FrontAccounting 2.4.19 — Four Zero Days — PHP, MariaDB — Apr 2026
CVE
FrontAccounting RCE: When htmlspecialchars Meets Path Traversal (Part 1 of 4)
Path traversal in the attachment upload handler — $_POST['unique_name'] is used directly as the destination filename, and $_FILES content bypasses the global html_cleanup() sanitizer entirely. Five HTTP requests from a standard accounting role to a webshell as www-data.
CVE-2026-40521 Apr 2026
CVE
SQL Injection in FrontAccounting's Reporting Engine: Your Credentials, Rendered as a PDF (Part 2 of 4)
UNION-based SQLi in rep601.php — an integer parameter dropped into a four-column WHERE clause turns the bank statement PDF into a credentials dump. htmlspecialchars() doesn't touch numbers or SQL keywords, and the passwords are stored as unsalted MD5.
CVE-2026-40522 Apr 2026
CVE
SLEEP(2) × 35 Rows: Time-Based Blind SQLi with Amplification in FrontAccounting (Part 3 of 4)
Time-based blind SQLi in rep710.php: SLEEP(2) evaluated per-row across the audit-trail JOIN amplifies a 2-second sleep into a 70-second database lock from a single request. A 780x amplification factor that doubles as a single-request DoS vector.
CVE-2026-40523 Apr 2026
CVE
Closing the Parenthesis: Boolean SQLi via IN() Clause Injection in FrontAccounting (Part 4 of 4)
Boolean-based SQLi in gl_db_trans.inc — breaking out of an IN() clause produces a 132x response-size oracle (2KB vs 340KB) for blind extraction. SLEEP() doesn't work here because the query has a GROUP BY — technique selection follows query structure.
CVE-2026-40524 Apr 2026
Microcorruption Embedded CTF — NCC Group — MSP430 Assembly
CTF
Microcorruption: Jakarta
Integer underflow in password length calculation enables 511-byte read; byte-truncation bypasses combined length check to control PC.
LOCKIT PRO r b.06 Jun 2018
CTF
Microcorruption: Montevideo
Stack buffer overflow exploited with null-byte-free MSP430 shellcode that patches the interrupt unlock code in-memory before calling it.
LOCKIT PRO r c.03 Jun 2018
CTF
Microcorruption: Novosibirsk
Format string vulnerability via printf() %n used to overwrite interrupt code from 0x7e to 0x7f in conditional_unlock_door().
LOCKIT PRO r c.02 Feb 2018
CTF
Microcorruption: Whitehorse
Stack buffer overflow with MSP430 shellcode injection — unlock_door() payload written to stack and executed via return address overwrite.
LOCKIT PRO r c.01 Sep 2017
CTF
Microcorruption: Santa Cruz
Two-buffer overflow chain satisfying multiple length constraints; strcpy() null terminator weaponized to satisfy a null-byte requirement while overwriting the return address.
LOCKIT PRO r b.05 Sep 2017
CTF
Microcorruption: Johannesburg
Hardcoded stack canary (0xec) preserved in payload while overwriting return address to redirect execution to unlock_door().
LOCKIT PRO r b.04 Sep 2017
CTF
Microcorruption: Addis Ababa
Format string vulnerability via printf() %n used to write a non-zero value to the stack address controlling the unlock_door() conditional.
LOCKIT PRO r b.03 Sep 2017
CTF
Microcorruption: Cusco
Stack buffer overflow overwrites return address; execution redirected to call #0x4446 <unlock_door> inside login().
LOCKIT PRO r b.02 Aug 2017
CTF
Microcorruption: Hanoi
One-byte off-by-one overflow places 0xc7 into the adjacent memory byte that login() compares as its unlock sentinel value.
LOCKIT PRO r b.01 Aug 2017
CTF
Microcorruption: Reykjavik
Runtime XOR decryption of obfuscated code region analyzed; static password comparison found in decrypted instructions despite "military-grade encryption" claim.
LOCKIT PRO r a.03 Aug 2017
CTF
Microcorruption: Sydney
Four hardcoded byte-pair comparisons in check_password() bypassed by reading little-endian values directly from the disassembly.
LOCKIT PRO r a.02 Aug 2017
CTF
Microcorruption: New Orleans
Password written to memory at runtime by create_password() — extracted directly via memory inspection before comparison loop executes.
LOCKIT PRO r a.01 Aug 2017

Research Interests

Current areas of active research and vulnerability investigation.

Hardware

Embedded systems, IoT devices, firmware security, and hardware interface enumeration.

Protocols

Deep protocol analysis across network, wireless, and proprietary communication stacks.

Web & API

Modern web application vulnerabilities, logic flaws, and API security research.

Exploitation

Vulnerability exploitation techniques, exploit development, and proof-of-concept creation.

Policy

Responsible Disclosure

All vulnerabilities discovered during independent research are disclosed responsibly, coordinating with affected vendors prior to public release. If you are a vendor and have received a disclosure report from Jiva Security, please use the contact details provided in the report for coordination.