CVE-2020-8816 – Pi-hole Remote Code Execution
https://natedotred.wordpress.com/2020/03/28/cve-2020-8816-pi-hole-remote-code-execution/ [natedotred.wordpress.com]
2020-05-28 17:33
tags:
exploit
php
sh
web
Pi-hole is affected by a Remote Code Execution vulnerability. An authenticated user of the Web portal can execute arbitrary commands on the underlying server with the privileges of the local user executing the service. Exploitation of this vulnerability can be automated.
Neat trick to get around input restrictions:
Luckily for us, the PATH contains the strings “pihole” and “usr” which in turn contains the “p”, “h” and “r” lower-case characters. Those are the only letters we need to write “php -r”.
source: HN
Security alert: pipdig insecure, DDoSing competitors
https://www.jemjabella.co.uk/2019/security-alert-pipdig-insecure-ddosing-competitors/ [www.jemjabella.co.uk]
2019-04-01 08:15
tags:
business
investigation
malware
php
web
WordPress 5.1 CSRF to Remote Code Execution
https://blog.ripstech.com/2019/wordpress-csrf-to-rce/ [blog.ripstech.com]
2019-03-14 05:45
tags:
exploit
html
php
security
web
An attacker can take over any WordPress site that has comments enabled by tricking an administrator of a target blog to visit a website set up by the attacker. As soon as the victim administrator visits the malicious website, a cross-site request forgery (CSRF) exploit is run against the target WordPress blog in the background, without the victim noticing. The CSRF exploit abuses multiple logic flaws and sanitization errors that when combined lead to Remote Code Execution and a full site takeover.
source: white
Ending PHP Support, and The Future Of Hack
https://hhvm.com/blog/2018/09/12/end-of-php-support-future-of-hack.html [hhvm.com]
2018-09-13 17:40
tags:
php
update
Ultimately, we recommend that projects either migrate entirely to the Hack language, or entirely to PHP7 and the PHP runtime.
source: L
An Incomparable Event
https://thedailywtf.com/articles/an-incomparable-event [thedailywtf.com]
2018-08-01 16:27
tags:
intro-programming
javascript
php
type-system
For example, do you hate comparisons? Does writing if ($x == $y)… make your skin crawl? Don’t you just wish you could write something like, compareValues($x, $y, '==') instead?
The JavaScript version is attempting to create good from eval, which never works, and it breaks the D&D alignment chart.
WDMyCloud Multiple Vulnerabilities
http://gulftech.org/advisories/WDMyCloud%20Multiple%20Vulnerabilities/125 [gulftech.org]
2018-01-06 23:08
tags:
auth
exploit
ioshit
networking
php
security
storage
Several serious security issues were uncovered during my research, such as pre-auth remote root code execution, as well as a hardcoded backdoor admin account which can NOT be changed. The backdoor also allows for pre-auth remote root code execution on the affected device.
source: L
PAST: Platform-Agnostic Security Tokens
https://github.com/paragonie/past [github.com]
2018-01-04 20:34
tags:
auth
library
php
release
security
web
PAST (Platform-Agnostic Security Tokens) is a specification and reference implementation for secure stateless tokens.
Unlike JSON Web Tokens (JWT), which gives developers more than enough rope with which to hang themselves, PAST only allows secure operations. JWT gives you “algorithm agility”, PAST gives you “versioned protocols”. It’s incredibly unlikely that you’ll be able to use PAST in an insecure way.
source: L
WordPress WPDB SQL Injection
https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html [blog.ircmaxell.com]
2017-11-03 16:20
tags:
exploit
php
programming
security
sql
web
The correct fix is to ditch this whole prepare mechanism (which returns a string SQL query). Do what basically everyone else does and return a statement/query object or execute the query directly. That way you can’t double-prepare a string.
Joomla! 3.7.5 - Takeover in 20 Seconds with LDAP Injection
https://blog.ripstech.com/2017/joomla-takeover-in-20-seconds-with-ldap-injection-cve-2017-14596/ [blog.ripstech.com]
2017-09-24 04:19
tags:
auth
exploit
php
security
web
By using wildcard characters and by observing different authentication error messages, the attacker can literally search for login credentials progressively by sending a row of payloads that guess the credentials character by character.
source: solar
php_mt_seed - PHP mt_rand() seed cracker
http://www.openwall.com/php_mt_seed/ [www.openwall.com]
2017-08-26 00:26
tags:
links
php
random
security
Plus a great collection of links and references.
source: solar
Example scripts that cause segfaults in PHP
https://github.com/hannob/php-crashers [github.com]
2017-06-16 20:34
tags:
compiler
php
programming
I liked this one.
A __clone() function that calls clone on the object itself, causing a recursion.
source: L
Hacking the Western Digital MyCloud NAS
https://blog.exploitee.rs/2017/hacking_wd_mycloud/ [blog.exploitee.rs]
2017-03-05 20:14
tags:
exploit
ioshit
networking
php
security
storage
web
I quickly found the first bug that shocked me; this bug was based on code that performed a user login check but did so using cookies or PHP session variables.
source: grugq
Cryptographically Secure PHP Development
https://paragonie.com/blog/2017/02/cryptographically-secure-php-development [paragonie.com]
2017-02-11 00:48
tags:
php
programming
security
web
While working on sodium_compat, our pure-PHP implementation of libsodium, it has come to our attention that a lot of the engineering decisions we’ve made to minimize the risk of side-channels aren’t well-known outside of our development team.
source: HN
Let's Make 2017 the Year of Simply Secure PHP Cryptography
https://paragonie.com/blog/2017/01/let-s-make-2017-year-simply-secure-php-cryptography [paragonie.com]
2017-01-12 16:49
tags:
crypto
library
php
release
security
web
Although adding libsodium to the newest version of PHP will significantly improve the software written in 2018 and beyond, it doesn’t do a lot of good for the software that powers a third of all websites on the Internet today.
And thus, a polyfill backport.
PHPMailer < 5.2.20 Remote Code Execution (0day Patch Bypass/exploit)
https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass.html [legalhackers.com]
2016-12-29 07:13
tags:
bugfix
exploit
php
security
web
The State of Wordpress Security
https://blog.ripstech.com/2016/the-state-of-wordpress-security/ [blog.ripstech.com]
2016-12-14 21:09
tags:
php
security
web
While many plugins do not contain vulnerabilities at all because of their small size, the ones that do have issues have a lot of them.
Plus pretty graphs.
Roundcube 1.2.2: Command Execution via Email
https://blog.ripstech.com/2016/roundcube-command-execution-via-email/ [blog.ripstech.com]
2016-12-06 22:44
tags:
exploit
php
security
web
Shell injection via improper escaping.