Security Advisory 01/2019

by Stefan Schmer, Managing Consultant Security Analysis & Pentests, usd AG.

Vulnerability Disclosure

usd AG penetration testers have identified several security vulnerabilities during security analyses. These vulnerabilities affect the products Riverbed SteelCentral AppResponse, Dropbear and Cisco Unified Communications Manager. The following vulnerability classes were identified: Cross Site Scripting (XSS), Username Enumeration, Sensitive Data Disclosure. In accordance with usd AG’s Responsible …

Security Advisory 12/2018

by Stefan Schmer, Managing Consultant Security Analysis & Pentests, usd AG.

Vulnerability Disclosure

usd AG penetration testers have identified several security vulnerabilities during security analyses. These vulnerabilities affect the products Shpock App, SEP sesam, Nagios Core, Icinga Web 2 and Fortigate 900D. The following vulnerability classes were identified: Authentication Bypass, Cross Site Scripting (XSS), Cross-Site Request Forgery (CSRF), Denial of Service …

Security Advisory 11/2018

by Stefan Schmer, Managing Consultant Security Analysis & Pentests, usd AG.

Vulnerability Disclosure

usd AG penetration testers have identified several security vulnerabilities during security analyses. These vulnerabilities affect the products SafeQ Pro SmartCard v2, Patlite NBM-D88N, Patlite NHL-3FB1, Patlite NHL-3FV1N and Paramiko. The following vulnerability classes were identified: Backdoor, Authentication Bypass, Replay Attack. In accordance with usd AG’s Responsible Disclosure …

Security Advisory 07/2018

by Stefan Schmer, Managing Consultant Security Analysis & Pentests, usd AG.

Vulnerability Disclosure

usd AG penetration testers have identified several security vulnerabilities during security analyses. These vulnerabilities affect the product Lexware Professional 2017. The following vulnerability classes were identified: Broken Authentication, Denial of Service, Improper Access Control. In accordance with usd AG’s Responsible Disclosure Policy, Haufe-Lexware has been notified of the …

Security Advisory 06/2018

by Stefan Schmer, Managing Consultant Security Analysis & Pentests, usd AG.

Vulnerability Disclosure

usd AG penetration testers have identified several security vulnerabilities during security analyses. These vulnerabilities affect the products Pdf-Xchange Viewer and FirstSpirit SiteArchitect. The following vulnerability classes were identified: Heap Overflow, Improper Access Control, Path Traversal. In accordance with usd AG’s Responsible Disclosure Policy, all vendors have been …

Security Advisory 05/2018 "BCS & STARFACE"

by Stefan Schmer, Managing Consultant Security Analysis & Pentests, usd AG.

Vulnerability Disclosure

usd AG penetration testers have identified several security vulnerabilities during security analyses. These vulnerabilities affect the products Projektron BCS and Starface. The following vulnerability classes were identified: Cross Site Scripting (XSS), SQL Injection (SQLi), Expression Language Injection (EXPi), Cross-Site Request Forgery (CSRF).

Overview

In accordance with usd AG’s Responsible …

How a Vulnerable Picture Upload Can Be Exploited Using Manipulated Picture Files

By Ralf Almon, Senior Consultant Security Analysis & Pentests, usd AG.

Abstract

There are numerous websites allowing users to upload picture files. In trying to allow users to upload different file extensions, an attacker is sometimes able to find weaknesses in these image uploads. This article describes an attack which circumvents weak file name restrictions and injects PHP code …

Hackerday tour 2016 – HeroLab in action

With the publication of our challenge on March 03, interested parties started hacking code to apply for one of the Hackerdays. On April 26th our security experts will start the Hackerday tour through Germany and give an impression of the latest pentest methods. The Hackerdays themselves are based on the technologies of the usd HeroLab. Attendees could prove their knowledge …