
What is PHP Object Injection

6 min read 9 Oct 2018 by Simon Scannell
A very common and critical vulnerability in PHP applications is PHP Object Injection. This blog post explains how it works and how it can lead to a full site takeover by remote attackers.

What is Phar Deserialization

5 min read 14 Aug 2018 by Johannes Dahse
Last week a new exploitation technique for PHP applications was announced at the BlackHat USA conference. Find out everything you need to know in this blog post.

A Salesman's Code Execution: PrestaShop 1.7.2.4

5 min read 7 May 2018 by Robin Peraglie
PrestaShop is one of the most popular e-commerce solutions. Our leading security analysis solution RIPS detected a highly critical vulnerability that allows an attacker to execute arbitrary code on any installation with version <= 1.7.2.4. In this technical blog post we present the vulnerability and the exploitation technique that could have been misused by attackers (CVE-2018-20717).

Privilege Escalation in 2.3M WooCommerce Shops

13 min read 26 Feb 2018 by Karim El Ouerghemmi, Slavco Mihajloski
The WordPress plugin WooCommerce runs on approximately 2,300,000 live websites and is currently the most prominent eCommerce platform used on the Web. During our research we discovered a PHP Object Injection vulnerability in WooCommerce (CVE-2017-18356) that allows privilege escalation through a unique and interesting injection technique.

WordPress Plugin Vulnerabilities 2017 VS. Static Analysis

11 min read 29 Nov 2017 by Johannes Dahse
WordPress plugins are widely adopted and an attractive target for attackers. In this technical blog post we analyze the most critical vulnerabilities in WordPress plugins of 2017 and share insights into how static code analysis can detect them.