Entries of April, 2010
View the advisory here. The Joomla component com_pandafminigames suffers from several SQL injection vulnerabilities.
(Continue reading…)

View the advisory here. The Joomla component QPersonal suffers from a SQL injection vulnerability. While Pyske discovered an XSS flaw in December 2009, the vendor sadly failed to review his code and prevent attackers from injecting SQL commands through the “katid” parameter. The vendor will be notified by me.
(Continue reading…)

Today xen.org announced the availability of Xen 4.0. Many people thought that Xen was dead and would have no chance against the “mighty” KVM solution, but the facts tell a different story. If you look a little closer you can see that a) most clouds are powered by Xen and b) the new features [...]
(Continue reading…)

Stephen Spector, community manager of xen.org, recently started the Xen.org Mascot Contest Vote. The community now has the opportunity to vote for the new xen.org mascot. Weeks ago, xen.org blog readers were able to submit mascot ideas; afterwards an external artist drew the images. I must say that I am very impressed by his [...]
(Continue reading…)

View the txt advisory here. The commercial Joomla component “Multi-Venue Restaurant Menu Manager” (MVRMM) is used by many restaurants to display information about their local offers. The software product is available for purchase.

About the vulnerability
The MVRMM fails to sanitize all URL parameters, so SQL injection is possible.

Affected Parameter
“mid”

Vulnerable URL
http://some-cool-domain.tld/index.php?option=com_mv_restaurantmenumanager&task=menu_display&Venue=XX&mid=XX&Itemid=XX [...]
(Continue reading…)

View the original advisory here. The “OnePC mySite Management Software” suffers from a SQL injection vulnerability. The file index.php fails to sanitize input passed through various parameters.

Vulnerable URL
http://www.some-cool-domain.tld/index.php?view=docs&doc_id=XX

Exploit the vulnerability
http://www.some-cool-domain.tld/index.php?view=docs&doc_id=XX+AND+1=2+UNION+SELECT+concat(user()),concat(user()),concat(user()),concat(user()),5–
(Continue reading…)

Finally: Facebook fixed several XSS vulnerabilities. It was possible to redirect users (who typed a specific search string into the search box) to external websites, steal their cookies, etc. I wrote about it here. Sadly they ignored many vulnerabilities for a long time and didn’t even bother to reply to mails and security reports.
(Continue reading…)

During the last days a lot was going on. Facebook was hacked but nobody seems to take this seriously, at least that is my impression here in Germany. Although the media are aware of the issue, they completely ignore it. Not even the data privacy websites picked up the topic. This leaves the impression [...]
(Continue reading…)

The security group Inj3ct0r claims to have hacked facebook.com. The published document (dated 6th April 2010) shows step by step how they proceeded and how easy it was to exploit a SQL injection vulnerability within the app tvshowchat and other files. It was possible to retrieve the entire database structure, tables, columns, contents, the database [...]
(Continue reading…)

Yesterday I discovered a SQL injection vulnerability within the shop software of the German company ShopSystems. ShopSystems offers web design, hosting and training services to its customers. One of their most famous products is the software “ShopSystem”. It is an online shop and allows their customers to offer their products online. Like in other shops it [...]
(Continue reading…)