38 matches found
5 things to consider in performance comparisons
Most people can probably relate to asking a child to handle a chore, only to have the kid come back way too soon, saying it's done. Or maybe you can relate to being that child. Either way, you know what comes next: checking shows the job was handled poorly, and it all goes downhill from there. It...
Review your security vulnerabilities in GitHub with code scanning alerts
Today, for GitHub repositories, our SAST analysis provides fast, precise security feedback directly inside your pull requests. You instantly know how many vulnerabilities are detected and, until now, you would systematically go to SonarCloud to start investigating. Not anymore. From this point...
Horde Webmail 5.2.22 - Account Takeover via Email
Horde Webmail is a free, enterprise-ready, and browser-based communication suite developed by the Horde project. It is a popular webmail solution for universities and government agencies to exchange sensitive email messages on a daily basis. It is also shipped as part of the popular hosting...
Zabbix - A Case Study of Unsafe Session Storage
Introduction Zabbix is a very popular open-source monitoring platform used to collect, centralize and track metrics like CPU load and network traffic across entire infrastructures. It is very similar to solutions like Pandora FMS and Nagios. Because of its popularity, features and its privileged...
WordPress < 5.8.3 - Object Injection Vulnerability
At the time of writing, WordPress powers 43% of websites on the Internet. Its simplicity and robustness enable millions of users to host their blog, eCommerce site, forum, or static website. To protect its users, several security hardening mechanisms were introduced to the code base in the past. ...
How to restrict XXE resolving?
In my last post, we saw how to configure XML parsers to globally disable XXE declarations and expansions. It was an easy but strict solution that might be difficult to implement in your project. So today, I’ll talk about how to restrict XXE precisely. Again, our code examples will be mainly in Ja...
How to disable XXE processing?
In my last post I talked about XXE vulnerabilities found on popular open-source projects and more generally how to assess this type of issue. Today, I’ll talk about the different strategies to disable XXE processing. External XXE and internal entities are useful for building concise XML documents...
Don't be afraid of XXE vulnerabilities: understand the beast and how to detect them
Today XML External Entities XXE vulnerabilities are still ubiquitous, despite the fact that recommendations to protect against them have been an integral part of security standards for years. In this post, the first in a series of three blog posts, we will try to demystify XXE vulnerabilities and...
WordPress 5.8.2 Stored XSS Vulnerability
WordPress is the world’s most popular content management system that, according to w3techs, is used by over 40% of all websites. This wide adoption makes it a top target for cyber criminals who seek to compromise high-traffic websites or infect as many web servers as possible. Its code is heavily...
Vulnerability Research Highlights 2021
At SonarSource we are constantly improving our code analyzers to help developers write Clean Code. The detection of severe code vulnerabilities plays an important role in this process so that applications are protected from attacks and security breaches. For this same reason, our research team...
‘Quick Fix’ your C++ issues with SonarLint
When the team decided to implement quick fixes for C++, we committed to bringing value to the C++ user by providing more than what they had today. It appears we found multiple ways to do that. First, by providing an enhanced version of the checks natively available through the IDE and other...
Modernizing your code with C++20
C++20 is here! In fact, as we head towards 2022, it’s been here a while. It may surprise some, but we’re only a few months from a freeze on new proposals for C++23! But let’s not get ahead of ourselves. C++20 is a big release - at least the biggest since C++11 - some have said it's the biggest...
NodeBB 1.18.4 - Remote Code Execution With One Shot
Message forums are used by many companies and open source projects to exchange with their users. NodeBB is the leading JavaScript-based forum solution, having over 12k stars on GitHub. Several popular companies are using NodeBB to establish a community around their flagship products. During recen...
Code Security Advent Calendar 2021
We are happy to announce our sixth consecutive Code Security Advent Calendar! Born at RIPS in 2016, each calendar comprises 24 little code puzzles containing hidden security vulnerabilities that wait to be spotted. This is our way to share good vibes with the community while learning and having f...
10 Unknown Security Pitfalls for Python
Python developers trust their applications to have a solid security state due to the use of standard libraries and common frameworks. However, within Python, just like in any other programming language, there are certain features that can be misleading or misused by developers. Often it is only a...
SmartStoreNET - Malicious Message leading to E-Commerce Takeover
SmartStoreNET is the leading open-source e-commerce platform for .NET, which makes it suitable for companies running Windows Server. Next to the operation of an online business, it offers advanced features, such as CRM tools, a blog and a forum. As a result, a SmartStoreNET instance handles highl...
Agent 007: Pre-Auth Takeover of Build Pipelines in GoCD
GoCD, written in Java, is a popular CI/CD solution with a large range of users from NGOs to Fortune 500 companies with billions of dollars in revenue. Naturally, this makes it a critical piece of infrastructure and an extremely attractive target for attackers. In order to automate build and relea...
Meet the new project experience for SonarCloud
We are very pleased to announce that we have released a new project experience. It’s now available in SonarCloud for all users. You’ll notice a few improvements the next time you open SonarCloud. We’re going to tell you more about what this makeover is about in this article. You may be wondering...
Squirrel Sandbox Escape allows Code Execution in Games and Cloud Services
SquirrelLang is an interpreted, open-source programming language that is used by video games and cloud services for customization and plugin development. For example, the extremely popular game Counter-Strike: Global Offensive CS:GO attracts millions of players on a monthly basis and utilizes the...
Supercharge your C++ analysis with SonarLint for CLion
Earlier this year we launched the support for C and C++ in SonarLint for CLion to address quality and security issues for your C/C++ projects. Since then, the team has continued to bring even greater value to the C and C++ users, continuing our mission to empower the community to deliver code tha...
Modernize Code Quality with ‘Quick Fixes’
Delivering functional code that is reliable, safe, and on schedule is a high priority for most development teams. And you’ll agree that the earlier in your workflow you address quality and security issues, the better and cheaper!. Today, I’d like to give you a quick tour of how you can maximize...
Cachet 2.4: Code Execution via Laravel Configuration Injection
Status pages are now an essential service offered by all Software-as-a-Service companies we do it too!. To help their adoption, startups quickly conceived status pages as-a-service, and open-source self-hosted alternatives were made available. Cachet, also sometimes referred to as CachetHQ, is a...
Product portals open: we want your input
SonarSource was born from open source software and most of what we do remains FLOSS, so openness and transparency have always been fundamental principles. With a recent change in how we approach product management, we've gone even further. We've recently opened up product portals on Productboard...
Ghost CMS 4.3.2 - Cross-Origin Admin Takeover
Ghost is one of the most popular Node.js-based Content Management Systems CMS. According to the vendor, there are currently more than 2.5 million installs of it and the project has more than 38k stars on GitHub. During our research on open-source applications, we analyzed the code and found a...
Compilation database: An alternative way to configure your C or C++ analysis
Analyzing C or C++ code requires - in addition to the source code - the configuration that is used to build the code. At SonarSource, we have provided a tool to automate the extraction of this information, the build wrapper. This tool has been used successfully with many projects, yet there are...
elFinder - A Case Study of Web File Manager Vulnerabilities
An application’s interaction with the file system is always highly security sensitive, since minor functional bugs can easily be the source of exploitable vulnerabilities. This observation is especially true in the case of web file managers, whose role is to replicate the features of a complete...
Use 3rd-party plugins at your own risk
SonarQube has always had a rich plugin Marketplace, with much of SonarQubes functionality originally delivered as plugins and many additional needs being met by community-maintained plugins. But since October 2019, all SonarSource-provided functionality is bundled with SonarQube. That means any...
Use 3rd-party plugins at your own risk
SonarQube has always had a rich plugin Marketplace, with much of SonarQubes functionality originally delivered as plugins and many additional needs being met by community-maintained plugins. But since October 2019, all SonarSource-provided functionality is bundled with SonarQube. That means any...
Launching ‘Secret Detection’ to keep your Cloud ‘Secrets’ safe
Most digital applications we work on require some type of credentials –– to connect to a database with a username/password, to access computer programs via authorized tokens, or API keys to invoke services for authentication. Credentials a.k.a ‘Secrets’ are pieces of user or system level...
Zimbra 8.8.15 - Webmail Compromise via Email
Zimbra is a popular webmail solution for global enterprises. According to Zimbra, it is used by over 200,000 businesses and over a thousand government & financial institutions to exchange emails between millions of users every day. When attackers get access to an employees email account, it often...
Clean As You Code essentials - What are Quality Profiles and Quality Gates?
In this blog, well focus on rules, Quality Profiles and Quality Gates. These elements are the building blocks of an effective Clean As You Code strategy. After reading this article, you’ll have a better understanding of what they are and how they’re used in the pursuit of clean, quality code for...
Etherpad 1.8.13 - Code Execution Vulnerabilities
Etherpad is one of the most popular online text editors that allows collaborating on documents in real-time. It is customizable with more than 250 plugins available and features a version history as well as a chat functionality. There are thousands of instances deployed worldwide with millions of...
Know where your project stands with the new project overview!
In late April, I introduced the new project experience for SonarCloud, which has already been adopted by a lot of you. Today, we’re adding a brand new project overview page! We can’t wait for you to try it! Let’s discover what’s inside in this blog. Your project status & activity all in one place...
Enterprise-ready: Authentication & Authorization with SonarQube (LDAP, SSO & more)
Enterprise-ready is a series of posts focused on Enterprise expectations. You’ll discover features built on top of our developer-first foundations, that enable usage of our products at scale, and allow for company-wide adoption of Code Quality & Code Security best-practices In this first post of...
CiviCRM 5.22.0 - Code Execution Vulnerability Chain Explained
During our vulnerability research on the largest CMS systems we came across CiviCRM last year. It’s an open source CRM plugin for the most popular CMS systems like Wordpress, Joomla, Drupal, and Backdrop. CiviCRM is specifically designed for the needs of non-profit, non-governmental, and advocacy...
7 more reasons to upgrade to SonarQube 8.9 LTS
SonarQube v8.9 LTS was just released and we hope you’ve already seen our announcement and are working on your upgrade! A new SonarQube LTS represents a huge amount of work. Since the release of the previous SonarQube LTS v7.9, in November 2019, there have been over 5200 development tickets merged...
Broken pipelines for everyone!
With SonarQube 8.9 LTS, SonarSource has made failing the pipeline available for everyone, using any CI you want. For people watching for a long time, this might seem like a contradiction. Let me explain. Yes, we have gone back and forth for a while on this feature, but the user community has...
Grav CMS 1.7.10 - Code Execution Vulnerabilities
In the lineage of most recent flat-file PHP CMS, Grav CMS is a modern web platform to build fast, safe and extensible websites. It uses a modern technology stack with Twig, Symfony and Doctrine, and offers an administration dashboard that allows managing the whole website structure, pages, static...