#web

Red Hat Satellite provides webhooks to notify or perform an action when an event occurs. For example, webhooks can inform you of the completion of errata installation on Red Hat Enterprise Linux (RHEL) hosts (amongst many other events). The webhook mechanism helps integrate Satellite with applications such as Red Hat Ansible Automation Platform, Splunk and ServiceNow, to name a few.What is a webhook?In general, a webhook is an API call (or programmatic procedure/function) using the HTTP protocol. In Satellite, specific events can trigger the running of webhooks. Particular events can include c

### Summary Improperly configuring static resource resolution in aiohttp when used as a web server can result in the unauthorized reading of arbitrary files on the system. ### Details When using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static files. Additionally, the option 'follow_symlinks' can be used to determine whether to follow symbolic links outside the static root directory. When 'follow_symlinks' is set to True, there is no validation to check if a given file path is within the root directory.This can lead to directory traversal vulnerabilities, resulting in unauthorized access to arbitrary files on the system, even when symlinks are not present. i.e. An application is only vulnerable with setup code like: ``` app.router.add_routes([ web.static("/static", "static/", follow_symlinks=True), # Remove follow_symlinks to avoid the vulnerability ]) ``` ### Impact This is a directory traversal vulnerability with CWE I...

### Summary The Import Certificate feature allows arbitrary write into the system. The feature does not check if the provided user input is a certification/key and allows to write into arbitrary paths in the system. https://github.com/0xJacky/nginx-ui/blob/f20d97a9fdc2a83809498b35b6abc0239ec7fdda/api/certificate/certificate.go#L72 ``` func AddCert(c *gin.Context) { var json struct { Name string `json:"name"` SSLCertificatePath string `json:"ssl_certificate_path" binding:"required"` SSLCertificateKeyPath string `json:"ssl_certificate_key_path" binding:"required"` SSLCertificate string `json:"ssl_certificate"` SSLCertificateKey string `json:"ssl_certificate_key"` ChallengeMethod string `json:"challenge_method"` DnsCredentialID int `json:"dns_credential_id"` } if !api.BindAndValid(c, &json) { return } certModel := &model.Cert{ Name: json.Name, SSLCertificatePath: json.SSLCertificatePath, SSLCer...

By cyberwire Toronto, Canada, January 29th, 2024, Cyberwire – In an era where online threats no longer discriminate by business… This is a post from HackRead.com Read the original post: Control D Launches Control D for Organizations: Democratizing Cybersecurity

By Deeba Ahmed From Snowden to Shady Markets: The Long History of NSA's Unchecked Surveillance. This is a post from HackRead.com Read the original post: NSA Admits Buying American Browsing Records From Shady Markets

Ubuntu Security Notice 6610-1 - Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information across domains, or execute arbitrary code. Cornel Ionce discovered that Firefox did not properly manage memory when opening the print preview dialog. An attacker could potentially exploit this issue to cause a denial of service.

Reprise License Manager version 15.1 suffers from privilege escalation and arbitrary file write vulnerabilities.

CSZCMS version 1.3.0 suffers from a remote SQL injection vulnerability in the admin flows.

Interactive Floor Plan version 1.0 suffers from a cross site scripting vulnerability.

Senior Privacy Advocate David Ruiz speaks with Bruce Schneier about artificial intelligence, surveillance, and an era of "mass spying."