A vulnerability, which was classified as problematic, has been found in View All Posts Page Plugin up to 0.9.0 on WordPress. This issue affects the function action_admin_notices_activation of the file view-all-posts-pages.php. The manipulation leads to cross site scripting. The attack may be initiated remotely. Upgrading to version 0.9.1 is able to address this issue. The patch is named bf914f3a59063fa4df8fd4925ae18a5d852396d7. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-233363.
Monthly Archives: July 2023
Crimeware Group Asylum Ambuscade Ventures Into Cyber-Espionage
Android OS Tools Fuel Cybercrime Spree, Prey on Digital Users
According to Resecurity, the trend poses challenges for online banking and payment systems
redis-7.0.12-1.fc37
FEDORA-2023-800612d23a
Packages in this update:
redis-7.0.12-1.fc37
Update description:
Redis 7.0.12 – Released Mon July 10 12:00:00 IDT 2023
Upgrade urgency SECURITY: See security fixes below.
Security Fixes:
(CVE-2022-24834) A specially crafted Lua script executing in Redis can trigger
a heap overflow in the cjson and cmsgpack libraries, and result in heap
corruption and potentially remote code execution. The problem exists in all
versions of Redis with Lua scripting support, starting from 2.6, and affects
only authenticated and authorized users.
(CVE-2023-36824) Extracting key names from a command and a list of arguments
may, in some cases, trigger a heap overflow and result in reading random heap
memory, heap corruption and potentially remote code execution. Specifically:
using COMMAND GETKEYS* and validation of key names in ACL rules.
Bug Fixes
Re-enable downscale rehashing while there is a fork child (#12276)
Fix possible hang in HRANDFIELD, SRANDMEMBER, ZRANDMEMBER when used with <count> (#12276)
Improve fairness issue in RANDOMKEY, HRANDFIELD, SRANDMEMBER, ZRANDMEMBER, SPOP, and eviction (#12276)
Fix WAIT to be effective after a blocked module command being unblocked (#12220)
Avoid unnecessary full sync after master restart in a rare case (#12088)
redis-7.0.12-1.fc38
FEDORA-2023-c406ba1ff6
Packages in this update:
redis-7.0.12-1.fc38
Update description:
Redis 7.0.12 – Released Mon July 10 12:00:00 IDT 2023
Upgrade urgency SECURITY: See security fixes below.
Security Fixes:
(CVE-2022-24834) A specially crafted Lua script executing in Redis can trigger
a heap overflow in the cjson and cmsgpack libraries, and result in heap
corruption and potentially remote code execution. The problem exists in all
versions of Redis with Lua scripting support, starting from 2.6, and affects
only authenticated and authorized users.
(CVE-2023-36824) Extracting key names from a command and a list of arguments
may, in some cases, trigger a heap overflow and result in reading random heap
memory, heap corruption and potentially remote code execution. Specifically:
using COMMAND GETKEYS* and validation of key names in ACL rules.
Bug Fixes
Re-enable downscale rehashing while there is a fork child (#12276)
Fix possible hang in HRANDFIELD, SRANDMEMBER, ZRANDMEMBER when used with <count> (#12276)
Improve fairness issue in RANDOMKEY, HRANDFIELD, SRANDMEMBER, ZRANDMEMBER, SPOP, and eviction (#12276)
Fix WAIT to be effective after a blocked module command being unblocked (#12220)
Avoid unnecessary full sync after master restart in a rare case (#12088)
CIS Benchmarks July 2023 Update
Here is an overview of the CIS Benchmarks that the Center for Internet Security updated or released for July 2023.
USN-6213-1: Ghostscript vulnerability
It was discovered that Ghostscript incorrectly handled pipe devices. If a
user or automated system were tricked into opening a specially crafted PDF
file, a remote attacker could use this issue to execute arbitrary code.
Wisconsin Governor Hacks the Veto Process
In my latest book, A Hacker’s Mind, I wrote about hacks as loophole exploiting. This is a great example: The Wisconsin governor used his line-item veto powers—supposedly unique in their specificity—to change a one-year funding increase into a 400-year funding increase.
He took this wording:
Section 402. 121.905 (3) (c) 9. of the statues is created to read: 121.903 (3) (c) 9. For the limit for the 2023-24 school year and the 2024-25 school year, add $325 to the result under par. (b).
And he deleted these words, numbers, and punctuation marks:
Section 402. 121.905 (3) (c) 9. of the statues is created to read: 121.903 (3) (c) 9. For the limit for the 2023-24 school year and the 2024–25 school year, add $325 to the result under par. (b).
Seems to be legal:
Rick Champagne, director and general counsel of the nonpartisan Legislative Reference Bureau, said Evers’ 400-year veto is lawful in terms of its form because the governor vetoed words and digits.
“Both are allowable under the constitution and court decisions on partial veto. The hyphen seems to be new, but the courts have allowed partial veto of punctuation,” Champagne said.
Definitely a hack. This is not what anyone thinks about when they imagine using a line-item veto.
And it’s not the first time. I don’t know the details, but this was certainly the same sort of character-by-character editing:
Mr Evers’ Republican predecessor once deploying it to extend a state programme’s deadline by one thousand years.
A couple of other things:
One, this isn’t really a 400-year change. Yes, that’s what the law says. But it can be repealed. And who knows that a dollar will be worth—or if they will even be used—that many decades from now.
And two, from now all Wisconsin lawmakers will have to be on the alert for this sort of thing. All contentious bills will be examined for the possibility of this sort of delete-only rewriting. This sentence could have been reworded, for example:
For the 2023-2025 school years, add $325 to the result under par. (b).
The problem is, of course, that legalese developed over the centuries to be extra wordy in order to limit disputes. If lawmakers need to state things in the minimal viable language, that will increase court battles later. And that’s not even enough. Bills can be thousands of words long. If any arbitrary characters can be glued together by deleting enough other characters, bills can say anything the governor wants.
The real solution is to return the line-item veto to what we all think it is: the ability to remove individual whole provisions from a law before signing it.
golang-github-mailru-easyjson-0.7.7-1.fc39
FEDORA-2023-7abdd861d6
Packages in this update:
golang-github-mailru-easyjson-0.7.7-1.fc39
Update description:
Automatic update for golang-github-mailru-easyjson-0.7.7-1.fc39.
Changelog
* Mon Jul 10 2023 Mikel Olasagasti Uranga <mikel@olasagasti.info> – 0.7.7-1
– Update to 0.7.7 – Closes rhbz#1925832 rhbz#2163173
Unveiling the secrets: Exploring whitespace steganography for secure communication
The content of this post is solely the responsibility of the author. AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article.
In the realm of data security, there exists a captivating technique known as whitespace steganography. Unlike traditional methods of encryption, whitespace steganography allows for the hiding of sensitive information within whitespace characters, such as spaces, tabs, and line breaks.
This inconspicuous approach to data concealment has gained significant attention in recent years as a means of secure communication. In this blog, we will delve into the world of whitespace steganography, exploring its techniques, applications, tools, and ethical considerations for educational purposes.
Whitespace steganography is a method of concealing data within whitespace characters that are often overlooked or deemed insignificant. By strategically modifying the frequency or arrangement of whitespace characters, hidden messages can be embedded within a text document. To the naked eye, the document appears normal, but those aware of the encoding technique can retrieve the concealed information.
In whitespace steganography, several techniques are employed to conceal information effectively. These techniques include altering the frequency of whitespace characters, such as adding or removing spaces, tabs, or line breaks. Another approach involves manipulating the arrangement of whitespace characters to represent encoded data. Various algorithms, such as the Least Significant Bit (LSB) technique, can be utilized to embed and extract hidden messages from whitespace.
Whitespace steganography finds applications in a range of scenarios where secure communication and data protection are paramount. Some common use cases include:
Covert communication: Whitespace steganography allows individuals to exchange sensitive information discreetly, evading detection and interception.
Document protection: Concealing critical information within whitespace characters can help protect sensitive documents from unauthorized access or tampering.
Digital watermarking: Hidden within whitespace, digital watermarks can be embedded in images or documents to protect intellectual property or verify authenticity.
Numerous open-source tools are available that facilitate whitespace steganography. These tools provide features and functionalities for encoding and decoding hidden messages within whitespace characters. Notable examples include Snow, Steghide, OpenStego, and Whitespace. There are also closed source or commercial whitespace steganography tools that offer advanced capabilities and additional security features. These tools often provide user-friendly interfaces, encryption algorithms, and integration with other security technologies. Some popular closed-source tools include SilentEye, OutGuess, and Masker.
In this blog, we will use Snow (Steganographic Nature of Whitespace) to see a working example of whitespace steganography -the tool can be downloaded from here.
As per the documentation, The Snow program runs in two modes – message concealment, and message extraction. During concealment, the following steps are taken.
Message -> optional compression -> optional encryption -> concealment in text
Extraction reverses the process.
Extract data from text -> optional decryption -> optional uncompression -> message
Now, let’s look on a working example.
We have downloaded the 32-bit version of Snow, and we’ve ensured that Java runtime environment (JRE) is installed on our system. Once everything is in place extract Snow to the desired directory. To run Snow, you will need to run command prompt as administrator and move to the directory where you have extracted Snow.
Once you are in the directory, you will need an input file (we are using a text file for demonstration)
Now, let us try to conceal a message “Hello There.” using Snow.
In the above example we concealed a message in the input file and created an output file using Snow (to avoid any contradiction we kept the input file in same directory as Snow)
In the above example we used -C for compression, -p for password and -m for message.
Now let us take a look at the output file.
Now let’s see if there are any differences in size of input and output files.
We can observe that there is a difference in size – however, when we open the output file it looks the same as the input file.
Now, let’s try to read the hidden message. Let’s run the command prompt as administrator and move to the directory of Snow where the output file is located.
So, I tried with wrong password once and then with the correct password as you can see below:
This was a demonstration of whitespace steganography using Snow and is purely for educational and research purposes to understand how it works in real life scenarios.
Steganalysis: Detecting steganography
Steganalysis refers to the detection and analysis of hidden messages within digital content. While whitespace steganography can be difficult to detect, specialized techniques and tools are available to identify potential instances of concealment. Steganalysis plays a vital role in identifying potential misuse and ensuring responsible use of steganography. We’ll dive deep into steganalysis in coming blogs.
Ethical usage and disclosure are crucial when it comes to steganography. It is important to adhere to legal regulations and privacy laws governing data security and communication. Whitespace steganography should be used responsibly for educational purposes only, emphasizing the importance of obtaining proper consent and ensuring ethical practices.
Whitespace steganography offers a remarkable approach to secure communication and data protection. By harnessing the power of seemingly innocuous whitespace characters, sensitive information can be concealed within plain sight. Understanding the techniques, applications, and tools associated with whitespace steganography enables individuals to navigate the field responsibly. As technology continues to advance, the future of whitespace steganography holds the potential for further innovations in secure communication and data privacy.