RIPS and SonarSource are Joining Forces
You can read the official announcement here. This acquisition reinforces our journey of pioneering in the field of static analysis and honours the work of our passionate team in Bochum. What started out 10 years ago as an open source project evolved into a state-of-the-art security solution that...
ImpressCMS 1.3.11 - Why you should not trust PHP_SELF
We scanned version 1.3.11 of ImpressCMS, the current version at the time, and found an unauthorized SQL Injection vulnerability. The exploit affects installations that use PDO as a database driver. The issue was fixed in version 1.4.0, though the patch does not follow best practices and might not be...
RIPS Scores a Perfect 100% at OWASP Benchmark
Comparing different SAST solutions with one another is no trivial task. Indeed, beyond some straightforward criteria such as a tool's speed, usability, or integration options, the quintessential question is: How well does it perform in detecting actual vulnerabilities in your code? Benchmark Metri...
Exploiting Hibernate Injections
Hibernate is a database ORM framework for Java offering developers a uniform interface and syntax to interact independently with underlying relational databases like MySQL, PostgreSQL, and many more. The Hibernate Query Language is a SQL dialect very similar to a limited version of MySQL or pgSQL...
RIPS 3.4 Supports Node.js Security Analysis
Node.js Support Over the last year, our engineers worked hard to apply our static code analysis algorithms from Java and PHP to a new JavaScript engine. The result is our third language specific analysis engine which accounts for all code features, characteristics, and flavors of the highly dynam...
WordPress <= 5.2.3: Hardening Bypass
WordPress Hardening Mechanisms WordPress by default allows users with the administrator role to install plugins and even edit the .php files of plugins from within the admin dashboard. Although this allows for the easy modification of plugins and themes, it also allows malicious administrators t...
How to Fine-Tune Static Code Analysis - Part 2
RIPS performs language-specific code analysis. Each of our unique analysis engines is dedicated to a different programming language. You can get the maximum out of static analysis if you further fine-tune our language-specific engines to your specific code features. In the following, we guide you...
How to Fine-Tune Static Code Analysis - Part 1
Before integrating SAST into your SDLC you want to make sure that your code analysis produces only relevant findings with the best performance possible. In the first part of this guide, we will cover the following 5 configuration options and best practices for fine-tuning: Set the Language Versio...
Java Security Advent Calendar 2019
24 Java Security Challenges: Every day in December, until the 24th, we will release a new Java code snippet that poses a critical security bug - similar to last year's calendars. Each hidden bug can be in the form of a classic vulnerability type, a faulty security patch that can b...
Integrate Security Testing with GitHub Actions
GitHub Actions GitHub announced their own CI/CD system which is integrated into the user interface and called GitHub Actions. We added RIPS to the GitHub marketplace which enables you to integrate our leading code analysis directly into your GitHub workflow. It works as a security gateway and fai...
RIPS 3.3: Scaling Security Testing to Large Teams
Data Center Edition Automated security testing with RIPS is typically performed when a new code feature is merged into the development branch. But when security scanning is shifted left to the developers who scan every single code commit, the total amount of scans increases significantly. As a...
Backend SQL Injection in BigTree CMS 4.4.6
We have scanned one of the latest versions of BigTree CMS 4.4.6 and detected multiple vulnerabilities. Among them is a SQL Injection vulnerability and a Phar Deserialization vulnerability leading to a Remote Code Execution in the small web application. The truncated analysis results are available...
Official Code Analysis Partner for TYPO3
RIPS Technologies and TYPO3 are proud to announce their new technical partnership. TYPO3 will be using RIPS' industry-leading code analysis solution to continuously scan the TYPO3 code base for security vulnerabilities and weaknesses. CEO Johannes Dahse explains: “This partnership represents anoth...
Drive By RCE Exploit in Pimcore 6.2.0
We have scanned Pimcore 6.2.0 and identified multiple critical vulnerabilities including a command injection vulnerability and SQL injection vulnerability which both can be exploited into a full remote code execution. Both vulnerabilities were fixed in Pimcore 6.2.1. The truncated analysis result...
WooCommerce 3.6.4 - CSRF Bypass to Stored XSS
In WooCommerce, shop managers and administrators have the ability to import (insert/update) products via a .csv file. Every product in WooCommerce has a product description where the shop manager can insert limited HTML, i.e. very basic HTML tags and attributes, such as the a tag in combination with...
Bitbucket 6.1.1 Path Traversal to RCE
Impact In Bitbucket the four different user roles Bitbucket User, Project Creator, Admin and System Admin exist. An attacker with the permissions of the role Admin can abuse Bitbucket's Data Center Migration tool to drop an executable shell script in an arbitrary directory. This is caused by a...
Breaking Into Your Company's Internal Network - SuiteCRM 7.11.4
As part of our efforts to make the open source web application space more secure we scanned SuiteCRM 7.11.4 with our static code analysis tool RIPS and we detected multiple critical vulnerabilities. Among them is a SQL Injection that can be exploited as a normal user (CVE-2019-12598), which can be...
WARNING: Pre-Auth Takeover of OXID eShops
OXID eShop is an e-commerce shop software originating from Germany and its enterprise edition is used by industry leaders such as Mercedes, BitBurger and Edeka. In this technical blog post we will show you how an unauthenticated attacker gains Remote Code Execution in OXID eShop running the lates...
TYPO3 9.5.7: Overriding the Database to Execute Code
Affected are TYPO3 8.x through 8.7.26, and TYPO3 9.x through 9.5.7. A deserialization of untrusted data leads to a Remote Code Execution vulnerability, which can be combined with a Cross-Site Scripting vulnerability that was also detected in the backend (CVE-2019-12748). The truncated analysis...
RIPS 3.2: Patch Generation and New IDE Integrations
Automated Patch Generation RIPS scans your source code for critical security vulnerabilities fully automated in only a few minutes. But the most time-intense task when securing your application is to research and to write code patches that fix all the detected security problems sufficiently...
Magento 2.3.1: Unauthenticated Stored XSS to RCE
...
dotCMS 5.1.5: Exploiting H2 SQL injection to RCE
Impact The SQL injection vulnerability can be exploited as an unauthenticated attacker via CSRF or as a user of the role Publisher. An attacker is able to execute stacked SQL queries which means it is possible to manipulate arbitrary database entries and even execute shell commands when the H2...
MyBB <= 1.8.20: From Stored XSS to RCE
Impact We discovered a Stored XSS vulnerability that occurred due to a parsing error in posts and private messages in MyBB 1.8.20 and prior versions, as well as an authenticated Remote Code Execution vulnerability that can be exploited by administrators...
The Hidden Flaws of Archives in Java
The Risk of Archive Extraction Archives are often used to import data sets in web applications. Especially in Java, archives like Jar, War or Apk are used to aggregate Java class files and resources into one single file. Vulnerabilities resulting from an insecure extraction of archives are alread...
Flyeralarm Secures Web Shop with RIPS
The Challenge At FLYERALARM, around 15,000 products and 24,000 dispatches are coordinated on a daily basis by a PHP-based web shop and backend that drives the major revenue of the company. Every day, the complex code base is customized and advanced by 80+ developers to meet new...
How to add a Security Gateway to TeamCity
TeamCity TeamCity is a continuous integration (CI) and deployment server which is developed by Jetbrains. It was released in 2006 as a commercial software but can also be used free of charge within a certain scale. Next to Bamboo and Jenkins it is one of the most common solutions to build and deplo...
RIPS 3.1: TeamCity, LDAP and JSP Support
Compliance Management Compliance to industry standards is a major topic in today's product development strategies. We revised our compliance tab that now provides an efficient overview of all violations against industry standard requirements that were found during RIPS code analysis. Developers ca...
LogicalDOC 8.2 Path Traversal Vulnerability
Impact In order to exploit this vulnerability an attacker needs to be an authenticated read-only user of the role guest. The attacker can read arbitrary files and create arbitrary directories on the server with the permissions of the user running the web server. It is recommended to update...
Java Security Analysis for IntelliJ IDEA
New Plugin Features In the course of our last releases, we added various new functionalities and improved existing ones to enhance the quality of our IntelliJ plugin. These include support for analyzing Java code, support for multi-module projects, tracking and commenting of issues, and the optio...
WordPress 5.1 CSRF to Remote Code Execution
Impact An attacker can take over any WordPress site that has comments enabled by tricking an administrator of a target blog to visit a website set up by the attacker. As soon as the victim administrator visits the malicious website, a cross-site request forgery (CSRF) exploit is run against the...
5 Best Practices for your SAST Evaluation
Static Application Security Testing (SAST) solutions analyze the source code of applications for vulnerabilities without running or deploying the code. In case you are not sure if SAST is the right approach for you or what different SAST approaches exist we recommend reading our previous blog post...
WordPress 5.0.0 Remote Code Execution
Impact An attacker who gains access to an account with at least author privileges on a target WordPress site can execute arbitrary PHP code on the underlying server, leading to a full remote takeover. We sent the WordPress security team details about...
Security Testing Plugin for Maven & Gradle
Maven and Gradle Maven and Gradle are build automation and dependency management systems used primarily for Java projects. Their goals are to provide a uniform build system and to simplify the build process altogether. They are used for dependency management, testing, and building of simple to...
CTF Writeup: Complex Drupal POP Chain
About the Challenge The Droops challenge consisted of a website which had a modified version of Drupal 7.63 installed. The creators of the challenge added a Cookie to the Drupal installation that contained a PHP serialized string, which would then be unserialized on the remote server, leading to ...
Learnings from WordPress Security Month
About the security month With the help of our code analysis solution RIPS we identified critical vulnerabilities in the WordPress core itself and in many of the most popular WordPress plugins. Some of them have multiple million active installations. As an example, the e-commerce plugin WooCommerc...
RIPS 3.0 Supports Java Security Analysis
Java Application Security Testing At RIPS we take a unique approach for static code analysis of modern web applications. Instead of building one generic analyzer for fundamentally different programming languages, such as static Java and dynamic PHP, we strongly believe that complex security bugs ...
Wormable Stored XSS on WordPress.org
Introduction Finding a critical vulnerability in one popular WordPress plugin and exploiting it in the wild could allow attackers to easily hijack thousands to millions of websites. An example of this could be observed lately in the case of the popular plugin WP GDPR Compliance. One plugin thus...
WordPress Privilege Escalation through Post Types
Impact - What can an attacker do WordPress is at the core a Blogging Software that allows users to create and publish posts. Over time, different post types were introduced, such as pages and media entries (images, videos etc.). Plugins can register new post types, such as products or contact forms...
PHP Security Advent Calendar 2018
In our first calendar edition in 2016, we analyzed exceptional vulnerabilities in some of the most popular open source PHP applications. Last year, we released 24 PHP security challenges with a hidden security pitfall in every day's code challenge. This year we would like to give once again...
phpBB 3.2.3: Phar Deserialization to RCE
Impact phpBB is one of the oldest and most popular board software. If an attacker aims to take over a board running phpBB3, he will usually attempt to gain access to the admin control panel by means of bruteforcing, phishing or XSS vulnerabilities in plugins that the target site has installed. Bu...
Pydio 8.2.1 Unauthenticated Remote Code Execution
Impact The vulnerability, a PHP object injection, was fixed in the latest security release of Pydio. Affected are all installations below version 8.2.2 with default settings. The vulnerability allowed remote attackers to perform a full takeover of the filesharing system, leading to remote access ...
WordPress Design Flaw Leads to WooCommerce RCE
Impact We detected and reported a file deletion vulnerability in WooCommerce, which was fixed in version 3.4.6. Arbitrary file deletion vulnerabilities aren't considered critical in most cases as the only thing an attacker can cause is a Denial of Service by deleting the index.php of the website...
WordPress Configuration Cheat Sheet
In our series about misconfigurations of PHP frameworks, we have investigated Symfony, a very versatile and modular framework. Due to the enormous distribution and the multitude of plugins, WordPress is also a very popular target for attackers. This cheat sheet focuses on the wp-config.php file a...
What is PHP Object Injection
PHP Serialization Recap PHP provides a mechanism for storing and loading data with PHP types across multiple HTTP requests. This mechanism boils down to two functions: serialize and unserialize. This may sound complicated but let's look at the following easy example: A PHP object being serialized ...
Symfony Configuration Cheat Sheet
The Symfony framework provides web developers with a great foundation for their PHP applications. Several components can be used for many recurring tasks that are required in every application, such as handling input forms or accessing a database. In addition to functional tasks, security-relevan...
Sync and Manage your Security Issues within Jira
Jira Software Jira Software is a proprietary product developed by Atlassian that is the most widely known issue and project management tool. One of the core values is to help teams and organizations to track and manage software development tasks within issue tickets. The issue types, priorities,...
Framework Misconfiguration Analysis with RIPS
65 New Issue Types Added In the latest release of our RIPS Code Analysis solution we added a new Preparser. The Preparser is able to detect different types of configurations and to check whether they ensure a secure state of the web application. Each framework has its own configuration files,...
What is Phar Deserialization
Summary The security researcher Sam Thomas from Secarma found a new exploitation technique that can lead to critical PHP object injection vulnerabilities - without using the PHP function unserialize. The new technique was announced at the BlackHat USA conference in his talk It's a PHP...
Comparison of Application Security Testing Approaches
Overview The following table lists a side-by-side comparison of different application security testing approaches. Additional rating details are available when hovering over each column. In the following, each approach is introduced. Category Automated Security Testing Manual Security Testing...
TikiWiki 17.1 SQLi: Scan, Verify and Patch in Minutes
Scanning TikiWiki comes with many built-in features. A manual audit of such a huge code base for security issues would require a tremendous amount of time and expertise. The automated security analysis of TikiWiki's 1.7 million lines of code with RIPS took roughly 14 minutes. Once the scan finishe...