Our advisory for Busybox cpio. When extracting cpio archives with BusyBox cpio, the cpio archiving tools may write files outside the destination directory and there is no option to prevent this. Full advisory: pentagrid.ch/en/blog/busybo… #itsecurity #infosec #pentesting #Busybox

For some #Icinga #monitoring, we wrote a small plugin in Python that sends mail via SMTP and checks on another mail server via IMAP if the mail was received. Here is the code: github.com/pentagridsec/i…

We had a look at Liechtenstein's electronic health files and the underlying #Liferay portal software and found some weaknesses in the portal software as well as risks in the IT setup. Full article (in German only): pentagrid.ch/de/blog/it-sic… #itsecurity #infosec #eHealth #eGD

Wir haben uns das Liechtensteiner #Gesundheitsdossier und die zugrunde liegende Portal-Software #Liferay angeschaut. Im Ergebnis haben wir Verwundbarkeiten in Liferay gefunden und Schwächen im IT-Setup: pentagrid.ch/de/blog/it-sic… #itsicherheit #informationssicherheit #eHealth #eGD

We analysed the security of a #WindRiver #VxWorks (the operating system running also on NASA's Curiosity mars rover) embedded device and found a critical vulnerability in the #tarExtract function: pentagrid.ch/en/blog/wind-r… #itsecurity #infosec #pentesting #cisa #vxworks

We wrote a tool in Python to create file archives such as zip, tar and cpio that include path traversal attacks: pentagrid.ch/en/blog/archiv… #itsecurity #infosec #pentesting

Wir haben ein Werkzeug in Python geschrieben, dass Dateiarchive wie zip, tar und cpio generiert welche Path Traversal Angriffe beinhalten: pentagrid.ch/de/blog/archiv… #itsicherheit #informationssicherheit #pentesting

The #Liferay Portal software < 7.4.3.88 respectively < 7.4.3.92 is affected by persistent cross-site-scripting vulnerabilities. pentagrid.ch/en/blog/stored… #itsecurity #infosec #pentesting

A few email-related Python libraries do not check server certificates. It is nothing new, but a bit surprisingly in 2023 and not everyone got the memo. pentagrid.ch/en/blog/python… #itsecurity #infosec #pentesting #python #email #bugbounty

Multiple vulnerabilities in Lantronix EDS-MD IoT gateway for medical devices: pentagrid.ch/en/blog/multip… #itsecurity #infosec #pentesting #lantronix #iot #medical

#SQLinjection in login dialog of web-based #YABOOK harbour administration allows authentication bypass pentagrid.ch/en/blog/sql-in… #pentest #sailing #hafenverwaltung #imonaboat

This is not a late April Fool's joke: After #37C3, we accidentally dumped the keypad codes of almost half of an IBIS hotel's rooms by entering some dashes into a check-in terminal: pentagrid.ch/en/blog/ibis-h… #itsecurity #infosec #ibis #accor #terminal #hotel

It happened again. We accidentally broke another #hotel check-in #terminal. This time Mr O'Yolo triggered a problem, crashed the #Ariane Allegro Scenario Player and escaped the #kiosk mode, which enabled access to the Windows Desktop: pentagrid.ch/en/blog/ariane… #itsecurity #infosec

If you want to protect your IT #infrastructure against #MITM attacks where an attacker bypasses domain verification to obtain valid certificates, you may want to use #CAA and #accountURI binding, which is easy to set up. pentagrid.ch/en/blog/domain… #hardening

Pentagrid is looking for an IT security analyst (d/f/m) in Buchs SG, Switzerland. pentagrid.ch/en/pages/caree…

Pentagrid published two hackvertor tags for #EAN13 (also Swiss AHV numbers) and #TOTP for #2FA. These tags are available via the Hackvertor Tag Store by Gareth Heyes \u2028 . Our blog post explains what these tags do and how they can be used. pentagrid.ch/en/blog/hacker… #pentest #OWASP

A story about looking at the effectiveness of web application firewalls and finding bypasses for the filter ruleset. pentagrid.ch/en/blog/airloc… #WAF #OWASP #coreruleset #ergon #airlock