Today’s gift in our advent calendar contains descriptions of vulnerabilities in Kliqqi, the successor to the popular Pligg CMS mostly used for the creation of interactive social communities. Due to missing CSRF protection, an attacker is able to prepare a website that ultimately leads to code execution on the applications server when visited by a target.

Redaxo 5.2.0 is the latest release of a simple content management system that is mostly used in Germany. Today we are going to present our scan results for Redaxo and explain how completely omitting anti-CSRF measures can have a significant security impact.

Plugins from the community are an integral part of most Wordpress sites. We downloaded all 47,959 plugins that are available from the official Wordpress repository and analyzed them with our static code analyzer RIPS. Shockingly, about every second larger plugin contains at least one medium severity issue. But is it really that bad?

Today’s gift in our advent calendar contains PHPKit, a German web content management system in development since early 2002. With its ~42,000 lines of code it is a rather small application and the latest version is 1.6.6. This post describes two severe vulnerabilities in the administration section that require a minimal user permission for exploitation.

Serendipity is an easy to maintain blog engine. There are a lot of plugins that can be used to extend the functionality, this article will focus on its core though. With close to 125,000 lines it is a medium-sized web application. In this post, we will show how attackers can bypass existing security mechanisms which can lead to remote code execution attacks.