Hello, welcome to the Thursday, July 26th, 2018 edition of the Sansonet Storm Center's Stormcast. My name is Johannes Ulrich. And today I'm recording from Jacksonville, Florida.

Ethereum blockchain explorer site EtherScan.io was affected by a cross-site scripting vulnerability earlier today. Cross-side scripting

vulnerabilities, of course, are very common, often underestimated in how they allow full

control over a browser visiting the site. Luckily for EtherScan, the attacker didn't

actually take full advantage of this vulnerability.

The attacker instead just displayed a simple pop-up message alerting the administrators and visitors

of this problem.

When I heard about this initially, I was concerned that maybe EtherScan did display data from the blockchain

without validating it and the result would be the cross-site scripting.

Instead, it turned out that the vulnerability was much simpler.

They used the popular Discus discussion forum on their site and apparently didn't update to the most recent

version which in turn left cross-site scripting vulnerably in Discus active on the site.

Lesson learned, make sure you track all of these components that you're including in your site

and make sure they are all of these components that you're including in your site and make

sure they are adequately patched.

Also with cross-site scripting, be happy if NetHacker does actually just display a simple pop-up.

And a couple of you have asked about the update that was released this week for Apache Tomcat. Well, turns out two vulnerabilities

are being addressed in this update. I didn't cover it earlier because I don't really consider

them all that important. One of them, CVE 2018-1336, is a denial of service vulnerability.

The second one, 2018-8037 is a bug in how connections are closed and could use to the reuse

of user sessions in new connections.

Essentially this would allow an attacker that follows an authenticated user

...