PHPKit 1.6.6: Code Execution for Privileged Users

7 min read 8 Dec 2016 by Martin Bednorz
Today’s gift in our advent calendar contains PHPKit, a German web content management system in development since early 2002. With its ~42,000 lines of code it is a rather small application and the latest version is 1.6.6. This post describes two severe vulnerabilities in the administration section that require a minimal user permission for exploitation.

Serendipity 2.0.3: From File Upload to Code Execution

8 min read 7 Dec 2016 by Hendrik Buchwald
Serendipity is an easy to maintain blog engine. There are a lot of plugins that can be used to extend the functionality, this article will focus on its core though. With close to 125,000 lines it is a medium-sized web application. In this post, we will show how attackers can bypass existing security mechanisms which can lead to remote code execution attacks.

Expression Engine 3.4.2: Code Reuse Attack

9 min read 5 Dec 2016 by Hendrik Buchwald
Expression Engine is a popular general purpose content management system that is used by thousands of individuals, organizations, and companies around the world. In this post, we will examine a code reuse vulnerability that leads to remote code execution. This vulnerability type allows an attacker to partly control the applications logic and to chain existing code fragements.