5 min read 8 Oct 2019 by Dennis Brinkrolf
5 min read 16 Jul 2019 by Robin Peraglie
In this technical blog post we examine a critical vulnerability in the core of the TYPO3 CMS which was detected by our static code analysis tool RIPS (CVE-2019-12747). A reliable exploit allows the execution of arbitrary PHP code on the underlying system as authenticated user.
9 min read 13 Mar 2019 by Simon Scannell
Last month we released an authenticated remote code execution (RCE) vulnerability in WordPress 5.0. This blog post reveals another critical exploit chain for WordPress 5.1 that enables an unauthenticated attacker to gain remote code execution on any WordPress installation prior to version 5.1.1 (CVE-2019-9787).
15 min read 19 Feb 2019 by Simon Scannell
10 min read 29 Jan 2019 by Simon Scannell
A recent Capture-The-Flag tournament hosted by Insomni’hack challenged participants to craft an attack payload for Drupal 7. This blog post will demonstrate our solution for a PHP Object Injection with a complex POP gadget chain.