AppCheck Security Blog

WordPress 4.5.1 Cross-Site Scripting (CVE-2016-4566)

WordPress versions 4.5.1 and earlier are affected by a XSS vulnerability through Plupload,the third-party library WordPress uses for uploading files. WordPress versions 4.2 through 4.5.1 are vulnerable to reflected XSS using specially crafted URIs through MediaElement.js, the third-party library used for media players. MediaElement.js and Plupload have also released updates fixing these issues.

read more

WordPress 4.5.1 Cross-Site Scripting (CVE-2016-4566)

WordPress versions 4.5.1 and earlier are affected by a XSS vulnerability through Plupload,the third-party library WordPress uses for uploading files. WordPress versions 4.2 through 4.5.1 are vulnerable to reflected XSS using specially crafted URIs through MediaElement.js, the third-party library used for media players. MediaElement.js and Plupload have also released updates fixing these issues.

Read more

Critical Security Flaw in ImageMagick (imagetragick)

A vulnerability with a widely deployed image processing library was disclosed on the 5th of May 2016. Within an hour of the disclosure AppCheck NG was updated to detect the flaw.

A Practical View of the Most Common Threats Facing Web Apps Today
The Web Application Security seminar is a free event that presents a detailed analysis of the most common threats facing web applications today. We will review high profile examples and provide a technical breakdown of critical security flaws along with an introduction into emerging technologies such as HTML5.
Each candidate will receive a copy of the slides and exclusive tools and exploit code used in the live hacking demonstrations.

Read more

Remote Code Execution Flaw in Apache Struts 2.3.20-2.3.28

A vulnerability in Apache Struts 2.3.20-2.3.28* could allow an unauthenticated, remote attacker to execute arbitrary code on a target server.

Read more

Critical: Remote Command Execution in WordPress Form Manager Plugin (CVE-2015-7806)

On the 9th October researchers at AppCheck NG discovered a critical Remote Command Execution (RCE) in the popular WordPress plugin Form Manager which allows an attacker with an unprivileged account (including a self-registered account) to execute arbitrary commands on the host. The vulnerability was reported and fixed on the 12th October.

Read more

Detecting Delayed Execution Vulnerabilities

AppCheck Sentinel is an external monitoring system designed to detect Out-of-Band events such as DNS Lookups and HTTP requests. Its’ function in Web Application scanning is to aid the detection of vulnerabilities that cannot be identified through the use of conventional scanning techniques.

Read more

Adobe Fixes HTML5 PostMessage Security Flaw

AppCheck has identified a significant security flaw affecting a common JavaScript component provided as part of the Adobe Marketing Cloud. The flaw affected many high profile applications including several banking sites and well known .com organisations, and has now been fixed by the vendor.

Read more

Critical Security Flaw Patched in Magento Blog Extension (CVE-2015-3428)

The aheadWorks Blog extension for Magento prior to version 1.3.10 is vulnerable to a critical SQL Injection security flaw. A remote unauthenticated attacker could exploit this vulnerability to take complete control of the affected Magento server and database.

With almost 80,000 downloads at the time of writing, the affected component is the most popular blog component available via Magento Connect.

Read more

HTML 5 Security

In this video series we discuss the common security flaws encountered in HTML5 enabled websites. Our focus is around Cross-Origin communication through postMessage and CORS.

Read more

Critical Vulnerability in Magento Platform

Researchers have identified a serious vulnerability in Magento, the popular e-commerce platform owned by eBay. This critical flaw in the Magento eCommerce platform exposes online shops to serious risk by allowing malicious hackers to access credit card data or execute arbitrary PHP code on the web server. This vulnerability should be considered a high risk factor for businesses making use of the Magento platform, and should be addressed as a matter of priority.

Read more

Critical Microsoft Web Services (IIS) Flaw Patched (MS15-034)

Microsoft has released a patch for a critical remote code execution vulnerability in the Windows HTTP Stack for all supported editions of Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2.

Read more