AppCheck Security Blog

Many applications and systems have adopted Unicode as a method of encoding and storing string data. This blog post looks at some of the security flaws that can arise due to Unicode Normalization in modern web applications.

Our security team discovered a Remote Code Execution (RCE) vulnerability in the GPS vehicle tracking system Traccar (version <= 4.0). This allows an attacker to compromise the server’s host via a self-registered user account.

AppCheck discovered a security flaw within the auth0.js JavaScript library that could be exploited by a malicious website to read sensitive access tokens cross-domain.

On the 25th of December 2016, a security researcher disclosed a critical security flaw within a popular PHP library used to send emails. The PHPMailer library is used by more than 9 million websites worldwide and is bundled with popular open source PHP content management systems such as WordPress. At worst the flaw could be exploited to execute arbitrary PHP code on the affected system. This would allow the remote attacker to take complete control of the application and launch further attacks against the system and internal network. PHPMailer versions below 5.2.20 are affected along with a number of other libraries that include the vulnerable code; such as SwiftMail and the Zend Framework.

On the 9th October researchers at AppCheck NG discovered a critical Remote Command Execution (RCE) in the popular WordPress plugin Form Manager which allows an attacker with an unprivileged account (including a self-registered account) to execute arbitrary commands on the host. The vulnerability was reported and fixed on the 12th October.