Pentagrid AG

@pentagridsec

Followers: 285
Following: 7
Statuses: 53

Pentagrid performs technically solid IT security assessments. Mastodon: @pentagrid@infosec.exchange

Buchs SG, Switzerland
Joined May 2019
@pentagridsec
Pentagrid AG
2 years
We are also on #Mastodon: @pentagrid@infosec.exchange See you there!
0
2
2
@pentagridsec
Pentagrid AG
2 months
A story about looking at the effectiveness of web application firewalls and finding bypasses for the filter ruleset. #WAF #OWASP #coreruleset #ergon #airlock
0
1
1
@pentagridsec
Pentagrid AG
2 months
Pentagrid published two @hackvertor tags for #EAN13 (also Swiss AHV numbers) and #TOTP for #2FA. These tags are available via the Hackvertor Tag Store by @garethheyes . Our blog post explains what these tags do and how they can be used. #pentest #OWASP
0
6
6
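The two tags announced above wrap computations that are small enough to show in full. The following Python is an added example written for this page, not the Hackvertor tag code published by Pentagrid: the EAN-13 check digit (the same rule Swiss AHV numbers use over their 13 digits) and RFC 6238 TOTP on top of RFC 4226 HOTP, checked against the test vectors from RFC 6238. The sample codes below are constructed or taken from public test data.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional


def ean13_check_digit(payload: str) -> int:
    """Check digit for the first 12 digits of an EAN-13 code.

    Counting from the left, digits at odd positions weigh 1 and digits at even
    positions weigh 3; the check digit brings the weighted sum to a multiple of
    10. Swiss AHV numbers (756.xxxx.xxxx.xx) are EAN-13 codes with dots added.
    """
    if len(payload) != 12 or not payload.isdigit():
        raise ValueError("EAN-13 payload must be exactly 12 digits")
    total = sum(int(d) * (1 if i % 2 == 0 else 3) for i, d in enumerate(payload))
    return (10 - total % 10) % 10


def ean13_is_valid(code: str) -> bool:
    """Validate a 13-digit EAN; separators such as the dots in AHV numbers are ignored."""
    digits = "".join(ch for ch in code if ch.isdigit())
    if len(digits) != 13:
        return False
    return ean13_check_digit(digits[:12]) == int(digits[12])


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: Optional[int] = None, step: int = 30,
         digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the Unix time (default now)."""
    if unix_time is None:
        unix_time = int(time.time())
    return hotp(secret, unix_time // step, digits, algo)


if __name__ == "__main__":
    # 756.9217.0769.85 is the sample AHV number from the Swiss social insurance
    # documentation; the TOTP secret is the ASCII test key from RFC 6238.
    print(ean13_is_valid("756.9217.0769.85"))
    print(totp(b"12345678901234567890", 59, digits=8))
```

Note that the tag store version adds convenience such as base32 secrets; the function above takes the raw key bytes, which is what the RFC vectors use.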
@pentagridsec
Pentagrid AG
4 months
Pentagrid is looking for an IT security analyst (d/f/m) in Buchs SG, Switzerland.
1
1
6
@pentagridsec
Pentagrid AG
8 months
If you want to protect your IT #infrastructure against #MITM attacks where an attacker bypasses domain verification to obtain valid certificates, you may want to use #CAA and #accountURI binding, which is easy to set up. #hardening
0
1
0
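As an added example (not from the post and not Pentagrid's material), here is what such a CAA setup looks like and how a CA is expected to evaluate it: the issue record names the CA, the accounturi parameter from RFC 8657 pins issuance to one ACME account so that an attacker who passes domain validation with a different account is still refused, validationmethods restricts the challenge type, and an empty issuer on issuewild forbids wildcard certificates. The zone fragment, the domain and the account URL are constructed placeholders; the checker implements the RFC 8659/8657 decision logic as written for this page, not any CA's actual code.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed zone fragment. In practice the accounturi value is the account URL
# your ACME client received at registration, and the issuer domain is the one
# the CA documents for CAA.
ZONE = """
example.com.  IN CAA 0 issue "letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/12345; validationmethods=dns-01"
example.com.  IN CAA 0 issuewild ";"
example.com.  IN CAA 0 iodef "mailto:security@example.com"
"""


@dataclass
class CAARecord:
    flags: int
    tag: str
    value: Optional[str]                       # issuer domain; None for ";" (nobody may issue)
    params: Dict[str, str] = field(default_factory=dict)


CAA_LINE = re.compile(r'^\S+\s+(?:IN\s+)?CAA\s+(\d+)\s+(\w+)\s+"([^"]*)"\s*$')


def parse_caa(zone_text: str) -> List[CAARecord]:
    """Parse CAA RRs in zone-file syntax (RFC 8659 value, RFC 8657 parameters)."""
    records = []
    for line in zone_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = CAA_LINE.match(line)
        if not m:
            raise ValueError(f"not a CAA record: {line!r}")
        flags, tag, value = int(m.group(1)), m.group(2).lower(), m.group(3)
        if tag not in ("issue", "issuewild"):
            records.append(CAARecord(flags, tag, value))
            continue
        issuer, *params = [p.strip() for p in value.split(";")]
        parsed = {}
        for p in params:
            if p:
                key, _, val = p.partition("=")
                parsed[key.strip().lower()] = val.strip()
        records.append(CAARecord(flags, tag, issuer.lower() or None, parsed))
    return records


def may_issue(records: List[CAARecord], ca_domain: str, account_uri: Optional[str] = None,
              method: Optional[str] = None, wildcard: bool = False) -> bool:
    """Would this CA, acting for this ACME account with this validation method,
    be allowed to issue? issuewild overrides issue for wildcard names only; an
    absent parameter imposes no restriction; the empty issuer denies everyone."""
    tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in records):
        tag = "issuewild"
    relevant = [r for r in records if r.tag == tag]
    if not relevant:
        return True                        # no CAA constraint of this kind published
    for r in relevant:
        if r.value != ca_domain.lower():
            continue                       # different CA, or the empty issuer ";"
        want_uri = r.params.get("accounturi")
        if want_uri is not None and want_uri != account_uri:
            continue                       # right CA, wrong ACME account: the MITM case
        methods = r.params.get("validationmethods")
        if methods is not None and method not in [m.strip() for m in methods.split(",")]:
            continue                       # right CA and account, disallowed challenge
        return True
    return False


if __name__ == "__main__":
    recs = parse_caa(ZONE)
    mine = "https://acme-v02.api.letsencrypt.org/acme/acct/12345"
    print("own account, dns-01:", may_issue(recs, "letsencrypt.org", mine, "dns-01"))
    print("other account, dns-01:", may_issue(recs, "letsencrypt.org", mine + "6", "dns-01"))
```

Check the live records with `dig example.com CAA +short` after publishing; the ACME client's account URL is the value to bind, and rotating the account means updating the record first.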
@pentagridsec
Pentagrid AG
8 months
It happened again. We accidentally broke another #hotel check-in #terminal. This time Mr O'Yolo triggered a problem, crashed the #Ariane Allegro Scenario Player and escaped the #kiosk mode, which enabled access to the Windows Desktop: #itsecurity #infosec
0
1
3
@pentagridsec
Pentagrid AG
10 months
This is not a late April Fool's joke: After #37C3, we accidentally dumped the keypad codes of almost half of an IBIS hotel's rooms by entering some dashes into a check-in terminal: #itsecurity #infosec #ibis #accor #terminal #hotel
0
3
2
@pentagridsec
Pentagrid AG
11 months
#SQLinjection in login dialog of web-based #YABOOK harbour administration allows authentication bypass #pentest #sailing #hafenverwaltung #imonaboat
0
1
1
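The post does not describe the YABOOK query itself, so what follows is a generic added example of the vulnerability class, written for this page and not taken from the product or the advisory: a login check built by string concatenation, the payload that turns it into an authentication bypass, and the parameterized version, run against an in-memory SQLite table with constructed sample data.

```python
import hashlib
import secrets
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data: one account in an in-memory SQLite database.
    (Plain SHA-256 stands in for a real password KDF to keep the example short.)"""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES (?, ?)",
                 ("admin", hashlib.sha256(b"correct horse").hexdigest()))
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Login check built by string concatenation: the username is pasted into
    the SQL text, so a quote in it ends the literal and the rest becomes SQL."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    query = ("SELECT COUNT(*) FROM users WHERE username = '" + username +
             "' AND pw_hash = '" + pw_hash + "'")
    return conn.execute(query).fetchone()[0] > 0


def login_fixed(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterized query: the driver passes the value separately from the
    statement, so no input can change its structure. The hash comparison is
    moved into application code and made constant-time."""
    row = conn.execute("SELECT pw_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        return False
    return secrets.compare_digest(row[0], hashlib.sha256(password.encode()).hexdigest())


# Constructed bypass payload: closes the username literal and comments out the
# password condition, so the query reduces to WHERE username = 'admin'.
BYPASS_USERNAME = "admin' --"


if __name__ == "__main__":
    db = build_db()
    print("vulnerable, wrong password + bypass:", login_vulnerable(db, BYPASS_USERNAME, "x"))
    print("fixed, same payload:", login_fixed(db, BYPASS_USERNAME, "x"))
```

The payload works without knowing any password because the comment removes the only condition that depends on it; with the parameterized query the same string is simply a username that does not exist.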
@pentagridsec
Pentagrid AG
1 year
Multiple vulnerabilities in Lantronix EDS-MD IoT gateway for medical devices: #itsecurity #infosec #pentesting #lantronix #iot #medical
0
4
4
@pentagridsec
Pentagrid AG
1 year
♫ Ground control to Major Tom, take the patch and put secure mode on. ♫ #openstage #openscape #unify
0
2
1
@pentagridsec
Pentagrid AG
1 year
A few email-related Python libraries do not check server certificates. It is nothing new, but a bit surprising in 2023, and not everyone got the memo. #itsecurity #infosec #pentesting #python #email #bugbounty
0
3
2
@pentagridsec
Pentagrid AG
1 year
The #Liferay Portal software (< 7.4.3.88 and < 7.4.3.92, respectively) is affected by persistent cross-site scripting vulnerabilities. #itsecurity #infosec #pentesting
0
6
0
@pentagridsec
Pentagrid AG
1 year
We wrote a tool in Python that generates file archives such as zip, tar and cpio that contain path traversal attacks: #itsicherheit #informationssicherheit #pentesting
0
0
0
@pentagridsec
Pentagrid AG
1 year
We wrote a tool in Python to create file archives such as zip, tar and cpio that include path traversal attacks: #itsecurity #infosec #pentesting
0
4
2
@pentagridsec
Pentagrid AG
1 year
We analysed the security of a #WindRiver #VxWorks (the operating system also running on NASA's Curiosity Mars rover) embedded device and found a critical vulnerability in the #tarExtract function: #itsecurity #infosec #pentesting #cisa #vxworks
0
3
3
@pentagridsec
Pentagrid AG
1 year
We had a look at the Liechtenstein #Gesundheitsdossier (electronic health record) and the underlying portal software #Liferay. As a result, we found vulnerabilities in Liferay and weaknesses in the IT setup: #itsicherheit #informationssicherheit #eHealth #eGD
0
2
4
@pentagridsec
Pentagrid AG
1 year
We had a look at Liechtenstein's electronic health files and the underlying #Liferay portal software and found some weaknesses in the portal software as well as risks in the IT setup. Full article (in German only): #itsecurity #infosec #eHealth #eGD
0
2
4
@pentagridsec
Pentagrid AG
1 year
For some #Icinga #monitoring, we wrote a small plugin in Python that sends mail via SMTP and checks on another mail server via IMAP if the mail was received. Here is the code:
0
2
4
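Neither the libraries named in the earlier post about missing certificate checks nor Pentagrid's own Icinga plugin are reproduced here (the posts link to them). The following is an added example written for this page that covers both posts: an SMTP-to-IMAP round-trip probe in the spirit of such a plugin, built only on the standard library, with the unverified TLS context the earlier post warns about shown beside the verified context a mail client should use. Hostnames, ports, credentials and the `cfg` keys are placeholders chosen for this example.

```python
import email.utils
import imaplib
import smtplib
import ssl
import time
import uuid
from email.message import EmailMessage
from typing import Optional


def weak_context() -> ssl.SSLContext:
    """The pattern the earlier post warns about: the socket is encrypted, but the
    server certificate is never checked, so an on-path attacker presenting any
    certificate can read and alter the session, including the login."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verified_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """What to pass instead: the system trust store (or a pinned CA bundle via
    cafile), hostname verification, and TLS 1.2 as the floor."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_safe(ctx: ssl.SSLContext) -> bool:
    """Sanity check worth running on any context a library hands you."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


def send_probe(host: str, port: int, user: str, password: str,
               sender: str, recipient: str, ctx: ssl.SSLContext) -> str:
    """Send a uniquely tagged probe over SMTPS (implicit TLS) and return the tag."""
    token = uuid.uuid4().hex
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, recipient
    msg["Subject"] = f"icinga-probe {token}"
    msg["Message-ID"] = email.utils.make_msgid()
    msg.set_content("mail round-trip probe")
    with smtplib.SMTP_SSL(host, port, context=ctx, timeout=30) as smtp:
        smtp.login(user, password)
        smtp.send_message(msg)
    return token


def wait_for_probe(host: str, port: int, user: str, password: str, token: str,
                   ctx: ssl.SSLContext, timeout: int = 120, interval: int = 10) -> bool:
    """Poll the receiving mailbox over IMAPS until the tagged probe arrives, then delete it."""
    deadline = time.monotonic() + timeout
    while True:
        with imaplib.IMAP4_SSL(host, port, ssl_context=ctx) as imap:
            imap.login(user, password)
            imap.select("INBOX")
            _, data = imap.search(None, "SUBJECT", f'"icinga-probe {token}"')
            nums = data[0].split()
            if nums:
                for num in nums:
                    imap.store(num, "+FLAGS", "\\Deleted")
                imap.expunge()
                return True
        if time.monotonic() >= deadline:
            return False
        time.sleep(interval)


def check_roundtrip(cfg: dict) -> int:
    """Icinga plugin convention: return 0 for OK and 2 for CRITICAL."""
    ctx = verified_context(cfg.get("cafile"))
    token = send_probe(cfg["smtp_host"], cfg["smtp_port"], cfg["smtp_user"],
                       cfg["smtp_pass"], cfg["sender"], cfg["recipient"], ctx)
    ok = wait_for_probe(cfg["imap_host"], cfg["imap_port"], cfg["imap_user"],
                        cfg["imap_pass"], token, ctx)
    print("MAIL OK - probe received" if ok else "MAIL CRITICAL - probe not received")
    return 0 if ok else 2


if __name__ == "__main__":
    import sys
    # Placeholder configuration; replace with real hosts and credentials.
    cfg = {"smtp_host": "smtp.example.org", "smtp_port": 465, "smtp_user": "probe",
           "smtp_pass": "secret", "sender": "probe@example.org",
           "recipient": "probe@example.net", "imap_host": "imap.example.net",
           "imap_port": 993, "imap_user": "probe", "imap_pass": "secret"}
    sys.exit(check_roundtrip(cfg))
```

The probe uses implicit TLS on both legs; if a server only offers STARTTLS, pass the same verified context to `starttls(context=...)` and the check is equivalent. A context that fails `context_is_safe` is exactly the condition the earlier post describes.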
@pentagridsec
Pentagrid AG
1 year
Our advisory for BusyBox cpio. When extracting cpio archives with BusyBox cpio, the cpio archiving tools may write files outside the destination directory and there is no option to prevent this. Full advisory: #itsecurity #infosec #pentesting #Busybox
0
3
4
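The archive generator announced earlier, the VxWorks tarExtract finding and the BusyBox cpio advisory all come down to one extractor mistake: trusting the member name. The following is an added example written for this page, not Pentagrid's tool and not the code of any of the affected projects: it builds zip, tar and cpio (SVR4 newc) archives carrying traversal entries and shows the per-member check an extractor needs in order to reject them. Member names, payload and the /srv/extract destination are constructed for the example.

```python
import io
import posixpath
import tarfile
import zipfile
from typing import List

# Constructed member names and payload for this example.
PAYLOAD = b"pwned\n"
TRAVERSAL_NAMES = ["../../tmp/evil.txt", "/etc/evil.txt", "safe/../../evil.txt"]
SAFE_NAMES = ["docs/readme.txt"]


def make_zip(names: List[str]) -> bytes:
    """zipfile stores whatever name a ZipInfo carries, so '../' and absolute
    entries can be produced without patching the library."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name in names:
            zf.writestr(zipfile.ZipInfo(name), PAYLOAD)
    return buf.getvalue()


def make_tar(names: List[str]) -> bytes:
    """Same with tarfile: a hand-built TarInfo skips the arcname cleanup of add()."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name in names:
            info = tarfile.TarInfo(name)
            info.size = len(PAYLOAD)
            tf.addfile(info, io.BytesIO(PAYLOAD))
    return buf.getvalue()


def _newc_entry(name: str, data: bytes) -> bytes:
    """One SVR4 'newc' cpio record: magic 070701, thirteen 8-digit hex fields
    (ino, mode, uid, gid, nlink, mtime, filesize, devmajor, devminor, rdevmajor,
    rdevminor, namesize incl. NUL, check); header+name and data each padded to 4 bytes."""
    namesize = len(name) + 1
    fields = [0, 0o100644, 0, 0, 1, 0, len(data), 0, 0, 0, 0, namesize, 0]
    hdr = b"070701" + "".join(f"{v:08x}" for v in fields).encode() + name.encode() + b"\0"
    hdr += b"\0" * (-len(hdr) % 4)
    return hdr + data + b"\0" * (-len(data) % 4)


def make_cpio(names: List[str]) -> bytes:
    """The stdlib has no cpio writer, so the newc format is emitted by hand."""
    return b"".join(_newc_entry(n, PAYLOAD) for n in names) + _newc_entry("TRAILER!!!", b"")


def cpio_names(archive: bytes) -> List[str]:
    """Walk a newc archive and return the member names up to the trailer."""
    names, pos = [], 0
    while pos + 110 <= len(archive):
        if archive[pos:pos + 6] != b"070701":
            raise ValueError("not a newc cpio archive")
        fields = [int(archive[pos + 6 + 8 * i:pos + 14 + 8 * i], 16) for i in range(13)]
        filesize, namesize = fields[6], fields[11]
        name = archive[pos + 110:pos + 110 + namesize - 1].decode()
        if name == "TRAILER!!!":
            break
        names.append(name)
        pos += 110 + namesize
        pos += -pos % 4
        pos += filesize
        pos += -pos % 4
    return names


def is_escaping(member: str, dest: str = "/srv/extract") -> bool:
    """The check an extractor must make per member: resolve dest/member lexically
    and require it to stay under dest. Catches '..' and absolute names; symlinks
    placed by earlier members are a separate problem that needs the real
    filesystem path at extraction time."""
    target = posixpath.normpath(posixpath.join(dest, member))
    return posixpath.commonpath([dest, target]) != dest


def escaping_members(archive: bytes, kind: str, dest: str = "/srv/extract") -> List[str]:
    """List the members of a zip, tar or cpio archive that would land outside dest."""
    if kind == "zip":
        with zipfile.ZipFile(io.BytesIO(archive)) as zf:
            names = zf.namelist()
    elif kind == "tar":
        with tarfile.open(fileobj=io.BytesIO(archive)) as tf:
            names = tf.getnames()
    elif kind == "cpio":
        names = cpio_names(archive)
    else:
        raise ValueError(f"unknown archive kind {kind!r}")
    return [n for n in names if is_escaping(n, dest)]


if __name__ == "__main__":
    for kind, build in (("zip", make_zip), ("tar", make_tar), ("cpio", make_cpio)):
        print(kind, escaping_members(build(TRAVERSAL_NAMES + SAFE_NAMES), kind))
```

Feeding the generated archives to an extractor under test in a scratch directory and looking for files outside it is the quickest way to reproduce the class of bug the advisories describe; an extractor that does the `is_escaping` check (or, for Python 3.12+, tarfile with `filter="data"`) refuses all three traversal members.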
@pentagridsec
Pentagrid AG
2 years
Do not put the PDU's management interface on the Internet. Otherwise, the Internet turns off the light. #aten #pdu #Vulnerability
0
5
7