What we learned from our Advent Calendar

24 Dec 2016 by Johannes Dahse

In this year's Advent of PHP Application Vulnerabilities (APAV), we examined 36 critical security issues which were detected in 19 different PHP applications by our code analysis solution RIPS. In our final post, we would like to summarize what we learned during this thrilling Advent season. We reveal how the affected vendors reacted to our reports behind the scenes. Was it right to publish all these sensitive issues? What conclusions can we draw about the security state of PHP applications from our findings?

e107 2.1.2: SQL Injection through Object Injection

23 Dec 2016 by Hendrik Buchwald

The 23rd gift in our advent calendar presents security issues in e107, a content management system that has been in development since 2013. Among others, we identified a critical issue that allows any user to update his permissions and to extract sensitive information from the database by exploiting a PHP object injection vulnerability.

AbanteCart 1.2.8 - Multiple SQL Injections

21 Dec 2016 by Martin Bednorz

In our 21st advent calendar gift, we cover AbanteCart, a very popular e-commerce solution that just turned 5 years old last month. RIPS found multiple SQL injections, PHP object injections, and the complementary cross-site scripting issues that allow the more severe vulnerabilities to be exploited. Interestingly, the AbanteCart website was defaced just moments before we sent out our analysis report to the development team.

Kliqqi 3.0.0.5: From Cross-Site Request Forgery to Code Execution

20 Dec 2016 by Martin Bednorz

Today’s gift in our advent calendar contains descriptions of vulnerabilities in Kliqqi, the successor to the popular Pligg CMS mostly used for the creation of interactive social communities. Due to missing CSRF protection, an attacker is able to prepare a website that ultimately leads to code execution on the application's server when visited by a target.

osClass 3.6.1: Remote Code Execution via Image File

19 Dec 2016 by Robin Peraglie

In today's calendar gift, we present another beautiful chain of vulnerabilities which, in the end, allows an attacker to remotely execute arbitrary PHP code. This time, an attacker can smuggle his PHP payload through a valid image file. The issues were detected by RIPS in the open source marketplace software osClass 3.6.1 used for creating classifieds sites.
