Showing posts with label Security. Show all posts
Showing posts with label Security. Show all posts

Wednesday 19 November 2014



Around 5 million Gmail user names and related passwords have been leaked in Russian Bitcoin security forum.

Is Google got hacked?
No, the leak was not the result of a security breach of Google systems.  The dump is said to have been obtained from other websites.

So, if you have used the same password used anywhere else, your gmail account could be compromised.

Google's response
"We found that less than 2% of the username and password combinations might have worked, and our automated anti-hijacking systems would have blocked many of those login attempts. We’ve protected the affected accounts and have required those users to reset their passwords." Google wrote.



What You should do?

  • There are few websites available online to check whether your gmail ID have been compromised or not. 

  • My suggestion is don't use them.  I suggest everyone to change the password.(I believe most of the people keep the same password for years, so it's better to change now).

  • If you have not enabled 2-step-factor feature, it is good to enable it.

  • Never use the gmail password in any other websites.




About five million Gmail IDs and passwords leaked

Tuesday 18 November 2014



Security analysts from SektionEins have found a vital SQL Injection vulnerability in Drupal CMS that leaves an outsized range of internet sites that uses Drupal in danger.

Drupal introduced a information abstraction API in version seven. The aim of this API is to forestall SQL Injection attacks by sanitizing SQL Queries. 

But, this API itself introduced a replacement and demanding SQL Injection vulnerability.  The vulnerability allows attackers to run malicious SQL queries, PHP code on vulnerable websites.  A prosperous exploitation permits hackers to require complete management of the positioning. 

This vulnerability are often exploited by a non-authenticated user and has been classified as "Highly Critical" one.

SektionEins did not unharness the POC however discharged AN informative  with technical details.

The vulnerability exists within the expandArguments perform that is employed for increasing arrays to handle SQL queries with "IN" Operator.  

The vulnerability affects Drupal core seven.x versions previous.  Users of 7.x versions area unit suggested to update their CMS in real time. 

You can additionally directly modify the "includes database.inc" file to patch this vulnerability; amendment the "foreach ($data as $i => $value) {"  in 739 line.

An evidence of Concept has been discharged online that permits anybody to change the secret word of administrator record. In this way, better Hurry UP! Overhaul your Drupal CMS. 

One of the reddit client "fyukyuk" posted a HTTP post ask for that endeavors this helplessness. - 

The accompanying python Code changes the administrator secret key of powerless Drupal to "administrator" (Tested with Drupal forms 7.21,7.31).




Hacking News

SQL Injection attacks





Critical SQL Injection vulnerability in Drupal seven.x

© All Type of Security And Hacking Reviews Distributed By Blogspot Templates | Designed By Template Trackers