Surviving the Week 9/14/12

Surviving SQL Injection (link to free SQL Injection tool)
SQLInjection continues to be in the news each week. Despite the fact that it the most well understood vulnerability, it remains the most popular attack technique and many successful breaches are done with SQLi. This attack method remains a problem even in today’s modern web technologies like AMF and REST based applications.

Here a bunch of good resources that might help:
– Free tool for testing SQLi, SQLInvader. Its very similar to SQLmap, but it has a GUI so its very easy to use.
SQLInjection cheatsheet
Injection cheatsheet

A Number of products with SQL Injection, XSS, OS injection and other high risk security issues were reported this week

This week, some very critical security issues has been discovered in some widely used products including WordPress, Joomla, and Drupal.

WordPress Krea3AllMedias SQL Injection –
Knowledge Base EE 4.62.0 SQL Injection –
Joomla RokModule Blind SQL Injection –
PersianTools SQL Injection / Shell Upload –
VICIDIAL Call Center Suite 2.2.1-237 SQL Injection / Cross Site Scripting –
Drupal PDFThumb 7.x OS Injection –
Drupal Inf08 6.x Cross Site Scripting –
Fortigate UTM WAF Appliance Cross Site Scripting –
Wordpress Download Monitor Cross Site Scripting –
Drupal Mass Contact 6.x Access Bypass –
Webify Business Directory Arbitrary File Deletion –
Openfiler 2.x NetworkCard Command Execution –
Oracle VM VirtualBox 4.1 Denial Of Service –

HoneyNet Project Releases SQL Injection Emulator

The HoneyNet Project has released a new version of the Glastopf Web application Honeypot software, which can now replicate SQL Injection attacks.

Use NTO’s Free SQL Invader to test SQL Injection
Use SQL Injection cheat sheet to try stuff manually

Microsoft, Adobe Push out Security Patches

Microsoft has released two security bulletins to address issues in Visual Studio Team Foundation Server and Microsoft System Center Configuration Manager. Adobe released a security hotfix for ColdFusion 10 and earlier versions for Windows, Macintosh and UNIX. Patch your systems if you are attacked –

Oracle Confirms Existence of Another Critical Java Flaw

A new security issue has been discovered in Java which allows to achieve a complete JVM sandbox bypass in the environment of latest Java SE 7 Update 7.

BlackHole Exploit kit to release version 2.0

This exploit kit is one of the best known to date.  We don’t yet know all the new exploits that could be added into version 2.0 and it’s authors will have done their best to obfuscate mush of their work.  But it can be assumed that this latest Java exploit would be included.  There are quite a few web based Java applications out there that require users to remain on specific, vulnerable versions of Java client which makes them a high risk target.  If you’re a developer of a Java application you need to ensure that your application will support updated Java versions or take your application offline.


About Dan Kuykendall 173 Articles
Connect with Dan on Google+

Be the first to comment

Leave a Reply

Your email address will not be published.