Embedded devices can be hacked through the web interface

Anyone who has tested even a small number of web configuration interfaces on embedded devices, such as managed routers, VoIP gateways and wireless routers, knows that these devices are notorious for web application vulnerabilities. It is not uncommon for these devices to be vulnerable to Cross Site Scripting and similar attacks. Recently Cisco published a […]

Read More →

How can any web page log you off all other websites?

A recent post on “Full-Disclosure” mailing list referenced a web page called “Session Destroyer”. This web page is a demonstration by Kristian Erik Hermansen that promises to make logging off various popular websites very easy. How does it work? This static html page simply contains IMG tags that link to the logout url for various […]

Read More →

Why upgrade PHP to 5.2.8? Part 2

To read part 1 of this article please refer to the previous post. Note: a large number of vulnerabilities described in this post can be exploited to bypass safe_mode. It is not recommended to rely on this PHP functionality for the security of your web servers. Only use safe_mode as a supplement to PHP code […]

Read More →

Why upgrade PHP to 5.2.8? Part 1

Note: PHP 5.2.7 is the actual version that fixes the below security holes. PHP 5.2.8 fixes an issue introduced in 5.2.7. Details from the PHP news site. A new version of the popular scripting language, PHP includes a couple of security fixes (taken from the Changelog): Upgraded PCRE to version 7.8 (Fixes CVE-2008-2371) Fixed missing […]

Read More →