InfoWatch and Vulners cooperation: search for vulnerabilities in popular CMS

You can now search Vulners for potential vulnerabilities in popular CMSs and their plugins. The application source code is checked by the InfoWatch APPERCUT static source code analyzer.

It is generally known that the most exploited vulnerabilities are not in the CMS engines themselves, but in the thousands of third-party plugins. Developers rarely fix these vulnerabilities quickly, and often don’t fix them at all. You can find examples of such vulnerabilities and exploits with the “wordpress plugin bulletinFamily:exploit” search query.

Appercut is well suited for CMS analysis. Appercut® Custom Code Scanner supports a wide range of programming languages: 1C 8x, Delphi, Java, JavaScript, LotusScript, PHP, C#, PLSQL, SAP Abap4, T-SQL. One of the main Appercut features is its focus on detecting undocumented developer features (backdoors), which is especially important for open source software.

APPERCUT bulletin

An Appercut bulletin contains all the information about the vulnerabilities found, including the vulnerability description, its criticality and the piece of code where the vulnerability was detected. The vulnerable version of the application is also indicated, e.g. “WordPress CMS <= 4.5.2”.
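The affected-version string in a bulletin is only useful if it is compared to the installed version correctly. The following is an added example, not code from the post, Vulners or Appercut: it parses constraint strings of the form shown above (“Product <= 4.5.2”) and evaluates them against an inventory of installed versions numerically, component by component, so that “4.10” is correctly treated as newer than “4.5.2” (a plain string comparison would get this wrong). The bulletin strings other than the WordPress one, the inventory and the function names are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample bulletins in the shape the post describes: a product name
# followed by a version constraint. Only the WordPress line comes from the post;
# the others are illustrative placeholders, not real Appercut bulletins.
SAMPLE_BULLETINS = [
    "WordPress CMS <= 4.5.2",
    "Example Plugin < 2.0",
    "Another Plugin >= 1.2.0",
]

# product name, a comparison operator, then a version that starts with a digit
_CONSTRAINT_RE = re.compile(
    r"^(?P<product>.+?)\s*(?P<op><=|>=|<|>|==|=)\s*(?P<version>[0-9][0-9A-Za-z.\-]*)\s*$"
)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '4.5.2' into (4, 5, 2). A pre-release suffix after '-' is ignored,
    so '4.5.2-beta' compares as 4.5.2 (good enough for an 'is this affected' check)."""
    core = version.split("-", 1)[0]
    parts = tuple(int(p) for p in core.split(".") if p.isdigit())
    if not parts:
        raise ValueError(f"no numeric version components in {version!r}")
    return parts


def parse_constraint(bulletin: str) -> Tuple[str, str, str]:
    """Split 'WordPress CMS <= 4.5.2' into ('WordPress CMS', '<=', '4.5.2')."""
    m = _CONSTRAINT_RE.match(bulletin)
    if m is None:
        raise ValueError(f"unrecognised constraint: {bulletin!r}")
    return m.group("product").strip(), m.group("op"), m.group("version")


def version_matches(installed: str, op: str, bound: str) -> bool:
    """Numeric comparison of two dotted versions, zero-padded to equal length
    so that '4.5' and '4.5.0' are considered equal."""
    a, b = parse_version(installed), parse_version(bound)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return {
        "<=": a <= b,
        "<": a < b,
        ">=": a >= b,
        ">": a > b,
        "==": a == b,
        "=": a == b,
    }[op]


def affected_bulletins(installed: Dict[str, str], bulletins: List[str]) -> List[str]:
    """Return the bulletins whose product is in the inventory and whose
    version constraint is satisfied by the installed version."""
    hits = []
    for bulletin in bulletins:
        product, op, bound = parse_constraint(bulletin)
        version = installed.get(product)
        if version is not None and version_matches(version, op, bound):
            hits.append(bulletin)
    return hits


if __name__ == "__main__":
    # Constructed inventory of what is installed on a hypothetical site.
    inventory = {"WordPress CMS": "4.5.2", "Example Plugin": "2.1", "Another Plugin": "1.2.0"}
    for hit in affected_bulletins(inventory, SAMPLE_BULLETINS):
        print("affected:", hit)
```

Note that the match is on the exact product name as printed in the bulletin; in a real inventory you would normalise names (case, whitespace, vendor prefixes) before the lookup.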

At the moment, 9 bulletins have been added for WordPress, Drupal, Joomla, Regular Labs, Apache Apex and Apache Camel.

Appercut bulletins list

In the future we plan to scan all the popular plugins for all popular CMSs. End users will then be able to get information about potential vulnerabilities in a CMS or plugin before the vulnerability receives any identifier. We believe that together with Appercut we can make popular CMSs much safer!

The Only Invulnerable in CityF

Our project team took part in the CityF: The Standoff competition at the PHDays VI Information Security Conference.

PHDays key theme is ‘The Standoff’. This year we are replacing the usual CTF format and are instead bringing you a fully-fledged battle. We are using a realistic scenario in a specially designed setting that mimics a typical urban infrastructure. This time, the hackers will bring out the big guns in order to take down the city (CityF), while city defenders — security experts and the SOC — will be trying to counter their attacks.

Our Vulners city defenders team results in the PHDays VI CTF competition:

  • WTF for hacking hackers team
  • excellence at banking for defending our CTF home
  • zen sensei for keeping calm
  • The Invulnerable – no comments
  • Last man standing

PHDays VI CTF results

PHDays VI CTF Awards Ceremony

Ivan is a representative of a defending team. They got so bored with the whole situation, with nothing happening around them, that they decided to hack into the hackers’ computer. And he came to the stage without any mask on his face. And all the hackers were looking at him. Who is this guy? So, Ivan, the glory is yours.

Hi everyone. Yeah, we got bored, and while we were bored we scanned a /16 subnet. We found some neighboring defending teams, some banks. And starting from 10 and higher we found out that there were some user machines. And some of them had a lot of open ports and HTTP servers as well. And one of these HTTP services had file upload functionality. It was an Apache server with PHP on. And then we just uploaded a web shell, with which we just had a lot of fun.

And by the way, it’s not prohibited by the rules. The rules don’t say a single word that defenders can’t break the hackers. Ivan, just tell me please, what about the computers of those guys, are they operational, can they do something on them?

Being a good defense team and not those evil hackers, we of course left their computers intact and operational, but we would like to warn all of you: well, it’s a hackers’ conference, so if you do something Internet based, keep your ports closed and your web services closed as well. Just basic security precautions. Well, if you hack somebody, it doesn’t mean that somebody cannot hack you.

Advertising. We are Vulners Team and we represent Vulners Vulnerability Database.

So, they can break and they can fix!