Ripstech: most viewed

101 matches found

ripstech
added 2018/06/12 3:33 p.m., 828 views

Evil Teacher: Code Injection in Moodle

Impact - Who can exploit what? An attacker must be assigned the teacher role in a course of the latest Moodle earlier than 3.5.0 running with default configurations. Escalating to this role via another vulnerability, such as XSS, would also be possible. Given these requirements and the knowledge ...

7.6 AI score
Exploits: 0
ripstech
added 2016/12/10 10:0 a.m., 306 views

Non-Exploitable Security Issues

Invalid Code The following code was found in the XOOPS project. User input is saved in the variable $filter and then used in a call to eval - a security nightmare. image.php 301 302 303 $filter = isset$GETfilter ? $GETfilter : false; $destinationimage = imagecreatetruecolor$tnwidth, $tnheight;...

7.3 AI score
Exploits: 0
ripstech
added 2019/11/28 7:0 a.m., 181 views

Java Security Advent Calendar 2019

Open Advent Calendar 2019 24 Java Security Challenges Every day in December, until 24th, we will release a new Java code snippet that poses a critical security bug - similar to last year's calendars. Each hidden bug can be in form of a classic vulnerability type, a faulty security patch that can b...

7.1 AI score
Exploits: 0
ripstech
added 2017/05/03 3:0 p.m., 170 views

Why mail() is dangerous in PHP

During our advent of PHP application vulnerabilities, we reported a remote command execution vulnerability in the popular webmailer Roundcube (CVE-2016-9920). This vulnerability allowed a malicious user to execute arbitrary system commands on the targeted server by simply writing an email via the...

6 CVSS, 2.6 AI score, 0.38304 EPSS
Exploits: 2
ripstech
added 2018/02/06 10:0 a.m., 166 views

Joomla! 3.8.3: Privilege Escalation via SQL Injection

Who is affected Installations with the following requirements are affected by this vulnerability: Joomla! version = 3.8.3 and = 3.7.0 For exploitation an attacker needs to be authenticated to the Joomla! backend with a Manager account. This user group is available by default in Joomla! and has...

6.8 AI score
Exploits: 0
ripstech
added 2018/04/17 11:0 a.m., 158 views

PHP Code Quality Testing with RIPS 2.9.0

Code Quality VS. Exploitable Vulnerabilities There are many different perceptions of a "vulnerability" in the various tools available. What we at RIPS Technologies rank as a minor code quality issue, often is reported as a high-severe vulnerability by other vendors. The reason for this are...

7.3 AI score
Exploits: 0
ripstech
added 2019/07/02 11:0 a.m., 138 views

Magento 2.3.1: Unauthenticated Stored XSS to RCE

...

7.1 AI score
Exploits: 0
ripstech
added 2019/01/07 7:0 a.m., 136 views

RIPS 3.0 Supports Java Security Analysis

Java Application Security Testing At RIPS we take a unique approach for static code analysis of modern web applications. Instead of building one generic analyzer for fundamentally different programming languages, such as static Java and dynamic PHP, we strongly believe that complex security bugs ...

7.2 AI score
Exploits: 0
ripstech
added 2019/06/25 11:0 a.m., 131 views

dotCMS 5.1.5: Exploiting H2 SQL injection to RCE

Impact The SQL injection vulnerability can be exploited as an unauthenticated attacker via CSRF or as a user of the role Publisher. An attacker is able to execute stacked SQL queries which means it is possible to manipulate arbitrary database entries and even execute shell commands when the H2...

8.8 AI score
Exploits: 0
ripstech
added 2018/11/20 8:0 a.m., 103 views

phpBB 3.2.3: Phar Deserialization to RCE

Impact phpBB is one of the oldest and most popular board software. If an attacker aims to take over a board running phpBB3, he will usually attempt to gain access to the admin control panel by means of bruteforcing, phishing or XSS vulnerabilities in plugins that the target site has installed. Bu...

7.3 AI score
Exploits: 0
ripstech
added 2019/07/16 3:11 p.m., 93 views

TYPO3 9.5.7: Overriding the Database to Execute Code

Affected are TYPO3 8.x through 8.7.26, and TYPO3 9.x through 9.5.7. A deserialization of untrusted data leads to a Remote Code Execution vulnerability, which can be combined with a Cross-Site Scripting vulnerability that was also detected in the backend (CVE-2019-12748). The truncated analysis...

4.3 CVSS, 7 AI score, 0.00301 EPSS
Exploits: 0
ripstech
added 2019/07/08 7:0 a.m., 88 views

RIPS 3.2: Patch Generation and New IDE Integrations

Automated Patch Generation RIPS scans your source code for critical security vulnerabilities fully automated in only a few minutes. But the most time-intense task when securing your application is to research and to write code patches that fix all the detected security problems sufficiently...

7.3 AI score
Exploits: 0
ripstech
added 2017/11/30 1:0 p.m., 80 views

PHP Security Advent Calendar 2017

The end of the year is coming closer and the cheery advent time begins. We are looking back at a spectacular year and it is time to thank and give back to the great PHP, infosec, and RIPS community. Thank you for developing, auditing, and securing your PHP applications with us in 2017! Similar to...

7 AI score
Exploits: 0
ripstech
added 2018/12/24 8:0 a.m., 77 views

Wormable Stored XSS on WordPress.org

Introduction Finding a critical vulnerability in one popular WordPress plugin and exploiting it in the wild could allow attackers to easily hijack thousands to millions of websites. An example of this could be observed lately in the case of the popular plugin WP GDPR Compliance. One plugin thus...

6.9 AI score
Exploits: 0
ripstech
added 2018/11/13 11:0 a.m., 76 views

Pydio 8.2.1 Unauthenticated Remote Code Execution

Impact The vulnerability, a PHP object injection, was fixed in the latest security release of Pydio. Affected are all installations below version 8.2.2 with default settings. The vulnerability allowed remote attackers to perform a full takeover of the filesharing system, leading to remote access ...

7.1 AI score
Exploits: 0
ripstech
added 2019/05/29 6:27 a.m., 67 views

The Hidden Flaws of Archives in Java

The Risk of Archive Extraction Archives are often used to import data sets in web applications. Especially in Java, archives like Jar, War or Apk are used to aggregate Java class files and resources into one single file. Vulnerabilities resulting from an insecure extraction of archives are alread...

7.1 AI score
Exploits: 0
ripstech
added 2018/11/27 1:0 p.m., 58 views

PHP Security Advent Calendar 2018

In our first calendar edition in 2016, we analyzed exceptional vulnerabilities in some of the most popular open source PHP applications. Last year, we released 24 PHP security challenges with a hidden security pitfall in every day's code challenge. This year we would like to give once again...

7.2 AI score
Exploits: 0
ripstech
added 2019/01/29 11:27 a.m., 57 views

CTF Writeup: Complex Drupal POP Chain

About the Challenge The Droops challenge consisted of a website which had a modified version of Drupal 7.63 installed. The creators of the challenge added a Cookie to the Drupal installation that contained a PHP serialized string, which would then be unserialized on the remote server, leading to ...

7.4 AI score
Exploits: 0
ripstech
added 2018/07/19 11:0 a.m., 56 views

TikiWiki 17.1 SQLi: Scan, Verify and Patch in Minutes

Scanning TikiWiki comes with many built-in features. A manual audit of such a huge code base for security issues would require a tremendous amount of time and expertise. The automated security analysis of TikiWiki's 1.7 million lines of code with RIPS took roughly 14 minutes. Once the scan finishe...

8.6 AI score
Exploits: 0
ripstech
added 2019/02/19 11:27 a.m., 55 views

WordPress 5.0.0 Remote Code Execution

Impact An attacker who gains access to an account with at least author privileges on a target WordPress site can execute arbitrary PHP code on the underlying server, leading to a full remote takeover. We sent the WordPress security team details about...

7.6 AI score
Exploits: 0
ripstech
added 2020/01/21 6:27 a.m., 54 views

WordPress <= 5.2.3: Hardening Bypass

WordPress Hardening Mechanisms WordPress per default allows users with the administrator role to install plugins and even edit the .php files of plugins from within the admin dashboard. Although this allows for the easy modification of plugins and themes, it also allows malicious administrators t...

6.4 AI score
Exploits: 0
ripstech
added 2019/11/12 7:0 a.m., 54 views

RIPS 3.3: Scaling Security Testing to Large Teams

Data Center Edition Automated security testing with RIPS is typically performed when a new code feature is merged into the development branch. But when security scanning is shifted left to the developers who scan every single code commit, the total amount of scans increases significantly. As a...

7 AI score
Exploits: 0
ripstech
added 2019/02/05 7:0 a.m., 54 views

Security Testing Plugin for Maven & Gradle

Maven and Gradle Maven and Gradle are build automation and dependency management systems used primarily for Java projects. Their goals are to provide a uniform build system and to simplify the build process altogether. They are used for dependency management, testing, and building of simple to...

7 AI score
Exploits: 0
ripstech
added 2019/10/22 11:0 a.m., 51 views

Drive By RCE Exploit in Pimcore 6.2.0

We have scanned Pimcore 6.2.0 and identified multiple critical vulnerabilities including a command injection vulnerability and SQL injection vulnerability which both can be exploited into a full remote code execution. Both vulnerabilities were fixed in Pimcore 6.2.1. The truncated analysis result...

9 AI score
Exploits: 0
ripstech
added 2019/10/08 6:27 a.m., 51 views

WooCommerce 3.6.4 - CSRF Bypass to Stored XSS

In WooCommerce shop managers and administrators have the ability to import insert/update products via a .csv file. Every product in WooCommerce has a product description where the shop manager can insert limited HTML, i.e. very basic HTML tags and attributes, such as the a tag in combination with...

6.7 AI score
Exploits: 0
ripstech
added 2019/02/26 7:0 a.m., 51 views

5 Best Practices for your SAST Evaluation

Static Application Security Testing (SAST) solutions analyze the source code of applications for vulnerabilities without running or deploying the code. In case you are not sure if SAST is the right approach for you or what different SAST approaches exist we recommend reading our previous blog post...

7.2 AI score
Exploits: 0
ripstech
added 2019/06/11 5:27 p.m., 50 views

MyBB <= 1.8.20: From Stored XSS to RCE

Impact We discovered a Stored XSS vulnerability that occurred due to a parsing error in posts and private messages in MyBB 1.8.20 and prior versions, as well as an authenticated Remote Code Execution vulnerability that can be exploited by administrators...

6.7 AI score
Exploits: 0
ripstech
added 2018/06/19 3:0 p.m., 50 views

RIPS becomes Joomla! Official Code Analysis Partner

RIPS and Joomla are pleased to announce a new partnership where Joomla will be using RIPS industry leading code analysis solution to continuously scan the Joomla code base for tangible security vulnerabilities and weaknesses. For RIPS, this deployment represents a milestone, serving one of the...

7.2 AI score
Exploits: 0
ripstech
added 2019/09/03 6:27 a.m., 49 views

Bitbucket 6.1.1 Path Traversal to RCE

Impact In Bitbucket the four different user roles Bitbucket User, Project Creator, Admin and System Admin exist. An attacker with the permissions of the role Admin can abuse Bitbucket's Data Center Migration tool to drop an executable shell script in an arbitrary directory. This is caused by a...

7.7 AI score
Exploits: 0
ripstech
added 2019/01/15 11:27 a.m., 49 views

Learnings from WordPress Security Month

About the security month With the help of our code analysis solution RIPS we identified critical vulnerabilities in the WordPress core itself and in many of the most popular WordPress plugins. Some of them have multiple million active installations. As an example, the e-commerce plugin WooCommerc...

7.2 AI score
Exploits: 0
ripstech
added 2020/03/10 12:0 p.m., 48 views

RIPS Scores a Perfect 100% at OWASP Benchmark

Comparing different SAST solutions with one another is no trivial task. Indeed, beyond some straightforward criteria such as a tool's speed, usability, or integration options, the quintessential question is: How well does it perform in detecting actual vulnerabilities in your code? Benchmark Metri...

7.1 AI score
Exploits: 0
ripstech
added 2018/12/17 1:0 p.m., 48 views

WordPress Privilege Escalation through Post Types

Impact - What can an attacker do WordPress is at the core a Blogging Software that allows users to create and publish posts. Over time, different post types were introduced, such as pages and media entries (images, videos etc.). Plugins can register new post types, such as products or contact forms...

7 AI score
Exploits: 0
ripstech
added 2019/04/08 7:0 a.m., 47 views

RIPS 3.1: TeamCity, LDAP and JSP Support

Compliance Management Compliance to industry standards is a major topic in today's product development strategies. We revised our compliance tab that now provides an efficient overview of all violations against industry standard requirements that were found during RIPS code analysis. Developers ca...

7.2 AI score
Exploits: 0
ripstech
added 2019/11/05 11:0 a.m., 45 views

Backend SQL Injection in BigTree CMS 4.4.6

We have scanned one of the latest versions of BigTree CMS 4.4.6 and detected multiple vulnerabilities. Among them is a SQL Injection vulnerability and a Phar Deserialization vulnerability leading to a Remote Code Execution in the small web application. The truncated analysis results are available...

8.4 AI score
Exploits: 0
ripstech
added 2018/01/17 10:0 a.m., 45 views

CubeCart 6.1.12 - Admin Authentication Bypass

I Forgot My Password! Both vulnerabilities are exploitable through CubeCart's "I forgot my Password!" functionality. It is implemented in the file classes/cubecart.class.php, in the method recovery. When a user forgot his password, he can use this feature to enter his email address, a valid passwo...

7.2 AI score
Exploits: 0
ripstech
added 2020/02/17 7:0 a.m., 42 views

RIPS 3.4 Supports Node.js Security Analysis

Node.js Support Over the last year, our engineers worked hard to apply our static code analysis algorithms from Java and PHP to a new JavaScript engine. The result is our third language specific analysis engine which accounts for all code features, characteristics, and flavors of the highly dynam...

7.2 AI score
Exploits: 0
ripstech
added 2019/03/19 7:0 a.m., 42 views

Java Security Analysis for IntelliJ IDEA

New Plugin Features In the course of our last releases, we added various new functionalities and improved existing ones to enhance the quality of our IntelliJ plugin. These include support for analyzing Java code, support for multi-module projects, tracking and commenting of issues, and the optio...

6.9 AI score
Exploits: 0
ripstech
added 2019/03/13 6:27 a.m., 42 views

WordPress 5.1 CSRF to Remote Code Execution

Impact An attacker can take over any WordPress site that has comments enabled by tricking an administrator of a target blog to visit a website set up by the attacker. As soon as the victim administrator visits the malicious website, a cross-site request forgery (CSRF) exploit is run against the...

7.5 AI score
Exploits: 0
ripstech
added 2016/12/13 12:0 p.m., 39 views

phpBB 2.0.23 - From Variable Tampering to SQL Injection

RIPS Analysis The forum phpBB2 consists of only 50,000 lines of code and RIPS took only 19 seconds for its in-depth security analysis to complete. It found various PHP object injection vulnerabilities which are less severe due to missing gadget chains. Further, many SQL injections are reported du...

8.1 AI score
Exploits: 0
ripstech
added 2018/05/07 11:0 a.m., 37 views

A Salesman's Code Execution: PrestaShop 1.7.2.4

The Impact With more than 270,000 running instances, PrestaShop is one of the top 10 most used content management systems on the Web. In addition to the classical software download, PrestaShop Ready offers to rent an online shop and to get administrative access to pre-hosted PrestaShop...

6.9 AI score
Exploits: 0
ripstech
added 2019/10/31 11:0 a.m., 35 views

Official Code Analysis Partner for TYPO3

RIPS Technologies and TYPO3 are proud to announce their new technical partnership. TYPO3 will be using RIPS industry-leading code analysis solution to continuously scan the TYPO3 code base for security vulnerabilities and weaknesses. CEO Johannes Dahse explains: “This partnership represents anoth...

7.2 AI score
Exploits: 0
ripstech
added 2019/05/14 7:0 a.m., 33 views

Flyeralarm Secures Web Shop with RIPS

The Challenge At FLYERALARM, around 15,000 products and 24,000 dispatches are coordinated on a daily basis by a PHP-based web shop and backend that drives the major revenue of the company. Every day, the complex code base is customized and advanced by 80+ developers to meet new...

7.1 AI score
Exploits: 0
ripstech
added 2018/08/14 10:0 a.m., 33 views

What is Phar Deserialization

Summary The security researcher Sam Thomas from Secarma found a new exploitation technique that can lead to critical PHP object injection vulnerabilities - without using the PHP function unserialize. The new technique was announced at the BlackHat USA conference in his talk It's a PHP...

7.9 AI score
Exploits: 0
ripstech
added 2017/09/20 1:0 p.m., 33 views

Joomla! 3.7.5 - Takeover in 20 Seconds with LDAP Injection

Requirements - Who is affected Joomla! powers about 3.3% of all websites content and articles. Installations with the following requirements are affected by this vulnerability: Joomla! version 1.5 = 3.7.5 is installed Joomla! is configured to use LDAP for authentication This is not a configuratio...

7 AI score
Exploits: 0
ripstech
added 2020/02/25 11:0 a.m., 32 views

Exploiting Hibernate Injections

Hibernate is a database ORM framework for Java offering developers a uniform interface and syntax to interact independently with underlying relational databases like MySQL, PostgreSQL, and many more. The Hibernate Query Language is a SQL dialect very similar to a limited version of MySQL or pgSQL...

7.2 AI score
Exploits: 0
ripstech
added 2018/06/26 11:0 a.m., 32 views

WARNING: WordPress File Delete to Code Execution

Who is affected According to w3tech, WordPress is used by approximately 30% of all websites1. This wide adoption makes it an interesting target for cyber criminals. At the time of writing no patch preventing the vulnerability described in this post is available. Any WordPress version, including t...

7.1 AI score
Exploits: 0
ripstech
added 2018/04/10 11:0 a.m., 32 views

LimeSurvey 2.72.3 - Persistent XSS to Code Execution

Unauthenticated Persistent Cross-Site Scripting LimeSurvey 2.72.3 is prone to a persistent cross-site scripting vulnerability which is exploitable through the unauthenticated perspective. When submitting a public survey, the Continue Later feature allows users to save their...

6.2 AI score
Exploits: 0
ripstech
added 2019/08/20 11:0 a.m., 31 views

Breaking Into Your Company's Internal Network - SuiteCRM 7.11.4

As part of our efforts to make the open source web application space more secure we scanned SuiteCRM 7.11.4 with our static code analysis tool RIPS and we detected multiple critical vulnerabilities. Among them is a SQL Injection that can be exploited as a normal user (CVE-2019-12598), which can be...

7.5 CVSS, 10.4 AI score, 0.00348 EPSS
Exploits: 0
ripstech
added 2020/05/13 7:0 a.m., 30 views

RIPS and SonarSource are Joining Forces

You can read the official announcement here. This acquisition reinforces our journey of pioneering in the field of static analysis and honours the work of our passionate team in Bochum. What started out 10 years ago as an open source project evolved into a state-of-the-art security solution that...

6.8 AI score
Exploits: 0
ripstech
added 2019/12/17 7:0 a.m., 30 views

How to Fine-Tune Static Code Analysis - Part 2

RIPS performs language-specific code analysis. Each of our unique analysis engines is dedicated to a different programming language. You can get the maximum out of static analysis if you further fine-tune our language-specific engines to your specific code features. In the following, we guide you...

7.1 AI score
Exploits: 0

Total number of security vulnerabilities: 101