How boring would social networking websites, blogs, forums and other web applications with a social component be if they didn’t allow their users to upload rich media like photos, videos and MP3s?  The answer is easy: very, very boring! Thankfully, these social sites allow end-users to upload rich media and other files, and this makes communication on the world wide web more impactful and interesting.

But user-uploaded files also give hackers a potential entry-point into the same web apps, making their safe handling an extremely important task for administrators and the security team. If these files are not validated properly, a remote attacker could upload a malicious file on the web server and cause a serious breach.

Continue reading …

During my vulnerability analysis work I came across interesting firmware for Schneider Electric ETG3000 FactoryCast HMI Gateway. When playing around with the firmware, I discovered two severe vulnerabilities that could be exploited remotely without authentication. On January 21 ICS-CERT issued an advisory on these vulnerabilities that Qualys reported.

Continue reading …