
Archive for January, 2008

Update AntiVirus Signature

January 23rd, 2008

Surfing the web nowadays is not safe; even a well-known website can be compromised. One good example is the iframe attack, which forces your browser to connect to malicious sites and download a trojan, or possibly attacks outdated applications installed on your computer.

To protect yourself from getting infected, we suggest you install anti-virus software on your computers, at least one of the free anti-virus products available for personal use (if you are not a business user), and remember to update the anti-virus signatures to the latest version. Although this will not fully protect your computer from infection, it will at least provide basic protection. Other than that, please avoid visiting unknown sites, even when the links are sent by trusted friends through instant messenger, email, or other ways.

If you notice that your website hosted at Exabytes gets compromised or infected, please contact us at support@exabytes.com immediately.

Tips

Importance of Having Strong Password

January 23rd, 2008

Over the last several months, we have seen an increase in the number of attacks on user accounts. Having a strong password is the first important step in ensuring that your account is secure. How do you choose a strong password?

  • Passwords should be at least 8 alphanumeric characters long.
  • Passwords should contain numbers, letters, and symbols if possible.
  • Passwords should be changed periodically; we recommend once every 6 months.
  • Avoid passwords made of repeated words, dictionary words, number or letter sequences (including keyboard sequences), or your username; do not reuse one password across accounts; and avoid personal information such as your birthday or car plate number.

Example of weak passwords:
admin, password, test, test123, 123456, asdfghjkl.

Example of strong passwords:
fiph2pdmq9!e, 9f2ohspm32h0s.

Compare the two types of passwords above and you will notice that the weak passwords can be easily guessed, while an attacker would probably need years to guess the strong ones.

However, strong passwords are still vulnerable to attacks like phishing, brute forcing, social engineering, and so on.
The accounts protected by your passwords often contain your private information, important data, and probably private and confidential emails, so a compromise of your accounts has a great impact on you or your organization.

If you notice any suspicious activity suggesting that someone may have accessed your accounts without authorization, please contact us at support@exabytes.com immediately.

When was the last time you changed your password? If it has been a while, we suggest you change it now.
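As an added example (not code from the original post), the rules above turned into a password-acceptance check in Python. The weak-password list is the one quoted above; the dictionary and keyboard rows are small constructed lists for the example. Both strong passwords from the post pass, the second with only a warning that it has no symbol.

```python
import re

# Constructed lists for this example; a real check would use a full dictionary
# and breach-corpus list instead of these few entries.
WEAK_PASSWORDS = {"admin", "password", "test", "test123", "123456", "asdfghjkl"}
DICTIONARY = {"password", "welcome", "dragon", "monkey", "letmein", "secret"}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890",
                 "abcdefghijklmnopqrstuvwxyz"]
MIN_LENGTH = 8

def has_keyboard_sequence(pw, run=4):
    """True if `run` consecutive chars follow a keyboard row or the alphabet, either direction."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for i in range(len(seq) - run + 1):
                if seq[i:i + run] in low:
                    return True
    return False

def is_repeated_word(pw):
    """True if the whole password is one short token repeated, e.g. 'testtest'."""
    for size in range(1, len(pw) // 2 + 1):
        if len(pw) % size == 0 and pw[:size] * (len(pw) // size) == pw:
            return True
    return False

def check_password(pw, username=None):
    """Apply the rules from the post. Returns (accepted, findings); a finding
    starting with 'warn:' is advisory only and does not reject the password."""
    findings = []
    low = pw.lower()
    if len(pw) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Za-z]", pw) or not re.search(r"[0-9]", pw):
        findings.append("must mix letters and numbers")
    if not re.search(r"[^A-Za-z0-9]", pw):
        findings.append("warn: no symbol character")  # symbols are 'if possible'
    if low in WEAK_PASSWORDS:
        findings.append("on the weak-password list")
    if low in DICTIONARY:
        findings.append("is a dictionary word")
    if is_repeated_word(low):
        findings.append("is a repeated word")
    if has_keyboard_sequence(pw):
        findings.append("contains a keyboard or alphabet sequence")
    if username and username.lower() in low:
        findings.append("contains the username")
    accepted = all(f.startswith("warn:") for f in findings)
    return accepted, findings
```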

Tips

phpAutoVideo File Inclusion and XSS

January 22nd, 2008

Application: phpAutoVideo
Affected Version: 2.23, 2.21 and other versions.
Vendor’s URL: phpAutoVideo
Bug Type: Cross Site Scripting, File Inclusion.
Risk Level: Critical

Solution:
Edit the source code to ensure that input is properly verified and sanitized.

Cross Site Scripting, File Inclusion

singapore “gallery” XSS

January 22nd, 2008

Application: singapore
Affected Version: 0.10.1 and other versions.
Vendor’s URL: http://www.sgal.org/
Bug Type: Cross Site Scripting
Risk Level: Medium

Solution:
Edit the source code to ensure that input is properly sanitized.

Cross Site Scripting, Image Galleries

MyBB SQL Injection and XSRF Vulnerabilities

January 22nd, 2008

Application: MyBB
Affected Version: 1.2.11 and prior versions.
Vendor’s URL: http://www.mybboard.net/
Bug Type: Cross Site Scripting, SQL Injection
Risk Level: Critical

Solution:
Update to version 1.2.12.

Cross Site Scripting, Discussion Boards, SQL Injection

WordPress WP-Forum Plugin SQL Injection

January 22nd, 2008

Application: WP-Forum (plugin for WordPress)
Affected Version: 1.7.4.
Vendor’s URL: http://www.fahlstad.se/wp-plugins/wp-forum/
Bug Type: SQL Injection
Risk Level: Critical

Solution:
Edit the source code to ensure that input is properly sanitized.

Content Management, SQL Injection

bloofoxCMS SQL Injection and Information Disclosure

January 22nd, 2008

Application: BloofoxCMS
Affected Version: 0.3 and other versions.
Vendor’s URL: http://www.bloofox.com/
Bug Type: SQL Injection, Information Disclosure
Risk Level: Critical

Solution:
Edit the source code to ensure that input is properly sanitized.

Restrict access to the “admin/” directory (e.g. with “.htaccess”).

Content Management, Information Disclosure, SQL Injection

BLOG:CMS Multiple Vulnerabilities

January 22nd, 2008

Application: BLOG:CMS
Affected Version: 4.2.1b.
Vendor’s URL: http://blogcms.com/
Bug Type: SQL Injection
Risk Level: Critical

Solution:
Update to version 4.2.1c.

Content Management, SQL Injection

MyBB PHP Code Execution and SQL Injection

January 22nd, 2008

Application: MyBB
Affected Version: 1.2.10 and prior versions.
Vendor’s URL: http://www.mybboard.net/
Bug Type: System access, SQL Injection
Risk Level: Critical

Solution:
Update to version 1.2.11.

Discussion Boards, Remote Command Execution, SQL Injection

Drupal Meta Tags Module Code Execution

January 22nd, 2008

Application: Drupal Meta Tags Module
Affected Version: 5.x-1.6.
Vendor’s URL: http://drupal.org/project/nodewords
Bug Type: System access
Risk Level: Critical

Solution:
Update to version 5.x-1.7.

Content Management, Remote Command Execution

vbDrupal Multiple Vulnerabilities

January 22nd, 2008

Application: vbDrupal
Affected Version: prior to version 4.7.11.0 or 5.6.0.
Vendor’s URL: http://www.vbdrupal.org/
Bug Type: Cross Site Scripting
Risk Level: Critical

Solution:
Update to version 4.7.11.0 or 5.6.0.

Content Management, Cross Site Scripting, Discussion Boards

ASP Photo Gallery Multiple SQL Injection

January 22nd, 2008

Application: ASP Photo Gallery
Affected Version: 1.0.
Vendor’s URL: http://www.matteobinda.com/apg.php
Bug Type: SQL Injection
Risk Level: Critical

Solution:
Edit the source code to ensure that input is properly sanitized.

Image Galleries, SQL Injection

minimal Gallery Information Disclosure Vulnerabilities

January 22nd, 2008

Application: minimal Gallery
Affected Version: 0.8.
Vendor’s URL: http://minimalgallery.net/home
Bug Type: Exposure of sensitive information
Risk Level: Critical

Solution:
Edit the source code to ensure that input is properly sanitized. Restrict access to php_info.php (e.g. with “.htaccess”).

Image Galleries, Information Disclosure

TaskFreak SQL Injection Vulnerability

January 22nd, 2008

Application: TaskFreak
Affected Version: 0.6.1 and other versions.
Vendor’s URL: http://www.taskfreak.com/
Bug Type: SQL Injection
Risk Level: Medium

Solution:
Edit the source code to ensure that input is properly sanitized.

Content Management, SQL Injection

vBGallery PHP Script Upload Vulnerability

January 22nd, 2008

Application: vBGallery
Affected Version: prior to version 2.4.2.
Vendor’s URL: http://www.photopost.com/
Bug Type: File Inclusion
Risk Level: Critical

Solution:
Update to version 2.4.2.

File Inclusion, Image Galleries

vcart File Inclusion Vulnerabilities

January 22nd, 2008

Application: vcart
Affected Version: 3.3.2 and other versions.
Vendor’s URL: http://www.visionburst.com/
Bug Type: File Inclusion
Risk Level: Critical

Solution:
Edit the source code to ensure that input is properly verified.

E-Commerce, File Inclusion

Drupal Multiple Vulnerabilities

January 22nd, 2008

Application: Drupal
Affected Version: prior to 4.7.11 and 5.6.
Vendor’s URL: http://www.drupal.org/
Bug Type: Cross Site Scripting
Risk Level: Critical

Solution:
Update to 4.7.11 or 5.6.

Content Management, Denial Of Service

Mambo Search DOS

January 22nd, 2008

Application: Mambo
Affected Version: all 4.5.x and 4.6.x versions.
Vendor’s URL: http://www.mambo-foundation.org/
Bug Type: Denial of Service
Risk Level: Medium

Solution:
Apply patch below:
Patch 4.6.x
Patch 4.5.x

Content Management, Denial Of Service

WebEvent XSS Vulnerability

January 22nd, 2008

Application: WebEvent
Affected Version:
Vendor’s URL: WebEvent
Bug Type: Cross Site Scripting
Risk Level: Medium

Solution:
Filter malicious characters and character sequences in a web proxy.

Cross Site Scripting

PortalApp Multiple Vulnerabilities

January 22nd, 2008

Application: PortalApp
Affected Version: 4.0.
Vendor’s URL: PortalApp
Bug Type: Security Bypass, Cross Site Scripting
Risk Level: Critical

Solution:
Edit the source code to ensure that input is properly sanitized and access to dangerous actions is properly restricted.

Access Bypass, Content Management, Cross Site Scripting, Discussion Boards