Scan, Verify and Patch in Minutes: TikiWiki 17.1 SQLi

19 Jul 2018 by Karim El Ouerghemmi
Tikiwiki SQLi

TikiWiki is an open source software that offers a wiki-style based content management system. It has more than 1.25 million downloads and a large code base of around 1.7 million lines of code. In this blog post, we demonstrate step by step how we used our leading RIPS Code Analysis solution to detect and verify a SQL injection vulnerability in minutes.

Read More ...

WARNING: WordPress File Delete to Code Execution

26 Jun 2018 by Slavco Mihajloski, Karim El Ouerghemmi
WordPress Unlink to RCE

WordPress is the most popular CMS on the web. According to w3tech, it is used by approximately 30% of all websites1. This wide adoption makes it an interesting target for cyber criminals. In this blog post we are going to introduce an authenticated arbitrary file deletion vulnerability in the WordPress core that can lead to attackers executing arbitrary code. The vulnerability was reported 7 months ago to the WordPress security team but still remains unpatched. The long time elapsed since the initial reporting without any patch or concrete plans has led us to the decision to make it public.

Read More ...

Privilege Escalation in 2.3M WooCommerce Shops

26 Feb 2018 by Karim El Ouerghemmi, Slavco Mihajloski
WooCommerce Object Injection

The WordPress plugin WooCommerce runs on approximately 2,300,000 live websites1 and is currently the most prominent eCommerce platform used on the Web. During our research we discovered a PHP object injection vulnerability in WooCommerce that allows to escalate privileges. The vulnerability was responsibly disclosed to the Automattic security team and was fixed last year with the release of version 3.2.4. In this blog post we investigate how recent changes in the WordPress core database driver opened the doors for this vulnerability. Furthermore, we describe how the circumstances could be exploited with a unique and interesting injection technique.

Read More ...

Joomla! 3.8.3: Privilege Escalation via SQL Injection

6 Feb 2018 by Karim El Ouerghemmi
Joomla! Privilege Escalation via SQL Injection

Joomla! is one of the biggest players in the market of content management systems. Its easy installation, usage, and extensibility make it the second most used CMS on the web next to WordPress1. Last year, our PHP static code analysis solution unveiled a rare LDAP injection vulnerability within the 500,000 lines of Joomla! code. This LDAP injection vulnerability, explained in our previous blog post, allowed attackers to fully take over Joomla! <= v3.7.5 installations that rely on LDAP for authentication.

Recent updates to our analysis engine lead to the discovery of a new vulnerability in the Joomla! core affecting versions prior to 3.8.4. RIPS discovered a second-order SQL injection that could be used by attackers to leverage lower permissions and to escalate them into full admin permissions. This previously unknown vulnerability was disclosed to the Joomla! security team who released a security fix on the 30th of January 2018.

Read More ...

Shopware 5.3.3: PHP Object Instantiation to Blind XXE

8 Nov 2017 by Karim El Ouerghemmi
Shopware Object Instantiation

Shopware is a popular e-commerce software. It is based on PHP using technologies like Symfony 2, Doctrine and the Zend Framework. The code base of its open source community edition encompasses over 690,000 lines of code which we scanned for security vulnerabilities with our RIPS static code analyzer.

The analysis of this complex code base took roughly 4 minutes. RIPS discovered two vulnerabilities: a PHP object instantiation and a SQL injection which we disclosed to the vendor and were fixed in version 5.3.4. In this blog post we investigate the rare object instantiation vulnerability. We describe how it can occur and how it can be exploited by an attacker in order to retrieve arbitrary files from the server.

Read More ...