Buggy Phishing Kits Allow Criminals to Cannibalize Their Own

They say it’s a dog-eat-dog world out there, but in cybercrime terms, perhaps it should be called a “phish-eat-phish” situation. Researchers recently discovered that several widely used phishing kits harbor vulnerabilities that can be exploited by other criminals to hijack operations – and...

CVE-2018-17826

HisiPHP 1.0.8 allows CSRF via admin.php/admin/user/adduser.html to add an administrator account. The attacker can then use that account to execute arbitrary PHP code by leveraging app/common/model/AdminAnnex.php to add .php to the default list of allowable file-upload types .jpg, .png, .gif, .jpe...