熱帶雨林 (Tropical Rainforest) – S.H.E – 青春株式會社 (Youth Co., Ltd.): a soft and gentle Chinese song

In high school I first heard this song from a classmate and loved it beyond measure. Now many years have passed; the scenery is the same but the people have changed, so I made a video to console myself and to commemorate the youth that once was. "Tropical Rainforest" uses a soft, gentle melody that easily brings back the past, and sad yet moving lyrics that readily strike a chord with listeners. Through the seamless harmony of the three singers, the song expresses the feeling of adolescent boys and girls trapped in love, as if in a dream, lost in a tropical rainforest.

Music
Album: 青春株式會社 (Youth Co., Ltd.)
Original artists: S.H.E – 任家萱 (Selina), 田馥甄 (Hebe), 陳嘉樺 (Ella)
Lyrics: 方文山 (Vincent Fang)
Music: 周傑倫 (Jay Chou)

 

 

Lyrics
A cold front passes through; memories freeze into ice
Everything I gave gets no reply
Regret is like an unending range of hills
Pain descends from every direction
Sorrow invades
The vows have gone missing; I can't find those days I once loved
You are like a vulture circling above the loneliness
Gnawing my longing for you down to nothing
Moonlight sways the shadows of the trees, weaving through the tropical rainforest
The reason you left, you never explained
Your lies were a trap; only at the end did I wake up
Happiness is just a reflection in the water
Moonlight sways the shadows of the trees, weaving through the tropical rainforest
The rain of sorrow won't stop; I'm covered in blood
My wretched love, sunk deep in the swamp
Is a heartbreak I am powerless against
Sorrow invades; the vows have gone missing
I can't find those days I once loved
You are like a vulture circling above the loneliness
Gnawing my longing for you down to nothing
Moonlight sways the shadows of the trees, weaving through the tropical rainforest
The reason you left, you never explained
Your lies were a trap; only at the end did I wake up
Happiness is just a reflection in the water
Moonlight sways the shadows of the trees, weaving through the tropical rainforest
The rain of sorrow won't stop; I'm covered in blood
My wretched love, sunk deep in the swamp
Is a heartbreak I am powerless against

 

 

 

Produced by: 谷雨 (Essayjeans) @justqdjing
Images: from the web
http://www.tetraph.com/blog/essayjeans/

Video: https://www.youtube.com/watch?v=VNi6oIf_u3Y
Lyrics link: http://essayjeans.blog.163.com/blog/static/23717307420155744626301/
Twitter: https://twitter.com/essayjeans/status/607468881662214144
Lofter: http://aibiyi.lofter.com/post/1cc9f4e9_735dd83
Tumblr: http://canghaixiao.tumblr.com/post/120922254507
Google+: https://plus.google.com/u/0/+essayjeans/posts/HrzASc1VcG6
Facebook: https://www.facebook.com/essayjeans/posts/840142132743607

 

 

 

SITEFACT CMS XSS (Cross-site Scripting) Web Security Vulnerabilities


 

Exploit Title: SITEFACT CMS content.php? &id Parameter XSS Security Vulnerabilities

Product: SITEFACT CMS (Content Management System)

Vendor: SITEFACT

Vulnerable Versions: version 2.01

Tested Version: version 2.01

Advisory Publication: May 24, 2015

Latest Update: May 24, 2015

Vulnerability Type: Cross-Site Scripting [CWE-79]

CVE Reference: *

Impact CVSS Severity (version 2.0):

CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N)

Impact Subscore: 2.9

Exploitability Subscore: 8.6

CVSS Version 2 Metrics:

Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism

Access Complexity: Medium

Authentication: Not required to exploit

Impact Type: Allows unauthorized modification

Writer and Reporter: Wang Jing [School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore] (@justqdjing)

 

 

 

Recommendation Details:

 

(1) Vendor & Product Description:

Vendor:

SITEFACT

 

Product & Vulnerable Versions:

SITEFACT

version 2.01

 

Vendor URL & Download:

The product can be obtained from here:

http://www.sitefact.de/index.cfm?resid=1&res=1024&sid=2&skt=2279

 

Google Dork:

“Powered by SITEFACT"

 

Product Introduction Overview:

“Publish your content on the Internet without any prior knowledge. Numerous integrated tools are available. Images, documents and movies can be provided with a click. We present you individually and professionally according to your CI and your wishes. Via a layout interface the design can be changed at any time, or of course your own layout can be integrated. Our content management system is designed for search engine indexing. You can easily optimize your website for search engines like Google, Bing, Yahoo, …”

“Since we run our own web server, you do not need a provider and do not need to install anything. Updates are performed automatically and for free. All you need is a PC with Internet access. SITE FACT is a proprietary development of Arvenia GmbH. Therefore, we can always realize your individual wishes and integrate them into SITE FACT. If you need our assistance, please contact our free support, with a personal contact and a landline number during the entire runtime.”

 

 

 

(2) Vulnerability Details:

The SITEFACT web application has a security flaw: it is vulnerable to XSS attacks. A remote attacker could create a specially crafted request that executes arbitrary script code in a user’s browser session, within the trust relationship between that browser and the server.

Several similar 0-day vulnerabilities in other products have been found by other researchers before, and SITEFACT has patched some of them. The Full Disclosure mailing list is a public forum for detailed discussion of vulnerabilities and exploitation techniques, as well as tools, papers, news and events of interest to the community. FD differs from other security lists in its open nature and its support for researchers’ right to decide how to disclose the bugs they discover. The full disclosure movement has been credited with forcing vendors to secure their products better and to publicly acknowledge and fix flaws rather than hide them. Vendor legal intimidation and censorship attempts are not tolerated there. The list also publishes suggestions, advisories and solution details related to XSS vulnerabilities, as well as cyber intelligence recommendations.

 

(2.1) The first programming flaw occurs at the “/index.cfm?” page with the “&res”, “&skt” and “&pid” parameters.

 

(2.2) The second programming flaw occurs at the login domain’s “/index.cfm?” page with the “&sid” parameter.

 

 

 

 

 

References:

http://www.tetraph.com/security/xss-vulnerability/sitefact-cms-xss/

http://securityrelated.blogspot.com/2015/05/sitefact-cms-xss.html

http://www.inzeed.com/kaleidoscope/computer-security/sitefact-cms-xss/

http://www.diebiyi.com/articles/security/sitefact-cms-xss/

https://itswift.wordpress.com/2015/05/24/sitefact-cms-xss/

https://www.facebook.com/pcwebsecurities/posts/695045367308050

https://www.mail-archive.com/fulldisclosure%40seclists.org/msg02031.html

http://computerobsess.blogspot.com/2015/05/sitefact-cms-xss.html

https://webtechwire.wordpress.com/2015/05/24/sitefact-cms-xss/

http://whitehatpost.blog.163.com/blog/static/242232054201542474057982/

http://cxsecurity.com/issue/WLB-2015030073

http://seclists.org/fulldisclosure/2015/Mar/2

https://www.facebook.com/tetraph/posts/1655170311369595

https://www.bugscan.net/#!/x/21256

http://permalink.gmane.org/gmane.comp.security.oss.general/16882

http://lists.openwall.net/full-disclosure/2015/05/08/7

http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1958


About Group: over 99.88% of links vulnerable to XSS and XFS attacks

The About Group website has a serious network security problem: it is vulnerable to XSS (cross-site scripting) and XFS (cross-frame scripting). For its nearly one billion monthly visitors this is catastrophic and devastating.

 

According to the POC video released by the vulnerability researcher, all About.com topics (subdomains) can be exploited by attackers.

 

Wang Jing (王晶) of the Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore, published this serious security vulnerability. Wang Jing states that he reported it to About Group on October 19, 2014, but has received no reply to date. The vulnerability was published on February 2, 2015. “As of now, the vulnerability has not been fixed,” Wang Jing said.

 

At the same time, Wang Jing disclosed that the search field on the About.com main page is also vulnerable to XSS. In addition, he published several Open Redirect vulnerabilities on About.com. Wang says his tests were carried out on IE (10.0.9200.16750) and Mozilla Firefox (34.0) on Windows 8, Google Chromium 39.0.2171.65-0 on Ubuntu (14.04), and Apple Safari 6.1.6 on Mac OS X Lion 10.7.

 

XSS (Cross-site Scripting) can be used to steal user information, control the user’s browser and carry out DoS (Denial of Service) attacks. XFS (Cross-frame Scripting), also called iFrame Injection, can modify the content of the page in the user’s browser.

 

When publishing the vulnerabilities, Wang Jing also explained that, because About Group is so widely used, its vulnerabilities could be used for Covert Redirect attacks against other websites, while XFS could be used for DDoS (Distributed Denial of Service) attacks against computers and networks. These vulnerabilities were published on the well-known Full-Disclosure list and on his personal blog.

 

Wang Jing is a student security researcher. He has published important vulnerabilities in the websites of many companies, including Google, Facebook, Amazon, Alibaba, eBay and LinkedIn, as well as patches for a large number of web applications.
 

 
 
 

Related news:
http://www.zdnet.com/article/over-99-percent-of-about-com-links-vulnerable-to-xss-xfs-iframe-attack/
http://www.securityweek.com/xss-xfs-open-redirect-vulnerabilities-found-aboutcom
http://securityaffairs.co/wordpress/33070/hacking/com-affected-xss-xfs-open-redirect-vulnerabilities-since-october-2014.html
http://packetstormsecurity.com/files/130211/About.com-Cross-Site-Scripting.html
http://www.zoomit.ir/it-news/security/17394-about-com-links-vulnerable-to-xss-xfs
http://itsecurity.lofter.com/post/1cfbf9e7_6f05a63
http://tetraph.com/covert_redirect/oauth2_openid_covert_redirect.html
http://securitypost.tumblr.com/post/118837857592/about-group-99-88-xss-xfs-about
http://www.inzeed.com/kaleidoscope/computer-security/about-group-xss-xfs/
https://www.secnews.gr/99percent-about-xss-xfs-attack-exploit
http://www.decomoadesinstalar.com/abrir-codigo-iframe-xss-xfs-ataque-mas-del-99-por
http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1547
http://www.40kalagh.net/about-grope-xss-and-xfs
http://blog.norsecorp.com/2015/02/03/about-com-platform-rife-with-xss-and-iframe-injection-vulnerabilities/

A collection of Spring Festival couplets for the Year of the Goat 2015 – from the Horse (午) to the Goat (未)

First line: The horse gallops ten thousand li. Second line: The goat loves a thousand hills.

First line: Goats fat and horses strong. Second line: Nation rich and people prosperous.

First line: At the cloud’s edge the geese vanish. Second line: On the ridge the goats return.

First line: A new year begins. Second line: All things are renewed.

First line: Resources flourish. Second line: Long life and bountiful years.

First line: The four seas glow with color. Second line: The five lakes show auspicious signs.

First line: Rivers and mountains never age. Second line: The divine land is forever in spring.

First line: A hundred flowers bloom together. Second line: Ten thousand trees vie to flourish.

First line: Raise your head and see joy. Second line: Take a step and raise a wind.

First line: The five metals bring brisk trade. Second line: All things return to spring.

First line: Nation strong, people rich. Second line: Government effective, people in harmony.

First line: People cheer and horses neigh. Second line: Spring is mild and the scenery bright.

First line: The whole nation at peace. Second line: All the people united.

First line: Spring swallows clip the willows. Second line: Magpies alight on the plum.

First line: The Party thrives and the army prospers. Second line: Laws are strict and governance clear.

First line: Ruler and people bound by duty. Second line: Fish and water deep in affection.

First line: The nation flourishes. Second line: The people are safe and well.

First line: The sea is wide for fish to leap. Second line: The sky is high for birds to fly.

First line: The swan achieves its aspirations. Second line: Peach and plum vie for spring.

First line: The six livestock thrive. Second line: The five grains yield abundantly.

First line: The Big Dipper shines bright and a phoenix rises from the spring terrace. Second line: The southern sea is vast and the roc soars on a whirlwind.

First line: Green grass and white goats, a picture of spring. Second line: Golden spears and iron horses, a journey of ten thousand li.

First line: Lucky deer and auspicious goat, the three beginnings open in peace. Second line: Under the skies of Yao and the sun of Shun, all things are renewed.

First line: Only at the festival does one know the warmth of the red sun. Second line: Passing through sunny spring, one feels the Party’s kindness all the more.

First line: In setting your aims, gallop with the courage of a tiger. Second line: In seeking knowledge, fear not the winding goat-gut path as you soar.

First line: Green grass like a carpet, goats brimming with auspicious air. Second line: Red peach blossoms like fire, monkeys bathed in spring breeze.

First line: Timely rain and spring breeze, the five goats offer grain. Second line: Under the skies of Yao and the sun of Shun, a hundred phoenixes face the sun.

First line: Seeing off the Horse year, spring blossoms melt the white snow. Second line: Welcoming the Goat year, magpies bustle among the red plums.

First line: All things renewed, mountains green and waters clear. Second line: The five goats bring good fortune, the sun bright and spring splendid.

First line: Vitality everywhere, sunny spring reflects the sun. Second line: The whole sky glows with color, noble spirit rises to the clouds.

First line: Promote integrity and fight corruption, a clean breeze in both sleeves. Second line: Know shame and understand honor, righteousness filling the chest.

First line: Spring fills the world and a hundred flowers bloom. Second line: Fortune comes to the small courtyard, peaceful in all four seasons.

First line: The festival welcomes spring and spring brings smiling faces. Second line: The harvest brings good news and joy rises to the brows.

First line: Bid farewell to the old year and cast off old habits. Second line: Welcome the new spring and draw a new blueprint.

First line: Develop the situation of stability and unity. Second line: Complete the task of economic adjustment.

First line: On a splendid road ahead, a thousand sails race. Second line: On the road of the Long March, ten thousand horses gallop.

First line: Lofty ambition reaches the clouds, red hearts turn to the Party. Second line: Spring breeze brings warmth, auspicious air fills the door.

First line: The army loves the people and works with one heart for the Four Modernizations. Second line: The people support the army and stand shoulder to shoulder to defend the nation.

First line: Five-foot rifle in hand, ready in battle array. Second line: The Four Modernizations at heart, united wills form a fortress.

First line: Face the world and seek advice with an open mind. Second line: Keep feet on the ground and advance step by step.

First line: All things renewed, spirits refreshed. Second line: A hundred flowers bloom, spring fills the world.

First line: Attentive service satisfies the masses. Second line: A kind manner pleases the customers.

First line: Myriad purples and reds, a hundred flowers vie in beauty. Second line: Five lakes and four seas share one spring.

First line: In the springtime of science a hundred flowers bloom. Second line: The world’s fine scenery, the grand plan of the Four Modernizations.

First line: Strengthen the socialist legal system. Second line: Uphold the people’s democratic dictatorship.

First line: Stability and unity add joy to the four seas. Second line: Satisfying policies, five tigers meet spring.

First line: Select the worthy and appoint the able, promoting on merit alone. Second line: Strive for good governance, revival in sight.

First line: Cooking smoke curls up, every home busy with the New Year meal. Second line: A fresh breeze blows in gusts, joy in the new spring everywhere.

First line: Spring returns to the earth, the situation all good. Second line: Fragrance drifts across the divine land, scenery endlessly new.

Classical poems for the New Year – Happy New Year, wishing you prosperity

田家元日 (New Year’s Day at a Farmhouse)
孟浩然 (Meng Haoran), Tang
Last night the Dipper turned back north; this morning the year rises in the east.
My years have reached their prime; with no official salary I still worry over the farming.
In the mulberry fields I join the ploughmen; hoe on shoulder I follow the herd boys.
The farm folk read the weather, and all say this year will be bountiful.

《賣癡呆詞》 (Song of Selling Foolishness)
範成大 (Fan Chengda), Tang
On New Year’s Eve, late into the night, no one sleeps; to ward off dullness as the new year presses near,
children run shouting down the long street, crying that they have foolishness to sell.

《除夜》 (New Year’s Eve)
來鵠 (Lai Hu), Tang
All that touched joy and sorrow has come to nothing; longing across ten thousand li in a single night.
Grieving until the dawn cock’s crow dies away, I shall meet the spring wind haggard once more.

元日 (New Year’s Day)
王安石 (Wang Anshi), Song
Amid the crackle of firecrackers the old year departs; the spring breeze brings warmth into the tusu wine.
On a thousand doors and ten thousand households the sun rises bright; always the new peachwood charms replace the old.

元日 玉樓春 (New Year’s Day, to the tune Yu Lou Chun)
毛滂 (Mao Pang), Song
A whole year has dripped away in the lotus water-clock; in the jade-green well the tusu wine sinks, chilled.
The dawn chill still nips and bullies; spring’s slender grace comes first to the willows.
The fair one urges again a thousand toasts to long life; cypress leaves and pepper blossoms perfume her green sleeves.
Deep in the land of drunkenness few know me; only with the Lord of the East am I an old friend.

除夜 (New Year’s Eve)
文天祥 (Wen Tianxiang), Southern Song
Heaven and earth are empty and desolate; the years march grandly away.
At the road’s end I am startled by wind and rain; on the remote frontier I have had my fill of snow and frost.
My life, like the year, is nearly spent; my body and the world forget each other.
No more dreams of tusu wine; I trim the lamp, and the night is not yet over.

拜年 (New Year Calls)
文征明 (Wen Zhengming), Ming
Not seeking to meet face to face, only sending in cards; by morning name-cards fill my humble hut.
I too, following the others, send out a few; the ways of the world disdain curtness but not emptiness.

己酉新正 (New Year’s Day of the Jiyou Year)
葉颙 (Ye Yong), Ming
Wind and frost are gone from heaven and earth; the mood of the cosmos is mild.
The calendar adds new years and months; spring fills the old hills and rivers.
Plum and willow are slow to show their fragrant faces; pine and bamboo show much of old age.
Tusu wine drunk to tipsiness; laughing in my nest among the white clouds.

癸巳除夕偶成 (Composed on New Year’s Eve of the Guisi Year)
黃景仁 (Huang Jingren), Qing
Laughter from a thousand homes as the water-clock drips slow; sorrows and cares, sensed quietly from beyond the world of things.
I stand silent on the market bridge, unrecognized; a lone star, bright as the moon, I watch for a long while.

鳳城新年辭 (New Year Verses from the Phoenix City)
查慎行 (Zha Shenxing), Qing
Deftly cut pennant charms to try new patterns; painted colors and traced gold make the festive moths.
From now the scissors rest for a month; the boudoir’s needlework was all done before the year’s end.

甲午元旦 (New Year’s Day of the Jiawu Year)
孔尚任 (Kong Shangren), Qing
Sparse white hair no longer covers my crown; keeping vigil round the stove, I give up sleep entirely.
Trimming the candle I hurry down the night-watch wine; emptying my purse I hand out New Year money to all.
Hearing the firecrackers burst, a child’s heart lingers; watching the peachwood charms replaced, an old man’s zest grows.
Drums and horns add one more tune of “Plum Blossom”; at the fifth watch, laughing, we greet the new year.

CVE-2014-9559 SnipSnap XSS (Cross-Site Scripting) Security Vulnerabilities

Exploit Title: SnipSnap /snipsnap-search? query Parameter XSS
Product: SnipSnap
Vulnerable Versions: 0.5.2a 1.0b1 1.0b2
Tested Version: 0.5.2a 1.0b1 1.0b2
Advisory Publication: Jan 30, 2015
Latest Update: Jan 30, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2014-9559
CVSS Severity (version 2.0):
CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)
Impact Subscore: 2.9
Exploitability Subscore: 8.6
Credit: Wang Jing [MAS, Nanyang Technological University (NTU), Singapore]

 

 

Advisory Details:

 

(1) Vendor & Product Description
Vendor:
SnipSnap
Product & Version:
SnipSnap
0.5.2a
1.0b1
1.0b2
Vendor URL & Download:
Product Description:
“SnipSnap is a user friendly content management system with features such as wiki and weblog.”

 

(2) Vulnerability Details:
SnipSnap has a security problem: it is vulnerable to XSS attacks.
(2.1) The vulnerability occurs at the “snipsnap-search?” page with the “query” parameter.

 

 


References:

CVE-2014-8490 TennisConnect COMPONENTS System XSS (Cross-Site Scripting) Security Vulnerability


 

Exploit Title: TennisConnect “TennisConnect COMPONENTS System” /index.cfm pid Parameter XSS

Product: TennisConnect COMPONENTS System

Vendor: TennisConnect

Vulnerable Versions: 9.927

Tested Version: 9.927

Advisory Publication: Nov 18, 2014

Latest Update: Nov 18, 2014

Vulnerability Type: Cross-Site Scripting [CWE-79]

CVE Reference: CVE-2014-8490

CVSS Severity (version 2.0):

CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)

Impact Subscore: 2.9

Exploitability Subscore: 8.6

Credit: Wang Jing [CCRG, Nanyang Technological University, Singapore]

 

 

Advisory Details:

 

(1) Vendor URL:

http://www.tennisconnect.com/products.cfm#Components

 

Product Description:

TennisConnect COMPONENTS

* Contact Manager (online player database)

* Interactive Calendar including online enrollment

* League & Ladder Management through Tencap Tennis

* Group Email (including distribution lists, player reports, unlimited sending volume and frequency)

* Multi-Administrator / security system with Page Groups

* Member Administration

* MobileBuilder

* Online Tennis Court Scheduler

* Player Matching (Find-a-Game)

* Web Site Builder (hosted web site and editing tools at www. your domain name .com)

 

 

(2) Vulnerability Details:

The TennisConnect COMPONENTS System has a security problem: it is vulnerable to XSS attacks.

(2.1) The vulnerability occurs at the “/index.cfm?” page with the “&pid” parameter.
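The SITEFACT (2.1, 2.2), SnipSnap and TennisConnect findings above all share one flaw class: a GET parameter reflected into the page without output encoding. As an added example (not code from any of these advisories or vendors), the Python below shows that reflection beside its encoded form, and a check that flags access-log requests whose named parameters carry markup. The page/parameter table and the log lines are constructed for illustration from the parameter names the advisories list.

```python
import html
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Pages and parameters named in the advisories (SITEFACT and TennisConnect
# index.cfm parameters, SnipSnap search query). Table constructed for illustration.
WATCHED = {
    "/index.cfm": {"res", "skt", "pid", "sid"},
    "/snipsnap-search": {"query"},
}

# Characters that have no business in id/search parameters that get reflected.
MARKUP = re.compile(r'[<>"\']|javascript:', re.IGNORECASE)

# Constructed sample access-log lines (Apache combined format), not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [24/May/2015:10:00:01 +0000] "GET /index.cfm?resid=1&res=1024&sid=2&skt=2279 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [24/May/2015:10:00:07 +0000] "GET /index.cfm?res=1024&pid=%3Cb%3Ex%3C%2Fb%3E HTTP/1.1" 200 5211',
    '198.51.100.2 - - [30/Jan/2015:09:12:44 +0000] "GET /snipsnap-search?query=wiki+notes HTTP/1.1" 200 3300',
]


def render_unsafe(value: str) -> str:
    """Reflects the parameter verbatim into HTML: the flaw class the advisories describe."""
    return f"<p>Result for: {value}</p>"


def render_safe(value: str) -> str:
    """Same reflection, with HTML entity encoding applied at output time."""
    return f"<p>Result for: {html.escape(value, quote=True)}</p>"


def suspicious_requests(log_lines):
    """Return (path, param, decoded value) for requests whose watched parameter carries markup."""
    hits = []
    for line in log_lines:
        m = re.search(r'"(?:GET|POST) (\S+) HTTP/', line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        watched = WATCHED.get(url.path)
        if not watched:
            continue
        # parse_qs already percent-decodes once; decoding again catches double-encoded values.
        for name, values in parse_qs(url.query, keep_blank_values=True).items():
            if name not in watched:
                continue
            for v in values:
                decoded = unquote_plus(v)
                if MARKUP.search(decoded):
                    hits.append((url.path, name, decoded))
    return hits
```

Running `suspicious_requests(SAMPLE_LOG)` flags only the second constructed line, whose pid value decodes to a tag; the vendor's own demo URL and the plain search pass clean.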

 

 

 

 


References:

http://packetstormsecurity.com/files/129662/TennisConnect-9.927-Cross-Site-Scripting.html

http://tetraph.com/security/cves/cve-2014-8490-tennisconnect-components-system-xss-cross-site-scripting-security-vulnerability/

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8490

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8490

http://www.osvdb.org/show/osvdb/116149

http://cve.scap.org.cn/CVE-2014-8490.html

http://en.hackdig.com/?11701.htm

http://itsecurity.lofter.com/

http://seclists.org/fulldisclosure/2014/Dec/83

http://securitypost.tumblr.com/

http://computerobsess.blogspot.com/2015/02/cve-2014-8490-tennisconnect-components.html

http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/xss-vulnerability/cve-2014-8490-tennisconnect-components-system-xss-cross-site-scripting-security-vulnerability/

http://whitehatpost.blog.163.com/blog/static/2422320542015110102316210/#

http://tetraph.blogspot.com/2015/02/cve-2014-8490-tennisconnect-components.html

http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1352