Surviving the Week 11/16/12, Not a Great Week for Password Protection

Not a Great Week for Password Protection

Earlier in the week, we saw Twitter forcing users to change their passwords after a loss of password data. Later in the week, a password vulnerability was disclosed in the most famous messenger, Microsoft’s Skype. The vulnerability allowed an attacker to change the username and password of a victim’s Skype account just by knowing their email address. Early Friday, Microsoft announced that the vulnerability had been resolved.

Information about the attack description –
Information about the patch –

ModSecurity Rules Are Out

ModSecurity, one of the most widely used open source web application firewalls, has released its updated rules. Download the rules at –

One of the unique features of NTOSpider is that it can generate rules for different WAFs, including ModSecurity, Snort and Imperva. One can use this feature to import rules into a WAF to temporarily block all the vulnerabilities detected by NTOSpider (so-called virtual patching) until the application itself is fixed.
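As an added illustration of what such a virtual patch looks like (this is a hand-written ModSecurity 2.x rule, not rule output from NTOSpider or from the ModSecurity project), the rule below blocks requests in which a hypothetical `id` parameter of the placeholder script `/app/item.php` is anything other than a short run of digits. The path, parameter name and rule id are assumptions chosen for the example; a real deployment would substitute the location and parameter from the scanner's finding.

```apache
# Added example, not from the original post: a ModSecurity 2.x virtual patch
# for a hypothetical SQL injection in the "id" parameter of /app/item.php.
# Path, parameter and rule id are placeholders for the real finding.
<LocationMatch "^/app/item\.php$">
    # Phase 2 runs after the request body is read, so ARGS covers both
    # query-string and POST parameters.
    # Positive model: "id" must be 1-10 digits; anything else is denied
    # with 403 and written to the audit log with a searchable tag.
    SecRule ARGS:id "!@rx ^[0-9]{1,10}$" \
        "id:10001,phase:2,deny,status:403,log,\
        msg:'Virtual patch: non-numeric id parameter on /app/item.php',\
        tag:'virtual-patch',severity:'CRITICAL'"
</LocationMatch>
```

Place the snippet in a file included by the ModSecurity configuration and reload the web server; while testing, `SecRuleEngine DetectionOnly` lets the rule log matches without blocking, which shows whether the positive model is too narrow for legitimate traffic before the block is enforced. Rule ids below 100000 are reserved for local rules, so the id will not collide with the OWASP Core Rule Set.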

Multiple Vulnerabilities

Vulnerabilities have been disclosed in several major applications, including WordPress, Drupal and Oracle. The following list links to the patches for the vulnerabilities reported in the past week.

WordPress Kakao Theme SQL Injection –
WordPress Eco-Annu SQL Injection –
WordPress 3.3.1 swfupload.swf Cross Site Scripting –
netOffice Dwins 1.4p3 SQL Injection –
BananaDance Wiki b2.2 Cross Site Scripting / SQL Injection –
Java Applet JAX-WS Remote Code Execution –
MYREphp Vacation Rental Cross Site Scripting / SQL Injection –
dotProject 2.1.6 Remote File Inclusion –
Narcissus Remote Command Execution –
ReciPHP 1.1 SQL Injection –
BabyGekko 1.2.2e XSS / LFI / SQL Injection –
MYRE Realty Manager XSS / SQL Injection –
Bugzilla Information Leak / Cross Site Scripting –
Drupal RESTful Web Services 7.x Cross Site Request Forgery –
Drupal Smiley / Smileys 6.x Cross Site Scripting –
Friendsinwar FAQ Manager XSS / SQL Injection –
iDev Rentals 1.0 Cross Site Scripting –
Drupal Chaos Tool Suite 6.x Cross Site Scripting –
Drupal Table Of Contents 6.x Access Bypass –
Oracle Database Client System Analyzer Arbitrary File Upload –

About Dan Kuykendall 173 Articles