August 2021 Summaries
5 posts from Sonar
Filter
Month:
Year:
Post Summaries
Back to Blog
The Ghost Content Management System has a significant security vulnerability that allows attackers to gain control of admin accounts, including taking over the entire site. This is due to a DOM-based Cross-Site Scripting (XSS) issue in the theme preview feature, which was introduced in version 4.0.0 and fixed in version 4.3.3. The vulnerability can be exploited by visiting a malicious link while logged in, allowing attackers to create new admin accounts without the victim's notice. To avoid such issues during development, it is recommended to validate the origin of cross-origin message events and reject any messages that come from unknown origins. A patch was released by the vendor in version 4.3.3, and users are advised to update to this version or later to ensure their Ghost instance is secure.
Aug 31, 2021
1,307 words in the original blog post.
The build wrapper tool at SonarSource automates the extraction of configuration information needed for analyzing C or C++ code, which is often not present in the source code itself but rather in external files and non-explicit forms such as environment variables. The tool eavesdrops on the build process to detect compiler arguments and record them, but it has shortcomings including issues with statically linked processes, sandboxed environments, and daemons communicating with a running daemon. In contrast, a compilation database is a de facto standard that describes the result of executing a build, providing low-level information about what needs to be done in the end, such as which file needs to be compiled with what option. Both tools have their pros and cons, and the choice between them depends on specific project requirements and circumstances.
Aug 24, 2021
1,915 words in the original blog post.
Security vulnerabilities were discovered in the elFinder web file manager, a popular component used in Content Management Systems (CMS) and frameworks. The vulnerabilities allow attackers to delete arbitrary files, move arbitrary files, upload PHP files, exploit argument injection, and trigger a race condition, potentially leading to arbitrary code execution on the server. The vulnerabilities were identified through a responsible disclosure process with the elFinder maintainers and have been fixed in version 2.1.59. It is recommended that users upgrade to this version immediately and enforce strong access control on the connector.
Aug 17, 2021
2,949 words in the original blog post.
The SonarSource-provided functionality in SonarQube is now bundled, meaning that any plugins used come from third parties unless written by SonarSource. While most plugin maintainers are good folks providing valuable services, there are risks associated with using plugins, including potential security vulnerabilities and instability. The Marketplace plugins undergo basic testing for functionality, acceptable behavior, and user experience, but not source code or binaries. For commercial editions, installing non-SonarSource plugins requires manual download and installation, as SonarSource cannot endorse or support them. Non-Marketplace plugins are more risky, especially those with unusual installation steps, which can increase the risk to delivery pipelines. It's recommended to run an audit and ensure that each plugin is still needed.
Aug 10, 2021
1,145 words in the original blog post.
SonarLint, a free and open-source IDE extension, now includes advanced rules to protect AWS authentication credentials and Amazon Marketplace Web Service (MWS) credentials from leaking publicly. This feature helps developers identify and prevent leaks of sensitive information before it's committed to a repository, thereby safeguarding their code security. By detecting issues at the point of introduction, SonarLint acts as a first line of defense to catch potential public leaks of credentials, providing clear in-context guidance to address them. The new feature is currently available for various IDEs, including Visual Studio, VS Code, Eclipse, IntelliJ IDEA, and more, allowing developers to secure their code base with just a few clicks.
Aug 03, 2021
1,052 words in the original blog post.