Search Results

Search found 354 results on 15 pages for 'vulnerability'.

  • Microsoft Disputes 'Vulnerability' in Virtual PC

    Microsoft reacted this week to a claim that its Virtual PC hypervisor contains a security hole.

  • IE 8 XSS Vulnerability To Get Fixed in June

    Microsoft is preparing a security update in June for the IE XSS filter in Internet Explorer 8.

  • Network vulnerability and port scanning services

    - by DigitalRoss
    I'm setting up a periodic port scan and vulnerability scan for a medium-sized network implementing a customer-facing web application. The hosts run CentOS 5.4. I've used tools like Nmap and OpenVAS, but our firewall rules have special cases for connections originating from our own facilities and servers, so really the scan should be done from the outside. Rather than setting up a VPS or EC2 server and configuring it with various tools, it seems like this could just be contracted out to a port and vulnerability scanning service. If they do it professionally they may be more up to date than something I set up and let run for a year... Any recommendations or experience doing this?

  • How to avoid open-redirect vulnerability and safely redirect on successful login (HINT: ASP.NET MVC

    - by Brad B.
    Normally, when a site requires that you are logged in before you can access a certain page, you are taken to the login screen and after successfully authenticating yourself, you are redirected back to the originally requested page. This is great for usability - but without careful scrutiny, this feature can easily become an open redirect vulnerability. Sadly, for an example of this vulnerability, look no further than the default LogOn action provided by ASP.NET MVC 2:

        [HttpPost]
        public ActionResult LogOn(LogOnModel model, string returnUrl)
        {
            if (ModelState.IsValid)
            {
                if (MembershipService.ValidateUser(model.UserName, model.Password))
                {
                    FormsService.SignIn(model.UserName, model.RememberMe);
                    if (!String.IsNullOrEmpty(returnUrl))
                    {
                        return Redirect(returnUrl); // open redirect vulnerability HERE
                    }
                    else
                    {
                        return RedirectToAction("Index", "Home");
                    }
                }
                else
                {
                    ModelState.AddModelError("", "User name or password incorrect...");
                }
            }
            return View(model);
        }

    If a user is successfully authenticated, they are redirected to "returnUrl" (if it was provided via the login form submission). Here is a simple example attack (one of many, actually) that exploits this vulnerability:

    1. Attacker, pretending to be victim's bank, sends an email to victim containing a link, like this: http://www.mybank.com/logon?returnUrl=http://www.badsite.com
    2. Having been taught to verify the ENTIRE domain name (e.g., google.com = GOOD, google.com.as31x.example.com = BAD), the victim knows the link is OK - there isn't any tricky sub-domain phishing going on.
    3. The victim clicks the link, sees their actual familiar banking website and is asked to log on.
    4. Victim logs on and is subsequently redirected to http://www.badsite.com which is made to look exactly like victim's bank's website, so victim doesn't know he is now on a different site.
    5. http://www.badsite.com says something like "We need to update our records - please type in some extremely personal information below: [ssn], [address], [phone number], etc."
    6. Victim, still thinking he is on his banking website, falls for the ploy and provides attacker with the information.

    Any ideas on how to maintain this redirect-on-successful-login functionality yet avoid the open-redirect vulnerability? I'm leaning toward the option of splitting the "returnUrl" parameter into controller/action parts and using "RedirectToRouteResult" instead of simply "Redirect". Does this approach open any new vulnerabilities? Side note: I know this open-redirect may not seem to be a big deal compared to the likes of XSS and CSRF, but we developers are the only thing protecting our customers from the bad guys - anything we can do to make the bad guys' job harder is a win in my book. Thanks, Brad

  • Multiple vulnerabilities in Adobe Flashplayer

    - by chandan
    Component: Adobe Flashplayer
    Product and Resolution: Solaris 10 SPARC: 125332-24, X86: 125333-23

    CVE             Description                              CVSSv2 Base Score
    CVE-2012-0724   Denial of Service (DoS) vulnerability    10.0
    CVE-2012-0725   Denial of Service (DoS) vulnerability    10.0
    CVE-2012-0768   Denial of Service (DoS) vulnerability    10.0
    CVE-2012-0769   Information disclosure vulnerability     5.0
    CVE-2012-0772   Denial of Service (DoS) vulnerability    10.0
    CVE-2012-0773   Denial of Service (DoS) vulnerability    10.0

    This notification describes vulnerabilities fixed in third-party components that are included in Oracle's product distributions. Information about vulnerabilities affecting Oracle products can be found on the Oracle Critical Patch Updates and Security Alerts page.

  • Multiple Denial of Service vulnerabilities in Quagga

    - by chandan
    Component: Quagga
    Product and Resolution: Solaris 10 SPARC: 126206-09, X86: 126207-09; Solaris 11 11/11 SRU 4

    CVE             Description                              CVSSv2 Base Score
    CVE-2007-4826   Denial of Service (DoS) vulnerability    3.5
    CVE-2009-1572   Denial of Service (DoS) vulnerability    5.0
    CVE-2010-1674   Denial of Service (DoS) vulnerability    5.0
    CVE-2010-1675   Denial of Service (DoS) vulnerability    5.0
    CVE-2010-2948   Denial of Service (DoS) vulnerability    6.5
    CVE-2010-2949   Denial of Service (DoS) vulnerability    5.0

    This notification describes vulnerabilities fixed in third-party components that are included in Sun's product distribution. Information about vulnerabilities affecting Oracle Sun products can be found on the Oracle Critical Patch Updates and Security Alerts page.

  • Multiple vulnerabilities in OpenSSL

    - by chandan
    Component: OpenSSL
    Product and Resolution: Solaris 11 11/11 SRU 4a

    CVE             Description                              CVSSv2 Base Score
    CVE-2011-4108   Cryptographic Issues vulnerability       4.3
    CVE-2011-4109   Unspecified vulnerability                9.3
    CVE-2011-4576   Information Disclosure vulnerability     5.0
    CVE-2011-4577   Denial of Service (DoS) vulnerability    4.3
    CVE-2011-4619   Denial of Service (DoS) vulnerability    5.0
    CVE-2012-0027   Denial of Service (DoS) vulnerability    5.0

    This notification describes vulnerabilities fixed in third-party components that are included in Sun's product distribution. Information about vulnerabilities affecting Oracle Sun products can be found on the Oracle Critical Patch Updates and Security Alerts page.

  • Multiple Denial of Service vulnerabilities in Wireshark

    - by chandan
    Component: Wireshark
    Product and Resolution: Solaris 11 11/11 SRU 04

    CVE             Description                              CVSSv2 Base Score
    CVE-2012-0041   Denial of Service (DoS) vulnerability    1.9
    CVE-2012-0042   Denial of Service (DoS) vulnerability    2.9
    CVE-2012-0043   Buffer Overflow vulnerability            5.4
    CVE-2012-0066   Denial of Service (DoS) vulnerability    1.9
    CVE-2012-0067   Denial of Service (DoS) vulnerability    1.9
    CVE-2012-0068   Buffer Overflow vulnerability            4.4

    This notification describes vulnerabilities fixed in third-party components that are included in Sun's product distribution. Information about vulnerabilities affecting Oracle Sun products can be found on the Oracle Critical Patch Updates and Security Alerts page.

  • Multiple vulnerabilities in libexif

    - by Umang_D
    Component: libexif
    Product and Resolution: Solaris 11 11/11 SRU 12.4

    CVE             Description                                                                    CVSSv2 Base Score
    CVE-2012-2812   Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability   6.4
    CVE-2012-2813   Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability   6.4
    CVE-2012-2814   Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability   7.5
    CVE-2012-2836   Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability   6.4
    CVE-2012-2837   Numeric Errors vulnerability                                                            5.0
    CVE-2012-2840   Numeric Errors vulnerability                                                            7.5
    CVE-2012-2841   Numeric Errors vulnerability                                                            7.5
    CVE-2012-2845   Numeric Errors vulnerability                                                            6.4

    This notification describes vulnerabilities fixed in third-party components that are included in Oracle's product distributions. Information about vulnerabilities affecting Oracle products can be found on the Oracle Critical Patch Updates and Security Alerts page.

  • Multiple Vulnerabilities in Thunderbird

    - by chandan
    Component: Thunderbird
    Product and Resolution: Solaris 11 11/11 SRU 04

    CVE             Description                              CVSSv2 Base Score
    CVE-2011-3648   Cross-site scripting (XSS) vulnerability 4.3
    CVE-2011-3650   Denial of Service (DoS) vulnerability    9.3
    CVE-2011-3651   Denial of Service (DoS) vulnerability    10.0
    CVE-2011-3652   Denial of Service (DoS) vulnerability    10.0
    CVE-2011-3654   Denial of Service (DoS) vulnerability    10.0
    CVE-2011-3655   Access Control vulnerability             9.3

    This notification describes vulnerabilities fixed in third-party components that are included in Sun's product distribution. Information about vulnerabilities affecting Oracle Sun products can be found on the Oracle Critical Patch Updates and Security Alerts page.

  • PHP Zend Hash Vulnerability Exploitation Vector [closed]

    - by Resurrected Laplacian
    Possible Duplicate: CVE-2007-5416 PHP Zend Hash Vulnerability Exploitation Vector (Drupal) According to exploit-db, http://www.exploit-db.com/exploits/4510/, it says the following: Example: http://www.example.com/drupal/?_menu[callbacks][1][callback]=drupal_eval&_menu[items][][type]=-1&-312030023=1&q=1/ What are "[callbacks]", "[1]" and all these things? What should I put into them? Can anyone present a real possible example? I wasn't asking for a real website; I was asking for a possible example! So, what would the address be like - what should I put into these, as the question says?

  • Pain Comes Instantly

    - by user701213
    When I look back at recent blog entries – many of which are not all that current (more on where my available writing time is going later) – I am struck by how many of them focus on public policy or legislative issues instead of, say, the latest nefarious cyberattack or exploit (or everyone’s favorite new pastime: coining terms for the Coming Cyberpocalypse: “digital Pearl Harbor” is so 1941). Speaking of which, I personally hope evil hackers from Malefactoria will someday hack into my bathroom scale – which in a future time will be connected to the Internet because, gosh, wouldn’t it be great to have absolutely everything in your life Internet-enabled? – and recalibrate it so I’m 10 pounds thinner. The horror. In part, my focus on public policy is due to an admitted limitation of my skill set. I enjoy reading technical articles about exploits and cybersecurity trends, but writing a blog entry on those topics would take more research than I have time for and, quite honestly, doesn’t play to my strengths. The first rule of writing is “write what you know.” The bigger contributing factor to my recent paucity of blog entries is that more and more of my waking hours are spent engaging in “thrust and parry” activity involving emerging regulations of some sort or other. I’ve opined in earlier blogs about what constitutes good and reasonable public policy so nobody can accuse me of being reflexively anti-regulation. That said, you have so many cycles in the day, and most of us would rather spend it slaying actual dragons than participating in focus groups on whether dragons are really a problem, whether lassoing them (with organic, sustainable and recyclable lassos) is preferable to slaying them – after all, dragons are people, too - and whether we need lasso compliance auditors to make sure lassos are being used correctly and humanely. 
(A point that seems to evade many rule makers: slaying dragons actually accomplishes something, whereas talking about “approved dragon slaying procedures and requirements” wastes the time of those who are competent to dispatch actual dragons and who were doing so very well without the input of “dragon-slaying theorists.”) Unfortunately for so many of us who would just get on with doing our day jobs, cybersecurity is rapidly devolving into the “focus groups on dragon dispatching” realm, which actual dragons slayers have little choice but to participate in. The general trend in cybersecurity is that powers-that-be – which encompasses groups other than just legislators – are often increasingly concerned and therefore feel they need to Do Something About Cybersecurity. Many seem to believe that if only we had the right amount of regulation and oversight, there would be no data breaches: a breach simply must mean Someone Is At Fault and Needs Supervision. (Leaving aside the fact that we have lots of home invasions despite a) guard dogs b) liberal carry permits c) alarm systems d) etc.) Also note that many well-managed and security-aware organizations, like the US Department of Defense, still get hacked. More specifically, many powers-that-be feel they must direct industry in a multiplicity of ways, up to and including how we actually build and deploy information technology systems. The more prescriptive the requirement, the more regulators or overseers a) can be seen to be doing something b) feel as if they are doing something regardless of whether they are actually doing something useful or cost effective. Note: an unfortunate concomitant of Doing Something is that often the cure is worse than the ailment. That is, doing what overseers want creates unfortunate byproducts that they either didn’t foresee or worse, don’t care about. After all, the logic goes, we Did Something. Prescriptive practice in the IT industry is problematic for a number of reasons. 
    For a start, prescriptive guidance is really only appropriate if:
    • It is cost effective
    • It is “current” (meaning, the guidance doesn’t require the use of the technical equivalent of buggy whips long after horse-drawn transportation has become passé)*
    • It is practical (that is, pragmatic, proven and effective in the real world, not theoretical and unproven)
    • It solves the right problem

    With the above in mind, heading up the list of “you must be joking” regulations are recent disturbing developments in the Payment Card Industry (PCI) world. I’d like to give PCI kahunas the benefit of the doubt about their intentions, except that efforts by Oracle among others to make them aware of “unfortunate side effects of your requirements” – which is as tactful I can be for reasons that I believe will become obvious below - have gone, to-date, unanswered and more importantly, unchanged. A little background on PCI before I get too wound up. In 2008, the Payment Card Industry (PCI) Security Standards Council (SSC) introduced the Payment Application Data Security Standard (PA-DSS). That standard requires vendors of payment applications to ensure that their products implement specific requirements and undergo security assessment procedures. In order to have an application listed as a Validated Payment Application (VPA) and available for use by merchants, software vendors are required to execute the PCI Payment Application Vendor Release Agreement (VRA). (Are you still with me through all the acronyms?) Beginning in August 2010, the VRA imposed new obligations on vendors that are extraordinary and extraordinarily bad, short-sighted and unworkable. Specifically, PCI requires vendors to disclose (dare we say “tell all?”) to PCI any known security vulnerabilities and associated security breaches involving VPAs. ASAP. Think about the impact of that.
    PCI is asking a vendor to disclose to them:
    • Specific details of security vulnerabilities
    • Including exploit information or technical details of the vulnerability
    • Whether or not there is any mitigation available (as in a patch)

    PCI, in turn, has the right to blab about any and all of the above – specifically, to distribute all the gory details of what is disclosed - to the PCI SSC, qualified security assessors (QSAs), and any affiliate or agent or adviser of those entities, who are in turn permitted to share it with their respective affiliates, agents, employees, contractors, merchants, processors, service providers and other business partners. This assorted crew can’t be more than, oh, hundreds of thousands of entities. Does anybody believe that several hundred thousand people can keep a secret? Or that several hundred thousand people are all equally trustworthy? Or that not one of the people getting all that information would blab vulnerability details to a bad guy, even by accident? Or be a bad guy who uses the information to break into systems? (Wait, was that the Easter Bunny that just hopped by? Bringing world peace, no doubt.) Sarcasm aside, common sense tells us that telling lots of people a secret is guaranteed to “unsecret” the secret. Notably, being provided details of a vulnerability (without a patch) is of little or no use to companies running the affected application. Few users have the technological sophistication to create a workaround, and even if they do, most workarounds break some other functionality in the application or surrounding environment. Also, given the differences among corporate implementations of any application, it is highly unlikely that a single workaround is going to work for all corporate users. So until a patch is developed by the vendor, users remain at risk of exploit: even more so if the details of vulnerability have been widely shared.
Sharing that information widely before a patch is available therefore does not help users, and instead helps only those wanting to exploit known security bugs. There’s a shocker for you. Furthermore, we already know that insider information about security vulnerabilities inevitably leaks, which is why most vendors closely hold such information and limit dissemination until a patch is available (and frequently limit dissemination of technical details even with the release of a patch). That’s the industry norm, not that PCI seems to realize or acknowledge that. Why would anybody release a bunch of highly technical exploit information to a cast of thousands, whose only “vetting” is that they are members of a PCI consortium? Oracle has had personal experience with this problem, which is one reason why information on security vulnerabilities at Oracle is “need to know” (we use our own row level access control to limit access to security bugs in our bug database, and thus less than 1% of development has access to this information), and we don’t provide some customers with more information than others or with vulnerability information and/or patches earlier than others. Failure to remember “insider information always leaks” creates problems in the general case, and has created problems for us specifically. A number of years ago, one of the UK intelligence agencies had information about a non-public security vulnerability in an Oracle product that they circulated among other UK and Commonwealth defense and intelligence entities. Nobody, it should be pointed out, bothered to report the problem to Oracle, even though only Oracle could produce a patch. The vulnerability was finally reported to Oracle by (drum roll) a US-based commercial company, to whom the information had leaked. (Note: every time I tell this story, the MI-whatever agency that created the problem gets a bit shirty with us. 
I know they meant well and have improved their vulnerability handling/sharing processes but, dudes, next time you find an Oracle vulnerability, try reporting it to us first before blabbing to lots of people who can’t actually fix the problem. Thank you!) Getting back to PCI: clearly, these new disclosure obligations increase the risk of exploitation of a vulnerability in a VPA and thus, of misappropriation of payment card data and customer information that a VPA processes, stores or transmits. It stands to reason that VRA’s current requirement for the widespread distribution of security vulnerability exploit details -- at any time, but particularly before a vendor can issue a patch or a workaround -- is very poor public policy. It effectively publicizes information of great value to potential attackers while not providing compensating benefits - actually, any benefits - to payment card merchants or consumers. In fact, it magnifies the risk to payment card merchants and consumers. The risk is most prominent in the time before a patch has been released, since customers often have little option but to continue using an application or system despite the risks. However, the risk is not limited to the time before a patch is issued: customers often need days, or weeks, to apply patches to systems, based upon the complexity of the issue and dependence on surrounding programs. Rather than decreasing the available window of exploit, this requirement increases the available window of exploit, both as to time available to exploit a vulnerability and the ease with which it can be exploited. Also, why would hackers focus on finding new vulnerabilities to exploit if they can get “EZHack” handed to them in such a manner: a) a vulnerability b) in a payment application c) with exploit code: the “Hacking Trifecta!“ It’s fair to say that this is probably the exact opposite of what PCI – or any of us – would want. 
    Established industry practice concerning vulnerability handling avoids the risks created by the VRA’s vulnerability disclosure requirements. Specifically, the norm is not to release information about a security bug until the associated patch (or a pretty darn good workaround) has been issued. Once a patch is available, the notice to the user community is a high-level communication discussing the product at issue, the level of risk associated with the vulnerability, and how to apply the patch. The notices do not include either the specific customers affected by the vulnerability or forensic reports with maps of the exploit (both of which are required by the current VRA). In this way, customers have the tools they need to prioritize patching and to help prevent an attack, and the information released does not increase the risk of exploit. Furthermore, many vendors already use industry standards for vulnerability description: Common Vulnerability Enumeration (CVE) and Common Vulnerability Scoring System (CVSS). CVE helps ensure that customers know which particular issues a patch addresses and CVSS helps customers determine how severe a vulnerability is on a relative scale. Industry already provides the tools customers need to know what the patch contains and how bad the problem is that the patch remediates. So, what’s a poor vendor to do? Oracle is reaching out to other vendors subject to PCI and attempting to enlist them in a broad effort to engage PCI in rethinking (that is, eradicating) these requirements.
    I would therefore urge all who care about this issue, but especially those in the vendor community whose applications are subject to PCI and who may not have known they were being asked to tell-all to PCI and put their customers at risk, to do one of the following:
    • Contact PCI with your concerns
    • Contact Oracle (we are looking for vendors to sign our statement of concern)
    • And make sure you tell your customers that you have to rat them out to PCI if there is a breach involving the payment application

    I like to be charitable and say “PCI meant well” but in as important a public policy issue as what you disclose about vulnerabilities, to whom and when, meaning well isn’t enough. We need to do well. PCI, as regards this particular issue, has not done well, and has compounded the error by thus far being nonresponsive to those of us who have labored mightily to try to explain why they might want to rethink telling the entire planet about security problems with no solutions.

    By Way of Explanation… Non-related to PCI whatsoever, and the explanation for why I have not been blogging a lot recently, I have been working on Other Writing Venues with my sister Diane (who has also worked in the tech sector, inflicting upgrades on unsuspecting and largely ungrateful end users). I am pleased to note that we have recently (self-)published the first in the Miss Information Technology Murder Mystery series, Outsourcing Murder. The genre might best be described as “chick lit meets geek scene.” Our sisterly nom de plume is Maddi Davidson and (shameless plug follows): you can order the paper version of the book on Amazon, or the Kindle or Nook versions on www.amazon.com or www.bn.com, respectively. From our book jacket: Emma Jones, a 20-something IT consultant, is working on an outsourcing project at Tahiti Tacos, a restaurant chain offering Polynexican cuisine: refried poi, anyone? Emma despises her boss Padmanabh, a brilliant but arrogant partner in GD Consulting.
    When Emma discovers His-Royal-Padness’s body (verdict: death by cricket bat), she becomes a suspect. With her overprotective family and her best friend Stacey providing endless support and advice, Emma stumbles her way through an investigation of Padmanabh’s murder, bolstered by fusion food feeding frenzies, endless cups of frou-frou coffee and serious surfing sessions. While Stacey knows a PI who owes her a favor, landlady Magda urges Emma to tart up her underwear drawer before the next cute cop with a search warrant arrives. Emma’s mother offers to fix her up with a PhD student at Berkeley and showers her with self-defense gizmos while her old lover Keoni beckons from Hawai’i. And everyone, even Shaun the barista, knows a good lawyer. Book 2, Denial of Service, is coming out this summer.

    * Given the rate of change in technology, today’s “thou shalts” are easily next year’s “buggy whip guidance.”

  • Tracking Security Vulnerability remediation

    - by Zypher
    I've been looking into this for a little while, but haven't really found anything suitable. What I am looking for is a system to track security vulnerability remediation status. Something like "bugzilla for IT". What I am looking for is something pretty simple that allows the following:
    • batch entry of new vulnerabilities that need to be remediated
    • Per user assignment
    • AD/LDAP Authentication
    • Simple interface to track progress - research, change control status, remediated, etc.
    • Historical search ability
    • Ability to divide by division
    • Ability to store proof of resolution for the Security Team to access
    • Dependency tracking
    • Linux based is best (that's my group :) )
    • Free is good, but cost doesn't matter so much if the system is worth it

    The system doesn't have to have all of these features, but if it did that would be great. Yes, we could use our helpdesk software, but that has a bunch of pitfalls such as triggering SLA alerts and penalties as well as not being easily searchable outside of a group. Most of what I have found are bug tracking systems that are geared towards developers, and are honestly way overkill for what I am looking for. Server Fault's input is greatly appreciated as always!

  • Has anyone run an objective comparison of Nessus and Skipfish

    - by jldugger
    We recently set up Nessus, but the annual cost is not cheap. Recently Google published SkipFish which appears to compete in the area of webapps. As best I can tell, Nessus operates via a large database of known exploits. And, as best as I can tell, Skipfish automatically generates vulnerability tests. Has anyone done a comparison of the effectiveness of these two approaches yet?

  • how to exploit vulnerability in php

    - by Dr Deo
    I have never seen a buffer overflow exploit in live action. Suppose I have found a server that seems to have vulnerabilities. Where can I get proof of concept code, preferably in C/C++, to exploit the vulnerability? E.g. I found this vulnerability: Multiple directory traversal vulnerabilities in functions such as 'posix_access()', 'chdir()', 'ftok()' may allow a remote attacker to bypass 'safe_mode' restrictions. (CVE-2008-2665 and CVE-2008-2666). How can I get proof of concept code for educational purposes? PS I am a student and my only desire is to learn.

  • serving files using django - is this a security vulnerability

    - by Tom Tom
    I'm using the following code to serve uploaded files from a login secured view in a django app. Do you think that there is a security vulnerability in this code? I'm a bit concerned that the user could place arbitrary strings in the url after the upload/ and this is directly mapped to the local filesystem. Actually I don't think that it is a vulnerability issue, since the access to the filesystem is restricted to the files in the folder defined with the UPLOAD_LOCATION setting. UPLOAD_LOCATION is set to a not publicly available folder on the webserver.

        # urls.py
        url(r'^upload/(?P<file_url>[/.\s_\-\w]+)',
            'aeon_infrastructure.views.serve_upload_files', name='project_detail'),

        # views.py
        import os.path
        import mimetypes
        from django.conf import settings
        from django.contrib.auth.decorators import login_required
        from django.http import HttpResponse, HttpResponseNotFound

        @login_required
        def serve_upload_files(request, file_url):
            mimetypes.init()
            # The URL pattern admits '.', so '..' segments can reach the view:
            # resolve the path and refuse anything that escapes UPLOAD_LOCATION.
            base = os.path.realpath(settings.UPLOAD_LOCATION)
            file_path = os.path.realpath(os.path.join(base, file_url))
            if not file_path.startswith(base + os.sep):
                return HttpResponseNotFound()
            try:
                # open in binary mode so uploaded non-text files are served unchanged
                fsock = open(file_path, "rb")
                file_name = os.path.basename(file_path)
                file_size = os.path.getsize(file_path)
                print "file size is: " + str(file_size)
                # guess_type() always returns a tuple; the type itself may be None
                mime_type_guess = mimetypes.guess_type(file_name)[0]
                if mime_type_guess is None:
                    mime_type_guess = 'application/octet-stream'
                response = HttpResponse(fsock, mimetype=mime_type_guess)
                response['Content-Disposition'] = 'attachment; filename=' + file_name
            except IOError:
                response = HttpResponseNotFound()
            return response

  • CentOS Vulnerabilities - Exploits/Payloads

    - by Joao Heleno
    Greetings. I'm doing an academic work where I have to find vulnerabilities in CentOS and show how to take advantage of those same vulnerabilities. I'm no hacker and I'm finding this task to be of great difficulty, that is, I see all the security alerts and their descriptions but no explanation of how to take advantage. Maybe I'm being a little naive but all I want to know is if there is any tool I can use to show that CentOS 5.0 vulnerability XPTO exists and to show it "working". If possible something like CVE-2007-0001 exploit tool, CVE-2007-0002 payload and so on. Thanks.

  • Prevent malicious vulnerability scan increasing load on a server

    - by Simon
    Hi all, this week we have been suffering some malicious vulnerability scans against our servers, increasing the load on them and making them nearly unusable. The attack is easy to defend against, just by blocking the offending IP, but only after discovering it. Is there any way to prevent it? Is it normal that one server becomes nearly unusable due to one of these scans? These are the requests made to our server in just one second:
    Thanks in advance!


  • Is my dns server being attacked? And what should I do about it?

    - by Mnebuerquo
    I've been having some intermittent DNS problems with a web server, where certain ISPs' DNS servers don't have my hostnames in cache and fail to look them up. At the same time, queries to OpenDNS for those hostnames resolve correctly. It's intermittent, and it always works fine for me, so it's hard to identify the problem when someone reports connectivity problems to my site. In trying to figure this out, I've been looking at my logs to see if there are any errors I should know about. I found thousands of the following messages in my logs, from different IPs, but all requesting similar DNS records: May 12 11:42:13 localhost named[26399]: client 94.76.107.2#36141: query (cache) 'burningpianos.com/MX/IN' denied May 12 11:42:13 localhost named[26399]: client 94.76.107.2#29075: query (cache) 'burningpianos.com/MX/IN' denied May 12 11:42:13 localhost named[26399]: client 94.76.107.2#47924: query (cache) 'burningpianos.com/MX/IN' denied May 12 11:42:13 localhost named[26399]: client 94.76.107.2#4727: query (cache) 'burningpianos.com/MX/IN' denied May 12 11:42:14 localhost named[26399]: client 94.76.107.2#16153: query (cache) 'burningpianos.com/MX/IN' denied May 12 11:42:14 localhost named[26399]: client 94.76.107.2#40267: query (cache) 'burningpianos.com/MX/IN' denied May 12 11:43:35 localhost named[26399]: client 82.209.240.241#63507: query (cache) 'burningpianos.com/MX/IN' denied May 12 11:43:35 localhost named[26399]: client 82.209.240.241#63721: query (cache) 'burningpianos.org/MX/IN' denied May 12 11:43:36 localhost named[26399]: client 82.209.240.241#3537: query (cache) 'burningpianos.com/MX/IN' denied I've read of Dan Kaminsky's DNS cache poisoning vulnerability, and I'm wondering if these log records are an attempt by some evildoer to attack my DNS server. There are thousands of records in my logs, all requesting "burningpianos", some for .com and some for .org, most looking for an MX record. There are requests from multiple IPs, but each IP will request hundreds of times per day. So this smells to me like an attack. What is the defense against this?


  • Aren't passwords written in inputbox vulnerable through a stack trace ?

    - by loursonwinny
    Hello, I am not a guru of stack tracing at all. I don't even know how to get one. Anyway, I am wondering if a password entered in an InputBox is safe. Can't it be retrieved by getting a stack trace? A password entered that way will be found in many places: the Caption property of the TEdit, the Result of the function which creates the InputBox, probably a variable that stores the Result of the InputBox command, etc. If the answer is "yes, it is a vulnerability", then my world collapses :p. What can be done to avoid that vulnerability? NOTE: The InputBox is an example, but it could also be a "homebrewed" login prompt. InputBox is a Delphi command, but I haven't tagged the question with the Delphi tag because I suppose that the question concerns any language. Thanks for reading.

