Category Archives: Security

CVE-2012-1990: Kerweb/Kerwin XSS vulnerabilities

Severity: Moderate
Vendor: Schneider Electric
Versions Affected: Kerweb < 3.0.1, Kerwin < 6.0.1
Description: Input fields used for searching and displaying content are not filtered properly. Thus, the web application suffers from multiple reflected XSS vulnerabilities. Exploitation is made easier as parameters are passed with the HTTP GET method.
Example: A URL can be forged by [...]

HES 2012

It has been a long, long time since my last post… I have been very busy, but hopefully I am coming back in the coming months. Just a quick note to say that I just came back from Hackito Ergo Sum 2012 (HES). And that was great. All conferences were interesting and the level [...]

Debugging the CrashMe program

CrashMe, from the WinDbg developers, may be a helpful application for those in the process of learning how to use a debugger or a disassembler. It simulates several crash situations that you will be able to easily reproduce and examine within these tools.

Acquisitions among SIEM actors

The SIEM planet has recently gone crazy. Following the acquisition of the leader, ArcSight, by HP last year, IBM just acquired Q1 Labs… and McAfee, NitroSecurity! With RSA and Norton having their own solutions, we now have 5 big players in the arena (see Gartner 2011). This is a good proof that the [...]

BNAT

BNAT stands for “Broken NAT”. In the scope of Jonathan Claudius's work, a NAT is considered broken when the client receives a reply from a server behind a NAT with a different IP than the one it sent the request to. It happens with bad implementations where the DNAT (destination NAT) and the SNAT (source NAT) use [...]

EMET, pretty weak ASLR

Didier Stevens “benchmarked” the efficiency of ASLR as implemented by the EMET tool. The conclusion is that it is pretty weak, whereas I thought it was on par with true ASLR (as advertised). Very instructive.

Tabnabbing

On his website, Aza Raskin calls it Tabnabbing. Don’t miss the video there and the test web page. It is so simple and probably efficient with most users. Certainly another dangerous phishing attack.

Security Mind Map

I recently attended the 2011 edition of the SSTIC conference (a major security conference in France), where I had a good time and where the slides of Joanna Rutkowska somehow inspired me. I shamelessly decided to reuse and extend her mind-map style diagram from a system security centric view into something more generic and [...]