FUXA <= 1.1.12 is vulnerable to Local File Inclusion via `/api/download`.

**FUXA local file inclusion vulnerability**

Moderate severity GitHub Reviewed Published Sep 22, 2023 to the GitHub Advisory Database • Updated Sep 22, 2023

GHSA-wwfj-h843-3hrq: FUXA local file inclusion vulnerability

A SQL Injection attack in FUXA <= 1.1.12 allows exfiltration of confidential information from the database.

**FUXA SQL Injection vulnerability**

Moderate severity GitHub Reviewed Published Sep 22, 2023 to the GitHub Advisory Database • Updated Sep 22, 2023

GHSA-v9q5-9crp-92f9: FUXA SQL Injection vulnerability

FUXA <= 1.1.12 has a Local File Inclusion vulnerability via file=fuxa.log

Skip to content

Sign up

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    
    Explore
    
    *   All features
    *   Documentation
    *   GitHub Skills
    *   Blog
    
*   For
    
    *   Enterprise
    *   Teams
    *   Startups
    *   Education
    
    By Solution
    
    *   CI/CD & Automation
    *   DevOps
    *   DevSecOps
    
    Resources
    
    *   Customer Stories
    *   White papers, Ebooks, Webinars
    *   Partners
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
    Repositories
    
    *   Topics
    *   Trending
    *   Collections
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

We read every piece of feedback, and take your input very seriously.

Include my email address so I can be contacted

**Saved searches****Use saved searches to filter your results more quickly**

Sign in

Sign up

MateusTesser / **CVE-2023-31716** Public

*   Notifications
*   Fork 0
*   Star 0
    

0 stars 0 forks Activity

Star

Notifications

*   Code
*   Issues
*   Pull requests
*   Actions
*   Projects
*   Security
*   Insights

More

main

Switch branches/tags

**Name already in use**

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

**1** branch **0** tags

Code

*   Clone
    
    Use Git or checkout with SVN using the web URL.
    
*   Open with GitHub Desktop
*   Download ZIP

**Latest commit**

**Git stats**

*   **4** commits

**Files**Permalink

Failed to load latest commit information.

Type

Name

Latest commit message

Commit time

README.md

**README.md**

**CVE-2023-31716**

Name Affected product: FUXA

Version affected: <= 1.1.12

Problem: Local File Inclusion

Description: FUXA < 1.1.12 has a Local File Inclusion vulnerability via file=fuxa.log

**About**

No description, website, or topics provided.

**Resources**

Readme

Activity

**Stars**

**0** stars

**Watchers**

**1** watching

**Forks**

**0** forks

Report repository

**Releases**

No releases published

**Packages**

No packages published

CVE-2023-31716: GitHub - MateusTesser/CVE-2023-31716

FUXA <= 1.1.12 is vulnerable to SQL Injection via /api/signin.

**Name already in use**

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

**1** branch **0** tags

Code

*   Use Git or checkout with SVN using the web URL.
    
*   Open with GitHub Desktop
*   Download ZIP

**Latest commit**

**Files**

Permalink

Failed to load latest commit information.

Type

Name

Latest commit message

Commit time

**CVE-2023-31719**

Its possible do inject SQL code into the JSON parameter "username" from the endpoint /api/signin via HTTP POST request

{"username":"test' OR 2891=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2))))-- ZJMj","password":"test"}

Name Affected product: FUXA

Version affected: <= 1.1.12

Problem: SQL Injection

Description: Its possible do inject SQL code into the JSON parameter "username" from the endpoint /api/signin via HTTP POST request

CVE-2023-31719: GitHub - MateusTesser/CVE-2023-31719

FUXA <= 1.1.12 is vulnerable to Local via Inclusion via /api/download.

**Name already in use**

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

**1** branch **0** tags

Code

*   Use Git or checkout with SVN using the web URL.
    
*   Open with GitHub Desktop
*   Download ZIP

**Latest commit**

**Files**

Permalink

Failed to load latest commit information.

Type

Name

Latest commit message

Commit time

**CVE-2023-31718**

Its possible to include local files into the endpoint /api/download. This endpoint is to download reports from the FUXA and can read local files from HTTP GET "name" parameter.

/api/download?cmd=REPORT-DOWNLOAD&name=../../../../../../etc/passwd

Name Affected product: FUXA

Version affected: <= 1.1.12

Problem: Local File Inclusion

Description: It's possible to include local files into the endpoint /api/download. This endpoint is to download reports from the FUXA and can read local files from HTTP GET "name" parameter /api/download?cmd=REPORT-DOWNLOAD&name=../../../../../../etc/passwd

CVE-2023-31718: GitHub - MateusTesser/CVE-2023-31718

Due to failure in validating the length provided by an attacker-crafted PostScript document, CUPS and libppd are susceptible to a heap-based buffer overflow and possibly code execution. This issue has been fixed in CUPS version 2.4.7, released in September of 2023.


Copying the same vulnerability from CUPS to cover the fix in libppd, reported by @todb

**Description**

Hello -- below is a draft advisory that we plan to publish in about 60 days (around October 22, 2023), or sooner if you choose to disclose before then. Also, thanks for the incredibly easy mechanism to report security issues!

We are a CNA, so no need to involve MITRE - we can take care of publishing and credit and all that.

**CVE-2023-4504: OpenPrinting CUPS Postscript Parsing Heap Overflow**

AHA! has discovered an issue with CUPS from OpenPrinting, and is publishing  
this disclosure in accordance with AHA!'s standard disclosure policy today,  
on $DATE. CVE-2023-4504 has been assigned to this issue.

Any questions about this disclosure should be directed to  
cve@takeonme.org.

**Executive Summary**

Due to failure in validating the length provided by an attacker-crafted CUPS document, CUPS version v2.5b1 and prior, by default, is susceptible to a heap-based buffer overflow, and possibly code execution. CVE-2023-4504 appears to be an instance of CWE-122, a heap-based buffer overflow.

**Technical Details**

The scan\_ps function in the CUPS codebase provides functionality that scans through a string looking for the next Postscript object. When iterating through a string which contains an open parenthesis and ends with a single backslash (0x5c) character, the code incorrectly iterates forward a character without properly checking the bounds of the string resulting in a 1 byte read beyond the allocated heap buffer.  
libppd took scan\_ps code and renamed it to ppd\_scan\_ps().

**Snippet of the vulnerable code:**

libppd/ppd/raster-interpret.c

    1039 static _ppd_ps_obj_t   *               /* O  - New object or NULL on EOF */
    1040 ppd_scan_ps(_ppd_ps_stack_t *st,           /* I  - Stack */
    1041         char             **ptr)         /* IO - String pointer */
    1042 {
    ...
    1085   switch (*cur)
    1086   {
    1087     case '(' :                          /* (string) */
    1088         obj.type = CUPS_PS_STRING;
    1089         start    = cur;
    1090
    1091         for (cur ++, parens = 1, valptr = obj.value.string,
    1092                  valend = obj.value.string + sizeof(obj.value.string) - 1;
    1093              *cur;
    1094              cur ++)
    1095         {
    1096           if (*cur == ')' && parens == 1)
    1097             break;
    1098
    1099           if (*cur == '(')
    1100             parens ++;
    1101           else if (*cur == ')')
    1102             parens --;
    1103
    1104           if (valptr >= valend)
    1105           {
    1106             *ptr = start;
    1107
    1108             return (NULL);
    1109           }
    1110
    1111           if (*cur == '\\')
    1112           {
    1113            /*
    1114             * Decode escaped character...
    1115             */
    1116
    1117             cur ++;
    1118
    1119             if (*cur == 'b')
    1120               *valptr++ = '\b';
    1121             else if (*cur == 'f')
    1122               *valptr++ = '\f';
    1123             else if (*cur == 'n')
    1124               *valptr++ = '\n';
    1125             else if (*cur == 'r')
    1126               *valptr++ = '\r';
    1127             else if (*cur == 't')
    1128               *valptr++ = '\t';
    1129             else if (*cur >= '0' && *cur <= '7')
    1130             {
    1131               int ch = *cur - '0';
    1132
    1133               if (cur[1] >= '0' && cur[1] <= '7')
    1134               {
    1135                 cur ++;
    1136                 ch = (ch << 3) + *cur - '0';
    1137               }
    1138
    1139               if (cur[1] >= '0' && cur[1] <= '7')
    1140               {
    1141                 cur ++;
    1142                 ch = (ch << 3) + *cur - '0';
    1143               }
    1144
    1145               *valptr++ = (char)ch;
    1146             }
    1147             else if (*cur == '\r')
    1148             {
    1149               if (cur[1] == '\n')
    1150                 cur ++;
    1151             }
    1152             else if (*cur != '\n')
    1153               *valptr++ = *cur;
    1154           }
    1155           else
    1156             *valptr++ = *cur;
    1157         }
    

Line 1085 contains the case statement which provides the logic used to iterate through the given string.

On line 1091, the for loop within the case statement is used to iterate through each character after encountering an open paranthesis character (0x28), storing the pointer to the current character in cur.

On line 1111, the code checks if the current character is a backslash and finally, in line 1117, the character index is incremented without checking the length, now pointing to the null byte terminating the string.

Upon the next iteration of the loop, on line 1094, the loop now begins iterating through unallocated memory resulting in undefined behaviour.

A Base64 encoded blob of an example PostScript document that can trigger the issue is below.

**Attacker Value**

By providing this malformed PostScript document, an attacker could compromise the machine running the software. Once compromised, this can provide an attacker a unique, privileged position in the targeted network.  
Credit

This issue is being disclosed through the AHA! CNA and is credited to: zenofex and WanderingGlitch

**Timeline**

    2023-07-27 (Thu): Initial findings presented at AHA! Meeting 0xffff
    2023-08-21 (Monday): PoC validated and this disclosure drafted.
    2023-08-23 (Day): Disclosed to the vendor per [their GitHub repo's instructions](https://github.com/OpenPrinting/cups/security).
    YYYY-MM-DD (Day): Vendor acknowledged the vulnerability.
    YYYY-MM-DD (Day): Vendor released fixed version [X.Y.Z](https://example.com/).
    YYYY-MM-DD (Day): Public disclosure of [CVE-2023-4504](https://takeonme.org/cves/CVE-2023-4504.html).

CVE-2023-4504: CUPS Heap-based buffer overflow

D-LINK DIR-806 1200M11AC wireless router DIR806A1_FW100CNb11 is vulnerable to command injection due to lax filtering of HTTP_ST parameters.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2023-43128: dlink/DIR-806/1/readme.md at main · mmmmmx1/dlink

Mobile Security Framework (MobSF) <=v3.7.8 Beta is vulnerable to Insecure Permissions.

CVE-2023-42261: hack16/Unauthorized Access to MobSF.md at main · woshinibaba222/hack16

An issue was discovered in Ivanti Endpoint Manager before 2022 SU4. A file disclosure vulnerability exists in the GetFileContents SOAP action exposed via /landesk/managementsuite/core/core.secure/OsdScript.asmx. The application does not sufficiently restrict user-supplied paths, allowing for an authenticated attacker to read arbitrary files from a remote system, including the private key used to authenticate to agents for remote access.

**2023**

**Q1 2023**

Strengthen cybersecurity posture and optimize digital employee experiences.

**Q2 2023**

Improving visibility, operational efficiency and experience​.

**Q3 2023**

Enhanced vulnerability prioritization and remediation, improving actionable insights, and experience.

**2022**

**Q1 2022**

Reduce risk while providing better and more productive employee experiences.

**Q2 2022**

Enhance security and the employee experience in the Everywhere Workplace.

**Q3 2022**

Provide secure, contextualized & productive employee experiences.

**Q4 2022**

CVE-2023-38344: Product Releases & Updates | Ivanti

A previously undocumented threat actor dubbed Sandman has been attributed to a set of cyber attacks targeting telecommunic koation providers in the Middle East, Western Europe, and the South Asian subcontinent.
Notably, the intrusions leverage a just-in-time (JIT) compiler for the Lua programming language known as LuaJIT as a vehicle to deploy a novel implant called LuaDream.
"The activities we

A previously undocumented threat actor dubbed **Sandman** has been attributed to a set of cyber attacks targeting telecommunic koation providers in the Middle East, Western Europe, and the South Asian subcontinent.

Notably, the intrusions leverage a just-in-time (JIT) compiler for the Lua programming language known as LuaJIT as a vehicle to deploy a novel implant called **LuaDream**.

"The activities we observed are characterized by strategic lateral movement to specific targeted workstations and minimal engagement, suggesting a deliberate approach aimed at achieving the set objectives while minimizing the risk of detection," SentinelOne security researcher Aleksandar Milenkoski said in an analysis published in collaboration with QGroup.

"The implementation of LuaDream indicates a well-executed, maintained, and actively developed project of a considerable scale."

Neither the campaign nor its tactics have been correlated with any known threat actor or group, although available evidence points to a cyber espionage adversary with a penchant for targeting the telecom sector across geographies. The attacks were first observed over several weeks in August 2023.

"The LuaDream staging chain is designed to evade detection and thwart analysis while deploying the malware directly into memory," Milenkoski explained. "LuaDream's implementation and staging process leverage the LuaJIT platform, the just-in-time compiler for the Lua scripting language. This is primarily to make malicious Lua script code difficult to detect."

String artifacts contained within the implant's source code reference June 3, 2022, indicating that the preparatory work has been underway for more than a year.

It's suspected that LuaDream is a variant of a new malware strain referred to as DreamLand by Kaspersky in its APT trends report for Q1 2023, with the Russian cybersecurity company describing it as employing "the Lua scripting language in conjunction with its Just-in-Time (JIT) compiler to execute malicious code that is difficult to detect."

The use of Lua is something of a rarity in the threat landscape, having been previously observed in three different instances since 2012: Flame, Animal Farm (aka SNOWGLOBE), and Project Sauron.

The exact mode of initial access remains unclear, but it has been observed stealing administrative credentials and conducting reconnaissance to breach workstations of interest and ultimately deliver LuaDream.

A modular, multi-protocol backdoor with 13 core and 21 support components, LuaDream is primarily designed to exfiltrate system and user information as well as manage attacker-provided plugins that expand on its features, such as command execution. It also features various anti-debugging capabilities to evade detection and thwart analysis.

Command-and-control (C2) communication is accomplished by establishing contact with a domain named "mode.encagil\[.\]com" using the WebSocket protocol. But it can also listen for incoming connections over TCP, HTTPS, and QUIC protocols.

The core modules implement all of the aforementioned features, while the support components are responsible for augmenting the backdoor's capabilities to await connections based on the Windows HTTP server API and execute commands.

"LuaDream stands as a compelling illustration of the continuous innovation and advancement efforts that cyber espionage threat actors pour into their ever-evolving malware arsenal," Milenkoski said.

The disclosure coincides with a parallel report from SentinelOne which detailed sustained strategic intrusions by Chinese threat actors in Africa, including those aimed at telecommunication, finance and government sectors in Africa, as part of activity clusters dubbed BackdoorDiplomacy, Earth Estries, and Operation Tainted Love.

UPCOMING WEBINAR

Level-Up SaaS Security: A Comprehensive Guide to ITDR and SSPM

Stay ahead with actionable insights on how ITDR identifies and mitigates threats. Learn about the indispensable role of SSPM in ensuring your identity remains unbreachable.

Supercharge Your Skills

The goal, the company said, is to extend influence throughout the continent and leverage such offensives as part of its soft power agenda.

SentinelOne said it detected a compromise of a telecommunications entity based in North Africa by the same threat actor behind Operation Tainted Love, adding the timing of the attack aligned with the organization's private negotiations for further regional expansion.

"Targeted intrusions by the BackdoorDiplomacy APT and the threat group orchestrating Operation Tainted Love indicate a level intention directed at supporting \[China in its efforts to\] shape policies and narratives aligned with its geostrategic ambitions, establishing itself as a pivotal and defining force in Africa's digital evolution," security researcher Tom Hegel said.

It also comes days after Cisco Talos revealed that telecommunication service providers in the Middle East are the target of a new intrusion set dubbed ShroudedSnooper that employs a set of stealthy backdoors called HTTPSnoop and PipeSnoop.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#git