ZeroCMS 1.0 (zero_view_article.php, article_id param) – SQL Injection Vulnerability


June 10, 2014

The first mobile encryptor Trojan

In the middle of May a unique encryption Trojan that works on Android went on sale on a virus writers’ forum. The asking price – $5,000. A few days later on May 18, we saw the appearance of a new mobile encryptor Trojan in the wild that we detect as Trojan-Ransom.AndroidOS.Pletor.a.

By June 5, we had detected over 2,000 infections in 13 countries, located mainly in the former USSR: Azerbaijan, Belarus, Canada, Georgia, Germany, Greece, Kazakhstan, South Korea, Russia, Singapore, Tajikistan, Ukraine and Uzbekistan. The peak in Trojan-Ransom.AndroidOS.Pletor.a distribution came on May 22 when we recorded over 500 new infections.

At the time of writing, we have managed to identify over 30 modifications of the Trojan that can be broken down into two groups. The first uses the Tor network for communicating with its owners; the second uses more standard HTTP and SMS channels. Also, when the modifications from the second group demand money from the user, they display the victim’s image using the smartphone’s front camera.


June 9, 2014

DevExpress ASPxFileManager 10.2 to 13.2.8 – Directory Traversal


June 9, 2014

eFront 3.6.14.4 (surname param) – Persistent XSS Vulnerability


June 9, 2014

WebTitan 4.01 (Build 68) – Multiple Vulnerabilities


June 9, 2014

WordPress Theme Elegance – Post Local File Disclosure


June 8, 2014

WordPress Theme Infocus – Post Local File Disclosure


June 8, 2014

CVE-2014-3153

The futex_requeue function in kernel/futex.c in the Linux kernel through 3.14.5 does not ensure that calls have two different futex addresses, which allows local users to gain privileges via a crafted FUTEX_REQUEUE command that facilitates unsafe waite…


June 7, 2014

CVE-2014-2575

Directory traversal vulnerability in the File Manager component in DevExpress ASPxFileManager Control for ASP.NET WebForms and MVC before 13.1.10 and 13.2.x before 13.2.9 allows remote authenticated users to read or write arbitrary files via a .. (dot …


June 6, 2014