: dogloveshop.hu
7 vulnerabilities: monkey-sports.hu
6 vulnerabilities: anemzetikonyvekboltja.hu
6 vulnerabilities: autoguminet.hu
5 vulnerabilities: szerszamdoboz.hu
5 vulnerabilities: basys.co
5 vulnerabilities: stellabeauty.hu
5 vulnerabilities: rokonsport.hu
5 vulnerabilities: hitspace.hu
5 vulnerabilities: pingvinpatika.hu
4 vulnerabilities: stylebolt.hu
4 vulnerabilities: ithon.info
3 vulnerabilities: limeset.com
3 vulnerabilities: bauhaus.hu
3 vulnerabilities: gasztronagyker.hu
3 vulnerabilities: gemklub.hu
3 vulnerabilities: harrypottershop.hu
2 vulnerabilities: iceklima.hu
2 vulnerabilities: shop.rossmann.hu
1 vulnerability: shop.fradi.hu
1 vulnerability: cipofalva.hu

So every one of them contained the vulnerabilities mentioned in the thread-opening link, but most of them are also missing the earlier (similarly serious) fixes.

Related:
Almost 6,000 online shops hit by hackers - http://www.bbc.com/news/technology-37643754

Apple will automatically download macOS Sierra on Macs starting today

"The move, which mimics Microsoft's aggressive rollout of Windows 10, is meant to make upgrading a more seamless and convenient process. It should also boost the percentage of customers that are keeping up with Apple's latest release."


Apple to automatically cram macOS Sierra into Macs – 'cos that worked well for Windows 10
And they say Microsoft never innovates anything…

Ahahahhaahhaha.

Multiple vulnerabilities found in the Dlink DWR-932B (backdoor, backdoor accounts, weak WPS, RCE ...)

- Telnet and SSH services running by default, with two hard-coded secret accounts (admin:admin and root:1234).
- Router has another secret backdoor that can be exploited by only sending the "HELODBG" string as a secret hard-coded command to UDP port 39889, which in return launches Telnet with root privileges without any authentication.
- The PIN for the WPS system on D-Link routers is '28296607,' which is hard-coded in the /bin/appmgr program.
- It's notable the FOTA (Remote firmware over-the-air) daemon tries to retrieve the firmware over HTTPS. But at the date of the writing, the SSL certificate for https://qdp:qdp@fotatest.qmitw.com/qdh/ispname/2031/appliance.xml is invalid for 1.5 years

- Jun 16, 2016: Dlink Security Incident Response Team (William Brown) acknowledges the receipt of the report and says they will provide further updates.
- Sep 13, 2016: Dlink says they don't have a schedule for a firmware release. Customers who have questions should contact their local/regional D-Link support offices for the latest information. support.dlink.com will be updated in the next 24 hours.
- Sep 28, 2016: A public advisory is sent to security mailing lists.

https://pierrekim.github.io/blog/2016-09-28-dlink-dwr-932b-lte-routers-…

How to Crash Systemd in One Tweet

The following command, when run as any user, will crash systemd:

NOTIFY_SOCKET=/run/systemd/notify systemd-notify ""

After running this command, PID 1 is hung in the pause system call. You can no longer start and stop daemons. inetd-style services no longer accept connections. You cannot cleanly reboot the system. The system feels generally unstable (e.g. ssh and su hang for 30 seconds since systemd is now integrated with the login system).

https://www.agwa.name/blog/post/how_to_crash_systemd_in_one_tweet