Wednesday, February 29, 2012

HTB23074: Multiple XSS in Dotclear

Dotclear version 2.4.1.2 suffers from multiple cross-site scripting vulnerabilities:
1. XSS in "login_data" POST parameter ("/admin/auth.php" script).
2. XSS in "nb" GET parameter to "/admin/blogs.php"; "type", "sortby", "order", "status" GET parameters to "/admin/comments.php"; "page" GET parameter to "/admin/plugin.php" scripts.

This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.

Vulnerability ID: HTB23074
Vendor Notification / Vendor Patch / Public Disclosure: 8 February / 9 February / 29 February
Vulnerable Version(s): 2.4.1.2 and probably prior
Vulnerabilities Type: Cross Site Scripting (XSS)
Risk level: Medium

You can also see all security advisories by High-Tech Bridge SA Security Research Lab.

Friday, February 24, 2012

Breaking Through Internet Censorship (March, 12)

As the UN humanitarian headquarters and the host city of numerous NGOs, Geneva is considered the world capital of human rights. The Swiss branch of Reporters Without Borders and NY-based PEN American Center partner to celebrate World Day Against Cyber Censorship, an initiative launched by Reporters Without Borders in 2008 to support a single Internet without walls and available to all. Though walls still stand today, bloggers, hacktivists and specialists in Internet security have been astonishingly creative in their circumvention of censorship, matching the vanguard vigilance of censors.

"BREAKING THROUGH INTERNET CENSORSHIP"
Thursday, 12 of March 2012 from 7:00PM
Frederick P. Rose Auditorium, Cooper Union
41 Cooper Square
Manhattan, New York 10003


Come hear international bloggers who will share their personal experience with censorship, and Internet experts who will offer information and new technology to help netizens of the world outwit surveillance.

More information:
- Participation at 'World Day Against Cyber Censorship' by ThinkSwiss
- Breaking Through Internet Censorship

Wednesday, February 22, 2012

Disclosed advisory: Multiple XSS in Chyrp HTB23073

Two vulnerabilities in Chyrp (HTB23073) were disclosed this week:
1. XSS in "content" parameter ("includes/ajax.php" script).
2. Cross-site scripting vulnerability in "body" POST parameter ("includes/error.php" script).

Vulnerability ID: HTB23073
Public Disclosure: 22 February 2012
Vulnerable Version(s): 2.5b1 and probably prior
Vulnerabilities Type: Cross Site Scripting (XSS)
Risk level: Medium

You can see more information about Cross Site Scripting.

Friday, February 17, 2012

PenTest Extra 02/2012: Interview with Marsel Nizamutdinov

The new issue of PenTest Extra, No.2, is out! In this issue you can read an interview with Marsel Nizamutdinov, Head of Research & Development Department at High-Tech Bridge SA, web application security expert and the author of "Hacker Web Exploitation Uncovered" (2005).

You can also read the full version of the interview on the HTBridge website: PenTest Extra Magazine No.2: Interview with Marsel Nizamutdinov

Wednesday, February 15, 2012

Latest Disclosed Advisories at 15 February

Two security advisories were disclosed this week.

  • Multiple vulnerabilities in LEPTON
    Vulnerability ID: HTB23072
    Public Disclosure: 15 February 2012
    Vulnerable Version(s): 1.1.3 and probably prior
    Vulnerabilities Type: Local File Inclusion, SQL Injection, Cross Site Scripting (XSS)
    Risk level: High

  • Multiple vulnerabilities in 11in1
    Vulnerability ID: HTB23071
    Public Disclosure: 15 February 2012
    Vulnerable Version(s): 1.2.1 stable 12-31-2011 and probably prior
    Vulnerabilities Type: Local File Inclusion, Cross-Site Request Forgery (CSRF)
    Risk level: High

You can see other security advisories.

Wednesday, February 8, 2012

High-Tech Bridge announces a capital increase and discusses its expansion strategy for 2012

High-Tech Bridge, a Geneva-based service provider dedicated to information security, is increasing its nominal share capital to 3 million Swiss francs (approximately USD 3.3M) and announces its development strategy for 2012. High-Tech Bridge remains a private company financed by Swiss investors, but the recent changes to its capital will also make it possible to distribute a minority stake of shares among the company's key employees.

In addition, High-Tech Bridge will extend its range of security services to small and medium-sized enterprises during 2012. Mr. Ilia Kolochenko, Chairman and Chief Executive Officer, states: "We have revised and adapted our development and expansion strategy to the new market conditions. The economic situation is not ideal today, so we must be more competitive, show flexibility, and pay particular attention to the needs of SMEs. Consequently, investing in research and development remains one of our priorities and will allow us to provide quality services while setting ourselves apart from the competition. During the first quarter of 2012, we will invest an additional half a million Swiss francs in our own R&D department, which has been headed by Mr. Marsel Nizamutdinov since the end of 2011."

Mr. Frédéric Bourla, Head of the Ethical Hacking and Computer Forensics departments, confirms: "We will soon announce the inauguration of an innovative security service, fully adapted to the needs of the current market in Switzerland and Europe. The production IT infrastructure is being finalized, and the related trademarks have been registered. We are currently in the beta-testing phase preceding the public announcement and official launch."

Source: market.ch
Related: High-Tech Bridge Announces Capital Increase and Adapted Expansion Strategy for 2012

Latest Disclosed Advisories at 8 February

All vulnerabilities in these 2 advisories are fixed by vendors at the time of publication.

Subscribe to our newsletter to keep up with our news.

Tuesday, February 7, 2012

High-Tech Bridge Announces Capital Increase and Adapted Expansion Strategy for 2012

GENEVA, February 7, 2012 /PRNewswire/

High-Tech Bridge, a leading provider of information security services headquartered in Geneva, increases its nominal share capital to CHF 3M (approximately USD 3.3M), and announces its development strategy for 2012. High-Tech Bridge remains a privately held company funded by Swiss investors; however, the recent change in capital will also permit the distribution of a minority stake of shares among the key employees and management of the company.

Moreover, High-Tech Bridge will extend its range of security services to Small and Medium Businesses during 2012. Mr. Ilia Kolochenko, CEO, says "We have revised and adapted our development and expansion strategy for the new market conditions. Economical situation is not in the best shape today, therefore we have to be more competitive and flexible, as well as to consider the needs of SMBs. This is why investing into R&D remains one of our first priorities in order to be able to deliver high-quality information security services, and to differentiate among the competitors. In the first quarter of 2012 we will invest half a million CHF in our proprietary R&D department, headed by Marsel Nizamutdinov, appointed to this position at the end of 2011."

Mr. Frederic Bourla, Head of Ethical Hacking and Computer Forensics, says "In the near future, we are going to announce the launch of an innovative information security service, fully-adapted to present needs of Swiss and European markets. The IT infrastructure is almost ready and trademarks are registered; we are currently in the phase of beta-testing before the public announcement and official launch."

About High-Tech Bridge

High-Tech Bridge SA provides companies, governmental agencies and international organizations with cutting-edge information security services, such as penetration testing, malware analysis, digital forensics, source code review and best-practice security consulting.

Contact
Damien Lavoix
Project Manager
High-Tech Bridge SA
Tel.: +41 22 560 68 43
E-Mail: press@htbridge.ch
Web: https://www.htbridge.ch
Twitter: http://twitter.com/htbridge

SOURCE High-Tech Bridge SA
PRNewswire: High-Tech Bridge Announces Capital Increase and Adapted Expansion Strategy for 2012

Wednesday, February 1, 2012

Summary of latest High-Tech Bridge news and events

We are glad to present a summary of the latest High-Tech Bridge news and events.

Video from hashdays

New video in our YouTube Channel: #days Defcon Switzerland: Frederic Bourla's presentation:

Cybercrime in nowadays businesses: A real case study of targeted attack


Latest Disclosed Advisories

All vulnerabilities are fixed by vendors at the time of publication.

To stay connected with High-Tech Bridge you can always subscribe to our newsletter.