Joomla! 3.7.5 - Takeover in 20 Seconds with LDAP Injection

6 min read 20 Sep 2017 by Robin Peraglie
With over 84 million downloads, Joomla! is one of the most popular content management systems. Our code analysis solution RIPS detected a previously unknown LDAP injection vulnerability in the login controller. This one vulnerability could allow remote attackers to leak the super user password and to fully take over any Joomla! <= 3.7.5 installation that uses LDAP for authentication.

e107 2.1.2: SQL Injection through Object Injection

7 min read 23 Dec 2016 by Hendrik Buchwald
The 23rd gift in our advent calendar presents security issues in e107, a content management system that is in development since 2013. Among others, we identified a critical issue that allows any user to update his permissions and to extract sensitive information from the database by exploiting a PHP Object Injection vulnerability.

Kliqqi 3.0.0.5: From Cross-Site Request Forgery to Code Execution

9 min read 20 Dec 2016 by Martin Bednorz
Today’s gift in our advent calendar contains descriptions of vulnerabilities in Kliqqi, the successor to the popular Pligg CMS mostly used for the creation of interactive social communities. Due to missing CSRF protection, an attacker is able to prepare a website that ultimately leads to code execution on the applications server when visited by a target.

Redaxo 5.2.0: Remote Code Execution via CSRF

8 min read 16 Dec 2016 by Robin Peraglie
Redaxo 5.2.0 is the latest release of a simple content management system that is mostly used in Germany. Today we are going to present our scan results for Redaxo and explain how completely omitting anti-CSRF measures can have a significant security impact.

PHPKit 1.6.6: Code Execution for Privileged Users

7 min read 8 Dec 2016 by Martin Bednorz
Today’s gift in our advent calendar contains PHPKit, a German web content management system in development since early 2002. With its ~42,000 lines of code it is a rather small application and the latest version is 1.6.6. This post describes two severe vulnerabilities in the administration section that require a minimal user permission for exploitation.