SQL Injection Vulnerability in miniBB

Vector: Remote
Severity: Medium
Patch: Patched
Impact: Data Manipulation
Software: miniBB 3.x, vulnerable versions: < 3.1 (3.1 released on 2014-11-27)

An SQL injection vulnerability was reported in miniBB.

The vulnerability is caused by insufficient validation of the “code” parameter in bb_func_unsub.php when “action” is set to “unsubscribe”. A remote attacker can send a specially crafted request to the vulnerable application and execute arbitrary SQL commands in the application's database.

Further exploitation of this vulnerability may result in unauthorized data manipulation.

Solution:
For miniBB 3.x: Update to version 3.1 released on 2014-11-27.
SQL Injection Vulnerability in WordPress Cart66 Lite Plugin

Vector: Remote
Severity: Low
Patch: Patched
Impact: Data Manipulation
Software: WordPress Cart66 Lite Plugin 1.x, vulnerable versions: <= 1.5.1.17

An SQL injection vulnerability has been discovered in the WordPress Cart66 Lite Plugin.

The vulnerability is caused by insufficient validation of the “id” POST parameter sent to wp-admin/admin-ajax.php when “action” is set to “shortcode_products_table”. A remote attacker can send a specially crafted request to the vulnerable application and execute arbitrary SQL commands in the application's database.

Further exploitation of this vulnerability may result in unauthorized data manipulation.

Solution:
For WordPress Cart66 Lite Plugin 1.x: Update to version 1.5.2.
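Both advisories describe the same shape of bug: one request parameter on one action handler reaches the database without proper validation. The script below is an added example for triaging web logs against both injection points (miniBB action=unsubscribe with the code parameter, Cart66 Lite action=shortcode_products_table with the id parameter); it is not code from miniBB, Cart66 or the advisories' author. The log format (ip, method, path, then the query string or form body), the /forum/index.php path, the sample records and the heuristics are all constructed for the example. Note that a stock access log does not record POST bodies, so for the Cart66 case the body column has to come from a reverse proxy or WAF log that captures it; treating id as numeric is also an assumption, not something the advisory states.

```python
"""Flag requests that look like attempts against the two injection points
named above. Added example; the log format and sample records are constructed."""
import re
from typing import Optional
from urllib.parse import parse_qs, unquote_plus

# action value -> parameter the advisory names as the injection point
WATCHED = {
    "unsubscribe": "code",             # miniBB, handled in bb_func_unsub.php
    "shortcode_products_table": "id",  # Cart66 Lite, via wp-admin/admin-ajax.php
}

# Quotes, comment openers, statement separators and the usual keywords.
# Tuned for recall: this is a triage filter, not proof of exploitation.
SQLI_RE = re.compile(
    r"['\"`;]|--|#|/\*|\bunion\b|\bselect\b|\bsleep\s*\(|\bbenchmark\s*\(|\bor\b\s+\S+\s*=",
    re.IGNORECASE,
)

def decode(value: str) -> str:
    """URL-decode repeatedly (bounded) so double-encoded payloads are seen plain."""
    for _ in range(3):
        nxt = unquote_plus(value)
        if nxt == value:
            break
        value = nxt
    return value

def inspect_params(params: dict) -> Optional[dict]:
    """Return a finding if the request hits a watched action with a suspicious value."""
    action = params.get("action")
    param = WATCHED.get(action)
    if param is None or param not in params:
        return None
    value = decode(params[param])
    reasons = []
    if SQLI_RE.search(value):
        reasons.append("sql metacharacters")
    if param == "id" and not value.isdigit():   # assumption: product id is numeric
        reasons.append("non-numeric id")
    if not reasons:
        return None
    return {"action": action, "param": param, "value": value, "reasons": reasons}

def parse_line(line: str):
    """Constructed format: '<ip> <method> <path> <query-or-body>'."""
    ip, method, path, payload = line.split(" ", 3)
    fields = parse_qs(payload, keep_blank_values=True)
    return ip, method, path, {k: v[0] for k, v in fields.items()}

def scan(lines):
    """Run inspect_params over every record and attach request context to each hit."""
    findings = []
    for line in lines:
        ip, method, path, params = parse_line(line)
        hit = inspect_params(params)
        if hit:
            hit.update(ip=ip, method=method, path=path)
            findings.append(hit)
    return findings

# Constructed sample records; /forum/index.php is a placeholder path, not miniBB's real entry point.
SAMPLE_LOG = [
    "203.0.113.5 GET /forum/index.php action=unsubscribe&code=abc123",
    "203.0.113.7 GET /forum/index.php action=unsubscribe&code=1%27%20OR%20%271%27%3D%271",
    "198.51.100.9 POST /wp-admin/admin-ajax.php action=shortcode_products_table&id=42",
    "198.51.100.9 POST /wp-admin/admin-ajax.php action=shortcode_products_table&id=42%20UNION%20SELECT%201%2C2%2C3",
    "198.51.100.10 POST /wp-admin/admin-ajax.php action=heartbeat&id=1%27",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ip']} {f['method']} {f['path']} action={f['action']} "
              f"{f['param']}={f['value']!r} -> {', '.join(f['reasons'])}")
```

The check is deliberately scoped to the watched action values: the last sample record carries a quote in id but targets a different action, so it is not reported. Anything flagged still needs a look at the actual query and the response size before calling it exploitation.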
Even Thor Couldn’t save “Blackhat”

I was looking forward to this movie and really hoped it lived up to the hype and the directing ability of Michael Mann. So you already know where I’m coming from based on the title, but to take it a step or two further with the SciFi references, the Avengers could not even make this movie worth a rental at Redbox. If you’re looking for a good movie or a hacking movie, you want to skip this movie altogether. You would think that, given recent events relating to hacking in the world, this movie would come out keyboards a-blazing.

From the very poor, cheesy even, representation of how data flows across networks and SCADA devices to the hacker getting the girl in what seemed like a few hours, it was just hard to sit through. I found myself looking for anything to dig my teeth into; I even got excited when I saw a quick screen shot of netcat (a 2-second shot of a backdoor command “nc” being shown) being used.

Let’s face it here, the term “Blackhat” is related to hacking, but it’s clear they didn’t have anybody on the set that knew what that meant, much less knew how to handle that on the big screen. The series “24” had much more realistic views of hacking and how to depict it.

Ok, so I’ve beat the movie up from a “this is not a hacking movie” standpoint, so let’s look at it on the merits of a good movie. The movie did not grab my attention at all and apparently didn’t grab the attention of at least 2 other people in the theater, as they were on their phones after about 20-30 minutes. Usually this bothers me a lot, but to tell the truth I thought about pulling my phone out too. So it’s opening weekend, yes, it was Sunday and there was a football game on, but still there were only about a dozen people there for this showing, and I think the girls were just there for Hemsworth. So the plot was slow to form and kept getting lost to me, until there was a sudden and abrupt end that really made no sense at all, other than to show that the hacker learned how to make a shank in prison.

To quote my girlfriend: “The final confrontation between the ‘hero’ and the bad guy was rushed and improbable.” The characters were not well thought out and the casting could have been better, but I still don’t think it would have helped the script. I could spend hours picking this movie apart, but I really saw no saving graces for this movie; it was a waste of a good movie title to me. Lastly, the title of a movie should relate to the subject matter; in this case it was only maybe 5% related, in conception and generalities, not in real content.

Did you see the movie? What is your opinion of it? Please share it with us.

SANS 2015 (Orlando) – April 11 – 18, 2015

*** Receive a $200 discount for any (4-6) day SANS course with code: SANS_SecOrb200 ***

For a complete list of courses and complete descriptions, please see:
http://www.sans.org/u/oj

SANS will be back in Orlando at Disney for SANS 2015 with more than 35 courses, evening talks and activities, and vendor events. Please plan to attend on April 11-18 at the Walt Disney World Swan Resort for a full SANS Live Training Event experience. This is where you can get the skills you need and learn tips and tricks from the experts so that you can win the battle against the wide range of cyber adversaries that want to harm your environment. SANS 2015 is one of SANS’ largest events with something for everyone.

A look at our Event Webpage will show that our courses are being taught by SANS top Instructors who will ensure that you not only learn the material, but that you can also apply it immediately when you return to the office.

Note our list of new courses and our list of 5- and 6-day courses (arranged by discipline for your convenience) that will raise your level of security preparedness:

================================
New Cutting-Edge Courses
================================

– New! SEC511: Continuous Monitoring and Security Operations (Simulcast) taught by Eric Conrad
– New! SEC760: Advanced Exploit Development for Penetration Testers taught by Stephen Sims

================================
Security and Pen Testing Courses
================================

– SEC301: Intro to Information Security (GIAC-GISF, Simulcast) taught by Keith Palmgren
– * SEC401: Security Essentials Bootcamp Style (GIAC-GSEC, Simulcast) taught by Dr. Eric Cole
– * SEC501: Advanced Security Essentials – Enterprise Defender (GIAC-GCED, Simulcast) taught by Paul A. Henry
– * SEC503: Intrusion Detection In-Depth (GIAC-GCIA, Simulcast) taught by Mike Poor
– * SEC504: Hacker Tools, Techniques, Exploits and Incident Handling (GIAC-GCIH) taught by John Strand
– SEC505: Securing Windows with the Critical Security Controls (GIAC-GCWN) taught by Jason Fossen
– SEC542: Web App Penetration Testing and Ethical Hacking (GIAC-GWAPT) taught by Seth Misenar
– SEC560: Network Penetration Testing and Ethical Hacking (GIAC-GPEN) taught by Ed Skoudis
– SEC561: Intense Hands-on Pen Testing Skill Development (with SANS NetWars) taught by Tim Medin
– SEC566: Implementing and Auditing the Critical Security Controls – In-Depth (GIAC-GCCC) taught by James Tarala
– SEC573: Python for Penetration Testers taught by Mark Baggett
– SEC575: Mobile Device Security and Ethical Hacking (GIAC-GMOB) taught by Joshua Wright
– SEC579: Virtualization and Private Cloud Security taught by Dave Shackleford
– SEC617: Wireless Ethical Hacking, Penetration Testing, and Defenses (GIAC-GAWN) taught by Larry Pesce
– SEC642: Advanced Web App Penetration Testing and Ethical Hacking taught by Justin Searle
– SEC660: Advanced Penetration Testing, Exploit Writing, and Ethical Hacking (GIAC-GXPN) taught by James Lyne

================================
Application Developer Courses
================================

– DEV522: Defending Web Applications Security Essentials (GIAC-GWEB) taught by Johannes Ullrich, Ph.D.
– DEV544: Secure Coding in .NET: Developing Defensible Applications (GIAC-GSSP-.NET) taught by Eric Johnson

================================
Computer Forensics Courses
================================

– FOR408: Windows Forensic Analysis (GIAC-GCFE, Simulcast) taught by Rob Lee
– * FOR508: Advanced Digital Forensics and Incident Response (GIAC-GCFA) taught by Chad Tilbury
– FOR572: Advanced Network Forensics and Analysis (GIAC-GNFA) taught by Philip Hagen
– FOR585: Advanced Smartphone Forensics taught by Cindy Murphy
– FOR610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques (GIAC-GREM) taught by Lenny Zeltser

================================
Security Management Courses
================================

– * MGT414: SANS(R) +S(TM) Training Program for the CISSP(R) Certification Exam (GIAC-GISP) taught by Jonathan Ham
– * MGT512: SANS Security Leadership Essentials For Managers with Knowledge Compression(TM) (GIAC-GSLC) taught by David Hoelzer
– MGT514: IT Security Strategic Planning, Policy and Leadership taught by G. Mark Hardy
– MGT525: IT Project Management, Effective Communication, and PMP(R) Exam Prep (GIAC-GCPM) taught by Jeff Frisk

================================
Security Audit Courses
================================

– * AUD507: Auditing & Monitoring Networks, Perimeters & Systems (GIAC-GSNA) taught by Tanya Baccam

================================
Legal Course
================================

– LEG523: Law of Data Security and Investigations (GIAC-GLEG) taught by Benjamin Wright

================================
NetWars
================================

– NetWars – Tournament
– DFIR NetWars Tournament

* Courses with Certifications that align with DOD Directive 8570


U.S. DEPARTMENT OF DEFENSE AND U.S. CENTRAL COMMAND social network hacked

BREAKING NEWS: U.S. DEPARTMENT OF DEFENSE AND U.S. CENTRAL COMMAND confirm their social media accounts were hacked on January 12, 2015.

Social media accounts for the U.S. military’s Central Command appeared to have been hacked on Monday, with the command’s accounts posting threatening messages to American troops on Twitter and YouTube.

The first rogue tweet was posted about 12:30 p.m. It appeared to come from sympathizers of the Islamic State militant group. The Central Command has orchestrated the U.S.-led airstrike campaign against the militants in Iraq and Syria and is beginning to train Iraqi troops to respond to the threat in the region.

The background and profile photo of the Centcom account were both changed to show an apparent militant and the phrases “CyberCaliphate” and “i love you isis,” using one of the acronyms for the militant group.

In a statement, the Central Command confirmed that its Twitter account had been “compromised” and said it “is taking appropriate measures to address the matter.” The statement did not elaborate on the extent or seriousness of the hack or who may have been responsible. The account was disabled by Twitter around 1:10 p.m.

Metasploit Mastery – Feb 2015

Metasploit has become the de facto standard for pentesting today. Most security professionals have some familiarity with it, but few can REALLY get in and drive it like a pro.

Take your Metasploit skills to the next level in this new live online course, designed to take a user from little or no experience with Metasploit to using all of the most advanced features the tool has to offer.

The course cost is $500, but the first 25 signups will get the course at $350 so signup now!

Syllabus

Day 1: Metasploit Fundamentals and Scanning

  • Metasploit Fundamentals
    • Installing Metasploit
    • Interfaces
      • MSFConsole
      • MSFCLI
      • Armitage
  • Auxiliary Modules
    • Port Scanning
    • Vulnerability Scanning

Day 2: Exploitation

  • Exploitation
    • Service Based Exploitation
    • Client-Side Exploitation
  • Post-Exploitation
    • Privilege Escalation (post modules and local exploits)
    • Hashdumping and other methods of credential theft
    • Data-mining a host
    • Pivoting
      • Port Forwarding
      • Setting a route
      • VPN Pivoting

Day 3: Bypassing defensive mechanisms

  • Bypassing Defensive Mechanisms
    • Bypassing Anti-Virus
    • Bypassing HIPS
    • Bypassing EMET
  • Tunneling
    • SSH Tunneling
    • Socks Tunneling

Day 4: Writing your own modules

  • Writing Auxiliary Modules
  • Writing Post Modules
  • Railgun

Day 5: Writing exploits

  • Writing Exploits for Metasploit
  • Converting Metasploit Modules to Stand Alone Tools

Schedule

This class will be held live online from 16 – 20 February, from 10 a.m. to 4 p.m. EST each day.

Videos

Each class will be recorded and made available to the students via email. So you can keep up with the class even if you have to miss time, or even a whole day.

Price

The class cost is $500USD.

The first 25 signups will get the course at $350 so signup now!

http://strategicsec.com/metasploit-mastery/