Evil Teacher: Code Injection in Moodle

12 Jun 2018 by Robin Peraglie

Code Injection Exploit in Moodle

Moodle is a widely-used open-source e-Learning software with more than 127 million users allowing teachers and students to digitally manage course activities and exchange learning material, often deployed by large universities. In this post we will examine the technical intrinsics of a critical vulnerability in the previous Moodle release detected by RIPS Code Analysis. It is located in the Quiz component of Moodle and can be successfully exploited through the teacher role in order to perform remote code execution. If you are running Moodle < 3.5.0 we highly recommend to update your instances to the newest version immediately.

Read More ...

A Salesmans Code Execution: PrestaShop 1.7.2.4

7 May 2018 by Robin Peraglie

PrestaShop is an open-source e-commerce solution. With more than 270,000 running instances it is one of the top 10 most used content management systems in the Web1. Additionally to the classical software download, PrestaShop Ready offers to rent an online shop and to get administrative access to pre-hosted PrestaShop instances. From the perspective of attackers these e-commerce systems are very attractive targets because thousands of customers enter sensitive payment information.

Our leading security analysis solution RIPS detected a highly critical PHP object injection vulnerability in PrestaShop that allows to execute arbitrary code on any installation with version <= 1.7.2.4. In this technical blog post we present the vulnerability and the exploitation technique that could have allowed attackers to compromise PrestaShop servers. This posed a serious risk for the PrestaShop Ready cloud. A fix was released and administrators of outdated PrestaShop installations are highly encouraged to update.

Read More ...

LimeSurvey 2.72.3 - Persistent XSS to Code Execution

10 Apr 2018 by Robin Peraglie

LimeSurvey is an open source and commercial web application written in PHP that enables its users to quickly design and setup scalable surveys. Last year, we scanned the at that time latest version 2.72.3 with our static code analysis tool RIPS. In this technical post we will discuss and present two of the automatically detected vulnerabilities in 1MLOC: An unauthenticated persistent cross-site scripting vulnerability in the continue later feature and an authenticated arbitrary file write vulnerability. Both vulnerabilities can be chained by an attacker in order to execute code on the targeted web server with only one payload.

Read More ...

CubeCart 6.1.12 - Admin Authentication Bypass

17 Jan 2018 by Robin Peraglie

CubeCart

CubeCart is an open source e-commerce solution for an easy to install webshop package. In one of our latest security analysis we found two flaws in this web application that allow an attacker to circumvent the authentication mechanism required to login as an administrator. Once bypassed, an attacker can execute arbitrary code on the web server and steal all sensitive files and data. In this technical blog post we will take a closer look at these interesting vulnerabilities and learn how a custom database abstraction layer can turn against you.

Read More ...

SugarCRM's Security Diet - Multiple Vulnerabilities

14 Sep 2017 by Robin Peraglie
SugarCRM Security

SugarCRM is one of the most popular customer relationship management solutions. It is available as a commercial edition and as an open-source community edition and is used by more than 2 million individuals in over 120 countries to manage sensitive customer data 1. Lately its security attracted attention after a researcher reported multiple security issues in the code 2. As a result, a new version of SugarCRM was released.

We wanted to check what our automated code analysis technology RIPS would find after the recent manual audit and how it could contribute to the security. As a result, critical issues were uncovered that could allow attackers to steal customer data or sensitive files from the server.

Read More ...