Multiple vulnerabilities in SecurityOnion

Let this be a reminder of the joys in programming PHP


I have started to take a look at a number of security silver bullets.  The first on my list - SecurityOnion.

Fortunately, glossing over the source, the search didn't take longer than 3 minutes to find a few web vulnerabilities.   The poor programming practice was an inherent trust in the malicious browser to do no harm. 

I will leave the exercise of finding the RCE 0days to the reader.  There exist 3 web and 11 network traffic based vectors to enact arbitrary remote code execution.

Disclosure may be found @


Patches may be found @