

Public references to DSecRG:

Credits to DSecRG

1. SAP

The SAP Product Security Response Team thanks all researchers and security IT professionals that helped with discovering and solving security vulnerabilities. Their findings have helped SAP to maintain the security and safety of its customers' and partners' SAP systems.
Our acknowledgements page lists those professionals we have worked with successfully in the past. The acknowledgements are published on a monthly basis and mention all security researchers who helped to improve the security and integrity of our customers' IT systems by respecting our disclosure guidelines. We thank all security researchers for their excellent work and hope to continue the fruitful relationship between security professionals and SAP.

ACKNOWLEDGMENTS TO SECURITY RESEARCHERS:

http://www.sdn.sap.com/irj/sdn/index?rid=/webcontent/uuid/c05604f6-4eb3-2d10-eea7-ceb666083a6a

https://service.sap.com/sap/support/notes/1092631
https://service.sap.com/sap/support/notes/1136770
https://service.sap.com/sap/support/notes/1281820
https://service.sap.com/sap/support/notes/1284360
https://service.sap.com/sap/support/notes/1286637
https://service.sap.com/sap/support/notes/1292875
https://service.sap.com/sap/support/notes/1322098
https://service.sap.com/sap/support/notes/1327004
https://service.sap.com/sap/support/notes/1372153
https://service.sap.com/sap/support/notes/1391770
https://service.sap.com/sap/support/notes/1407285
https://service.sap.com/sap/support/notes/1416047
https://service.sap.com/sap/support/notes/1422273
https://service.sap.com/sap/support/notes/1432114
https://service.sap.com/sap/support/notes/1438191
https://service.sap.com/sap/support/notes/1440336
https://service.sap.com/sap/support/notes/1450270
https://service.sap.com/sap/support/notes/1456175
https://service.sap.com/sap/support/notes/1451843
https://service.sap.com/sap/support/notes/1469549
https://service.sap.com/sap/support/notes/1481923
https://service.sap.com/sap/support/notes/1481924
https://service.sap.com/sap/support/notes/1483888
https://service.sap.com/sap/support/notes/1484097
https://service.sap.com/sap/support/notes/1509610
https://service.sap.com/sap/support/notes/1511179
https://service.sap.com/sap/support/notes/1512776


2. Oracle

"The following people or organizations discovered and brought security vulnerabilities addressed by this Critical Patch Update to Oracle's attention: CERT/CC; Esteban Martinez Fayo of Application Security, Inc.; Pete Finnigan; Joxean Koret; Alexander Kornbrust of Red Database Security; Ali Kumcu of inTellectPro; David Litchfield of NGS Software; Mariano Nunez Di Croce of CYBSEC S.A.; and Alexandr Polyakov of Digital Security."

http://www.oracle.com/technetwork/topics/security/cpuoct2010-175626.html
http://www.oracle.com/technetwork/topics/security/cpujul2010-155308.html
http://www.oracle.com/technetwork/topics/security/cpuoct2009-096303.html
http://www.oracle.com/technetwork/topics/security/cpujul2009-091332.html
http://www.oracle.com/technetwork/topics/security/cpujan2009-097901.html
http://www.oracle.com/technetwork/topics/security/cpujul2008-090335.html
http://www.oracle.com/technetwork/topics/security/cpujan2008-086860.html


3. VMware

"VMware would like to thank Alexey Sintsov from Digital Security Research Group [DSecRG] for reporting this issue to us. The issue is identified as DSECRG-09-058 by Digital Security Research Group."

https://www.vmware.com/security/advisories/VMSA-2010-0008.html
http://lists.vmware.com/pipermail/security-announce/2010/000092.html


4. HP

The Hewlett-Packard Company thanks Digital Security Research Group (dsecrg.com) for reporting these vulnerabilities to security-alert@hp.com.

http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01841397

5. SUN

"I'd like to thank The Digital Security Research Group for bringing the issues listed below to our attention."

https://glassfish.dev.java.net/servlets/ReadMsg?list=cvs&msgNo=29669
https://glassfish.dev.java.net/servlets/ReadMsg?list=cvs&msgNo=29668
https://glassfish.dev.java.net/servlets/ReadMsg?list=cvs&msgNo=29675
https://woodstock.dev.java.net/servlets/ReadMsg?list=cvs&msgNo=4041
http://www.nabble.com/Re:--DSECRG--Sun-Glassfish-Multiple-Security-Vulnerabilities-p23002524.html

6. IBM

http://www-01.ibm.com/support/docview.wss?uid=swg1PK82988

7. Adobe

Adobe would like to thank the following individuals and organizations for reporting the relevant issues and for working with Adobe to help protect our customers' security.
Alexandr Polyakov of Digital Security (CVE-2009-1872, CVE-2009-1873, CVE-2009-1874)

http://www.adobe.com/support/security/bulletins/apsb09-12.html

8. Apache

"Credit: The Apache Geronimo project would like to thank Digital Security Research Group (dsecrg.com) for responsibly reporting this issue and assisting us with validating our fixes."

https://issues.apache.org/jira/browse/GERONIMO-4597

9. Alcatel

"Alcatel-Lucent would like to thank Digital Security (http://dsec.ru) for informing us about this vulnerability, for the good cooperation and for acting according to our disclosure policy practices."

http://www1.alcatel-lucent.com/psirt/statements/2008001/OXOrexec.pdf

10. Ruby project

"Credit to Digital Security Research Group (URL:http://dsec.ru/) for disclosing the problem to Ruby Security Team."

http://www.ruby-lang.org/en/news/2008/03/03/webrick-file-access-vulnerability/

11. Alienvault

Sintsov Alexey at Digital Security Research Group has discovered a series of security vulnerabilities in the OSSIM 2.1 and 2.1.1 releases. We'd like to thank DSecRG for the manner in which this joint disclosure has been approached; it's always nice to be contacted before public disclosure.

http://www.alienvault.com/community.php?section=News

12. OpenBSD

http://www.mail-archive.com/misc@openbsd.org/msg49057.html

13. XOOPS

"This release is solely for a couple of critical fixes, including an XSS vulnerability reported by Digital Security Research Group (or DSRG), and a potential local file inclusion vulnerability reported by DSRG. In the 2.3.2b release we have further improved security fixes with help from DSRG."

http://www.xoops.org/modules/news/article.php?storyid=4563

14. RunCMS

"P.S. Special thanks to Alexandr Polyakov from Digital Security Research Group for bugs & vulnerabilities report."

http://runcms.org/modules/mydownloads/singlefile_lid_130.html

Also:

APC, Claroline, Gallery, BlogCMS.

Vulnerabilities, exploits and whitepapers

Vulnerabilities

1. SUN GlassFish Enterprise Server Multiple XSS listed in TOP 5 Web application vulnerabilities, May 2009.

http://www.communities.hp.com/securitysoftware/blogs/spilabs/archive/2009/05/11/top-five-web-application-vulnerabilities-4-28-09-5-10-09.aspx

2. Apache Geronimo Application Server Multiple Remote Vulnerabilities took 1st place in TOP 5 Web application vulnerabilities, April 2009.

http://www.communities.hp.com/securitysoftware/blogs/spilabs/archive/2009/04/27/top-five-web-application-vulnerabilities-4-13-09-4-26-09.aspx

3. SAP cFolders XSS and HTML Injection Vulnerabilities listed in TOP 5 Web application vulnerabilities, April 2009.

http://www.communities.hp.com/securitysoftware/blogs/spilabs/archive/2009/04/27/top-five-web-application-vulnerabilities-4-13-09-4-26-09.aspx

4. IBM WebSphere Application Server Multiple XSS listed in TOP 5 Web application vulnerabilities, March 2009.

http://www.communities.hp.com/securitysoftware/blogs/top5/archive/2009/04/13/top-five-web-application-vulnerabilities-3-22-09-4-12-09.aspx

5. SAP MaxDB 'webdbm' Multiple XSS listed in TOP 5 Web application vulnerabilities, March 2009.

http://www.communities.hp.com/securitysoftware/blogs/top5/archive/2009/04/13/top-five-web-application-vulnerabilities-3-22-09-4-12-09.aspx

6. APC PowerChute Network Shutdown Web Interface XSS and Response Splitting vulnerabilities listed in TOP 5 Web application vulnerabilities, February 2009.

http://www.communities.hp.com/securitysoftware/blogs/top5/archive/2009/03/02/top-five-web-application-vulnerabilities-2-17-09-3-1-09.aspx

7. SAP Web Application Server XSS vulnerability listed in TOP 5 Web application vulnerabilities, July 2008.

http://www.communities.hp.com/securitysoftware/blogs/top5/archive/2008/06/04/top-five-web-application-vulnerabilities-5-12-08-5-25-08.aspx?jumpid=reg_R1002_USEN

8. Ruby WEBrick Remote Directory Traversal and Information Disclosure Vulnerabilities listed in TOP 5 Web application vulnerabilities, March 2008.

http://www.communities.hp.com/securitysoftware/blogs/top5/archive/2008/03/17/Top-Five-Web-Application-Vulnerabilities-3_2F00_3_2F00_08-_2D00_-3_2F00_16_2F00_08.aspx

Exploits

1. DSecRG exploits for Metasploit project.
http://trac.metasploit.com/changeset/6234
http://trac.metasploit.com/changeset/6209
http://trac.metasploit.com/changeset/6464
http://carnal0wnage.blogspot.com/2009/02/new-oracle-sqli-coverage.html

2. Our exploits in the papers "Best of Oracle Security 2008" and "Best of Oracle Security 2007" by Oracle expert Alexander Kornbrust.
http://www.red-database-security.com/wp/best_of_oracle_security_2008.pdf
http://www.red-database-security.com/wp/Best_of_Oracle_Security_2007.pdf

3. Our exploits in "Oracle Security Masterclass" by Oracle expert Pete Finnigan.
http://www.petefinnigan.com/Oracle_Security_Masterclass.pdf

Whitepapers

1. References to our whitepapers and exploits by Oracle security expert Alexander Kornbrust.
http://blog.red-database-security.com/2009/01/15/exploits-for-october-2008-cpu-whitepaper-different-ways-to-guess-sids-published/

2. References to our whitepaper by Oracle security expert Pete Finnigan.
http://www.petefinnigan.com/weblog/archives/00001228.htm

3. References to our whitepaper by Oracle security expert Paul Wright.
http://www.oracleforensics.com/wordpress/index.php/2009/04/19/sans-rsa-and-three-tier-oracle-security/



© 2002—2014, ERPScan
For quoting or using materials from this site, a link is obligatory.
