Cisco Patches Authentication, Denial-of-Service, NTP Flaws In Many Products (csoonline.com)
itwbennett writes: Cisco Systems has released a new batch of security patches for flaws affecting a wide range of products, including for a critical vulnerability in its RV220W wireless network security firewalls. The RV220W vulnerability stems from insufficient input validation of HTTP requests sent to the firewall's Web-based management interface. This could allow remote unauthenticated attackers to send HTTP requests with SQL code in their headers that would bypass the authentication on the targeted devices and give attackers administrative privileges.
HTTP requests with SQL code (Score:3)
HTTP requests with SQL code: what about using prepared statements and parameterized queries?
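The summary describes an authentication bypass caused by SQL in HTTP header values reaching a query built by string concatenation, and the comment above asks why parameterized queries were not used. The following is an added example, not code from the page, from Cisco or from the RV220W firmware: it builds a constructed in-memory user table, parses a constructed HTTP request, and runs the same header value through a concatenating lookup and a parameterized one. The header name `X-Auth-User`, the table schema and the single admin row are assumptions for illustration; the advisory does not say which header or which database the device uses.

```python
import sqlite3
from typing import Callable, Dict, Optional

# Constructed in-memory stand-in for a device's user store. The schema and
# the single admin row are hypothetical; nothing here is Cisco's code.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pwhash TEXT, role TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'sha256:...', 'admin')")
    conn.commit()
    return conn

def parse_headers(raw: bytes) -> Dict[str, str]:
    """Minimal HTTP/1.x header parser; returns lower-cased header names."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:        # skip the request line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def vulnerable_lookup(conn: sqlite3.Connection, user: str) -> Optional[str]:
    """The bug: the header value is pasted into the SQL text, so it can
    rewrite the WHERE clause instead of merely being compared against it."""
    sql = "SELECT role FROM users WHERE name = '" + user + "'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def safe_lookup(conn: sqlite3.Connection, user: str) -> Optional[str]:
    """The fix: a parameterized query. The driver passes the value separately
    from the SQL text, so quotes and OR clauses in it are only characters
    in a name to match, never part of the statement."""
    row = conn.execute("SELECT role FROM users WHERE name = ?", (user,)).fetchone()
    return row[0] if row else None

def authenticate(conn: sqlite3.Connection, raw_request: bytes,
                 lookup: Callable[[sqlite3.Connection, str], Optional[str]]) -> Optional[str]:
    """Returns the role the request would be granted, or None if rejected.
    'X-Auth-User' is an assumed header name used only for this illustration."""
    user = parse_headers(raw_request).get("x-auth-user", "")
    return lookup(conn, user)

if __name__ == "__main__":
    conn = make_db()
    # Constructed request: the header carries an injection payload, not a user name.
    attack = b"GET /admin.cgi HTTP/1.1\r\nHost: firewall\r\nX-Auth-User: ' OR 1=1 --\r\n\r\n"
    print("vulnerable:", authenticate(conn, attack, vulnerable_lookup))   # admin
    print("parameterized:", authenticate(conn, attack, safe_lookup))     # None
```

With the concatenating lookup the statement becomes `SELECT role FROM users WHERE name = '' OR 1=1 --'`, the trailing quote is commented out, and the first row (the admin) is returned without any credential being checked. The parameterized version looks for a user literally named `' OR 1=1 --`, finds nothing and rejects the request. Input validation on the header would only narrow the set of payloads; binding the value is what removes the bug.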
Input validation does not cause SQLi (Score:4, Insightful)
The only cause of SQLi is gross incompetence. It can never be caused by an accident or failure to do something.
It can only be caused by willful and deliberate action to do something you know or should know to be wrong, stupid and dangerous at the time you did it. Unbound query strings don't build themselves.
Re: (Score:1)
> The only cause of SQLi is gross incompetence.
How true.
What perhaps horrifies me more is that the fantasy in our profession can't come up with a decent GUI other than with this browser + web server + SQL database monstrosity; most probably a PHP abomination and a MySQL database (not that a node or django -- and a couch or mongo would make that better) *plus* a big fat chunk of javascript with an embedded, mutilated mutant of jquery or similar.
I'm deeply ashamed of the trade I'm in.
Re: (Score:1)
Another 'Big Name' exposed as lacking quality, too little, too late.
Apple is a 'premium' company, while the 'premium' on this brand's reputation has been outed.
May as well buy cheap Chinese crap because it does the same thing, and probably no worse.
Throw in a few back doors, compromised keys - no corporate automatic sales for you.
Cisco and Blackberry - what will they have in common going forward?
Hey timothy (Score:3)
Why are you the only one posting stories recently? The other two crappy editors who posted dupes haven't been heard from in a while.
Hey timothy, I dare you, post another link to forbes.com.
Re: Hey timothy (Score:1)
No they won't.
Re: (Score:1)
Come on. Show some compassion. People losing their jobs is not something to be so cavalier about, regardless of your opinions of them.
They're still human beings with bills to pay and likely families to support.
Re: (Score:2, Insightful)
Come on. Show some compassion. People losing their jobs is not something to be so cavalier about, regardless of your opinions of them.
Yes, yes it is, because they were shit at their fucking jobs. In a world in which there are so many people homeless, jobless, hopeless, it's fucking pathetic to see people phone in their job like they can't be arsed to give one tenth of one fuck. That's especially true in tech, where more and more workers are losing their jobs even when they do them.
If they were good at their jobs, or even made more than a token effort, then we would miss them. They were shit, and they shit up Slashdot, and if you miss them
Re: (Score:2)
If you want decent hardware with the Cisco name, prepare to spend around $1,000 for an ASA 5500 series, and then another $500+ for an Aironet to get the wireless.
And then you can still expect amateur hour security mistakes, and intentional back doors, because we're talking about Cisco, and that's how they roll. There have been multiple serious holes in IOS.
Links are reversed (Score:3)