LogicalDOC 8.2 Path Traversal Vulnerability
Impact In order to exploit this vulnerability an attacker needs to be an authenticated read-only user of the role guest. The attacker can read arbitrary files and create arbitrary directories on the server with the permissions of the user running the web server. It is recommended to update...
flatCore CMS 1.4.6: Remote Code Execution and Easteregg
RIPS Analysis The 74,000 lines of code of the flatCore CMS were analyzed in less than 3 minutes. RIPS discovered multiple vulnerabilities ranging from open redirection CVE-2017-11205 and cross-site scripting CVE-2017-11204 to SQL injection CVE-2017-11207, many of them being exploitable as...
ImpressCMS 1.3.11 - Why you should not trust PHP_SELF
We scanned the then-current version 1.3.11 of ImpressCMS and found an unauthenticated SQL injection vulnerability. The exploit affects installations that use PDO as the database driver. The issue was fixed in version 1.4.0, though the patch does not follow best practices and might not be...
Integrate Security Testing with GitHub Actions
GitHub Actions GitHub announced its own CI/CD system, GitHub Actions, which is integrated into the GitHub user interface. We added RIPS to the GitHub marketplace, which lets you integrate our code analysis directly into your GitHub workflow. It works as a security gateway and fai...
Integrate Security Testing into PhpStorm
New State-of-the-Art Reduces Costs Typically, application security testing is performed after the source code has already been committed to the repository. For example, a security scan is manually performed before deployment, or continuous integration is used to automatically test the...
Sync and Manage your Security Issues within Jira
Jira Software Jira Software is a proprietary product developed by Atlassian and the most widely known issue and project management tool. One of its core values is to help teams and organizations track and manage software development tasks within issue tickets. The issue types, priorities,...
Continuous Integration - Jenkins at your service
How Continuous Integration works Continuous integration is, as the name suggests, the process of continually merging all code changes made by developers. The main purpose of CI is to achieve better productivity and code integrity by using a shared code repository which is automatically buil...
Teampass 2.1.26.8: Unauthenticated SQL Injection
RIPS Analysis RIPS was able to analyze the whole project, consisting of 140,000 lines of code, in only 25 seconds, uncovering many severe security vulnerabilities. The two main types of issues were SQL injection and file inclusion. Luckily, most of the SQL injections were found in the installati...
Shopware 5.3.3: PHP Object Instantiation to Blind XXE
Who is affected Installations with the following requirements are affected by these vulnerabilities: Shopware version <= 5.3.3 and >= 5.1 Impact - What can an attacker do In order to exploit the found vulnerabilities an attacker needs to be able to use the backend functionality of Shopware, specifically...
What's new in RIPS 2.0.0?
The new release RIPS 2.0.0 includes the following major changes: a completely new interface with optimized performance (demo.ripstech.com); a new extensive REST API for full feature automation (api.ripstech.com); team and user privilege management; application-specific analysis profiles; more detailed code...
Integrate Security Checks with RIPS CLI
Getting started Installation The installation of rips-cli is described in detail in our documentation. You can download the PHAR build of our CLI tool into your bin directory and make it executable with the following commands: sudo wget...
Framework Misconfiguration Analysis with RIPS
65 New Issue Types Added In the latest release of our RIPS Code Analysis solution we added a new Preparser. The Preparser is able to detect different types of configurations and to check whether they ensure a secure state of the web application. Each framework has its own configuration files,...
RIPS Integration into Jenkins CI with Pipeline Support
Pipelines The Pipeline approach is a more developer friendly method to define the build and test process of a project. It is as easy as placing a file named Jenkinsfile into your project which contains all the configuration. This is well known from other build tools like Docker or make and improv...
Privilege Escalation in 2.3M WooCommerce Shops
Who is affected Installations with the following requirements are affected by this vulnerability: WooCommerce version 3.2.4 WordPress version = 4.8.3 Impact - What can an attacker do The vulnerability discussed in the following can only be exploited by an attacker that already benefits from some...
Guest Post: Vtiger 6.5.0 - SQL Injection
RIPS Analysis RIPS analyzed the 27,371 files with around 650,000 lines of code in only 6 minutes. Due to the nature of a CRM system, it is necessary to have a valid user account to access any of the provided features. Nevertheless, the discovered issues allowed low-privileged users to access high...
e107 2.1.2: SQL Injection through Object Injection
RIPS Analysis The e107 CMS consists of 317,356 lines of code and was analyzed in about 2 minutes. Many of the vulnerabilities found by RIPS are exploitable, with a few exceptions. The main reason for this is that e107 contains a lot of unused code from previous releases, and thus not all affect...
PHP Security Advent Calendar 2017 Wrap-Up
The Challenges We presented a variety of interesting and partly obscure security bugs in as little code as possible such that a challenge can be solved during a coffee break. Some challenges addressed beginners in security, others were more advanced. Next to different vulnerability types, we...
What we learned from our Advent Calendar
Vulnerability Types In this year's Advent of PHP Application Vulnerabilities (APAV), we examined 36 critical security issues which were detected in 19 different PHP applications by our code analysis solution RIPS. We presented a multitude of critical security issues found in widely-used open-source...
Rescanning Applications with RIPS
Benefits One of the most important things in modern application development is to think about security in every step of the development lifecycle. Beginning with the start of the development right up until the continued deployment of patches and features - security is important in all stages of a...
SugarCRM's Security Diet - Multiple Vulnerabilities
SugarCRM is available as a commercial edition and as an open-source community edition and is used by more than 2 million individuals in over 120 countries to manage sensitive customer data. Lately its security attracted attention after a researcher reported multiple security issues in the code ...
The State of Wordpress Security
Statistics Before we start analyzing the vulnerabilities, let us have a look at the general statistics to understand what the results really indicate. Our scan includes all plugins that are hosted in the official WordPress repository and have at least one PHP file. If there are releases, we use...
How to add a Security Gateway to TeamCity
TeamCity TeamCity is a continuous integration (CI) and deployment server developed by JetBrains. It was released in 2006 as commercial software but can also be used free of charge within a certain scale. Next to Bamboo and Jenkins it is one of the most common solutions to build and deplo...
WordPress Design Flaw Leads to WooCommerce RCE
Impact We detected and reported a file deletion vulnerability in WooCommerce, which was fixed in version 3.4.6. Arbitrary file deletion vulnerabilities aren't considered critical in most cases, as the only thing an attacker can cause is a denial of service by deleting the index.php of the website...
What is PHP Object Injection
PHP Serialization Recap PHP provides a mechanism for storing and loading data with PHP types across multiple HTTP requests. This mechanism boils down to two functions: serialize and unserialize. This may sound complicated, but let's look at the following easy example: A PHP object being serialized ...
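The mechanism described above, as an added example that is not part of the original post or of any RIPS code: a constructed TempFile class with a dangerous __destruct() stands in for whatever application class an attacker would target, a constructed victim path is used, and a DeletionLog class replaces the real unlink() so the script has no side effects. The O:/s: payload format and the allowed_classes option of unserialize() are PHP's own; nothing here refers to a specific application or CVE.

```php
<?php
// Added example, not code from the original post or from RIPS.
// Shows why unserialize() on untrusted input is PHP object injection,
// and the hardened call that refuses to instantiate classes.

// Records which files __destruct() *would* have removed. Assumption: a real
// gadget class would call unlink() here; we only log, so the demo is harmless.
final class DeletionLog
{
    public static array $entries = [];
}

// Hypothetical application class. Its destructor trusts $path, which makes it
// a "gadget": PHP runs __destruct() on every TempFile instance, including one
// that unserialize() built from attacker-controlled bytes.
class TempFile
{
    public string $path;

    public function __construct(string $path)
    {
        $this->path = $path;
    }

    public function __destruct()
    {
        // Real code would do: if (is_file($this->path)) { unlink($this->path); }
        DeletionLog::$entries[] = $this->path;
    }
}

// The legitimate use case: round-tripping plain data. serialize() emits the
// text format a:2:{s:4:"user";s:5:"alice";...} that the payload below abuses.
function legitimateRoundTrip(): array
{
    $stored = serialize(['user' => 'alice', 'theme' => 'dark']);
    return unserialize($stored, ['allowed_classes' => false]);
}

// What an attacker sends instead of the array: a serialized TempFile whose
// $path names a file they want deleted. strlen() keeps the length tokens exact;
// a single wrong length makes unserialize() reject the string.
function buildPayload(string $victimPath): string
{
    return sprintf('O:8:"TempFile":1:{s:4:"path";s:%d:"%s";}', strlen($victimPath), $victimPath);
}

// Vulnerable: unserialize() instantiates whatever class the payload names.
function vulnerableLoad(string $data)
{
    return unserialize($data);
}

// Hardened (PHP >= 7.0): no class is instantiated; an object in the payload
// becomes __PHP_Incomplete_Class, whose magic methods never run. For plain
// data, JSON is the better choice since it has no object model to abuse.
function hardenedLoad(string $data)
{
    return unserialize($data, ['allowed_classes' => false]);
}

$payload = buildPayload('/var/www/.htaccess');   // constructed victim path

$obj = vulnerableLoad($payload);
var_dump($obj instanceof TempFile);
unset($obj);                                      // __destruct() fires here
var_dump(DeletionLog::$entries);

$safe = hardenedLoad($payload);
var_dump($safe instanceof __PHP_Incomplete_Class);
unset($safe);                                     // no destructor to run
var_dump(DeletionLog::$entries);
```

Run with php on 7.4 or later. The first pair of dumps shows that the attacker-supplied object was created and that its destructor ran as soon as the variable was released; the second pair shows the hardened call producing an incomplete class and the log staying unchanged. The defensive rule the example illustrates: never feed user-controlled data to unserialize() without allowed_classes, and prefer json_decode() for data that is not meant to carry objects at all.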
How security flaws in PHP's core can affect your application
PHP Version Usage At the time of writing, the statistics from W3Techs show that 93% of all PHP websites use PHP version 5, and only about 6% use its new successor PHP 7. For each of those major PHP versions several release branches are maintained. Each release branch is actively supported for two...
Redaxo 5.2.0: Remote Code Execution via CSRF
RIPS Analysis When inspecting the charts generated by RIPS, a code execution vulnerability flagged as critical catches our eye. Investigating this issue more closely quickly reveals that the vulnerability lies in the administrator panel, seemingly nullifying the severity of the vulnerability. We will se...
How to Fine-Tune Static Code Analysis - Part 1
Before integrating SAST into your SDLC you want to make sure that your code analysis produces only relevant findings with the best performance possible. In the first part of this guide, we will cover the following 5 configuration options and best practices for fine-tuning: Set the Language Versio...
Security Analysis with SonarQube Plugin
SonarQube Figure 1: The SonarQube dashboard lists security vulnerabilities detected by RIPS code analysis. Global organizations use SonarQube to concentrate different quality analysis tools in one place for easy management, maintenance, and learning potential of findings. Seasoned developers are...
Announcing the Advent of PHP Application Vulnerabilities
Why? At RIPS Technologies we continually scan open-source projects with our award-winning static code analysis solution RIPS for further analysis improvement. As we grew up with open-source software all around us and used it for many projects, we are now in the unique position to be able to give...
Roundcube 1.2.2: Command Execution via Email
The mirror on SourceForge counts more than 260,000 downloads for Roundcube in the last 12 months, which is only a small fraction of the actual users. Once Roundcube is installed on a server, it provides a web interface for authenticated users to send and receive emails with their web browser. RIP...
FreePBX 13: From Cross-Site Scripting to Remote Command Execution
RIPS Analysis The total amount of detected vulnerabilities is very high. Luckily, the majority of the detected vulnerabilities are inside the administration control panel, such that attackers either need to steal a valid account first or they have to trick an administrator into visiting a malicio...
WordPress Configuration Cheat Sheet
In our series about misconfigurations of PHP frameworks, we have investigated Symfony, a very versatile and modular framework. Due to the enormous distribution and the multitude of plugins, WordPress is also a very popular target for attackers. This cheat sheet focuses on the wp-config.php file a...
Kliqqi 3.0.0.5: From Cross-Site Request Forgery to Code Execution
RIPS Analysis RIPS analysis of the 77,000 lines of Kliqqi code took only 31 seconds to complete and was able to discover several risks within the application. There were no critical vulnerabilities found directly but it is possible to escalate one high-rated security issue to a critical one - as ...
Security Compliance with Static Code Analysis
NOTE: This blog post is outdated. For an updated list of supported compliance requirements please visit our website. PCI DSS The Data Security Standard from the Payment Card Industry, short PCI DSS, specifies 12 requirements for the safe use of credit card information. The specifications were...
PHPKit 1.6.6: Code Execution for Privileged Users
RIPS Analysis Within only 24 seconds, the analysis with RIPS completed and uncovered critical security vulnerabilities, mainly in the administration section of the application. As we demonstrated in multiple previous calendar posts, these vulnerabilities can be chained with other vulnerabilities...
eFront 3.6.15: Steal your professors password
RIPS Analysis Our SAST tool RIPS analyzed the whole application in only 1m 32s and uncovered many severe security issues. Most of them are straightforward SQL injections that can be used to extract confidential user data, such as passwords, private messages, course results, and personal...
WARNING: Pre-Auth Takeover of OXID eShops
OXID eShop is an e-commerce shop software originating from Germany, and its enterprise edition is used by industry leaders such as Mercedes, Bitburger and Edeka. In this technical blog post we will show you how an unauthenticated attacker gains Remote Code Execution in OXID eShop running the lates...
Symfony Configuration Cheat Sheet
The Symfony framework provides web developers with a great foundation for their PHP applications. Several components can be used for many recurring tasks that are required in every application, such as handling input forms or accessing a database. In addition to functional tasks, security-relevan...
Comparison of Application Security Testing Approaches
Overview The following table lists a side-by-side comparison of different application security testing approaches. In the following, each approach is introduced. Category Automated Security Testing Manual Security Testing...
Ensure Application Security with Zend Server and RIPS
Zend Server is the ultimate and most secure software platform for deploying, monitoring, debugging, maintaining, and optimizing enterprise PHP applications. It also helps to keep the technology stack up-to-date and to avoid security risks that stem from outdated components. However, most of the...
Security Analysis with Bamboo Plugin
Build Management with Bamboo In the process of continuous integration, a code repository is automatically built and tested by a CI service when code is pushed or committed to the repository. This enables automated testing, tracking, and reporting of build errors and boosts the productivity of...
How To Automate Security Analysis with the RIPS API
RIPS API RIPS exposes a powerful REST-API, an interface specifically designed for developers and their applications. It is used to provide the web interface with analysis results, to start scans through plugins, to manage users, and much more. In short, the API enables easy automation of all RIPS...
Precurio 2.1: Remote Command Execution via Xinha Plugin
RIPS Analysis RIPS detected many security vulnerabilities, such as SQL injection and cross-site scripting issues. In order to exploit most of these vulnerabilities in Precurio's code base, a user account is required. Precurio also includes a lot of third-party code, though, that is directly...
Introducing the RIPS analysis engine
History 2007 - 2009 Almost 10 years ago, a simple PHP scanner was developed during the then-emerging Capture The Flag (CTF) hacking competitions between university teams. The scanner was based on regular expressions and identified simple connections between user input that is first assigned to a variable and th...
AbanteCart 1.2.8 - Multiple SQL Injections
RIPS Analysis The analysis with RIPS of the well over 200,000 lines of code took 4 minutes to complete. The most critical issues were primarily located in the language manager of the application and could thus be fixed as a bundle. The truncated analysis results are available in our RIPS demo...
osClass 3.6.1: Remote Code Execution via Image File
RIPS Analysis RIPS was able to scan the 156,000 lines of code in just 23 seconds. Looking at the scan results, a high number of vulnerabilities were detected in this project, with high-rated vulnerabilities making up the largest share. However, there is no critical-rated vulnerability found on th...
WordPress Plugin Vulnerabilities 2017 VS. Static Analysis
WordPress is used by 29.0% of all websites. Due to its wide adoption, the security of WordPress plugins in particular has moved into the focus of cyber criminals. Often, the plugins provided by third parties do not share the same level of security as the WordPress core itself. Security...
OpenConf 5.30 - Multi-Step Remote Command Execution
RIPS Analysis An early prototype of RIPS detected the issues described in the following in roughly 24,000 lines of code. OpenConf suffered mainly from a few SQL injection vulnerabilities, as well as reflected and persistent cross-site scripting issues. In the following, we focus on the combinatio...
Expression Engine 3.4.2: Code Reuse Attack
RIPS Analysis The analysis with RIPS took about 4 minutes. Overall, the code of Expression Engine seems to be very robust. Still, our analysis results point out some vulnerabilities. RIPS detected mainly possibilities for a malicious user to embed HTML and JavaScript code via the administration...
Serendipity 2.0.3: From File Upload to Code Execution
RIPS Analysis The analysis of Serendipity with RIPS took 67 seconds to complete. The total number of issues is reasonable for a web application of this size. Most of the 36 low-severity issues detected are information leakage issues, for example, when an error message leaks the DBMS of a...