Guest Post: Vtiger 6.5.0 - SQL Injection

7 min read 15 Dec 2016 by Dennis Detering
The Vtiger CRM is an open source Customer Relationship Management software developed by Vtiger. With more than 4.5 million downloads on SourceForge it enjoys great popularity. Some weeks ago, I had the chance to play with RIPS and test its features - and was invited as guest author to write this post. As I did some manual research of the Vtiger CRM before and already found several vulnerabilities, I decided to use it for my first experiments with RIPS.

phpBB 2.0.23 - From Variable Tampering to SQL Injection

7 min read 13 Dec 2016 by Johannes Dahse
In our 12th advent calendar gift, we would like to cover an exciting SQL injection in phpBB2. Although phpBB2 was replaced by its successor phpBB3, it is still one of the most popular bulletin boards. RIPS detected a less severe but very beautiful SQL injection vulnerability that bases on a PHP quirk we will examine in detail in this post.

Teampass 2.1.26.8: Unauthenticated SQL Injection

10 min read 12 Dec 2016 by Martin Bednorz
The next gift in our advent calendar reveals security issues in Teampass, a collaborative password manager first published in late 2011. We detected a critical unauthenticated SQL injection and many file inclusions which could have led to many leaked passwords and angry users. The issues were reported and fixed earlier this year.

Precurio 2.1: Remote Command Execution via Xinha Plugin

8 min read 9 Dec 2016 by Hendrik Buchwald
Precurio is an Intranet portal that can be used as a calendar, phone directory, and much more. It is available as an open-source and commercial solution. We focused our analysis exclusively on the open-source version and detected several critical vulnerabilities that can be used to execute PHP code on the target system without any form of authentication.

PHPKit 1.6.6: Code Execution for Privileged Users

7 min read 8 Dec 2016 by Martin Bednorz
Today’s gift in our advent calendar contains PHPKit, a German web content management system in development since early 2002. With its ~42,000 lines of code it is a rather small application and the latest version is 1.6.6. This post describes two severe vulnerabilities in the administration section that require a minimal user permission for exploitation.