Advisories
In addition to penetration tests, RedTeam engages in IT security research. The results are published as advisories on this website and on relevant mailing lists. Penetration tests can also uncover vulnerabilities that are of interest to the public. After consultation with the customer, these are published as well, provided that doing so does not put the customer's security at risk.
A list of all published security advisories, mostly in English, can be found here:
- rt-sa-2010-003: Geo++(R) GNCASTER: Faulty implementation of HTTP Digest Authentication (plaintext version)
- rt-sa-2010-002: Geo++(R) GNCASTER: Insecure handling of NMEA-data (plaintext version)
- rt-sa-2010-001: Geo++(R) GNCASTER: Insecure handling of long URLs (plaintext version)
- rt-sa-2009-005: Papoo CMS: Authenticated Arbitrary Code Execution (plaintext version)
- rt-sa-2009-004: IceWarp WebMail Server: Client-Side Specification of "Forgot Password" eMail Content (plaintext version)
- rt-sa-2009-003: IceWarp WebMail Server: SQL Injection in Groupware Component (plaintext version)
- rt-sa-2009-002: IceWarp WebMail Server: User-assisted Cross Site Scripting in RSS Feed Reader (plaintext version)
- rt-sa-2009-001: IceWarp WebMail Server: Cross Site Scripting in Email View (plaintext version)
- rt-sa-2008-002: SQL-Injections in Mapbender (plaintext version)
- rt-sa-2008-001: Remote Command Execution in Mapbender (plaintext version)
- rt-sa-2007-007: ActiveWeb Contentserver CMS Editor Permission Settings Problem (plaintext version)
- rt-sa-2007-006: ActiveWeb Contentserver CMS Clientside Filtering of Page Editor Content (plaintext version)
- rt-sa-2007-005: ActiveWeb Contentserver CMS Multiple Cross Site Scriptings (plaintext version)
- rt-sa-2007-004: ActiveWeb Contentserver CMS SQL Injection Management Interface (plaintext version)
- rt-sa-2007-003: Fujitsu-Siemens PRIMERGY BX300 Switch Blade Information Disclosure (plaintext version)
- rt-sa-2007-002: Fujitsu-Siemens ServerView Remote Command Execution (plaintext version)
- rt-sa-2007-001: Alcatel-Lucent OmniPCX Remote Command Execution (plaintext version)
- rt-sa-2006-007: Authentication bypass in BytesFall Explorer (plaintext version)
- rt-sa-2006-006: Remote command execution in planetGallery (plaintext version)
- rt-sa-2006-005: Unauthorized password recovery in phpBannerExchange (plaintext version)
- rt-sa-2006-004: Authentication bypass in phpBannerExchange (plaintext version)
- rt-sa-2006-003: Perlpodder Remote Arbitrary Command Execution (plaintext version)
- rt-sa-2006-002: Prodder Remote Arbitrary Command Execution (plaintext version)
- rt-sa-2006-001: PAJAX Remote Code Injection and File Inclusion Vulnerability (plaintext version)
- rt-sa-2005-016: Time modification flaw in BSD securelevels on NetBSD and Linux (plaintext version)
- rt-sa-2005-015: BSD Securelevels: Circumventing protection of files flagged immutable (plaintext version)
- rt-sa-2005-014: New banking security system iTAN not as secure as claimed (plaintext version)
- rt-sa-2005-013: Sophos does not recognize keylogger after string alteration (plaintext version)
- rt-sa-2005-012: Pico Server (pServ) Local Information Disclosure (plaintext version)
- rt-sa-2005-011: Pico Server (pServ) Information Disclosure Of CGI Sources (plaintext version)
- rt-sa-2005-010: Pico Server (pServ) Remote Command Injection (plaintext version)
- rt-sa-2005-009: o2 Germany promotes SMS-Phishing (plaintext version)
- rt-sa-2005-009-de: o2 Germany begünstigt SMS-Phishing (plaintext version)
- rt-sa-2005-008: JPEG EXIF information disclosure (plaintext version)
- rt-sa-2005-007: Cross Site Scripting Vulnerability in Openconf Conference Management Software (plaintext version)
- rt-sa-2005-006: Awstats official workaround flaw (plaintext version)
- rt-sa-2005-005: Directory traversal in CitrusDB (plaintext version)
- rt-sa-2005-004: SQL-Injection in CitrusDB (plaintext version)
- rt-sa-2005-003: Upload Authorization bypass in CitrusDB (plaintext version)
- rt-sa-2005-002: Authentication bypass in CitrusDB (plaintext version)
- rt-sa-2005-001: Credit Card data disclosure in CitrusDB (plaintext version)



Practical IT Security
„Bridging the Gap between the Enterprise and You - or - Who's the JBoss now?”