Posts tagged with: security

Well, it's been a week since I implemented my changes to the tagcloud.swf and I've not encountered any problems. I've also been in touch with MustLive who reported the original XSS and HTML Injection issues I mentioned last week and he believes my changes successfully mitigate the HTML Injection issue.  Continue reading ►

This week an announcement was made on Seclist.org about a XSS and HTML Injection vulnerability in all the plugins that use the original tagcloud.swf from WP-Cumulus (which includes HB-Cumulus).  Continue reading ►

Today's XKCD, "Password Strength"...  Continue reading ►

I'm a little slow on this one - it was a busy weekend - but we've just pushed out a new security update for Habari following being contacted by High-Tech Bridge regarding a low-risk path disclosure vulnerability (HTB22732) and two potential medium-risk XSS flaws (HTB22731 and HTB22733).  Continue reading ►

If you're running Habari 0.6.4 or earlier, I encourage you to update to the recently released Habari 0.6.5 to resolve a minor security issue.  Continue reading ►

Links of interest for 26 Jul 2010 - 6 Aug 2010:  Continue reading ►

July this year saw Solaris starting to comply with Oracle's standard practice of releasing quarterly Critical Patch Updates (CPUs) containing security fixes. Unfortunately, it also saw Solaris complying with Oracle's policy to not actually provide a correlation between CVE numbers and the corresponding patches in the CPU itself (CPU July 2010). This naturally caused a lot of uproar in the Solaris install base with a lot of big customers very upset.  Continue reading ►

Many people don't run the SSH that comes with Solaris 9 and later on their Solaris hosts, instead opting for OpenSSH or one of Tectia's SSH products. Some don't like SunSSH's versioning, as it makes it hard to determine if SunSSH is vulnerable to the same issues as OpenSSH (most often it's not or the issue has already been addressed), others rely on features on OpenSSH that haven't made it into SunSSH (there aren't many) and then there are those who's corporate guidelines only allow for a third party solution - probably for uniformity across platforms. Whatever the reason, all of these people are security conscious so they may also have an auditing (aka BSM) requirement too, and this is where the problem comes to light: they soon discover that it appears that not all events are being recorded for users who connect via this third party SSH software.Thankfully it's easy to get OpenSSH working with Solaris auditing thanks to the very generous code contributions made by Sun to the OpenSSH community, way back in 2001, that were finally included in OpenSSH 4.0 and later. However, despite these contributions, people still miss the details on getting BSM working as they expect and this is what I'll address here.  Continue reading ►

Links of interest for 9 Mar 2010 - 21 Apr 2010:  Continue reading ►

Links of interest for 27 Jan 2010 - 14 Feb 2010:  Continue reading ►