PHP Development Server <= 7.4.21 - Remote Source Disclosure
https://ift.tt/wHpJSYK
Submitted January 29, 2023 at 03:13PM by Gallus
via reddit https://ift.tt/KFNSOBn
projectdiscovery.io
PHP Development Server <= 7.4.21 - Remote Source Disclosure — ProjectDiscovery Blog
Introduction
While testing request pipelining on multiple programming language built-in servers, we observed strange behavior with PHP’s. As we delved deeper, we discovered a security bug in PHP that could expose the source code of PHP files as if they were…
I am super bullish on security champions programs, but running one over a period of time is a challenge. This edition provides some ideas on how to avoid the trap.
https://ift.tt/5qVtNCG
Submitted January 29, 2023 at 10:01PM by jubbaonjeans
via reddit https://ift.tt/rUPwtL7
Boring AppSec
Edition 15: Is your champions program running out of steam?
Security champions programs usually start well, but taper off quickly. This edition provides a framework to help avoid that.
/r/netsec's Q1 2023 Information Security Hiring Thread
Overview

If you have open positions at your company for information security professionals and would like to hire from the /r/netsec user base, please leave a comment detailing any open job listings at your company.

We would also like to encourage you to post internship positions as well. Many of our readers are currently in school or are just finishing their education.

Please reserve top level comments for those posting open positions.

Rules & Guidelines

- Include the company name in the post. If you want to be topsykret, go recruit elsewhere.
- Include the geographic location of the position along with the availability of relocation assistance or remote work.
- If you are a third party recruiter, you must disclose this in your posting.
- Please be thorough and upfront with the position details.
- Use of non-hr'd (realistic) requirements is encouraged.
- While it's fine to link to the position on your company's website, provide the important details in the comment.
- Mention if applicants should apply officially through HR, or directly through you.
- Please clearly list citizenship, visa, and security clearance requirements.
- You can see an example of acceptable posts by perusing past hiring threads.

Feedback

Feedback and suggestions are welcome, but please don't hijack this thread (use moderator mail instead.)
Submitted January 29, 2023 at 09:59PM by ranok
via reddit https://ift.tt/tp8Iaux
Hackers Using Microsoft OneNote Attachments To Spread Malware
https://ift.tt/jwZrQb1
Submitted January 29, 2023 at 11:43PM by achilles4828
via reddit https://ift.tt/KQR5WFa
FourCore
A Malicious Note: Hackers using Microsoft OneNote Attachments to spread malware - FourCore
Attackers are constantly looking for novel approaches to infect users with malware. Recently, hackers have been using OneNote attachments in phishing emails to spread malware and password stealers to their victims.
Public Disclosure for CVE-2022-42475
https://ift.tt/i2V10eX
Submitted January 30, 2023 at 07:14AM by BlackCatNeo
via reddit https://ift.tt/jU8xgLI
CataLpa's Home
CVE-2022-42475
On December 12, 2022, Fortinet officially released information about CVE-2022-42475, an RCE vulnerability affecting FortiGate SSL VPN. The official advisory states that the vulnerability has already been exploited in the wild and recommends that all users upgrade as soon as possible. This article analyzes the root cause of the vulnerability.
FIM (File Integrity Monitor) proof-of-concept implementation
https://ift.tt/bx8IQY0
Submitted January 30, 2023 at 05:45PM by CsaProtocol
via reddit https://ift.tt/2AhfxmI
GitHub
GitHub - CsaProtocol/PowerShell-FIM: File integrity monitor proof-of-concept in PowerShell sends a message via Telegram when it…
File integrity monitor proof-of-concept in PowerShell sends a message via Telegram when it detects changes to a specified directory. It continually checks for changes by generating hashes for all f...
Metasploit Framework 6.3 Released
https://ift.tt/FZNOmeE
Submitted January 30, 2023 at 07:45PM by Fugitif
via reddit https://ift.tt/euJBsiE
Rapid7
Metasploit Framework 6.3 Released | Rapid7 Blog
Leopard Tank Announcement Prompts Retaliation
https://ift.tt/d0u8vQK
Submitted January 30, 2023 at 08:30PM by 0x636f6f6c
via reddit https://ift.tt/osz5EHF
Cado Security | Cloud Investigation
Leopard Tank Announcement Prompts Cyber Retaliation - Cado Security | Cloud Investigation
The Cado Labs team discovered evidence of retaliation from high-profile Russian hacktivist groups in an effort to encourage collective cyber attacks against German infrastructure. This appears to be in response to yesterday’s expectations that Germany will…
DDoS attacks in Europe experienced a 73% increase in 2022 compared to the previous year
https://ift.tt/kyPAE4n
Submitted January 30, 2023 at 09:08PM by shapelez
via reddit https://ift.tt/hufNdsb
Habr
Q4 2022 DDoS Attacks and BGP Incidents
Now that 2022 has come to an end, we would like to share the DDoS attack mitigation and BGP incident statistics for the fourth quarter of the year, which overall saw unprecedented levels of DDoS...
Truffle Security is proud to host a new XSSHunter, that finds new vulnerabilities
https://ift.tt/zLlQYiD
Submitted January 30, 2023 at 09:56PM by wifihack
via reddit https://ift.tt/hIc75zi
Truffle Security
Truffle Security is proud to host a new XSSHunter - Truffle Security
Truffle Security is proud to be hosting a new XSSHunter, with new features, with the assistance of its original creator, Mandatory.
CloudGPT - Use ChatGPT to analyze AWS policies for vulnerabilities
https://ift.tt/lFWy9G5
Submitted January 31, 2023 at 08:01AM by ustayready
via reddit https://ift.tt/J8bgKLl
Gist
CloudGPT - Use ChatGPT to analyze AWS policies for vulnerabilities
CloudGPT - Use ChatGPT to analyze AWS policies for vulnerabilities - gpt.py
Lockpicking The Lockout Policy For Information Correlation: Exploring the novel web app attack…
https://ift.tt/jS50Hfb
Submitted January 31, 2023 at 09:12AM by TheCrazyAcademic
via reddit https://ift.tt/zkeDalL
Medium
Lockpicking The Lockout Policy For Information Correlation: Exploring the novel web app attack…
If you don’t know what an oracle (or testing oracle) is in computer science, in layman’s terms it’s where you ask a yes or no question in some…
How to identify and avoid malicious code in your software supply chain
https://ift.tt/v2GMN7D
Submitted January 31, 2023 at 04:33PM by n0llbyte
via reddit https://ift.tt/JwtQRZ5
JFrog
How to identify and avoid malicious code in your software supply chain
Dangerous payload scenarios are affecting cybersecurity now. Learn how attackers hide malicious code and methods to identify these packages to avoid infection.
The Good, Bad and Compromisable Aspects of Linux eBPF
https://ift.tt/XegUWO5
Submitted January 31, 2023 at 05:43PM by eberkut
via reddit https://ift.tt/TmG4loL
Pentera
The Good, Bad and Compromisable Aspects of Linux eBPF - Pentera
2022 discoveries of new privilege escalation techniques. Reading this blog will allow you to understand the eBPF mechanism and how a fairly small bug can…
VMware vRealize Log Insight VMSA-2023-0001 Technical Deep Dive and Exploit POC
https://ift.tt/6HSIapt
Submitted January 31, 2023 at 05:41PM by scopedsecurity
via reddit https://ift.tt/rSz5wAJ
Horizon3.ai
VMware vRealize Log Insight VMSA-2023-0001 Technical Deep Dive
Technical deep-dive and exploit POC for VMware vRealize Log Insight RCE as reported in VMSA-2023-0001. This series of vulnerabilities leads to remote code execution and full system compromise. CVE-2022-31704, CVE-2022-31706, and CVE-2022-31711.
Exposing Secrets Via AppSec Tools: The SonarQube Case
https://ift.tt/lVpSnBO
Submitted January 31, 2023 at 04:59PM by roy_6472
via reddit https://ift.tt/CA0zVQd
Legitsecurity
Exposing Secrets Via SDLC Tools: The SonarQube Case
Legit Security | We investigate how sensitive information can get exposed via AppSec tools that you use in your dev pipeline, using the SonarQube Case.
Learning CodeQL - Going Beyond Grep
https://ift.tt/d9bsTOE
Submitted January 31, 2023 at 06:27PM by Gallus
via reddit https://ift.tt/6cUxEpe
Goingbeyondgrep
Learning CodeQL
Unlike many SAST products, CodeQL is more than just a tool and learning it requires learning more than just a tool. It’s a programming language, a tool, and a supporting ecosystem that come together to create something extremely powerful, flexible, and unique.…
Github reports unauthorized access to some Github Desktop and Atom repositories
https://ift.tt/Mw5HBOY
Submitted January 31, 2023 at 06:12PM by qwerty0x41
via reddit https://ift.tt/eRC0MZu
The GitHub Blog
Action needed for GitHub Desktop and Atom users | The GitHub Blog
Update to the latest version of Desktop and previous version of Atom before February 2.
Remote Command Execution in binwalk
https://ift.tt/Pu6X4mH
Submitted January 31, 2023 at 07:39PM by Gallus
via reddit https://ift.tt/lFqDaXz
ONEKEY
Security Advisory: Remote Command Execution in binwalk
Learn about the security vulnerability in binwalk v2.1.2b-2.3.3!
We reverse engineered Splunk and created a pure Python based S2S client
https://ift.tt/HlCnwi4
Submitted January 31, 2023 at 09:13PM by sh0n1z
via reddit https://ift.tt/qCyedFT
TimeException: A tool to find folders excluded from AV real-time scanning using a time oracle
https://ift.tt/0Oh7pRc
Submitted January 31, 2023 at 11:55PM by sanitybit
via reddit https://ift.tt/JQ425NC
GitHub
GitHub - bananabr/TimeException: A tool to find folders excluded from AV real-time scanning using a time oracle
A tool to find folders excluded from AV real-time scanning using a time oracle - GitHub - bananabr/TimeException: A tool to find folders excluded from AV real-time scanning using a time oracle