
mundy.

Active Members
  • Posts: 212
Everything posted by mundy.

  1. I'll give you my license; I already have a licensed antivirus. S3CACNL
  2. It's a big piece of junk, especially since the theme was made by a good friend of mine. Are you really shameless enough to change the credits too? Some people, I swear. I hope you shut down within a day; you're just a bunch of amateurs.
  3. Selling a Steam account that has all the CS games, together with the items earned. Below is a picture as proof that I own it: PS. It's not me selling the account, but a friend. Here is a messenger ID that belongs to him: romanianmc@yahoo.com
  4. Recommended. By the way, did you move here from extream?
  5. I've already sold the domain, sorry.
  6. I'd like this account (Steam Community :: Tr[E]fLa); would you accept a .ro domain in exchange? I've sent you a PM with the domain.
  7. You're pretty much right about internet speed in RO.
  8. I have an account with a 1.80 ratio.
  9. As the title says, I'm selling a .ro domain; those who want a link to it, PM me. Price: 15 euro. Proof that I own it: STOP ASKING FOR THE DOMAIN NAME IF YOU'RE NOT INTERESTED
  10. It doesn't work if it's branded.
  11. What's the logic? I don't understand what this is about.
  12. HackerOne, the popular security response and bug bounty platform, rewarded a researcher with a $5,000 bounty for identifying a severe cross-site scripting (XSS) vulnerability. HackerOne hosts bug bounty programs for several organizations, but the company also runs a program for its own services. So far, HackerOne has thanked 54 hackers for helping the company keep its services secure, but Trello developer Daniel LeCheminant is the first to find a flaw rated "severe." The researcher discovered that he could insert arbitrary HTML code into bug reports and other pages that use Markdown, a markup language designed for text-to-HTML conversions. "While being able to insert persistent, arbitrary HTML is often game over, HackerOne uses Content Security Policy (CSP) headers that made a lot of the fun stuff ineffective; e.g. I could insert a <script> tag or an element with an event handler, but it wouldn't run because these unsafe inline scripts were blocked by their CSP," LeCheminant explained in a blog post. "Fortunately (for me) not all browsers have full support for CSP headers (e.g. Internet Explorer 11), so it wasn't hard to make a case that being able to run arbitrary script when someone attempted to view a bug that I'd submitted qualified as something that 'might grant unauthorized access to confidential bug descriptions'," he added. An attacker couldn't have exploited the vulnerability to run arbitrary scripts, but as the expert demonstrated, the bug was serious enough. LeCheminant managed to change visual elements on the page (e.g. the color of the links) because HackerOne's CSP allows inline styles, and even to insert an image into his submission. According to the researcher, an attacker could also have inserted other elements, such as text areas, and he could have redirected visitors of the page to an arbitrary website by using the meta refresh method.
When users click on links found in bug reports, they are redirected to a warning page where they are informed that they are about to leave HackerOne and visit a potentially unsafe website. However, by leveraging the XSS found by LeCheminant, a malicious actor could have bypassed the warning page and taken users directly to a potentially harmful site. The vulnerability was reported just three days ago and was resolved by HackerOne one day later. Source: securityweek.com
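The post above describes three things an allowlist sanitizer at the Markdown-rendering layer would have stopped regardless of browser CSP support: arbitrary tags surviving into the page, inline `style` attributes (which the CSP allowed), and a `<meta http-equiv="refresh">` that skipped the link-warning interstitial. The following Python sanitizer is an added example written for this page; it is not HackerOne's code and is not part of the post. The tag/attribute allowlist, the `https://example.invalid/redirect?url=` interstitial and the test payloads are constructed assumptions. It runs each payload class named in the article (inline `<script>`, an `on*` handler, meta refresh, an inline style, a `<textarea>` plus `<img>`, and a `javascript:` link) through the sanitizer and shows what survives:

```python
"""Allowlist sanitizer for Markdown-rendered HTML.

Constructed example: the allowlist, interstitial URL and payloads below are
assumptions made for illustration, not any real site's configuration.
"""
import html
from html.parser import HTMLParser
from urllib.parse import quote, urlsplit

# Tags that survive. Anything else is dropped but its text content is kept,
# except DROP_WITH_CONTENT elements, whose body is discarded as well.
ALLOWED_TAGS = {"p", "a", "strong", "em", "code", "pre", "ul", "ol", "li", "br", "blockquote"}
VOID_TAGS = {"br"}
DROP_WITH_CONTENT = {"script", "style", "textarea", "iframe", "object"}
ALLOWED_ATTRS = {"a": {"href", "title"}}   # no style=, no on* handlers anywhere
SAFE_SCHEMES = {"http", "https"}
# Hypothetical link-warning interstitial; a real application has its own.
INTERSTITIAL = "https://example.invalid/redirect?url="


def rewrite_href(url):
    """Relative links pass through, http(s) links go via the interstitial,
    any other scheme (javascript:, data:, vbscript: ...) is rejected (None)."""
    parts = urlsplit(url.strip())
    if parts.scheme == "" and parts.netloc == "":
        return url
    if parts.scheme.lower() not in SAFE_SCHEMES:
        return None
    return INTERSTITIAL + quote(url, safe="")


class MarkdownSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0   # > 0 while inside an element dropped with its content

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            if tag in DROP_WITH_CONTENT:
                self.skip_depth += 1
            return
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = 1
            return
        if tag not in ALLOWED_TAGS:      # <meta>, <img>, <svg>, ... vanish; text stays
            return
        kept = []
        for name, value in attrs:
            name = name.lower()
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue                 # drops style="..." and every on* handler
            if name == "href":
                value = rewrite_href(value or "")
                if value is None:
                    continue
            kept.append(f' {name}="{html.escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if self.skip_depth:
            if tag in DROP_WITH_CONTENT:
                self.skip_depth -= 1
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))   # re-escape text nodes


def sanitize(rendered_html):
    """Return the allowlisted version of HTML produced by a Markdown renderer."""
    parser = MarkdownSanitizer()
    parser.feed(rendered_html)
    parser.close()
    return "".join(parser.out)


# Constructed payloads mirroring the classes described in the article.
PAYLOADS = {
    "script": "<p>hi</p><script>alert(1)</script>",
    "handler": '<a href="https://example.com/" onclick="alert(1)">x</a>',
    "meta_refresh": '<meta http-equiv="refresh" content="0;url=https://evil.invalid/">text',
    "inline_style": '<a style="color:red" href="/report/1">report</a>',
    "textarea": '<textarea>fake form</textarea><img src="https://evil.invalid/t.png">',
    "javascript_url": '<a href="javascript:alert(1)">click</a>',
}

if __name__ == "__main__":
    for name, payload in PAYLOADS.items():
        print(f"{name:15} {sanitize(payload)!r}")
```

Run it with `python3 sanitizer.py`: the `<script>` and `<textarea>` bodies disappear, the `onclick` and `style` attributes are stripped, `<meta>` and `<img>` are removed while surrounding text is kept, the `javascript:` link is left as a bare `<a>`, and the external link is rewritten through the interstitial so the warning page cannot be skipped. Content sanitized this way does not depend on the viewer's browser honouring CSP, which is the gap the researcher used against IE11.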
  13. Siemens has resolved several vulnerabilities affecting the company's SCALANCE industrial switches and Ruggedcom WIN base stations. According to an advisory published by ICS-CERT, the SCALANCE X-200IRT (Isochronous Realtime Ethernet) switch family is affected by a remotely exploitable user impersonation vulnerability (CVE-2015-1049). The switches are used to connect programmable logic controllers (PLCs), human-machine interfaces (HMIs) and other industrial components. The devices are deployed in various sectors worldwide. "The device's web server could allow unauthenticated attackers to impersonate legitimate users of the web interface (Port 80/TCP and Port 443/TCP) if an active web session of an authenticated user exists at the time of attack," ICS-CERT said in its advisory. The vulnerability affects SCALANCE X-200IRT switches running versions of the firmware prior to V5.2.0. The company addressed the issue with the release of version 5.2.0. There are no known public exploits for the vulnerability and Siemens has pointed out that an attacker needs network access to the device and a legitimate user must be logged in to the targeted switch's Web interface for the attack to work. Siemens has also released a firmware update to fix a total of three vulnerabilities affecting Ruggedcom WIN, high-power, broadband wireless base stations used in various sectors across the world. The issues were discovered and reported to the company by IOActive researchers. One of the security holes found in Ruggedcom WIN solutions is an improper authentication issue (CVE-2015-1448) that can be leveraged by an unauthenticated attacker to perform administrative operations on the network. A critical buffer overflow vulnerability (CVE-2015-1449) that could be exploited for remote code execution affects the device's integrated Web server, ICS-CERT said.
Another flaw impacting Ruggedcom WIN devices can be leveraged by a malicious actor to obtain passwords from security logs or local files (CVE-2015-1357). The flaws have not been exploited in the wild and they can only be leveraged by an attacker with network access to the devices, and access to security log files (in the case of CVE-2015-1357), Siemens noted in its advisory. The vulnerabilities affect Ruggedcom WIN51xx and WIN52xx versions prior to SS4.4.4624.35, and WIN70xx and WIN72xx versions prior to BS4.4.4621.32. Siemens advises industrial control system (ICS) operators to install the latest firmware versions and protect network access to these products by using appropriate mechanisms. In January, the Germany-based electronics and industrial conglomerate released firmware updates to address security holes in SCALANCE industrial switches and SIMATIC controllers. Source: securityweek.com
  14. A researcher has identified a serious universal cross-site scripting (UXSS) vulnerability in the latest version of Microsoft's Internet Explorer web browser. The issue was discovered by David Leo, a researcher at the UK-based security firm Deusen. The vulnerability can be leveraged to completely bypass Same Origin Policy (SOP), the policy that prevents scripts loaded from one origin from interacting with a resource from another origin. The bug allows an attacker to "steal anything from another domain, and inject anything into another domain," the expert said in a post on Full Disclosure. A proof-of-concept (PoC) exploit for the vulnerability, tested on Internet Explorer 11 running on Windows 7, was published by Leo over the weekend. The PoC shows how an external domain can alter the content of a website. In the demonstration, the text "Hacked by Deusen" is injected into the website of The Daily Mail. The URL in the browser's address bar remains the same, in this case dailymail.co.uk, even after the arbitrary content is injected, which makes this vulnerability ideal for phishing attacks. Joey Fowler, a senior security engineer at Tumblr, said the exploit has some "quirks," but it works as long as the targeted website doesn't have X-Frame-Options headers with "deny" or "same-origin" values. "Pending the payload being injected, most Content Security Policies are also bypassed (by injecting HTML instead of JavaScript, that is)," Fowler said in a reply to Leo's Full Disclosure post. "It looks like, through this method, all viable XSS tactics are open!" Fowler has also highlighted the fact that the exploit can even bypass standard HTTP-to-HTTPS restrictions. The issue was reported to Microsoft on October 13, 2014. The company says it's working on fixing the vulnerability, but has pointed out that an attacker needs to trick potential victims into visiting a malicious website for the exploit to work.
"To successfully exploit this issue, an adversary would first need to lure a person, often through trickery such as phishing, to a malicious website that they've created. SmartScreen, which is on by default in newer versions of Internet Explorer, helps protect against nefarious phishing websites," a Microsoft spokesperson told SecurityWeek. "We're not aware of this vulnerability being actively exploited and are working to address it with an update. We continue to encourage customers to avoid opening links from untrusted sources and visiting untrusted sites, and to log out when leaving sites to help protect their information." This isn't the first time a vulnerability affecting Microsoft products has been disclosed before the company manages to release a patch. Over the past weeks, Google's Project Zero published the details of three Windows vulnerabilities after the expiration of a 90-day disclosure deadline. Source: securityweek.com
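Both the HackerOne write-up (post 12: CSP blocked inline script but allowed inline style) and this IE report (the exploit works only against pages that lack a deny/same-origin X-Frame-Options header) come down to what a response's headers actually permit. The Python header review below is an added example written for this page; it is not from either article, nor from Microsoft, Deusen or HackerOne, and the three header sets are constructed. It evaluates X-Frame-Options separately from the CSP `frame-ancestors` directive, because a browser without `frame-ancestors` support, as IE11 was, sees only the former; for the inline checks it applies the `default-src` fallback and the CSP Level 2 rule that a nonce or hash source makes `'unsafe-inline'` ineffective:

```python
"""Review HTTP response headers for framing protection and inline-content allowances.

Constructed example: the WEAK / LEGACY_GAP / HARDENED header sets are made up
for illustration and do not describe any real site.
"""

KEYWORD_SOURCES = {"'self'", "'none'", "'unsafe-inline'", "'unsafe-eval'", "'strict-dynamic'"}
INLINE_OVERRIDES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(value):
    """Turn "a 'self'; b 'self' 'unsafe-inline'" into {"a": ["'self'"], "b": [...]}.
    Directive names and keyword sources are case-insensitive; host sources and
    nonce/hash values are kept as written. A repeated directive is ignored, as browsers do."""
    policy = {}
    for chunk in value.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in policy:
            policy[name] = [t.lower() if t.lower() in KEYWORD_SOURCES else t for t in tokens[1:]]
    return policy


def effective_sources(policy, directive):
    """Fetch directives (script-src, style-src, ...) fall back to default-src when
    absent; frame-ancestors does not. None means nothing governs the directive."""
    if directive in policy:
        return policy[directive]
    if directive == "frame-ancestors":
        return None
    return policy.get("default-src")


def inline_allowed(sources):
    """Inline code runs when no directive governs it, or when 'unsafe-inline' is
    present and not neutralised by a nonce/hash source (CSP Level 2 ignores it then)."""
    if sources is None:
        return True
    if "'unsafe-inline'" not in sources:
        return False
    return not any(s.startswith(INLINE_OVERRIDES) for s in sources)


def review(headers):
    """Return the framing/inline posture of one response plus human-readable findings."""
    h = {k.lower(): v for k, v in headers.items()}
    csp = parse_csp(h.get("content-security-policy", ""))

    xfo = h.get("x-frame-options", "").strip().upper()
    xfo_protects = xfo in ("DENY", "SAMEORIGIN")
    fa = effective_sources(csp, "frame-ancestors")
    fa_protects = fa is not None and set(fa) <= {"'none'", "'self'"}

    result = {
        # Browsers that implement frame-ancestors obey it and ignore X-Frame-Options
        # when both are present; without it they fall back to X-Frame-Options.
        "framable_modern": (not fa_protects) if fa is not None else (not xfo_protects),
        # Browsers without frame-ancestors support (IE11 among them) see only X-Frame-Options.
        "framable_legacy": not xfo_protects,
        "inline_script": inline_allowed(effective_sources(csp, "script-src")),
        "inline_style": inline_allowed(effective_sources(csp, "style-src")),
    }
    messages = (
        ("framable_legacy", "X-Frame-Options missing or permissive: framable in browsers without frame-ancestors"),
        ("framable_modern", "CSP frame-ancestors missing or permissive: framable by third-party origins"),
        ("inline_script", "inline script permitted: injected <script> or on* handlers execute"),
        ("inline_style", "inline style permitted: injected HTML can restyle the page"),
    )
    result["findings"] = [msg for flag, msg in messages if result[flag]]
    return result


# Constructed header sets.
WEAK = {
    "Content-Type": "text/html",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'",
}
LEGACY_GAP = {   # safe in modern browsers, framable in IE11-era browsers
    "Content-Type": "text/html",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
}
HARDENED = {
    "Content-Type": "text/html",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-abc123'; style-src 'self'; frame-ancestors 'none'",
}

if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK), ("legacy_gap", LEGACY_GAP), ("hardened", HARDENED)):
        print(f"{name:11} {review(hdrs)['findings']}")
```

`WEAK` reproduces the HackerOne situation (inline script blocked, inline style allowed) and is framable everywhere; `LEGACY_GAP` is the case this IE report makes relevant, a page that relies on `frame-ancestors` alone and is therefore still framable by a browser that does not implement it; `HARDENED` sets both headers and reports no findings. Feed `review()` the header dictionary from `requests`, `httpx` or a saved response to check a real deployment.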
  15. Google recently removed multiple applications from its Google Play store after reports surfaced linking the apps to adware. Researchers at the security vendor Avast called out three apps laced with adware. The most popular of these is the Durak card game, which has been downloaded between five and 10 million times. The other apps were a history application and an IQ test app. Unlike other examples of adware, these applications waited an extended period of time before displaying anything. "When you install Durak, it seems to be a completely normal and well working gaming app," Avast's Filip Chytry blogged Tuesday. "This was the same for the other apps, which included an IQ test and a history app. This impression remains until you reboot your device and wait for a couple of days. After a week, you might start to feel there is something wrong with your device. Some of the apps wait up to 30 days until they show their true colors. After 30 days, I guess not many people would know which app is causing abnormal behavior on their phone right?" Each time an infected user unlocked their device an ad would be presented to them warning them about a problem such as the device being infected or out-of-date. "This, of course, is a complete lie," Chytry blogged. The user is then asked to take action. If they approve, they are redirected to harmful threats on fake pages, such as "dubious app stores and apps that attempt to send premium SMS behind your back or to apps that simply collect too much of your data for comfort while offering you no additional value," he continued. Sometimes users were directed to security apps on Google Play. However, even if the user installed the security apps, the ads would still appear, Chytry noted. "This kind of threat can be considered good social engineering," he wrote. "Most people won't be able to find the source of the problem and will face fake ads each time they unlock their device.
I believe that most people will trust that there is a problem that can be solved with one of the apps advertised 'solutions' and will follow the recommended steps, which may lead to an investment into unwanted apps from untrusted sources." Source: securityweek.com
  16. Adobe Systems has made a patch available for a zero-day vulnerability in Flash Player that came under attack in recent days. The vulnerability, CVE-2015-0313, affects Adobe Flash Player 16.0.0.296 and earlier versions for Windows, Macintosh and Linux, as well as Flash Player 13.0.0.264 and earlier 13.x versions. The vulnerability can be exploited to cause a crash and possibly take control of a vulnerable system. So far, the vulnerability is known to have been used to target systems running Internet Explorer and Firefox on Windows 8.1 and below. The bug has been linked to malvertising attacks. In the days since news broke of the vulnerability, security researchers have determined that the zero-day was being leveraged by a lesser known exploit kit called 'HanJuan', not the Angler kit as some had previously thought. "Exploit kits are made of different parts that can be updated as time goes on," Malwarebytes Senior Security Researcher Jerome Segura blogged recently. "That is one critical part as most software programs evolve and new vulnerabilities are discovered. Since there is a high demand to have the most effective exploitation tools, there is a lot of money that goes into making the exploit kits better." The malvertising attack detected by Trend Micro impacted visitors to dailymotion.com, who were directed to a series of sites that ultimately led to the exploit kit. Malvertisements are an old style of malware delivery, but they remain incredibly notorious because websites have no choice but to load ads and trust whatever content is served by third parties, blogged Trend Micro Threats Analyst Brooks Li. Users, on the other hand, have no choice but to accept ads as a part of their everyday browsing experience as well, Li added. According to Adobe, users who have enabled auto-update for the Flash Player desktop runtime will be receiving version 16.0.0.305 beginning today to fix CVE-2015-0313.
"Adobe expects to have an update available for manual download on February 5, and we are working with our distribution partners to make the update available in Google Chrome and Internet Explorer 10 and 11," according to Adobe. This vulnerability is the third Flash Player zero-day discovered in the past month that came under attack. In January, Adobe patched CVE-2015-0310, which could be used to circumvent memory randomization mitigations on Windows, as well as CVE-2015-0311, which could be leveraged to cause a crash or hijack a vulnerable system. Source: securityweek.com
  17. (in thread: secure.js) You beat me to it.