Kundenstimmen

"Um unseren Kunden Sicherheit zu gewährleisten, vertrauen wir auf MajorSecurity Research."IT Leiter, Geizstrom.de

"Überraschend und erschreckend zugleich wie einfach selbst moderne Systeme zu "hacken" sind - Sehr hohes Niveau während des Audits." IT-Leiter Tarifprofi.de

"Sehr gutes und tiefgehendes Wissen im Bereich Web Application Auditing." CEO, HACKATTACK IT SECURITY GmbH

Weitere Referenzen ...


twitter account rss button
Start - Publikationen - Security Advisories

Security Advisories von MajorSecurity

In unregelmäßigen Abständen publiziere ich Security Advisories, in denen Sicherheitslücken aufgedeckt werden. Hierbei handelt es sich um Hinweise auf Verwundbarkeiten in Applikationen. Unter Verwundbarkeit versteht man in diesem Fall, dass eine Applikation konkrete Angriffsvektoren für potentiell böswillige Hacker und Kriminelle bietet.

Der Ablauf sieht folgendermaßen aus:

1. Überprüfen einer Anwendung auf Verwundbarkeiten
2. Erstellung von Proof of Concept Exploits
3. Kontaktieren des Herstellers
4. Abwarten der Rückmeldung des Herstellers
5. Gegebenenfalls Zusendung eines funktionstüchtigen Patches für die Sicherheitslücken
6. Publizieren des Advisorys, sobald der Hersteller einen Patch für die jeweilige Sicherheitslücke bereit stellt

Hier sehen Sie eine Auflistung der von mir im Jahr 2012 entdeckten Sicherheitslücken in bekannten Applikationen.

MajorSecurity-SA-2012-0012012-01-06phpMyAdmin <=3.4.7Cross-site Scripting in "rename" feature
MajorSecurity-SA-2012-0022012-01-06phpMyAdmin <=3.4.7Cross-site Scripting in "synchronise" feature
MajorSecurity-SA-2012-0032012-01-06Piwik 1.5.xReflected Cross Site Scripting
MajorSecurity-SA-2012-0042012-01-06Piwik 1.5.xPersistant Cross Site Scripting
MajorSecurity-SA-2012-005upcomingApache XX Script Injection via HTTP Header
MajorSecurity-SA-2012-006upcomingOpera 11.60 WebbrowserFile Permission Bypass
MajorSecurity-SA-2012-007upcomingTypo3 "phpMyAdmin" PluginBB-Code Injection
MajorSecurity-SA-2012-008upcomingPiwik 1.6no information until the vendor has released a fix
MajorSecurity-SA-2012-009upcomingFirefox 9.xAdressbar Spoofing
MajorSecurity-SA-2012-010upcomingJQueryno information until the vendor has released a fix
MajorSecurity-SA-2012-011upcomingSafari 5.1.2 WebbrowserFile Permission Bypass
MajorSecurity-SA-2012-012upcomingChive 1.0.1no information until the vendor has released a fix

Advisories der Jahre 2005 bis 2011

#822011-01-18Simploo CMS Community EditionRemote PHP Code Execution Issue
#812011-01-12 Contao CMS 2.9.2Persistent Cross Site Scripting Issue
#802010-08-13WordPress 3.0.1Cross Site Scripting Issue
#792010-07-27PHPKIT WCMSMultiple stored Cross Site Scripting Issues
#782011-07-27PHPKIT WCMSReflected Cross Site Scripting Issue
#772010-07-16Conpresso CMS v4.1.1Cross site Scripting vulnerabilities
#762011-01-18Simploo CMS Community EditionRemote PHP Code Execution Issue
#7516-06-2010RedAks CMS 2SQL Injection
#7415-06-2010RedAks CMS 2Cross-site Scripting Issues
#7314-06-2010Subdreamer CMSSQL Injection
#7211-06-2010Magnolia CMS Enterprise EditionCross site Scripting Issues
#7112-06-2010phpFaber CMSCross-site Scripting Issues
#7009-06-2010Plume CMSCross-site Request Forgery
#6908-06-2010Invision IP.Boardstored Cross site Scripting Issues
#6807-06-2010Anantasoft Gazelle CMS Cross-site Request Forgery
#6706-06-2010Invision Power Boardtype casting issues
#6605-06-2010chillyCMSCross-site Request Forgery
#6502-02-2010Motorola Milestone smartphoneRemote Crash Exploit
#6405-02-2010Apple Safari 4Remote Denial of Service
#63Reservedxt:CommerceUpcoming coordinated disclosure
#62ReservedMS Outlook Web AccessPending Disclosure
#61ReservedDotNetNukePending Disclosure
#6004-12-2009Mozila Firefox 3.5.5Remote Crash Vulnerability
#5922-09-2009PHP 5.3Security issue in mysqli_real_escape_string()
#5816-10-2009PHP 5.2.11Several Vulnerabilites in file_get_contents()
#5727-09-2009PHP 5.3Security issue in preg_match()
#5621-09-2008moziloWikiCross Site Scripting and Session Fixation Issues
#5522-09-2009moziloCMSDirectory Traversal, Cross Site Scripting,Session Fixation Issues
#5421-09-2008xt:CommerceCross Site Scripting and Session Fixation Issues
#5320-09-2008BLUEPAGE CMSCross Site Scripting and Session Fixation Issues
#5213-05-2008Actual AnalyzerCross Site Scripting Issues
#5121-07-2007Virtual Hosting Control SystemSession Fixation Issue
#5001-06-2007Chameleon CMS Session Fixation Issue
#4901-06-2007Calimero.CMS Session Fixation Issue
#4829-05-2007eggblog Session Fixation Issue
#4705-05-2007Simple Machines Forum Session Fixation Issue
#4624-04-2007Plogger Session Fixation Issue
#4515-04-2007oe2edit CMS Cross-Site-Scripting Issue
#4413-04-2007MailBee WebMail Pro Cross-Site-Scripting Issue
#4311-04-2007Calacode ATMail Cookie Manipulation and Cross-Site-Scripting Issue
#4207-04-2007webblizzard CMSCross-Site-Scripting and Session fixation Issues
#4106-04-2007courts onlineSession fixation and Cross-Site-Scripting Issues
#4006-04-2007eboShopSession fixation and Cross-Site-Scripting Issues
#3906-04-2007onebyone CMSSession fixation and Cross-Site-Scripting Issues
#3804-04-2007eXV2 CMSSession fixation and Cross-Site-Scripting Issues
#3703-04-2007holaCMSCross Site Scripting Issue
#3618-11-2006dev4u CMSMultiple Cross Site Scripting and SQL Injection Issues
#3518-11-2006Travelsized CMSMultiple Cross Site Scripting Issues
#3414-11-2006PLESKMultiple Cross Site Scripting Issues
#3311-11-2006ShopSystemsSQL Injection Issue
#3206-11-2006phpComasy CMSMultiple Cross Site Scripting Issues
#3104-11-2006Xenis.creator CMSMultiple Cross Site Scripting and SQL Injection Issues
#3004-11-2006admin.tool 3 CMSMultiple Cross Site Scripting Issues
#2929-10-2006foresite CMSCross Site Scripting Issue
#2829-09-2006ConPresso CMSMultiple XSS and SQL Injection Issues
#2703-08-2006Toenda CMSCross Site Scripting Issue
#2623-06-2006Woltlab Burning BoardCross Site Scripting, Session fixation and SQL Injection Vulnerabilities
#2522-07-2006Advanced Guestbook for phpBBCross Site Scripting and Cookie Disclosure Vulnerability
#2422-07-2006Fire-Mouse ToplistCross Site Scripting and SQL Injection Vulnerabilities
#2321-07-2006BLOG:CMSCross Site Scripting and Cookie Disclosure Vulnerability
#2220-07-2006Paddelberg TOP XLCross Site Scripting and Cookie Disclosure Vulnerability
#2119-07-2006phpFaber TopsitesMultiple Cross Site Scripting and SQL Injection Vulnerabilities
#2018-07-2006SiteDepth CMSRemote File Inclusion Vulnerability
#1923-06-2006AutoRank PHP ProMultiple Cross Site Scripting and Cookie Disclosure Vulnerabilities
#1812-06-2006Ralf Image GalleryMultiple Cross Site Scripting , Directory traversal and remote File Inclusion vulnerabilities
#1712-06-2006SixCMSMultiple Cross Site Scripting and directory traversal vulnerabilities
#1611-06-2006CensoredRevoked
#1511-06-2006CensoredRevoked
#1410-06-2006CFXe-CMSCross Site Scripting Issue
#1310-06-2006Cababos Web CMSCross Site Scripting Issue
#1210-06-2006ZMSRevoked
#1110-06-2006OpenCMSCross Site Scripting Issue
#1008-06-2006i.List ToplistMultiple Parameter Handling Script Insertion and Cross Site Scripting Issues
#903-06-2006HostAdminRemote File Inclusion Vulnerability
#803-06-2006DreamAccountRemote File Inclusion Vulnerability
#702-06-2006dotWidget CMSRemote File Inclusion Vulnerability
#623-05-2006SocketMailRemote File Inclusion Vulnerability
#504-05-2006phpListPro 2.01Multiple Remote File Inclusion Vulnerabilities
#424-04-2006phpMyAgendaRemote File Inclusion Vulnerability
#323-04-2006TotalCalendarRemote File Inclusion Vulnerability
#219-04-2006ActualAnalyzerRemote File Inclusion Vulnerability
#111-04-2006phpListPro 1.xRemote File Inclusion Vulnerability