Posts by author: Johannes Moritz

Bitbucket 6.1.1 Path Traversal to RCE

6 min read 3 Sep 2019 by Johannes Moritz
Bitbucket is one of the worlds leading version control software allowing millions of developers to manage Git repositories and collaborate on source code. Bitbucket is developed by the Australian software company Atlassian which is also kown for Confluence and Jira. In this blog post we will analyse how a common but often overseen security issue found by RIPS Code Analysis leads to a critical vulnerability in Bitbucket (CVE-2019-3397). The issue is caused by the insecure extraction of a compressed TAR archive.

dotCMS 5.1.5: Exploiting H2 SQL injection to RCE

6 min read 25 Jun 2019 by Johannes Moritz
In this blog post we will show how to exploit a SQL injection vulnerability (CVE-2019-12872) found by RIPS Code Analysis in the popular java-based content management system dotCMS and how we escalated it to execute code remotely.

The Hidden Flaws of Archives in Java

4 min read 29 May 2019 by Johannes Moritz
Archives such as Zip, Tar, Jar or 7z are useful formats to collect and compress multiple files or directories in a container-like structure. However, the extraction of archives can introduce security risks which resulted in multiple critical vulnerabilities in popular applications in the past. In this post we explain the risk behind archive extraction and show how to securely extract archives in Java.

LogicalDOC 8.2 Path Traversal Vulnerability

5 min read 26 Mar 2019 by Johannes Moritz
LogicalDOC is a global software company offering a popular Java-based document management solution as a community or enterprise edition of the same name. In this blog post we will examine a path traversal vulnerability (CVE-2019-9723) which allows malicious guest users to steal arbitrary documents and files from the server.