Published by TL Guan January 23rd, 2008
in Tips.
Browsing the web is not inherently safe: even a well-known website can be compromised. A common example is the iframe attack, in which an iframe injected into a compromised page silently loads a malicious site that drops a trojan or exploits outdated applications installed on your computer.
To protect yourself from infection, we suggest installing anti-virus software on your computers, at least one of the free anti-virus products available for personal use (if you are not a business user), and keeping its signatures updated to the latest version. Although this will not fully protect your computer, it provides a baseline of protection. Beyond that, avoid visiting unknown sites, even when the links are sent by trusted friends through instant messaging, email or other channels.
If you notice that your website hosted at Exabytes has been compromised or infected, please contact us at support@exabytes.com immediately.
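A practical way to tell whether a page of your own site has been hit by an iframe injection is to scan its HTML for the signatures the attack leaves behind: an iframe that points at a host other than your own, is sized to zero or one pixel, or is hidden with CSS. The following is an added example and not code from the original post; the sample page, its hostnames (documentation addresses) and the function names are constructed for the illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a normal page whose footer has two injected iframes
# (hostnames are documentation/example addresses, not real attack sites).
SAMPLE_HTML = """
<html><body>
<h1>Welcome to example.com</h1>
<iframe src="/widgets/weather.html" width="300" height="200"></iframe>
<p>Thanks for visiting.</p>
<iframe src="http://evil.example.net/in.cgi?3" width="0" height="0" style="display: none"></iframe>
<iframe src="https://203.0.113.7/x.html" width=1 height=1 frameborder=0></iframe>
</body></html>
"""


class IframeCollector(HTMLParser):
    """Records the attributes of every <iframe> start tag in the document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_tiny(value):
    """Width/height of 0 or 1 (optionally with a 'px' suffix) is the classic hidden-iframe size."""
    try:
        return int(value.strip().lower().rstrip("px")) <= 1
    except ValueError:
        return False


def suspicious_iframes(page_html, site_host):
    """Return [(src, [reasons])] for iframes that look injected: off-site,
    zero/one pixel, or hidden with CSS. A legitimate same-site, visible
    iframe produces no finding."""
    parser = IframeCollector()
    parser.feed(page_html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        reasons = []
        host = urlparse(src).hostname
        if host and host.lower() != site_host.lower():
            reasons.append("loads from external host %s" % host)
        if _is_tiny(attrs.get("width", "")) or _is_tiny(attrs.get("height", "")):
            reasons.append("zero/one pixel size")
        style = attrs.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by CSS")
        if reasons:
            findings.append((src, reasons))
    return findings


if __name__ == "__main__":
    for src, reasons in suspicious_iframes(SAMPLE_HTML, "example.com"):
        print("SUSPICIOUS iframe %s: %s" % (src, "; ".join(reasons)))
```

Run it over every HTML and PHP template in your document root after an incident; an injected iframe usually sits at the very end of the file or just before the closing body tag, and the same string is typically appended to many files at once.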
Published by TL Guan January 23rd, 2008
in Tips.
Over the last several months, we have seen an increase in the number of attacks on user accounts. A strong password is the first important step in keeping your account secure. What makes a password strong?
- It should be at least 8 characters long.
- It should mix letters, numbers and symbols wherever possible.
- It should be changed periodically; we recommend at least once every 6 months.
- Avoid repeated words, dictionary words, keyboard or numeric sequences (such as "asdfgh" or "123456"), a password identical to the username, reusing one password across several accounts, and personal information such as birth dates or car plate numbers.
Example of weak passwords:
admin, password, test, test123, 123456, asdfghjkl.
Example of strong passwords:
fiph2pdmq9!e, 9f2ohspm32h0s.
Comparing the two sets, the weak passwords can be guessed easily, while an attacker would likely need years to guess the strong ones by brute force.
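The rules above can be checked mechanically. The following is an added example, not code from the original post: a Python checker implementing the listed rules, with a constructed stand-in for a dictionary of common passwords. Length, a mix of letters and digits, dictionary words, repeated patterns, keyboard and character sequences, the username and any supplied personal details are hard failures; a missing symbol is only a warning, matching the "wherever possible" in the rule and the second strong example above.

```python
import re
import string

# Constructed stand-in for a real dictionary / common-password list (assumption).
COMMON_WORDS = {"admin", "password", "test", "welcome", "letmein", "qwerty", "exabytes"}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]


def _keyboard_run(s, n=4):
    """True if s contains n adjacent keys from one keyboard row, in either direction."""
    rows = KEYBOARD_ROWS + [r[::-1] for r in KEYBOARD_ROWS]
    return any(row[i:i + n] in s for row in rows for i in range(len(row) - n + 1))


def _char_sequence(s, n=4):
    """True if s contains n consecutive code points such as 'abcd', '6789' or 'dcba'."""
    for i in range(len(s) - n + 1):
        chunk = s[i:i + n]
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps in ({1}, {-1}):
            return True
    return False


def check_password(pw, username="", personal=()):
    """Apply the rules above. Returns (problems, warnings): a non-empty problems
    list means the password is weak; warnings are recommendations only."""
    problems, warnings = [], []
    low = pw.lower()
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not (any(c.isalpha() for c in pw) and any(c.isdigit() for c in pw)):
        problems.append("not a mix of letters and numbers")
    if not any(c in string.punctuation for c in pw):
        warnings.append("no symbol")
    # Dictionary word, also with a numeric suffix ('test123').
    if low in COMMON_WORDS or re.sub(r"\d+$", "", low) in COMMON_WORDS:
        problems.append("dictionary word")
    # Whole password is one chunk repeated ('abcabc', 'aaaaaaaa').
    if len(low) > 1 and re.fullmatch(r"(.+?)\1+", low):
        problems.append("repeated pattern")
    if _keyboard_run(low) or _char_sequence(low):
        problems.append("keyboard or character sequence")
    if username and (low == username.lower() or (len(username) >= 4 and username.lower() in low)):
        problems.append("same as or contains the username")
    for item in personal:
        if item and item.lower() in low:
            problems.append("contains personal information (%s)" % item)
    return problems, warnings


if __name__ == "__main__":
    for candidate in ["admin", "test123", "asdfghjkl", "fiph2pdmq9!e", "9f2ohspm32h0s"]:
        problems, warnings = check_password(candidate, username="tlguan")
        verdict = "WEAK" if problems else "ok"
        print("%-16s %s %s %s" % (candidate, verdict, problems, warnings))
```

The weak examples from the post each trip at least one hard rule, while both strong examples pass; only the second one earns the "no symbol" warning. Hooking a check like this into account creation and password changes is how a hosting control panel turns the advice above into something users cannot skip.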
However, a strong password alone does not protect you from phishing, social engineering, malware and similar attacks that steal the password rather than guess it.
The accounts your passwords protect often hold private information, important data and confidential email, so a compromised account can have a serious impact on you or your organization.
If you notice any suspicious activities that someone may have access without authorization to your accounts, please contact us at support@exabytes.com immediately.
When was the last time you changed your password? If it has been a while, we suggest you change it now.
Published by TL Guan January 22nd, 2008
in Cross Site Scripting and File Inclusion.
Application: phpAutoVideo
Affected Version: 2.21, 2.23 and possibly other versions.
Vendor’s URL: phpAutoVideo
Bug Type: Cross Site Scripting, File Inclusion.
Risk Level: Critical
Solution:
Edit the source code to ensure that input is properly verified and sanitized.
Published by TL Guan January 22nd, 2008
in Cross Site Scripting and Image Galleries.
Application: singapore
Affected Version: 0.10.1 and other versions.
Vendor’s URL: http://www.sgal.org/
Bug Type: Cross Site Scripting
Risk Level: Medium
Solution:
Edit the source code to ensure that input is properly sanitized.
Application: MyBB
Affected Version: 1.2.11 and prior versions.
Vendor’s URL: http://www.mybboard.net/
Bug Type: Cross Site Scripting, SQL Injection
Risk Level: Critical
Solution:
Update to version 1.2.12.
Published by TL Guan January 22nd, 2008
in Content Management and SQL Injection.
Application: WP-Forum (plugin for WordPress)
Affected Version: 1.7.4.
Vendor’s URL: http://www.fahlstad.se/wp-plugins/wp-forum/
Bug Type: SQL Injection
Risk Level: Critical
Solution:
Edit the source code to ensure that input is properly sanitized.
Application: BloofoxCMS
Affected Version: 0.3 and other versions.
Vendor’s URL: http://www.bloofox.com/
Bug Type: SQL Injection, Information Disclosure
Risk Level: Critical
Solution:
Edit the source code to ensure that input is properly sanitized.
Restrict access to the “admin/” directory (e.g. with “.htaccess”).
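What "ensure that input is properly sanitized" means in practice for the SQL injection and cross-site scripting entries above (MyBB, WP-Forum, BloofoxCMS): the request parameter must never be parsed as SQL, and must never be emitted into HTML unescaped. The following is an added illustration of the bug class and its fix, in Python; it is not code from any of the listed applications. The in-memory SQLite table, its rows and the function names are constructed for this example.

```python
import html
import sqlite3


def make_db():
    """In-memory stand-in for a forum/CMS users table (constructed sample data)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, is_admin INTEGER)")
    con.executemany("INSERT INTO users (name, is_admin) VALUES (?, ?)",
                    [("alice", 0), ("bob", 0), ("root", 1)])
    return con


def find_user_vulnerable(con, name):
    """The bug behind the SQL injection advisories: the request parameter is
    pasted into the query string, so quotes in it change the query's logic."""
    sql = "SELECT name, is_admin FROM users WHERE name = '%s'" % name
    return con.execute(sql).fetchall()


def find_user_fixed(con, name):
    """Parameterised query: the driver passes the value separately from the
    SQL text, so it can only ever be compared, never executed."""
    return con.execute("SELECT name, is_admin FROM users WHERE name = ?", (name,)).fetchall()


def render_profile_vulnerable(name):
    """The bug behind the XSS advisories: the parameter is echoed into HTML as-is."""
    return "<h1>Profile of %s</h1>" % name


def render_profile_fixed(name):
    """Output encoding: <, >, &, quotes become entities, so browser sees text, not markup."""
    return "<h1>Profile of %s</h1>" % html.escape(name, quote=True)


if __name__ == "__main__":
    con = make_db()
    injection = "x' OR '1'='1"          # classic tautology: matches every row
    print("vulnerable:", find_user_vulnerable(con, injection))
    print("fixed:     ", find_user_fixed(con, injection))
    payload = "<script>alert(1)</script>"
    print("vulnerable:", render_profile_vulnerable(payload))
    print("fixed:     ", render_profile_fixed(payload))
```

Note the two fixes are different mechanisms: the SQL fix is parameterisation, not escaping, and the XSS fix is encoding at the point of output, so a value that is safe in one context is still handled correctly in the other.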
Published by TL Guan January 22nd, 2008
in Content Management and SQL Injection.
Application: BLOG:CMS
Affected Version: 4.2.1b.
Vendor’s URL: http://blogcms.com/
Bug Type: SQL Injection
Risk Level: Critical
Solution:
Update to version 4.2.1c.
Application: MyBB
Affected Version: 1.2.10 and prior versions.
Vendor’s URL: http://www.mybboard.net/
Bug Type: System access, SQL Injection
Risk Level: Critical
Solution:
Update to version 1.2.11.
Application: Drupal Meta Tags Module
Affected Version: 5.x-1.6.
Vendor’s URL: http://drupal.org/project/nodewords
Bug Type: System access
Risk Level: Critical
Solution:
Update to version 5.x-1.7.
Application: vbDrupal
Affected Version: prior to version 4.7.11.0 or 5.6.0.
Vendor’s URL: http://www.vbdrupal.org/
Bug Type: Cross Site Scripting
Risk Level: Critical
Solution:
Update to version 4.7.11.0 or 5.6.0.
Published by TL Guan January 22nd, 2008
in Image Galleries and SQL Injection.
Application: ASP Photo Gallery
Affected Version: 1.0.
Vendor’s URL: http://www.matteobinda.com/apg.php
Bug Type: SQL Injection
Risk Level: Critical
Solution:
Edit the source code to ensure that input is properly sanitized.
Application: minimal Gallery
Affected Version: 0.8.
Vendor’s URL: http://minimalgallery.net/home
Bug Type: Exposure of sensitive information
Risk Level: Critical
Solution:
Edit the source code to ensure that input is properly sanitized.
Restrict access to php_info.php (e.g. with ".htaccess").
Published by TL Guan January 22nd, 2008
in Content Management and SQL Injection.
Application: TaskFreak
Affected Version: 0.6.1 and other versions.
Vendor’s URL: http://www.taskfreak.com/
Bug Type: SQL Injection
Risk Level: Medium
Solution:
Edit the source code to ensure that input is properly sanitized.
Published by TL Guan January 22nd, 2008
in File Inclusion and Image Galleries.
Application: vBGallery
Affected Version: prior to version 2.4.2.
Vendor’s URL: http://www.photopost.com/
Bug Type: File Inclusion
Risk Level: Critical
Solution:
Update to version 2.4.2.
Published by TL Guan January 22nd, 2008
in E-Commerce and File Inclusion.
Application: vcart
Affected Version: 3.3.2 and other versions.
Vendor’s URL: http://www.visionburst.com/
Bug Type: File Inclusion
Risk Level: Critical
Solution:
Edit the source code to ensure that input is properly verified.
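For the file inclusion entries (phpAutoVideo above, vcart here), "properly verified" means the parameter that selects a page to include is never used as a path fragment: it is matched against a fixed list of known pages, and the resolved path is confirmed to stay inside the pages directory. The following is an added illustration in Python and not code from either application; the install path, page list and function names are assumptions made for the example.

```python
import posixpath

# Assumed install layout (illustration only): the application keeps every
# includable page under this directory, and this is the full list of pages.
PAGES_DIR = "/var/www/app/pages"
ALLOWED_PAGES = {"home", "cart", "checkout", "contact"}


def include_path_vulnerable(page):
    """The bug class in the advisories: a request parameter such as ?page=...
    is concatenated straight into the include path. '../../../../etc/passwd'
    walks out of PAGES_DIR, and where remote includes are enabled a value such
    as 'http://203.0.113.9/shell.txt?' makes the application fetch and run
    attacker-supplied code."""
    return PAGES_DIR + "/" + page + ".php"


def include_path_fixed(page):
    """Verified form: the parameter must be one of the known page names, and the
    resolved path must still lie directly under PAGES_DIR. Returns the path,
    or None when the request is rejected."""
    if page not in ALLOWED_PAGES:
        return None
    path = posixpath.normpath(posixpath.join(PAGES_DIR, page + ".php"))
    if posixpath.dirname(path) != PAGES_DIR:   # defence in depth against traversal
        return None
    return path


def classify(page):
    """Human-readable verdict used by the demo below."""
    safe = include_path_fixed(page)
    if safe:
        return "OK -> %s" % safe
    return "REJECTED %r (would have included %s)" % (page, include_path_vulnerable(page))


if __name__ == "__main__":
    for value in ["cart", "../../../../etc/passwd", "http://203.0.113.9/shell.txt?", "cart\x00"]:
        print(classify(value))
```

The allow-list is the real control; the directory check is there so that a later change to the list (say, someone adding a page name containing a slash) cannot quietly reintroduce traversal.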
Published by TL Guan January 22nd, 2008
in Content Management and Denial Of Service.
Application: Drupal
Affected Version: prior to 4.7.11 or 5.6.
Vendor’s URL: http://www.drupal.org/
Bug Type: Cross Site Scripting
Risk Level: Critical
Solution:
Update to 4.7.11 or 5.6.
Published by TL Guan January 22nd, 2008
in Content Management and Denial Of Service.
Application: Mambo
Affected Version: all 4.5.x and 4.6.x versions.
Vendor’s URL: http://www.mambo-foundation.org/
Bug Type: Denial of Service
Risk Level: Medium
Solution:
Apply patch below:
Patch 4.6.x
Patch 4.5.x
Published by TL Guan January 22nd, 2008
in Cross Site Scripting.
Application: WebEvent
Affected Version:
Vendor’s URL: WebEvent
Bug Type: Cross Site Scripting
Risk Level: Medium
Solution:
Filter malicious characters and character sequences in a web proxy.
Application: PortalApp
Affected Version: 4.0.
Vendor’s URL: PortalApp
Bug Type: Security Bypass, Cross Site Scripting
Risk Level: Critical
Solution:
Edit the source code to ensure that input is properly sanitized and access to dangerous actions is properly restricted.