A few days ago a critical zero-day vulnerability was found in Joomla that affects all versions (1.5, 2.5 and 3.x). It allows an attacker to achieve remote code execution (RCE) on any site running Joomla and, as a result, to take complete control of the site. The attack is possible because of insufficient filtering of values taken from the HTTP request (the HTTP_USER_AGENT, HTTP_X_FORWARDED_FOR and REMOTE_ADDR fields), which are subsequently stored in the session object and used in a database query.
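The report above names three request fields that Joomla copies into its serialized session. The only real fix is the vendor patch, but while it is being rolled out a practitioner can at least refuse requests in which those fields carry a serialized PHP object (the `O:<len>:"<Class>":<n>:{...}` shape that `unserialize()` turns back into an object), and scan the access log for earlier attempts. The block below is an added example, not Joomla code and not from the original post; the log lines and request array are constructed, and the choice of fields to watch is taken from the text.

```php
<?php
declare(strict_types=1);

// A serialized PHP object (or Serializable class, "C:") starts like
//   O:8:"stdClass":1:{ ... }
// and has no business in a User-Agent or X-Forwarded-For value. Optional
// backslashes before the quotes are accepted so the same pattern also matches
// Apache-escaped log lines (Apache writes \" inside quoted fields).
const SERIALIZED_OBJECT_RE = '/\b[OC]:\d+:\\\\?"[\w\\\\]+\\\\?":\d+:\{/';

// Request fields named in the report. Assumption: these three are the ones
// copied into the session; this check is a stop-gap, not a replacement for patching.
const WATCHED_FIELDS = ['HTTP_USER_AGENT', 'HTTP_X_FORWARDED_FOR', 'REMOTE_ADDR'];

function hasSerializedObject(string $value): bool
{
    return preg_match(SERIALIZED_OBJECT_RE, $value) === 1;
}

/** Names of watched fields in a $_SERVER-like array that carry a serialized object. */
function suspiciousFields(array $server): array
{
    $hits = [];
    foreach (WATCHED_FIELDS as $field) {
        if (isset($server[$field]) && hasSerializedObject((string) $server[$field])) {
            $hits[] = $field;
        }
    }
    return $hits;
}

/**
 * Scans Apache "combined" log lines and returns [client_ip, user_agent] pairs
 * whose User-Agent contains a serialized object. Lines that do not parse are skipped.
 */
function scanAccessLog(array $lines): array
{
    // combined format: ip ident user [date] "request" status bytes "referer" "user-agent"
    $lineRe = '/^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "[^"]*" "(.*)"$/';
    $hits = [];
    foreach ($lines as $line) {
        if (preg_match($lineRe, $line, $m) !== 1) {
            continue;
        }
        if (hasSerializedObject($m[2])) {
            $hits[] = [$m[1], $m[2]];
        }
    }
    return $hits;
}

// Constructed sample data (not real traffic, not the real exploit payload).
$sampleRequest = [
    'REMOTE_ADDR'          => '198.51.100.7',
    'HTTP_X_FORWARDED_FOR' => '10.0.0.1',
    'HTTP_USER_AGENT'      => 'O:8:"stdClass":1:{s:3:"foo";s:3:"bar";}',
];
$sampleLogLines = [
    '203.0.113.5 - - [14/Dec/2015:09:12:01 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/42.0"',
    '198.51.100.7 - - [14/Dec/2015:09:12:09 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "O:8:\"stdClass\":1:{s:3:\"foo\";s:3:\"bar\";}"',
];

if (PHP_SAPI === 'cli') {
    // Offline demonstration: the request hits on HTTP_USER_AGENT, the log scan
    // flags only the second line.
    print_r(suspiciousFields($sampleRequest));
    print_r(scanAccessLog($sampleLogLines));
} elseif (suspiciousFields($_SERVER) !== []) {
    // As a front-controller guard (e.g. required before Joomla's index.php):
    // reject the request before anything is written to the session.
    http_response_code(400);
    exit;
}
```

Used as a guard, the check must run before Joomla touches the session, otherwise the value is already stored. It catches the naive form of the payload only; it does not replace the update, and it says nothing about sessions that were poisoned before the check was put in place, which is what the log scan is for.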
Last year the CentAlt repository, which carried a lot of useful packages for servers running CentOS 5 and 6, was closed. Much of what it had is out of date by now, but some of it is still genuinely needed. There are several mirrors on the net, but their packages have not been updated since CentAlt closed.
We have created our own mirror, slightly extended and updated. The repository address is http://repo.webpatron.net/Centos/. For CentOS 5 it provides php 5.2.17, apache 2.2.27 with mpm-itk and mod_rpaf support, and more. For CentOS 6: php 5.3.29, apache 2.2.29 with mpm-itk and mod_rpaf support, mariadb, mysql 5.5.37 and a number of other essential packages.
Mozilla, the developer of the Firefox browser, has announced in its blog that it will phase out support for sites that do not use the secure HTTPS protocol. In the first stage, new browser features, as well as existing features the browser developers consider dangerous, will stop working on non-secure sites.
Recall that Google made a similar statement earlier, adding that sites using HTTPS will be ranked higher in search results than non-secure sites.
The reason is that plain HTTP is outdated from a security standpoint: everything transmitted between the user and the site can easily be intercepted and read by third parties.
Thus the global giants have decided to gradually move the entire Internet to the secure HTTPS protocol. So it is quite possible that in the near future, when opening a site in your favourite browser, you will see a warning that the site is not secure.
A critical vulnerability has been found in Magento, the e-commerce platform on which a huge number of online stores run. It allows an attacker to execute arbitrary PHP code on the server and gain full access to the store's data, including customers' credit card information. The attack can be carried out without authentication. The problem is in the Magento core and is exposed in the default configuration. It was identified in February and has already been fixed in the SUPEE-5344 update, but under a non-disclosure agreement the vulnerability was made public only now.
On April 20, 2015 a critical vulnerability was published that allows an XSS attack on a website; a huge number of WordPress plugins are affected.
The vulnerability is caused by plugin developers misusing the add_query_arg and remove_query_arg functions. These functions were poorly documented in the WordPress documentation: developers assumed that the URL they return is already safe to print into HTML, while in fact it is built from the current request URI and is not escaped, which made the attack possible.
Sucuri's specialists tested about 300 of the most popular WordPress plugins and confirmed that many of them are affected. We will publish the list below. The developers of these plugins have already released updates that close the vulnerability. However, we note that this list is not complete; there are clearly many more vulnerable plugins that simply have not been tested yet.
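To make the misuse concrete, the block below is an added example (not code from the original post, from WordPress or from Sucuri). The two `_stub` functions are stand-ins that reproduce only the behaviour that matters here: like the real `add_query_arg()`, the stub falls back to `$_SERVER['REQUEST_URI']` when no URL is given and copies the path part of it through untouched, rebuilding only the query string; like the real `esc_url()`, the stub removes characters that are not valid in a URL (which includes the quote and angle brackets needed to break out of an `href`) and entity-encodes `&` and `'` for HTML output. The attacker request URI is constructed. In a real plugin the fix is the same shape: wrap the call in `esc_url()` before echoing it.

```php
<?php
declare(strict_types=1);

/** Stand-in for add_query_arg($args): no escaping, path of the request URI kept as-is. */
function add_query_arg_stub(array $args): string
{
    // Assumption: REQUEST_URI is the raw path exactly as the client sent it.
    $url = $_SERVER['REQUEST_URI'] ?? '/';
    [$path, $queryString] = array_pad(explode('?', $url, 2), 2, '');
    parse_str($queryString, $query);
    foreach ($args as $key => $value) {
        $query[$key] = $value;
    }
    return $path . ($query ? '?' . http_build_query($query) : '');
}

/** Stand-in for esc_url($url) in its default (display) context. */
function esc_url_stub(string $url): string
{
    // Same character whitelist esc_url() applies; everything else is dropped,
    // so " < > cannot survive into the attribute.
    $url = preg_replace('|[^a-z0-9-~+_.?#=!&;,/:%@$\|*\'()\[\]\x80-\xff]|i', '', $url);
    return str_replace(['&', "'"], ['&#038;', '&#039;'], $url);
}

/** Vulnerable pattern: the add_query_arg() result goes straight into an attribute. */
function settings_link_unescaped(): string
{
    return '<a href="' . add_query_arg_stub(['tab' => 'settings']) . '">Settings</a>';
}

/** Fixed pattern: the same call, escaped for output with esc_url(). */
function settings_link_escaped(): string
{
    return '<a href="' . esc_url_stub(add_query_arg_stub(['tab' => 'settings'])) . '">Settings</a>';
}

// Constructed attacker request: the injection sits in the *path*, which the
// function copies through untouched; only the query string is re-encoded.
$_SERVER['REQUEST_URI'] = '/wp-admin/admin.php/"><script>alert(1)</script>/?page=myplugin';

echo settings_link_unescaped(), "\n";
echo settings_link_escaped(), "\n";
```

In the first line printed, the `">` from the path closes the `href` attribute and the `<script>` element lands in the page as markup; in the second, the quote and angle brackets are gone from the URL and the `&` separating the query parameters is entity-encoded, so the output stays inside the attribute. Note that URL-encoding the query parameters, which `add_query_arg()` does do, never protected the path component; that is why the documentation was misleading.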