Blog
Sonar's latest blog posts
What Code Issues Caused the CrowdStrike Outage?
This blog post takes a look at the potential code issues behind the recent global CrowdStrike outage.
WordPress Privilege Escalation through Post Types
A logic flaw in the way WordPress created blog posts allowed attackers to access features only administrators were supposed to have (CVE-2018-20152). This lead to a Stored XSS and Object Injection in the WordPress core and more severe vulnerabilities in WordPress’s most popular plugins Contact Form 7 and Jetpack.
Read Blog post >
phpBB 3.2.3: Phar Deserialization to RCE
A new PHP exploit technique affects the most famous forum software phpBB3. The vulnerability allows attackers who gain access to an administrator account to execute arbitrary PHP code and to take over the entire board (CVE-2018-19274).
Read Blog post >
WordPress Design Flaw Leads to WooCommerce RCE
WordPress Design Flaw Leads to WooCommerce RCEA flaw in the way WordPress handles privileges can lead to a privilege escalation in plugins. This affects for example the popular WooCommerce.
Read Blog post >
PHP Object Injection
A very common and critical vulnerability in PHP applications is PHP Object Injection. This blog post explains how they work and how they can lead to a full site takeover by remote attackers.
Read Blog post >
Fully Automated Promotion Pipelines with SonarQube and Artifactory
Catch builds constructed from poor quality code before they make it to production. Discover how to integrate Artifactory and SonarQube.
Read Blog post >
My Journey Interviewing with SonarSource...
What's it like to interview with SonarSource? Read on and find out!
Read Blog post >
What is Phar Deserialization
Last week a new exploitation technique for PHP applications was announced at the BlackHat USA conference. Find out everything you need to know in this blog post.
Read Blog post >
Protect your code against injection vulnerabilities with SonarCloud!
Injection security vulnerabilities (OWASP-A1) can run scared, as latest SonarCloud updates now provide advanced security checks to continuously detect them.
Read Blog post >
WordPress File Delete to Code Execution
In this blog post we introduce an authenticated arbitrary file deletion vulnerability (CVE-2018-20714) in the WordPress core that can lead to attackers executing arbitrary code.
Read Blog post >
Evil Teacher: Code Injection in Moodle
In this post we will examine the technical intrinsics of a critical vulnerability in the previous Moodle release (CVE-2018-1133).
Read Blog post >
Import issues of your favorite linters in SonarCloud!
Over the past 2 weeks, the following new features were deployed on SonarCloud: import of issues from external linters with built-in support for TypeScript projects, support for the Go language, graceful handling of username change, first version of the GitHub Application, new rules for Python, Java and Swift
Read Blog post >