June 2018 Summaries
3 posts from Sonar
Filter
Month:
Year:
Post Summaries
Back to Blog
The WordPress CMS is vulnerable to an arbitrary file deletion vulnerability that can lead to attackers executing arbitrary code, allowing them to delete and manipulate files on the server, potentially causing desastrous consequences if no current backup is available. The vulnerability was reported 7 months ago to the WordPress security team but remains unpatched, affecting approximately 30% of all websites using WordPress. An attacker would need to gain privileges to edit and delete media files to exploit this vulnerability, which can be used to escalate privileges and execute arbitrary code on the server. A temporary hotfix has been provided to prevent attacks until a permanent patch is released.
Jun 26, 2018
1,339 words in the original blog post.
The Moodle security vulnerability` refers to a critical issue discovered in the widely-used open-source e-Learning software, allowing attackers to execute arbitrary commands on the underlying operating system of a server running Moodle. The vulnerability is triggered by a math formula used in the Quiz component, which can be manipulated to bypass internal security mechanisms and inject malicious PHP code via the `eval()` function. The exploit takes advantage of the way Moodle validates formulas, specifically through the use of placeholder substitution and regular expression-based validation, allowing attackers to hide malicious characters from detection. Four patches were proposed by the Moodle team in response to the vulnerability, but each had its own limitations and bypasses, ultimately requiring further analysis and adaptation to fully secure the application. The vulnerability highlights the importance of automated security testing and collaboration between vendors and researchers to address critical issues in time.
Jun 12, 2018
1,699 words in the original blog post.
SonarCloud now supports analysis of TypeScript projects, allowing users to configure it to import TSLint and ESLint reports, tracking issues as first-class citizens. This feature is part of a broader effort to integrate external linters into SonarCloud. Additionally, SonarCloud has been updated with new features including support for Go programming language, a GitHub application that simplifies the configuration process, and improved handling of username changes on GitHub and Bitbucket Cloud. Furthermore, 146 new rules have been added for Python, 9 new rules for Java, and 13 new rules for Swift, expanding SonarCloud's rule set to improve code quality and detection capabilities.
Jun 04, 2018
677 words in the original blog post.