News & Updates

A security researcher discovered a zero-day vulnerability, tracked as CVE-2018-9206, that affects versions of the jQuery File Upload plugin released since 2010.

Attackers can exploit the vulnerability to carry out several malicious activities, including defacement, exfiltration, and malware infection.

The flaw was reported by Akamai researcher Larry Cashdollar, who explained that many other packages that bundle the vulnerable code may also be affected.

“This package has been included in various other packages and this code is included in the project’s web-accessible path. It’s actively being exploited in the wild,” the researcher told the plugin author.

The jQuery File Upload is a jQuery widget “with multiple file selection, drag&drop support, progress bars, validation and preview images, audio and video.”

The plugin ships with server-side upload handlers for any platform that supports standard HTML form file uploads, including PHP, Python, Ruby on Rails, Java, Node.js, Go, and others, and is widely deployed.

Cashdollar discovered two PHP files named upload.php and UploadHandler.php in the package’s source, which contained the file upload code.

Uploaded files are written to the files/ directory under the web server’s document root, so the researcher wrote a command-line test with curl and a simple PHP web shell to confirm that an attacker could upload the shell and run commands on the server:

$ curl -F "files=@shell.php" http://example.com/jQuery-File-Upload-9.22.0/server/php/index.php

Where shell.php is:

<?php $cmd = $_GET['cmd']; system($cmd); ?>

“A browser connection to the test web server with cmd=id returned the user id of the web server’s running process. I suspected this vulnerability hadn’t gone unnoticed and a quick Google search confirmed that other projects that used this code or possibly code derived from it were vulnerable. There are a few YouTube videos demonstrating the attack for similar software packages,” wrote the expert.

Every project that leverages the plugin is potentially affected; the researcher noted that several YouTube PoC videos already demonstrate exploitation of the same flaw in similar software packages.

Cashdollar also published a proof-of-concept (PoC) code.

The root cause is an Apache configuration change rather than a bug in the upload code itself. Starting with version 2.3.9, Apache stopped honouring .htaccess files by default (the default for AllowOverride became None) to improve performance, since the server no longer has to look for an .htaccess file every time it accesses a directory, and to prevent users from overriding security features configured on the server. jQuery File Upload had relied on an .htaccess file in its upload directory to stop the server from executing whatever was uploaded there.

The side effect is that this choice silently left some developers and their projects open to attack: on a default Apache 2.4 installation the plugin’s .htaccess has no effect, so an uploaded .php file is executed like any other script.

To correct CVE-2018-9206 in Blueimp’s jQuery File Upload, the developer changed the plugin’s default configuration so that only image files are accepted for upload, instead of relying on the web server to refuse execution.
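The following is an added example, not code from the Security Affairs article or from the Blueimp project. It models the file-name check that the plugin’s PHP UploadHandler applies (a preg_match of the configured accept_file_types pattern against the upload name) to show why the pre-fix default was only safe while the shipped .htaccess was honoured, what the post-fix image-only default stops, and what it still lets through. The two patterns are the PHP defaults before and after the fix transcribed to Python’s re syntax; the stricter check and the sample file names are this example’s own assumptions, not part of the plugin.

```python
"""Model of jQuery File Upload's accept_file_types check (added example).

Assumptions: VULNERABLE_ACCEPT and FIXED_ACCEPT are the plugin's PHP
defaults before and after the fix, transcribed to Python; strict_accepts()
and SAMPLE_NAMES are constructed for this example and are not plugin code.
"""
import re

# Default before the fix: any non-empty name is accepted.  This is only safe
# if the web server refuses to execute anything under files/, which was the
# job of the plugin's .htaccess.  Apache ignores that file when AllowOverride
# is None (the default since 2.3.9), so shell.php becomes executable.
VULNERABLE_ACCEPT = re.compile(r".+$", re.IGNORECASE)

# Default after the fix: only gif/jpg/jpeg/png names are accepted.
FIXED_ACCEPT = re.compile(r"\.(gif|jpe?g|png)$", re.IGNORECASE)

# Extensions that common Apache/PHP setups map to a script handler.  With an
# AddHandler-style mapping, mod_mime looks at every dotted segment of a name,
# so "shell.php.png" can still run as PHP even though it ends in .png.
EXEC_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml", "phar",
                   "cgi", "pl", "py", "sh"}

IMAGE_EXTENSIONS = {"gif", "jpg", "jpeg", "png"}

# Constructed sample upload names for the triage below.
SAMPLE_NAMES = ["cat.png", "shell.php", "shell.php.png", ".htaccess",
                "../escape.jpg", "noext"]


def handler_accepts(name: str, pattern: re.Pattern) -> bool:
    """Mirror UploadHandler::validate(): preg_match(accept_file_types, name)."""
    return pattern.search(name) is not None


def strict_accepts(name: str) -> bool:
    """Allow-list image names and reject anything carrying a script extension
    in any position, plus dot-files such as .htaccess, which on a host that
    does honour .htaccess could be used to turn execution back on."""
    base = name.rsplit("/", 1)[-1]          # drop any path component
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[0]:      # no extension, or dot-file
        return False
    if any(p in EXEC_EXTENSIONS for p in parts[1:]):
        return False
    return parts[-1] in IMAGE_EXTENSIONS


def triage(names):
    """Return {name: (old_default, fixed_default, strict)} for each name."""
    return {
        n: (handler_accepts(n, VULNERABLE_ACCEPT),
            handler_accepts(n, FIXED_ACCEPT),
            strict_accepts(n))
        for n in names
    }


if __name__ == "__main__":
    print(f"{'name':<16}{'pre-fix':<9}{'fixed':<7}strict")
    for name, (old, fixed, strict) in triage(SAMPLE_NAMES).items():
        print(f"{name:<16}{str(old):<9}{str(fixed):<7}{strict}")
```

The point the table makes is that an extension allow-list in the upload handler is necessary but not sufficient: "shell.php.png" passes the fixed default, so the upload directory still needs a server-side rule that refuses to execute anything in it (for Apache, the equivalent of the plugin’s .htaccess directives placed in the main configuration, where AllowOverride does not apply). Name checks like strict_accepts() close the double-extension and dot-file cases but do nothing about content; treating files/ as data-only on the server is the control that actually removes the RCE.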

“The internet relies on many security controls every day in order to keep our systems, data, and transactions safe and secure. If one of these controls suddenly doesn’t exist it may put security at risk unknowingly to the users and software developers relying on them,” concludes the expert.

“For software developers, reviewing changes to the systems and libraries you rely on during the development of your project is a great idea as well. In the article above a security control was removed by Apache; it not only removed a security control for Blueimp’s jQuery File Upload software project but for most of the forked code branches off of it. The vulnerability impacted many projects that depend on it, from stand-alone web applications to WordPress plugins and other CMSs.”


Pierluigi Paganini

(Security Affairs – CVE-2018-9206, jQuery File Upload plugin)


The post Thousands of applications affected by a zero-day issue in jQuery File Upload plugin appeared first on Security Affairs.

Source: Security affairs

Luke Cage (Mike Colter) will have to put another dollar in the swear jar when he hears the news. (credit: Netflix)

Just one week ago, Netflix surprised us all by canceling Iron Fist after a much-improved second season. Now we can add Luke Cage to the casualties.

Netflix unexpectedly pulled the plug on a third season today. This reduces the original Defenders to Jessica Jones, The Punisher, and Daredevil, whose third season just made its debut.

This is frankly a huge disappointment to fans of the Defenders series. Luke Cage had a strong first two seasons, with a terrific supporting cast—most notably Alfre Woodard as Mariah Dillard and Theo Rossi as her right hand, Hernan “Shades” Alvarez. While season 2 was a bit uneven, it ended with the dearly departed Mariah turning the tables on Luke, deeding him the Harlem’s Paradise nightclub. We were looking forward to seeing what kind of corrupting influence that kind of power might have had on Harlem’s hero.

Read 4 remaining paragraphs

Source: http://feeds.arstechnica.com/arstechnica/index/

By Ian Trump

This is the second in a series of blog posts “on all things Bot.” From bad to good and looking towards the future, Bots remain an information security issue which has the potential to impact all commercial and recreational online activity. This series will explore the security and business ramifications of the modern internet where […]

This is a post from HackRead.com Read the original post: Bad to the Bot Bone

Source: https://www.hackread.com/feed/

Apple CEO Tim Cook calls on Bloomberg to retract its Chinese spy story

(credit: Wikipedia)

Apple CEO Tim Cook is calling on Bloomberg Business to retract a story that said his company was the victim of a hardware-based attack carried out by the Chinese government. It’s the first time Apple has ever publicly demanded a retraction, according to BuzzFeed.

Since Bloomberg published the exclusive article 15 days ago, a gaggle of companies, well-placed government officials, and security researchers have publicly challenged its accuracy. Apple and Amazon have said they have no knowledge of ever finding or removing servers that contained the kind of spy chips Bloomberg alleged were found in the companies’ networks. Supermicro has also denied knowing anything about malicious chips being secretly implanted into any of its motherboards during the manufacturing process, as Bloomberg reported.

Meanwhile, an official from the US Department of Homeland Security has said he has no reason to doubt the Apple and Amazon denials, and a top official with the National Security Agency has said the vast resources at his disposal have been unable to confirm the report. As Ars reported last week, hardware experts, including two who were contacted by Bloomberg when reporting the story, said the kind of chip-based backdoors alleged by Bloomberg are extremely complex, particularly when introduced in the supply chain. They said state-sponsored attackers likely would prefer to exploit the numerous firmware vulnerabilities that affect motherboards from Supermicro and other makers.

Read 4 remaining paragraphs

Source: http://feeds.arstechnica.com/arstechnica/index/

A Comcast DOCSIS 3.1 modem. (credit: Comcast)

Comcast’s gigabit cable service is now available to nearly all of the 58 million homes and businesses in the company’s US territory, Comcast announced yesterday.

Comcast, the nation’s largest ISP with more than 26 million subscribers, began rolling out gigabit cable in early 2016. It’s now available almost universally through Comcast’s territory that includes 39 states and the District of Columbia.

Comcast’s gigabit cable relies on DOCSIS 3.1 technology to deliver download speeds of up to 1,000Mbps, though Comcast notes that speeds will vary based on network traffic and “actual download speeds might be limited to 940Mbps due to Ethernet technical limitations.” Upload speeds are still limited to a comparatively paltry 35Mbps.

Read 6 remaining paragraphs

Source: http://feeds.arstechnica.com/arstechnica/index/

A pen and book resting atop a paper copy of a lawsuit. (credit: Getty Images | eccolo74)

The nation’s largest broadband industry lobby groups have sued Vermont to stop a state law that requires ISPs to follow net neutrality principles in order to qualify for government contracts.

The lawsuit was filed yesterday in US District Court in Vermont by mobile industry lobby CTIA, cable industry lobby NCTA, telco lobby USTelecom, the New England Cable & Telecommunications Association, and the American Cable Association (ACA), which represents small and mid-size cable companies.

CTIA, NCTA, USTelecom, and the ACA also previously sued California to stop a much stricter net neutrality law, but they’re now expanding the legal battle to multiple states. These lobby groups represent all the biggest mobile and home Internet providers in the US and hundreds of smaller ISPs. Comcast, Charter, AT&T, Verizon, T-Mobile US, Sprint, Cox, Frontier, and CenturyLink are among the groups’ members.

Read 13 remaining paragraphs

Source: http://feeds.arstechnica.com/arstechnica/index/

In the past decade, the well-worn automotive cliché “Race on Sunday, sell on Monday” has taken a surprising twist. Now, automakers have realized that they can race on Sunday and sell race cars on Monday. If you’ve got the money, Porsche, Lamborghini, Audi, Acura, Ferrari, Mercedes, McLaren, Nissan, Bentley, and more have a race car for you, for around $500,000.

The rise in popularity of supercars worldwide has been paralleled by explosive growth in international GT3 class sportscar racing. GT3 cars are racing versions of the road-going supercars/GT cars that star in video games, YouTube channels, and print platforms. Instead of being built to a specific set of technical rules, in GT3 each make of car is benchmarked and then “performance balanced” by the FIA (the sporting organization that governs world motorsport) to create a relatively level playing field.

Read 19 remaining paragraphs

Source: http://feeds.arstechnica.com/arstechnica/index/

Google’s Building 44, where Android is developed. (credit: Ron Amadeo)

We’re still seeing the fallout from the European Commission’s $5 billion antitrust fine against Google. Earlier this week, Google announced it would comply with the ruling by unbundling the Google Android app package, allowing OEMs to skip Chrome and Google Search in favor of alternatives. The catch is that, since ad revenue from these Google services was used to support Android development, Google will start charging device makers that license Google apps but choose the unbundled route.

Now, thanks to a report from The Verge, we’re getting an idea of just how much this more flexible app licensing scheme will cost OEMs. Citing “confidential documents” that were shown to the site, The Verge says Google will charge device makers as much as $40 per device if they don’t use Google’s preferred Android setup. The pricing is flexible based on the country and the pixel density of the device’s screen. The EU is split into three tiers, with the UK, Sweden, Germany, Norway, and the Netherlands in the most expensive tier. Lower-end phones in bottom-tier countries can cost as little as $2.50 per device. Android tablets, if any of those still exist, get their own pricing tier that is even across all countries and caps out at $20. It all sounds very complicated, but if we imagine this pricing structure applied to the $720 Galaxy S9 sold in the UK, slapping on the top-end $40 fee works out to a 5.5 percent price increase and a $760 phone.

That’s not the only spot in Android OEMs’ wallets Google will hit. If OEMs don’t pre-install Chrome, the report claims they will no longer get a share of search revenue generated by Chrome users. The report says the new rules will kick in February 1, 2019, which is strange given that Google’s new licensing rules from earlier in the week start at the end of the month.

Read 4 remaining paragraphs

Source: http://feeds.arstechnica.com/arstechnica/index/

“Mr. McKittrick, after very careful consideration, sir, I’ve come to the conclusion that your new defense system sucks.” (credit: MGM/UA)

Today we’re presenting the fourth and final installment of my conversation with the outspoken author, podcaster, philosopher, and recovering neuroscientist Sam Harris. Please check out parts one, two, and three if you missed them. Otherwise, you can press play on the embedded audio player or pull up the transcript, both of which are below.

We open today’s conversation by talking about bioterrorism. Because that’s not uplifting enough, we then move on to the dangers a super AI could present in certain worst-case scenarios (which was the topic of a popular TED talk of Harris’). This conversation builds on yesterday’s cheerful discussion of nuclear terrorism.

The final part of the podcast is a conversation between me and podcasting superstar Tom Merritt. In it, Merritt and I discuss my interview with Harris—as well as a chunk of my novel After On. This section exists because I originally thought my podcast would be a limited set of just eight episodes connected to that novel. But the podcast acquired a life of its own, and I’m about to publish episode #38 in the series of eight.

Read 7 remaining paragraphs

Source: http://feeds.arstechnica.com/arstechnica/index/

A 110 megawatt (MW) solar plant in Israel’s Negev desert. (credit: OPIC)

With the price of photovoltaics having plunged dramatically, solar is likely to become a major contributor to the electrical generating mix in many countries. But the intermittent nature of photovoltaics could put a limit on how much they contribute to future grids or force us to develop massive storage capabilities.

But photovoltaics aren’t the only solar technology out there. Concentrated solar power uses mirrors to focus the Sun’s light, providing heat that can be used to drive turbines. Advances in heat storage mean that the technology can now generate power around the clock, essentially integrating storage into the process of producing energy. Unfortunately, the price of concentrated solar hasn’t budged much, and photovoltaics have left it in the dust. But some materials scientists may have figured out a way to boost concentrated solar’s efficiency considerably, clawing back some of photovoltaics’ advantage.

Feel the heat

Solar thermal revolves around transfers of heat. Sunlight is used to heat up a working fluid at the mirrors’ focus. That then transfers the heat either to a storage system or directly to another fluid that is used to drive a turbine—typically steam. Higher temperatures typically mean more work can be extracted, making the efficiency of these transfers critical.

Read 9 remaining paragraphs

Source: http://feeds.arstechnica.com/arstechnica/index/