Services Vulnerabilities Exploits Publications News Blog About DSecRG


Public references to DSecRG:

Credits to DSecRG

1. SAP

https://service.sap.com/sap/support/notes/1092631
https://service.sap.com/sap/support/notes/1136770
https://service.sap.com/sap/support/notes/1281820
https://service.sap.com/sap/support/notes/1284360
https://service.sap.com/sap/support/notes/1286637
https://service.sap.com/sap/support/notes/1292875
https://service.sap.com/sap/support/notes/1322098
https://service.sap.com/sap/support/notes/1327004
https://service.sap.com/sap/support/notes/1372153

2. Oracle

"The following people or organizations discovered and brought security vulnerabilities addressed by this Critical Patch Update to Oracle's attention: CERT/CC; Esteban Martinez Fayo of Application Security, Inc.; Pete Finnigan; Joxean Koret; Alexander Kornbrust of Red Database Security; Ali Kumcu of inTellectPro; David Litchfield of NGS Software; Mariano Nunez Di Croce of CYBSEC S.A.; and Alexandr Polyakov of Digital Security."

http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2009.html
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2009.html
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2008.html
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2008.html

3. HP

The Hewlett-Packard Company thanks Digital Security Research Group (dsecrg.com) for reporting these vulnerabilities to security-alert@hp.com.

http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01841397

4. SUN

"I'd like to thank The Digital Security Research Group for bringing the issues listed below to our attention."

https://glassfish.dev.java.net/servlets/ReadMsg?list=cvs&msgNo=29669
https://glassfish.dev.java.net/servlets/ReadMsg?list=cvs&msgNo=29668
https://glassfish.dev.java.net/servlets/ReadMsg?list=cvs&msgNo=29675
https://woodstock.dev.java.net/servlets/ReadMsg?list=cvs&msgNo=4041
http://www.nabble.com/Re:--DSECRG--Sun-Glassfish-Multiple-Security-Vulnerabilities-p23002524.html

5. IBM

http://www-01.ibm.com/support/docview.wss?uid=swg1PK82988

6. Adobe

Adobe would like to thank the following individuals and organizations for reporting the relevant issues and for working with Adobe to help protect our customers’ security.
Alexandr Polyakov of Digital Security (CVE-2009-1872, CVE-2009-1873, CVE-2009-1874)

http://www.adobe.com/support/security/bulletins/apsb09-12.html

7. Apache

"Credit: The Apache Geronimo project would like to thank Digital Security Research Group (dsecrg.com) for responsibly reporting this issue and assisting us with validating our fixes."

https://issues.apache.org/jira/browse/GERONIMO-4597

8. Alcatel

"Alcatel-Lucent would like to thank Digital Security (http://dsec.ru) to inform us about this vulnerability, for the good cooperation and for acting according to our disclosure policy practices."

http://www1.alcatel-lucent.com/psirt/statements/2008001/OXOrexec.pdf

9. Ruby project

"Credit to Digital Security Research Group (URL:http://dsec.ru/) for disclosing the problem to Ruby Security Team."

http://www.ruby-lang.org/en/news/2008/03/03/webrick-file-access-vulnerability/

10. Alienvault

Sintsov Alexey at Digital Security Research Group has discovered a series of security vulnerabilities in the OSSIM 2.1 and 2.1.1 releases. We'd like to thank DSecRG for the manner this join disclosure has been approached; it's always nice to be c ontacted before public disclosure.

http://www.alienvault.com/community.php?section=News

11. OpenBSD

http://www.mail-archive.com/misc@openbsd.org/msg49057.html

12. XOOPS

"This release is solely for a couple of critical fixes, including an XSS vulnerability reported by Digital Sercurity Research Group (or DSRG), potential local file inclusion vulnerability reported by DSRG. In the 2.3.2b release we have further improved security fixes with help from DSRG."

http://www.xoops.org/modules/news/article.php?storyid=4563

13. RunCMS

"P.S. Special thanks to Alexandr Polyakov from Digital Security Research Group for bugs & vulnerabilities report."

http://runcms.org/modules/mydownloads/singlefile_lid_130.html

Also:

APC, Claroline, Gallery, BlogCMS.

Vulnerabilities, exploits and whitepapers

Vulnerabilities

1. SUN GlassFish Enterprise Server Multiple XSS in TOP 5 Web application vulnerabilities may 2009.

http://www.communities.hp.com/securitysoftware/blogs/spilabs/archive/2009/05/11/top-five-web-application-vulnerabilities-4-28-09-5-10-09.aspx

2. Apache Geronimo Application Server Multiple Remote Vulnerabilities took 1st place in TOP 5 Web application vulnerabilities april 2009.

http://www.communities.hp.com/securitysoftware/blogs/spilabs/archive/2009/04/27/top-five-web-application-vulnerabilities-4-13-09-4-26-09.aspx

3. SAP cFolders XSS and HTML Injection Vulnerabilities in TOP 5 Web application vulnerabilities april 2009.

http://www.communities.hp.com/securitysoftware/blogs/spilabs/archive/2009/04/27/top-five-web-application-vulnerabilities-4-13-09-4-26-09.aspx

4. IBM WebSphere Application Server multiple XSS in TOP 5 Web application vulnerabilities march 2009.

http://www.communities.hp.com/securitysoftware/blogs/top5/archive/2009/04/13/top-five-web-application-vulnerabilities-3-22-09-4-12-09.aspx

5. SAP MaxDB 'webdbm' Multiple XSS in TOP 5 Web application vulnerabilities march 2009.

http://www.communities.hp.com/securitysoftware/blogs/top5/archive/2009/04/13/top-five-web-application-vulnerabilities-3-22-09-4-12-09.aspx

6. APC PowerChute Network Shutdown's Web Interface - XSS and Response Splitting vulnerabilities in TOP 5 Web application vulnerabilities February 2009.

http://www.communities.hp.com/securitysoftware/blogs/top5/archive/2009/03/02/top-five-web-application-vulnerabilities-2-17-09-3-1-09.aspx

7. SAP Web Application Server XSS vulnerability in TOP 5 Web application vulnerabilities july 2008.

http://www.communities.hp.com/securitysoftware/blogs/top5/archive/2008/06/04/top-five-web-application-vulnerabilities-5-12-08-5-25-08.aspx?jumpid=reg_R1002_USEN

8. Ruby WEBrick Remote Directory Traversal and Information Disclosure Vulnerabilities in TOP 5 Web application vulnerabilities march 2008.

http://www.communities.hp.com/securitysoftware/blogs/top5/archive/2008/03/17/Top-Five-Web-Application-Vulnerabilities-3_2F00_3_2F00_08-_2D00_-3_2F00_16_2F00_08.aspx

Exploits

1. DSecRG exploits for Metasploit project.
http://trac.metasploit.com/changeset/6234
http://trac.metasploit.com/changeset/6209
http://trac.metasploit.com/changeset/6464
http://carnal0wnage.blogspot.com/2009/02/new-oracle-sqli-coverage.html

2. Our exploits in paper "Best of oracle security 2008" and "Best of oracle security 2007" by Oracle expert Alexander Kornbrust.
http://www.red-database-security.com/wp/best_of_oracle_security_2008.pdf
http://www.red-database-security.com/wp/Best_of_Oracle_Security_2007.pdf

3. Our exploits in "Oracle Security Masterclass" by Oracle expert Pete Finnigan.
http://www.petefinnigan.com/Oracle_Security_Masterclass.pdf

Whitepapers

1. References to our whitepapers and exploits by Oracle security expert Alexander Kornbrust.
http://blog.red-database-security.com/2009/01/15/exploits-for-october-2008-cpu-whitepaper-different-ways-to-guess-sids-published/

2. References to our whitepaper by Oracle security expert Pete Finnigan.
http://www.petefinnigan.com/weblog/archives/00001228.htm

3. References to our whitepaper by Oracle security expert Paul Wright.
http://www.oracleforensics.com/wordpress/index.php/2009/04/19/sans-rsa-and-three-tier-oracle-security/

© 2002—2010, Digital Security
For quoting or using materials from this site
link is obligatory

+7 (812) 703-1547, +7 (812) 430-9130    e-mail: research@dsecrg.com
Rss: Vulnerabilities, Exploits, News, Publications, Summary
Search