Lean Security Expert
Cyber Security Threats

Cyber Security Threats

Lean Security Expert
Attention App Developers: Protect Your Source ...

Software developers are faced with growing security concerns when it comes to the source codes powering their applications for users around the globe.

Attention App Developers: Protect Your Source Code!
penetration testing
Lean Security Expert
The Future of Penetration Testing: Declaring ...

It has become SOP for organizations to conduct penetration testing and vulnerability scans on a regular basis. Such practice is even endorsed by most IT specialists since an attack could lead to disastrous outcomes. Penetration testing assesses an IT infrastructure’s security by safely exploiting vulnerabilities. These vulnerabilities may exist in incorrect configurations, hazardous end-user behavior, operating systems and application flaws. 

The Future of Penetration Testing: Declaring War on Modern Hacking Techniques
web application security
Security Expert
What makes Penetration Testing Different than ...

If you are a security professional, you are most definitely familiar with what vulnerability assessment and penetration testing are. These two are types of vulnerability testing in order to complete a vulnerability analysis. Both are valuable tools for information security and are integral components of the process of managing threat and vulnerability of network systems. 

web application security
Security Expert
Analysing vulnerability scanning reports

The success of an enterprise wide vulnerability assessment program depends on many factors such as planning, budgeting, resources, technical solution and others, but the most important is the ability to analyse vulnerability scanning reports. Properly identified and categorised vulnerabilities will help organisations to get the most benefit from the program and achieve more Return on Investment. This article will cover some of the points to consider when analysing network and web application reports. 

Analysing vulnerability scanning reports

remote exploit

Magento Vulnerability - Check your web sites now

Magento platform is a popular eCommerce framework used by the organisation all over the world to create the Online shops.

The researchers from Check Point discovered the critical security issues, which could potently allow the remote compromise of a Magento based web site and gaining unauthorized access to the customer and credit card information. See the full post here: http://blog.checkpoint.com/2015/04/20/analyzing-magento-vulnerability/ . The vulnerability is currently affecting thousands of online stores. 

Technical Details

Three vulnerabilities were discovered by the Check Point team:

CVE-2015-1398 - An authentication bypass vulnerability was reported in Magento component. The vulnerability is due to a user controlled parameter affecting the login mechanism. A remote attacker can exploit this issue by sending a specially crafted HTTP request to a vulnerable system. Successful exploitation may allow the attacker to gain access to a target system.

CVE-2015-1397 - An SQL injection vulnerability has been reported in Magento component. Successful exploitation of this vulnerability would allow a remote attacker to execute arbitrary SQL commands on the affected system.

CVE-2015-1399 - A remote file inclusion vulnerability has been reported in Magento component. The vulnerability is due to lack of sanitization for user-supplied data. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.

What should you do

Check your Magento implementation using our Trial Web Site Assessment Service  and see if you are vulnerable. If yes, apply the designated patch SUPEE-5344 released by Magento as soon as possible.