Posts

Showing posts with the label Vulnerability

SQL Injection vulnerability in Drupal 7.x

Security researchers from SektionEins have discovered a critical SQL Injection vulnerability in the Drupal CMS that leaves a large number of websites that use Drupal at risk. Drupal introduced a database abstraction API in version 7. The purpose of this API is to prevent SQL Injection attacks by sanitizing SQL queries. But this API itself introduced a new and critical SQL Injection vulnerability. The vulnerability enables attackers to run malicious SQL queries and PHP code on vulnerable websites. Successful exploitation allows hackers to take complete control of the site. This vulnerability can be exploited by a non-authenticated user and has been classified as "Highly Critical". SektionEins didn't release a PoC but released an advisory with technical details. The vulnerability exists in the expandArguments function, which is used for expanding arrays to handle SQL queries with the "IN" operator. The vulnerability affects Drupal core 7.x versions...

Android vulnerability allows any app to make phone calls

An application normally needs permission to make phone calls and should alert the user that it requires this permission when it is being installed. Researchers at security firm CureSec have discovered a security flaw in the Android system that allows malicious applications to initiate unauthorized phone calls. By exploiting this vulnerability, malicious apps can make phone calls to premium-rate numbers and terminate any outgoing calls. They can also send Unstructured Supplementary Service Data (USSD) codes, which can be used for enabling call forwarding, blocking your SIM card and so on. The security bug appears to have been introduced in Android Jelly Bean 4.1.1 and exists in all later versions through Android KitKat 4.4.2. CureSec has also released source code and a proof-of-concept application to demonstrate the existence of the vulnerability.

Google warns and admits Middle Eastern govt spying on its users

Google has launched a new effort to warn its users that they could be the victims of cyberattacks from hostile governments. Account-holders working in international relations, development and other sensitive areas have received messages from the search giant informing them of recent efforts to spy on their online history. The move comes after the company started detecting 'tens of thousands' of new hacking attacks originating in the Middle East.

Warning: Google has sent this message to a number of at-risk users

Google is a tempting target for hackers, as it is not focused solely on search but also offers its users services such as email, mapping and Chrome, one of the most popular web browsers. This week, according to the New York Times, users thought to have been targeted saw a message attached to their accounts saying, 'Warning: We believe state-sponsored attackers may be attempting to compromise your account or computer.' This is not the first t...

Windows Media Bug, A New Target for Malware

Windows Media Player Bug

Security researchers have seen attackers going after the newly patched CVE-2012-0003 vulnerability in Windows Media Player. The flaw, which was patched earlier this month by Microsoft, is a critical one that can enable remote code execution, and it affects a wide range of Windows systems. When the patch was released, Microsoft officials recommended that customers install it immediately, as there was a decent chance of attackers leveraging it in the near future. And that's just what has happened. Researchers at IBM ISS X-Force have seen malicious attacks against the MIDI vulnerability going on in the wild in recent days, and say that because exploitation of the flaw is not considered difficult, there may well be more on the horizon. "In addition to the appearance of live exploitation, detailed discussion of the vulnerability details and methods of exploitation has been seen. The relatively low complexity of locating the vulnerabilit...