This Is A Custom Widget

This Sliding Bar can be switched on or off in theme options, and can take any widget you throw at it or even fill it with your custom HTML Code. Its perfect for grabbing the attention of your viewers. Choose between 1, 2, 3 or 4 columns, set the background color, widget divider color, activate transparency, a top border or fully disable it on desktop and mobile.

This Is A Custom Widget

This Sliding Bar can be switched on or off in theme options, and can take any widget you throw at it or even fill it with your custom HTML Code. Its perfect for grabbing the attention of your viewers. Choose between 1, 2, 3 or 4 columns, set the background color, widget divider color, activate transparency, a top border or fully disable it on desktop and mobile.

Security Findings

::Security Findings

Edimax Webcam Authentication Bypass

A while ago I received an Edimax Webcam, the IC-7000 PTn v3 to test for possible vulnerabilities. So I updated to the latest available firmware version, which is v1.7. A quick portscan shows the following ports open: [crayon-58d6fe0222ba1639513766/] It shows that the Real Time Stream Protocol (RTSP) port is open to anyone on the network, [...]

By | December 19th, 2014|Security Findings|0 Comments

GetSimple CMS v3.3.1 Vulnerabilities

GetSimple is an XML and PHP based, stand-a-alone, fully independant and lite Content Management System (CMS). After performing some tests is was found that GetSimple CMS v3.3.1 has several security vulnerabilities. Persistent Cross Site Scripting The administrative interface does not always properly sanitize its input. The Display Name in the user's profile settings allows malicious [...]

By | March 24th, 2014|Security Findings|0 Comments

Ubee EVW3200 – Multiple Vulnerabilities

This weekend I had the opportunity to perform some security tests on  the Ubee EVW3200, a commonly used cable modem/router in the Netherlands. And yes, I do hate WPS enabled devices! Multiple vulnerabilities were discovered in this modem/router: Multiple Cross Site Request Forgery vulnerabilities (only one is shown in the video). Multiple Persistent Cross Site [...]

By | March 2nd, 2014|Security Findings|3 Comments

FoxyProxy Chrome – HTML Injectable

FoxyProxy is a set of proxy management tools for Firefox, Google Chrome, and Internet Explorer. While adding proxies to this addon in Chrome it was found that it does not properly sanitize its input. It turned out that FoxyProxy Standard version 2.9.2 is vulnerable to HTML Injection. HTML injection is an attack that is closely related [...]

By | March 1st, 2014|Security Findings|0 Comments

CoffeeCup Shoping Cart Creator Pro – XSS

Shopping Cart Creator Pro is a tool which generates a web shop which can we uploaded to any host that support PHP. It was found that it is vulnerable to an old school Reflected XSS payload due to missing input validation.  The used payload is: <script>alert(1337)>/script>  It also uses an outdated jQuery library (v1.4.2), which is [...]

By | February 26th, 2014|Security Findings|0 Comments
Web Design MymensinghPremium WordPress ThemesWeb Development

Android devices at risk again

August 8, 2015August 8, 2015
Security researchers from Checkpoint revealed new security issues that allow attackers to compromise hundred of million Android devices by a simple text message. The problem resides the way Google’s partners use certificates to sign remote support tools. Certificates are supposed to guarantee the authenticity of applications in order to allow them to access different parts of the Android Operating System. The vulnerabilities in Android allows attackers to clone these certificates and use them in a malicious way. It is possible to send a text message to a phone to force those remote access tools to launch commands. Revoking the cloned certificates is not considered a proper solution as these certificates will no longer be valid for the support tools as well. In order to resolve this issue, the manufacturer partners and carriers are required to work together to update the vulnerable plugins. Among the vulnerable plugins are RSupport, TeamViewer and Communitake.  

FBI Cracks TrueCrypt Password

August 8, 2015
According to recent reporting by South Florida's Sun Sentinel, the FBI has managed to crack a TrueCrypt password in the case of Christopher Glenn. Army counter intelligence expert Gerald Parsons noted that in his estimation, it would have taken "billions" of years to do so by traditional methods with current capabilities. Source: https://hacked.com/fbi-cracks-florida-mans-truecrypt-password/

GHOST: GNU C Library RCE Vulnerability

January 28, 2015January 28, 2015
In more detail, a heap-based buffer overflow was found in __nss_hostname_digits_dots(), which is used by the gethostbyname() and gethostbyname2() glibc function call.
[crayon-58d6fe024db84741772027/]  

RCE in PolarSSL

January 19, 2015January 19, 2015
Dutch researchers have discovered RCE in PolarSSL. RCE is short for Remote Code Execution, which allows malicious users - in certain cases only  - to run code on the server. When a web server that uses PolarSSL processes an "evil certificate', the attack (Remote Code Execution) can be executed. An example when the attack is possible, is when a server is configured to check for client certificates. In this case the malicious user is not required to have a valid certificate or credentials. Sending a false certificate to the server is sufficient enough to execute the attack. In certain cases it is also found possible to attack users that connect to a web server that uses PolarSSL. The Dutch National Cyber Security Center released this document. The CVE-ID for this vulnerability is: CVE-2015-1182. More information can be found at PolarSSL.

UK: Ban encrypted messaging apps

January 13, 2015January 13, 2015
The British Prime Minister David Cameron is considering to ban encrypted messaging apps like Snapchat, CryptoCat, WhatsApp and Apple’s iMessage if the companies don't give the UK government backdoor access to their encrypted communications. Cameron said the Paris terror attacks outlined the need for greater access on the encrypted communications. In his remarks, the attacks were aimed at messaging apps that encrypt messages to secure users' communications. If he wins the next election and re-elected, he would seek to ban the encrypted communication apps as part of his plans for new surveillance powers. "The attacks in Paris demonstrated the scale of the threat that we face and the need to have robust powers through our intelligence and security agencies in order to keep our people safe.", Cameron said. Encryption became a hot topic in the wake of the National Security Agency whistle blower Edward Snowden’s revelations on NSA surveillance. The leaked files revealed that Skype has a backdoor, highlighted a broad online global surveillance of encryption companies. However, messaging companies such as WhatsApp remained committed to keeping their services encrypted so that the communications between their users remain unable to be read by authorities. The Prime Minister didn’t name specific apps that could be subject to the ban but a number of popular messaging apps that use encryption in some or the other form, including Snapchat, WhatsApp, iMessage and FaceTime, should be considered in the list.

XBOX One SDK Leaked

January 3, 2015January 3, 2015
The XBOX One SDK leaked earlier this week by a group that call themselves H4LT. The software development kit (or SDK) for the Xbox One is circulating on the internet. This potentially opens the door for homemade applications and allowing unapproved developers to create homebrew for the system. [caption id="attachment_851" align="alignleft" width="300"]XBOX One SDK Setup XBOX One SDK Setup[/caption]                 [caption id="attachment_850" align="alignleft" width="300"]Install the XBOX One Software Development Kit Install the XBOX One Software Development Kit[/caption]                 H4LT said that there are currently no exploits available which allow a developer to run homebrew code on the XBOX One. By leaking it to the public they hope that someone familiar with the inner workings of Windows 8 will be able to dig through the files and find something interesting in the near future. H4LT quoted: "Once the SDK is out, people who have knowledge or has in the past reversed files related to the Windows (8) operating system should definitely have a go at reversing some files in there," the group added. "Why? Well, the Xbox One is practically a stripped Windows 8 device and has introduced a new package format that hasn't had much attention. This format is responsible for updating the console and storing applications (Games are under the category of 'Applications' on the Xbox One) and is a modification of Virtual Hard Disks."