My documents
Stuff I published, worked on or helped with. Many of these documents have been published on various message boards, blogs, Twitter posts, mailing lists, Joomla security alert sites and communities. Anyway, I try to point out some important links.
Security
- The (in)security of Omegle – What Omegle users should know, also published on packetstormsecurity.org, Exploit DB and on Docstoc.
- Lokalisten: identity problems – “Hijacking” other profiles (is) was so much fun! By the way, something similar also happened to Facebook.
- The anatomy of an online banking fraud, or: Harvesting bank account data.
- leaftec cms multiple vulnerabilities, also published on Exploit DB, hack0wn, expbase, secunia, swxz88, bbs.honkwin, 7747, bug-blog.de, cnet.com, sans.org, cwo1f hi.baidu.com, nullbyte.org.il, secuobs, osvdb.org, sebug.net, securityhome.eu, Juniper(2) and packetstormsecurity.org.
- Devana SQL Injection vulnerability, also published on hack0wn, Exploit DB, expbase, bbs.honkwin, ariko-security, sebug.net, nullbyte.org.il, osvdb.org, Juniper and packetstormsecurity.org.
- onepound shop / cms XSS and SQL Injection vulnerabilities, also published on Exploit DB, bbs.honkwin, hack0wn, nullbyte.org.il, Juniper and packetstormsecurity.org.
- Facebook – Having fun with the search box (XSS), also published on bbs.honkwin and hack0wn.
- Joomla component jp_jobs SQL Injection vulnerability, also published on hack0wn, Exploit DB, bbs.syue, siomalabs, expbase, hi.baidu.com, packetstormsecurity.org, cnet.com, Security Database, secunia, cwo1f, SecurityReason, 0daynet.com, launchpad.net, cve.mitre.org, hxcode.com, xforce.iss.net, SecurityFocus, nullbyte.org.il, National Vulnerability Database, osvdb.org and Juniper. I worked together with Kim from joomlanetprojects.com in order to fix the vulnerability, he mentions this here, here and in the changelog of the component.
- ShopSystem SQL Injection vulnerability, also published on Exploit DB, expbase, packetstormsecurity.org, cnet.com, secunia, nullbyte.org.il, bug-blog.de, osvdb.org, securelist.com (Kaspersky), SecurityFocus, Juniper and hack0wn.
- OnePC mySite Management Software SQL Injection Vulnerability, also published on Exploit DB, ExpBase, cwo1f, nullbyte.org.il, packetstormsecurity.org and hack0wn.
- Joomla Component Multi-Venue Restaurant Menu Manager SQL Injection Vulnerability, also published on Exploit DB, hack0wn, cwo1f, SecurityReason, secunia, ExpBase, Security Database, Sioma Labs, osvdb.org, SecurityFocus, sebug.net, bug-blog.de, governmentsecurity.org, yesmybi.cn, nullbyte.org.il, securelist.com (Kaspersky), packetstormsecurity.org, and Juniper.
- Joomla Component QPersonel SQL Injection Vulnerability, also published on hack0wn, SecurityReason, Exploit DB, cwo1f, ExpBase, packetstormsecurity.org, sebug.net, osvdb.org, yesmybi.cn, secunia, SecurityFocus, nullbyte.org.il, Security Database, xforce.iss.net, and Juniper.
- Joomla Component com_pandafminigames SQL Injection Vulnerabilities, also published on siomalabs, Exploit DB, ExpBase, nullbyte.org.il, cw01f, packetstormsecurity.org, Juniper and hack0wn.
- Joomla Component com_joltcard SQL Injection Vulnerability, also published on hack0wn, ExpBase, Exploit DB, nullbyte.org.il, osvdb.org, sebug.net, SecurityReason, secunia, Juniper, launchpad.net and packetstormsecurity.org.
- dl_stats Multiple Vulnerabilities, also published on cwo1f.com, secunia, bug-blog.de, hack0wn, packetstormsecurity.org, osvdb.org, National Vulnerability Database, Vupen, cnet.com, SecurityReason, sans.org, SecurityFocus, xforce.iss.net, nullbyte.org.il, Juniper, securityspace.com, launchpad.net (2) and Exploit DB.
- phpGreetCards XSS Vulnerabilities, not really published, since I discovered afterwards that someone else had reported this vulnerability before. Anyway, some sites published it: cwo1f, Exploit DB, sebug.net, 0daynet.com, hack0wn, nullbyte.org.il, ExpBase, SecurityReason, SecurityFocus, secunia and packetstormsecurity.org.
- FlashCard XSS Vulnerability, also published on SecurityReason, bug-blog.de, hack0wn, SecurityFocus, osvdb.org, secunia, Juniper and packetstormsecurity.org.
- Guestbook PHP XSS Vulnerability, also published on Exploit DB, bug-blog.de, 0daynet.com, secunia, ExpBase, cwo1f, SecurityFocus, nullbyte.org.il, osvdb.org, packetstormsecurity.org, sans.org, Juniper and siomalabs.
- Auto-Img-Gallery XSS Vulnerability, also published on hack0wn, cnet.com, SecurityFocus, packetstormsecurity.org, xforce.iss.net, osvdb.org, Security Database, SecurityReason, Juniper, launchpad.net and secunia.
- Sethi Family Guestbook XSS Vulnerabilities, also published on Exploit DB, osvdb.org, ExpBase, packetstormsecurity.org, secunia, nullbyte.org.il, SecurityFocus, cnet.com, Juniper and SecurityReason.
- chCounter indirect SQL Injection and XSS Vulnerabilities, also published on Exploit DB, packetstormsecurity.org, ExpBase, cwo1f, hack0wn, SecurityReason, nullbyte.org.il, xforce.iss.net, entwickler.de, secunia, SecurityFocus and Juniper.
- Rad User Manager XSS Vulnerabilities, also published on packetstormsecurity.org and hack0wn.
- Joomla Component Card View JX XSS Vulnerabilities, also published on Exploit DB, cwo1f, ExpBase, hack0wn, packetstormsecurity.org, nullbyte.org.il, secunia and VUPEN.
- Joomla Component Table JX XSS Vulnerabilities, also published on cwo1f, 0daynet.com, packetstormsecurity.org, osvdb.org, bug-blog.de, nullbyte.org.il, Vupen, SecurityFocus, cve.mitre.org, National Vulnerability Database, xforce.iss.net, secunia and Exploit DB.
- damianov.net Shoutbox XSS Vulnerability, also published on hack0wn, ExpBase, SecurityReason, nullbyte.org.il, packetstormsecurity.org and Exploit DB.
- Joomla Component JE Ajax Event Calendar Local File Inclusion Vulnerability, also published on packetstormsecurity.org, hack0wn, secunia, Juniper, SecurityFocus, National Vulnerability Database, nullbyte.org.il, xforce.iss.net, cve.mitre.org, Security Database, osvdb.org, us-cert.gov, China Information Technology Security Vulnerability Database and Exploit DB.
- Joomla Component JE Job Local File Inclusion Vulnerability, also published on packetstormsecurity.org, hack0wn, secunia, Juniper, SecurityFocus, securelist.com (Kaspersky), forum.joomla.it, bugsearch.net, nullbyte.org.il and Exploit DB.
- Joomla Component ActiveHelper LiveHelp XSS Vulnerabilities, also published on packetstormsecurity.org, cnet.com, sebug.net, SecurityReason, hack0wn, osvdb.org, National Vulnerability Database, Security Database, SecurityFocus, cve.mitre.org, Juniper, us-cert.gov and secunia.
- Joomla Component My Car Multiple Vulnerabilities, also published on Exploit DB, packetstormsecurity.org, hack0wn, ExpBase, secunia, SecurityFocus, SecurityReason, osvdb.org, Vupen, National Vulnerability Database, nullbyte.org.il, xforce.iss.net(2), Juniper and us-cert.gov.
- Joomla Component Reservations XSS Vulnerability, also published on Exploit DB, packetstormsecurity.org, hack0wn, SecurityFocus, SecurityReason and Juniper.
- Joomla Component BF Quiz SQL Injection Vulnerability, also published on Exploit DB, ExpBase, secunia, SecurityFocus, SecurityReason, nullbyte.org.il, packetstormsecurity.org, 0daynet.com, osvdb.org, VUPEN, and Juniper.
- Dijitals CMS XSS Vulnerabilities, also published on hack0wn, bug-blog.de, bugsearch.net, osvdb.org(2), SecurityFocus, packetstormsecurity.org, SecurityReason, net-security.org, securelist.com (Kaspersky), VUPEN, Juniper and Secunia.
- Lyrics Script SQL Injection and Cross-Site Scripting Vulnerabilities, also posted on hack0wn, packetstormsecurity.org, secunia, nullbyte.org.il, VUPEN and Exploit DB.
- E-Book Store SQL Injection Vulnerability, also published on hack0wn, 0daynet.com, packetstormsecurity.org, secunia, securelist.com (Kaspersky), bug-blog.de, sans.org, ExpBase, Juniper, osvdb.org, SecurityReason, theglider.org, VUPEN, net-security.org, Hacking Expose, SecurityFocus and Exploit DB.
- Joke Website Script SQL Injection and Cross-Site Scripting Vulnerabilities, also published on hack0wn, packetstormsecurity.org, secunia, osvdb.org(2), bug-blog.de, SecurityReason, VUPEN, SecurityFocus, nullbyte.org.il, Juniper, lists.virus.org, bugsearch.net, 0daynet.com and Exploit DB.
- Daily Inspirational Quotes Script SQL Injection Vulnerability, also published on hack0wn, secunia, packetstormsecurity.org, SecurityFocus, osvdb.org, Juniper, ExpBase, SecurityReason, bugsearch.net, xforce.iss.net, nullbyte.org.il, VUPEN and Exploit DB.
- Membership Site Script SQL Injection Vulnerability, also published on hack0wn, secunia, packetstormsecurity.org, SecurityReason, ExpBase, bugsearch.net, xforce.iss.net, VUPEN, SecurityFocus, osvdb.org, nullbyte.org.il, securelist.com (Kaspersky), Juniper and Exploit DB.
- Joomla Component com_golfcourseguide SQL Injection Vulnerability, also published on Exploit DB, packetstormsecurity.org, SecurityReason, ExpBase, netcopsecurity.com, worksnet.net, xforce.iss.net, SecurityFocus, cve.mitre.org, National Vulnerability Database, securityhome.eu, nullbyte.org.il and osvdb.org.
- GaleriaSHQIP SQL Injection Vulnerability, also published on Exploit-DB, ExpBase, bugsearch.net, worksnet.net, launchpad.net, SecurityReason, secunia, packetstormsecurity.org, osvdb.org, National Vulnerability Database, xforce.iss.net, cve.mitre.org, SecurityFocus, Security Database and cvedetails.com.
- Mechbunny Porn Tube Search Script Multiple Vulnerabilities, also published on securityhome.eu, bugsearch.net, SecurityReason and packetstormsecurity.org.
- Mechbunny PaysiteReviewCMS Permanent XSS Vulnerabilities, also published on securityhome.eu, bugsearch.net, securelist.com (Kaspersky), SecurityReason, secunia, osvdb.org (2), xforce.iss.net and packetstormsecurity.org.
- Joomla Component com_nkc SQL Injection Vulnerability, also published on securityhome.eu, bugsearch.net, SecurityReason and packetstormsecurity.org.
- Joomla Component com_restaurantguide Multiple Vulnerabilities, also published on bugsearch.net, packetstormsecurity.org, ExpBase, SecurityReason, SecurityFocus and Exploit-DB.
- VideoDB Multiple Vulnerabilities, also published on Exploit-DB, allinfosec.com, secunia, packetstormsecurity.org, ExpBase, Securityhome.eu, SecurityReason and bugsearch.net.
- Zeeways Adserver Multiple Vulnerabilities, also published on bugsearch.net, bug.haik8.com, ExpBase, SecurityReason, packetstormsecurity.org and Exploit-DB.
- Joomla Component com_jsupport Critical XSS Vulnerability, also published on bugsearch.net, Exploit-DB, SecurityReason, cnet.com, secunia, securelist.com (Kaspersky), ExpBase, Hungary Cert, osvdb.org and on packetstormsecurity.org.
- Joomla Component com_jsupport SQL Injection Vulnerability, also published on bugsearch.net, Exploit-DB, SecurityReason, cnet.com, secunia, ExpBase, Hungary Cert, osvdb.org and on packetstormsecurity.org.
- OneOrZero AIMS v2.6.0 Members Edition Multiple Vulnerabilities, also published on packetstormsecurity.org, secunia, ExpBase, bugsearch.net, SecurityFocus (2), osvdb.org, SecurityReason, secday.com and on Exploit-DB.
- South Korean UTW CMS Multiple Vulnerabilities, also published on packetstormsecurity.org, SecurityReason, SecurityFocus, xforce.iss.net (2) (3) and on bugsearch.net.
- The Joomla Hacking Compendium, also posted on Exploit-DB, phpcamp.net, Xing, SecurityReason, Twitter, governmentsecurity.org, packetstormsecurity.org and mentioned by the Joomla! co-founder Brian Teeman.
- Joomla Component com_jmsfileseller Local File Inclusion Vulnerability, also published on Exploit-DB, securityhome.eu, packetstormsecurity.org, Juniper, secunia, SecurityFocus, SecurityReason, osvdb.org and bugsearch.net.
Misc
- Xen Overview Slides by Xen.org: Stephen Spector, Xen Community Manager and of course working at Citrix, created a Xen presentation which was translated by the Xen community. You can view the original file here and the German version (translated by me in Jan 2010) here. My German translation was published in this Xen.org blog entry.
- Xen.org Overview Brochure by Xen.org: Stephen Spector created this document. You can view the original file here and the German version (translated by me in Jan 2010) here. My German translation was published in this Xen.org blog entry.
- Xen.org Official Mascot: Not really a document and not made by me, but still I want to mention it here.
- Linux-Community.de: I submitted the “Tip der Woche”, you can find it here.
- Participation in the WHOIS protocol debate from June 2011; you can find my mail to ICANN here and here. Furthermore, my thoughts were included in the discussion overview (authored by ICANN).
- From time to time I also contribute to Wikipedia articles in English and German.
- Sometimes I also read IT books and get in contact with the author/publisher if I find any mistakes or feel able to contribute new content (my latest contribution was talking to the Galileo Verlag in August 2011).
- I am also the German translation maintainer of the Dual Battery Widget for Android.
- Article about KVM, Clustering and Monitoring in the 12/11 issue of the German Linux Magazine, together with Thilo and Markus. You can find an online preview here.
- Article about the Asus Transformer in the November 2011 issue of the German Android User. It was also published on the website.
