Vulnerability disclosures, CVE discoveries, technical write-ups, and security tooling published by Jiva. Research credibility is central to the Jiva Security brand.
$_POST['unique_name'] is used directly as the destination filename, and $_FILES content bypasses the global html_cleanup() sanitizer entirely. Five HTTP requests from a standard accounting role to a webshell as www-data.

rep601.php — an integer parameter dropped into a four-column WHERE clause turns the bank statement PDF into a credentials dump. htmlspecialchars() doesn't touch numbers or SQL keywords, and the passwords are stored as unsalted MD5.

rep710.php — SLEEP(2) evaluated per-row across the audit-trail JOIN amplifies a 2-second sleep into a 70-second database lock from a single request. A 780x amplification factor that doubles as a single-request DoS vector.

gl_db_trans.inc — breaking out of an IN() clause produces a 132x response-size oracle (2KB vs 340KB) for blind extraction. SLEEP() doesn't work here because the query has a GROUP BY — technique selection follows query structure.

mailpath configuration field flows unsanitized into CodeIgniter 4's popen() sendmail call. One form field writes a shell command; the next receipt email executes it as www-data on the underlying server.

sanitizeSortColumn() to whitelist its ORDER BY column. Except Taxes. A boolean-blind SQL injection through the GET sort parameter extracts the admin bcrypt hash, chaining into the mailpath RCE for full server compromise from any employee with taxes-module access.

printf() — %n used to overwrite interrupt code from 0x7e to 0x7f in conditional_unlock_door().

unlock_door() payload written to stack and executed via return address overwrite.

strcpy() null terminator weaponized to satisfy a null-byte requirement while overwriting the return address.

0xec) preserved in payload while overwriting return address to redirect execution to unlock_door().

printf() — %n used to write a non-zero value to the stack address controlling the unlock_door() conditional.

call #0x4446 <unlock_door> inside login().

0xc7 into the adjacent memory byte that login() compares as its unlock sentinel value.

check_password() bypassed by reading little-endian values directly from the disassembly.

create_password() — extracted directly via memory inspection before comparison loop executes.

Current areas of active research and vulnerability investigation.
Embedded systems, IoT devices, firmware security, and hardware interface enumeration.
Deep protocol analysis across network, wireless, and proprietary communication stacks.
Modern web application vulnerabilities, logic flaws, and API security research.
Vulnerability exploitation techniques, exploit development, and proof-of-concept creation.
All vulnerabilities discovered during independent research are disclosed responsibly, coordinating with affected vendors prior to public release. If you are a vendor and have received a disclosure report from Jiva Security, please use the contact details provided in the report for coordination.