Announcing the Advent of PHP Application Vulnerabilities


Advent

As the year is slowly coming to an end and the Christmas decorations are starting to brighten up the streets, we at RIPS Technologies decided to give back to the wonderful community surrounding PHP and information security. Starting on December 1st, we are going to open one gift of our advent calendar each day until the 24th. Our gifts are technical blog posts about specific real-world security vulnerabilities in open-source PHP applications that examine PHP security characteristics and how to avoid common pitfalls.

Why?

At RIPS Technologies we continually scan open-source projects with our award-winning static code analysis solution RIPS for further analysis improvement. As we grew up with open-source software all around us and used it for many projects, we are now in the unique position to be able to give back to the open-source community and provide it with best-in-class security analysis. This way we can help open-source projects to remmediate overlooked security issues and to make the web a safer place.

The APAV

Each day, starting from December 1st, we are going to release one blog post until the 24th. Typically, our posts are going to cover one critical security vulnerability in a popular open-source PHP application that was found using RIPS. Each post will provide insights into different aspects of web application security issues and help developers to better understand the selected issue. In addition, we demonstrate how invaluable static code analysis is to find critical security issues in large code bases. All detected security vulnerabilities were reported responsibly to the affected vendors beforehand in a timely manner.

If you can not wait until December 1st you can already have a look at some bugs we found in the past. Our vulnerability database highlights a list of security vulnerabilities in popular open-source software that were found using RIPS and references related blog posts and demo reports of our tool.

Vulnerability Database

We wish all our readers a nice December season and a safe year 2017!


Follow us on Twitter to be notified when the next gift of our advent calendar is opened!

APAV Time Table

DateAuthorTitle
24 Dec 2016Johannes DahseWhat we learned from our Advent Calendar
23 Dec 2016Hendrik Buchwalde107 2.1.2: SQL Injection through Object Injection
22 Dec 2016Daniel PeerenSecurity Compliance with Static Code Analysis
21 Dec 2016Martin BednorzAbanteCart 1.2.8 - Multiple SQL Injections
20 Dec 2016Martin BednorzKliqqi 3.0.0.5: From Cross-Site Request Forgery to Code Execution
19 Dec 2016Robin PeraglieosClass 3.6.1: Remote Code Execution via Image File
18 Dec 2016Daniel PeerenContinuous Integration - Jenkins at your service
17 Dec 2016Johannes DahseOpenConf 5.30 - Multi-Step Remote Command Execution
16 Dec 2016Robin PeraglieRedaxo 5.2.0: Remote Code Execution via CSRF
15 Dec 2016Dennis DeteringGuest Post: Vtiger 6.5.0 - SQL Injection
14 Dec 2016Hendrik BuchwaldThe State of Wordpress Security
13 Dec 2016Johannes DahsephpBB 2.0.23 - From Variable Tampering to SQL Injection
12 Dec 2016Martin BednorzTeampass 2.1.26.8: Unauthenticated SQL Injection
11 Dec 2016Daniel PeerenRescanning Applications with RIPS
10 Dec 2016Hendrik BuchwaldNon-Exploitable Security Issues
9 Dec 2016Hendrik BuchwaldPrecurio 2.1: Remote Command Execution via Xinha Plugin
8 Dec 2016Martin BednorzPHPKit 1.6.6: Code Execution for Privileged Users
7 Dec 2016Hendrik BuchwaldSerendipity 2.0.3: From File Upload to Code Execution
6 Dec 2016Robin PeraglieRoundcube 1.2.2: Command Execution via Email
5 Dec 2016Hendrik BuchwaldExpression Engine 3.4.2: Code Reuse Attack
4 Dec 2016Johannes DahseIntroducing the RIPS analysis engine
3 Dec 2016Martin BednorzeFront 3.6.15: Steal your professors password
2 Dec 2016Martin BednorzCoppermine 1.5.42: Second-Order Command Execution
1 Dec 2016Hendrik BuchwaldFreePBX 13: From Cross-Site Scripting to Remote Command Execution
25 Nov 2016Martin BednorzAnnouncing the Advent of PHP Application Vulnerabilities

Disclaimer: The information provided here is for educational purposes only. It is your responsibility to obey all applicable local, state and federal laws. RIPS Technologies GmbH assumes no liability and is not responsible for any misuse or damages caused by direct or indirect use of the information provided.

Tags: apav, php, security, rips,

Comments

comments powered by Disqus