Quickbooks 2009 – Quickbooks 2012; in conjunction with Internet Explorer Versions 7-9
- The vulnerability described in this document can potentially be
code as the user viewing the malicious content.
- Intuit Help System Protocol File Retrieval:
- The vulnerability described in this document can be exploited by
which the user viewing the HTML has local or network file system
access. The attacker must know or guess the path and file name of the
target ZIP archive and the target file it contains. A further
significant limitation is that files in subdirectories inside of ZIP
archives have proven inaccessible, based on a sampling of Windows
ZIPs, Microsoft Office 2007 documents, JARs, and APKs.
No vendor response at the time of public release. More information will be posted as it becomes available.
Trendnet Responds: Comment left below from Trendnet in response to the most recent vulnerability.
TRENDnet has posted the resolution to the security breach on their IP cameras: You can check information on affected TRENDnet IP cameras at: http://www.trendnet.com/products/features.asp?featureid=52. You can download critical firmware along with detailed update instructions for the affected TRENDnet IP cameras at http://www.trendnet.com/downloads/.
Consolecowboys.org blogger “someLuser” (yes, that is his tag) has identified a security vulnerability in some TRENDnet IP cameras which permits inquisitive web users to access them without authentication. He discovered the vulnerability while exploring the firmware on his TV-IP110w camera using a tool called binwalk.
Lengthy lists of freely accessible video streams are already circulating on the web. Random sampling by testers found that most of the listed cameras were indeed freely accessible, providing views of offices, living rooms and children’s bedrooms. For demonstration purposes, someLuser has put together a Python script which uses the Shodan search engine to find cameras. Navigating to a camera web server URL displays the video stream recorded by the camera; this occurs whether or not a password has been set.
TRENDnet has already responded by providing a firmware update promising “improved security”, which can be downloaded from its support page. Many other TRENDnet cameras also appear to be affected – according to someLuser, the firmware for the company’s TV-IP121W, TV-IP252P, TV-IP410WN, TV-IP410, TV-IP121WN and TV-IP110WN models has been updated. Anyone using one of these cameras should update the firmware without delay.
You can find the firmware for your device here: http://www.trendnet.com/langge/downloads/category.asp?iType=32
- Trendnet Home Security Breach Raises Concern (ibtimes.com)
- Trendnet home security cam flaw exposes video feeds on net (gansec.com)
Vulnerability description: CVE-2012-0389
Discovered by: Sajjad Pourali, Narendra Shinde and Shahab NamaziKhah
MailEnable <http://www.mailenable.com/> Professional and Enterprise versions are prone to a cross-site scripting vulnerability: the user-supplied input received via the “Username” parameter of the “ForgottenPassword.aspx” page is not properly sanitized before being written into the page. A specially crafted URL which a user clicks could give the attacker access to the user's webmail cookies or execute other malicious code in the user's browser in the context of the domain in use.
– MailEnable Professional, Enterprise & Premium 4.26 and earlier
– MailEnable Professional, Enterprise & Premium 5.52 and earlier
– MailEnable Professional, Enterprise & Premium 6.02 and earlier
– MailEnable Standard is not affected.
Users of MailEnable 5 and 6 can resolve the issue by upgrading to version 5.53 or 6.03 or later. Alternatively, and for version 4 users, the following fix can be applied:
1) Open the ForgottenPassword.aspx file in Notepad. This file is in the Mail Enable\bin\NETWebMail\Mondo\lang\[language] folders in version 4 and in Mail Enable\bin\NETWebMail\Mondo\lang\sys in version 5 and 6.
2) Locate and remove the following line, then save the file: document.getElementById("txtUsername").value = '<%= Request.Item("Username") %>';
– Henri Salo
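The line removed in step 2 splices Request.Item("Username") straight into a JavaScript string literal, so a Username value containing a single quote terminates the literal and everything after it runs as script. The following is an added example, not MailEnable's code or part of the advisory: it models that template line in JavaScript and contrasts it with a version that encodes the value for a JavaScript string context, which is what HttpUtility.JavaScriptStringEncode does on the ASP.NET side if the line is kept rather than removed. The function names, the demo URL and the payload are ours.

```javascript
// Added example (not MailEnable's code). Models the ASP.NET line
//   document.getElementById("txtUsername").value = '<%= Request.Item("Username") %>';
// and shows why unencoded reflection into a JS string literal is an XSS.

// Constructed demo URL; host and path are assumptions for illustration only.
const DEMO_URL =
  "https://mail.example.test/ForgottenPassword.aspx?Username=%27%3Balert(1)%3B%2F%2F";
const DEMO_PAYLOAD = new URL(DEMO_URL).searchParams.get("Username"); // ';alert(1);//

// Vulnerable pattern: <%= %> emits the raw request value into the script.
function renderVulnerable(username) {
  return "document.getElementById(\"txtUsername\").value = '" + username + "';";
}

// Encode a value for use inside a JS string literal that lives in an HTML
// <script> block. Quotes, backslashes, line terminators and the characters
// < > & (which could otherwise form a closing </script> tag) all become
// \uXXXX escapes. This mirrors HttpUtility.JavaScriptStringEncode.
function jsStringEncode(value) {
  return String(value).replace(/[\\'"<>&\r\n\t\u2028\u2029]/g, function (ch) {
    return "\\u" + ch.charCodeAt(0).toString(16).padStart(4, "0");
  });
}

// Hardened pattern: the same line, with the value encoded for the JS context.
function renderEncoded(username) {
  return (
    "document.getElementById(\"txtUsername\").value = '" +
    jsStringEncode(username) +
    "';"
  );
}

// Execute a rendered script against a fake document and a canary alert(), so
// we can observe whether the attacker's input escaped the string literal.
// Only our own constructed strings are ever passed here.
function runRendered(script) {
  const state = { value: null, alerted: false };
  const fakeDocument = {
    getElementById: function () {
      return {
        set value(v) {
          state.value = v;
        },
      };
    },
  };
  const fakeAlert = function () {
    state.alerted = true;
  };
  new Function("document", "alert", script)(fakeDocument, fakeAlert);
  return state;
}

// In a real page the script block can also be closed early from inside the
// literal; check whether a rendered script still contains a </script> tag.
function containsScriptBreakout(script) {
  return /<\/script/i.test(script);
}

// Stand-alone demonstration.
const vuln = runRendered(renderVulnerable(DEMO_PAYLOAD));
const safe = runRendered(renderEncoded(DEMO_PAYLOAD));
console.log("vulnerable: alert fired =", vuln.alerted, "field value =", JSON.stringify(vuln.value));
console.log("encoded:    alert fired =", safe.alerted, "field value =", JSON.stringify(safe.value));
```

The vulnerable rendering sets the field to an empty string and then runs the attacker's alert(1), while the encoded rendering leaves the whole payload as inert text in the field. Removing the line, as the advisory instructs, is the simplest fix; if the prefill behaviour is wanted, the value must be encoded for the exact context it lands in (a JS string inside a script block), not merely HTML-encoded.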
- Cross-site scripting (shirokanzaki.com)
- Keylogging threat could lead to more attacks, say researchers (download.cnet.com)
- TWSL2011-019: Cross-Site Scripting Vulnerability in phpMyAdmin (spiderlabs.com)
AOL's AIM upgrade is not recommended, says the Electronic Frontier Foundation (EFF); read the AIM-Post link for the original blog coverage and the AIM-Threat-Post link for the EFF's story and details.
Blogged First: http://tinyurl.com/AIM-Post
EFF Story: http://tinyurl.com/AIM-Threat-Post
- New AIM Instant Messaging Client Poses Privacy Risks, Says EFF (pcworld.com)
- New AIM instant messaging client poses privacy risks, says EFF (infoworld.com)