Home Tags Web Server

Tag: Web Server

Nginx creates certified third-party module program

Nginx has begun certifying third-party modules for use with its commercially supported, enterprise-level web server and load balancer. The modules add capabilities like security, device detection, and application serving.Nginx Plus Certified Modules...

Millions of websites affected by unpatched flaw in Microsoft IIS 6...

A proof-of-concept exploit has been published for an unpatched vulnerability in Microsoft Internet Information Services 6.0, a version of the web server that's no longer supported but still widely used.The exploit allows attackers to execute malicious code on Windows servers running IIS 6.0 with the privileges of the user running the application.

Extended support for this version of IIS ended in July 2015 along with support for its parent product, Windows Server 2003.[ 18 surprising tips for security pros. | Discover how to secure your systems with InfoWorld's Security Report newsletter. ]Even so, independent web server surveys suggest that IIS 6.0 still powers millions of public websites. In addition, many companies might still run web applications on Windows Server 2003 and IIS 6.0 inside their corporate networks, so this vulnerability could help attackers perform lateral movement if they access such networks through other means.To read this article in full or to leave a comment, please click here

This is the dishwasher with an unsecured web server we deserve

Why wouldn't you want to have your restaurant's dishwasher hooked onto the internet at large?

Dishwasher has directory traversal bug

Thanks a Miele-on for making everything dangerous, Internet of things security slackers Don't say you weren't warned: Miele went full Internet-of-Things with a dishwasher, gave it a web server and now finds itself on the wrong end of a bug report and it's accused of ignoring.…

ABTA website hacked, 43,000 people affected by breach

Hacker used flaw in web server to access data uploaded to ABTA's website

In-the-wild exploits ramp up against high-impact sites using Apache Struts

Hackers are still exploiting the bug to install malware on high-impact sites.

Nginx JavaScript is ready for prime time

Nginx has upgraded its web server and load balancer to take advantage of its JavaScript implementation. The company on Tuesday debuts Nginx Plus R12, the commercially supported version of its technology.

This release moves NginScript, a JavaScript-...

Oops! 185,000-plus Wi-Fi cameras on the web with insecure admin panels

Just unplug them now before someone writes a botnet, okay? Get ready for the next camera-botnet: a Chinese generic wireless webcam sold under more than 1,200 brands from 354 vendors has a buggy and exploitable embedded web server.…

Researchers find “severe” flaw in WordPress plugin with 1 million installs

If you use NextGEN Gallery, now would be a good time to update.

IDG Contributor Network: Compressing Web API responses to reduce payload

Web API is the technology of choice for building RESTful web services in .Net.
It supports many media types, with application/json the one that's widely used. JSON is text based and lightweight and has already become a popular data exchange format f...

Got an OpenBSD Web server? Better patch it

DoS-able bugs splatted OpenBSD and two of its SSL libraries need patches against a pair of denial-of-service bugs that can crash Web-facing servers.…

Pwn2Own 2017 Expands Attack Surface Beyond the Web Browser

10th anniversary edition of Pwn2Own hacking contest offers over $1M in prize money to security researchers across a long list of targets including Virtual Machines, servers, enterprise applications and web browsers. Over the last decade, the Zero Day Initiative's (ZDI) annual Pwn2Own competition has emerged to become one of the premiere events on the information security calendar and the 2017 edition does not look to be any different. For the tenth anniversary of the Pwn2Own contest, ZDI, now owned and operated by Trend Micro, is going farther than ever before, with more targets and more prize money available for security researchers to claim by successfully executing zero-day exploits.HPE sold its TippingPoint division, which includes ZDI, for $300 million to Trend Micro in 2016 and the Pwn2own event that year was hosted as a joint effort between the two companies. By the end of the two-day event in 2016, $460,000 in prize money was awarded to researchers that demonstrated a total of 21 zero-day vulnerabilities.The Pwn2Own 2017 event is co-located at the CanSecWest conference in Vancouver, Canada, set for March 15-17. The 2017 event is sponsored by Trend Micro and unlike past Pwn2Own events, is not focused on web browsers.Among the targets this year are Virtual Machines, including both VMware and Microsoft Hyper-V systems. Researchers will need to execute a virtualization hypervisor escape from the guest virtual machine, to run arbitrary code on the underlying host operating system. ZDI will pay a $100,000 reward to the security researcher that is able to successfully execute a Virtual Machine escape. "We're always considering new targets for each year," Brian Gorenc, senior manager of vulnerability research with Trend Micro, told eWEEK. Outside of the Pwn2Own event, ZDI is in the business of acquiring security vulnerabilities from researchers. Gorenc added that ZDI is actively acquiring virtual machine escapes through its' program."Hopefully Pwn2Own will raise awareness among researchers, so we see even more of these reports," Gorenc said.While virtual machines are on the target list for Pwn2Own, Docker containers are not. Gorenc noted that containers weren’t really a consideration for this year's contest. Linux Pwn2Own has targeted Apple's macOS and Microsoft Windows based technologies for the past decade, but in 2017, the open-source Linux operating system has finally made the target list.Pwn2Own researchers will specifically be able to target the Ubuntu 16.10 Linux operating system in a pair of separate challenges, one for privilege escalation, the other for server-side web host exploitation.Researchers that target Linux will be awarded $15,000 if they can leverage a kernel vulnerability to escalate privileges. The same feat on Windows will earn a researcher $30,000, while a macOS escalation of privilege will be rewarded with $20,000.Ubuntu Linux systems can be secured with an additional layer of mandatory access control security known as 'AppArmor' that in some cases would limit the risk of a local user privilege escalation exploit. Gorenc noted that for the Pwn2Own contest, ZDI is not setting up any AppArmor profiles for this year's event.On the server side, the ZDI will award a successful exploit against the open-source Apache Web Server running on Ubuntu 16.10 Linux with a $200,000 prize. Web Browsers Once again web browsers are a key target at Pwn2Own, with successful exploitation of Microsoft's Edge browser or Google Chrome worth $80,000. A successful exploit of Apple's Safari will be rewarded with a $50,000 prize.After not being part of the 2016 event, Mozilla's Firefox web browser is back on the Pwn2Own target list of 2017. A successful exploit of Firefox will earn $30,000."Mozilla improved their security enough for us to warrant their re-inclusion in the contest," Gorenc said.Additionally the 2017 Pwn2Own event will award researchers $50,000 for each successful exploit of Adobe Reader, Microsoft Office Word, Excel and PowerPoint. The total prize pool available for researchers is more than any other Pwn2Own event has ever offered."Much of the final tally will depend on how many entries we have," Gorenc said. "We're definitely over $1 million, which is our largest Pwn2Own ever."After 10 years of running Pwn2Own events, it's likely that the hacking challenge will continue for many more years to come."While it would be great to live in a world with perfect security, we know this isn’t really practical," Gorenc said. "A lot of great research has been through the contest and inspired by the contest – research which ended up improving security for everyone."Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.