Archive for the ‘Stuffs’ Category

Save MySQL : The Petition

Sunday, January 10th, 2010

In April 2009, Oracle announced that it had agreed to acquire Sun. Since Sun had acquired MySQL the previous year, this would mean that Oracle, the market leader for closed source databases, would get to own MySQL, the most popular open source database.

If Oracle acquired MySQL on that basis, it would have as much control over MySQL as money can possibly buy over an open source project. In fact, for most open source projects (such as Linux or Apache) there isn’t any comparable way for a competitor to buy even one tenth as much influence. But MySQL’s success has always depended on the company behind it that develops, sells and promotes it. That company (initially MySQL AB, then Sun) has always owned the important intellectual property rights (IPRs), most notably the trademark, copyright and (so far only for defensive purposes) patents. It has used the IPRs to produce income and has reinvested a large part of those revenues in development, getting not only bigger but also better with time.

If those IPRs fall into the hands of MySQL’s primary competitor, then MySQL immediately ceases to be an alternative to Oracle’s own high-priced products. So far, customers have had the choice to use MySQL in new projects instead of Oracle’s products. Some large companies even migrated (switched) from Oracle to MySQL for existing software solutions. And everyone could credibly threaten Oracle’s salespeople with using MySQL unless a major discount was granted. If Oracle owns MySQL, it will only laugh when customers try this. Getting rid of this problem is easily worth one billion dollars a year to Oracle, if not more.

Sign the Petition – Save MySQL

Xmas is coming! Happy new year!

Monday, December 14th, 2009

Christmas is coming, and with this the New Year! Wishes to all.

We’ll see you soon.

~ nicola
Xmas @ Sealckers.org

Whitehouse.gov Mind Insecurity

Wednesday, November 4th, 2009

The incredible news is that the White House has decided to go open source with the Drupal CMS. That’s right, this is the crazy reality. “Ahaha”, in this case, is the right reaction. I’m talking about the same Drupal that you all probably know. Oh yes, there are “only” pages and pages of vulnerabilities about this “CMS” on PacketStorm, Milw0rm and OSVDB. Many of them are truly ridiculous (but remote), like SQL injection or remote code execution, and found by kids. I’m sure it’s the biggest web security mistake of the century. Wow.
You can take a look at this here. Very, very ridiculous. I’m sure a 12-year-old kid could write more secure code than Drupal’s “monkey” developers. But in the end it’s a free and open source content management system: if you are stupid or can’t code your own, you can choose it, or NOT. Indeed, you could learn to write more secure code after 3 hours of PHP study.
But in my mind the question is: why did the White House security experts choose it? Are they crazy or out of their minds? Probably yes. This is a complete and total fallacy.
Yes, open source is more admirable than closed source in philosophy, but not in security. Why? (Seriously, are you asking me why??)
I can hack the Drupal CMS all my life without trying my attacks on the White House website, with the risk of being located. I can search for vulnerabilities by looking at the clean source code, the modules and so on.
Yes, obviously, if you expect the same Drupal that you can download from the supplier, you’re crazy. The White House’s is definitely a hardened version, cleansed of unnecessary code, with modules written in-house and known vulnerabilities reviewed. So it’s probably more difficult than hacking Drupal.org.
But yes, it’s also easier than hacking a custom system coded by the government’s security experts and pen-testers. So it’s a crazy choice. Ever and forever.

Google says: “We want to protect users and ads from Malware”

Sunday, October 18th, 2009

Google, through Eric Davis, head of its Anti-Malvertising team, created earlier this year a resource for all members of the online ecosystem. Anti-Malvertising.com contains tips designed for publishers, ad operations teams, and Internet users to help protect their websites, networks, and computers.
Google’s Anti-Malvertising Team created this site to help individuals and businesses make better-informed decisions to protect against cybercriminal threats and to prevent malvertising in Google and partner ad properties.
It includes a custom search engine to help individual ad networks, publishers, and ad operations teams conduct quick background checks on prospective advertisers. It indexes a variety of independent, third-party sites that track possible attempts to distribute malware through advertising. It is intended to be used as one of the steps in a publisher’s background check process.
In some recent cases, infected ads that had already been caught and publicized by security researchers have remained active within some advertising systems. Anti-Malvertising.com’s malvertising research engine makes it easier for the online advertising and security communities to share information and collaborate to help protect users from emerging threats.

Hyperic HQ Multiple XSS Disclosure

Tuesday, October 6th, 2009

Hyperic HQ Multiple XSS: CoreLabs Disclosure (Core Security Technologies – Advisories)

Hyperic HQ is an open source monitoring software designed to manage web applications and infrastructure. It auto-discovers system resources (including hardware, operating systems and databases), and is able to monitor hosts and services. Multiple cross-site scripting vulnerabilities (both stored and reflected) have been found in the web interface of Hyperic HQ, which can be exploited by an attacker to execute arbitrary JavaScript code in the context of the browser of a legitimate logged-in user.

Advisory Information:

Vulnerability: Cross-site scripting [XSS]
Impact: Code execution
Remotely Exploitable: Yes
Packages: Hyperic HQ 3.2, Hyperic HQ 4.0, Hyperic HQ 4.1, Hyperic HQ 4.2-beta1. Earlier (unsupported) versions may also be affected.
Patches:
http://download.hyperic.com/dl/patch/hq.jar.3.2.6.1.zip
http://download.hyperic.com/dl/patch/hq.jar.4.0.3.1.zip
http://download.hyperic.com/dl/patch/hq.jar.4.1.2.1.zip

Description:
Reflected XSS Vulnerability
A reflected cross-site scripting vulnerability was found in the generic exception handler of Hyperic, located in ‘hq/web/common/GenericError.jsp’. When there is an uncaught exception in Hyperic, this generic exception handler is invoked. It shows a stack trace, including the data that caused the error, without sanitizing it, leading to a reflected XSS.

hq/web/common/GenericError.jsp

This XSS can be triggered by sending invalid data for numeric parameters in several ‘.do’ pages, causing the webapp to raise a ‘java.lang.NumberFormatException’ exception; this way, ‘GenericError.jsp’ will be called and it will print the data that caused the exception without escaping HTML characters, leading to the XSS vulnerability.

Stored XSS Vulnerability
A stored cross-site scripting vulnerability was found in the ‘Alerts’ list of Hyperic HQ. An authenticated Hyperic user can create an alert with JavaScript code in the ‘Description’ field. When a user visits the ‘Alerts’ list, the ‘Description’ field of every alert is displayed without properly escaping special HTML characters, thus leading to a persistent XSS.

http://:7080/alerts/Config.do?mode=list&rid=10001&type=3
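Both findings above are one defect seen from two directions: text that comes from the request (the exception message) or from a user-filled database field (the alert description) is written into the HTML response without output encoding. The Python below is an added illustration and not Hyperic’s code: it models a GenericError-style handler that is reached when a numeric parameter fails to parse, and an alerts list rendered from stored rows, showing the vulnerable rendering beside the encoded one. All function names, the ‘rid’ parameter handling and the sample alert rows are constructed for this example.

```python
"""Added example (not Hyperic's code): unescaped exception text and stored
field values become XSS; HTML output encoding at render time fixes both."""
import html

# Constructed sample input: a crafted value sent where a number is expected.
CRAFTED_ID = '<script>alert(1)</script>'


def parse_resource_id(raw: str) -> int:
    """Mimics a Java-style numeric parse: the offending input ends up in the
    exception message, as with java.lang.NumberFormatException's
    'For input string: "..."'. Hypothetical helper for the example."""
    try:
        return int(raw)
    except ValueError:
        raise ValueError(f'For input string: "{raw}"') from None


def render_generic_error_vulnerable(exc: BaseException) -> str:
    """Vulnerable pattern: the exception message (attacker-influenced) is
    concatenated straight into the page body, giving reflected XSS."""
    detail = f"{type(exc).__name__}: {exc}"
    return "<html><body><h1>Error</h1><pre>" + detail + "</pre></body></html>"


def render_generic_error_fixed(exc: BaseException) -> str:
    """Hardened pattern: HTML-encode everything derived from request data
    before it reaches the page. quote=True also covers attribute contexts."""
    detail = html.escape(f"{type(exc).__name__}: {exc}", quote=True)
    return "<html><body><h1>Error</h1><pre>" + detail + "</pre></body></html>"


def handle_request(params: dict, error_renderer) -> str:
    """Hypothetical request handler: parse the 'rid' parameter; on any
    failure fall through to the generic error page, as the advisory
    describes for GenericError.jsp."""
    try:
        rid = parse_resource_id(params.get("rid", ""))
        return f"<html><body>Resource {rid}</body></html>"
    except Exception as exc:  # the generic handler catches everything
        return error_renderer(exc)


# Stored case: descriptions are read from the database but were typed by a
# user. Constructed sample rows, not Hyperic data.
STORED_ALERTS = [
    {"name": "disk", "description": "Disk usage over 90%"},
    {"name": "evil", "description": '<img src=x onerror="alert(document.cookie)">'},
]


def render_alert_list(alerts, escape: bool) -> str:
    """Renders the alerts table. escape=False reproduces the stored XSS
    pattern; escape=True encodes every field at output time."""
    enc = (lambda s: html.escape(s, quote=True)) if escape else (lambda s: s)
    rows = "".join(
        f"<tr><td>{enc(a['name'])}</td><td>{enc(a['description'])}</td></tr>"
        for a in alerts
    )
    return "<table>" + rows + "</table>"


def contains_raw_markup(page: str, payload: str) -> bool:
    """QA check: does the payload survive in the response unencoded?
    A true result means the browser will parse it as markup."""
    return payload in page


if __name__ == "__main__":
    for renderer in (render_generic_error_vulnerable, render_generic_error_fixed):
        page = handle_request({"rid": CRAFTED_ID}, renderer)
        print(renderer.__name__, "raw markup present:", contains_raw_markup(page, CRAFTED_ID))
    for flag in (False, True):
        page = render_alert_list(STORED_ALERTS, escape=flag)
        print("alerts escape=%s raw markup present: %s"
              % (flag, contains_raw_markup(page, STORED_ALERTS[1]["description"])))
```

The encoding is applied where the value meets the HTML, not where it is stored: validating the alert description on input would not have protected the error page, and stripping tags on input would still leave the existing database rows dangerous. Encoding at output catches both sources with the same code path, and the `contains_raw_markup` check is the kind of assertion a regression test for the patched pages can carry.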

References:

Hyperic HQ