
March 31st 2010

Software BUG

SQL Injection vulnerability in TikiWiki 4.1

During internal work carried out by our team, Mateusz Drygas discovered an SQL Injection vulnerability in the TikiWiki portal system. This problem affects all versions up to 4.2 and 3.5 LTS.
Please look at our full advisory.

June 5th 2009

StartUp

Advertising on the Internet - workshop

On 5th June 2009 Poznan University of Technology held another meeting as part of the Startup-IT program, this time entitled "Internet Advertising - how to promote your own portal". Security Team member Jakub Tomaszewski described easy-to-apply and effective ways to block advertising on the web. We encourage everyone to download the presentation (in Polish) we prepared especially for this occasion.

April 29th 2009

Presentation from the PSNC Supercomputing Department training

On 29 April 2009, PSNC Security Team gave its first lecture this year in the Supercomputing Department training series. Tomasz Nowocien prepared an introduction to web application security.

For more information - please download materials.

February 26th and 27th 2009

StartUp

Poznan .NET Group meeting and Startup IT - performances

Please take a look at the latest presentations given by PSNC Security Team at the end of February. This time we had the opportunity to participate in both the Poznan .NET Group meeting (Gerard Frankowski, 26.02) and the Startup IT initiative (Gerard Frankowski and Jakub Tomaszewski, 27.02). The presentations were deliberately prepared to help people thinking about starting their own microenterprises.

For further information - please download available materials:

October 24th and 29th 2008

StartUp

Schools and microenterprises security

After the SECURE 2008 conference speech, PSNC Security Team members once again had the opportunity to promote IT security in different environments. Presentations were given as part of the StartUp-IT program and the "Secure Internet" conference.

October 15th 2008

Live show at PGCIC meeting in Poznan

AHK

Members of PSNC Security Team, Marcin Jerzak and Jakub Tomaszewski, participated in a Polish-German Chamber of Industry and Commerce meeting held on 15 October in the Sheraton Hotel in Poznan. The Polish-German Chamber of Industry and Commerce (PGCIC) is the largest organization of that kind in Poland, bringing together more than 950 companies. The main tasks of PGCIC are supporting German companies in Poland as well as Polish companies in Germany, and also informing about the German market. PGCIC is one of 83 German Foreign Chambers of Commerce and Industry (AHK), considered by the German Association of Chambers of Commerce and Industry (German: Deutscher Industrie- und Handelskammertag, DIHK) and the National Chamber of Commerce.

During the meeting, Jakub and Marcin gave the presentation "Data loss in companies - Facts and Myths". Participants learned, among other things, about risks in different areas of IT in today's organizations. Of particular interest, however, was a live attack show on the encrypted connection of several popular sites that offer free access to mail over the WWW (webmail). The speeches met with great approval from participants, and the live show attracted special interest.

Marcin Jerzak, Jakub Tomaszewski: Data loss prevention - Facts and Myths (PDF, 0.7 MB)

October 3rd 2008

Presentation at Secure 2008 conference

Secure2008

Members of PSNC Security Team, Blazej Miga and Gerard Frankowski, spoke at the SECURE 2008 conference (2-3 October 2008, Hotel Hyatt Regency Warsaw). SECURE is one of the oldest Polish conferences about network and ICT systems security. It has a reputation as one of the biggest events of this type in Europe. This year's twelfth edition was organized jointly by NASK, CERT Poland and the ENISA organization (the Polish National Security Agency was also a conference co-organizer). The conference was also under the patronage of the Minister of Science and Higher Education, Professor Barbara Kudrycka, and the Vice-President of the Council of Ministers, Minister of Internal Affairs and Administration, Grzegorz Schetyna.

At the end of the second day of the conference Blazej and Gerard presented the results of studies on public-key infrastructure in the context of the bug (published on May 13, 2008) in a Pseudo-Random Number Generator in one of the open source operating systems. During the presentation Gerard and Blazej explained how public key infrastructure works, how one can break an RSA key, and why we cannot totally trust all the certificates issued by trusted certification centers (CAs). Despite the unfortunate time of the presentation (last spot on the agenda on Friday!), the talk was received very well. We encourage you to download a slightly extended version of the slides (with a couple of additional ones containing examples) - in Polish.

More information about the conference: http://www.secure.edu.pl

Blazej Miga, Gerard Frankowski: 13.05.2008 (PDF, 2.8 MB)

September 23rd 2008

Performance at Microsoft Academic Conference

PSNC Security Team representative Marcin Jerzak appeared at Microsoft's annual Academic Conference, held on 22-24 September by the Microsoft Education Team in Rosnówko near Poznan.

The main topics of the conference were the latest Microsoft Universities cooperation programs, which are to be introduced in the upcoming academic year, and the latest Microsoft technology. On the second day of the conference Marcin Jerzak gave a presentation. He explained how to secure the now widely used Windows 2003 Server platform.

Marcin Jerzak: Securing Windows Server 2003 platform (PDF, 2.3 MB)

March 20th 2008

IDC Security Roadshow 2008 conference performance

IDC Security Roadshow 2008

Members of PSNC Security Team were invited to participate in the IDC Security Roadshow 2008 - Business Protection: People and Technology conference as independent experts, to give a presentation on security services outsourcing.

During the presentation, which took place in the Warsaw Marriott hotel, Gerard Frankowski and Jakub Tomaszewski explained how external security audits work, what problems they have encountered and which solutions they consider the most appropriate. The presentation was very well received.

Presentation available for download (PDF, in Polish)

Gerard Frankowski, Jakub Tomaszewski: External Security Audits (1.8 MB)

November 9th 2007

Report about security of on-line shopping

PSNC Security Team evaluated the security level of on-line shopping services available on the Polish market. The revenue of the firms providing services in that sector (on the Polish market) oscillated around ... in the year 2007. Thus it is worth making sure that customers' money is safe and secure.

We decided to check 50 randomly chosen Polish on-line shops. We directed our tests to evaluate only the session and cookie handling mechanisms. If you are interested, please do not hesitate to read our report.

Report in PDF file (154 KB, available only in Polish)

November 9th 2007

Conference talk on the IT Underground 2007

IT Underground

Blazej Miga and Gerard Frankowski were speakers at the IT Underground 2007 Conference. The international conference, which lasted three days and took place in Warsaw, gathered together a large number of security specialists. The topic of our representatives' talk was the security of the Microsoft Information Services in version 7.0. The number of questions raised by the audience proves that the presentation was very interesting and worth attending.

Our presentation is available for download.

Presentation (PDF, 1.8 MB).

October 21st 2007

SecureCON 2007 Conference (Wroclaw)

SecureCON 2007

The Congress Center of the Wroclaw University of Technology was the venue of the SecureCON 2007 conference, devoted to all aspects of computer security. The motto of the conference was the phrase: "In Secure World We Trust". More than 200 participants had an opportunity to watch the presentation prepared by members of the Security Team of PSNC. Blazej Miga and Gerard Frankowski inaugurated the first day of the conference. They spoke about a research project connected with the security of Microsoft IIS 7.0. The project is part of the work done as a result of the Microsoft Innovation Center initiative.

We encourage you to download the presentation prepared exclusively for that conference.

Presentation (PDF, 3.5 MB).

May 29th 2007

Apache httpd vulnerabilities

PSNC Security Team would like to communicate that as a result of the Apache httpd (ver 1.3.x, 2.x) source code audit, several security vulnerabilities have been found. These vulnerabilities make a successful DoS attack against services and the local system possible. The basic information about the vulnerabilities:

Vuln #1
Httpd Server DoS
Tested versions: ver 2.0.59, 2.2.4, prefork mpm module

Vuln #2
SIGUSR1 killer
Tested versions: ver 2.0.59, 2.2.4, prefork mpm module

Vuln #3
SIGUSR1 killer
Tested versions: ver 1.3.37

Vuln #4
System DoS
Tested versions: ver 2.0.59, 2.2.4, prefork mpm module

The full notice about the bugs mentioned above was sent to the Apache Software Foundation on May 16th 2006 (sic!). After a year, an official patch has not been released.

More information about the vulnerabilities is in the report (in Polish).

August 31st 2006

Internet Banking Security 2006

The Internet Banking Security 2006 conference took place in Mikolajki and lasted from August 28th to August 30th. During the conference the PSNC Security Team, represented by Jaroslaw Sajko and Michal Melewski, presented a report about the security of electronic banking, extended by some additional, practical information.

The talk was warmly welcomed and followed by a long discussion. The discussion concentrated on policies for the disclosure of vulnerability notes and the influence of such vulnerabilities on the overall security level of e-banking services. Moreover, the participants also discussed procedures that could reduce the risk level caused by improperly patched or configured systems in the future.

May 14th 2006


CONFidence 2006 in Cracow

It was a pleasure for the Team members to participate again (for the second time) in the CONFidence conference. The conference is devoted to security systems and physical security. Blazej Miga and Jaroslaw Sajko presented talks about the security of the Apache web server and extensions of iptables, respectively. The speakers were supported by the presence of Michal Melewski. He was responsible for asking them tough questions. The content of the talks turned out to be a natural basis for the conversations during the informal part of the conference.

The presentations (in Polish) are available for download:
Blazej Miga - Hacking Apache Web Server
Jaroslaw Sajko - IPTables Hacking

All persons who would like to extend their knowledge about iptables are kindly invited to attend the course organized by the Supercomputing Department of PSNC. The final date of the course will be available soon. For further information please see this website.

February 14th 2006


"Secure" E-Banking

Nowadays, the fast growth of electronic banking services has made them as popular as automatic teller machines (ATMs). On the web pages of most banks it is quite easy to find a login panel. After a successful login we get access to the information about our account. We can check the current balance, debits and credits, open an account or apply for a loan. Most of these data are of course confidential. Banks usually assure us that they properly secure their clients' data as well as their money. Should we trust banks' spokesmen before we check the truth?

The PSNC Security Team analyzed publicly available data about the configuration of secure connections (based on Secure Sockets Layer) to e-banking systems. The analysis covered 41 e-banking portals providing services in Poland. Although the tests concern only a narrow range of security analysis, the results allow valuable conclusions to be drawn. If you are interested, read the report (in Polish).

Report - version 1.09 (in Polish)

Main topics:

Secure 2008 conference
Blazej Miga and Gerard Frankowski spoke as independent experts at the Secure 2008 conference. In Warsaw, Blazej and Gerard explained how PKI infrastructure works in the context of security, especially when "weak" certificates are used, and what the result of that can be.


PGCIC meeting in Poznan
Members of PSNC Security Team, Marcin Jerzak and Jakub Tomaszewski, participated in a Polish-German Chamber of Industry and Commerce meeting. Marcin and Jakub gave a presentation about today's threats to companies and also demonstrated how to exploit SSL-secured webmails by using a Man In The Middle attack.


Related topics:

Security services
The new PSNC Security Team Security Services catalogue is available in the Services section
Catalogue (in Polish)

On-line shopping security
PSNC Security Team decided to take a closer look at electronic shopping services. The result of our work is a report (in Polish).

Internet Banking
A report about the status of internet banking security in Poland is available here, and the reaction in the media here