Apache REST / Struts easily exploitable through browser

Servers and data stored by dozens of Fortune 100 companies are at risk, including airlines, banks and financial institutions, and social media sites.

A critical security vulnerability in open-source server software enables hackers to easily take control of an affected server — putting sensitive corporate data at risk.

The vulnerability allows an attacker to remotely run code on servers that run applications using the REST plugin, built with Apache Struts, according to security researchers who discovered the vulnerability.

All versions of Struts since 2008 are affected, said the researchers.

[…]
Mo said that all a hacker needs “is a web browser.”

“I can’t stress enough how incredibly easy this is to exploit,” said Bas van Schaik, product manager at Semmle, a company whose analytical software was used to discover the vulnerability.

“If you know what request to send, you can start any process on the web server running a vulnerable application,” he said.

Source: ZDNet

Get patching!

Yet another AWS config fumble: Time Warner Cable exposes 4 million subscriber records

Researchers with security company Kromtech said freelancers who handled web applications for TWC and other companies had left one of its AWS S3 storage bins containing seven years’ worth of subscriber data wide open on the ‘net. That data included addresses and contact numbers, information about their home gateways, and account settings.

Just before the weekend, Kromtech said the vulnerable AWS instance was operated by BroadSoft, a cloud service provider that had been using the S3 silos to hold the SQL database information that included customer records.

When Kromtech spotted the repository in late August, it realized that databases had been set to allow public access, rather than limit access to administrators or authorized users.

Source: Yet another AWS config fumble: Time Warner Cable exposes 4 million subscriber records

Oh dear, is AWS so hard to configure then?!

After years of IBAN, only one Dutch bank has just figured out how to check the name against the account number.

Rabobank has started warning users when the name doesn’t match the IBAN account number. A trivial function that worked before IBAN, but which was apparently so hard to implement that users have had to wait years for it. If you put in the wrong number – then sorry, you were screwed! Now the rest of the Dutch banks, please?

Source: ‘Banken moeten Rabo snel volgen met naam-nummercontrole’ (‘Banks must quickly follow Rabo with name/number checking’) – Emerce

Does your monitor unplug from HDMI when you turn it off and mess up your desktop? Monitordetectkiller is the solution!


The computer detects when a TV/monitor is ‘turned off’ or ‘switched’ to another input. When the display is powered on or switched back, the computer then uses the wrong resolution or breaks your extended desktop to reflect a single monitor; there may even be crashes and other issues.

Our hardware solution, the “MDK device” is a male to female modified adapter with integrated circuitry.

Now, the computer/device won’t receive a signal telling it the monitor is offline, thus avoiding any issues.

Source: Remove Monitor Detection disable monitor auto detect EDID