security

As part of my research into Gadget Chains and PHP Object Injection, I discovered an unsafe deserialisation vulnerability in the openmass project.

The maintainers responded quickly to the report, and put a fix in place the same day:

https://github.com/massgov/openmass/commit/1966c48ecee26e1c10479af00aa0f...

The vulnerability was never exposed on the public facing website.

As part of my research into Gadget Chains and PHP Object Injection, I discovered a File Write Gadget Chain in Joomla.

I submitted a PR for this to the excellent PHPGGC project - it will hopefully be Joomla/FW1:

https://github.com/ambionics/phpggc/pull/202 (not yet merged)

I reported this to the Joomla Security Team (before submitting the PR), and they responded quickly.

Unlike some projects I've reported Gadget Chains to, they were grateful for the report and put a fix in place fast:

As part of my research into Gadget Chains and PHP Object Injection, I discovered exploitable vulnerabilities in three different XOOPS modules.

The XOOPS team responded quickly to my report, and fixes were released not long after. They were very good to work with.

They published details here:

https://xoops.org/modules/newbb/viewtopic.php?topic_id=79555

The specific fixes were:

As part of my research into Gadget Chains and PHP Object Injection, I discovered an exploitable vulnerability in the MODX Login Extra project.

The MODX team responded immediately to my report and a fix was released within hours - very impressive!

They published details here:

https://community.modx.com/t/modx-login-extra-php-object-injection-vulne...

This was assessed as:

It's possible to use the metasploit console and meterpreter as a powerful Command and Control (C2) system using sessions and channels; here's how.

One-liner to start up a multi-handler in the metasploit console listening on a given port for incoming connections from a (staged) metasploit payload:

PHP's create_function() was:

DEPRECATED as of PHP 7.2.0, and REMOVED as of PHP 8.0.0

As the docs say, its use is highly discouraged.

PHP 7 is no longer supported by the upstream developers, but it'll still be around for a while longer (because, for example, popular linux distributions provide support for years beyond the upstream End of Life).

A few years ago I found quite an interesting vulnerability in a contributed Drupal module called tablefield.

The module allows Drupal entities to hold tabular data, and the vulnerability was a combination of Insecure Deserialisation and a type of Insecure Direct Object Reference (IDOR).

The fix was released over 4 years ago so sufficient time has passed for me to share some more details.

The module has a hook_menu page callback (Drupal 7's equivalent of a route) that looks like this:

A couple of years ago I was asked to take a look at a Drupal 7 site that was performing poorly where a colleague had spotted a strange function call in an Application Performance Management (APM) system.

The APM traces we were looking at included a __lamda_func under which was a class called Ratel. Under those were some apparent external calls to some dodgy looking domains.

One of my very excellent colleagues had done some digging and found some more details about the domains which confirmed their apparent dodginess.

My colleagues and I in the Drupal Security Team recently became aware of a Zero Day RCE vulnerability in Ghostscript. This was later assigned CVE-2021-3781.

At least one viable Proof of Concept (PoC) was made public not long after the Zero Day which illustrated Scalable Vector Graphics (SVG) handling in Imagemagick being used as an attack vector.

This was originally posted on the dev.acquia.com blog.

Easy-to-guess passwords are all too often the means by which intruders gain unauthorised access. It's useful to be able to audit the passwords in use on your site - especially for user accounts with administrative privileges.