AppCheck Security Blog

Remote Code Execution Flaw in Apache Struts 2.3.20-2.3.28

A vulnerability in Apache Struts 2.3.20-2.3.28* could allow an unauthenticated, remote attacker to execute arbitrary code on a target server.

read more

Remote Code Execution Flaw in Apache Struts 2.3.20-2.3.28

A vulnerability in Apache Struts 2.3.20-2.3.28* could allow an unauthenticated, remote attacker to execute arbitrary code on a target server.

Read more

Critical: Remote Command Execution in WordPress Form Manager Plugin (CVE-2015-7806)

On the 9th October researchers at AppCheck NG discovered a critical Remote Command Execution (RCE) in the popular WordPress plugin Form Manager which allows an attacker with an unprivileged account (including a self-registered account) to execute arbitrary commands on the host. The vulnerability was reported and fixed on the 12th October.

Read more

Detecting Delayed Execution Vulnerabilities

AppCheck Sentinel is an external monitoring system designed to detect Out-of-Band events such as DNS Lookups and HTTP requests. Its’ function in Web Application scanning is to aid the detection of vulnerabilities that cannot be identified through the use of conventional scanning techniques.

Read more

Adobe Fixes HTML5 PostMessage Security Flaw

AppCheck has identified a significant security flaw affecting a common JavaScript component provided as part of the Adobe Marketing Cloud. The flaw affected many high profile applications including several banking sites and well known .com organisations, and has now been fixed by the vendor.

Read more

Critical Security Flaw Patched in Magento Blog Extension (CVE-2015-3428)

The aheadWorks Blog extension for Magento prior to version 1.3.10 is vulnerable to a critical SQL Injection security flaw. A remote unauthenticated attacker could exploit this vulnerability to take complete control of the affected Magento server and database.

With almost 80,000 downloads at the time of writing, the affected component is the most popular blog component available via Magento Connect.

Read more

HTML 5 Security

In this video series we discuss the common security flaws encountered in HTML5 enabled websites. Our focus is around Cross-Origin communication through postMessage and CORS.

Read more

Critical Vulnerability in Magento Platform

Researchers have identified a serious vulnerability in Magento, the popular e-commerce platform owned by eBay. This critical flaw in the Magento eCommerce platform exposes online shops to serious risk by allowing malicious hackers to access credit card data or execute arbitrary PHP code on the web server. This vulnerability should be considered a high risk factor for businesses making use of the Magento platform, and should be addressed as a matter of priority.

Read more

Critical Microsoft Web Services (IIS) Flaw Patched (MS15-034)

Microsoft has released a patch for a critical remote code execution vulnerability in the Windows HTTP Stack for all supported editions of Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2.

Read more

AppCheck NG Acknowledged by Microsoft, EBay, AT&T and Adobe

The Appcheck Web Application scanner is developed in conjunction with a team of around 20 experienced penetration testers and as such deploys the very latest techniques in vulnerability detection from the front lines. Included in those techniques is our ability to detect DOM Based Cross Site Scripting vulnerabilities using a combination of static and run-time analysis of JavaScript and Flash content. Unlike most SaaS vulnerability scanners, AppCheck NG deploys both lexical and browser based analysis of each assessed application component to ensure modern JavaScript heavy and Flash based applications are fully explored for vulnerabilities. This technology allows AppCheck to detect security flaws in components other scanners will fail to detect.

Read more

Security Flaw Fixed in Popular Joomla Extension VirtueMart (CVE-2015-2193)

On the 10th of February 2015 Appcheck reported several security flaws in the popular VirtueMart eCommerce extension for Joomla (Version 3.0.2). A fix has since been made available via http://virtuemart.net/ although no official announcement was released by the vendor.

Read more