Privilege Escalation in 2.3M WooCommerce Shops

26 Feb 2018 by Karim El Ouerghemmi, Slavco Mihajloski
WooCommerce Object Injection

The WordPress plugin WooCommerce runs on approximately 2,300,000 live websites1 and is currently the most prominent eCommerce platform used on the Web. During our research we discovered a PHP object injection vulnerability in WooCommerce that allows to escalate privileges. The vulnerability was responsibly disclosed to the Automattic security team and was fixed last year with the release of version 3.2.4. In this blog post we investigate how recent changes in the WordPress core database driver opened the doors for this vulnerability. Furthermore, we describe how the circumstances could be exploited with a unique and interesting injection technique.

Read More ...

Joomla! 3.8.3: Privilege Escalation via SQL Injection

6 Feb 2018 by Karim El Ouerghemmi
Joomla! Privilege Escalation via SQL Injection

Joomla! is one of the biggest players in the market of content management systems. Its easy installation, usage, and extensibility make it the second most used CMS on the web next to WordPress1. Last year, our PHP static code analysis solution unveiled a rare LDAP injection vulnerability within the 500,000 lines of Joomla! code. This LDAP injection vulnerability, explained in our previous blog post, allowed attackers to fully take over Joomla! <= v3.7.5 installations that rely on LDAP for authentication.

Recent updates to our analysis engine lead to the discovery of a new vulnerability in the Joomla! core affecting versions prior to 3.8.4. RIPS discovered a second-order SQL injection that could be used by attackers to leverage lower permissions and to escalate them into full admin permissions. This previously unknown vulnerability was disclosed to the Joomla! security team who released a security fix on the 30th of January 2018.

Read More ...

CubeCart 6.1.12 - Admin Authentication Bypass

17 Jan 2018 by Robin Peraglie

CubeCart

CubeCart is an open source e-commerce solution for an easy to install webshop package. In one of our latest security analysis we found two flaws in this web application that allow an attacker to circumvent the authentication mechanism required to login as an administrator. Once bypassed, an attacker can execute arbitrary code on the web server and steal all sensitive files and data. In this technical blog post we will take a closer look at these interesting vulnerabilities and learn how a custom database abstraction layer can turn against you.

Read More ...

PHP Security Advent Calendar 2017 Wrap-Up

4 Jan 2018 by Felix Knischewski
PHP Security Advent Calendar

In this years PHP Security Advent Calendar we published 24 challenges for the PHP community where security issues were hidden in code snippets for fun and training. The challenges are based on real-world security vulnerabilities that we found with the help of RIPS over the last year in popular PHP applications. In this blog post we are going to discuss the main take-aways from our advent calendar regarding PHP security.

Read More ...

PHP Security Advent Calendar 2017 Announcement

30 Nov 2017 by Dr. Johannes Dahse
PHP Security Advent Calendar

The end of the year is coming closer and the cheery advent time begins. We are looking back at a spectacular year and it is time to thank and give back to the great PHP, infosec, and RIPS community. Thank you for developing, auditing, and securing your PHP applications with us in 2017!

Similar to last years advent of PHP application vulnerabilities where we released a new application vulnerability each day, we will release a new calendar gift from December 1st to 24th this year again. This time, we will focus on nifty PHP pitfalls and release a daily code challenge for you to solve. Can you spot the daily security bug?

Read More ...