Posts by author: Robin Peraglie

Redaxo 5.2.0: Remote Code Execution via CSRF

8 min read 16 Dec 2016 by Robin Peraglie
Redaxo 5.2.0 is the latest release of a simple content management system that is mostly used in Germany. Today we are going to present our scan results for Redaxo and explain how completely omitting anti-CSRF measures can have a significant security impact.

Roundcube 1.2.2: Command Execution via Email

10 min read 6 Dec 2016 by Robin Peraglie
Roundcube is a widely distributed open-source webmail software used by many organizations and companies around the globe. In this post, we show how a malicious user can remotely execute arbitrary commands on the underlying operating system, simply by writing an email in Roundcube 1.2.2 (>= 1.0). This vulnerability is highly critical because all default installations are affected.