The goal of this project is to make virtual world a safer and better place without child pornography, major computer crime and RIAA.
Login As
You can log in if you are registered at one of these services:
Security Bulletins
Latest Malware Updates

Infostealer.Posteal

02/26/2015

Downloader.Busadom

02/26/2015

Trojan.Ladocosm

02/26/2015

SONAR.SuspDocRun

02/25/2015

SONAR.SuspHelpRun

02/25/2015

New details on bug on PayPals website

New details on bug on PayPals website

Security experts at Vulnerability Laboratory published a new report on a recently patched SQL vulnerability on PayPal’s website. The critical flaw, which allowed hackers to inject commands through the web app into the backend databases, could be exploited remotely.

In early January the researchers produced a proof-of-concept demo and reported the flaw to PayPal. The bug was patched in late January.

According to the Vulnerability Laboratory, the flaw was not abused. The researchers said that the vulnerability was located in the analysis all review module with the bound vulnerable page id parameter listing.

Successful exploitation of the bug resulted in web application context manipulation via DBMS injection, website defacement, hijack of database accounts via DBMS extract, information disclosure of database content, data lost or full DBMS compromise.

“When a customer is processing to request the link to, for example, page 7 the server will include the integer value not encoded or parsed in the URL path,” – report stated.

Benjamin Kunz Mejri of Vulnerability Laboratory claimed the attackers could change the integer page with SQL statements to compromise the DBMS app, as well as all PayPal accounts.

The Polish security firm stated: The second problem is the server is bound to the main site auth which allows after a SQL and DBMS compromise via inject to exploit the bound PayPal Inc. services. Attackers can access all database tables and columns to steal the GP+ database content and disclose information, deface the website phish account or extract database password/username information.

Advisory by the Polish researchers suggests that the vulnerability could be patched by a secure parse of the page parameter request when processing to list via GET method.

(c) Naked Security


Security Advisories Database

Remote Code Execution Vulnerability in Microsoft OpenType Font Driver

A remote attacker can execute arbitrary code on the target system.

07/21/2015

SQL Injection Vulnerability in Piwigo

SQL inection vulnerability has been discovered in Piwigo.

02/05/2015

Cross-site Scripting Vulnerability in DotNetNuke

A cross-site scripting (XSS) vulnerability has been discovered in DotNetNuke.

02/05/2015

Cross-site Scripting Vulnerability in Hitachi Command Suite

A cross-site scripting vulnerability was found in Hitachi Command Suite.

02/02/2015

Denial of service vulnerability in FreeBSD SCTP RE_CONFIG Chunk Handling

An attacker can perform a denial of service attack.

01/30/2015

Denial of service vulnerability in Apache Traffic Server HTTP TRACE Max-Forwards

An attacker can perform a denial of service attack.

01/30/2015

Denial of service vulnerability in MalwareBytes Anti-Exploit "mbae.sys"

An attacker can perform a denial of service attack.

01/30/2015

Denial of service vulnerability in Linux Kernel splice

An attacker can perform a denial of service attack.

01/29/2015

Denial of service vulnerability in Python Pillow Module PNG Text Chunks Decompression

An attacker can perform a denial of service attack.

01/20/2015