BookStack struck by RCE security bug



John Leyden

16 March 2020 at 15:20 UTC

Updated: 16 March 2020 at 15:41 UTC

App needs re-binding to guard against PHP-related security flaw

A recently patched critical vulnerability in BookStack made it possible to push malware onto vulnerable systems simply by accessing the image upload feature.

Exploit scenarios for the remote code execution vulnerability (CVE-2020-5256) in BookStack – an application for building self-hosted wikis – center on deployments where an untrusted user has permission to upload images into the application.

“A user could upload PHP files through image upload functions, which would allow them to execute code on the host system remotely,” an advisory posted on GitHub explains.

“They would then have the permissions of the PHP process.”

The vulnerability is resolved in BookStack version 0.25.5.

Alternatively, developers should prevent the direct execution of any PHP files by applying restrictive web server configuration settings.
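As an added example (not BookStack's own code), the kind of content-based validation an image upload handler in PHP can apply so that a file is accepted only if it really is an image, and is never stored under a client-chosen name; `$tmpPath` is assumed to be the temporary file PHP created for the upload (`$_FILES[...]['tmp_name']`):

```php
<?php
// Added illustration, not BookStack's code: defence-in-depth checks for an image
// upload handler. The client-supplied filename and Content-Type are not trusted.

const ALLOWED_IMAGE_TYPES = [
    'image/png'  => 'png',
    'image/jpeg' => 'jpg',
    'image/gif'  => 'gif',
    'image/webp' => 'webp',
];

// Returns the extension the server will store the file under, or null to reject.
// $originalName is the client-supplied name and is used only for logging.
function validateImageUpload(string $tmpPath, string $originalName): ?string
{
    // 1. Detect the MIME type from the file content, not from the request.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($tmpPath);
    if ($mime === false || !isset(ALLOWED_IMAGE_TYPES[$mime])) {
        error_log("upload rejected (mime=" . var_export($mime, true) . "): $originalName");
        return null;
    }

    // 2. Require the file to parse as an image; a script renamed to .png fails here.
    if (@getimagesize($tmpPath) === false) {
        error_log("upload rejected (not a decodable image): $originalName");
        return null;
    }

    // 3. Reject PHP open tags anywhere in the body, since a valid image header
    //    alone does not prove the rest of the file is harmless.
    $body = file_get_contents($tmpPath);
    if ($body === false || stripos($body, '<?php') !== false || strpos($body, '<?=') !== false) {
        error_log("upload rejected (php tag in body): $originalName");
        return null;
    }

    // 4. The server chooses the extension from the detected type.
    return ALLOWED_IMAGE_TYPES[$mime];
}

// Stores an accepted upload under a random name so the original name cannot
// smuggle a ".php" suffix; returns the stored path or null on rejection.
function storeImageUpload(string $tmpPath, string $originalName, string $uploadDir): ?string
{
    $ext = validateImageUpload($tmpPath, $originalName);
    if ($ext === null) {
        return null;
    }
    $dest = rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    return move_uploaded_file($tmpPath, $dest) ? $dest : null;
}
```

These checks complement, rather than replace, the web server configuration the advisory recommends: the upload directory should also be served with PHP execution disabled, so that even a file that slips through validation is returned as static content instead of being run.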
