Web Application
Security Research

In-depth analysis of our latest vulnerability findings and best practices for secure development.

Non-Exploitable Security Issues

7 min read 10 Dec 2016 by Hendrik Buchwald
In our previous calendar posts, we covered specific security issues in popular open-source applications that were detected by our code analysis solution RIPS. Most of the released issues lead to remote command execution, the most critical security vulnerability in PHP applications. But are all findings always exploitable? For more diversity of our calendar, we would like to introduce a few interesting examples today that turned out to be not exploitable and how RIPS handles these scenarios.

Precurio 2.1: Remote Command Execution via Xinha Plugin

8 min read 9 Dec 2016 by Hendrik Buchwald
Precurio is an Intranet portal that can be used as a calendar, phone directory, and much more. It is available as an open-source and commercial solution. We focused our analysis exclusively on the open-source version and detected several critical vulnerabilities that can be used to execute PHP code on the target system without any form of authentication.

PHPKit 1.6.6: Code Execution for Privileged Users

7 min read 8 Dec 2016 by Martin Bednorz
Today’s gift in our advent calendar contains PHPKit, a German web content management system in development since early 2002. With its ~42,000 lines of code it is a rather small application and the latest version is 1.6.6. This post describes two severe vulnerabilities in the administration section that require a minimal user permission for exploitation.

Serendipity 2.0.3: From File Upload to Code Execution

8 min read 7 Dec 2016 by Hendrik Buchwald
Serendipity is an easy to maintain blog engine. There are a lot of plugins that can be used to extend the functionality, this article will focus on its core though. With close to 125,000 lines it is a medium-sized web application. In this post, we will show how attackers can bypass existing security mechanisms which can lead to remote code execution attacks.

Roundcube 1.2.2: Command Execution via Email

10 min read 6 Dec 2016 by Robin Peraglie
Roundcube is a widely distributed open-source webmail software used by many organizations and companies around the globe. In this post, we show how a malicious user can remotely execute arbitrary commands on the underlying operating system, simply by writing an email in Roundcube 1.2.2 (>= 1.0). This vulnerability is highly critical because all default installations are affected.