Channel: o0o

CVE-2010-1622

Spring Source has recently published an advisory on CVE-2010-1622, so I figured I'd provide more details since other projects may be affected in similar ways due to incorrect usage of Java Beans...


CVE-2010-1870: Struts2/XWork remote command execution

Update Tue Jul 13 2010: Added proof of concept
Update Wed July 14 2010: Added PoC for older version of Struts2/XWork
Update Fri Aug 20 2010: Struts2 team finally released 2.2.1 on Aug 16th (2.5 months to...

CVE-2010-1871: JBoss Seam Framework remote code execution

Update Mon Aug 2 2010: Turned out JBoss didn't release fix for the community version at seamframework.org, though fix has been committed to the svn.
Update Mon Aug 11 2010: 2.2.1CR2 is released fixing...

notes on PHP source code protection

Situation: you have PHP code. PHP code to be installed on untrusted system. What's your take? We've been experimenting with compiling PHP code into native binaries and then using binary packers. Binary...

Singaporean airlines entertainment system pwn

Here're some hints for your in-flight entertainment. If you're flying with Singaporean airlines, they have a very nice in-flight entertainment system, apparently based on embedded Linux, that among...

CVE-2011-3923: Yet another Struts2 Remote Code Execution

While investigating SEC Consult's Struts2 bugs (cool bugs, btw!), I've realized that due to the fact that Struts2 still allowed OGNL expression evaluation via parentheses I could evaluate OGNL...
