Security News

AutoLib Software Systems OPAC Version.20.10 | Exposure of Sensitive Information | CVE-2024-48310

Full Disclosure - 27 January, 2025 - 19:07

Posted by Shaikh Shahnawaz on Jan 27

[+] Credits: Shahnawaz Shaikh, Security Researcher at Cybergate Defense LLC
[+] twitter.com/_striv3r_

[Vendor]
Autolib-india
http://autolib-india.net/products.php

[Product]
AutoLib Software Systems OPAC Version.20.10

[Affected Component]
main.js file

[CVE Reference]
CVE-2024-48310

[Security Issue]
AutoLib Software Systems OPAC v20.10 was discovered to have multiple API
keys exposed within the source code. Attackers may use these keys to...

SEC Consult SA-20250127-0 :: Weak Password Hashing Algorithms in Wind River Software VxWorks RTOS

Full Disclosure - 27 January, 2025 - 19:06

Posted by SEC Consult Vulnerability Lab via Fulldisclosure on Jan 27

SEC Consult Vulnerability Lab Security Advisory < 20250127-0 >
=======================================================================
title: Weak Password Hashing Algorithms
product: Wind River Software VxWorks RTOS
vulnerable version: >= VxWorks 6.9
fixed version: not available
CVE number: no CVE assigned by Wind River
impact: High
homepage:...

Host Header Injection - atutorv2.2.4

Full Disclosure - 27 January, 2025 - 19:06

Posted by Andrey Stoykov on Jan 27

# Exploit Title: Host Header Injection - atutorv2.2.4
# Date: 01/2025
# Exploit Author: Andrey Stoykov
# Version: 2.2.4
# Tested on: Ubuntu 22.04
# Blog:
https://msecureltd.blogspot.com/2025/01/friday-fun-pentest-series-18-host.html

Description:

- It was found that the application had a Host Header Injection
vulnerability.

Host Header Injection #1:

Steps to Reproduce:

1. Visit specific page of the application
2. Intercept the HTTP GET/POST...

Reflected XSS - atutorv2.2.4

Full Disclosure - 27 January, 2025 - 19:06

Posted by Andrey Stoykov on Jan 27

# Exploit Title: Reflected XSS - atutorv2.2.4
# Date: 01/2025
# Exploit Author: Andrey Stoykov
# Version: 2.2.4
# Tested on: Ubuntu 22.04
# Blog:
https://msecureltd.blogspot.com/2025/01/friday-fun-pentest-series-17-reflected.html

Description:

- It was found that the application was vulnerable to Reflected XSS.

Reflected XSS #1 - "theme_dir":

Steps to Reproduce:

1. Login to the application with admin user
2. Paste the following URL...

Re: (the root of the root and the bud of the bud)

Daily Dave - 13 January, 2025 - 20:14

Posted by Sean Heelan via Dailydave on Jan 13

As it happens, I’ve found the most effective way to use LLMs is to de-anthropomorphise them entirely and treat them
very like fuzzers (large scale generation of results, lots of false positives/nonsense, filtered by some oracle).

The “conversation with an AI” approach where you imagine yourself as having a single artificial brain to interact with
is (currently at least) practically far less useful than one in which you are content with...

Anthropological "Hacker" Map

Daily Dave - 13 January, 2025 - 10:07

Posted by A K via Dailydave on Jan 13

Hi all,

In the latest "Security Weekly" (https://www.youtube.com/watch?v=CXefYdEGW04)
they present the Anthropological "Hacker" Map
https://wherewarlocksstayuplate.com/map/

While the map is incomplete (how can it ever be complete?), I think it is
one of the few times, outside of David Aitel's writings about the cross-cut
between the "underground" (for a lack of a better term) and subsequent
commercial...

Re: (the root of the root and the bud of the bud)

Daily Dave - 12 January, 2025 - 22:38

Posted by Don A. Bailey via Dailydave on Jan 12

I designed one of the first working fuzzers (albeit unintentionally) back
in the late 90's. I don't remember if I published it, but I still have the
code. It, however, worked - badly - but it worked. I was heavily flamed,
however, because as you stated - it was not hip. It only attacked
environment variable and command-line argument based vulnerabilities. But,
in the 90's and early 00's, we had no shortage of local suid-based...

Re: (the root of the root and the bud of the bud)

Daily Dave - 12 January, 2025 - 22:36

Posted by Thomas Dullien via Dailydave on Jan 12

Hey,

I have one quibble: We are using "reasoning" in a qualitative, not
descriptive, form here -- "fuzzing is or is not reasoning", "LLMs reason or
do not reason". I am not sure this is helpful. Fuzzing is empirically
successful at finding crashes. Somebody that needs to light a fire and
smashes two stones together until they throw sparks does not, once the fire
burns, need to justify that 'stones perform...

Re: (the root of the root and the bud of the bud)

Daily Dave - 12 January, 2025 - 15:14

Posted by Darren Bounds via Dailydave on Jan 12

Everything old is new and the way we reason is the same way LLMs reason. It's
not about looking for the same problem the same way; it's about going to
search for that flaw the same way with unlimited (nearly) resources.

Traditional human-led vulnerability research and discovery is, today, a
short-lived venture.

Things will change very rapidly over the coming 24 months.

Memories and thoughts are the same thing, someone tried to...

(the root of the root and the bud of the bud)

Daily Dave - 11 January, 2025 - 15:24

Posted by Dave Aitel via Dailydave on Jan 11

Memories and thoughts are the same thing, someone tried to explain to me
recently. You have to think to remember, in other words. This is hard to
grasp for a lot of people because they *think* they have *memories*. They
wrongly think memory is a noun instead of a verb, which is ok in philosophy
and psychology but in cutting edge computer science we have to be precise
about these sorts of things.

Twenty-five years ago, when I first started...