Premium addons/extensions/plugins for Joomla, WordPress and other popular CMS?

What if there was a project that checks all available extensions for popular CMS (such as Joomla or WordPress) for vulnerabilities and thereby creates a list of “trusted”, secure plugins that people can rely on? Over the last few weeks I have spent a lot of time thinking about the security of websites in general. While many […]

Joomla Component JE Job Local File Inclusion Vulnerability

Please view the original advisory here. The Joomla component JE Job suffers from a Local File Inclusion vulnerability. Furthermore, XSS attacks may be possible. Example URI = index.php?option=com_jejob&view=../../../../../../etc/passwd%00 It is highly recommended to enable the PHP open_basedir directive and configure it correctly.

Google Skipfish version 1.34b released

On 6 May 2010 a new version of Google Skipfish (a penetration testing tool/vulnerability scanner) was released. View the changelog here. Download it here. According to the changelog, not many things were changed.

Joomla Component JE Ajax Event Calendar Local File Inclusion Vulnerability

Please view the original advisory here. The Joomla component JE Ajax Event Calendar suffers from a Local File Inclusion vulnerability. Example URI = index.php?option=com_jeajaxeventcalendar&view=../../../../../../etc/passwd%00 Affected version(s): 1.0.3

damianov.net Shoutbox XSS Vulnerability

Please view the original advisory here. The free shoutbox script from damianov.net suffers from an XSS vulnerability. Injecting arbitrary HTML and JavaScript code is possible when adding a new shout, regardless of whether HTML is allowed in shoutsettings.php or not. #1 Example: <SCRIPT src=some-script.js></SCRIPT> #2 Example: <SCRIPT>alert("XSS")</SCRIPT> #3 Example: <SCRIPT>alert(document.cookie)</SCRIPT> #4 Example: <script>document.location.href="http://www.google.de"</script> […]

Thoughts on user/customer support of websites offering free services

Over the last few years I have most probably used the same websites as you: GMail, Facebook, Zynga Games (games offered through MySpace and Facebook, for example) and many more. They all have one thing in common: they offer free services. And all of them are companies. And all of them have an interest in […]

Currently busy

I have received some mails, mostly regarding security stuff, and didn’t reply. For those who wonder: I am currently busy studying for one of the two final exams. The most comprehensive one is tomorrow (I have to wake up at 5:20 am, Jesus!), which is why I am currently not doing any work for any project […]

New Xen.org mascot announced

I was very happy when I received the news from Stephen Spector, Community Manager of Xen.org, that my suggestion for a Xen.org mascot was chosen by the Xen.org community. Back in 2008, Stephen asked the community whether they would like to have a mascot for Xen. Some suggestions were entered; sadly the shark and […]