Red Hat Security Advisory 2023-7662-03 - An update for windows-machine-config-operator-bundle-container and windows-machine-config-operator-container is now available for Red Hat OpenShift Container Platform 4.11. Issues addressed include a privilege escalation vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7662.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: Red Hat OpenShift for Windows Containers 6.0.3 security updateAdvisory ID:        RHSA-2023:7662-03Product:            Red Hat OpenShift EnterpriseAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:7662Issue date:         2023-12-06Revision:           03CVE Names:          CVE-2023-5528====================================================================Summary: An update for windows-machine-config-operator-bundle-container and windows-machine-config-operator-container is now available for Red Hat OpenShift Container Platform 4.11.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Red Hat OpenShift for Windows Containers allows you to deploy Windows container workloads running on Windows Server containers.Security Fix(es):* golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487) (CVE-2023-39325)* kubernetes: Insufficient input sanitization in in-tree storage plugin leads to privilege escalation on Windows nodes (CVE-2023-5528)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://docs.openshift.com/container-platform/latest/windows_containers/windows-node-upgrades.htmlCVEs:CVE-2023-5528References:https://access.redhat.com/security/updates/classification/#importanthttps://access.redhat.com/security/vulnerabilities/RHSB-2023-003https://bugzilla.redhat.com/show_bug.cgi?id=2243296https://bugzilla.redhat.com/show_bug.cgi?id=2247163https://issues.redhat.com/browse/WINC-1109

Red Hat Security Advisory 2023-7662-03

Red Hat Security Advisory 2023-7656-03 - An update for the postgresql:12 module is now available for Red Hat Enterprise Linux 8.8 Extended Update Support. Issues addressed include integer overflow and remote SQL injection vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7656.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: postgresql:12 security update  
Advisory ID:        RHSA-2023:7656-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2023:7656  
Issue date:         2023-12-05  
Revision:           03  
CVE Names:          CVE-2023-5868  
====================================================================

Summary: 

An update for the postgresql:12 module is now available for Red Hat Enterprise Linux 8.8 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

PostgreSQL is an advanced object-relational database management system (DBMS).

Security Fix(es):

* postgresql: Buffer overrun from integer overflow in array modification (CVE-2023-5869)

* postgresql: Memory disclosure in aggregate function calls (CVE-2023-5868)

* postgresql: extension script @substitutions@ within quoting allow SQL injection (CVE-2023-39417)

* postgresql: Role pg_signal_backend can signal certain superuser processes. (CVE-2023-5870)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-5868

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2228111  
https://bugzilla.redhat.com/show_bug.cgi?id=2247168  
https://bugzilla.redhat.com/show_bug.cgi?id=2247169  
https://bugzilla.redhat.com/show_bug.cgi?id=2247170

Red Hat Security Advisory 2023-7656-03

Red Hat Security Advisory 2023-7653-03 - An update to the images for Red Hat Integration - Service Registry is now available from the Red Hat Container Catalog. The purpose of this text-only errata is to inform you about the security issues fixed in this release. Issues addressed include bypass and denial of service vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7653.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: Service Registry (container images) release and security update [2.5.4 GA]  
Advisory ID:        RHSA-2023:7653-03  
Product:            Red Hat Integration  
Advisory URL:       https://access.redhat.com/errata/RHSA-2023:7653  
Issue date:         2023-12-05  
Revision:           03  
CVE Names:          CVE-2023-1584  
====================================================================

Summary: 

An update to the images for Red Hat Integration - Service Registry is now available from the Red Hat Container Catalog. The purpose of this text-only errata is to inform you about the security issues fixed in this release.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

This release of Red Hat Integration - Service Registry 2.5.4 GA includes the following security fixes.

Security Fix(es):

* undertow: HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) [rhint-serv-2] (CVE-2023-44487)

* quarkus-vertx-http: quarkus: HTTP security policy bypass [rhint-serv-2] (CVE-2023-4853)

* netty: SniHandler 16MB allocation leads to OOM [rhint-serv-2] (CVE-2023-34462)

* snappy-java: Unchecked chunk length leads to DoS [rhint-serv-2] (CVE-2023-34455)

* quarkus-oidc: ID and access tokens leak via the authorization code flow [rhint-serv-2] (CVE-2023-1584)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-1584

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2180886  
https://bugzilla.redhat.com/show_bug.cgi?id=2215445  
https://bugzilla.redhat.com/show_bug.cgi?id=2216888  
https://bugzilla.redhat.com/show_bug.cgi?id=2238034  
https://bugzilla.redhat.com/show_bug.cgi?id=2242803

Red Hat Security Advisory 2023-7653-03

Red Hat Security Advisory 2023-7606-03 - Red Hat OpenShift Container Platform release 4.13.25 is now available with updates to packages and images that fix several bugs and add enhancements.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7606.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: OpenShift Container Platform 4.13.25 packages and security update  
Advisory ID:        RHSA-2023:7606-03  
Product:            Red Hat OpenShift Enterprise  
Advisory URL:       https://access.redhat.com/errata/RHSA-2023:7606  
Issue date:         2023-12-06  
Revision:           03  
CVE Names:          CVE-2023-40225  
====================================================================

Summary: 

Red Hat OpenShift Container Platform release 4.13.25 is now available with updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container Platform 4.13.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.13.25. See the following advisory for the container images for this release:

https://access.redhat.com/errata/RHSA-2023:7604

Security Fix(es):

* haproxy: Proxy forwards malformed empty Content-Length headers (CVE-2023-40225)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

All OpenShift Container Platform 4.13 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.13/updating/updating-cluster-cli.html

Solution:

https://docs.openshift.com/container-platform/4.13/release_notes/ocp-4-13-release-notes.html

CVEs:

CVE-2023-40225

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://bugzilla.redhat.com/show_bug.cgi?id=2231370

Red Hat Security Advisory 2023-7606-03

Red Hat Security Advisory 2023-7604-03 - Red Hat OpenShift Container Platform release 4.13.25 is now available with updates to packages and images that fix several bugs and add enhancements.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7604.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: OpenShift Container Platform 4.13.25 bug fix and security update  
Advisory ID:        RHSA-2023:7604-03  
Product:            Red Hat OpenShift Enterprise  
Advisory URL:       https://access.redhat.com/errata/RHSA-2023:7604  
Issue date:         2023-12-06  
Revision:           03  
CVE Names:          CVE-2023-39325  
====================================================================

Summary: 

Red Hat OpenShift Container Platform release 4.13.25 is now available with updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container Platform 4.13.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container Platform 4.13.25. See the following advisory for the RPM packages for this release:

https://access.redhat.com/errata/RHSA-2023:7606

Space precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/4.13/release_notes/ocp-4-13-release-notes.html

Security Fix(es):

* golang: net/http, x/net/http2: rapid stream resets can cause excessive work (Rapid Reset Attack) (CVE-2023-39325)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

All OpenShift Container Platform 4.13 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.13/updating/updating-cluster-cli.html

Solution:

CVEs:

CVE-2023-39325

References:

https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/security/vulnerabilities/RHSB-2023-003  
https://bugzilla.redhat.com/show_bug.cgi?id=2243296  
https://issues.redhat.com/browse/OCPBUGS-11316  
https://issues.redhat.com/browse/OCPBUGS-18106  
https://issues.redhat.com/browse/OCPBUGS-22126  
https://issues.redhat.com/browse/OCPBUGS-23504  
https://issues.redhat.com/browse/OCPBUGS-23536

Red Hat Security Advisory 2023-7604-03

Red Hat Security Advisory 2023-7602-03 - Red Hat OpenShift Container Platform release 4.13.25 is now available with updates to packages and images that fix several bugs.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7602.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: OpenShift Container Platform 4.13.25 security and extras update  
Advisory ID:        RHSA-2023:7602-03  
Product:            Red Hat OpenShift Enterprise  
Advisory URL:       https://access.redhat.com/errata/RHSA-2023:7602  
Issue date:         2023-12-06  
Revision:           03  
CVE Names:          CVE-2023-39325  
====================================================================

Summary: 

Red Hat OpenShift Container Platform release 4.13.25 is now available with updates to packages and images that fix several bugs.

This release includes a security update for Red Hat OpenShift Container Platform 4.13.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.13.25. See the following advisory for the container images for this release:

https://access.redhat.com/errata/RHSA-2023:7604

Security Fix(es):

* golang: net/http, x/net/http2: rapid stream resets can cause excessive work (Rapid Reset Attack) (CVE-2023-39325)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

All OpenShift Container Platform 4.13 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.13/updating/updating-cluster-cli.html

Solution:

https://docs.openshift.com/container-platform/4.13/release_notes/ocp-4-13-release-notes.html

CVEs:

CVE-2023-39325

References:

https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/security/vulnerabilities/RHSB-2023-003  
https://bugzilla.redhat.com/show_bug.cgi?id=2243296

Red Hat Security Advisory 2023-7602-03

Ubuntu Security Notice 6529-1 - It was discovered that Request Tracker incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to obtain sensitive information.

==========================================================================  
Ubuntu Security Notice USN-6529-1  
December 04, 2023

request-tracker4 vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10  
- Ubuntu 23.04  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)

Summary:

Several security issues were fixed in Request Tracker.

Software Description:  
- request-tracker4: An enterprise-grade issue tracking system

Details:

It was discovered that Request Tracker incorrectly handled certain inputs. If  
a user or an automated system were tricked into opening a specially crafted  
input file, a remote attacker could possibly use this issue to obtain  
sensitive information. (CVE-2021-38562, CVE-2022-25802, CVE-2023-41259,  
CVE-2023-41260)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 23.10:  
   request-tracker4                4.4.4+dfsg-2ubuntu1.23.10.1  
   rt4-apache2                     4.4.4+dfsg-2ubuntu1.23.10.1  
   rt4-clients                     4.4.4+dfsg-2ubuntu1.23.10.1  
   rt4-db-mysql                    4.4.4+dfsg-2ubuntu1.23.10.1  
   rt4-db-postgresql               4.4.4+dfsg-2ubuntu1.23.10.1  
   rt4-db-sqlite                   4.4.4+dfsg-2ubuntu1.23.10.1  
   rt4-fcgi                        4.4.4+dfsg-2ubuntu1.23.10.1  
   rt4-standalone                  4.4.4+dfsg-2ubuntu1.23.10.1

Ubuntu 23.04:  
   request-tracker4                4.4.4+dfsg-2ubuntu1.23.04.1  
   rt4-apache2                     4.4.4+dfsg-2ubuntu1.23.04.1  
   rt4-clients                     4.4.4+dfsg-2ubuntu1.23.04.1  
   rt4-db-mysql                    4.4.4+dfsg-2ubuntu1.23.04.1  
   rt4-db-postgresql               4.4.4+dfsg-2ubuntu1.23.04.1  
   rt4-db-sqlite                   4.4.4+dfsg-2ubuntu1.23.04.1  
   rt4-fcgi                        4.4.4+dfsg-2ubuntu1.23.04.1  
   rt4-standalone                  4.4.4+dfsg-2ubuntu1.23.04.1

Ubuntu 22.04 LTS:  
   request-tracker4                4.4.4+dfsg-2ubuntu1.22.04.1  
   rt4-apache2                     4.4.4+dfsg-2ubuntu1.22.04.1  
   rt4-clients                     4.4.4+dfsg-2ubuntu1.22.04.1  
   rt4-db-mysql                    4.4.4+dfsg-2ubuntu1.22.04.1  
   rt4-db-postgresql               4.4.4+dfsg-2ubuntu1.22.04.1  
   rt4-db-sqlite                   4.4.4+dfsg-2ubuntu1.22.04.1  
   rt4-fcgi                        4.4.4+dfsg-2ubuntu1.22.04.1  
   rt4-standalone                  4.4.4+dfsg-2ubuntu1.22.04.1

Ubuntu 20.04 LTS:  
   request-tracker4                4.4.3-2+deb10u3build0.20.04.1  
   rt4-apache2                     4.4.3-2+deb10u3build0.20.04.1  
   rt4-clients                     4.4.3-2+deb10u3build0.20.04.1  
   rt4-db-mysql                    4.4.3-2+deb10u3build0.20.04.1  
   rt4-db-postgresql               4.4.3-2+deb10u3build0.20.04.1  
   rt4-db-sqlite                   4.4.3-2+deb10u3build0.20.04.1  
   rt4-fcgi                        4.4.3-2+deb10u3build0.20.04.1  
   rt4-standalone                  4.4.3-2+deb10u3build0.20.04.1

Ubuntu 18.04 LTS (Available with Ubuntu Pro):  
   request-tracker4                4.4.2-2ubuntu0.1~esm1  
   rt4-apache2                     4.4.2-2ubuntu0.1~esm1  
   rt4-clients                     4.4.2-2ubuntu0.1~esm1  
   rt4-db-mysql                    4.4.2-2ubuntu0.1~esm1  
   rt4-db-postgresql               4.4.2-2ubuntu0.1~esm1  
   rt4-db-sqlite                   4.4.2-2ubuntu0.1~esm1  
   rt4-fcgi                        4.4.2-2ubuntu0.1~esm1  
   rt4-standalone                  4.4.2-2ubuntu0.1~esm1

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-6529-1  
   CVE-2021-38562, CVE-2022-25802, CVE-2023-41259, CVE-2023-41260

Package Information:  
   https://launchpad.net/ubuntu/+source/request-tracker4/4.4.4+dfsg-2ubuntu1.23.10.1  
   https://launchpad.net/ubuntu/+source/request-tracker4/4.4.4+dfsg-2ubuntu1.23.04.1  
   https://launchpad.net/ubuntu/+source/request-tracker4/4.4.4+dfsg-2ubuntu1.22.04.1

 https://launchpad.net/ubuntu/+source/request-tracker4/4.4.3-2+deb10u3build0.20.04.1

Ubuntu Security Notice USN-6529-1

BSidesSF is soliciting submissions for presentations and panels for BSidesSF 2024 in San Francisco on May 4 and 5 2024.

    hi folks,We are now accepting <https://pretalx.com/bsidessf-2024/> submissions forpresentations and panels for BSidesSF 2024 in San Francisco on May 4, 52024.  BSidesSF <https://www.bsidessf.org/> is a non-profit organizationdesigned to advance the body of Information Security knowledge, byproviding an annual, open forum for discussion and debate for securitypractitioners. We produce a conference that is a source of education,collaboration, and continued conversation for information technologists.The technical and academic presentations at BSidesSF are given in thespirit of peer review and advanced knowledge dissemination. This allows thefield of Information Security to grow in breadth and depth, and continue inits pursuit of highly advanced, scientifically based knowledge.Please help us spread the word through your community and come share yourideas with industry peers.ThanksProgram TeamBSidesSF 2024

BSides SF 2024 Call For Papers

WordPress MW WP Form plugin versions 5.0.1 and below suffer from an arbitrary file upload vulnerability.

    Vulnerability Summary from Wordfence IntelligenceDescription: MW WP Form <= 5.0.1 – Unauthenticated Arbitrary File Upload Affected Plugin: MW WP FormPlugin Slug: mw-wp-formAffected Versions: <= 5.0.1CVE ID: CVE-2023-6316CVSS Score: 9.8 (Critical)CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HResearcher/s: István Márton Fully Patched Version: 5.0.2The MW WP Form plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the ‘_single_file_upload’ function in versions up to, and including, 5.0.1. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site’s server which may make remote code execution possible.Technical AnalysisThe MW WP Form plugin provides a shortcode-based form builder, with many customizable fields and many useful form options. Files can also be uploaded to the form with the [mwform_file name="file"] shortcode field.Examining the code reveals that the plugin uses the _single_file_upload() function in the MW_WP_Form_File class to file upload, and the check_file_type() function in the MWF_Functions class is used to check the file type.[View the code snippet on the blog]  The upload function checks the file and then copies it to the server with the move_uploaded_file() function. The file is only stored on the server if the “Saving inquiry data in database” option is selected in the form settings. Otherwise the file is immediately deleted after submitting the form.[View the code snippet on the blog]  Unfortunately, although the file type check function works perfectly and returns false for dangerous file types, it throws a runtime exception in the try block if a disallowed file type is uploaded, which will be caught and handled by the catch block. The catch block only uses the error_log() function to log the error without interrupting the upload. This means that even if the dangerous file type is checked and detected, it is only logged, while the function continues to run and the file is uploaded. This means that attackers could upload arbitrary PHP files and then access those files to trigger their execution on the server, achieving remote code execution.We would like to draw attention once again to the fact that the vulnerability only critically affects users who have enabled the “Saving inquiry data in database” option in the form settings, because the plugin only saves the files in this configuration.Disclosure TimelineNovember 24, 2023 – Discovery of the Arbitrary File Upload vulnerability in MW WP Form.November 24, 2023 – We initiate contact with the plugin vendor asking that they confirm the inbox for handling the discussion.November 24, 2023 – The vendor confirms the inbox for handling the discussion.November 24, 2023 – We send over the full disclosure details. The vendor acknowledges the report and begins working on a fix.November 29, 2023 – A fully patched version of the plugin, 5.0.2, is released.ConclusionIn this blog post, we detailed an Arbitrary File Upload vulnerability within the MW WP Form plugin affecting versions 5.0.1 and earlier. This vulnerability allows unauthenticated threat actors to upload arbitrary files, including PHP backdoors, and execute those files on the server. The vulnerability has been fully addressed in version 5.0.2 of the plugin.We encourage WordPress users to verify that their sites are updated to the latest patched version of MW WP Form.All Wordfence users, including those running Wordfence Premium , Wordfence Care , and Wordfence Response , as well as sites still running the free version of Wordfence, are fully protected against this vulnerability.If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.Did you know that Wordfence has a Bug Bounty Program ? We’ve recently increased our bounties by 6.25x until December 20th, 2023, with our bounties for the most critical vulnerabilities reaching $10,000 USD! If you’re an aspiring or current vulnerability researcher, click here to sign up.

WordPress MW WP Form 5.0.1 Arbitrary File Upload

FortiWeb VM version 7.4.0 build577 suffers from a post authentication CLI crash when provided a long password.

    ;; ;; FortiWeb VM (v7.4.0 build577) Post-auth CLI Crash;; ;; (...);; ;; code610 / some debug notes fyi;; ;; 17.11.2023 @ 23:33;; FortiWeb # diagnose debug crashlog show2023-11-16 05:07:00 <004315> application cli2023-11-16 05:07:00 <004315> *** signal Segmentation fault received ***2023-11-16 05:07:00 <004315> RIP     00007fdd1febf44f2023-11-16 05:07:00 <004315> EFLAGS  00000000000102062023-11-16 05:07:00 <004315> RAX     00000000000000002023-11-16 05:07:00 <004315> RBX     00000000000000052023-11-16 05:07:00 <004315> RCX     00005642dd55d4b12023-11-16 05:07:00 <004315> RDX     00007ffca74d8ff02023-11-16 05:07:00 <004315> RSI     00000000000000002023-11-16 05:07:00 <004315> RDI     00007ffca74d82d02023-11-16 05:07:00 <004315> RBP     00000000000000002023-11-16 05:07:00 <004315> RSP     00007ffca74d82082023-11-16 05:07:00 <004315> CS      00002023-11-16 05:07:00 <004315> GS      00002023-11-16 05:07:00 <004315> FS      00332023-11-16 05:07:00 <004315> Trap    000000000000000e2023-11-16 05:07:00 <004315> Error   00000000000000062023-11-16 05:07:00 <004315> Oldmask 00000000000000002023-11-16 05:07:00 <004315> CR2     00007ffca74d90202023-11-16 05:07:00 <004315> [0x00007fdd1febf44f] ==> /lib64/libc.so.6 + 0x000000000013d44f)2023-11-16 05:07:00 <004315> [0x00007fdd21329ae3] => /lib64/libconfd.so (cfg_backup+0x00000193)2023-11-16 05:07:00 <004315> [0x00007fdd21329ae3] => /lib64/libconfd.so (cfg_backup+0x00000193)2023-11-16 05:07:38 <004315> application cli2023-11-16 05:07:38 <004315> *** signal Segmentation fault received ***2023-11-16 05:07:38 <004315> RIP     00007fdd1fec034f2023-11-16 05:07:38 <004315> EFLAGS  00000000000102062023-11-16 05:07:38 <004315> RAX     00000000000000002023-11-16 05:07:38 <004315> RBX     00000000000000062023-11-16 05:07:38 <004315> RCX     00005642dd55403b2023-11-16 05:07:38 <004315> RDX     00007ffca74d8fe02023-11-16 05:07:38 <004315> RSI     00000000000000002023-11-16 05:07:38 <004315> RDI     00007ffca74d82d02023-11-16 05:07:38 <004315> RBP     00000000000000002023-11-16 05:07:38 <004315> RSP     00007ffca74d82082023-11-16 05:07:38 <004315> CS      00002023-11-16 05:07:38 <004315> GS      00002023-11-16 05:07:38 <004315> FS      00332023-11-16 05:07:38 <004315> Trap    000000000000000e2023-11-16 05:07:38 <004315> Error   00000000000000062023-11-16 05:07:38 <004315> Oldmask 00000000000000002023-11-16 05:07:38 <004315> CR2     00007ffca74d90102023-11-16 05:07:38 <004315> [0x00007fdd1fec034f] ==> /lib64/libc.so.6 + 0x000000000013e34f)2023-11-16 05:07:38 <004315> [0x00007fdd21329ae3] => /lib64/libconfd.so (cfg_backup+0x00000193)2023-11-16 05:07:38 <004315> [0x00007fdd21329ae3] => /lib64/libconfd.so (cfg_backup+0x00000193)2023-11-16 05:08:00 <004315> application cli2023-11-16 05:08:00 <004315> *** signal Segmentation fault received ***2023-11-16 05:08:00 <004315> RIP     00007fdd1febf2842023-11-16 05:08:00 <004315> EFLAGS  00000000000102462023-11-16 05:08:00 <004315> RAX     00000000000000002023-11-16 05:08:00 <004315> RBX     00000000000000062023-11-16 05:08:00 <004315> RCX     00005642dd558a802023-11-16 05:08:00 <004315> RDX     00007ffca74d90302023-11-16 05:08:00 <004315> RSI     ffffffffffffffc02023-11-16 05:08:00 <004315> RDI     00007ffca74d82d02023-11-16 05:08:00 <004315> RBP     00000000000000002023-11-16 05:08:00 <004315> RSP     00007ffca74d82082023-11-16 05:08:00 <004315> CS      00002023-11-16 05:08:00 <004315> GS      00002023-11-16 05:08:00 <004315> FS      00332023-11-16 05:08:00 <004315> Trap    000000000000000e2023-11-16 05:08:00 <004315> Error   00000000000000062023-11-16 05:08:00 <004315> Oldmask 00000000000000002023-11-16 05:08:00 <004315> CR2     00007ffca74d90002023-11-16 05:08:00 <004315> [0x00007fdd1febf284] ==> /lib64/libc.so.6 + 0x000000000013d284)2023-11-16 05:08:00 <004315> [0x00007fdd21329ae3] => /lib64/libconfd.so (cfg_backup+0x00000193)2023-11-16 05:08:00 <004315> [0x00007fdd21329ae3] => /lib64/libconfd.so (cfg_backup+0x00000193)FortiWeb # ;; version: FortiWeb VM (v7.4.0 build577) ;; quick poc:fgweb_cli> execute backup cli-config tftp SOMEFILENAME 1.1.1.1 PASSWD_LEN_IS_OUR_CRASHER ;; ;; https://code610.blogspot.com/search?q=fortigate;;

Source

Packet Storm