Search Results

Search found 374 results on 15 pages for 'vulnerabilities'.

Page 9/15 | < Previous Page | 5 6 7 8 9 10 11 12 13 14 15  | Next Page >

  • Good message board for a website (e.g. phpBB)

    - by unixman83
    Hi, What are the best (and most widely used) message board softwares, and the pros and cons of each. e.g. Security Vulnerabilities, Performance on a cheap server, comes pre-packaged. I am looking for the best message board software for my website. A VPS can run almost any software, so the sky is the limit! Free, doesn't require unreasonable number of hyperlinks to their website Security focused / Widely Used, vulnerabilities are found and fixed quick Easy to keep up-to-date, i.e. prepackaged / auto-update in some way Moderator features [like pinning / message preamble], account management Themeable, customize appearance a bit

    Read the article

  • Good message board for a website (e.g. phpBB)

    - by unixman83
    Hi, What are the best (and most widely used) Linux-based message board softwares, and the pros and cons of each. e.g. Security Vulnerabilities, Performance on a cheap server, comes pre-packaged [RPM or DEB]. I am looking for the best message board software for my website. A VPS can run almost any software, so the sky is the limit! Free, doesn't require unreasonable number of hyperlinks to their website Security focused / Widely Used, vulnerabilities are found and fixed quick Easy to keep up-to-date, i.e. prepackaged / auto-update in some way Moderator features [like pinning / message preamble], account management Themeable, customize appearance a bit

    Read the article

  • Automatically check for Security Updates on CentOS or Scientific Linux?

    - by Stefan Lasiewski
    We have machines running RedHat-based distros such as CentOS or Scientific Linux. We want the systems to automatically notify us if there are any known vulnerabilities to the installed packages. FreeBSD does this with the ports-mgmt/portaudit port. RedHat provides yum-plugin-security, which can check for vulnerabilities by their Bugzilla ID, CVE ID or advisory ID. In addition, Fedora recently started to support yum-plugin-security. I believe this was added in Fedora 16. Scientific Linux 6 did not support yum-plugin-security as of late 2011. It does ship with /etc/cron.daily/yum-autoupdate, which updates RPMs daily. I don't think this handles Security Updates only, however. CentOS does not support yum-plugin-security. I monitor the CentOS and Scientific Linux mailinglists for updates, but this is tedious and I want something which can be automated. For those of us who maintain CentOS and SL systems, are there any tools which can: Automatically (Progamatically, via cron) inform us if there are known vulnerabilities with my current RPMs. Optionally, automatically install the minimum upgrade required to address a security vulnerability, which would probably be yum update-minimal --security on the commandline? I have considered using yum-plugin-changelog to print out the changelog for each package, and then parse the output for certain strings. Are there any tools which do this already?

    Read the article

  • Patching and PCI Compliance

    - by Joel Weise
    One of my friends and master of the security universe, Darren Moffat, pointed me to Dan Anderson's blog the other day.  Dan went to Toorcon which is a security conference where he went to a talk on security patching titled, "Stop Patching, for Stronger PCI Compliance".  I realize that often times speakers will use a headline grabbing title to create interest in their talk and this one certainly got my attention.  I did not go to the conference and did not see the presentation, so I can only go by what is in the Toorcon agenda summary and on Dan's blog, but the general statement to stop patching for stronger PCI compliance seems a bit misleading to me.  Clearly patching is important to all systems management and should be a part of any organization's security hygiene.  Further, PCI does require the patching of systems to maintain compliance.  So it's important to mention that organizations should not simply stop patching their systems; and I want to believe that was not the speakers intent. So let's look at PCI requirement 6: "Unscrupulous individuals use security vulnerabilities to gain privileged access to systems. Many of these vulnerabilities are fixed by vendor- provided security patches, which must be installed by the entities that manage the systems. All critical systems must have the most recently released, appropriate software patches to protect against exploitation and compromise of cardholder data by malicious individuals and malicious software." Notice the word "appropriate" in the requirement.  This is stated to give organizations some latitude and apply patches that make sense in their environment and that target the vulnerabilities in question.  Haven't we all seen a vulnerability scanner throw a false positive and flag some module and point to a recommended patch, only to realize that the module doesn't exist on our system?  Applying such a patch would obviously not be appropriate.  This does not mean an organization can ignore the fact they need to apply security patches.  It's pretty clear they must.  Of course, organizations have other options in terms of compliance when it comes to patching.  For example, they could remove a system from scope and make sure that system does not process or contain cardholder data.  [This may or may not be a significant undertaking.  I just wanted to point out that there are always options available.] PCI DSS requirement 6.1 also includes the following note: "Note: An organization may consider applying a risk-based approach to prioritize their patch installations. For example, by prioritizing critical infrastructure (for example, public-facing devices and systems, databases) higher than less-critical internal devices, to ensure high-priority systems and devices are addressed within one month, and addressing less critical devices and systems within three months." Notice there is no mention to stop patching one's systems.  And the note also states organization may apply a risk based approach. [A smart approach but also not mandated].  Such a risk based approach is not intended to remove the requirement to patch one's systems.  It is meant, as stated, to allow one to prioritize their patch installations.   So what does this mean to an organization that must comply with PCI DSS and maintain some sanity around their patch management and overall operational readiness?  I for one like to think that most organizations take a common sense and balanced approach to their business and security posture.  If patching is becoming an unbearable task, review why that is the case and possibly look for means to improve operational efficiencies; but also recognize that security is important to maintaining the availability and integrity of one's systems.  Likewise, whether we like it or not, the cyber-world we live in is getting more complex and threatening - and I dont think it's going to get better any time soon.

    Read the article

  • Where can I learn various hacking techniques on the web?

    - by Carson Myers
    I would like to try my hand at hacking -- that is, exploiting various website vulnerabilities. Not for any illegal purpose mind you, but so I can have a better understanding and appreciation of these exploits while writing my own web software. I seem to recall that there was a community that hosted a bunch of demo websites, and you had to find and exploit certain vulnerabilities with each one. I can't remember what it is called but this is the sort of thing I am looking for -- I have read a tonne of little XSS and CSRF examples but have yet to find a real-life hands-on example of one. Does anyone know of such a place, where I can be given an example page and look for security holes? I would really rather not try this with actual websites, I don't want to break any laws.

    Read the article

  • Critical Patch Update For Oracle Fusion Middleware - CPU October 2012

    - by Daniel Mortimer
    The latest Critical Patch Update (CPU) has been released for Oracle products. Start your reading hereCritical Patch Updates, Security Alerts and Third Party Bulletin  This is the home page containing links to all "Critical Patch Updates" released to date, along with sections detailing  Security Alerts  Third Party Bulletin Public Vulnerabilities Fixed Policies Reporting Security Vulnerabilities  On this page you will find the link to the Oracle Critical Patch Update Advisory - October 2012 The advisory lists the support documents that cover the patch availability for all Oracle products. From an Oracle Fusion Middleware perspective, you can cut to the chase by using the links below which take you to the appropriate sections inPatch Set Update and Critical Patch Update October 2012 Availability Document [ID 1477727.1] Oracle Fusion Middleware 11g Release 2  11.1.2.0 Oracle Fusion Middleware 11g Release 1 11.1.1.4 (Portal,Forms,Reports and Discoverer) 11.1.1.5 11.1.1.6 Oracle Application Server 10g Release 3 10.1.3.5 The #anchor links above should work in Firefox and IE provided you have already logged into My Oracle Support within the same browser session. For some reason, Chrome always takes you to the top of the document :-/ Tip: Error Correction Support for Oracle Identity Management 10g, version 10.1.4.x ended in December 2011. For this reason, there is no section which is specific to this version. However, Error Correction Support remains in place, until end of this year, for the Oracle Identity Management 10.1.4.x components Single Sign On (SSO) Delegated Administration Services (OIDDAS) provided you are using them as part of a Single Sign-On solution (OID 11g + SSO / OIDDAS 10.1.4.3) for a Portal / Forms / Reports and Discoverer 11.1.1.x architecture.    As such there are security related patches available for Fusion Middleware Single Sign On. You will find the patch numbers listed in the sections for 11.1.1.4, 11.1.1.5 and 11.1.1.6 And finally, if you are hit any unexpected errors when applying the CPU patches, check out the known issues documented in these two support documents. Critical Patch Update October 2012 Oracle Fusion Middleware Known Issues (Doc ID 1455408.1) Critical Patch Update October 2012 Database Known Issues (Doc ID 1477865.1)

    Read the article

  • Critical Patch Update for Oracle Fusion Middleware - CPU October 2013

    - by Daniel Mortimer
    The latest Critical Patch Update (CPU) has been released for Oracle products. Start your reading here Critical Patch Updates, Security Alerts and Third Party Bulletin  This is the home page containing links to all "Critical Patch Updates" released to date, along with sections detailing  Security Alerts  Third Party Bulletin Public Vulnerabilities Fixed Policies Reporting Security Vulnerabilities On this page you will find the link to the Oracle Critical Patch Update Advisory - October 2013 The advisory lists the support documents that cover the patch availability for all Oracle products. For Oracle Fusion Middleware, go to: Patch Set Update and Critical Patch Update October 2013 Availability Document [ID 1571391.1] If you are hit any unexpected errors when applying the CPU patches, check out the known issues documented in these two support documents. Critical Patch Update October 2013 Oracle Fusion Middleware Known Issues  [ID 1571369.1] Critical Patch Update October 2013 Database Known Issues [ID 1571653.1] And lastly, for an informal summary of what the Critical Patch Update fixes, check out the blog posts by "Oracle Software Security Assurance" team October 2013 Critical Patch Update Released

    Read the article

  • Trigger IP ban based on request of given file?

    - by Mike Atlas
    I run a website where "x.php" was known to have vulnerabilities. The vulnerability has been fixed and I don't have "x.php" on my site anymore. As such with major public vulnerabilities, it seems script kiddies around are running tools that hitting my site looking for "x.php" in the entire structure of the site - constantly, 24/7. This is wasted bandwidth, traffic and load that I don't really need. Is there a way to trigger a time-based (or permanent) ban to an IP address that tries to access "x.php" anywhere on my site? Perhaps I need a custom 404 PHP page that captures the fact that the request was for "x.php" and then that triggers the ban? How can I do that? Thanks! EDIT: I should add that part of hardening my site, I've started using ZBBlock: This php security script is designed to detect certain behaviors detrimental to websites, or known bad addresses attempting to access your site. It then will send the bad robot (usually) or hacker an authentic 403 FORBIDDEN page with a description of what the problem was. If the attacker persists, then they will be served up a permanently reccurring 503 OVERLOAD message with a 24 hour timeout. But ZBBlock doesn't do quite exactly what I want to do, it does help with other spam/script/hack blocking.

    Read the article

  • 64kb limit on the size of MSMQ Multicast Messages

    - by John Breakwell
    When Windows 2003 came out, Microsoft introduced the ability to broadcast messages to any machines that were listening back. All you had to do was send out a message on a particular port and IP address and any client that had set up a Multicast queue with matching port and IP address would get a copy. Since its introduction, there have been a couple of security vulnerabilities that needed to be removed: Microsoft Security Bulletin MS06-052 Vulnerability in Pragmatic General Multicast (PGM) Could Allow Remote Code Execution (919007) Microsoft Security Bulletin MS08-036 Vulnerabilities in Pragmatic General Multicast (PGM) could allow denial of service (950762) The second of these, MS08-036, was resolved through an undocumented change in functionality. Basically, a limit of 64kb was put on the maximum size of a message that could be broadcast using the Multicast method. Obviously this has caused a few problems for any existing MSMQ Multicast applications that expected to be able to send larger messages. A hotfix has been developed to resolve this problem. 961605 FIX: Multicast messages larger than 64 kilobytes (KB) are not delivered as expected by using Message Queuing 3.0 after security update MS08-036 is installed A registry change is required: Open the registry with Regedit Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RMCAST\Parameters\ Create a DWord called MaxpacketSize Set the value to the desired number of bytes. You can set it to a value between zero and 4MB. If you specify anything above 4MB, it will default to 64K. A reboot is needed after adding this value.

    Read the article

  • Delphi and Microsoft ATL security issue

    - by Jens Nordenbro
    My impression is that standard Delphi uses the Win32 API. Recently Microsoft has been communicating a problem regarding ATL that requires application developers to rebuild ATL-using applications after installing an update on their machines. Will this practice be the general case also for Delphi developers, or are they in the clear with the exception of Delphi code using third party ATL COM objects? Sources: Microsoft Security: Protect your computer from the Active Template Library (ATL) security vulnerability MSDN VC++ DevCenter: Active Template Library Security Update for Developers Microsoft Security Advisory (973882): Vulnerabilities in Microsoft Active Template Library (ATL) Could Allow Remote Code Execution Microsoft Security Bulletin MS09-034 - Critical: Cumulative Security Update for Internet Explorer (972260) Microsoft Security Bulletin MS09-035 - Moderate: Vulnerabilities in Visual Studio Active Template Library Could Allow Remote Code Execution (969706)

    Read the article

  • how to exploit vulnerability in php

    - by Dr Deo
    i have never seen a buffer overflow exploit in live action. supporse I have found a server that seems to have vulnerabilities. Where can i get proof of the concept code preferably in c/c++ to exploit the vulnerability? eg i found this vulnerability Multiple directory traversal vulnerabilities in functions such as 'posix_access()', 'chdir()', 'ftok()' may allow a remote attacker to bypass 'safe_mode' restrictions. (CVE-2008-2665 and CVE-2008-2666). How can i get proof of concept code for educational purposes PS I am a student and my only desire is to learn

    Read the article

< Previous Page | 5 6 7 8 9 10 11 12 13 14 15  | Next Page >