Archive for January, 2018

12 results.

[20180104] – Core – SQLi vulnerability in Hathor postinstall message

Jan30
by Ike on January 30, 2018 at 2:45 pm
Posted In: Uncategorized
  • Project: Joomla!
  • SubProject: CMS
  • Impact: High
  • Severity: Low
  • Versions: 3.7.0 through 3.8.3
  • Exploit type: SQLi
  • Reported Date: 2017-November-17
  • Fixed Date: 2018-January-30
  • CVE Number: CVE-2018-6376

Description

The lack of type casting of a variable in SQL statement leads to a SQL injection vulnerability in the Hathor postinstall message.

Affected Installs

Joomla! CMS versions 3.7.0 through 3.8.3

Solution

Upgrade to version 3.8.4

Contact

The JSST at the Joomla! Security Centre.

Reported By: Karim Ouerghemmi, ripstech.com

 Comment 

[20180103] – Core – XSS vulnerability in Uri class

Jan30
by Ike on January 30, 2018 at 2:45 pm
Posted In: Uncategorized
  • Project: Joomla!
  • SubProject: CMS
  • Impact: Moderate
  • Severity: Low
  • Versions: 1.5.0 through 3.8.3
  • Exploit type: XSS
  • Reported Date: 2017-November-17
  • Fixed Date: 2018-January-30
  • CVE Number: CVE-2018-6379

Description

Inadequate input filtering in the Uri class (formerly JUri) leads to a XSS vulnerability.

Affected Installs

Joomla! CMS versions 1.5.0 through 3.8.3

Solution

Upgrade to version 3.8.4

Contact

The JSST at the Joomla! Security Centre.

Reported By: Octavian Cinciu

 Comment 

[20180102] – Core – XSS vulnerability in com_fields

Jan30
by Ike on January 30, 2018 at 2:45 pm
Posted In: Uncategorized
  • Project: Joomla!
  • SubProject: CMS
  • Impact: Moderate
  • Severity: Low
  • Versions: 3.7.0 through 3.8.3
  • Exploit type: XSS
  • Reported Date: 2018-January-20
  • Fixed Date: 2018-January-30
  • CVE Number: CVE-2018-6377

Description

Inadequate input filtering in com_fields leads to a XSS vulnerability in multiple field types, i.e. list, radio and checkbox.

Affected Installs

Joomla! CMS versions 3.7.0 through 3.8.3

Solution

Upgrade to version 3.8.4

Contact

The JSST at the Joomla! Security Centre.

Reported By: Benjamin Trenkle, JSST

 Comment 

[20180101] – Core – XSS vulnerability in module chromes

Jan30
by Ike on January 30, 2018 at 2:45 pm
Posted In: Uncategorized
  • Project: Joomla!
  • SubProject: CMS
  • Impact: Moderate
  • Severity: Low
  • Versions: 3.0.0 through 3.8.3
  • Exploit type: XSS
  • Reported Date: 2018-January-21
  • Fixed Date: 2018-January-30
  • CVE Number: CVE-2018-6380

Description

Lack of escaping in the module chromes leads to XSS vulnerabilities in the module system.

Affected Installs

Joomla! CMS versions 3.0.0 through 3.8.3

Solution

Upgrade to version 3.8.4

Contact

The JSST at the Joomla! Security Centre.

Reported By: David Jardin, JSST

 Comment 

Joomla 3.8.4 Release

Jan30
by Ike on January 30, 2018 at 2:45 pm
Posted In: Uncategorized
Joomla 3.8.4

Joomla 3.8.4 is now available. This is a security release for the 3.x series of Joomla addressing four security vulnerabilities and including over 100 bug fixes and improvements.

 Comment 

The hidden “well-known” phishing sites

Jan29
by Ike on January 29, 2018 at 1:04 pm
Posted In: Uncategorized

Thousands of phishing sites have been finding homes in special hidden directories on compromised web servers. In the past month alone, over 400 new phishing sites were found hosted within directories named /.well-known/; but rather than being created by fraudsters, these special directories are already present on millions of websites. The /.well-known/ directory acts as […]

 Comment 

January 2018 Web Server Survey

Jan19
by Ike on January 19, 2018 at 9:10 am
Posted In: Uncategorized

In the January 2018 survey we received responses from 1,805,260,010 sites across 213,053,157 unique domain names and 7,228,005 web-facing computers. This reflects a gain of 214,000 computers, but only 183,000 domains. Overall hostname growth was 71 million, although the number of active sites fell slightly, by 311,000. DPS powering GoDaddy’s Website Builder While the total […]

 Comment 

Brazilian government providing warm waters for shoals of phish

Jan18
by Ike on January 18, 2018 at 4:33 pm
Posted In: Uncategorized

Security holes in Brazilian government websites are still rife, with no fewer than eight different gov.br sites being compromised within the past week to host phishing attacks and hacking scripts. The situation does not seem to have improved much since two years ago, when we noticed a similar spate of phishing sites and malware hosted […]

 Comment 

WordPress 4.9.2 Security and Maintenance Release

Jan16
by Ike on January 16, 2018 at 11:00 pm
Posted In: Uncategorized

WordPress 4.9.2 is now available. This is a security and maintenance release for all versions since WordPress 3.7. We strongly encourage you to update your sites immediately. An XSS vulnerability was discovered in the Flash fallback files in MediaElement, a library that is included with WordPress. Because the Flash files are no longer needed for […]

Oracle Critical Patch Update Advisory – January 2018

Jan16
by Ike on January 16, 2018 at 7:30 pm
Posted In: Uncategorized
 Comment 

Most Reliable Hosting Company Sites in December 2017

Jan04
by Ike on January 4, 2018 at 8:50 am
Posted In: Uncategorized

Rank Performance Graph OS Outagehh:mm:ss FailedReq% DNS Connect Firstbyte Total 1 One.com Linux 0:00:00 0.000 0.165 0.037 0.110 0.110 2 Swishmail FreeBSD 0:00:00 0.000 0.121 0.055 0.110 0.156 3 Bigstep Linux 0:00:00 0.000 0.135 0.071 0.147 0.147 4 Multacom Linux 0:00:00 0.000 0.156 0.090 0.180 0.316 5 www.viawest.com Linux 0:00:00 0.005 0.249 0.008 0.189 0.189 […]

 Comment 

The Month in WordPress: December 2017

Jan03
by Ike on January 3, 2018 at 10:00 am
Posted In: Uncategorized

Activity slowed down in December in the WordPress community, particularly in the last two weeks. However, the month started off with a big event and work pushed forward in a number of key areas of the project. Read on to find out more about what transpired in the WordPress community as 2017 came to a […]

58 queries. 8.5 mb Memory usage. 0.629 seconds.