Tuesday, May 29, 2012

RTS.ch: The proceedings concerning the indictment of Swisscom, Orange and Sunrise employees take on a new dimension

The case is reportedly linked to the espionage scandal involving Anne Lauvergeon, former head of the French nuclear group Areva. Stéphane Koch comments on the subject.

Related links:
Radio Télévision Suisse (RTS.ch): Le 19:30 - The proceedings concerning the indictment of Swisscom, Orange and Sunrise employees take...
High-Tech Bridge (htbridge.com): The proceedings concerning the indictment of Swisscom, Orange and Sunrise employees

HTB23090: pragmaMx multiple XSS

pragmaMx version 1.12.1 and probably prior suffers from multiple cross-site scripting (XSS) vulnerabilities:
Input passed via the name of a GET parameter to the "modules.php" script, and via the "img_url" GET parameter to the "includes/wysiwyg/spaw/editor/plugins/imgpopup/img_popup.php" script, is not properly sanitised before being returned to the user.

Vulnerability ID: HTB23090
Vendor Notification / Patch / Public Disclosure Dates: 2 May / 4 May / 23 May 2012
Vulnerabilities Type: Cross-Site Scripting (XSS)
Risk level: Medium
Solution: Fixed by Vendor, upgrade to pragmaMx 1.12.2

HTB23089: Pligg CMS multiple vulnerabilities

Pligg CMS version 1.2.1 and probably prior suffers from local file inclusion (LFI) and cross-site scripting (XSS) vulnerabilities:
1. Cross-Site Scripting (XSS): Input passed via any GET parameter to the "admin/admin_index.php" script, and via the "karma_username" POST parameter and the "q_1_low", "q_1_high", "q_2_low", "q_2_high" and "edit" GET parameters to the "module.php" script, is not properly sanitised before being returned to the user.
2. Local File Inclusion (LFI): Input passed via the "captcha" GET parameter to the "module.php" script is not properly verified before being used in the "include_once()" PHP function and can be exploited to include arbitrary or previously uploaded local files. Successful exploitation of this vulnerability requires administrative privileges, so the most appropriate vector of exploitation is CSRF.

Vulnerability ID: HTB23089
Vendor Notification / Patch / Public Disclosure Dates: 25 April / 18 May / 23 May
Vulnerabilities Type: Cross-site scripting (XSS), Local file inclusion (LFI)
Risk level: Medium
Solution Status: Fixed by Vendor, upgrade to Pligg CMS 1.2.2

Read full information, details and Proof of Concept (PoC) for this advisory: High-Tech Bridge Advisory HTB23089: Multiple vulnerabilities in Pligg CMS.

Tuesday, May 22, 2012

ITSecuDay Geneva (25th of May 2012)

High-Tech Bridge participates as Gold sponsor and speaker at "ITSecuDay Geneva", organized by the "Groupement Romand de l'Informatique (GRI)". The event takes place on May 25 and is dedicated to information security and the security challenges of the globalization of information.

Speakers:

  1. Stéphane Koch
  2. Bruce Schneier
  3. François Buntschu and Patrick Gaillet
  4. Philippe Oechslin
  5. Hervé Schauer

You can read more about the "ITSecuDay Geneva" event at the GRI Portal.

25th of May 2012 from 08h30 to 17h30
at Hotel Bristol
Rue du Mont-Blanc, 10
CH-1201 Geneva

ITSecuDay Geneva registration is available online here.
Source: High-Tech Bridge: Gold sponsor and speaker at "ITSecuDay Geneva".

Friday, May 11, 2012

HTB23080: OrangeHRM multiple vulnerabilities

OrangeHRM version 2.7 RC and probably prior suffers from SQL injection and cross-site scripting (XSS) vulnerabilities:
1. SQL Injection: Input passed via the "hspSummaryId" GET parameter to the "plugins/ajaxCalls/haltResumeHsp.php" script is not properly sanitised before being used in an SQL "UPDATE" query.
2. Cross-Site Scripting (XSS): Input passed via the "newHspStatus" GET parameter to the "plugins/ajaxCalls/haltResumeHsp.php" script, the "sortOrder" GET parameter to the "templates/hrfunct/emppop.php" script, and the "uri" GET parameter to the "index.php" script is not properly sanitised before being returned to the user.

Vulnerability ID: HTB23080
Vendor Notification / Patch / Public Disclosure Dates: 7 March / 24 April / 9 May 2012
Vulnerabilities Type: SQL injection, Cross-site scripting (XSS)
Risk level: High
Solution Status: Fixed by Vendor, upgrade to OrangeHRM 2.7 Stable Release.

Thursday, May 10, 2012

HTB23087: PivotX cross-site scripting (XSS) vulnerability

PivotX version 2.3.2 and probably prior suffers from a cross-site scripting (XSS) vulnerability:
Input passed via the "file" GET parameter to the "pivotx/ajaxhelper.php" script is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in the administrator's browser session in the context of the affected website.

Vulnerability ID: HTB23087
Vulnerability Type: Cross-Site Scripting (XSS)
Risk level: Medium
Vendor Notification / Patch / Public Disclosure Dates: 18 April / 18 April / 9 May 2012
Solution: Fixed in svn repository. Apply vendor's patch.

Thursday, May 3, 2012

HTB23086: PluXml Local File Inclusion

PluXml version 5.1.5 and probably prior suffers from a Local File Inclusion (LFI) vulnerability:
Input passed via the "default_lang" POST parameter to the "update/index.php" script is not properly verified before being used in the "include_once()" function and can be exploited to include arbitrary local files via directory traversal sequences and URL-encoded NULL bytes.

Vulnerability ID: HTB23086
Vendor Notification / Patch / Public Disclosure Dates: 11 April / 16 April / 2 May 2012
Vulnerabilities Type: Local File Inclusion (LFI)
Risk level: High
Solution: Fixed by Vendor, Upgrade to PluXml 5.1.6

Read full information and details about this advisory: High-Tech Bridge Advisory HTB23084: Local File Inclusion in PluXml.
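Both LFI advisories above (the "captcha" parameter in Pligg CMS and the "default_lang" parameter in PluXml) share one root cause: a request value reaches include_once() as part of a path. The following is an added illustration, not code from PluXml, Pligg or High-Tech Bridge; the directory layout, the language codes and the helper names are assumptions made for the example.

```php
<?php
// Added example (not the affected projects' code): the unsafe pattern the
// advisories describe, beside an allow-list hardened version.
declare(strict_types=1);

// Unsafe pattern: the request value becomes part of the path handed to include_once().
// Traversal sequences or a URL-encoded NULL byte in $lang escape the intended directory.
function langPathUnsafe(string $langDir, string $lang): string
{
    return $langDir . '/' . $lang . '/core.php';
}

// Hardened pattern: the request value only selects an entry from a fixed vocabulary,
// and the resolved path is re-checked against the base directory.
function resolveLangFile(string $langDir, string $lang): ?string
{
    $allowed = ['en', 'fr', 'de'];          // constructed allow-list for the example
    if (!in_array($lang, $allowed, true)) {
        return null;                         // anything outside the allow-list is rejected
    }
    $base = realpath($langDir);
    $path = realpath($langDir . '/' . $lang . '/core.php');
    // realpath() collapses traversal; the result must still sit below $base.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Usage in a request handler (assumed layout: <app>/lang/<code>/core.php).
$lang = $_POST['default_lang'] ?? 'en';
$file = resolveLangFile(__DIR__ . '/lang', $lang);
if ($file === null) {
    http_response_code(400);
    exit('invalid language');
}
include_once $file;
```

For the Pligg case, where the include is reachable only by an administrator, the same allow-list removes the payload a CSRF request could carry; an anti-CSRF token on the admin action is the complementary control.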

A Frost & Sullivan White Paper: The Importance of Ethical Hacking: Emerging Threats Emphasise Need for Holistic Assessments (From SlideShare)

An online version of the White Paper is available on SlideShare. Read more about this white paper here at htbridge.blogspot.com: The Importance of Ethical Hacking: Emerging Threats Emphasise Need for Holistic Assessments.

Tuesday, May 1, 2012

Hackers could target medical devices (Planète Santé, French article)

An interesting article, "Les hackers ciblent les dispositifs médicaux" / "Hackers could target medical devices", was published in Planète Santé (30/04/2012).

Taking remote control of an insulin pump: that is the demonstration computer security experts carried out several times last year. Should we therefore give up medical devices that can be controlled through software? Certainly not, the experts reply.

Read more: Les hackers ciblent les dispositifs médicaux (in French).