For well over a decade our focus at ionCube has been on PHP security, but recently, with the release of ionCube24, we have been looking into other kinds of vulnerabilities. This post collects a few of the interesting issues we came across this week.
A selection of this week’s more interesting vulnerability disclosures and cyber security news.
- Bugtraq: SafeBreach advisory: Node.js HTTP Response Splitting (CVE-2016-2216)
- Bugtraq: SSO Authentication Bypass and Website Takeover in DOKEOS
- CVE-2016-2230 OpenELEC and RasPlex devices have a hardcoded password for the root account, which makes it easier for remote attackers to obtain access via an SSH session.
- Linode SSH key blunder left virtual servers open to man-in-the-middle fiddles for months (The Register)
- Oracle posts security patch for bug that could result in ‘complete compromise’ of Windows machines (ZDNet)
- Patch ASAP: Tons of Linux apps can be hijacked by evil DNS servers, man-in-the-middle miscreants (The Register)