FUXA <= 1.1.12 has a Local File Inclusion vulnerability via file=fuxa.log

**FUXA vulnerable to Local File Inclusion**

Moderate severity GitHub Reviewed Published Sep 22, 2023 to the GitHub Advisory Database • Updated Sep 22, 2023

GHSA-45c3-c4c3-8rqg: FUXA vulnerable to Local File Inclusion

FUXA <= 1.1.12 is vulnerable to SQL Injection via `/api/signin`.

**FUXA SQL Injection vulnerability**

Moderate severity GitHub Reviewed Published Sep 22, 2023 to the GitHub Advisory Database • Updated Sep 22, 2023

GHSA-p46g-8c3q-89p2: FUXA SQL Injection vulnerability

FUXA <= 1.1.12 is vulnerable to Local File Inclusion via `/api/download`.

**FUXA local file inclusion vulnerability**

Moderate severity GitHub Reviewed Published Sep 22, 2023 to the GitHub Advisory Database • Updated Sep 22, 2023

GHSA-wwfj-h843-3hrq: FUXA local file inclusion vulnerability

A SQL Injection attack in FUXA <= 1.1.12 allows exfiltration of confidential information from the database.

GHSA-v9q5-9crp-92f9: FUXA SQL Injection vulnerability

Skip to content

Sign up

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    
    Explore
    
    *   All features
    *   Documentation
    *   GitHub Skills
    *   Blog
    
*   For
    
    *   Enterprise
    *   Teams
    *   Startups
    *   Education
    
    By Solution
    
    *   CI/CD & Automation
    *   DevOps
    *   DevSecOps
    
    Resources
    
    *   Customer Stories
    *   White papers, Ebooks, Webinars
    *   Partners
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
    Repositories
    
    *   Topics
    *   Trending
    *   Collections
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

We read every piece of feedback, and take your input very seriously.

Include my email address so I can be contacted

**Saved searches****Use saved searches to filter your results more quickly**

Sign in

Sign up

MateusTesser / **CVE-2023-31716** Public

*   Notifications
*   Fork 0
*   Star 0
    

0 stars 0 forks Activity

Star

Notifications

*   Code
*   Issues
*   Pull requests
*   Actions
*   Projects
*   Security
*   Insights

More

main

Switch branches/tags

**Name already in use**

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

**1** branch **0** tags

Code

*   Clone
    
    Use Git or checkout with SVN using the web URL.
    
*   Open with GitHub Desktop
*   Download ZIP

**Latest commit**

**Git stats**

*   **4** commits

**Files**Permalink

Failed to load latest commit information.

Type

Name

Latest commit message

Commit time

README.md

**README.md**

**CVE-2023-31716**

Name Affected product: FUXA

Version affected: <= 1.1.12

Problem: Local File Inclusion

Description: FUXA < 1.1.12 has a Local File Inclusion vulnerability via file=fuxa.log

**About**

No description, website, or topics provided.

**Resources**

Readme

Activity

**Stars**

**0** stars

**Watchers**

**1** watching

**Forks**

**0** forks

Report repository

**Releases**

No releases published

**Packages**

No packages published

CVE-2023-31716: GitHub - MateusTesser/CVE-2023-31716

FUXA <= 1.1.12 is vulnerable to SQL Injection via /api/signin.

**Name already in use**

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

**1** branch **0** tags

Code

*   Use Git or checkout with SVN using the web URL.
    
*   Open with GitHub Desktop
*   Download ZIP

**Latest commit**

**Files**

Permalink

Failed to load latest commit information.

Type

Name

Latest commit message

Commit time

**CVE-2023-31719**

Its possible do inject SQL code into the JSON parameter "username" from the endpoint /api/signin via HTTP POST request

{"username":"test' OR 2891=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2))))-- ZJMj","password":"test"}

Name Affected product: FUXA

Version affected: <= 1.1.12

Problem: SQL Injection

Description: Its possible do inject SQL code into the JSON parameter "username" from the endpoint /api/signin via HTTP POST request

CVE-2023-31719: GitHub - MateusTesser/CVE-2023-31719

FUXA <= 1.1.12 is vulnerable to Local via Inclusion via /api/download.

**Name already in use**

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

**1** branch **0** tags

Code

*   Use Git or checkout with SVN using the web URL.
    
*   Open with GitHub Desktop
*   Download ZIP

**Latest commit**

**Files**

Permalink

Failed to load latest commit information.

Type

Name

Latest commit message

Commit time

**CVE-2023-31718**

Its possible to include local files into the endpoint /api/download. This endpoint is to download reports from the FUXA and can read local files from HTTP GET "name" parameter.

/api/download?cmd=REPORT-DOWNLOAD&name=../../../../../../etc/passwd

Name Affected product: FUXA

Version affected: <= 1.1.12

Problem: Local File Inclusion

Description: It's possible to include local files into the endpoint /api/download. This endpoint is to download reports from the FUXA and can read local files from HTTP GET "name" parameter /api/download?cmd=REPORT-DOWNLOAD&name=../../../../../../etc/passwd

CVE-2023-31718: GitHub - MateusTesser/CVE-2023-31718

D-LINK DIR-806 1200M11AC wireless router DIR806A1_FW100CNb11 is vulnerable to command injection due to lax filtering of HTTP_ST parameters.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2023-43128: dlink/DIR-806/1/readme.md at main · mmmmmx1/dlink

Due to failure in validating the length provided by an attacker-crafted PostScript document, CUPS and libppd are susceptible to a heap-based buffer overflow and possibly code execution. This issue has been fixed in CUPS version 2.4.7, released in September of 2023.


Copying the same vulnerability from CUPS to cover the fix in libppd, reported by @todb

**Description**

Hello -- below is a draft advisory that we plan to publish in about 60 days (around October 22, 2023), or sooner if you choose to disclose before then. Also, thanks for the incredibly easy mechanism to report security issues!

We are a CNA, so no need to involve MITRE - we can take care of publishing and credit and all that.

**CVE-2023-4504: OpenPrinting CUPS Postscript Parsing Heap Overflow**

AHA! has discovered an issue with CUPS from OpenPrinting, and is publishing  
this disclosure in accordance with AHA!'s standard disclosure policy today,  
on $DATE. CVE-2023-4504 has been assigned to this issue.

Any questions about this disclosure should be directed to  
cve@takeonme.org.

**Executive Summary**

Due to failure in validating the length provided by an attacker-crafted CUPS document, CUPS version v2.5b1 and prior, by default, is susceptible to a heap-based buffer overflow, and possibly code execution. CVE-2023-4504 appears to be an instance of CWE-122, a heap-based buffer overflow.

**Technical Details**

The scan\_ps function in the CUPS codebase provides functionality that scans through a string looking for the next Postscript object. When iterating through a string which contains an open parenthesis and ends with a single backslash (0x5c) character, the code incorrectly iterates forward a character without properly checking the bounds of the string resulting in a 1 byte read beyond the allocated heap buffer.  
libppd took scan\_ps code and renamed it to ppd\_scan\_ps().

**Snippet of the vulnerable code:**

libppd/ppd/raster-interpret.c

    1039 static _ppd_ps_obj_t   *               /* O  - New object or NULL on EOF */
    1040 ppd_scan_ps(_ppd_ps_stack_t *st,           /* I  - Stack */
    1041         char             **ptr)         /* IO - String pointer */
    1042 {
    ...
    1085   switch (*cur)
    1086   {
    1087     case '(' :                          /* (string) */
    1088         obj.type = CUPS_PS_STRING;
    1089         start    = cur;
    1090
    1091         for (cur ++, parens = 1, valptr = obj.value.string,
    1092                  valend = obj.value.string + sizeof(obj.value.string) - 1;
    1093              *cur;
    1094              cur ++)
    1095         {
    1096           if (*cur == ')' && parens == 1)
    1097             break;
    1098
    1099           if (*cur == '(')
    1100             parens ++;
    1101           else if (*cur == ')')
    1102             parens --;
    1103
    1104           if (valptr >= valend)
    1105           {
    1106             *ptr = start;
    1107
    1108             return (NULL);
    1109           }
    1110
    1111           if (*cur == '\\')
    1112           {
    1113            /*
    1114             * Decode escaped character...
    1115             */
    1116
    1117             cur ++;
    1118
    1119             if (*cur == 'b')
    1120               *valptr++ = '\b';
    1121             else if (*cur == 'f')
    1122               *valptr++ = '\f';
    1123             else if (*cur == 'n')
    1124               *valptr++ = '\n';
    1125             else if (*cur == 'r')
    1126               *valptr++ = '\r';
    1127             else if (*cur == 't')
    1128               *valptr++ = '\t';
    1129             else if (*cur >= '0' && *cur <= '7')
    1130             {
    1131               int ch = *cur - '0';
    1132
    1133               if (cur[1] >= '0' && cur[1] <= '7')
    1134               {
    1135                 cur ++;
    1136                 ch = (ch << 3) + *cur - '0';
    1137               }
    1138
    1139               if (cur[1] >= '0' && cur[1] <= '7')
    1140               {
    1141                 cur ++;
    1142                 ch = (ch << 3) + *cur - '0';
    1143               }
    1144
    1145               *valptr++ = (char)ch;
    1146             }
    1147             else if (*cur == '\r')
    1148             {
    1149               if (cur[1] == '\n')
    1150                 cur ++;
    1151             }
    1152             else if (*cur != '\n')
    1153               *valptr++ = *cur;
    1154           }
    1155           else
    1156             *valptr++ = *cur;
    1157         }
    

Line 1085 contains the case statement which provides the logic used to iterate through the given string.

On line 1091, the for loop within the case statement is used to iterate through each character after encountering an open paranthesis character (0x28), storing the pointer to the current character in cur.

On line 1111, the code checks if the current character is a backslash and finally, in line 1117, the character index is incremented without checking the length, now pointing to the null byte terminating the string.

Upon the next iteration of the loop, on line 1094, the loop now begins iterating through unallocated memory resulting in undefined behaviour.

A Base64 encoded blob of an example PostScript document that can trigger the issue is below.

**Attacker Value**

By providing this malformed PostScript document, an attacker could compromise the machine running the software. Once compromised, this can provide an attacker a unique, privileged position in the targeted network.  
Credit

This issue is being disclosed through the AHA! CNA and is credited to: zenofex and WanderingGlitch

**Timeline**

    2023-07-27 (Thu): Initial findings presented at AHA! Meeting 0xffff
    2023-08-21 (Monday): PoC validated and this disclosure drafted.
    2023-08-23 (Day): Disclosed to the vendor per [their GitHub repo's instructions](https://github.com/OpenPrinting/cups/security).
    YYYY-MM-DD (Day): Vendor acknowledged the vulnerability.
    YYYY-MM-DD (Day): Vendor released fixed version [X.Y.Z](https://example.com/).
    YYYY-MM-DD (Day): Public disclosure of [CVE-2023-4504](https://takeonme.org/cves/CVE-2023-4504.html).

CVE-2023-4504: CUPS Heap-based buffer overflow

Mobile Security Framework (MobSF) <=v3.7.8 Beta is vulnerable to Insecure Permissions.

Tag

#git