This week’s web vulnerability news includes an article about scareware posing as cheats for the popular game Minecraft: instead of cheats, the apps try to scare users into believing their device is infected. As always, be sure to check out the ionCube24 section to see what it can protect against for your own website.
General
- CVE-2015-1835: Remote exploit of secondary configuration variables – Posted by Dirk-Willem van Gulik on behalf of Apache Cordova on May 28
- Experts Concerned About Effects of Proposed Wassenaar Cybersecurity Rules (SecurityWeek)
- Why Facebook, Google And Yahoo Security Pros Are Furious About Exploit Export Rules (Forbes)
ionCube24
Infrastructure
- Blackhat hack trick wallops popular routers (The Register)
- How Google let another certificate expire? As far as I know, it isn’t the first time… (Reddit)
- Is It Possible for Passengers to Hack Commercial Aircraft? (WIRED)
- New Linux-Based Router Worm Used in Social Network Scheme
- Vuln: OpenSSL CVE-2014-3509 Remote Denial of Service Vulnerability
- [SEARCH-LAB advisory] More than fifty vulnerabilities in D-Link NAS and NVR devices
Malware
- 2.8 million victims squared up by malicious Minecraft apps (The Register)
- Fake Minecraft Cheats Hosted on Google Play Hide Android Scareware (SecurityWeek)
- Grabit campaign spies on SMBs, steals sensitive data (ZDNet)
- New PoS Malware Hits Victims Via Spam Campaign: FireEye
- Ransomware threat ‘Locker’ has sleeper component (SC Magazine)
- Scammers use Facebook to distribute malware disguised as video player (SC Magazine)
- Small businesses trashed in big malware campaign (The Register)
- Small-to Mid-sized Organizations Targeted By ‘Grabit’ Cyberspies (Dark Reading)
- Trojanized PuTTY Software (Reddit)
PHP Security
- CVE-2012-1978 – Multiple cross-site request forgery (CSRF) vulnerabilities in Simple PHP Agenda 2.2.8 and earlier
- CVE-2015-0916 – SQL injection vulnerability in graph.php in Cacti before 0.8.6f allows remote authenticated users to execute arbitrary SQL commands via the local_graph_id parameter, a different vulnerability than CVE-2007-6035.
- CVE-2015-0935 – Bomgar Remote Support before 15.1.1 allows remote attackers to execute arbitrary PHP code via crafted serialized data to unspecified PHP scripts.
- CVE-2015-2945 – mt-phpincgi.php in Hajime Fujimoto mt-phpincgi before 2015-05-15 does not properly restrict URLs
- CVE-2015-3902 – Multiple cross-site request forgery (CSRF) vulnerabilities in the setup process in phpMyAdmin 4.0.x before 4.0.10.10, 4.2.x before 4.2.13.3, 4.3.x before 4.3.13.1, and 4.4.x before 4.4.6.1
- CVE-2015-3903 – libraries/Config.class.php in phpMyAdmin 4.0.x before 4.0.10.10, 4.2.x before 4.2.13.3, 4.3.x before 4.3.13.1, and 4.4.x before 4.4.6.1 disables X.509 certificate verification for GitHub API calls over SSL
- CVE-2015-3921 – Cross-site scripting (XSS) vulnerability in contact.php in Coppermine Photo Gallery before 1.5.36 allows remote authenticated users to inject arbitrary web script or HTML via the referer parameter. (CVSS:0.0)
- CVE-2015-3922 – Open redirect vulnerability in mode.php in Coppermine Photo Gallery before 1.5.36 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the referer parameter.
- CVE-2015-4134 – Open redirect vulnerability in goto.php in phpwind 8.7
- CVE-2015-4135 – Cross-site scripting (XSS) vulnerability in goto.php in phpwind 8.7
- Unauthorized Access Vulnerability Fixed in Symfony (SecurityWeek)
- Vuln: PHP SSL Certificate Validation CVE-2013-4248 Security Bypass Vulnerability
- Vuln: php-gd ‘gdxpm.c’ NULL Pointer Dereference Denial of Service Vulnerability
User Space
- Flawed Android factory reset leaves crypto and login keys ripe for picking
- Google launches native Android Smart Lock password manager (The Register)
- Google: Account Recovery Security Questions Not Very Secure (Dark Reading)
- In Britain, Malware No. 1 Cyberthreat (InfoRiskToday)
- There’s a Moose loose aboot this hoose: Linux worm hijacks Twitter feeds for spam slinging (The Register)
WordPress
- Bugtraq: CVE-2015-4038 – WordPress WP Membership plugin [Privilege escalation]
- Bugtraq: CVE-2015-4084 – WordPress Free Counter Plugin [Stored XSS]
- CVE-2015-3647 – Multiple cross-site scripting (XSS) vulnerabilities in wppa-ajax-front.php in the WP Photo Album Plus (aka WPPA) plugin before 6.1.3
- CVE-2015-4018 – SQL injection vulnerability in feedwordpresssyndicationpage.class.php in the FeedWordPress plugin before 2015.0514
- CVE-2015-4038 – WordPress WP Membership plugin [Privilege escalation]
- CVE-2015-4039 – WordPress WP Membership plugin [Stored XSS]
- CVE-2015-4062 – SQL injection vulnerability in includes/nsp_search.php in the NewStatPress plugin before 0.9.9
- CVE-2015-4063 – Cross-site scripting (XSS) vulnerability in includes/nsp_search.php in the NewStatPress plugin before 0.9.9
- CVE-2015-4064 – SQL injection vulnerability in modules/module.ab-testing.php in the Landing Pages plugin before 1.8.5
- CVE-2015-4065 – Cross-site scripting (XSS) vulnerability in shared/shortcodes/inbound-shortcodes.php in the Landing Pages plugin before 1.8.5
- CVE-2015-4066 – Multiple SQL injection vulnerabilities in admin/handlers.php in the GigPress plugin before 2.3.9
- CVE-2015-4084 – Cross-site scripting (XSS) vulnerability in the Free Counter plugin 1.1
- CVE-2015-4127 – Cross-site scripting (XSS) vulnerability in the church_admin plugin before 0.810
- Vuln: WordPress WP Symposium Plugin CVE-2015-3325 SQL Injection Vulnerability
Weekly Cyber and PHP Security News