Joomla! 3.8.3: Privilege Escalation via SQL Injection

6 Feb 2018 by Karim El Ouerghemmi
Joomla! Privilege Escalation via SQL Injection

Joomla! is one of the biggest players in the market of content management systems. Its easy installation, usage, and extensibility make it the second most used CMS on the web next to WordPress1. Last year, our PHP static code analysis solution unveiled a rare LDAP injection vulnerability within the 500,000 lines of Joomla! code. This LDAP injection vulnerability, explained in our previous blog post, allowed attackers to fully take over Joomla! <= v3.7.5 installations that rely on LDAP for authentication.

Recent updates to our analysis engine lead to the discovery of a new vulnerability in the Joomla! core affecting versions prior to 3.8.4. RIPS discovered a second-order SQL injection that could be used by attackers to leverage lower permissions and to escalate them into full admin permissions. This previously unknown vulnerability was disclosed to the Joomla! security team who released a security fix on the 30th of January 2018.

Read More ...

CubeCart 6.1.12 - Admin Authentication Bypass

17 Jan 2018 by Robin Peraglie

CubeCart

CubeCart is an open source e-commerce solution for an easy to install webshop package. In one of our latest security analysis we found two flaws in this web application that allow an attacker to circumvent the authentication mechanism required to login as an administrator. Once bypassed, an attacker can execute arbitrary code on the web server and steal all sensitive files and data. In this technical blog post we will take a closer look at these interesting vulnerabilities and learn how a custom database abstraction layer can turn against you.

Read More ...

WordPress Plugin Vulnerabilities 2017 VS. Static Analysis

29 Nov 2017 by Dr. Johannes Dahse
WordPress Plugin Vulnerabilities

WordPress is used by 29.0% of all the websites1. Due to its wide adoption, specifically the security of WordPress plugins moved into the focus of cyber criminals. Often, the plugins provided by third parties do not share the same level of security as the WordPress core itself, making them an attractive target for attackers. Security vulnerabilities are actively exploited in order to compromise large amounts of installations that use vulnerable plugins. Can static code analysis detect these vulnerabilities out of the box? In this technical blog post we analyze the most critical plugin vulnerabilities in 2017 and share some insights about the requirements of a static code analyzer needed for detection.

Read More ...

Shopware 5.3.3: PHP Object Instantiation to Blind XXE

8 Nov 2017 by Karim El Ouerghemmi
Shopware Object Instantiation

Shopware is a popular e-commerce software. It is based on PHP using technologies like Symfony 2, Doctrine and the Zend Framework. The code base of its open source community edition encompasses over 690,000 lines of code which we scanned for security vulnerabilities with our RIPS static code analyzer.

The analysis of this complex code base took roughly 4 minutes. RIPS discovered two vulnerabilities: a PHP object instantiation and a SQL injection which we disclosed to the vendor and were fixed in version 5.3.4. In this blog post we investigate the rare object instantiation vulnerability. We describe how it can occur and how it can be exploited by an attacker in order to retrieve arbitrary files from the server.

Read More ...

SugarCRM's Security Diet - Multiple Vulnerabilities

14 Sep 2017 by Robin Peraglie
SugarCRM Security

SugarCRM is one of the most popular customer relationship management solutions. It is available as a commercial edition and as an open-source community edition and is used by more than 2 million individuals in over 120 countries to manage sensitive customer data 1. Lately its security attracted attention after a researcher reported multiple security issues in the code 2. As a result, a new version of SugarCRM was released.

We wanted to check what our automated code analysis technology RIPS would find after the recent manual audit and how it could contribute to the security. As a result, critical issues were uncovered that could allow attackers to steal customer data or sensitive files from the server.

Read More ...