Multiple XSS Vulnerabilities and 27MHz Research

Two cross site scripting vulnerabilities were announced today in F5 Firepass 4100 SSL VPN and Apache 2.2.3 and 2.0.46 and above. In the F5 device, input passed to my.activation.php3 and my.logon.php3 is not properly sanitized before returning to the user. In Apache, input via the HTTP method is not properly sanitized before being sent to the user when a “413 Request Entity Too Large” error page is displayed. Both issues can be exploited to execute script or HTML code in a user’s browser session.

A security research team has demonstrated the ability to intercept communications between 27 Mhz keyboards and a computer. The team was able to reverse engineer the packets and break the trivial encryption to sniff commands entered between the keyboard and the computer. Reportedly this can be performed up to 10 m away. Maybe it’s time to take a look at your company’s security policy and see what’s in it about wireless keyboards and reevaluate those decisions.

Leave a Reply