Showing posts sorted by relevance for query Github. Sort by date Show all posts
Showing posts sorted by relevance for query Github. Sort by date Show all posts

Ruby on Rails Public Key Security Vulnerability In GitHub

Posted by Avik Sarkar On 3/07/2012 03:11:00 pm

 Ruby on Rails Public Key Security Vulnerability In GitHub
A Russian security researcher named Homakov has found that Github has succumbed to a public key vulnerability in Ruby on Rails which is allowing a normal user to gain administrator access into the popular Rails Git. Homakov exploited a flaw in how the Ruby on Rails web framework handles mass assignments that allowed him to write a posting, delete a posting or push changes into source code on any GitHub project. Homakov had previously created an issue regarding mass assignment security on the rails issue tracker on GitHub; this was closed by the developers saying that it was the application developers' responsibility to secure their applications. Homakov then decided to demonstrate the issue using the nearest Ruby on Rails application, GitHub. The problem or in other word this security flaws is known as the mass assignment vulnerability, has been around since the ability to set a number of attributes in one call was introduced in Rails. Later GitHub confirms to close that security hole. 
According to the GitHub official Blog post:- 
"The root cause of the vulnerability was a failure to properly check incoming form parameters, a problem known as the mass-assignment vulnerability. In parallel to the attack investigation we initiated a full audit of the GitHub codebase to ensure that no other instances of this vulnerability were present. This audit is still ongoing, and I am going to personally ensure that we have a strategy going forward to prevent this type of vulnerability from happening again.
I sincerely apologize for allowing this to happen. Security is our priority and I will be arranging additional external security audits above and beyond our normal schedule to further test our security measures and give you peace of mind."
Brief About GitHub:-
Github is the web based front-end set up around Linus Torvald's Git revision control system. Due to the web site's extensive social networking features combined with the Git revisioning system Github has become extremely popular. Github is also used by a number of high-profile projects including the Linux kernel. 


SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

Hackers Exploiting Old Ruby on Rails Vulnerability To Compromise Web Servers & Create Botnet

Posted by Avik Sarkar On 6/03/2013 09:06:00 pm

Hackers Exploiting Old Ruby on Rails Vulnerability (CVE-2013-0156) To Compromise Web Servers & Create IRC Botnet
A critical vulnerability on Ruby on Rails spotted in January this year which was deemed “critical” at the same time yet again found in the wild. The vulnerability known as CVE-2013-0156 that affected versions 3.0.20 and 2.3.16 again rises it's hand. Though a security patch was released by the Rails developers. But as we all know that many server administrator used to be unaware of these events have not patched their systems. As a result hackers and cyber criminals are actively exploiting a critical vulnerability in the Ruby on Rails Web application development framework in order to compromise Web servers and create a dangerous botnet. This major security issue was first discovered by a security consultant Mr. Jeff Jarmoc of research firm Matasano Security. In his blog Jarmoc said "It’s pretty surprising that it’s taken this long to surface in the wild, but less surprising that people are still running vulnerable installations of Rails. It also appears to be affecting some web hosts." According to his blog post -the exploit that's currently being used by attackers adds a custom cron job -- a scheduled task on Linux machines that executes a sequence of commands. Those commands download a malicious C source file from a remote server, compile it locally and execute it. The resulting malware is a bot that connects to an IRC (Internet Relay Chat) server and joins a predefined channel where it waits for commands from the attackers. A pre-compiled version of the malware is also downloaded in case the compilation procedure fails on the compromised systems.
"Functionality is limited, but includes the ability to download and execute files as commanded, as well as changing servers," Jarmoc said. "There's no authentication performed, so an enterprising individual could hijack these bots fairly easily by joining the IRC server and issuing the appropriate commands." But the matter of relief is that Jarmoc concluded while saying "this is a pretty straightforward skiddy exploit of a vulnerability that has been publicly known, and warned about, for months."

But still administrators who have not yet patched their Rails version should immediately should update the Ruby on Rails installations on their servers to at least versions 3.2.11, 3.1.10, 3.0.19 or 2.3.15 which contain the patch for this vulnerability. However, the best course of action is probably to update to the latest available Rails versions, depending on the branch used, since other critical vulnerabilities have been addressed since then. 

Brief About RoR:- Ruby on Rails is a popular framework for developing Web applications based on the Ruby programming language and is used by major websites including Hulu, GroupOn, GitHub and Scribd.







SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

SQL Injection Vulnerability Affected All Versions of Ruby on Rails

Posted by Avik Sarkar On 1/07/2013 06:19:00 pm

SQL Injection Vulnerability Affected All Versions of Ruby on Rails (CVE-2012-5664)

Developers at Ruby on Rails are warning its users regarding a Sql Injection flaws which has affected all the current version of Ruby on Rails web framework. While exploiting the vulnerability an attacker can inject and even execute malicious codes into the web application. "Due to the way dynamic finders in Active Record extract options from method parameters, a method parameter can mistakenly be used as a scope. Carefully crafted requests can use the scope to inject arbitrary SQL," explained the Rails framework's developers. As soon as this vulnerability has been spotted in the wild, the maintainers of Ruby on Rails have released new versions that addresses the flaw, versions 3.2.10, 3.1.9 and 3.0.18. In their advisory Ruby on Rails team recommends that users running affected versions, which is essentially anyone using Ruby on Rails, upgrade immediately to one of the fixed versions mentioned earlier. "We're sorry to drop a release like this so close to the holidays but regrettably the exploit has already been publicly disclosed and we don't feel we can delay the release," Rails developer concluded. 

The original problem was disclosed on the Phenoelit blog in late December where the author applied the technique to extract user credentials from a Ruby on Rails system, circumventing the authlogic authentication framework. While talking about the vulnerability discloser of Ruby on Rails, we would like to remind you that, this is not the first time, earlier in 2012 a Russian security researcher named Homakov has found that Github has succumbed to a public key vulnerability in Ruby on Rails which is allowing a normal user to gain administrator access into the popular Rails Git.

Brief About Ruby on Rails:- Ruby on Rails, often shortened to Rails, is an open source full-stack web application framework for the Ruby programming language. Ruby on Rails runs on the general-purpose programming language Ruby, which predates it by more than a decade. Rails is a full-stack framework, meaning that it gives the web developer the ability to gather information from the web server, talk to or query the database, and render templates out of the box. As a result, Rails features a routing system that is independent of the web server. Ruby on Rails emphasizes the use of well-known software engineering patterns and principles, such as Active record pattern, Convention over Configuration, Don't Repeat Yourself and Model-View-Controller.





SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

#ProjectWhiteFox -Team GhostShell Hacked 1.6 Million Accounts of NASA, ESA, Pentagon & FBI

Posted by Avik Sarkar On 12/15/2012 04:14:00 pm

#ProjectWhiteFox -Team GhostShell Hacked 1.6 Million Accounts of NASA, ESA, Pentagon & FBI

After the devastating "Project Blackstar" now the hacktivist group calling them selves "Team GhostShell" announced another big hack, where the hackers have targeted several big organizations. This round of cyber attack was going under the banner of #ProjectWhiteFox, in which GhostShell has posted log-in details of 1.6 million accounts they claim are taken from a series of attacks on organizations including NASA, FBI, European Space Agency and Pentagon, as well as many companies that partner with these organizations. The Anonymous subsidiary group has posted the details on Pastebin, while describing the aim of the hack; as part of their #ProjectWhiteFox campaign to promote hacktivism and freedom of information on the internet. The hacker group claimed that the leaked information contained log-in names, passwords, email addresses, CV & several other sensitive information. In their release GhostShell said - "For those two factors we have prepared a juicy release of 1.6 million accounts/records from fields such as aerospace, nanotechnology, banking, law, education, government, military, all kinds of wacky companies & corporations working for the department of defense, airlines and more."
GhostShell members also said that they have messaged security bosses about the insecurity a number of organizations they targeted during attacks throughout 2012, describing it as "an early Christmas present." 
In a Pastebin file, GhostShell features a list of 37 organizations and companies, including The European Space Agency, NASA’s Engineers: Center for Advanced Engineering, and a Defense Contractor for the Pentagon. GhostShell sets itself apart from other hacktivist groups by targeting more than just one company or organization, and then releasing the results of its attack all at once. This set of hacks is spread out across 456 links, many of which simply contain raw dump files uploaded to GitHub and mirrored on paste sites Slexy.org and PasteSite.com.
The uploaded files contain what appears to be user data that looks to have been obtained from the servers of the various firms (likely via SQL injection). The entries include IP addresses, names, logins, email addresses, passwords, phone numbers, and even home addresses. Email accounts include the big three (Gmail, Hotmail, and Yahoo), as well as many .gov accounts. There are also various documents and material related to partnerships between companies and government bodies, as well as sensitive information for the aforementioned industries. 
Furthermore, the group says it has sent an email to the ICS-CERT Security Operations Center, Homeland Security Information Network (HSIN), Lessons Learned and Information Sharing (LLIS), the FBI’s Washington Division and Seattle location, Flashpoint Intel Partners, Raytheon, and NASA. In it, they say to have detailed “another 150 vulnerable servers from the Pentagon, NASA, DHS, Federal Reserve, Intelligence firms, L-3 CyberSecurity, JAXA, etc.”
-Source (TNW)






SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

"Python for Android" Has Been Launched

Posted by Avik Sarkar On 1/11/2012 03:13:00 pm


A new project named "Python For Android" has been launched. The goal of this project is to package your python application into an APK. The project is under the umbrella of Kivy organization, but is not designed to be limited to Kivy only, its a opensource project. To that end, the packaged applications currently only have one "bootstrap" which decompresses the files, creates an OpenGL ES 2.0 surface for drawing and sets up to handle audio and touch events. Although built for the Kivy project, the developers welcome anyone prepared to create a new lighter bootstrap mechanism. Python has been executable on Android through the Android Scripting project, but that doesn't create simple-to-install, self-contained binary files.

Overview:- 

  1. Download Android NDK, SDK
  2. Launch "android", and download latest Android platform
  3. Export some environment variables:
    export ANDROIDSDK="/path/to/android/android-sdk-linux_86"
export ANDROIDNDK="/path/to/android/android-ndk-r7"
export ANDROIDNDKVER=r7
export ANDROIDAPI=14
  4. Clone python-for-android:
    git clone git://github.com/kivy/python-for-android
  5. Build a distribution with OpenSSL module, PIL and Kivy:
    cd python-for-android
./distribute.sh -m "openssl pil kivy"
  6. Go to your fresh distribution, build the APK of your application:
    cd dist/default
./build.py --package org.test.touchtracer --name touchtracer \
--version 1.0 --dir ~/code/kivy/examples/demo/touchtracer debug
  7. Install the debug apk to your device:
    adb install bin/touchtracer-1.0-debug.apk
  8. Enjoy.


    To Know More About The Python For Android Project Click Here



SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

Whonix -Anonymous Operating System Based on Debian/GNU Linux & Tor

Posted by Avik Sarkar On 10/16/2012 07:34:00 pm

Whonix -Anonymous Operating System Based on Debian/GNU Linux & Tor 

Whonix, which is earlier called TorBOX or aos; now been reintroduced with a new style. This time we got a complete anonymous general purpose Operating System based on Virtual Box, Debian GNU/Linux and Tor.  According to the project wiki page - in Whonix IP and DNS leaks are impossible. Not even malware with root rights can find out the user's real IP/location. This is because Whonix consists of two virtual machines. One machine solely runs Tor and acts as a gateway, which we call Whonix-Gateway. The other machine, which we call Whonix-Workstation, is on a completely isolated network. Only connections through Tor are possible. 

We request our reader to See Security for a more comprehensive description, security features and threat model. You can even go through with full change log and also download the source code from github

Key Features:- 

  • Adobe Flash anonymously
  • browse the web anonymously
  • Anonymous IRC
  • Anonymous Publishing
  • Anonymous E-Mail with Mozilla Thunderbird and TorBirdy
  • Add a proxy behind Tor (Tor -> proxy)
  • Based on Debian GNU/Linux.
  • Based on the Tor anonymity network.
  • Based on Virtual Box.
  • Can torify almost any application.
  • Can torify any operating system
  • Can torify Windows.
  • Chat anonymously.
  • Circumvent Censorship.
  • DNSSEC over Tor
  • Encrypted DNS
  • Full IP/DNS protocol leak protection.
  • Hide the fact that you are using Tor/Whonix
  • Isolating Proxy
  • Java anonymously
  • Javascript anonymously
  • Location/IP hidden servers
  • Prevents anyone from learning your IP.
  • Prevents anyone from learning your physical location.
  • Private obfuscated bridges supported.
  • Protects your privacy.
  • Protocol-Leak-Protection and Fingerprinting-Protection
  • Secure And Distributed Time Synchronization Mechanism
  • Security by Isolation
  • Stream isolation to prevent identity correlation through circuit sharing
  • Virtual Machine Images
  • VPN/Tunnel Support
  • Whonix is produced independently from the Tor (r) anonymity software and carries no guarantee from  The Tor Project about quality, suitability or anything else.
  • Transparent Proxy
  • Tunnel Freenet through Tor
  • Tunnel i2p through Tor
  • Tunnel JonDonym through Tor
  • Tunnel Proxy through Tor
  • Tunnel Retroshare through Tor
  • Tunnel SSH through Tor
  • Tunnel UDP over Tor
  • Tunnel VPN through Tor
To Download Whonix-0.4.5 Click Here. Before download please note that Whonix is produced independently from the Tor anonymity software and carries no guarantee from The Tor Project about quality, suitability or anything else. 






SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

Windows RDP Exploit Can Give You A Reward of $1,500 From Open-source Community

Posted by Avik Sarkar On 3/16/2012 07:33:00 pm

Windows RDP Exploit Can Give You A Reward of $1,500 From Open-source Community 
Yesterday Microsoft released March 2012 Security bulletins to close a total of seven security holes in its products. Among them one Critical-class, four Important and one Moderate – addressing seven issues in Microsoft Windows, Visual Studio, and Expression Design. According to Microsoft (MS12-020) remote code execution vulnerability has been found in RDP (Remote Desktop Protocol).
Tuesday has sparked some greed. Both Black and White Hats are currently trying to develop an exploit that could remotely compromise an unpatched Windows system – as long as the RDP (Remote Desktop Protocol) server is active on the target system and accessible over the web. On the hacker job site gun.io, a reward of about $1,500 has even been offered for a Metasploit module that can be used to exploit the vulnerability. If someone wants to claim the reward, they will have to release the Metasploit module under an open source licence and make it available to the public. Also  GitHub, offering a reward of around $1,500 for functional code that exploits the Windows RDP flaw. The goal, according to founder Rich Jones, is to “advance the culture of independent software development.”





SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

Related Posts Plugin for WordPress, Blogger...

Site search