Zoho ManageEngine ServiceDesk Plus before 12003 allows authentication bypass in certain admin configurations.

CVE-2021-44526: ServiceDesk Plus readme | Service desk release notes | ServiceDesk Plus latest version read me notes | IT service management release notes | Service desk current version

Use after free in web apps in Google Chrome prior to 96.0.4664.93 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted Chrome Extension.

**Chrome Releases**

Release updates from the Chrome team

CVE-2021-4052: Stable Channel Update for Desktop

Out of bounds write in WebRTC in Google Chrome prior to 96.0.4664.93 allowed a remote attacker to potentially exploit heap corruption via crafted WebRTC packets.

CVE-2021-4079: Stable Channel Update for Desktop

Inappropriate implementation in WebAuthentication in Google Chrome prior to 96.0.4664.45 allowed a remote attacker to leak cross-origin data via a crafted HTML page.

About Monorail User Guide Release Notes Feedback on Monorail Terms Privacy

CVE-2021-38022: 1248862 - chromium - An open-source project to help move the web forward.

Inappropriate implementation in referrer in Google Chrome prior to 96.0.4664.45 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page.

CVE-2021-38021: Stable Channel Update for Desktop

Use after free in loader in Google Chrome prior to 96.0.4664.45 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

CVE-2021-38005: 1241091 - chromium - An open-source project to help move the web forward.

The Directorist WordPress plugin before 7.0.6.2 was vulnerable to Cross-Site Request Forgery to Remote File Upload leading to arbitrary PHP shell uploads in the wp-content/plugins directory.

Starting this past Friday we have seen a number of websites showing a fake ransomware infection. Google search results for “_**FOR RESTORE SEND 0.1 BITCOIN**_” were sitting at 6 last week and increased to 291 at the time of writing this. Upon visiting their website webmasters have been met with an alarming message:

![](https://blog.sucuri.net/wp-content/uploads/2021/11/siteencrypted.png)

SITE ENCRYPTED

FOR RESTORE SEND 0.1 BITCOIN: 3BkiGYFh6QtjtNCPNNjGwszoqqCka2SDEc

(create file on site /unlock .txt with transaction key inside)

The warning indicated that the website was hit with a ransomware attack. The files were reported to be encrypted and the attackers demanded a ransom payment of 0.1 Bitcoin. While the price of Bitcoin is extremely volatile, at the time of writing this article that would clock in at a whopping $6,000+ USD

![](https://blog.sucuri.net/wp-content/uploads/2021/11/bitcoinexchange.png)

Not a negligible sum of money for an average website owner, to say the least! Before panicking and paying the ransom (or completely re-building their website from scratch) thankfully some website owners hired us to take a look.

**Past Cases of Website Ransomware**

This would certainly not be our first time seeing websites impacted by ransomware. Typically ransomware affects endpoint devices, sometimes entire businesses and institutions. In fact, as I type this the entire provincial health care system of Newfoundland has been brought to its knees with thousands of delayed surgeries due to a crippling suspected ransomware attack.

Starting at the beginning of 2016 we saw some examples of website files themselves being encrypted by attackers with a ransom being demanded, which we wrote about on our blog at the time. This was pretty short lived, however. Attackers always go after the money to maximise their profits. We can only presume that targeting websites wasn’t terribly profitable and was best for them to go after endpoints, businesses and organisations. It’s also much more common for website owners to have backups handy, rendering the entire attack moot.

**More than Meets the Eye**

The clock was ticking on the ransom notification: Seven days, ten hours, 21 minutes and 9 seconds to pay the ransom before the files would be encrypted and irretrievable forever. Tick, tock, tick, tock ⏰

However, when we began our investigation into the website it turned out that nothing was encrypted at all! Normally when ransomware attacks website files the extension is changed to _.lock_ or something similar, and the files have been rendered as unreadable, encrypted rubbish. Not so in this example!

So what was causing the frightening warning?

**Fake Ransomware Warning Generated by Plugin**

The solution to the source was actually quite simple: All we had to do was to query the file structure for the BitCoin account number. That led us to the following file:

./wp-content/plugins/directorist/directorist-base.php

Sure enough, the ransom warning was completely bogus. Nothing was encrypted at all! It was a simple HTML page generated by this bogus plugin and nothing more. Let’s take a look at this code and see what exactly it was doing.

Near the end of that file we can see that the malicious bit is just using some very basic HTML to generate the ransom message:

![](https://blog.sucuri.net/wp-content/uploads/2021/11/bitcoinr.png)

_FOR RESTORE SEND 0.1 BITCOIN: 3BkiGYFh6QtjtNCPNNjGwszoqqCka2SDEc_

As well as some basic PHP to generate the countdown clock:

![](https://blog.sucuri.net/wp-content/uploads/2021/11/countdown.png)

_All cases so far have defaulted to November 20th, 2021_

The desired date can be edited here to instill more panic into the request. Remember folks, rule number one about online scams like phishing is instilling a sense of _urgency_ to the victim!

**Removing the Infection**

Getting this infection cleared up is easy enough, all we had to do was remove the plugin from the wp-content/plugins directory. However, once we got the main website page back all of their pages and posts were leading to 404 Not Found responses.

The reason for this is the last snippet of the malicious plugin:

![](https://blog.sucuri.net/wp-content/uploads/2021/11/azze.png)

Here we see a basic SQL command which finds any posts and pages with the “**publish**” status and changes them to “**null**“. All the content was still in the database, just unable to be viewed! This can be reversed with an equally simple SQL command:

_UPDATE \`wp\_posts\` SET \`post\_status\` = 'publish' WHERE \`post\_status\` = 'null';_

This will publish any content in the database marked as _null._ If you have other content marked as such, it will re-publish that, but that is certainly better than losing all your website posts and pages.

We also see the plugin including the following file:

./wp-content/plugins/directorist/azz\_encrypt.php

However, so far we haven’t seen this file present in any of the infections. It’s possible that in other cases of this infection this file could contain functionality to encrypt the files, but so far we haven’t found a candidate with it present.

**Determining the Source**

In checking the access logs for the website it was easy enough to determine the IP address responsible. Our client was located in the southern United States, however we saw quite a few requests from a foreign IP address which was interacting with the directorist plugin using the plugin editor feature of wp-admin. This suggests that the legitimate plugin was already installed on the website and later tampered with by the attackers.

Interestingly, the very first request that we saw from the attacker IP address was from the wp-admin panel, suggesting that they had already established administrator access to the website before they began their shenanigans. Whether they had brute forced the admin password using another IP address or had acquired the already-compromised login from the black market is anybody’s guess.

**How to Protect your Site**

Once the plugin is removed and the nulled content in the database restored then tying up the loose ends is pretty straightforward!

*   Review admin users on the site, remove any bogus accounts and update/change all wp-admin passwords
*   Secure your wp-admin administrator page
*   Change other access point passwords (database, FTP, cPanel, etc)
*   Ideally, place your website behind a firewall
*   Don’t forget about reliable backups! Even if hackers manage to encrypt your whole site, it will be easy to restore it from the latest backup.

We recently published a detailed article on many of the different options that WordPress website owners have at their disposal to secure their admin page. Be sure to give it a read to make sure your website isn’t low hanging fruit for the bad guys! In particular, the _disallow\_file\_edit_ function would have helped prevent this attack!

If you are a website owner and are affected by this attack our remediation analysts can help remove the infection for you!

**UPDATE:** While the original point of this article was to mention this new malware infection and not locate its source we mentioned it may have been a compromised admin account. Upon further evaluation it was due to a cross-side request forgery vulnerability in the Directorist plugin which has since been patched. Thank you to Plugin Vulnerabilities for reading and paying close attention to our blog posts. Users of this plugin should update immediately!

CVE-2021-24981: Fake Ransomware Infection Spooks Website Owners

A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts). The Apache httpd team is not aware of an exploit for the vulnerabilty though it might be possible to craft one. This issue affects Apache HTTP Server 2.4.51 and earlier.

CVE-2021-44790: Apache HTTP Server 2.4 vulnerabilities

Cross Site Request Forgery (CSRF) vulnerability in Change-password.php in phpgurukul user management system in php using stored procedure V1.0, allows attackers to change the password to an arbitrary account.

**Project Name**

User Management System in PHP Stored Procedure

**Language Used**

PHP5.6, PHP7.x

**Database**

MySQL 5.x

**User Interface Design**

HTML, AJAX,JQUERY,JAVASCRIPT

**Web Browser**

Mozilla, Google Chrome, IE8, OPERA

**Software**

XAMPP / Wamp / Mamp/ Lamp (anyone)

Last Updated

02 July 2021

This project is developed in PHP using Stored Procedure.

A stored procedure is a set of SQL commands that have been compiled and stored on the database server.  
Once the stored procedure has been “stored”, client applications can execute the stored procedure over and over again without sending it to the database server again and without compiling it again.  
Stored procedures improve performance by reducing network traffic and CPU  load.  
**_Comparison with dynamic SQL_**

*   Remove overhead
*   Avoidance of network  traffic
*   Encapsulation of business  logic
*   Delegation of access-rights
*   Some protection from SQL injection attacks

**This project have two modules**

*   User Module
*   Admin Module

**User Modules**

*   User can signup
*   User can log in to the system.
*   User Password Recovery
*   After login user can edit his/her own profile.
*   Change password.

**Admin Modules**

*   Admin can log in to the system.
*   Admin Password Recovery.
*   After login admin can view the admin dashboard.
*   Manage all the user(Update and delete the user profile).
*   Change Password.

**Stored Procedure used in this Project**

**User module**

*   sp\_signup (used for user signup)
*   sp\_checkemailavailabilty (check the email available for registration or not)
*   sp\_userlogin (used for user login)
*   sp\_userpwdrecoveryvalidation (used for password recovery user validation)
*   sp\_userpwdrecoveryvalidation (if user details verified by the above-stored procedure then it will reset the user password)
*   sp\_userprofile (used to view user profile)
*   sp\_userupdateprofile (used to update the user profile details) **Note:** This procedure used in both module
*   sp\_useremailupdation (used to update user email id) **Note:** This procedure used in both module
*   sp\_usercurrentpwdvalidate (used to valid user current password  for change password)
*   sp\_userchangepwd (if the password is validated by the above-stored procedure then this stored procedure  used to change the user password)

**Admin module**

*   sp\_adminlogin (used for admin login)
*   sp\_adminpwdrecoveryvalidation (used for password recovery admin validation)
*   sp\_adminpasswordrecovery (if admin details verfied by above stored procedure then it will reset the admin password)
*   sp\_adminprofile (used to view admin profile details)
*   sp\_admindashboard (used for admin dashboard)
*   sp\_recent15users (used to view the 15 recent registered user at dashboard)
*   sp\_allregisteredusers (used to view all registered users)
*   sp\_userdeletion (used to delete user profile)
*   sp\_userupdateprofile (used to updat the user profile details)   **Note:** This procdure used in both module
*   sp\_useremailupdation (used to update user email id)   **Note:** This procdure used in both module
*   sp\_admincurrentpwdvalidate (used to valid admincurrent password  for change password)
*   sp\_adminchangepwd (if the password is validate by above stored procedure then this store used to change the admin password)

**How to run the User Management System in PHP Stored Procedure**

1.Download the zip file

2.Extract the file and copy ums-sp folder

3.Paste inside root directory(for xampp xampp/htdocs, for wamp wamp/www, for lamp var/www/html)

4.Open PHPMyAdmin (http://localhost/phpmyadmin)

5.Create a database with name umspsdb

6.Import regdb.sql file(given inside the zip package in SQL file folder)

7.Run the script http://localhost/ums-sp

**User Credential**  
**Username:** anujk@gmail.com  
**Password:** Test@123  
or Register a new user

**Admin Credential**  
**Username:** admin  
**Password:** Test@123

**View Demo———————————————————————–**

UMS in PHP using Stored Procedure

Size: 7.44 MB

Version: V1.0

![](https://secure.gravatar.com/avatar/7b336ec82044887afe61d64e1c96b5cf?s=128&d=mm&r=g)

Anuj Kumar

Hi! I am Anuj Kumar, a professional web developer with 5+ years of experience in this sector. I found PHPGurukul in September 2015. My keen interest in technology and sharing knowledge with others became the main reason for starting PHPGurukul. My basic aim is to offer all web development tutorials like PHP, PDO, jQuery, PHP oops, and MySQL, etc. Apart from the tutorials, we also offer you PHP Projects, and we have around 80+ PHP Projects for you.

CVE-2021-26800: User Management System in PHP using Stored Procedure |User Management System using Stored Procedure - PHPGurukul

Cross Site Request Forgery (CSRF) vulnerability exits in Catfish <=6.1.* when you upload an html file containing CSRF on the website that uses a google editor; you can specify the menu url address as your malicious url address in the Add Menu column.

\[Suggested description\]  
Cross Site Request Forgery (CSRF) vulnerability exists incatfish - <=6.3.0. First, you upload an html file containing csrf on the website  
that uses a google editor, (you only need to search in google:  
inurl:catfishcms/index.php/admin/Index/addmenu.html and then use the authoity of this  
When you have background permissions and want to induce other users to perform sensitive operations, you can specify the menu url address as your malicious url address in the Add Menu column

\[Vulnerability Type\]  
Cross Site Request Forgery (CSRF)

\[Vendor of Product\]  
https://github.com/xwlrbh/Catfish

\[Affected Product Code Base\]  
catfish - <=6.3.0

\[Affected Component\]  
To find a website that uses this editor, you only need to search in google: inurl:catfishcms/index.php/admin/Index/addmenu.html  
Because this is the feature file of this editor

\[Attack Type\]  
Remote

\[Impact Code execution\]  
true

Attackers can use websites trusted by users to perform dangerous operations

\[Attack Vectors\]

<title>csrf test</title> // your target url

![image](https://user-images.githubusercontent.com/67416400/145698932-698b7901-5860-45fb-bdbd-08035654ecf3.png)  
![image](https://user-images.githubusercontent.com/67416400/145698969-6d6d61bd-443b-4f9d-85ab-b510cdb80d60.png)

![image](https://user-images.githubusercontent.com/67416400/145698960-9323b362-7980-423f-b1d8-6ad01576e561.png)

Tag

#google