#1 Trusted Cybersecurity News Platform Followed by 4.50+ million
The Hacker News Logo
Subscribe – Get Latest News
Insider Risk Management

Local file inclusion | Breaking Cybersecurity News | The Hacker News

Critical LFI Vulnerability Reported in Hashnode Blogging Platform

Critical LFI Vulnerability Reported in Hashnode Blogging Platform

Apr 12, 2022
Researchers have disclosed a previously undocumented local file inclusion ( LFI ) vulnerability in  Hashnode , a developer-oriented blogging platform, that could be abused to access sensitive data such as SSH keys, server's IP address, and other network information. "The LFI originates in a  Bulk Markdown Import feature  that can be manipulated to provide attackers with unimpeded ability to download local files from Hashnode's server," Akamai researchers said in a report shared with The Hacker News. Local file inclusion flaws occur when a web application is tricked into exposing or running unapproved files on a server, leading to directory traversal, information disclosure, remote code execution, and cross-site scripting (XSS) attacks. The flaw, caused due to the web application failing to adequately sanitize the path to a file that's passed as input, could have serious repercussions in that an assailant could navigate to any path on the server and access s
GhostCat: New High-Risk Vulnerability Affects Servers Running Apache Tomcat

GhostCat: New High-Risk Vulnerability Affects Servers Running Apache Tomcat

Feb 28, 2020
If your web server is running on Apache Tomcat, you should immediately install the latest available version of the server application to prevent hackers from taking unauthorized control over it. Yes, that's possible because all versions (9.x/8.x/7.x/6.x) of the Apache Tomcat released in the past 13 years have been found vulnerable to a new high-severity (CVSS 9.8) ' file read and inclusion bug '—which can be exploited in the default configuration. But it's more concerning because several proof-of-concept exploits ( 1 , 2 , 3 , 4  and more ) for this vulnerability have also been surfaced on the Internet, making it easy for anyone to hack into publicly accessible vulnerable web servers. Dubbed ' Ghostcat ' and tracked as CVE-2020-1938 , the flaw could let unauthenticated, remote attackers read the content of any file on a vulnerable web server and obtain sensitive configuration files or source code, or execute arbitrary code if the server allows file uploa
phpMyAdmin Releases Critical Software Update — Patch Your Sites Now!

phpMyAdmin Releases Critical Software Update — Patch Your Sites Now!

Dec 11, 2018
Developers of phpMyAdmin, one of the most popular and widely used MySQL database management systems, today released an updated version 4.8.4 of its software to patch several important vulnerabilities that could eventually allow remote attackers to take control of the affected web servers. The phpMyAdmin project last Sunday gave an early heads-up about the latest security update through its blog, probably the first time, as an experiment to find if pre-announcements can help website admins, hosting providers and package managers better prepare for the security release. "We are inspired by the workflow of other projects (such as Mediawiki and others) which often announce any security release in advance to allow package maintainers and hosting providers to prepare. We are experimenting to see if such a workflow is suitable for our project," phpMyAdmin release manager Isaac Bennetch told The Hacker News. phpMyAdmin is a free, open-source administration tool for managing
cyber security

Webinar: How to streamline security reviews with Trust Center

websiteVantaCompliance / Security Audit
Learn how Vanta Trust Center can help provide real-time evidence for passing controls and automate responses to security questionnaires.
Defending Your Commits From Known CVEs With GitGuardian SCA And Git Hooks

Defending Your Commits From Known CVEs With GitGuardian SCA And Git Hooks

May 20, 2024Software Security / Vulnerability
All developers want to create secure and dependable software. They should feel proud to release their code with the full confidence they did not introduce any weaknesses or anti-patterns into their applications. Unfortunately, developers are not writing their own code for the most part these days. 96% of all software contains some open-source components, and open-source components make up between  70% and 90% of any given piece of modern software . Unfortunately for our security-minded developers, most modern vulnerabilities come from those software components.  As new vulnerabilities emerge and are publicly reported as  Common Vulnerabilities and Exposures  (CVEs), security teams have little choice but to ask the developer to refactor the code to include different versions of the dependencies. Nobody is happy in this situation, as it blocks new features and can be maddening to roll back component versions and hope that nothing breaks. Developers need a way to  quickly  determine if
Over 300 Million AdultFriendFinder Accounts Exposed in Massive Data Breach
Jobvite Recruitment Service Website Vulnerable to Hackers

Jobvite Recruitment Service Website Vulnerable to Hackers

Aug 04, 2014
Jobvite , a recruiting platform for the social web, is found vulnerable to the most common, but critical web application vulnerabilities that could allow an attacker to compromise and steal the database of the company's website. Jobvite is a Social recruiting and applicant tracking created for companies with the highest expectations of recruiting technology and candidate quality. Growing companies use Jobvite's social recruiting, sourcing and talent acquisition solutions to target the right talent and build the best teams. An independent security researcher Mohamed M. Fouad from Egypt, has found two major flaws in Jobvite website  that could be used by an attacker to comprise the company's web server. As a responsible security researcher, Fouad also reported the critical flaws three months ago to the Jobvite team, but the company didn't fix it till now. According to Fouad, Jobvite is vulnerable to Boolean SQLi (SQL injection) and LFI (local file inclusion) v
Vulnerability in Whatsapp messenger media server

Vulnerability in Whatsapp messenger media server

Jun 12, 2013
If you own an iPhone or an Android device, then the chances are high that you're familiar with the extremely popular cross-platform messaging app, WhatsApp. According to a whitehat hacker Mohammed Saeed , Whatsapp media server ( media.whatsapp.com ) interface was vulnerable to Traversal local file inclusion. This vulnerability occurs when a page include is not properly sanitized, and allows directory traversal characters to be injected. Flaw allowed hacker to gather usernames via an " /etc/passwd " file and also another sensitive files like log files i.e   "/apache/logs/error.log" or " /apache/logs/access.log ". Flaw was reported by Mohammed with proof of conpect to Whatsapp security team on 27th May and was addressed this week. If you are also penetration tester and have something buggy that can help Whatsapp team to make there service more secure, feel free to contact them at  support@whatsapp.com .
Sensitive server info leaked from weather.gov Vulnerability

Sensitive server info leaked from weather.gov Vulnerability

Oct 16, 2012
Kosova Hacker's Security group today release very sensitive server info of " The National Weather Service ", which was gathered due to a " Local file inclusion " Vulnerability in weather.gov . By definition, Local File Inclusion (also known as LFI) is the process of including files on a server through the web browser. This vulnerability occurs when a page include is not properly sanitized, and allows directory traversal characters to be injected. Hackers publish complete data in a pastebin file uploaded today, but the hack was performed two day back and in meantime, server administrator fix the vulnerability. We just talk with the hacking crew to know the reason of hack and data exposure, one of them explain that they are against US policies, who are targeting muslim countries. " They hack our nuclear plants using STUXNET and FLAME like malwares , they are bombing us 24*7, we can't sit silent - hack to payback them " Hacker expo
Cybersecurity
Expert Insights
Cybersecurity Resources