Latest Joomla 3.7.1 Release Patches Critical SQL Injection Attack

If your website is based on the popular Joomla content management system, make sure you have updated your platform to the latest version released today.

Joomla, the world’s second most popular open source Content Management System, has reportedly patched a critical vulnerability in a core component of its software.

Website administrators are strongly advised to immediately install the latest Joomla

Apache servers under attack through easily exploitable Struts 2 flaw

A critical vulnerability in Apache Struts 2 is being actively and heavily exploited, even though the patch for it was released on Monday. System administrators are encouraged to upgrade to version 2.3.32 or 2.5.10.1 as soon as possible to avoid compromise. What is Apache Struts 2, and how is the vulnerability exploited? Apache Struts 2 is an open source web application framework for developing Java EE web applications. The vulnerability (CVE-2017-5638), discovered and reported …

New Apache Struts Zero-Day Vulnerability Being Exploited in the Wild

Security researchers have discovered a zero-day vulnerability in the popular Apache Struts web application framework that is being actively exploited in the wild.

Apache Struts is a free, open-source, Model-View-Controller (MVC) framework for creati…

Discover, catalog and protect all your apps

In this podcast recorded at RSA Conference 2017, Jason Kent, VP of Web Application Security at Qualys, illustrates how web application security is complex due to the continuously evolving threat landscape, the diverse nature of the web, mobile and IoT applications, and the broad range of systems needed to manage security across them. Here’s a transcript of the podcast for your convenience. As we approach the market for web application security, we’ve realized that organizations …

Yahoo Hacked Once Again! Quietly Warns Affected Users About New Attack

Has Yahoo rebuilt your trust again?

If yes, then you need to think once again, as the company is warning its users of another hack.

Last year, Yahoo admitted two of the largest data breaches on record. One of which that took place in 2013 disclosed p…

Qualys and Bugcrowd bring automation, crowdsourcing to web app security

At RSA Conference 2017, Qualys and Bugcrowd announced jointly developed integrations that allow joint customers to share vulnerability data across automated web application scanning and crowdsourced bug bounty programs. Many organizations’ security strategies have shifted to a proactive approach that combines automation and human expertise to discover vulnerabilities. To reduce the escalating cost and effort of implementing multiple tools or programs, this joint integration between Bugcrowd Crowdcontrol and Qualys Cloud Platform brings together …

WordPress kept users and hackers in the dark while secretly fixing critical zero-day

Last week WordPress released the newest version (4.7.2) of the popular CMS, ostensibly fixing three security issues affecting versions 4.7.1 and earlier. What the WordPress team didn’t share at that time is that the update also secretly fixes a bug that allows unauthenticated users to modify the content of any post or page within a WordPress site. The vulnerability was discovered by Sucuri researcher Marc-Alexandre Montpas and responsibly disclosed to the WordPress security team on …

Update — Hacker Claims to Have Hacked the FBI, But It Wasn’t

Update: A hacker yesterday claimed to have hacked the FBI’s website running on Plone CMS, but it seems it wasn’t hacked using any zero-day vulnerability in Plone. We contacted the Plone security team and updated this story (see below) with official stateme…
Someone Hijacking Unsecured MongoDB Databases for Ransom

Nearly two years ago, we warned users about publicly accessible MongoDB instances – almost 600 Terabytes (TB) of data – on the Internet that required no authentication, potentially leaving websites and servers at risk of hacking.

These MongoDB instances weren’t exposed due to any flaw in the software, but due to a misconfiguration (bad security practice) that let any remote attacker access MongoDB