Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 524
Alerts This Week
Warning Icon 1 524

Stay Ahead With Linux Security News

Filter%20icon Refine news
X Clear Filters
X Clear Filters
View More

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Community Poll

Is continuous patching actually viable?

No answer selected. Please try again.
Please select either existing option or enter your own, however not both.
Please select minimum {0} answer(s).
Please select maximum {0} answer(s).
/main-polls/156-is-continuous-patching-actually-viable?task=poll.vote&format=json
156
radio
0
[{"id":503,"title":"Delayed updates invite catastrophic breaches.","votes":1,"type":"x","order":1,"pct":50,"resources":[]},{"id":504,"title":"Automated fixes break production environments.","votes":1,"type":"x","order":2,"pct":50,"resources":[]},{"id":505,"title":"Manual approvals cannot keep pace.","votes":0,"type":"x","order":3,"pct":0,"resources":[]}] ["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"] ["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"] 350
bottom 200
Loading...

Explore Latest Linux Security news

We found 3 articles for you...
77

WordPress 3.5.2 Moderate: XSS, DoS, and SSRF Security Fixes

With the second security and maintenance release of WordPress 3.5, the developers of the popular open source blogging software have closed 12 bugs, seven of them security issues. In their announcement, the developers "strongly encourage" all users to update all their installations of the software to version 3.5.2 immediately. . In addition to the fixed vulnerabilities, the new release also includes some proactive changes intended to harden the platform against attacks. The link for this article located at H Online is no longer available. . In addition to the fixed vulnerabilities, the new release also includes some proactive changes inten. second, security, maintenance, release, wordpress, developers, popular. . LinuxSecurity.com Team

Calendar%202 Jun 24, 2013 User Avatar LinuxSecurity.com Team Server Security
78

Python 2.6.7 Medium Severity Advisory: XSS and DoS Risk Fix

The Python developers have released Python 2.6.7, as noted when Python 2.5.6 was released last week. Python 2.6 is in "security fix only" mode until October 2013, with no new bug fixes or features to come; Python 2.6.7 saw three medium severity issues addressed.. According to the Python 2.6.7 NEWS file, these were a vulnerability to XSS attacks in SimpleHTTPServer, a failure to follow redirections with file: schemes in urllib and urllib2 (CVE-2011-1521), and smtpd.py being vulnerable to DoS attacks due to missing error handling when accepting a new connection. Still to come this month are Python 3.2.1 on June 5 and Python 2.7.2 and 3.1.4 on June 11. Unlike the 2.5.6 and 2.6.7 security only updates, Python 2.7.2 and 3.1.4 will be more general maintenance releases and 3.2.1 will be the latest in the ongoing development of Python. The link for this article located at H Security is no longer available. . Python 2.6.7 introduces a crucial security update mitigating XSS and Denial of Service risks stemming from significant vulnerabilities.. Python 2.6 Security, XSS Risk, DoS Attack Fix, Security Enhancement. . LinuxSecurity.com Team

Calendar%202 Jun 06, 2011 User Avatar LinuxSecurity.com Team Vendors/Products
78

WordPress 3.1.1 Moderate: CSRF and XSS Security Issues Fixed

The WordPress.org development team has issued version 3.1.1 of its open source blogging and publishing platform, a maintenance and security update to WordPress 3.1 from late February. According to the developers, the update addresses nearly 30 issues in WordPress, including three security vulnerabilities.. WordPress 3.1.1 corrects a cross-site request forgery (CSRF) vulnerability in the media uploader, as well as a PHP related crash caused when handling specially crafted links in comments. A cross-site scripting (XSS) issue has also been fixed. The link for this article located at H Security is no longer available. . WordPress 5.8.2 addresses several security flaws including CSRF, XSS vulnerabilities and enhances safety measures within the media uploader for this open-source platform.. WordPress Update, CSRF Fix, XSS Resolution, Blogging Security, Open Source Improvement. . LinuxSecurity.com Team

Calendar%202 Apr 07, 2011 User Avatar LinuxSecurity.com Team Vendors/Products
83

Drupal Context 6.x-2.0-rc4 Moderate: XSS Access Threat Mitigated

The development team behind the Drupal module Context have released version 6.x-2.0-rc4, which fixes a cross-site scripting (XSS) vulnerability when displaying block descriptions. If a user with 'administer blocks' permission clicks on a crafted link, JavaScript contained in the link is executed with the privileges of the Drupal page. Attackers can exploit this to gain access to a system. . Just a few weeks ago, a 'simple' XSS vulnerability in a bug-tracking system allowed root access to Apache Software Foundation servers, so XSS vulnerabilities are certainly not to be treated lightly. Update: According to Drupal security team member Heine Deelstra, there is no URL manipulation or JavaScript contained in the link itself involved in the exploitation of the vulnerability. The vulnerability occurs if a user with 'administrator blocks' permission has added JavaScript to a block description on the block administration page. The impact is low since not that many sites using context have role seperation between block admins and other admins. Only a small subsection of the sites using the context release candidate are affected. The link for this article located at H Security is no longer available. . The WordPress plugin Editor Enhancements resolves a minor CSRF vulnerability impacting user roles with editing privileges. Critical security update.. Drupal Security, XSS Attack, Context Module. . LinuxSecurity.com Team

Calendar%202 May 12, 2010 User Avatar LinuxSecurity.com Team Hacks/Cracks
77

Meta Information Facilitating XSS Attacks in Web Services

According to security expert Tyler Reguly of nCircle, data fields for storing meta-information offer plenty of latitude for future cross-site scripting (XSS) attacks. JavaScript embedded in Whois and DNS records and in SSL certificates, for instance, can, under certain circumstances, be executed in a browser. . There are, for example, web services which carry out online checks on SSL certificates from other servers. As well as cryptographically relevant information, such services also display data on a certificate's owner and who it was issued by. If a service fails to filter the query data correctly, the user's browser may execute JavaScript contained in the query. Attackers could exploit this to carry out various activities, such as copying login cookies or changing a user's profile settings (for their account for the web service). SSL Shopper is one service provider which was affected by this issue The link for this article located at H Security is no longer available. . Explore the role of metadata in enhancing vulnerabilities within cross-domain scripting for online applications and secure socket layer assessments.. Cross Site Scripting, SSL Exploits, Web Service Security, Security Risks. . LinuxSecurity.com Team

Calendar%202 Apr 08, 2010 User Avatar LinuxSecurity.com Team Server Security
77

Understanding CSRF Attacks and Their Associated Security Risks

Cross Site Request Forgery (also known as XSRF, CSRF, and Cross Site Reference Forgery) works by exploiting the trust that a site has for the user. Site tasks are usually linked to specific urls (Example: ;stock=ebay) allowing specific actions to be performed when requested. If a user is logged into the site and an attacker tricks their browser into making a request to one of these task urls, then the task is performed and logged as the logged in user. Typically an attacker will embed malicious HTML or JavaScript code into an email or website to request a specific 'task url' which executes without the users knowledge, either directly or by utilizing a Cross-site Scripting Flaw. Injection via light markup languages such as BBCode is also entirely possible. These sorts of attacks are fairly difficult to detect potentially leaving a user debating with the website/company as to whether or not the stocks bought the day before was initiated by the user after the price plummeted. . Most of the functionality allowed by the website can be performed by an attacker utilizing CSRF. This could include posting content to a message board, subscribing to an online newsletter, performing stock trades, using an shopping cart, or even sending an e-card. CSRF can also be used as a vector to exploit existing Cross-site Scripting flaws in a given application. For example imagine an XSS issue on an online forum or blog, where an attacker could force the user through CSRF to post a copy of the next big website worm. An attacker could also utilize CSRF to relay an attack against a site of their choosing, as well as perform a Denial Of Service attack in the right circumstances. The link for this article located at CGI Security is no longer available. . Grasping XSS strategies uncovers the ways malicious actors can take advantage of web features without detection. Discover additional insights.. Cross-Site Request Forgery, Web Attack Techniques, XSRF Exploits. . LinuxSecurity.com Team

Calendar%202 Jan 19, 2007 User Avatar LinuxSecurity.com Team Server Security
77

XSS Risks: Understanding Trends in Web Application Security

Web administrators beware: cross-site scripting vulnerabilities are now far more attractive targets than more notorious bugs such as buffer overflows, according to new figures from Mitre, a U.S. government-funded research organization. Buffer overflows have long been one of the most common types of bugs attacked by malware, with Intel and Advanced Micro Devices (AMD) even building in hardware support for an anti-buffer overflow technology called NX (No Execute) or XD (Execution Disable). . But a shift is under way, according to Mitre's findings. While buffer overflows affect executable files written in languages such as C, the increasing popularity of cross-site scripting (XSS) bugs indicates attackers are looking more at programming languages typically used for Web applications, such as Java, .Net and PHP. Client-side scripting languages generally include same-origin policies, which allow interaction between Web objects and pages only as long as they come from the same domain and over the same protocol. XSS bugs allow malicious Web sites to find ways around these policies, potentially accessing sensitive data in other objects or browser windows. The link for this article located at Network World is no longer available. . Recent statistics indicate an increase in cross-site scripting incidents, overshadowing conventional buffer overflow exploits.. Cross-Site Scripting, Web Application Security, XSS Trends. . LinuxSecurity.com Team

Calendar%202 Sep 19, 2006 User Avatar LinuxSecurity.com Team Server Security
74

Techniques For SQL Injection And XSS Detection With Snort IDS

In this article, we've presented different types of regular expression signatures that can be used to detect SQL Injection and Cross Site Scripting attacks. Some of the signatures are simple yet paranoid, in that they will raise an alert even if there is a hint of an attack. But there is also the possibility that these paranoid signatures may result in false positives. To take care of this, we've then modified the simple signatures with additional pattern checks so that they are more accurate. We recommend that these signatures be taken as a starting point for tuning your IDS or log analysis methods, in the detection of these Web application layer attacks. After a few modifications, and after taking into account the non-malicious traffic that occurs as part of your normal Web transactions, you should be able to accurately detect these attacks. . . .. 1. Introduction In the last couple of years, attacks against the Web application layer have required increased attention from security professionals. This is because no matter how strong your firewall rulesets are or how diligent your patching mechanism may be, if your Web application developers haven't followed secure coding practices, attackers will walk right into your systems through port 80. The two main attack techniques that have been used widely are SQL Injection [ref 1] and Cross Site Scripting [ref 2] attacks. SQL Injection refers to the technique of inserting SQL meta-characters and commands into Web-based input fields in order to manipulate the execution of the back-end SQL queries. These are attacks directed primarily against another organization's Web server. Cross Site Scripting attacks work by embedding script tags in URLs and enticing unsuspecting users to click on them, ensuring that the malicious Javascript gets executed on the victim's machine. These attacks leverage the trust between the user and the server and the fact that there is no input/output validation on the server to reject Javascript characters. This article discusses techniques todetect SQL Injection and Cross Site Scripting (CSS) attacks against your networks. There has been a lot of discussion on these two categories of Web-based attacks about how to carry them out, their impact, and how to prevent these attacks using better coding and design practices. However, there is not enough discussion on how these attacks can be detected. We take the popular open-source IDS Snort [ref 3], and compose regular-expression based rules for detecting these attacks. Incidentally, the default ruleset in Snort does contain signatures for detecting cross-site scripting, but these can be evaded easily. Most of them can be evaded by using the hex-encoded values of strings such as %3C%73%63%72%69%70%74%3E instead of . We have written multiple rules for detecting the same attack depending upon the organization's level of paranoia. If you wish to detect each and every possible SQL Injection attack, then you simply need to watch out for any occurrence of SQL meta-characters such as the single-quote, semi-colon or double-dash. Similarly, a paranoid way of checking for CSS attacks would be to simply watch out for the angled brackets that signify an HTML tag. But these signatures may result in a high number of false positives. To avoid this, the signatures can be modified to be made accurate, yet still not yield too many false positives. Each of these signatures can be used with or without other verbs in a Snort signature using the pcre [ref 4] keyword. These signatures can also be used with a utility like grep to go through the Web-server's logs. But the caveat is that the user input is available in the Web server's logs only if the application uses GET requests. Data about POST requests is not available in the Web server's logs. The link for this article located at is no longer available. . Monitor SQL Injection (SQLi) and XSS attacks effectively by tailoring regex patterns for IDS like Snort, ensuring robust security measures in place. SQL Injection Detection, XSS Detection, Snort Techniques, WebApplication Security, Attack Detection Methods. . Anthony Pell

Calendar%202 Mar 18, 2004 User Avatar Anthony Pell Network Security
News Add Esm H340

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Community Poll

Is continuous patching actually viable?

No answer selected. Please try again.
Please select either existing option or enter your own, however not both.
Please select minimum {0} answer(s).
Please select maximum {0} answer(s).
/main-polls/156-is-continuous-patching-actually-viable?task=poll.vote&format=json
156
radio
0
[{"id":503,"title":"Delayed updates invite catastrophic breaches.","votes":1,"type":"x","order":1,"pct":50,"resources":[]},{"id":504,"title":"Automated fixes break production environments.","votes":1,"type":"x","order":2,"pct":50,"resources":[]},{"id":505,"title":"Manual approvals cannot keep pace.","votes":0,"type":"x","order":3,"pct":0,"resources":[]}] ["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"] ["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"] 350
bottom 200