AppCheck Security Blog
Featured post
Security Flaw Fixed in Popular Joomla Extension VirtueMart (CVE-2015-2193)
/ Posted March 03, 2015
On the 10th of February 2015 Appcheck reported several security flaws in the popular VirtueMart eCommerce extension for Joomla (Version 3.0.2). A fix has since been made available via http://virtuemart.net/ although no official announcement was released by the vendor.
read moreFilter by:
Security Flaw Fixed in Popular Joomla Extension VirtueMart (CVE-2015-2193)
Research Security Alerts / Posted March 03, 2015
On the 10th of February 2015 Appcheck reported several security flaws in the popular VirtueMart eCommerce extension for Joomla (Version 3.0.2). A fix has since been made available via http://virtuemart.net/ although no official announcement was released by the vendor.
Read moreAppCheck Updated to Detect CVE-2015-0235 (a.k.a. GHOST)
Product Security Alerts / Posted January 09, 2015
The “GHOST” vulnerability is a security flaw within a key component of the Linux Operating System. The affected component “gethostbyname” is found in the Linux GNU C Library that is used by all Linux programs. If an attacker can pass a specially crafted hostname to the affected function it may be possible to execute malicious code on the system.
Read moreSafeNet SAS OWA Agent Directory Traversal Vulnerability
Research Security Alerts / Posted November 28, 2014
On the 18th August, 2014, AppCheck reported a Directory Traversal Vulnerability in the SafeNet SAS Outlook Web Access Agent that, without requiring any user authentication, allows a remote attacker to gain access to any file located on the remote server’s local hard drives.
Read moreDrupal 7 SQL Injection – Use AppCheck NG to Discover if You Are Affected
Product Security Alerts / Posted October 31, 2014
Drupal is a popular open source content management system (CMS). The CMS platform is used by hundreds of thousands of organisations globally and has one of the largest user communities.
On 15th October 2014, a pre-authentication SQL injection vulnerability (CVE-2014-3704) was disclosed after a code audit of Drupal extensions. The vulnerability was found in the way Drupal handles prepared statements meaning a malicious user can inject arbitrary SQL queries and control the Drupal installation.
Read moreUnpatched Vulnerabilities in Magento E-Commerce Platform
Research Security Alerts / Posted October 21, 2014
On April 8th 2014, AppCheck reported several Cross Site Scripting Vulnerabilities in the Magento e-commerce platform via the eBay bug bounty program. eBay responded to inform us that the vulnerabilities had already been reported.
However, since more than 6 months have passed and no fix is yet available, This advisory is intended to inform Magento administrators of the vulnerability so that action can be taken to mitigate the flaw.
Read moreShell Shock Vulnerability – Use AppCheck NG to Discover if You Are Affected
Product Security Alerts / Posted September 25, 2014
On the 24th September 2014, a remote code execution vulnerability in bash (CVE-2014-6271) was made public after its discovery by Stephane Chazelas. The flaw, dubbed “Shell Shock” has been given the highest CVSS impact and exploitability rating of 10; and affects all versions of bash between 1.14.0 and 4.3, having existed in bash for 22 years. The flaw affects any operating system and application that utilises the bash shell, including Linux, MacOSX, and Cygwin environments on Windows.
Read more50,000 Websites Hacked Through Critical WordPress Vulnerability
News Security Alerts / Posted July 26, 2014
Over 50,000 websites have been compromised within the first three weeks following the disclosure of a critical vulnerability in the MailPoet plugin (formerly known as Wysija Newsletter) for WordPress.
Read moreTime for Better Web App Security as SQL & XSS Threats Surge
News Product / Posted July 16, 2014
A recent report revealed a 32% increase in cross-site scripting (XSS) and SQL injection attacks on the web-facing and cloud applications that carry sensitive information about organisations and their customers.
Read moreApache Struts Vulnerability – Use AppCheck NG to Discover if You Are Affected
Security Alerts / Posted July 16, 2014
Apache Struts 2 is an open-source web application framework for developing Java EE web applications. It uses and extends the Java Servlet API to encourage developers to adopt a model–view–controller (MVC) architecture.
On April 24th the Apache Struts project released an advisory for a remote code execution vulnerability affecting all versions of Struts between 2.0.0 and 2.3.16.1. Struts 2.3.16.2 (the latest release) is not vulnerable.
Read moreAppCheck NG Updated to Discover Critical OpenSSL Bug “Heartbleed”
Product Security Alerts / Posted June 12, 2014
On 7th April 2014 a group of security researchers disclosed a critical security flaw in the popular cryptographic software library OpenSSL.
The Heartbleed Bug allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet.
The AppCheck NG Web Application and Infrastructure vulnerability scanner has already been updated with a plugin to detect the flaw.