Security Bulletin

Security Bulletin #104

2017 / 05 / 12


Google's PHP API client has XSS vulnerability


Users of Google's PHP API client should watch out for phishing-style links while Google patches a cross-site scripting (XSS) vulnerability in the code. The bug, discovered by DefenseCode's Leon Juranic using the company's ThunderScan source code scanner, has been acknowledged by Google and a fix is promised. The vulnerability is exploitable if an attacker can get an administrator (or any logged-in user) to click a crafted link: the attacker's JavaScript then runs in the victim's browser in the context of the affected site, with whatever access the victim's session has. The two XSS bugs the advisory describes both stem from the unescaped use of $_SERVER['PHP_SELF'], a superglobal that reflects the request path exactly as the client sent it. Once the unsuspecting user has visited such a URL, the attacker's JavaScript can send requests to the API on behalf of the victim.
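The pattern behind these bugs, as an added example that is not code from Google's client library (the bulletin does not name the affected files; the function names and the sample request below are assumptions):

```php
<?php
// Added example: the reflected-XSS pattern behind an unescaped
// $_SERVER['PHP_SELF'], beside its hardened form. This is illustrative code,
// not the affected google-api-php-client source; the function names and the
// sample request are assumptions.
//
// PHP_SELF is the path of the executing script as the client requested it.
// On servers that accept PATH_INFO (e.g. Apache with AcceptPathInfo on), a
// request for /example.php/<payload> leaves PHP_SELF containing the decoded,
// attacker-controlled <payload>.

// Vulnerable: the raw value is written straight into an HTML attribute.
function render_form_vulnerable(string $phpSelf): string
{
    return '<form method="post" action="' . $phpSelf . '">'
         . '<input type="submit" value="Go"></form>';
}

// Hardened: escape for the attribute context, and use SCRIPT_NAME, which is
// the server-configured script path and never carries PATH_INFO.
function render_form_hardened(string $scriptName): string
{
    $safe = htmlspecialchars($scriptName, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<form method="post" action="' . $safe . '">'
         . '<input type="submit" value="Go"></form>';
}

// Constructed request values, as the web server would populate $_SERVER for
// GET /example.php/%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
$server = [
    'SCRIPT_NAME' => '/example.php',
    'PHP_SELF'    => '/example.php/"><script>alert(document.cookie)</script>',
];

echo "Vulnerable markup (closes the attribute and injects a script tag):\n";
echo render_form_vulnerable($server['PHP_SELF']), "\n\n";

echo "Hardened markup:\n";
echo render_form_hardened($server['SCRIPT_NAME']), "\n\n";

// Even if the tainted value were used by mistake, attribute escaping alone
// turns the payload into inert text.
$escapedTainted = render_form_hardened($server['PHP_SELF']);
if (strpos($escapedTainted, '<script') !== false) {
    throw new RuntimeException('escaping failed');
}
echo "Escaped tainted value is inert.\n";
```

Run it with the PHP CLI to see the two forms side by side. The fix has two independent parts: choose a value the client cannot influence (SCRIPT_NAME) and still escape it for the context it is written into, so that a later change of source does not silently reopen the hole.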


Fake diplomas and certifications on sale in the dark web


It is quite easy to buy any kind of illegal product or service in dark web marketplaces, including fake certifications and diplomas. According to Israeli threat intelligence firm Sixgill, certifications and degrees are very cheap, and it is also possible to hire hackers to break into university computer systems and alter grades. Sixgill identified several hackers for hire who offered to compromise university systems in order to change grades and remove academic admonishments. According to the experts, this is a profitable business for hackers and the market for fake diplomas is booming. Crooks also offer many other types of counterfeit documents, including driver's licenses, passports and fake professional certifications.


Patch available for vulnerable Asus RT wireless routers


Security experts at Nightwatch Cybersecurity disclosed serious flaws in Asus RT wireless routers: dozens of models do not implement adequate protection against cross-site request forgery (CSRF). The vulnerability, tracked as CVE-2017-5891, affects Asus RT-AC and RT-N models running firmware older than version 3.0.0.4.380.7378. The login page itself is vulnerable to CSRF, so a web page controlled by the attacker can submit a login request to the router without the user's knowledge; devices left with default credentials are therefore trivially accessible, because the attacker's page can supply those credentials itself. Once logged in to the admin interface, the attacker can change settings, hijack DNS and perform other malicious activity. Affected users should install the fixed firmware and replace the default administrator password.
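A login handler that closes the login-CSRF hole described above, as an added example written in PHP for consistency with the previous item. It is not Asus firmware code; the endpoint shape, the handler names and the admin/admin default credentials are assumptions for illustration:

```php
<?php
// Added example, not Asus firmware code: a router login handler hardened
// against login CSRF. The request shape, handler names and the default
// credentials (admin/admin) are assumptions for illustration only.

// Origin the browser attributes the request to, normalised to
// scheme://host[:port]. Falls back to Referer when Origin is absent and
// returns null when neither header is present.
function request_origin(array $server): ?string
{
    if (!empty($server['HTTP_ORIGIN'])) {
        return strtolower($server['HTTP_ORIGIN']);
    }
    if (!empty($server['HTTP_REFERER'])) {
        $u = parse_url($server['HTTP_REFERER']);
        if (!isset($u['scheme'], $u['host'])) {
            return null;
        }
        $port = isset($u['port']) ? ':' . $u['port'] : '';
        return strtolower($u['scheme'] . '://' . $u['host'] . $port);
    }
    return null;
}

// Issues the per-session token that the router's own login page embeds in
// its form; an attacker's page cannot read it.
function issue_csrf_token(array &$session): string
{
    $session['csrf'] = bin2hex(random_bytes(16));
    return $session['csrf'];
}

// Returns 'ok' when the login is accepted, otherwise a rejection reason.
function handle_login(array $server, array $post, array $session): string
{
    // 1. The request must come from the router's own UI. A form auto-submitted
    //    from an attacker's page carries that page's origin, while the Host
    //    header is set by the browser for the target and cannot be forged.
    $expected = 'http://' . strtolower($server['HTTP_HOST']); // assumed plain-HTTP admin UI
    if (request_origin($server) !== $expected) {
        return 'rejected: cross-origin request';
    }

    // 2. The submitted token must match the one issued with the form.
    if (!isset($session['csrf'], $post['csrf'])
        || !hash_equals($session['csrf'], $post['csrf'])) {
        return 'rejected: missing or invalid CSRF token';
    }

    // 3. Only now are credentials checked. Knowing the vendor default is no
    //    longer enough on its own to log the victim's browser in.
    if (($post['user'] ?? '') === 'admin' && ($post['pass'] ?? '') === 'admin') {
        return 'ok';
    }
    return 'rejected: bad credentials';
}

// Constructed requests. The attacker's page at http://evil.example auto-submits
// the vendor default credentials from the victim's browser.
$session = [];
$token   = issue_csrf_token($session);
$base    = ['HTTP_HOST' => '192.168.1.1'];

$forged = $base + ['HTTP_ORIGIN' => 'http://evil.example'];
echo "Forged login: ",
     handle_login($forged, ['user' => 'admin', 'pass' => 'admin'], $session), "\n";

$legit = $base + ['HTTP_ORIGIN' => 'http://192.168.1.1'];
echo "Legitimate login: ",
     handle_login($legit, ['user' => 'admin', 'pass' => 'admin', 'csrf' => $token], $session), "\n";
```

The forged submission is refused at the origin check even though the credentials are correct; the legitimate one, carrying the token the router's own page issued, is accepted. Either check alone would stop this particular attack; keeping both means a browser that sends no Origin or Referer header still cannot be driven into the router by a third-party page.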

CERT-FR Weekly News Alert

Current Alerts

CERTFR-2017-ALE-009: Vulnerability in Microsoft Malware Protection Engine (9 May 2017)
Link: http://cert.ssi.gouv.fr/site/CERTFR-2017-ALE-009.pdf

CERTFR-2017-ALE-008: Vulnerability in RDP for Microsoft Windows XP and Windows Server 2003 (14 April 2017)
Link: http://cert.ssi.gouv.fr/site/CERTFR-2017-ALE-008.pdf

Patches

CERTFR-2017-AVI-152: Multiple vulnerabilities in Cisco WebEx Meetings Server (11 May 2017)
Link: http://cert.ssi.gouv.fr/site/CERTFR-2017-AVI-152.pdf