Web Application Security Research

In-depth analysis of our latest vulnerability findings and best practices for secure development.

phpBB 3.2.3: Phar Deserialization to RCE

7 min read 20 Nov 2018 by Simon Scannell
A new PHP exploit technique affects the most famous forum software phpBB3. The vulnerability allows attackers who gain access to an administrator account to execute arbitrary PHP code and to take over the entire board (CVE-2018-19274).

Pydio 8.2.1 Unauthenticated Remote Code Execution

4 min read 13 Nov 2018 by Simon Scannell, Robin Peraglie
Pydio is a popular file sharing solution used by enterprises and governments around the world. It suffered from a highly critical vulnerability that allowed unauthenticated attackers to compromise the entire file sharing server and to execute arbitrary code on the remote machine (CVE-2018-20718). Find out more about the impact and technical details in our blog post.

WordPress Design Flaw Leads to WooCommerce RCE

7 min read 6 Nov 2018 by Simon Scannell
A flaw in the way WordPress handles privileges can lead to a privilege escalation in WordPress plugins. This affects, for example, WooCommerce, the most popular e-commerce plugin with over 4 million installations. The vulnerability allows shop managers to delete certain files on the server and then to take over any administrator account (CVE-2018-20714).

WordPress Configuration Cheat Sheet

6 min read 31 Oct 2018 by Nils Werner
WordPress is the most frequently installed web application in the world. The system is operated not only by experienced developers but also by beginners. In this blog post, we summarize what to look out for when configuring your WordPress installation’s security.

What is PHP Object Injection

6 min read 9 Oct 2018 by Simon Scannell
A very common and critical vulnerability in PHP applications is PHP Object Injection. This blog post explains how it works and how it can lead to a full site takeover by remote attackers.