WARNING: WordPress File Delete to Code Execution
Who is affected According to W3Techs, WordPress is used by approximately 30% of all websites [1]. This wide adoption makes it an attractive target for cyber criminals. At the time of writing, no patch preventing the vulnerability described in this post is available. Any WordPress version, including t...
RIPS becomes Joomla! Official Code Analysis Partner
RIPS and Joomla are pleased to announce a new partnership where Joomla will be using RIPS industry leading code analysis solution to continuously scan the Joomla code base for tangible security vulnerabilities and weaknesses. For RIPS, this deployment represents a milestone, serving one of the...
Evil Teacher: Code Injection in Moodle
Impact - Who can exploit what? An attacker must be assigned the teacher role in a course of a Moodle version earlier than 3.5.0 running with the default configuration. Escalating to this role via another vulnerability, such as XSS, would also be possible. Given these requirements and the knowledge ...
RIPS Integration into Jenkins CI with Pipeline Support
Pipelines The Pipeline approach is a more developer friendly method to define the build and test process of a project. It is as easy as placing a file named Jenkinsfile into your project which contains all the configuration. This is well known from other build tools like Docker or make and improv...
A Salesman's Code Execution: PrestaShop 1.7.2.4
The Impact With more than 270,000 running instances, PrestaShop is one of the top 10 most used content management systems on the Web. In addition to the classic software download, PrestaShop Ready offers to rent an online shop and to get administrative access to a pre-hosted PrestaShop...
PHP Code Quality Testing with RIPS 2.9.0
Code Quality VS. Exploitable Vulnerabilities There are many different perceptions of a "vulnerability" among the various tools available. What we at RIPS Technologies rank as a minor code quality issue is often reported as a high-severity vulnerability by other vendors. The reason for this are...
LimeSurvey 2.72.3 - Persistent XSS to Code Execution
See RIPS Scan Report Unauthenticated Persistent Cross-Site Scripting LimeSurvey 2.72.3 is prone to a persistent cross-site scripting vulnerability that is exploitable by unauthenticated users. When submitting a public survey, the Continue Later feature allows users to save their...
Ensure Application Security with Zend Server and RIPS
Zend Server is the ultimate and most secure software platform for deploying, monitoring, debugging, maintaining, and optimizing enterprise PHP applications. It also helps to keep the technology stack up-to-date and to avoid security risks that stem from outdated components. However, most of the...
Integrate Security Checks with RIPS CLI
Getting started Installation The installation of rips-cli is described in detail in our documentation. You can download the PHAR build of our CLI tool into your bin directory and make it executable with the following commands: sudo wget...
Privilege Escalation in 2.3M WooCommerce Shops
Who is affected Installations with the following requirements are affected by this vulnerability: WooCommerce version <= 3.2.4, WordPress version <= 4.8.3. Impact - What can an attacker do The vulnerability discussed in the following can only be exploited by an attacker that already benefits from some...
Integrate Security Testing into PhpStorm
New State-of-the-Art Reduces Costs Typically, application security testing is performed after the source code has already been committed to the source code repository. For example, a security scan is performed manually before deployment, or continuous integration is used that automatically tests the...
Joomla! 3.8.3: Privilege Escalation via SQL Injection
Who is affected Installations with the following requirements are affected by this vulnerability: Joomla! version <= 3.8.3 and >= 3.7.0. For exploitation an attacker needs to be authenticated to the Joomla! backend with a Manager account. This user group is available by default in Joomla! and has...
CubeCart 6.1.12 - Admin Authentication Bypass
I Forgot My Password! Both vulnerabilities are exploitable through CubeCart's "I forgot my Password!" functionality. It is implemented in the file classes/cubecart.class.php, in the method recovery. When a user has forgotten their password, they can use this feature to enter their email address, a valid passwo...
PHP Security Advent Calendar 2017 Wrap-Up
The Challenges We presented a variety of interesting and partly obscure security bugs in as little code as possible such that a challenge can be solved during a coffee break. Some challenges addressed beginners in security, others were more advanced. Next to different vulnerability types, we...
PHP Security Advent Calendar 2017
The end of the year is coming closer and the cheerful advent time begins. We are looking back at a spectacular year and it is time to thank and give back to the great PHP, infosec, and RIPS community. Thank you for developing, auditing, and securing your PHP applications with us in 2017! Similar to...
WordPress Plugin Vulnerabilities 2017 VS. Static Analysis
WordPress is used by 29.0% of all websites [1]. Due to its wide adoption, the security of WordPress plugins in particular has moved into the focus of cyber criminals. Often, the plugins provided by third parties do not share the same level of security as the WordPress core itself. Security...
Shopware 5.3.3: PHP Object Instantiation to Blind XXE
Who is affected Installations with the following requirements are affected by these vulnerabilities: Shopware version <= 5.3.3 and >= 5.1. Impact - What can an attacker do In order to exploit the found vulnerabilities an attacker needs to be able to use the backend functionality of Shopware, specifically...
Security Analysis with Bamboo Plugin
Build Management with Bamboo In the process of continuous integration, a code repository is automatically built and tested by a CI service when code is pushed or committed to the repository. This enables automated testing, tracking, and reporting of build errors and boosts the productivity of...
flatCore CMS 1.4.6: Remote Code Execution and Easteregg
RIPS Analysis The 74,000 lines of code of the flatCore CMS were analyzed in less than 3 minutes. RIPS discovered multiple vulnerabilities ranging from open redirection CVE-2017-11205 and cross-site scripting CVE-2017-11204 to SQL injection CVE-2017-11207, many of them being exploitable as...
Joomla! 3.7.5 - Takeover in 20 Seconds with LDAP Injection
Requirements - Who is affected Joomla! powers about 3.3% of all websites. Installations with the following requirements are affected by this vulnerability: a Joomla! version from 1.5 up to and including 3.7.5 is installed, and Joomla! is configured to use LDAP for authentication. This is not a configuratio...
SugarCRM's Security Diet - Multiple Vulnerabilities
SugarCRM is available as a commercial edition and as an open-source community edition and is used by more than 2 million individuals in over 120 countries to manage sensitive customer data [1]. Lately its security attracted attention after a researcher reported multiple security issues in the code ...
How To Automate Security Analysis with the RIPS API
RIPS API RIPS exposes a powerful REST-API, an interface specifically designed for developers and their applications. It is used to provide the web interface with analysis results, to start scans through plugins, to manage users, and much more. In short, the API enables easy automation of all RIPS...
Security Analysis with SonarQube Plugin
SonarQube Figure 1: The SonarQube dashboard lists security vulnerabilities detected by RIPS code analysis. Global organizations use SonarQube to concentrate different quality analysis tools in one place for easy management, maintenance, and learning from findings. Seasoned developers are...
How security flaws in PHP's core can affect your application
PHP Version Usage At the time of writing, the statistics from W3Techs show that 93% of all PHP websites use PHP version 5, and only about 6% use its new successor PHP 7. For each of those major PHP versions several release branches are maintained. Each release branch is actively supported for two...
Why mail() is dangerous in PHP
During our Advent of PHP Application Vulnerabilities, we reported a remote command execution vulnerability in the popular webmailer Roundcube (CVE-2016-9920). This vulnerability allowed a malicious user to execute arbitrary system commands on the targeted server by simply writing an email via the...
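As an added example (not code from the RIPS post or from Roundcube), the snippet below shows the general hazard behind the headline "Why mail() is dangerous": PHP's mail() takes a fifth argument, additional_parameters, that is passed as command-line options to the configured sendmail binary. If request data reaches that argument, an attacker can inject sendmail flags such as -X (write a log file) or -O (set options such as the queue directory). The function names and the sample payload are hypothetical.

```php
<?php
// Added example: user-controlled fifth argument to mail() versus a
// hardened variant. Names are hypothetical; the payload is constructed.

// VULNERABLE: $from comes straight from the request and is reused as the
// envelope sender via "-f$from". PHP passes this string as command-line
// options to sendmail, so extra flags smuggled into $from are honoured.
function send_vulnerable(string $to, string $subject, string $body, string $from): bool
{
    return mail($to, $subject, $body, "From: $from", "-f$from");
}

// HARDENED: request data never reaches the fifth argument; the envelope
// sender is a fixed server-side address. Addresses are still validated and
// CR/LF is rejected to block header injection, but note that validation
// alone is not sufficient: a quoted local part such as "a b"@example.com
// may pass FILTER_VALIDATE_EMAIL while still containing spaces, so the
// decisive fix is keeping $from out of additional_parameters entirely.
function send_hardened(string $to, string $subject, string $body, string $from): bool
{
    foreach ([$to, $from] as $addr) {
        if (filter_var($addr, FILTER_VALIDATE_EMAIL) === false) {
            throw new InvalidArgumentException("invalid address: $addr");
        }
    }
    if (preg_match('/[\r\n]/', $subject . $from) === 1) {
        throw new InvalidArgumentException("CR/LF in header value");
    }
    // Hypothetical fixed bounce address; adjust for your deployment.
    return mail($to, $subject, $body, "From: $from", '-fbounces@example.com');
}

// Constructed attacker input: a valid-looking address followed by sendmail
// options that would make the vulnerable variant write a log file into the
// web root. The hardened variant rejects it before mail() is ever called.
$payload = 'attacker@example.com -OQueueDirectory=/tmp -X/var/www/html/log.php';
try {
    send_hardened('victim@example.com', 'hello', 'body', $payload);
    echo "accepted\n";
} catch (InvalidArgumentException $e) {
    echo "rejected: " . $e->getMessage() . "\n";
}
```

When auditing code, grep for every mail() call with a fifth argument and trace where that argument originates; any path from request data to it is a command-line injection into sendmail, regardless of how the address is otherwise validated.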
What's new in RIPS 2.0.0?
The new release RIPS 2.0.0 includes the following major changes: a completely new interface with optimized performance (demo.ripstech.com); a new extensive REST API for full feature automation (api.ripstech.com); team and user privilege management; application-specific analysis profiles; more detailed code...
What we learned from our Advent Calendar
Vulnerability Types In this year's Advent of PHP Application Vulnerabilities (APAV), we examined 36 critical security issues which were detected in 19 different PHP applications by our code analysis solution RIPS. We presented a multitude of critical security issues found in widely-used open-source...
e107 2.1.2: SQL Injection through Object Injection
RIPS Analysis The e107 CMS consists of 317,356 lines of code and was analyzed in about 2 minutes. Many of the vulnerabilities found by RIPS are exploitable, with a few exceptions. The main reason for this is that e107 contains a lot of unused code from previous releases and thus not all affect...
Security Compliance with Static Code Analysis
NOTE: This blog post is outdated. For an updated list of supported compliance requirements please visit our website. PCI DSS The Payment Card Industry Data Security Standard, short PCI DSS, specifies 12 requirements for the safe handling of credit card information. The specifications were...
AbanteCart 1.2.8 - Multiple SQL Injections
RIPS Analysis The analysis with RIPS of the well over 200,000 lines of code took 4 minutes to complete. The most critical issues were primarily located in the language manager of the application and could thus be fixed as a bundle. The truncated analysis results are available in our RIPS demo...
Kliqqi 3.0.0.5: From Cross-Site Request Forgery to Code Execution
RIPS Analysis RIPS analysis of the 77,000 lines of Kliqqi code took only 31 seconds to complete and was able to discover several risks within the application. There were no critical vulnerabilities found directly but it is possible to escalate one high-rated security issue to a critical one - as ...
osClass 3.6.1: Remote Code Execution via Image File
RIPS Analysis RIPS was able to scan the 156,000 lines of code in just 23 seconds. Looking at the scan results, a high number of vulnerabilities were detected in this project, with high-rated vulnerabilities in particular dominating. However, there is no critical-rated vulnerability found on th...
Continuous Integration - Jenkins at your service
How Continuous Integration works Continuous integration is the process of - as the name suggests - continually merging all parts of code changed by developers. The main purpose of CI is to achieve better productivity and code integrity by using a shared code repository which is automatically buil...
OpenConf 5.30 - Multi-Step Remote Command Execution
RIPS Analysis An early prototype of RIPS detected the issues described in the following in roughly 24,000 lines of code. OpenConf suffered mainly from a few SQL injection vulnerabilities, as well as reflected and persistent cross-site scripting issues. In the following, we focus on the combinatio...
Redaxo 5.2.0: Remote Code Execution via CSRF
RIPS Analysis When inspecting the charts generated by RIPS, a code execution vulnerability marked as critical catches our eye. Investigating this issue more closely quickly reveals that the vulnerability lies in the administrator panel, seemingly nullifying the severity of the vulnerability. We will se...
Guest Post: Vtiger 6.5.0 - SQL Injection
RIPS Analysis RIPS analyzed the 27,371 files with around 650,000 lines of code in only 6 minutes. Due to the nature of a CRM system, it is necessary to have a valid user account to access any of the provided features. Nevertheless, the discovered issues allowed low-privileged users to access high...
The State of WordPress Security
Statistics Before we start analyzing the vulnerabilities, let us have a look at the general statistics to understand what the results really indicate. Our scan includes all plugins that are hosted in the official WordPress repository [1] and have at least one PHP file. If there are releases, we use...
phpBB 2.0.23 - From Variable Tampering to SQL Injection
RIPS Analysis The phpBB2 forum consists of only 50,000 lines of code and RIPS took only 19 seconds to complete its in-depth security analysis. It found various PHP object injection vulnerabilities which are less severe due to missing gadget chains. Further, many SQL injections are reported du...
Teampass 2.1.26.8: Unauthenticated SQL Injection
RIPS Analysis RIPS was able to analyze the whole project consisting of 140,000 lines of code in only 25 seconds, uncovering a lot of severe security vulnerabilities. The two main types of issues were SQL injection and file inclusion. Luckily, most of the SQL injections were found in the installati...
Rescanning Applications with RIPS
Benefits One of the most important things in modern application development is to think about security in every step of the development lifecycle. From the start of development right up until the continued deployment of patches and features, security is important in all stages of a...
Non-Exploitable Security Issues
Invalid Code The following code was found in the XOOPS project. User input is saved in the variable $filter and then used in a call to eval - a security nightmare. image.php: $filter = isset($_GET['filter']) ? $_GET['filter'] : false; $destination_image = imagecreatetruecolor($tn_width, $tn_height);...
Precurio 2.1: Remote Command Execution via Xinha Plugin
RIPS Analysis RIPS detected many security vulnerabilities, such as SQL injection and cross-site scripting issues. In order to exploit most of these vulnerabilities in Precurio's code base, a user account is required. Precurio also includes a lot of third-party code though that is directly...
PHPKit 1.6.6: Code Execution for Privileged Users
RIPS Analysis Within only 24 seconds, the analysis with RIPS completed and uncovered critical security vulnerabilities, mainly in the administration section of the application. As we demonstrated in multiple previous calendar posts, these vulnerabilities can be chained with other vulnerabilities...
Serendipity 2.0.3: From File Upload to Code Execution
RIPS Analysis The analysis of Serendipity with RIPS took 67 seconds to complete. The total amount of issues is reasonable for a web application of this size. Most of the 36 low-severity issues detected are information leakage issues, for example, when an error message leaks the DBMS of a...
Roundcube 1.2.2: Command Execution via Email
The mirror on SourceForge counts more than 260,000 downloads for Roundcube in the last 12 months [1], which is only a small fraction of the actual users. Once Roundcube is installed on a server, it provides a web interface for authenticated users to send and receive emails with their web browser. RIP...
Expression Engine 3.4.2: Code Reuse Attack
RIPS Analysis The analysis with RIPS took about 4 minutes. Overall, the code of Expression Engine seems to be very robust. Still our analysis results point out some vulnerabilities. RIPS detected mainly possibilities for a malicious user to embed HTML and JavaScript code via the administration...
Introducing the RIPS analysis engine
History 2007 - 2009 Almost 10 years ago, a simple PHP scanner was developed during the then increasingly popular Capture The Flag (CTF) hacking battles between university teams. The scanner was based on regular expressions and identified simple connections between user input that is first assigned to a variable and th...
eFront 3.6.15: Steal your professor's password
RIPS Analysis Our SAST tool RIPS analyzed the whole application in only 1m 32s and uncovered many severe security issues. Most of them are straightforward SQL injections that can be used to extract confidential user data, such as passwords, private messages, course results, and personal...
Coppermine 1.5.42: Second-Order Command Execution
RIPS Analysis The analysis with RIPS took only 53 seconds to complete and it uncovered a lot of security vulnerabilities - although most of them require authentication. Nonetheless, these issues are severe because they can be combined with other security vulnerabilities that allow an attacker to...
FreePBX 13: From Cross-Site Scripting to Remote Command Execution
RIPS Analysis The total amount of detected vulnerabilities is very high. Luckily, the majority of the detected vulnerabilities are inside the administration control panel, such that attackers either need to steal a valid account first or they have to trick an administrator into visiting a malicio...