Security Compliance with Static Code Analysis

22 Dec 2016 by Daniel Peeren

Compliance

Compliance describes the adherence to regulations and commitments organizations have to fulfill in certain sectors. Security is an integral part of many regulations. In general, a company is compliant if a snapshot of the current security arrangements meets a specific set of requirements. These requirements are defined by several regulatory organizations or standards, for example PCI DSS, HIPAA, or the ISO27k-series. If your company is bound to - or would like to - comply to these standards, read on and learn how the security requirements can be achived with a SAST tool.

Read More ...

AbanteCart 1.2.8 - Multiple SQL Injections

21 Dec 2016 by Martin Bednorz

AbanteCart

In our 21st advent calendar gift, we cover AbanteCart, a very popular e-commerce solution that just turned 5 years old last month. RIPS found multiple SQL injections, PHP object injections, and the complementary cross-site scriptings so that the more severe vulnerabilities can be exploited. Interestingly, the AbanteCart website was defaced just moments before we send out our analysis report to the development team.

Read More ...

Kliqqi 3.0.0.5: From Cross-Site Request Forgery to Code Execution

20 Dec 2016 by Martin Bednorz

Kliqqi

Today’s gift in our advent calendar contains descriptions of vulnerabilities in Kliqqi, the successor to the popular Pligg CMS mostly used for the creation of interactive social communities. Due to missing CSRF protection, an attacker is able to prepare a website that ultimately leads to code execution on the applications server when visited by a target.

Read More ...

osClass 3.6.1: Remote Code Execution via Image File

19 Dec 2016 by Robin Peraglie

osClass

In todays calendar gift, we present another beautiful chain of vulnerabilities which, in the end, allows an attacker to remotely execute arbitrary PHP code. This time, an attacker can smuggle his PHP payload through a valid image file. The issues were detected by RIPS in the open source marketplace software osClass 3.6.1 used for creating classifieds sites.

Read More ...

Continuous Integration - Jenkins at your service

18 Dec 2016 by Daniel Peeren

Continous Integration Jenkins

Continuous integration (CI) is a powerful tool to increase the quality of software and to save valuable time in the development process. An integral aspect of continuous integration is the automated testing of source code to reduce the likelihood of risks, bugs, and errors. In order to assist developers in writing secure code, it is possible to connect the sophisticated security analysis of RIPS into existing CI tools. In this post, we will introduce our plugin for Jenkins, one of the most popular automation platforms in the world, that can automatically warn you whenever a new security issue is introduced to your code base.

Read More ...