This Metasploit module exploits a vulnerability in Nagios XI versions before 5.6.6 in order to execute arbitrary commands as root. The module uploads a malicious plugin to the Nagios XI server and then executes this plugin by issuing an HTTP GET request to download a system profile from the server. For all supported targets except Linux (cmd), the module uses a command stager to write the exploit to the target via the malicious plugin. This may not work if Nagios XI is running in a restricted Unix environment, so in that case the target must be set to Linux (cmd). The module then writes the payload to the malicious plugin while avoiding commands that may not be supported. Valid credentials for a user with administrative privileges are required. This module was successfully tested on Nagios XI 5.6.5 running on CentOS 7. The module may behave differently against older versions of Nagios XI.

This patch mitigates allowing launcher the ability to execute arbitrary programs.

Open-AudIT version 3.2.2 suffers from OS command injection, arbitrary file upload, and remote SQL injection vulnerabilities.

XBOX 360 Aurora version 0.6b default credential FTP bruteforcing script.

Delta Industrial Automation DCISoft version 1.12.09 suffers from a stack buffer overflow vulnerability.

sqlmap is an open source command-line automatic SQL injection tool. Its goal is to detect and take advantage of SQL injection vulnerabilities in web applications. Once it detects one or more SQL injections on the target host, the user can choose among a variety of options to perform an extensive back-end database management system fingerprint, retrieve DBMS session user and database, enumerate users, password hashes, privileges, databases, dump entire or user's specified DBMS tables/columns, run his own SQL statement, read or write either text or binary files on the file system, execute arbitrary commands on the operating system, establish an out-of-band stateful connection between the attacker box and the database server via Metasploit payload stager, database stored procedure buffer overflow exploitation or SMB relay attack and more.

graph_realtime.php in Cacti 1.2.8 allows remote attackers to execute arbitrary OS commands via shell metacharacters in a cookie if a guest user has the graph real-time privilege.

This Metasploit module exploits a flaw where an authenticated user with sufficient administrative rights to manage pollers can use this functionality to execute arbitrary commands remotely. Usually, the miscellaneous commands are used by the additional modules (to perform certain actions), by the scheduler for data processing, etc. This module uses this functionality to obtain a remote shell on the target.

hwk is an easy-to-use wireless authentication and de-authentication tool. Furthermore, it also supports probe response fuzzing, beacon injection flooding, antenna alignment and various injection testing modes. Information gathering is selected by default and shows the incoming traffic indicating the packet types.

DA-WIN, a wireless IDS, provides an organization a continuous wireless scanning capability that is light touch and simple. It utilizes compact and discreet sensors that can easily be deployed reducing the total cost of protection and simplifying the effort required for absolute, categoric regulatory compliance. This archive includes a dd image to be used on a Raspberry Pi and a user manual.

DA-WIN, a wireless IDS, provides an organization a continuous wireless scanning capability that is light touch and simple. It utilizes compact and discreet sensors that can easily be deployed reducing the total cost of protection and simplifying the effort required for absolute, categoric regulatory compliance. This archive includes a dd image to be used on a Raspberry Pi and a user manual.

Teltonika RUT9XX routers with firmware before 00.04.233 are prone to multiple unauthenticated OS command injection vulnerabilities in autologin.cgi and hotspotlogin.cgi due to insufficient user input sanitization. This allows remote attackers to execute arbitrary commands with root privileges.

The FLIR Brickstream 3D+ sensor is vulnerable to unauthenticated config download and file disclosure vulnerability when calling the ExportConfig REST API (getConfigExportFile.cgi). This will enable the attacker to disclose sensitive information and help her in authentication bypass, privilege escalation and/or full system access.

Synaccess netBooter NP-02x and NP-08x version 6.8 suffer from an authentication bypass vulnerability due to a missing control check when calling the webNewAcct.cgi script while creating users. This allows an unauthenticated attacker to create an admin user account and bypass authentication giving her the power to turn off a power supply to a resource.

The IDAL HTTP server CGI interface contains a URL, which allows an unauthenticated attacker to bypass authentication and gain access to privileged functions. In the IDAL CGI interface, there is a URL (/cgi/loginDefaultUser), which will create a session in an authenticated state and return the session ID along with the username and plaintext password of the user. An attacker can then login with the provided credentials or supply the string 'IDALToken=......' in a cookie which will allow them to perform privileged operations such as restarting the service with /cgi/restart.

D-Link DIR-859 Routers are vulnerable to OS command injection via the UPnP interface. The vulnerability exists in /gena.cgi (function genacgi_main() in /htdocs/cgibin), which is accessible without credentials.

FDI into Latvia has recovered in recent years as the Baltic state has implemented stricter anti-money laundering procedures. Latvian minister of economics Ralfs Nemiro talks to Alex Irwin-Hunt about the progress made.

(Please visit the site to view this video)

If you're a frequent visitor to our site, you might notice a few changes in the coming weeks. That's because we're making some big improvements and are proud to announce the upcoming launch of the newly redesigned TechSoup.org.

As a social enterprise, we never stop working to better serve nonprofits that share in our commitment to building a more equitable planet. In fact, TechSoup currently works with more than 965,000 NGOs in 236 countries and territories and has facilitated over $9 billion in U.S. market value of in-kind technology and funding.

To that end, we've created a refreshed, modern web presence to streamline access to all our traditional and beloved products and services. It will also serve as the place where TechSoup technologies and services are first announced.

The new TechSoup.org has been optimized for mobile devices, so you'll be able to experience all the new functionality wherever you go. We've also built the site with accessibility in mind on several fronts. And we're launching a new blog.

Our new website will officially go live in early November.

A Streamlined User Experience

Nonprofits who are regular visitors to TechSoup will find a streamlined catalog that makes finding product offers and solutions easier and more efficient. Additionally, the home page has been reconfigured, sending a clearer message of who we are and what we offer as an organization.

"We reduced clutter and developed a cleaner, simpler user experience with more breathing room in the interface to encourage users to do what they are intended to do on the site," says TechSoup head of user experience Tyler Benari. "It will now be easier to benefit from offerings available in and out of our catalog, interact with others in the nonprofit community, and gain access to other TechSoup services."

Maximized for Mobile

TechSoup's updated website will be maximized for mobile devices, allowing nonprofit staffers to take advantage of the many offers on TechSoup.org right from their phone or tablet.

"It's an exciting time," Benari says. "We will now be able to literally get TechSoup into more people's hands. Redesigning the site to be more mobile-friendly will allow us to grow our community much faster and better serve the existing nonprofits we love so much."

Improved Accessibility

The newly redesigned TechSoup.org also features greater accessibility and is informed by Web Content Accessibility 2.0 Guidelines (WCAG).

"TechSoup cares very much about accessibility and enabling access for all people," Benari says, describing two key factors that have been improved upon: contrast and code. "Our new color scheme makes it easier for people with impaired vision to access content on the site, and our code was updated to better communicate with screen readers."

A New Blog Platform

Finally, we're excited to introduce our new blog, more suited to integrate existing TechSoup.org content in a single, easy-to-access location. We've given the platform an upgrade, complete with a fresh look and improved functionality aimed to make blog posts more easily shareable and to promote a more robust multimedia experience.

You'll continue to see improvements in the coming months as we receive feedback from the communities we serve. Also, be on the lookout for more information surrounding the new site, including a webinar and short video.

spanhidden

Western European carmakers should consider an R&D footprint in CEE, says McKinsey.

Foreign investment into Serbia is growing at a healthy pace thanks to its attractive automotive manufacturing industry and highly regarded free zones.

Tesla's decision part of broader trend of investment into Germany at UK's expense.

Despite nurturing its R&D capacity, the city of Braunschweig lags its German peers in attracting FDI. Now it hopes a focus on the mobility sector will mean its technical skills are matched with investment.

Steve Armitage, general manager of destination at Auckland Tourism, Events and Economic Development explains why the New Zealand city’s international profile is growing so fast.

President Obrador aims to mobilise billions in public and private investment to create an alternative to the Panama Canal along the Tehuantepec corridor. 

FDI project numbers from China into the EU are on a downward trend, but Europe is still a popular destination for Chinese investment.

Bolivian President Evo Morales has inaugurated the 69-MW San Jose II Hydroelectric Power Plant in the municipality of Colomi, department of Cochabamba.