Thursday, May 9, 2013

DDIVRT-2013-53 Actuate 'ActuateJavaComponent' Multiple Vulnerabilities

Severity
--------
High

Date Discovered
---------------
March 19, 2013

Discovered By
-------------
Digital Defense, Inc. Vulnerability Research Team
Credit: Dennis Lavrinenko, Bobby Lockett, and r@b13$

1. Actuate 'ActuateJavaComponent' Arbitrary File Retrieval

Vulnerability Description
-------------------------
Actuate 10 contains a vulnerability within the 'ActuateJavaComponent'. This component allows unauthenticated attackers to retrieve arbitrary system files located outside of the web root.

Solution Description
--------------------
A solution for this security issue is not available at this time. End-users can mitigate this flaw by limiting access to affected systems through the use of access controls.

2. Actuate 'ActuateJavaComponent' Arbitrary Directory Browsing Vulnerability

Vulnerability Description
-------------------------
Actuate 10 contains an arbitrary directory browsing vulnerability within the 'ActuateJavaComponent'. This vulnerability allows the contents of any drive or directory to be browsed within the web application's interface.

Solution Description
--------------------
A solution for this security issue is not available at this time. End-users can mitigate this flaw by limiting access to affected systems through the use of access controls.

Tested Systems / Software
-------------------------
Actuate 10 Service Pack 1 Fix 4

Vendor Contact
--------------
Vendor Name: Actuate Corporation
Vendor Website: http://www.actuate.com/home/

Monday, April 15, 2013

DDIVRT-2013-52 Dell EqualLogic PS6110X Directory Traversal

Title
-----
DDIVRT-2013-52 Dell EqualLogic PS6110X Directory Traversal

Severity
--------
High

Date Discovered
---------------
February 19, 2013

Discovered By
-------------
Digital Defense, Inc. Vulnerability Research Team
Credit: Evan Sylvester and r@b13$

Vulnerability Description
-------------------------
The Dell EqualLogic PS6110X is vulnerable to a directory traversal. A remote unauthenticated attacker can leverage this vulnerability to traverse out of the web root and retrieve arbitrary system files.

Solution Description
--------------------
Dell has stated that the vulnerability described will be addressed in both the next maintenance release of the firmware, version 6.0.4, and in the next major firmware version. Dell plans to release the updated firmware on April 15, 2013 and has stated that it will be available to customers with valid support agreements through the EqualLogic support website (https://support.equallogic.com/).

Tested Systems / Software
-------------------------
Dell EqualLogic PS6110X – Firmware version: 6.0.0 through 6.0.3

Vendor Contact
--------------
Vendor Name: Dell
Vendor Website: http://www.dell.com

===================================================================

Friday, March 15, 2013

DDIVRT-2013-50 EverFocus EPARA264-16X1 Directory Traversal


Title
-----
DDIVRT-2013-50 EverFocus EPARA264-16X1 Directory Traversal

Severity
--------
High

Date Discovered
---------------
January 22, 2013

Discovered By
-------------
Digital Defense, Inc. Vulnerability Research Team
Credit: r@b13$

Vulnerability Description
-------------------------
The EverFocus EPARA264-16X1 DVR allows unauthenticated remote users to retrieve arbitrary system files that are located outside of the web root through a directory traversal on port 80.

Solution Description
--------------------
EverFocus has provided a solution for this security issue in the form of a firmware upgrade. EPARA264-16X1 devices with firmware version 1.0.3 or later are not affected by the security issue. The firmware update is available from EverFocus technical support.

Tested Systems / Software
-------------------------
EverFocus EPARA264-16X1 Firmware Version 1.0.2

Vendor Contact
--------------
Vendor Name: EverFocus
Vendor Website: http://www.everfocus.com/

Friday, December 14, 2012

VMware View Connection Server Directory Traversal


DDIVRT-2012-48 VMware View Connection Server Directory Traversal (CVE-2012-5978)

Severity
--------
High

Date Discovered
---------------
September 26, 2012

Discovered By
-------------
Digital Defense, Inc. Vulnerability Research Team
Credit: r@b13$

Vulnerability Description
-------------------------
The tunnel-server component of the VMware View Connection Server fails to ensure that each requested URL refers to a file that is both located within the web root of the server and is of a type that is allowed to be served.

A remote unauthenticated attacker can use this weakness to retrieve arbitrary files from the affected server's underlying root file system. This can be accomplished by submitting URL encoded HTTP GET requests that traverse out of the affected subdirectory.
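The weakness described in this advisory, and in the Actuate, Dell EqualLogic and EverFocus advisories above, is the same one: the server maps a URL to a file without checking that the decoded, resolved path still lies inside the web root and is of a servable type. The following is an added example, not code from Digital Defense, VMware or any other vendor named on this page. It shows a defensive path resolver that performs both checks (decoding repeatedly so double-encoded sequences are caught, resolving `..` and symlinks with realpath before the containment test, then applying an extension whitelist), and a small detector that flags traversal segments in access-log request lines once percent-encoding is undone. The web root, file names, whitelist and log lines are constructed for the demonstration.

```python
"""Added example (not Digital Defense's or any vendor's code): a defensive
path resolver of the kind the advisory says the tunnel-server lacks, plus a
detector for traversal attempts in access logs.  Web root, file names and
log lines below are constructed for the demonstration."""
import os
import re
import tempfile
from urllib.parse import unquote

# Constructed whitelist of file types the hypothetical server may serve.
ALLOWED_EXTENSIONS = {".html", ".js", ".css", ".png"}


def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded sequences (e.g. %252e)
    are seen in their final form; stops early once decoding is stable."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def resolve_request_path(web_root, request_path, allowed=ALLOWED_EXTENSIONS):
    """Map a request path to a file under web_root.

    Returns the absolute file path, or None when the request must be refused:
    embedded NUL, a resolved location outside web_root, or a disallowed type.
    Both root and candidate go through realpath so '..' segments and symlinks
    are resolved before the containment check, instead of string-matching
    the raw URL.
    """
    decoded = fully_decode(request_path)
    if "\x00" in decoded:
        return None
    # Drop any query string; strip leading slashes so join() stays relative.
    relative = decoded.split("?", 1)[0].lstrip("/")
    root = os.path.realpath(web_root)
    candidate = os.path.realpath(os.path.join(root, relative))
    if os.path.commonpath([root, candidate]) != root:
        return None  # escaped the web root
    if os.path.splitext(candidate)[1].lower() not in allowed:
        return None  # inside the root but not a servable type
    return candidate


# Detection side: flag request targets containing a '..' path segment after decoding.
TRAVERSAL_SEGMENT = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
REQUEST_LINE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def is_traversal_attempt(target):
    """True when the decoded request target contains a standalone '..' segment."""
    return bool(TRAVERSAL_SEGMENT.search(fully_decode(target)))


def flag_traversal_requests(log_lines):
    """Return the request targets in Common Log Format lines that contain a
    traversal segment once percent-decoding (including double encoding) is undone."""
    hits = []
    for line in log_lines:
        match = REQUEST_LINE.search(line)
        if match and is_traversal_attempt(match.group(1)):
            hits.append(match.group(1))
    return hits


# Constructed sample access-log lines (not from any real system).
SAMPLE_LOG = [
    '192.0.2.10 - - [26/Sep/2012:10:00:01 +0000] "GET /portal/index.html HTTP/1.1" 200 512',
    '192.0.2.11 - - [26/Sep/2012:10:00:02 +0000] "GET /portal/%2e%2e/%2e%2e/conf/server.xml HTTP/1.1" 200 1024',
    '192.0.2.12 - - [26/Sep/2012:10:00:03 +0000] "GET /portal/..%252f..%252fconfig.xml HTTP/1.1" 404 210',
    '192.0.2.13 - - [26/Sep/2012:10:00:04 +0000] "GET /portal/app.js?v=..1 HTTP/1.1" 200 99',
]


def build_demo_root():
    """Create a throwaway web root with one servable page and one
    non-servable file so the resolver can be exercised offline."""
    root = tempfile.mkdtemp(prefix="webroot_")
    os.makedirs(os.path.join(root, "portal"))
    with open(os.path.join(root, "portal", "index.html"), "w") as fh:
        fh.write("<html></html>")
    with open(os.path.join(root, "settings.ini"), "w") as fh:
        fh.write("[demo]\n")
    return root


if __name__ == "__main__":
    demo_root = build_demo_root()
    for path in ("/portal/index.html", "/portal/%2e%2e/%2e%2e/conf/server.xml", "/settings.ini"):
        print(path, "->", resolve_request_path(demo_root, path))
    print("flagged:", flag_traversal_requests(SAMPLE_LOG))
```

The containment check compares canonical paths rather than searching the URL for `..`, because a blacklist on the raw string misses encoded and double-encoded variants; the log detector, by contrast, is deliberately pattern-based and decodes before matching so that those same variants surface in review. The query-string line in the sample log is there to show that `..` inside a parameter value is not reported as a traversal segment.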

Solution Description
--------------------
VMware has produced a solution for the issue in the form of an upgrade which is available through their website. The VMware advisory can be found at: http://www.vmware.com/security/advisories/VMSA-2012-0017.html

Vulnerable Software
-------------------------
VMware View 5.x prior to version 5.1.2
VMware View 4.x prior to version 4.6.2

Vendor Contact
--------------
Vendor Name: VMware, Inc.
Vendor Website: http://www.vmware.com/

Thursday, December 6, 2012

I Know What You Are Reading...

Before e-readers and tablet computers, the only worry that most book readers had was whether someone, usually the federal government, could keep tabs on what was being checked out at the local library. While the possibility existed for this surveillance, the likelihood that you were going to be singled out was relatively low.

My how things have changed.

With the advent of e-readers, it is the corporation, not the federal government that has become the new "big brother" of our reading habits. Via e-book and reader technologies, more and more companies know what you are reading, how you are reading, and when you are reading.

If you think that this is all unfounded paranoia, you need look no further than the information provided by the EFF on what corporations can now find out about your reading habits.

The chart can be found here. Check it out, it's enlightening to say the least.

Tuesday, November 27, 2012

Another awesome infographic from our friends at Veracode!


Infographic by Veracode Application Security


Monday, November 5, 2012

Ever wonder how you are being tracked on the Internet? Here is a really nice infographic from our good friends at Veracode that breaks it all down.


How Companies Track You on the Web
Infographic by Veracode Application Security