
"Strike one to educate a hundred"

Shared by Andrea Lazzari. The minister also said that he wants to eliminate paper from the public administration within 18 months at most. I hope this is not just delusions of grandeur and that something proactive gets done. "Strike one to educate a hundred." That is what the Minister for Public Administration, Renato Brunetta, declared during the recording of 'Porta a porta', referring to the 'slackers' in the public administration. [Via - Repubblica News]

IE8.0 US-ASCII and Other Stuff

David Ross had a good blog post a few weeks back about how IE8.0 is no longer vulnerable to the US-ASCII encoding attack. For those of you who don’t know what I’m talking about, you can find an example of it on the charsets page. Looks like both of the browser manufacturers are stepping up their game a little for the next version of the browsers to hit the market. On a side note, and something I’ve been meaning to post for a while now, I’ve found a discrepancy between IE and Firefox that I think is worth noting. Most of the time this isn’t an issue but most web-pages decode Unicode inputs, so the fact that Firefox automatically encodes every GET parameter with Unicode is not a big deal. However, if the page doesn’t do any conversions, but rather echoes the data back exactly as it was seen, Firefox isn’t vulnerable. However, Internet Explorer is - because it doesn’t convert " into %22 for instance. It’s a subtle difference, and only affects certain websites, but it was big enou...

Joomla Component com_datsogallery 1.6 Blind SQL Injection Exploit

OSVDB-ID: 44969 - http://osvdb.org/show/osvdb/44969

Description (provided by CVE, http://cve.mitre.org/cgi-bin/cvename.cgi?name=2008-5208): SQL injection vulnerability in sub_votepic.php in the Datsogallery (com_datsogallery) module 1.6 for Joomla! allows remote attackers to execute arbitrary SQL commands via the User-Agent HTTP header.

Classification

Location: Remote / Network Access

Attack Type: Information Disclosure, Input Manipulation

Impact: Loss of Confidentiality, Loss of Integrity

Exploit: Exploit Public

Disclosure: Uncoordinated Disclosure

OSVDB: Web Related

Products: Unknown or Incomplete

[Via - http://www.exploit-db.com/exploits/5583/]

wpgallery-sql.txt

The WordPress Photo Gallery module suffers from a remote SQL injection vulnerability. [Via - http://packetstormsecurity.org/filedesc/wpgallery-sql.txt.html]

oracleasp-bypass.txt

The Oracle Application Server Portal 10G suffers from an authentication bypass vulnerability. Details are provided. [Via - http://packetstormsecurity.org/filedesc/oracleasp-bypass.txt.html]

Joomla Component xsstream-dm 0.01b Remote SQL Injection Exploit

[Via - http://www.milw0rm.com/exploits/5587]

Gmail as a spam engine [Network Security Blog]

This is not good. Researchers from INSERT found a vulnerability in the Gmail engine that could allow spammers to forward mail through Google, thereby bypassing blacklists and being accepted by whitelists. It works by using the same forwarding features that allow users, myself included, to forward their email through Gmail. The worst part of this is that it also bypasses Gmail's 500-recipient limit for any email, though that part should be easy to fix. I hope. INSERT has been courteous enough to omit a fair amount of the details of the vulnerability, but I think there’s enough general information in the notification that spammers will be able to figure it out soon if Google doesn’t act even faster than the bad guys. Given Google’s track record and the sneaking suspicion that Google was given advance warning of the vulnerability, I’m hoping Gmail can be made secure fairly quickly. I’ll be interested to see what we hear on this over the next couple of weeks on the Full Disclosure/No...