London DevOps #98.1 - Concrete Evidence: Two Races, One RCE - Adrian Tiron скачать в хорошем качестве

London DevOps #98.1 - Concrete Evidence: Two Races, One RCE - Adrian Tiron

Concrete CMS, a popular open-source content management system, contains a critical flaw in its file upload functionality that can be exploited in two distinct ways. This talk demonstrates how a single upload can lead to a Server-Side Request Forgery (SSRF), allowing access to internal cloud resources, and a double race condition that enables Remote Code Execution (RCE) via a malicious backdoor. We’ll walk through the exploitation process, show how existing protections can be bypassed, and highlight practical steps to secure file upload mechanisms in real-world applications. Adrian is the Co-Founder and Principal Pentester/Red Teamer at Fortbridge, bringing over 20 years of hands-on experience in cybersecurity. Adrian is known for delivering highly technical, practical content drawn from real-world assessments, and is passionate about pushing the boundaries of modern application security. Thanks to our hosts AutogenAI, and our sponsors Adaptavist, Prism Digital and Tyme Technologies.