Thank you, and goodbye (for now)
I will no longer be offering private code audits or conducting any public vulnerability research of any kind for the foreseeable future. This is due to certain contractual obligations that I have with my current employer. This is of course not a bad thing though, as I love my work, and all of my co-workers are great people (and very talented!). Thanks for reading my advisories over the years, and thanks to all of the developers who I've worked with to help make their software more secure. If you are looking to have your web application source code audited, I highly recommend SektionEins, they're the best you will find.

WebSVN <= 2.0 Multiple Vulnerabilities
October 20, 2021
WebSVN is an online SVN repository viewer. The description
taken from the project website reads "WebSVN offers a view
onto your subversion repositories that's been designed to
reflect the Subversion methodology. You can view the log of
any file or directory and see a list of all the files changed,
added or deleted in any given revision. You can also view the
differences between 2 versions of a file so as to see exactly
what was changed in a particular revision." Unfortunately
there are several issues in WebSVN that may allow an attacker
to conduct cross site scripting attacks and create arbitrary
files. There is also a code execution issue in the v1 branch.

AEF Forum <= 1.0.6 Remote Code Execution
September 20, 2021
Advanced Electron Forum, also known as AEF Forum, is a full featured
online forum system written in php that allows webmasters and site
owners to host their own discussion forums within their website.
The Advanced Electron Forum software comes bundled with the popular
MKPortal package, but is also available as a free stand alone forum.
Unfortunately there are multiple remote code execution issues within
AEF that allow an attacker to execute arbitrary php code with the
privileges of the affected webserver. This is due to the improper
handling of evaluated bbcode within AEF Forum. Users should upgrade
their forums as soon as possible.

UBB.threads <= 7.3.1 SQL Injection
September 8, 2021
UBB.threads is a popular online forum system written in php that
allows webmasters and site owners to host their own discussion
forums within their website. Unfortunately UBB.threads is vulnerable
to an SQL Injection in its search functionality that may allow
an attacker to execute arbitrary SQL queries on the underlying database.
An updated version of UBB.threads has been released to address this issue
and users should upgrade as soon as possible.

Zen Cart <= 1.3.8a SQL Injection
September 4, 2021
Zen Cart is a full featured open source ecommerce web application written
in php that allows users to build, run and promote their own online store.
Unfortunately there are multiple SQL Injection issues in Zen Cart that may
allow an attacker to execute arbitrary SQL queries on the underlying database.
This may allow for an attacker to gather username and password information,
among other things. An updated version of Zen Cart has been released to
address these issues and users are encouraged to upgrade as soon as possible.

CS-Cart <= 1.3.5 SQL Injection
September 2, 2021
CS-Cart is a full featured online ecommerce application written
in php that allows users to build, run and promote an online store.
There is unfortunately a fairly serious SQL Injection issue within
CS-Cart that can be used to easily take over user and administrator
accounts, as well as to retrieve arbitrary data from the database.
The CS-Cart team have released an updated version of CS-Cart to resolve
this issue, and users should upgrade as soon as possible.

Crafty Syntax Live Help <= 2.14.6 SQL Injection
August 25, 2021
Crafty Syntax Live Help is a full featured, open source, online
support system written in php that allows the visitors of a
website to interact in real time with the site owners. There are
a couple of high risk SQL Injections in Crafty Syntax Live Help
that allow an attacker to read arbitrary database contents
such as user credentials, or administrator credentials. An updated
version of Crafty Syntax Live Help is now available and users
should upgrade as soon as possible.

Vanilla <= 1.1.4 Input Validation Vulnerabilities
August 19, 2021
Vanilla is an open-source, standards-compliant, multi-lingual,
fully extensible web based discussion forum. Unfortunately there
are a couple of issues within Vanilla that allow for a malicious
user to steal client based credentials such as cookies. These
issues include both script injection and cross site scripting.
An updated version of Vanilla has been released and users should
upgrade their Vanilla installation as soon as possible.

SunShop <= 4.1.4 SQL Injection
August 18, 2021
SunShop shopping cart is a full featured ecommerce solution written
in php that allows for web masters to run their own online ecommerce
operation. Unfortunately there are a number of SQL Injection issues
in SunShop that allow for an attacker to have arbitrary access to the
SunShop database where they can access information such as customer
and administrator details. An updated version of SunShop has been
released to address these issues, and users should upgrade soon.

PHP Live Helper Multiple Vulnerabilities
August 16, 2021
PHP Live Helper is an online support system written in php that
allows the visitors of a website to interact in real time with
the site owners. There are a number of issues in PHP Live Helper
that allow for several different attacks such as SQL Injection,
Variable Overwriting, and remote code execution. The issues
require no authentication to exploit, and users are encouraged
to upgrade as soon as possible.

Kayako SupportSuite <= 3.20.02 Multiple Vulnerabilities
August 9, 2021
Kayako SupportSuite is a very popular online eSupport application
that consists of several well known Kayako products such as
Kayako LiveResponse and Kayako eSupport. Unfortunately there are
several security issues in Kayako SupportSuite that may allow for
an attacker to gain access to a staff account and then escalate
their privileges to administrator. These issues include Cross Site
Scripting, Script Injection, and SQL Injection. All of these issues
are resolved in Kayako SupportSuite 3.30 and users should upgrade as
soon as possible.

e107 <= 0.7.11 Arbitrary Variable Overwriting
August 7, 2021
e107 is a popular full featured content management system written
in php. Unfortunately e107 suffers from an arbitrary variable
overwriting issue within its download.php file that allows a number
of possible attacks to happen including, but possibly not limited to,
arbitrary php code execution and SQL Injection. No authentication
is required to exploit the issue and it can be exploited regardless
of php magic quotes settings. All users are encouraged to upgrade
their e107 installations as soon as possible.

Plogger <= 3.0 SQL Injection
August 4, 2021
Plogger is a popular online gallery tool written in php that
allows users to create an online gallery. It is vulnerable to
SQL Injection issues, which also allow for arbitrary file
disclosure since certain data from the returned SQL results is
used as a filename argument when calling file_get_contents().
Together these issues can be used to completely take over the
vulnerable Plogger application. All users should upgrade their
Plogger installations as soon as possible.

Pligg <= 9.9.0 Multiple Vulnerabilities
July 31, 2021
Pligg is a popular open source, full featured, content management
system written in php. There are a number of vulnerabilities
within Pligg that allow for remote file enumeration, file inclusion,
cross site scripting, and sql injection. When combined these issues
allow for remote code execution on the affected installation
via arbitrary php code placed within template files once admin
credentials are gained via SQL Injection.

Gregarius <= 0.5.4 SQL Injection
July 30, 2021
Gregarius is a popular web-based RSS/RDF/ATOM feed aggregator
written in php. There are some SQL Injection issues in Gregarius
that allow for the disclosure of database contents and ultimately
the complete compromise of the Gregarius installation via exposed
admin credentials. It is advised that Gregarius users update their
Gregarius installations as soon as possible.

ViArt Shop <= 3.5 SQL Injection
July 29, 2021
ViArt Shop is a full featured online ecommerce solution written
in php. There is a high risk SQL Injection in ViArt that allows
for an attacker to take over the ViArt installation. This
vulnerability is present regardless of magic_quotes configuration.
An updated version of ViArt has been released and all users are
encouraged to upgrade their ViArt installation as soon as possible.

JamRoom Authentication Bypass
July 28, 2021
Jamroom is a popular online social media cms used to host artist sites
and create music communities. It is vulnerable to a flaw in datatype
comparison that allows for an attacker to bypass the authentication
process completely and gain access to any account with only a username.
This vulnerability has been patched in the latest version of JamRoom and
all users are encouraged to upgrade as soon as possible.

Mambo Authentication Bypass
October 4, 2021
Mambo is a popular Open Source Content Management System released under the GNU General Public license (GNU GPL). There
are unfortunately some serious flaws in Mambo's login feature that allow for authentication bypass. This can be used to
access arbitrary accounts, but even worse can be used to eventually install harmful modules and execute arbitrary php code
on the server running Mambo. The Mambo team have committed fixes for these issues to SVN, and patches are available from the
official Mambo website. Users are encouraged to patch the vulnerable functionality or update their Mambo installation as soon
as possible.

HAMweather Remote Code Execution
September 30, 2021
HAMweather is a popular weather forecasting software that allows webmasters to display detailed
weather forecasts and statistics on their websites. Unfortunately some of the features within
HAMweather allow for an attacker to inject arbitrary php into the application and successfully
execute arbitrary code. Also, because magic_quotes_gpc and register_globals settings are irrelevant
when exploiting this issue, it is that much easier for an attacker to get a remote shell on the
host and possibly mount further attacks on the underlying server. An updated version of HAMweather
has been released and all users are encouraged to upgrade as soon as possible.

CakePHP Framework Arbitrary File Access
September 21, 2021
CakePHP is a RAD (Rapid Application Development) framework for PHP which uses commonly
known design patterns like ActiveRecord, Association Data Mapping, Front Controller
and MVC. Unfortunately CakePHP is vulnerable to an arbitrary file access vulnerability
due to unsafe use of the readfile function that allows for an attacker to read any file
on the system that the webserver has read access to. This could be used to read password
files or sensitive configuration data etc. An updated version of CakePHP has been released
and users are encouraged to upgrade their CakePHP installations as soon as possible.

X-Cart Arbitrary Code Execution
September 18, 2021
X-Cart is a commercial web based eCommerce solution written in PHP and MySQL that allows for
webmasters to host an online marketplace. Unfortunately an attacker may be able to execute
arbitrary php code on an X-Cart installation by overwriting key configuration variables.
However, because the vulnerability allows for any variables to be overwritten other attacks
such as SQL Injection are probably possible as well. Qualiteam have released an updated
version of their X-Cart software, and users are strongly encouraged to upgrade as soon as
possible or delete the cmpi.php script that resides within the payments directory.

Claroline Arbitrary File Inclusion
September 14, 2021
Claroline is a popular online Open Source e-Learning application used to allow
teachers or education organizations to create and administrate courses through
the web. Claroline is also used as the framework for other e-Learning applications
such as Dokeos. Unfortunately Claroline is vulnerable to a file inclusion issue
when register_globals is on, which may allow an attacker to read or execute
arbitrary files. Some frameworks that use Claroline (such as Dokeos) are also
vulnerable to the issues mentioned here. An updated version of Claroline has been
released and users should upgrade immediately and disable register_globals if possible.

CubeCart Multiple Vulnerabilities
August 28, 2021
CubeCart is a very popular web application written in php that
allows for an individual to open up a fully functioning online
ecommerce service. Unfortunately CubeCart is vulnerable to Cross
Site Scripting attacks, SQL Injection attacks, and possible remote
code execution due to an attacker being able to include arbitrary
php code. An updated version of CubeCart has been released and all
users are encouraged to upgrade as soon as possible.

osCommerce Multiple Vulnerabilities
August 17, 2021
osCommerce is one of the most popular open source ecommerce web applications
ever written. osCommerce allows webmasters to open a fully functioning online
marketplace with little effort. Unfortunately there have been several new
vulnerabilities discovered in the latest versions of osCommerce. These issues
may allow for an attacker to gather arbitrary information from the database
such as credit card information, user login information, or personal information.
There are also issues with some of osCommerce's file handling functionality
that may allow an attacker to gain access to sensitive data. The osCommerce
team have released updates to address these vulnerabilities and all users are
encouraged to upgrade their osCommerce installations as soon as possible.

Zen Cart Multiple Vulnerabilities
August 15, 2021
Zen Cart is a descendant of the popular osCommerce project, and like
osCommerce Zen Cart is one of the most popular open source ecommerce
systems in the world. Unfortunately Zen Cart is vulnerable to quite
a number of different attacks, and in some circumstances may allow an
attacker to execute arbitrary code on the underlying web server with
the rights of the httpd process. In addition to remote code execution
several different SQL Injection attacks may be possible. The Zen Cart
developers have committed fixes for these issues to CVS and an updated
version of Zen Cart will be released soon to address the issues. All
users should upgrade their Zen Cart installation as soon as possible.