Expression Engine 3.4.2: Code Reuse Attack

17 min read 5 Dec 2016 by Hendrik Buchwald
Expression Engine is a popular general purpose content management system that is used by thousands of individuals, organizations, and companies around the world. In this post, we will examine a code reuse vulnerability that leads to remote code execution. This vulnerability type allows an attacker to partly control the applications logic and to chain existing code fragements.

eFront 3.6.15: Steal your professors password

14 min read 3 Dec 2016 by Martin Bednorz
Today, we present our analysis results for eFront, the open-source edition of the thriving e-learning platform eFrontPro. The platform is used by hundreds of organizations world-wide and consists of over 700,000 lines of PHP code, rendering manual security analysis ineffective at best. We will analyze two SQL injections that can be used to leak sensitive data.

Coppermine 1.5.42: Second-Order Command Execution

20 min read 2 Dec 2016 by Martin Bednorz
The second gift in our advent calendar contains descriptions of vulnerabilities in Coppermine, a very popular picture gallery application written in PHP and in active development since 2003. It consists of ~160,000 lines of code (medium-sized web application) and is downloaded roughly 1,200 times per week.

FreePBX 13: From Cross-Site Scripting to Remote Command Execution

20 min read 1 Dec 2016 by Hendrik Buchwald
FreePBX is a web-based graphical user interface that helps users to manage voice-over-IP services. With over one million production systems using FreePBX worldwide it is the most widely deployed open-source PBX (Private Branch Exchange) platform. Since FreePBX is written completely in PHP, we decided to throw it into our code analysis tool RIPS. The results were surprising…