Filter by tag: cross-site scripting

Expression Engine 3.4.2: Code Reuse Attack

17 min read 5 Dec 2016 by Hendrik Buchwald
Expression Engine is a popular general purpose content management system that is used by thousands of individuals, organizations, and companies around the world. In this post, we will examine a code reuse vulnerability that leads to remote code execution. This vulnerability type allows an attacker to partly control the applications logic and to chain existing code fragements.

FreePBX 13: From Cross-Site Scripting to Remote Command Execution

20 min read 1 Dec 2016 by Hendrik Buchwald
FreePBX is a web-based graphical user interface that helps users to manage voice-over-IP services. With over one million production systems using FreePBX worldwide it is the most widely deployed open-source PBX (Private Branch Exchange) platform. Since FreePBX is written completely in PHP, we decided to throw it into our code analysis tool RIPS. The results were surprising…