Serendipity 2.0.3: From File Upload to Code Execution

7 Dec 2016 by Hendrik Buchwald

Serendipity

Serendipity is an easy to maintain blog engine. There are a lot of plugins that can be used to extend the functionality, this article will focus on its core though. With close to 125,000 lines it is a medium-sized web application. In this post, we will show how attackers can bypass existing security mechanisms which can lead to remote code execution attacks.

Read More ...

Roundcube 1.2.2: Command Execution via Email

6 Dec 2016 by Robin Peraglie

Roundcube

Roundcube is a widely distributed open-source webmail software used by many organizations and companies around the globe. The mirror on SourceForge, for example, counts more than 260,000 downloads in the last 12 months1 which is only a small fraction of the actual users. Once Roundcube is installed on a server, it provides a web interface for authenticated users to send and receive emails with their web browser.

In this post, we show how a malicious user can remotely execute arbitrary commands on the underlying operating system, simply by writing an email in Roundcube 1.2.2 (>= 1.0). This vulnerability is highly critical because all default installations are affected. We urge all administrators to update the Roundcube installation to the latest version 1.2.3 as soon as possible.

Read More ...

Expression Engine 3.4.2: Code Reuse Attack

5 Dec 2016 by Hendrik Buchwald

Expression Engine

Expression Engine is a popular general purpose content management system that is used by thousands of individuals, organizations, and companies around the world. The open-source version has about 250,000 lines of code and is a medium-sized web application. In this post, we will examine a code reuse vulnerability that leads to remote code execution. This vulnerability type allows an attacker to partly control the applications logic and to chain existing code fragements.

Read More ...

Introducing the RIPS analysis engine

4 Dec 2016 by Johannes Dahse

RIPS

In today’s post, we would like to share some insights into our static code analysis engine RIPS that detected the security bugs described in the previous and upcoming calendar gifts. The engine has a long history and went through several generations before reaching its current performance. What does it actually do within the few seconds after you click on the scan button and the first vulnerability report pops up? How can a security vulnerability be automatically detected in source code? Let’s have a look.

Read More ...

eFront 3.6.15: Steal your professors password

3 Dec 2016 by Martin Bednorz

eFront

Today, we present our analysis results for eFront, the open-source edition of the thriving e-learning platform eFrontPro. The platform is used by hundreds of organizations world-wide and consists of over 700,000 lines of PHP code, rendering manual security analysis ineffective at best. We will analyze two SQL injections that can be used to leak sensitive data and demonstrate two related RIPS features for detection.

Read More ...