Bonsai Information Security - Vulnerability Research


Bonsai security consultants may find security vulnerabilities in many types of software during the course of their work. As responsible Internet citizens, we will:

  1. Make a good faith effort to work cooperatively and confidentially with any external software vendors to develop patches, fixes, or mitigation strategies for any vulnerability we discover.
  2. Coordinate with the vendor to publicly disclose the vulnerability and its associated patch in a responsible manner.
  3. Contribute these findings to the Internet community by publishing vulnerability advisories through Information Security Mailing Lists.

The policy outlining how Bonsai handles vulnerability disclosure is detailed here.

Bonsai is committed to responsible disclosure. We believe that it is the best way we can serve our customers and do our part to protect the Internet community. This is a list of our publicly reported vulnerabilities:

  1. 2010-12-09: VMware Tools update OS Command Injection
  2. 2010-10-13: Oracle Virtual Server Agent Command Injection
  3. 2010-08-03: Twitter Open Redirection Vulnerability
  4. 2010-06-29: Multiple XSS Vulnerabilities in TornadoStore
  5. 2010-06-29: Multiple SQL Injection in Tornado Store
  6. 2010-04-21: OS Command Injection in Cacti
  7. 2010-04-21: SQL Injection in Cacti
  8. 2010-04-14: Apache OFBiz Multiple XSS Vulnerabilities
  9. 2009-10-13: Multiple Cross Site Scriptings in Achievo
  10. 2009-10-13: SQL Injection in Achievo
  11. 2009-07-15: SQL Injection in CS-Cart