PHP is an open source, general-purpose scripting language used for web development that can also be embedded into HTML. It has over 9 million users and powers many popular applications, such as WordPress, Drupal and Joomla!. This week, a high-severity security update was released to fix a remote code execution vulnerability (CVE-2016-10033) in PHPMailer, an open source PHP library for sending email from PHP websites. This critical vulnerability is caused by class.phpmailer.php failing to sanitize the sender address before passing it to PHP's mail() as a sendmail command-line parameter. As a result, remote...
by Zhouyuan Yang  |  Jan 05, 2017  |  Filed in: Security Research
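The failure mode the PHPMailer teaser above describes, shown as an added example rather than PHPMailer's own code: a sender address that is valid RFC 5322 syntax (PHPMailer's address check accepted quoted local parts containing spaces) is formatted straight into the fifth argument of PHP's mail(), which applies escapeshellcmd() to it and then runs sendmail through the shell. The function names, the sendmail path, the file paths and the sample address are all assumptions constructed for the illustration; the hardened builder shows the check a caller should apply before an address reaches the library, and it is stricter than RFC 5322 on purpose.

```php
<?php
// Added example, not PHPMailer's own code. It reproduces the step the advisory
// describes: a sender address that is valid e-mail syntax is formatted into
// mail()'s fifth argument, which PHP hands to the sendmail binary via the shell.
// The sendmail path, the file paths and the sample address are constructed.

// Vulnerable builder: the address goes into the parameter string unchanged.
function sendmailParamsVulnerable(string $sender): string
{
    return sprintf('-f%s', $sender);
}

// Hardened builder: accept only a plain local part and domain (deliberately
// stricter than RFC 5322, which allows quoted local parts with spaces and
// backslashes), then quote the value for the shell as well.
function sendmailParamsHardened(string $sender): string
{
    $plain = '/^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/';
    if (!preg_match($plain, $sender) || filter_var($sender, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException("sender address rejected: $sender");
    }
    return sprintf('-f%s', escapeshellarg($sender));
}

// What PHP's mail() does with the extra parameters: escapeshellcmd() on the
// string, then "sendmail_path <params>" executed through /bin/sh.
function sendmailCommandLine(string $params, string $sendmailPath = '/usr/sbin/sendmail -t -i'): string
{
    return $sendmailPath . ' ' . escapeshellcmd($params);
}

// Constructed attacker-controlled sender: an RFC 5322 quoted local part whose
// content is a list of sendmail options. PHPMailer's syntax check accepted it.
$evil = '"attacker\" -oQ/tmp/ -X/var/www/html/cache/shell.php some"@example.com';

echo sendmailCommandLine(sendmailParamsVulnerable($evil)), PHP_EOL;
// /usr/sbin/sendmail -t -i -f"attacker\\" -oQ/tmp/ -X/var/www/html/cache/shell.php some\"@example.com
//
// escapeshellcmd() keeps the first pair of double quotes and escapes only the
// unpaired third one, so the shell splits the tail into four words:
//   -fattacker\   -oQ/tmp/   -X/var/www/html/cache/shell.php   some"@example.com
// sendmail now takes -oQ (queue directory) and -X (transcript log file) from
// the attacker and writes the transaction, message body included, under the
// web root.

try {
    sendmailParamsVulnerable($evil); // accepted without complaint
    sendmailParamsHardened($evil);   // throws: quotes, spaces and backslash fail the whitelist
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}

echo sendmailCommandLine(sendmailParamsHardened('alice@example.com')), PHP_EOL;
// /usr/sbin/sendmail -t -i -f'alice@example.com'
```

Run it with `php` on the command line; nothing is actually sent, the script only prints the command line sendmail would receive. The lasting fix is to update PHPMailer, but rejecting anything other than a plain local part before the address reaches the library is a defence the application itself controls, and it would have stopped this payload regardless of the library version.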
Joomla, a popular free and open-source content management system, has just released version 3.6.4, which fixes two critical vulnerabilities. [CVE-2016-8870] - Core - Account Creation: an attacker can exploit this vulnerability to create an account on a Joomla site regardless of whether registration has been disabled. [CVE-2016-8869] - Core - Elevated Privileges: combined with the vulnerability above, an attacker can not only register an account on a vulnerable site but also register it with the highest privilege level, Administrator. CVE-2016-8870...
by Tien Phan  |  Oct 27, 2016  |  Filed in: Security Research
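A registration handler that enforces the two properties the Joomla teaser above says were violated, as an added example that is not Joomla's code: the server-side setting alone decides whether registration is open, and the new account's group comes from configuration, never from the request body. The configuration keys, the request, and the function are hypothetical names constructed for the illustration; the group ids follow Joomla's defaults (2 is Registered, 8 is Super Users).

```php
<?php
// Added example, not Joomla's code: a self-registration handler that upholds
// the two checks whose absence the advisory describes. Configuration keys,
// the request array and the function name are constructed for illustration.

const REGISTRATION_DISABLED = 0;
const REGISTRATION_ENABLED  = 1;

/**
 * @param array $config  site configuration (stand-in for the com_users options)
 * @param array $request the raw POST body, entirely attacker-controlled
 * @return array the account record the application would persist
 */
function registerAccount(array $config, array $request): array
{
    // Check 1: the server-side setting decides, not the presence of a form or
    // the route the client happened to post to.
    if ((int) ($config['allowUserRegistration'] ?? REGISTRATION_DISABLED) !== REGISTRATION_ENABLED) {
        throw new RuntimeException('registration is disabled');
    }

    // Check 2: copy only the fields a self-registering user may set.
    $allowed = ['name', 'username', 'email', 'password'];
    $account = [];
    foreach ($allowed as $field) {
        if (!isset($request[$field]) || !is_string($request[$field]) || $request[$field] === '') {
            throw new InvalidArgumentException("missing field: $field");
        }
        $account[$field] = $request[$field];
    }
    if (filter_var($account['email'], FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('invalid e-mail address');
    }

    // Group membership comes from configuration, never from the request; any
    // 'groups' key the client sent is simply never read.
    $account['groups']   = [(int) $config['new_usertype']];
    $account['password'] = password_hash($account['password'], PASSWORD_DEFAULT);
    return $account;
}

// Constructed request: an ordinary registration plus an injected group list
// naming the Super Users group (id 8 in a default Joomla install).
$request = [
    'name'     => 'Mallory',
    'username' => 'mallory',
    'email'    => 'mallory@example.com',
    'password' => 'correct horse battery staple',
    'groups'   => [8],
];

// Site with registration switched off: the request is refused outright.
try {
    registerAccount(['allowUserRegistration' => REGISTRATION_DISABLED, 'new_usertype' => 2], $request);
} catch (RuntimeException $e) {
    echo 'disabled site: ', $e->getMessage(), PHP_EOL;
}

// Site with registration on: the account is created in the configured
// Registered group (2); the injected 8 is ignored.
$account = registerAccount(['allowUserRegistration' => REGISTRATION_ENABLED, 'new_usertype' => 2], $request);
echo 'enabled site: groups = ', implode(',', $account['groups']), PHP_EOL; // groups = 2
```

The whitelist copy is the part worth carrying over to any framework: an account record built from a fixed list of user-settable fields cannot be given a privileged group by adding a parameter to the POST body, however the request reaches the model.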
Cross-site scripting (XSS) vulnerabilities have become fairly commonplace in web applications and crop up frequently in content management systems like WordPress and Joomla!. While WordPress is the most popular CMS on the Web, and therefore a popular and potentially lucrative target for attackers, it is not the only one. Joomla! is the second most popular CMS on the market, running just under 3% of all websites. FortiGuard recently discovered a persistent XSS vulnerability in Joomla!'s top e-commerce extension, VirtueMart, that could allow...
by Alex Harvey  |  May 06, 2015  |  Filed in: Industry Trends & News
Popular CMS software Joomla released a critical patch advisory earlier this month addressing a flaw that allows an attacker to inject malicious code into a Joomla-powered site. Once compromised, the site would likely be used as a drive-by-download location, potentially infecting both legitimate visitors and people lured there by phishing emails. The flaw affects Joomla 3.1.4 and earlier 3.x releases, as well as Joomla 2.5.13 and earlier 2.5.x releases. What's especially notable about...
by Richard Henderson  |  Aug 12, 2013  |  Filed in: Industry Trends & News