Posted by webmaster on Apr 16

Stored Cross Site Scripting in Ektron CMS 8.7

CVE reference: CVE-2014-2729
Affected platforms: Ektron Web Content Management System
Version: 8.7.0
Date: 2013-December-19
Security risk: Medium (CVSS – AV:N/AC:L/Au:S/C:P/I:P/A:N)
Researcher: Joseph Zeng Xianbo
Vendor Status: Issue reported to be patched in Ektron CMS SP2 Patch Update:


SmartAboutThings (1951032) writes “While we are still waiting for the official Windows 8.1 touch-enabled apps to get launched on the Windows Store, Microsoft went and decided that it’s time to finally bring the Office online apps to the Chrome Web Store, instead. Thus, Microsoft is making the Web versions of its Word, Excel, PowerPoint and OneNote apps available to users through the Chrome Web Store and also improving all of them with new features, along with several bug fixes and performance improvements.” More on the Microsoft front: an anonymous reader wrote in with a link to Ars Technica’s review of the upcoming Windows Phone 8.1 release: “It is a major platform update even if it is just a .1 release. Updates include the debut of Cortana, using the same kernel as Windows 8.1 and the Xbox One, a notebook reminder app, inner circle friend management, IE 11, Nokia’s camera app by default, lock screen and background customizations, a much improved email client with calendar support, more general Windows 8.1 API inclusion for better portability, and a notification center. Ars rated it more of a Windows Phone 9 release than .1 update.”

Read more of this story at Slashdot.

Speed up Apache webserver with mod_pagespeed and memcached on Debian 7 (Wheezy)

Page load time matters more and more for websites, both for the user experience and for search engine ranking. Google has developed the Apache module "mod_pagespeed" to optimize and streamline content delivery from the Apache webserver, which reduces page load times, especially for pages that pull in many assets such as CSS files, JavaScript includes and images.
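As an added illustration (not the linked tutorial's own configuration file), the Apache-side part of such a setup comes down to a handful of directives; the file path and the memcached address are assumptions for a stock Debian 7 install with the Google mod-pagespeed package:

```apache
# /etc/apache2/mods-available/pagespeed.conf (path assumed; the Google
# mod-pagespeed .deb ships a file of this name). Added example, not the
# tutorial's own file.
<IfModule pagespeed_module>
    ModPagespeed on

    # CoreFilters already covers the safe defaults (minify/combine CSS and
    # JS, image recompression); listing the combiners makes the intent explicit.
    ModPagespeedRewriteLevel CoreFilters
    ModPagespeedEnableFilters combine_css,combine_javascript

    # On-disk cache for rewritten assets, shared with memcached below.
    ModPagespeedFileCachePath /var/cache/mod_pagespeed/

    # Shared metadata cache. memcached speaks an unauthenticated protocol,
    # so the instance must stay bound to loopback ("-l 127.0.0.1" in
    # /etc/memcached.conf); an exposed cache both leaks rewritten content
    # and lets anyone on the network poison what Apache serves.
    ModPagespeedMemcachedServers 127.0.0.1:11211
</IfModule>
```

After `a2enmod pagespeed` and an Apache reload, the response headers carry `X-Mod-Pagespeed`, which is the quickest check that the module is active; `ss -ltnp | grep 11211` confirms memcached is only listening on 127.0.0.1.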

Plus: Why do we splatter the internet with plugs for our employers, anyway?

Posted by Security Alert on Apr 16

ESA-2014-028: EMC Cloud Tiering Appliance XML External Entity (XXE) and Information Disclosure Vulnerabilities

EMC Identifier: ESA-2014-028

CVE Identifier: CVE-2014-0644, CVE-2014-0645

Severity Rating: CVSS v2 Base Score: See below for individual scores

Affected products:
• EMC Cloud Tiering Appliance (CTA) 10
• EMC Cloud Tiering Appliance (CTA) 10 SP1
• EMC Cloud Tiering Appliance (CTA) 9.x
• EMC File…

Do not pass go, do cough (up to) $840m in damages

Apple has lost its bid to dismiss an $840m class action lawsuit over the ebook price-fixing fiasco.…

CanHasDIY (1672858) writes “In his yet-to-be-released book, Six Amendments: How and Why We Should Change the Constitution, John Paul Stevens, who served as an associate justice of the Supreme Court for 35 years, believes he has the key to stopping the seeming recent spate of mass killings — amend the Constitution to exclude private citizens from armament ownership. Specifically, he recommends adding 5 words to the 2nd Amendment, so that it would read as follows: ‘A well regulated Militia, being necessary to the security of a free State, the right of the people to keep and bear Arms when serving in the Militia shall not be infringed.’ What I find interesting is how Stevens maintains that the Amendment only protects armament ownership for those actively serving in a state or federal military unit, in spite of the fact that the Amendment specifically names ‘the People’ as a benefactor (just like the First, Fourth, Ninth, and Tenth) and of course, ignoring the traditional definition of the term militia. I’m personally curious about his other 5 suggested changes, but I guess we’ll have to wait until the end of April to find out.”

Here is a long piece from Christian Schaller describing the planning for the upcoming Fedora Workstation product. "So when we are planning the Fedora Workstation we are not just looking at what features we can develop for individual libraries or applications like GTK+, Firefox or LibreOffice, but we are looking at what we want the system as a whole to look like. And maybe most important we try our hardest to look at things from a feature/usecase viewpoint first as opposed to a specific technology

[security bulletin] HPSBUX03001 SSRT101382 rev.1 – HP-UX Whitelisting (WLI), Local System Integrity Risk

Bugtraq: [SECURITY] [DSA 2905-1] chromium-browser security update

Bugtraq: CVE-2014-2735 – WinSCP: missing X.509 validation

Eben Moglen's FreedomBox concept (personal servers for everyone to enable private communication) is getting closer to being an easy-to-install reality: all packages needed for FreedomBox are now in Debian's unstable branch, and should be migrating to testing in a week or two. Quoting Petter Reinholdtsen: "Today, the last of the packages currently used by the project to create the system images were accepted into Debian Unstable. It was the freedombox-setup package, which is used to configure the images during build and on the first boot. Now all one needs to get going is the build code from the freedom-maker git repository and packages from Debian. And once the freedombox-setup package enters testing, we can build everything directly from Debian. :) Some key packages used by Freedombox are freedombox-setup, plinth, pagekite, tor, privoxy, owncloud, and dnsmasq. There are plans to integrate more packages into the setup. User documentation is maintained on the Debian wiki." You can create your own image with only three commands, at least if you have a DreamPlug or Raspberry Pi (you could also help port it to other platforms).

Posted by security-alert on Apr 16

Note: the current version of the following document is available here:


Document ID: c04239374
Version: 1

HPSBMU02999 rev.1 – HP Software Autonomy WorkSite Server (On-Premises Software), Running OpenSSL, Remote Disclosure of Information

NOTICE: The information in this Security Bulletin should be acted upon as

Hackers attempt to BLACKMAIL plastic surgeons

Nip, tuck and pwn

Cybercrooks attempted to extort a chain of cosmetic surgeons after hacking into its systems and stealing an estimated 480,000 files stuffed with info about prospective nip-'n'-tuck customers.…

SQL Injection in mAdserve

Posted by High-Tech Bridge Security Research on Apr 16

Advisory ID: HTB23209
Product: mAdserve
Vendor: MobFox
Vulnerable Version(s): 2.0 and probably prior
Tested Version: 2.0
Advisory Publication: March 26, 2014 [without technical details]
Vendor Notification: March 26, 2014
Public Disclosure: April 16, 2014
Vulnerability Type: SQL Injection [CWE-89]
CVE Reference: CVE-2014-2654
Risk Level: Medium
CVSSv2 Base Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
Solution Status: Solution Available…
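The advisory above gives no technical detail, so the following is an added, generic illustration of the bug class it names (CWE-89), not mAdserve's code: the `campaigns` table, the `owner` parameter and the sample rows are invented for the example. It puts the query shape that produces an authenticated SQL injection (matching the Au:S vector) beside the parameterized form, and runs two classic payloads against both. Python with the standard-library sqlite3 module, so it runs offline.

```python
import sqlite3

# Constructed sample data standing in for an ad server's tables.
# Added illustration of CWE-89; nothing here is mAdserve's schema or code.
SAMPLE_ROWS = [("spring_promo", "alice"), ("summer_sale", "bob"), ("secret_test", "carol")]


def make_db():
    """Build an in-memory database with an assumed 'campaigns' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE campaigns (id INTEGER PRIMARY KEY, name TEXT, owner TEXT)")
    conn.executemany("INSERT INTO campaigns (name, owner) VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def campaigns_vulnerable(conn, owner):
    """The bug: a user-controlled value is spliced into the SQL text (CWE-89).

    An authenticated user is supposed to see only their own campaigns, but the
    quoting is theirs to break out of.
    """
    sql = "SELECT name FROM campaigns WHERE owner = '" + owner + "'"
    return [row[0] for row in conn.execute(sql)]


def campaigns_safe(conn, owner):
    """Same query with the value bound as a parameter; it is never parsed as SQL."""
    return [row[0] for row in conn.execute("SELECT name FROM campaigns WHERE owner = ?", (owner,))]


# Two classic payloads: a tautology that returns every owner's rows, and a
# UNION that pulls a different column out through the same result set. The
# trailing "--" comments out the closing quote the application appends.
TAUTOLOGY = "alice' OR '1'='1"
UNION_DUMP = "' UNION SELECT owner FROM campaigns--"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, tautology:", campaigns_vulnerable(db, TAUTOLOGY))
    print("vulnerable, union    :", campaigns_vulnerable(db, UNION_DUMP))
    print("safe, tautology      :", campaigns_safe(db, TAUTOLOGY))
    print("safe, legitimate     :", campaigns_safe(db, "alice"))
```

The safe variant returns nothing for either payload because the whole string is compared against `owner` as data; the fix for this class of finding is always binding, not escaping, since escaping must be redone per database dialect and is easy to get wrong.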

theodp (442580) writes “As Google Glass goes on sale [ed: or rather, went on sale] to the general public, GeekWire reports that Bill Gates has already snagged one patent for ‘detecting and responding to an intruding camera’ and has another in the works. The invention proposes to equip computer and device displays with technology for detecting and responding to any cameras in the vicinity by editing or blurring the content on the screen, or alerting the user to the presence of the camera. Gates and Nathan Myhrvold are among the 16 co-inventors of the so-called Unauthorized Viewer Detection System and Method, which the patent application notes is useful ‘while a user is taking public transportation, where intruding cameras are likely to be present.’ So, is Bill’s patent muse none other than NYC subway rider Sergey Brin?” A more cynical interpretation: closing the analog hole. Vaguely related, mpicpp pointed out that Google filed a patent for cameras embedded in contact lenses.

Lucky customers get to play with a BRA as well

Granite is an unchanging rock. The ROBO product of that name, however, has just been rebranded by Riverbed as SteelFusion, nominally tying it into Riverbed’s Steelhead WAN optimiser products.…

Adobe Flash Player and AIR CVE-2014-0509 Unspecified Cross Site Scripting Vulnerability

Adobe Flash Player and AIR CVE-2014-0508 Unspecified Security Vulnerability

Adobe Flash Player Use After Free Remote Code Execution Vulnerability