flatCore CMS 1.4.6: Remote Code Execution and Easteregg

17 Oct 2017 by Dennis Detering
flatCore CMS

flatCore is a lightweight Content Management System (CMS) based on PHP and SQLite. It is designed to be as minimalistic as possible, but can be easily extended by its modular structure. We tested the latest stable version 1.4.6 with RIPS and detected, among others, a critical persistent cross-site scripting vulnerability that can be used by an unauthenticated adversary to attack administrators and to execute PHP code on the web server. Further, we found an interesting easteregg.

Read More ...

Guest Post: Vtiger 6.5.0 - SQL Injection

15 Dec 2016 by Dennis Detering

Vtiger

The Vtiger CRM is an open source Customer Relationship Management software developed by Vtiger. With more than 4.5 million downloads on SourceForge it enjoys great popularity. Some weeks ago, I had the chance to play with RIPS and test its features - and was invited as guest author to write this post. As I did some manual research of the Vtiger CRM before and already found several vulnerabilities, I decided to use it for my first experiments with RIPS.

Read More ...