Page 32-Safety Programming Tutorials: Learn Safety Online-php.cn

Article Tags

Safety

Home

Technical articles

Operation and Maintenance

Safety

What is CNNVD's report on Drupal Core remote code execution vulnerabilities?

The National Information Security Vulnerability Database (CNNVD) received reports about DrupalCore remote code execution vulnerabilities (CNNVD-201804-1490, CVE-2018-7602). An attacker who successfully exploited this vulnerability could conduct remote code execution attacks on the target system. Multiple versions of Drupal, including version 7.x and version 8.x, are affected by this vulnerability. Currently, part of the vulnerability verification code for this vulnerability has been made public on the Internet, and Drupal has officially released a patch to fix the vulnerability. It is recommended that users promptly confirm whether they are affected by the vulnerability and take patching measures as soon as possible. 1. Vulnerability introduction Drupal is a set of free and open source software developed in PHP language maintained by the Drupal community.

May 19, 2023 pm 06:55 PM

CNNVDDrupal Core

Example analysis of discovering chat application vulnerabilities in the 'Thomas the Tank Engine' smart toy APP

Background of the Vulnerability Discovery ToyTalk is an artificial intelligence toy startup founded by former Pixar executives. The smart toys they design have visual tracking, voice recognition and network expansion functions, allowing children to communicate with the toys through voice communication and behavioral responses through the APP. Identify and stimulate children's ability to talk to virtual characters, and better realize the fun of interaction with toys. ToyTalk launched a paid APP called "Thomas & Friends Talk To You" in July 2015, which allows children to interact and chat with the famous cartoon character "Thomas the Tank Engine". Children allowed under 8

May 19, 2023 pm 06:31 PM

App

What is Django development method

PART1. Before we start, Django, as a powerful web application framework, has gradually become popular in recent years. More and more Python developers are investing in Django. However, due to the many contents in Django, everyone is still in the early stage When I enter Django, I always feel a little "a little bit overwhelmed" and don't know where to start. Or after a preliminary understanding, I don’t know whether the current approach is elegant, how to organize a project, and how to reuse my own code. PART2. Project structure A good project structure is half the battle. 2.1 Overall structure By default, the project structure generated by Django is roughly like this: With the Applicati in the project

May 19, 2023 pm 05:44 PM

django

What are the basic applications of cacti?

Monitor the local virtual machine linuxconsole->management->devices, click ADD on the right and enter the following content, click create to select the graph template and data template required for monitoring and save them. After saving, click CreateGraphsforthishost to select the image data that needs to be generated. OK, click Create and continue to click CREATE to create the image. Successfully add the device to the tree. Console->management->graphtrees, click DefaultTree, and then click ADD to enter as shown below. Click Create to add the device.

May 19, 2023 pm 05:25 PM

cacti

What code execution vulnerabilities does Apple fix in iOS and iPadOS?

Apple this week fixed multiple critical code execution vulnerabilities affecting its iOS and iPadOS mobile operating systems. The IT giant released iOS 14.3 and iPadOS 14.3, which fixed 11 security vulnerabilities, including code execution vulnerabilities. Attackers can use malicious font files to exploit the most severe vulnerabilities to execute malicious code on Apple iPhones and iPads. The vendor fixed two font parsing vulnerabilities, CVE-2020-27943 and CVE-2020-27944. Apple said in a security advisory that the two vulnerabilities exist in the FontParser component and that there is memory corruption in the function that handles font files. The vulnerability has been fixed by optimizing input validation.

May 19, 2023 pm 04:26 PM

iOSiPadOS

What are the attack methods of Ddos?

The three attack methods of DDoS are: 1. SYN/ACKFlood attack; mainly by sending a large number of SYN or ACK packets with forged source IPs and source ports to the victim host, causing the host's cache resources to be exhausted or busy sending response packets to cause rejection. Serve. 2. TCP full connection attack; it is designed to bypass conventional firewall inspections. 3. Script attack; characterized by establishing a normal TCP connection with the server and constantly submitting queries, lists and other calls that consume a large number of database resources to the script program. The biggest headache for websites is being attacked. Common server attack methods mainly include the following: port penetration, port penetration, password cracking, and DDOS attacks. Among them, DDOS is currently the most powerful and the most

May 19, 2023 pm 04:10 PM

DDoS

How to learn more about ARP protocol

1. MAC definition MAC is called the hardware address, which is the unique identifier of the device in the network, totaling 48 bits. For example, my wireless MAC: 8C-A9-82-96-F7-66 is displayed in the system as a combination of 6 numbers composed of hexadecimal. For example, the first digit of 8C is 8__c and the number of binary digits is 4X2=8 digits and 8X6=48 digits. Extended content: This address is globally unique and there are no duplicate MAC addresses. If duplicate MAC addresses appear in the switching network, there must be a loop. The loop phenomenon will cause the communication to be blocked or not at all. 2. PC communication within LAN (IP and MAC) There is a thing in the world called a computer, and there are LOL and CF on the computer, haha. The IT world is full of

May 19, 2023 pm 03:15 PM

arp

How to use deep linking to backdoor Facebook APP

Recently, the author discovered a deep link vulnerability in the Facebook Android APP. Using this vulnerability, the Facebook Android APP installed on the user's mobile phone can be converted into a backdoor program (Backdoor) to achieve backdooring. In addition, this vulnerability can also be used to repackage the Facebook APP and send it to specific target victims for installation and use. Let’s take a look at the author’s discovery process of this vulnerability, and how to construct it through Payload and finally transform it into a security risk in the actual production environment of Facebook APP. When I usually do public testing when discovering vulnerabilities, I will first carefully understand the application mechanism of the target system. In my last blog, I have shared how to parse Face

May 19, 2023 pm 02:49 PM

AppFacebook

Analysis of switch port security examples

[Experiment name] Port security configuration of the switch [Experiment purpose] Master the port security function of the switch and control users' secure access [Background description] You are the network administrator of a company, and the company requires strict control of the network. In order to prevent IP address conflicts among users within the company, and prevent network attacks and sabotage within the company. Each employee is assigned a fixed IP address, and only company employee hosts are allowed to use the network, and no other hosts are allowed to connect at will. For example: the IP address assigned to an employee is 172.16.1.55/24, the host MAC address is 00-06-1B-DE-13-B4, and the host is connected to a 2126G. [Requirements Analysis] For all ports of the switch, configure

May 19, 2023 pm 01:55 PM

交换机

What is H3C port security technology?

As the Internet becomes increasingly developed today, security is a topic that must be paid attention to. There are many behaviors that threaten switch ports in enterprises, such as unauthorized user hosts randomly connecting to the enterprise network. For example, if employees own their own laptops, they can unplug the network cable of a certain host without the administrator's consent, plug it into the laptop they brought, and then connect it to the corporate network. This will bring great security risks. , it is very likely to cause the loss of confidential information. Another example is installing hubs and other network equipment without consent. In order to increase the number of network terminals, some employees will do so without authorization. Plug devices such as hubs and switches into the office network interface. In this case, the traffic of the switch interface corresponding to this network interface will increase.

May 19, 2023 pm 12:46 PM

h3c

Analysis of IPSec instances based on GRE

IPSecoverGRE

May 19, 2023 pm 12:40 PM

ipsecgre

How is the small test of xss carried out?

There are no security restrictions, just use alert(/xss/); Restrictions: Only CSS can be used, html tags are not allowed. We know that expression can be used to construct XSS, but it can only be tested under IE, so the following test Please execute in IE6. body{black;xss:alert(/xss/));/*Tested under IE6*/}Restrictions: HTML is escaped and the Image tag is available. The characters input by the test will be inserted into the src address, so you can use a pseudo protocol to bypass it. Directly enter alert(/xss/); or you can use events to bypass it. Just pay attention to the closing statement, as follows: 1&quo

May 19, 2023 am 11:37 AM

xss

Example analysis of bash vulnerability recurrence

BourneAgainShell (BASH for short) is the most popular SHELL implementation on GNU/Linux. It was born in 1980. After decades of evolution, it has evolved from a simple terminal command line interpreter into a multi-functional interface deeply integrated with the GNU system. . Bash, a type of Unix shell. The first official version was released in 1989. It was originally planned to be used on the GNU operating system, but it can run on most Unix-like operating systems, including Linux and MacOSXv10.4, which use it as the default shell. It has also been ported to Cygwin and MinGW on Microsoft Windows, or can be used on MS-

May 19, 2023 am 11:13 AM

Bash

How zabbix monitors traceroute data

1. Zabbixserver and proxy install the mtrmtr script and place it in the following path of zabbixserver and proxy: execute chownzabbix:zabbixmtrtrace.shzabbix to create the mtrtrace template: 5. Associate the host to the template and observe the data in zabbix: [monitoring]-[latestdata]:

May 19, 2023 am 11:10 AM

zabbixtraceroute