This Metasploit module exploits an arbitrary command execution vulnerability in Webmin versions 1.900 and below. Any user authorized to the "Java file manager" and "Upload and Download" fields, to execute arbitrary commands with root privileges. In addition, "Running Processes" field must be authorized to discover the directory to be uploaded. A vulnerable file can be printed on the original files of the Webmin application. The vulnerable file we are uploading should be integrated with the application. Therefore, a ".cgi" file with the vulnerability belong to webmin application should be used. The module has been tested successfully with Webmin version 1.900 over Debian 4.9.18.

Telus Actiontec WEB6000Q with firmware 1.1.02.22 suffers from a denial of service vulnerability. By querying CGI endpoints with empty (GET/POST/HEAD) requests causes a Segmentation Fault of the uhttpd webserver. Since there is no watchdog on this daemon, a device reboot is needed to restart the webserver to make any modification to the device.

(Please visit the site to view this video)

If you're a frequent visitor to our site, you might notice a few changes in the coming weeks. That's because we're making some big improvements and are proud to announce the upcoming launch of the newly redesigned TechSoup.org.

As a social enterprise, we never stop working to better serve nonprofits that share in our commitment to building a more equitable planet. In fact, TechSoup currently works with more than 965,000 NGOs in 236 countries and territories and has facilitated over $9 billion in U.S. market value of in-kind technology and funding.

To that end, we've created a refreshed, modern web presence to streamline access to all our traditional and beloved products and services. It will also serve as the place where TechSoup technologies and services are first announced.

The new TechSoup.org has been optimized for mobile devices, so you'll be able to experience all the new functionality wherever you go. We've also built the site with accessibility in mind on several fronts. And we're launching a new blog.

Our new website will officially go live in early November.

A Streamlined User Experience

Nonprofits who are regular visitors to TechSoup will find a streamlined catalog that makes finding product offers and solutions easier and more efficient. Additionally, the home page has been reconfigured, sending a clearer message of who we are and what we offer as an organization.

"We reduced clutter and developed a cleaner, simpler user experience with more breathing room in the interface to encourage users to do what they are intended to do on the site," says TechSoup head of user experience Tyler Benari. "It will now be easier to benefit from offerings available in and out of our catalog, interact with others in the nonprofit community, and gain access to other TechSoup services."

Maximized for Mobile

TechSoup's updated website will be maximized for mobile devices, allowing nonprofit staffers to take advantage of the many offers on TechSoup.org right from their phone or tablet.

"It's an exciting time," Benari says. "We will now be able to literally get TechSoup into more people's hands. Redesigning the site to be more mobile-friendly will allow us to grow our community much faster and better serve the existing nonprofits we love so much."

Improved Accessibility

The newly redesigned TechSoup.org also features greater accessibility and is informed by Web Content Accessibility 2.0 Guidelines (WCAG).

"TechSoup cares very much about accessibility and enabling access for all people," Benari says, describing two key factors that have been improved upon: contrast and code. "Our new color scheme makes it easier for people with impaired vision to access content on the site, and our code was updated to better communicate with screen readers."

A New Blog Platform

Finally, we're excited to introduce our new blog, more suited to integrate existing TechSoup.org content in a single, easy-to-access location. We've given the platform an upgrade, complete with a fresh look and improved functionality aimed to make blog posts more easily shareable and to promote a more robust multimedia experience.

You'll continue to see improvements in the coming months as we receive feedback from the communities we serve. Also, be on the lookout for more information surrounding the new site, including a webinar and short video.

spanhidden

This Metasploit module exploits a type confusion bug in the Javascript Proxy object in WebKit. The DFG JIT does not take into account that, through the use of a Proxy, it is possible to run arbitrary JS code during the execution of a CreateThis operation. This makes it possible to change the structure of e.g. an argument without causing a bailout, leading to a type confusion (CVE-2018-4233). The type confusion leads to the ability to allocate fake Javascript objects, as well as the ability to find the address in memory of a Javascript object. This allows us to construct a fake JSCell object that can be used to read and write arbitrary memory from Javascript. The module then uses a ROP chain to write the first stage shellcode into executable memory within the Safari process and kick off its execution. The first stage maps the second stage macho (containing CVE-2017-13861) into executable memory, and jumps to its entrypoint. The CVE-2017-13861 async_wake exploit leads to a kernel task port (TFP0) that can read and write arbitrary kernel memory. The processes credential and sandbox structure in the kernel is overwritten and the meterpreter payloads code signature hash is added to the kernels trust cache, allowing Safari to load and execute the (self-signed) meterpreter payload.

WhatWeb is a next-generation web scanner. WhatWeb recognises web technologies including content management systems (CMS), blogging platforms, statistic/analytics packages, JavaScript libraries, web servers, and embedded devices. WhatWeb has over 1800 plugins, each to recognise something different. WhatWeb also identifies version numbers, email addresses, account IDs, web framework modules, SQL errors, and more. WhatWeb supports an aggression level to control the trade off between speed and reliability.

WhatWeb is a next-generation web scanner. WhatWeb recognizes web technologies including content management systems (CMS), blogging platforms, statistic/analytics packages, JavaScript libraries, web servers, and embedded devices. WhatWeb has over 1800 plugins, each to recognize something different. WhatWeb also identifies version numbers, email addresses, account IDs, web framework modules, SQL errors, and more. WhatWeb supports an aggression level to control the trade off between speed and reliability.

Clarion Energy’s Teresa Hansen, vice president of global content, for a webcast Wednesday  will be making some important announcements regarding this year’s event in New Orleans. Hansen also will offer key details on content, the exhibit floor and resources available to attendees.

Clarion Energy’s Teresa Hansen, vice president of global content, for a webcast Wednesday  will be making some important announcements regarding this year’s event in New Orleans. Hansen also will offer key details on content, the exhibit floor and resources available to attendees.

Clarion Energy’s Teresa Hansen, vice president of global content, for a webcast Wednesday  will be making some important announcements regarding this year’s event in New Orleans. Hansen also will offer key details on content, the exhibit floor and resources available to attendees.

Join Austrade's webinar to gain insights on the Bangladesh E-commerce market, emerging trends, growth drivers, regulations, route to market and opportunities for partnering with Bangladesh online companies.

Participate in Austrade's webinar, the third in a series of 5 on India’s Agtech sector, will provide an insight into the dynamic disruption of conventional agriculture value chain from the perspective of a Venture Capital Fund.

Austrade invites your participation in an interactive webinar "Mongolia Mining 2020". In addition to an update on the impact of COVID-19, the webinar will provide valuable information on major mining projects in Mongolia and the market's business potential.

What does 2020 and beyond hold for your company's global growth plans? How will COVID-19 disrupt and create new supply chains and R&D hubs in the APAC region?

Austrade welcomes you to US market entry resources & opportunities for Australian AgriTech companies in the US market featuring Cassandra Keener (Chicago), Joanna Olivera (San Francisco) and David Brown (Landing Pads SF).

Clarion Energy’s Teresa Hansen, vice president of global content, for a webcast Wednesday  will be making some important announcements regarding this year’s event in New Orleans. Hansen also will offer key details on content, the exhibit floor and resources available to attendees.

Google's video chat app got new features this week. No, the other one. No, the other other one.

In a Friday blog post, Google announced some snazzy new features for Duo, one of its three video chat services. Let's get this out of the way early: Duo is the one that's mobile-friendly and resembles FaceTime more than Hangouts and Meet.

The new features make more sense with that in mind. Google added something called "Family Mode" to Duo, in which you can draw silly little doodles on the video feed, presumably to amuse the little ones on the call. There are also AR effects you can use on one-on-one calls on Android and iOS, similar to those available on Facebook's video calls. Read more...

This webcast gives 6 tips for keeping employees safe and mitigating security threats as your workforce goes remote.
Learn how to protect employees from malicious web content.

This webcast gives 6 tips for keeping employees safe and mitigating security threats as your workforce goes remote.
Learn how to protect employees from malicious web content.

This webcast gives 6 tips for keeping employees safe and mitigating security threats as your workforce goes remote.
Learn how to protect employees from malicious web content.