Pi-hole is affected by a Remote Code Execution vulnerability. An authenticated user of the Web portal can execute arbitrary command with the underlying server with the privileges of the local user executing the service. Exploitation of this vulnerability can be automated.

Neat trick to get around input restrictions:

Luckily for us, the PATH contains the strings “pihole” and “usr” which in turn contains the “p”, “h” and “r” lower-case characters. Those are the only letters we need to write “php -r”.

source: HN

pipdig, one of the biggest WordPress theme providers to bloggers, is distributing code dressed up as the “pipdig Power Pack” plugin which amongst other things:

... does bad stuff.

More: https://www.wordfence.com/blog/2019/03/peculiar-php-present-in-popular-pipdig-power-pack-plugin/

source: HN

An attacker can take over any WordPress site that has comments enabled by tricking an administrator of a target blog to visit a website set up by the attacker. As soon as the victim administrator visits the malicious website, a cross-site request forgery (CSRF) exploit is run against the target WordPress blog in the background, without the victim noticing. The CSRF exploit abuses multiple logic flaws and sanitization errors that when combined lead to Remote Code Execution and a full site takeover.

source: white

Ultimately, we recommend that projects either migrate entirely to the Hack language, or entirely to PHP7 and the PHP runtime.

source: L

For example, do you hate comparisons? Does writing if ($x == $y)… make your skin crawl? Don’t you just wish you could write something like, compareValues($x, $y, ’==’) instead?

The JavaScript version is attempting to create good from eval, which never works, and it breaks the D&D alignment chart.

Several serious security issues were uncovered during my research. Vulnerabilities such as pre auth remote root code execution, as well as a hardcoded backdoor admin account which can NOT be changed. The backdoor also allows for pre auth remote root code execution on the affected device.

source: L

PAST (Platform-Agnostic Security Tokens) is a specification and reference implementation for secure stateless tokens.

Unlike JSON Web Tokens (JWT), which gives developers more than enough rope with which to hang themselves, PAST only allows secure operations. JWT gives you “algorithm agility”, PAST gives you “versioned protocols”. It’s incredibly unlikely that you’ll be able to use PAST in an insecure way.

source: L

The correct fix is to ditch this whole prepare mechanism (which returns a string SQL query). Do what basically everyone else does and return a statement/query object or execute the query directly. That way you can’t double-prepare a string.

By using wildcard characters and by observing different authentication error messages, the attacker can literally search for login credentials progressively by sending a row of payloads that guess the credentials character by character.

source: solar

Plus a great collection of links and references.

source: solar

I liked this one.

A __clone() function that calls clone on the object itself, causing a recursion.

source: L

I quickly found the first bug that shocked me, this bug was based on code that performed a user login check but did so using cookies or PHP session variables.

source: grugq

While working on sodium_compat, our pure-PHP implementation of libsodium, it has come to our attention that a lot of the engineering decisions we’ve made to minimize the risk of side-channels aren’t well-known outside of our development team.

source: HN

Although adding libsodium to the newest version of PHP will significantly improve the software written in 2018 and beyond, it doesn’t do a lot of good for the software that powers a third of all websites on the Internet today.

And thus, a polyfill backport.

First fix didn’t take. Shell quoting is hard. Just don’t.

Previously: https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html

Also: https://legalhackers.com/advisories/SwiftMailer-Exploit-Remote-Code-Exec-CVE-2016-10074-Vuln.html

While many plugins do not contain vulnerabilities at all because of its small size, the ones that do have issues, have a lot of them.

Plus pretty graphs.

Shell injection via improper escaping.