WordPress Core up to 4.7.4 – Potential Unauthorized Password Reset

====================================================
– Discovered by: Dawid Golunski (@dawid_golunski)
– dawid[at]legalhackers.com
– https://legalhackers.com
– ExploitBox.io (@Exploit_Box)

– CVE-2017-8295
– Release date: 03.05.2017
– Revision 3.0
– Last update: 04.05.2017
– Severity: Medium/High
====================================================

I. VULNERABILITY
————————-

WordPress Core

——————————-

As we can see, the Return-Path, From, and Message-ID fields all have the attacker’s
domain set.

The headers can be verified by replacing /usr/sbin/sendmail with the following
bash script:

#!/bin/bash
# Write the message handed to sendmail on stdin (headers and body) to a file for inspection
cat > /tmp/outgoing-email
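
A check for the captured message, as an added example that is not part of the original advisory: it parses the file written by the sendmail replacement above and reports any of the three headers whose domain is not the site's own. The sample message, the placeholder domains site.example and attacker.example, and the function names are constructed for illustration.

```python
import re
import sys
from email import message_from_string
from email.utils import parseaddr

# Headers the advisory lists as carrying the sending domain.
SENDER_HEADERS = ("Return-Path", "From", "Message-ID")

# Constructed sample of a captured message; both domains are placeholders.
SAMPLE = """\
Return-Path: <wordpress@attacker.example>
From: WordPress <wordpress@attacker.example>
Message-ID: <constructed-id@attacker.example>
To: admin@site.example
Subject: Password Reset

(body omitted)
"""


def header_domain(value):
    """Return the lower-cased domain of an address-like header, or None."""
    addr = parseaddr(value)[1] or value.strip().strip("<>")
    match = re.search(r"@([A-Za-z0-9.-]+)$", addr)
    return match.group(1).lower().rstrip(".") if match else None


def off_domain_headers(raw, site_domain):
    """Map each sender header that is missing or outside site_domain to the
    domain found (None when the header is absent or has no domain)."""
    msg = message_from_string(raw)
    site = site_domain.lower()
    findings = {}
    for name in SENDER_HEADERS:
        for value in msg.get_all(name) or [None]:
            domain = header_domain(value) if value else None
            # Accept the site domain itself and its subdomains (e.g. www.).
            if domain is None or not (domain == site or domain.endswith("." + site)):
                findings[name] = domain
    return findings


if __name__ == "__main__":
    # Usage: check_mail.py <site-domain> [capture-file]; no arguments runs the sample.
    if len(sys.argv) > 1:
        path = sys.argv[2] if len(sys.argv) > 2 else "/tmp/outgoing-email"
        with open(path, encoding="utf-8", errors="replace") as fh:
            findings = off_domain_headers(fh.read(), sys.argv[1])
    else:
        findings = off_domain_headers(SAMPLE, "site.example")
    for name, domain in findings.items():
        print(f"{name}: unexpected domain {domain!r}")
    sys.exit(1 if findings else 0)
```

An empty result means all three headers carry the expected domain; the script exits non-zero otherwise, so it can gate a test run after a configuration change.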

VI. BUSINESS IMPACT
————————-

Upon successful exploitation, an attacker may be able to reset a user’s password
and gain unauthorized access to their WordPress account.

VII. SYSTEMS AFFECTED
————————-

All WordPress versions up to the latest 4.7.4

VIII. SOLUTION
————————-

No official solution is available. As a temporary solution, users can enable
UseCanonicalName to enforce a static SERVER_NAME value:

https://httpd.apache.org/docs/2.4/mod/core.html#usecanonicalname

This issue has been reported to WordPress security team multiple times
with the first report sent back in July 2016. It was reported both directly
via security contact email, as well as via HackerOne website.

As there has been no progress in this case, this advisory is finally
released to the public.


Original URL: http://feedproxy.google.com/~r/feedsapi/BwPx/~3/mDBecTh2YZ0/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html


“This is just a temporary hack”. The Biggest Myths Software Developers Believe

May 04, 2017
What are some popular myths in software development? Why are they myths, and how did they become popular? Some of these are myths because they are convenient distortions in order to promote an agenda, and some because they are naive over-simplifications. Do you agree with these opinions?

#1. THIS IS JUST A TEMPORARY HACK – I’LL COME BACK AND FIX IT LATER

John Miller, Engineering manager at Microsoft (Greater Seattle Area, Washington):

“You’ll never ‘fix it later’ so do it right. The mistake I’ve made many times is throwing something together with the intention of fixing it before I ship. Then one fire after another springs up, and the code ships in hideous shape. Write it the right way the first time”.

John Ohno, Software Engineer at Thomson Reuters (New York, New York):

“In personal projects, temporary hacks do get fixed (and when they don’t, it’s generally OK). In enterprise, you often won’t get


Original URL: http://feedproxy.google.com/~r/feedsapi/BwPx/~3/atszHBJufzI/biggest-myths-software-developers-believe


Kodi: Open source TV app inspires full-blown copyright panic in the UK

You know a technology’s gone mainstream when the tabloids start yelling about it. This year the Sun, the Mirror, the Express, and the Daily Star have run splashes ranging from “Kodi Crackdown” through “Kodi Killers” to “Kodi TOTAL BAN!”. It’s not that they’ve stumbled on an underground hack scene; the stories have been briefed by copyright owners and law enforcement agencies. So what is Kodi, and why is it such a threat to The Man?
Kodi is an open source media player program that started life as XBMC (Xbox Media Center). Today, running on a variety of devices, it provides a friendly interface to play video and audio content, whether from static files, torrents, or a live stream.
In 2014, Nathan Betzen, a leading figure in XBMC’s community, announced that the software was changing its name to Kodi, a registered trademark. “Users have been fooled into wasting money buying boxes running hacked and


Original URL: http://feedproxy.google.com/~r/feedsapi/BwPx/~3/xV_ZwnnaMLY/


Google releases DIY open source Raspberry Pi ‘Voice Kit’ hardware — here’s how to get it

Google has long been focused on artificial intelligence. Its Google Now and voice assistance projects have used AI to better the lives of users. The Google Home voice-based hardware unit brings its assistant to life, making traditional inputs and displays unnecessary. With just the power of your voice, you can interact with the device — nothing else is needed. The search giant has decided to take artificial intelligence to the maker community with a new initiative called AIY. This initiative (found here) will introduce open source AI projects to the public that makers can leverage in a simple way. Today, Google announces…


Original URL: https://betanews.com/2017/05/04/google-open-source-raspberry-pi-diy-voice-kit/

