
Archive for 2014-03-09

Expression Language (EL) Injection vulnerability in PayPal's subsidiary

By : Unknown

An Indian security researcher, Piyush Malik, has discovered an Expression Language (EL) Injection flaw in Zong, a subsidiary of PayPal.

According to OWASP, EL Injection is a vulnerability that allows an attacker to control data passed to the EL interpreter. In some cases, it allows attackers to execute arbitrary code on the server.

Malik said in his blog that Zong was running an outdated version of Clearspace (now known as Jive Software) on a subdomain.

"Clearspace is a Knowledge management tool and is Integrated with Spring Framework. EL Pattern was used in Spring JSP Tags which made Clearspace Vulnerable to this Bug," Malik explained in his blog.

He found two forms on the site that are vulnerable to this bug, and he was able to perform some arithmetic operations through the vulnerable field.

One of the vulnerable URLs:
https://clearspace.zong.com/login!input.jspa?unauth=${custom command here}

An attacker can inject an Expression Language command into the 'unauth' field, which is then evaluated on the server. In his demo, the researcher injected an arithmetic expression (https://clearspace.zong.com/login!input.jspa?unauth=${100*3}) and had it evaluated.

PayPal has offered a bounty for his finding. The researcher didn't disclose the bounty amount.

The EL Injection vulnerability class was first documented by security researchers from Minded Security in 2011. You can find the document here:
https://www.mindedsecurity.com/fileshare/ExpressionLanguageInjection.pdf
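Two defensive checks that follow from the report above, written as an added example in Python (this is not code from the article, from Malik's blog or from Clearspace): a detector that pulls the request target out of access-log lines, URL-decodes the query parameters and flags any value that carries EL delimiters, and an output-side escape that neutralises `${` and `#{` before untrusted text is written into a JSP attribute that a tag library may evaluate a second time (the double evaluation the Minded Security paper describes for Spring's JSP tags). The log lines, client addresses and the `search.jspa` endpoint are constructed for the example; only the `login!input.jspa?unauth=` probe shape comes from the article.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# An EL expression opens with "${" or "#{" and closes with "}". The body is matched
# loosely on purpose: a detection rule should fire on any probe, not only arithmetic.
EL_EXPR = re.compile(r"[$#]\{[^}]*\}")

# Request target out of a common-log-format line: "GET /path?query HTTP/1.1"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD|PUT|DELETE) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample access-log lines (hypothetical clients and timestamps). The first
# carries the literal probe shape quoted in the article; the second is the same kind
# of probe URL-encoded, as a browser or tool would usually send it; the last two are
# benign and show that a bare "$" or a plain value does not trigger the rule.
SAMPLE_LOG = """\
203.0.113.5 - - [09/Mar/2014:10:01:02 +0000] "GET /login!input.jspa?unauth=${100*3} HTTP/1.1" 200 5120
203.0.113.5 - - [09/Mar/2014:10:01:09 +0000] "GET /login!input.jspa?unauth=%24%7B1%2B1%7D HTTP/1.1" 200 5120
198.51.100.7 - - [09/Mar/2014:10:02:30 +0000] "GET /login!input.jspa?unauth=true HTTP/1.1" 200 5118
198.51.100.9 - - [09/Mar/2014:10:03:00 +0000] "GET /search.jspa?q=price+%24100 HTTP/1.1" 200 9001
"""


def el_params(target):
    """Return [(name, decoded_value)] for query parameters whose decoded value
    contains an EL expression. Decoding first matters: the encoded probe in
    SAMPLE_LOG would slip past a rule that only looks for a literal "${"."""
    query = urlsplit(target).query
    return [(k, v) for k, v in parse_qsl(query, keep_blank_values=True)
            if EL_EXPR.search(v)]


def scan_log(text):
    """Return [(client_ip, target, hits)] for every log line whose request
    carries EL syntax in a query parameter."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        hits = el_params(m.group("target"))
        if hits:
            findings.append((line.split(" ", 1)[0], m.group("target"), hits))
    return findings


def escape_el(value):
    """Neutralize EL delimiters in untrusted text before it is written into a JSP
    attribute that a tag may evaluate a second time. A backslash before "${" or
    "#{" is the JSP escape for a literal delimiter, so "${100*3}" stays text."""
    return re.sub(r"([$#])\{", r"\\\1{", value)


if __name__ == "__main__":
    for ip, target, hits in scan_log(SAMPLE_LOG):
        print(f"{ip} {target} -> {hits}")
    print(escape_el("${100*3}"))
```

The escape is a compensating control for output the application builds itself; the fix for the affected Spring versions at the time was to upgrade, or to turn off EL evaluation inside Spring's JSP tags with the `springJspExpressionSupport` context parameter, so that the container evaluates each expression exactly once.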

Miley Cyrus, Taylor Swift and Britney Spears websites hacked by Ethical Spectrum

By : Unknown
Update :
The latest tweet from the hacker shows he compromised the database containing username and password details belonging to these websites: "The database of #MileyCyrus, #SelenaGomez......etc with 2,5 million users and pass is for sell, anyone interested email me at my mail"

Exclusive Information:
The hacker told E Hacking News that he found multiple vulnerabilities in the Groundctrl website and gained access to the database server.


He also gained access to the CMS panel which manages the celebrities' websites.
  
GroundCtrl CMS Panel

Original Article:

A hacker going by the online handle "Ethical Spectrum" has broken into websites belonging to several celebrities and defaced them.

The affected websites include Miley Cyrus's official site (mileycyrus.com), Selena Gomez (selenagomez.com), Taylor Swift (taylorswift.com) and Britney Spears (britneyspears.com).

We were able to confirm that these are the official websites of the celebrities, as they are linked from their Twitter accounts.

According to the hacker's Twitter account (@Eth_Spectrum), he hacked into the above-mentioned websites on March 8th. The websites were restored after the breach; however, the hacker says he once again managed to deface them.

Other websites attacked by the hacker are Ground Ctrl (groundctrl.com), mypinkfriday.com, Chelsea Handler (chelseahandler.com), Aaron Lewis (aaronlewismusic.com), therealcocojones.com, christinagrimmieofficial.com and Kacey Musgraves (kaceymusgraves.com).

The defacement just reads "Why i hacked this site, you can ask this person greg.patterson@groundctrl.com".

Greg Patterson is the co-founder of Groundctrl, an organization that builds websites for artists. It appears the security breach started at Groundctrl.

Other affected sites:
Pat Green (patgreen.com),
Rob Thomas (robthomasmusic.com),
Rock Mafia (rockmafia.com),
ritawilson.com,
sum41.com,
nickcarter.net,
jordanknight.com

If you are not able to see the defacement, you can find the mirror here:
http://www.zone-h.org/archive/notifier=Ethical%20Spectrum

All of the affected websites are currently showing a maintenance error message, except for the official Groundctrl website.

The hacker didn't provide much information about the breach, so we are not sure how exactly he got into all of these websites: whether he found a zero-day exploit in the CMS developed by Groundctrl, or whether all of the affected sites are managed from a central place.

Bug in Twitter could allow anyone to read tweets from protected accounts

By : Unknown
Twitter has fixed a bug in its website that could allow non-approved followers to read tweets made by protected Twitter accounts.

Normally, tweets from protected accounts can't be seen by the public; one must get approval from the account holder to view them.

This bug could allow anyone to view hidden tweets by receiving SMS or push notifications from the protected accounts.

The microblogging firm said a member of the white hat security community helped it discover and diagnose the bug. According to its blog post, the bug had been present since November 2013.

"As part of the bug fix, we’ve removed all of these unapproved follows, and taken steps to protect against this kind of bug in the future."


The bug affected around 93,788 protected accounts. Twitter has emailed all affected users to inform them about the bug and apologize.


- Copyright © Virus Bhabhi - Expeet Outsourcing - - - - Designed by Expeet Outsourcing -