Why mail() is dangerous in PHP

3 May 2017 by Robin Peraglie
Email Security in PHP

During our advent of PHP application vulnerabilities, we reported a remote command execution vulnerability in the popular webmailer Roundcube (CVE-2016-9920). This vulnerability allowed a malicious user to execute arbitrary system commands on the targeted server by simply writing an email via the Roundcube interface. After we reported the vulnerability to the vendor and released our blog post, similar security vulnerabilities that base on PHP’s built-in mail() function popped up in other PHP applications 1 2 3 4. In this post, we have a look at the common ground of these vulnerabilities, which security patches are faulty, and how to use mail() securely.

Read More ...

OpenConf 5.30 - Multi-Step Remote Command Execution

17 Dec 2016 by Johannes Dahse

OpenConf

Today, we present a multi-step command execution vulnerability in the popular conference management software OpenConf. The vulnerability was reported and fixed a while ago, but the chain of 4 exploitation steps involved makes it a very interesting vulnerability sample for our advent calendar. 4 - 3 - 2 - 1 …

Read More ...

Redaxo 5.2.0: Remote Code Execution via CSRF

16 Dec 2016 by Robin Peraglie

Redaxo CMS

Redaxo 5.2.0 is the latest release of a simple content management system that is mostly used in Germany. Today we are going to present our scan results for Redaxo and explain how completely omitting anti-CSRF measures can have a significant security impact.

Read More ...

Coppermine 1.5.42: Second-Order Command Execution

2 Dec 2016 by Martin Bednorz

Coppermine

The second gift in our advent calendar contains descriptions of vulnerabilities in Coppermine, a very popular picture gallery application written in PHP and in active development since 2003. It consists of ~160,000 lines of code (medium-sized web application) and is downloaded roughly 1,200 times per week.

Read More ...

FreePBX 13: From Cross-Site Scripting to Remote Command Execution

1 Dec 2016 by Hendrik Buchwald

FreePBX

FreePBX is a web-based graphical user interface that helps users to manage voice-over-IP services. According to the creator, there are over one million production systems using FreePBX worldwide and 20,000 new installations monthly 1. It is the most widely deployed open-source PBX (Private Branch Exchange) platform in use across the world.

Recently, the announcement of a critical security vulnerability caught our attention that was fixed in August 2. Since FreePBX is written completely in PHP, we decided to throw it into our code analysis tool RIPS. The results were more than surprising…

Read More ...