Web Application
Security Research

In-depth analysis of our latest vulnerability findings and best practices for secure development.

OpenConf 5.30 - Multi-Step Remote Command Execution

10 min read 17 Dec 2016 by Johannes Dahse
Today, we present a multi-step command execution vulnerability in the popular conference management software OpenConf. The vulnerability was reported and fixed a while ago, but the chain of 4 exploitation steps involved makes it a very interesting vulnerability sample for our advent calendar. 4 - 3 - 2 - 1 …

Redaxo 5.2.0: Remote Code Execution via CSRF

8 min read 16 Dec 2016 by Robin Peraglie
Redaxo 5.2.0 is the latest release of a simple content management system that is mostly used in Germany. Today we are going to present our scan results for Redaxo and explain how completely omitting anti-CSRF measures can have a significant security impact.

Guest Post: Vtiger 6.5.0 - SQL Injection

7 min read 15 Dec 2016 by Dennis Detering
The Vtiger CRM is an open source Customer Relationship Management software developed by Vtiger. With more than 4.5 million downloads on SourceForge it enjoys great popularity. Some weeks ago, I had the chance to play with RIPS and test its features - and was invited as guest author to write this post. As I did some manual research of the Vtiger CRM before and already found several vulnerabilities, I decided to use it for my first experiments with RIPS.

The State of Wordpress Security

16 min read 14 Dec 2016 by Hendrik Buchwald
Plugins from the community are an integral part of most Wordpress sites. We downloaded all 47,959 plugins that are available from the official Wordpress repository and analyzed them with our static code analyzer RIPS. Shockingly, about every second larger plugin contains at least one medium severity issue. But is it really that bad?

phpBB 2.0.23 - From Variable Tampering to SQL Injection

7 min read 13 Dec 2016 by Johannes Dahse
In our 12th advent calendar gift, we would like to cover an exciting SQL injection in phpBB2. Although phpBB2 was replaced by its successor phpBB3, it is still one of the most popular bulletin boards. RIPS detected a less severe but very beautiful SQL injection vulnerability that bases on a PHP quirk we will examine in detail in this post.