Remote Code Execution in Clinic's Patient Management System v 1.0 allows Attacker to Upload arbitrary php webshell via profile picture upload functionality in users.php

Submitted by oretnom23 on Thursday, June 30, 2022 - 13:09.

****Introduction****

This simple project is a **Clinic Patient Management System**. This is a web-based application project developed in **PHP** and **MySQL Database**. This project's main purpose is to provide an **online and automated** platform for managing data for certain **Medical clinics**. This system helps the clinic to easily store, retrieve, and manage their **patients visiting and prescription records**. It has a pleasant user interface with the help of the **Bootstrap Framework and AdminLTE Template** that provides a better experience to the end-users. It also consists of multiple user-friendly features and functionalities.

****About the Clinic Patient Management System****

The project was developed with the following:

*   **XAMPP v3.3.0**
*   **PHP**
*   **MySQL Database**
*   **HTML**
*   **CSS**
*   **JavaScript**
*   **Ajax**
*   **jQuery**
*   **Bootstrap**
*   **Font Awesome**
*   **AdminLTE**

This **Clinic Patient Management System** is only accessible to the **clinic's management**. It requires the system users to log in with their valid credentials in order to gain access to the features and functionalities of the system. System users can manage the list of **Medicines**, **Medicine Details**, **Patients**, and **Patient Prescriptions**. Here the management can store the patients' visit information with some relevant data such as the blood pressure, weight, disease, and more. The management can create a prescription for the patient for its specific illness or based on her diagnosis. Using the system, the clinic's management can easily retrieve the patient history with the clinic. It also generates a printable and downloadable PDF Report for **Patients Visits Records** and **Diseases Records**.

****Features****

*   **Dashboard Page**
    *   Display the summary.
*   **Medicine Management**
    *   Add New Medicine
    *   List All Medicines
    *   Edit/Update Medicine Details
*   **Medicine Details Management**
    *   Add New Medicine Details
    *   List All Medicine Details
    *   Edit/Update Medicine Details Details
*   **Patient Management**
    *   Add New Patient
    *   List All Patients
    *   Edit/Update Patient Details
    *   Add New Patient's Prescription
    *   Patient's History List
*   **Report**
    *   Generating Printable and Downloadable Reports
        *   Patient Visits
        *   Disease Records
*   **User Management**
    *   Add New User
    *   List All Users
    *   Edit User Details
*   **Login and Logout**

The source code was developed only for educational purposes only. You can download the source code for free and modify it the way you wanted.

**System Snapshots of some Features******Login****

****Dashboard****

****Medicine Details List Page****

****Patient List Page****

****Patient Visits Report****

****Disease Record Report****

**How to Run ??**

****Requirements****

*   **Download** and **Install** any **local web server** such as **XAMPP.**
*   **Download** the provided source code **zip** file. (_download button is located below_)

****System Installation/Setup****

1.  **Open** your **XAMPP Control Panel** and start ****Apache**** and ****MySQL****.
2.  **Extract** the **downloaded source code **zip** file**.
3.  **Copy** the extracted source code folder and **paste** it into the **XAMPP's "htdocs" directory**.
4.  **Browse** the ****PHPMyAdmin**** in a **browser**. i.e. ****http://localhost/phpmyadmin****
5.  **Create** a **new database** naming ****pms\_db****.
6.  **Import** the provided ****SQL**** file. The file is known as ****pms\_db.sql**** located inside the **database** folder.
7.  **Browse** the **Clinic Patient Management System** in a **browser**. i.e. ****http://localhost/pms/****.

****Admin Default Access:****

Username: **admin**  
Password: **admin123**

****DEMO VIDEO****

That's it. You can now explore the features and functionalities of this **Clinic Patient Management System** in **PHP**. I hope this will help you with what you are looking for and you'll find something useful for your future projects.

Explore more on this website for more **Free Source Codes** and **Tutorials**.

**Enjoy :)**

*   6445 views

CVE-2022-40471: Clinic's Patient Management System in PHP/PDO Free Source Code

Apple Security Advisory 2022-10-27-15 - Safari 16.1 addresses code execution, spoofing, and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2022-10-27-15 Additional information for APPLE-SA-2022-10-24-7 Safari 16.1

Safari 16.1 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT213495.

WebKit  
Available for: macOS Big Sur and macOS Monterey  
Impact: Visiting a malicious website may lead to user interface  
spoofing  
Description: The issue was addressed with improved UI handling.  
WebKit Bugzilla: 243693  
CVE-2022-42799: Jihwan Kim (@gPayl0ad), Dohyun Lee (@l33d0hyun)

WebKit  
Available for: macOS Big Sur and macOS Monterey  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: A type confusion issue was addressed with improved  
memory handling.  
WebKit Bugzilla: 244622  
CVE-2022-42823: Dohyun Lee (@l33d0hyun) of SSD Labs

WebKit  
Available for: macOS Big Sur and macOS Monterey  
Impact: Processing maliciously crafted web content may disclose  
sensitive user information  
Description: A logic issue was addressed with improved state  
management.  
WebKit Bugzilla: 245058  
CVE-2022-42824: Abdulrahman Alqabandi of Microsoft Browser  
Vulnerability Research, Ryan Shin of IAAI SecLab at Korea University,  
Dohyun Lee (@l33d0hyun) of DNSLab at Korea University

WebKit  
Available for: macOS Big Sur and macOS Monterey  
Impact: Processing maliciously crafted web content may disclose  
internal states of the app  
Description: A correctness issue in the JIT was addressed with  
improved checks.  
WebKit Bugzilla: 242964  
CVE-2022-32923: Wonyoung Jung (@nonetype_pwn) of KAIST Hacking Lab  
Entry added October 27, 2022

WebKit PDF  
Available for: macOS Big Sur and macOS Monterey  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: A use after free issue was addressed with improved  
memory management.  
WebKit Bugzilla: 242781  
CVE-2022-32922: Yonghwi Jin (@jinmo123) at Theori working with Trend  
Micro Zero Day Initiative

Additional recognition

WebKit  
We would like to acknowledge Maddie Stone of Google Project Zero,  
Narendra Bhati (@imnarendrabhati) of Suma Soft Pvt. Ltd., an  
anonymous researcher for their assistance.

Safari 16.1 may be obtained from the Mac App Store.  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmNbKowACgkQ4RjMIDke  
NxlhOg/+I94LgMI7No4xw6dub1rdzNTbMV6A0R14HXwA7PoMzXgXJotYFyAfGUY4  
zd2fE9ixEuXqt+OsVrQ0/ZU4HcLEJLQk2ZkULoDfNeGiuJpi6k9VhPp6995XtLNb  
zGZgMu5dOPBkYsSaM5XaVwLQPtsIbac3u/Uoo6l2TyyN1B2clsI1dS2IXS8DEHkr  
2fCImTAcFfqIW7TZ6xqAdYOL5QLoJ8qXTcjSMaWtPpPzkfpZCTTwV8ifauK5rTQd  
JsFf49RFWMNdZ3qHNRaENsFMh1Y+bMRIW6Xt41WKXhSPdNXonv93N472YGhMtt7Z  
k+IuibGRVlwzc5Ri4AnQspBjhint6vo4vbJ39h1FoSzqTm3PruH+HGrhlfMTGR8/  
0s/QDBLQbA+UlM5r6uinQ5pI771rRyHTCWOxLUVVopDOV9ImV36Y+INakc3pTXL1  
420Wg31lCMO3cwwXyVYq/zDbCpJ2gDptSWTqlubli+omxMG7LRs0Vn9P4NTosVzk  
jN49FHJE2moD8O0D+sia6+lhyVhcP8UIA3WtcXegVngrwL6sAoFa5SCp49wmbb/O  
Ye1eysxuMR2xu7piVbUpGh0wRY50MbwwSWX0vRt0CwxcoiQK90lQFbqy2RFX4eN8  
k/jjh3nPUl20WxgOfQfLfiY/9aPcQSzvcOzba2bSovdgyk8xH+o=  
=3IzG  
-----END PGP SIGNATURE-----

Apple Security Advisory 2022-10-27-15

By Deeba Ahmed
A non-peer-reviewed paper published by The University of Texas at Austin provides a complete characterization of Starlink’s signals claiming to have taken the first step toward creating a brand-new global navigation technology.
This is a post from HackRead.com Read the original post: Researchers hack SpaceX Starlink satellite signal for GPS alternative

The University of Texas at Austin researchers hacked **SpaceX**’s Starlink Satellite’s Signal to use it as a GPS alternative without help or support from Elon Musk’s company.

For your information, **GPS** (global positioning system) is a group of 31 satellites monitored by the US government. These satellites transmit radio signals from an altitude of 12,500 miles. The signals are picked up by GPS receivers installed in phones, vehicles, etc.

**How it all Started?**

In 2020, The US Army-funded researcher at the University of Texas, Todd Humphreys, offered SpaceX an innovative method to help its continually evolving **Starlink** constellation to offer exact navigation, position, and timing. This can be achieved with a few software tweaks.  

Initially, SpaceX was thrilled at the idea. However, later, Musk decided not to pursue this proposal. According to Humphreys, Musk said that “every other LEO communications network has gone into bankruptcy. And so we have to focus completely on staying out of bankruptcy. We cannot afford any distractions.”

Hence, Humphreys was on his own in this task. Throughout the past two years, the Humphreys team at the university’s Radionavigation Lab **worked** at reverse engineering signals sent by Starlink internet satellites in LOE (low earth orbit) to ground-based receivers.

**Research Details**

After a breakthrough in **this research**, Humphreys published a non-peer-reviewed paper in which he explained that regular beacon signals from the constellation that help receivers establish a connection with the satellites could serve as a potent navigation system. All this was done without any involvement from SpaceX.

In the **paper** (PDF), Humphreys provided a complete characterization of Starlink’s signals thus far and claims to have taken the first step towards creating a brand-new global navigation technology that encourages the independent operation of GPS or its Russian, European, and Chinese counterparts.

The Starlink signal capture process (the University of Texas at Austin)

He further stated that the Starlink system signals structure had remained closely guarded and wasn’t even revealed when SpaceX cooperated on this idea in 2020. So, the team started the research from scratch and developed a radio telescope for monitoring their signals.

The university acquired a Starlink terminal and streamed high-definition tennis videos from YouTube to create a consistent source of signals from Starlink that could be eavesdropped from a nearby antenna. They gradually learned that Starlink used orthogonal frequency division multiplexing technology to encode digital transactions.

They didn’t break Starlink’s encryption or access user data on the satellites. They relied on synchronization sequences to encourage receiver coordination. Each sequence contained clues to the velocity and distance of the satellite.

Starlink satellites transmit four sequences every millisecond, which proved fantastic for dual usage of their system. By repeating the process for different satellites, a receiver can locate itself within thirty meters of range.

> “We were pleasantly surprised to find that they more synchronization sequences than is strictly required.”
> 
> Todd Humphreys – University of Texas

1.  **White hat hackers infect Canon DSLR camera with ransomware**
2.  **Shoe with GPS insole tracks ‘lost’ Alzheimer’s & dementia patients**
3.  **Researchers hack vacuum cleaner; turn it into perfect spying device**
4.  **Researchers demonstrate hacking traffic lights to manipulate outcome**
5.  **Hacking Satellite? FBI Warns of Attacks on SATCOM Network Providers**

Researchers hack SpaceX Starlink satellite signal for GPS alternative

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Oct. 21 and Oct. 28. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key

Threat Roundup for October 21 to October 28

Advantech R-SeeNet Versions 2.4.19 and prior are vulnerable to path traversal attacks. An unauthorized attacker could remotely exploit vulnerable PHP code to delete .PDF files.

CVE-2022-3387

Directory Traversal vulnerability in LiteSpeed Technologies OpenLiteSpeed Web Server Dashboard allows Path Traversal. This affects versions from 1.5.11 through 1.5.12, from 1.6.5 through 1.6.20.1, from 1.7.0 before 1.7.16.1

CVE-2022-0072: openlitespeed/httpserver.cpp at v1.7.16 · litespeedtech/openlitespeed

Multiple command injection vulnerabilities in GL.iNet GoodCloud IoT Device Management System Version 1.00.220412.00 via the ping and traceroute tools allow attackers to read arbitrary files on the system.

CVE-2022-42055: GL.iNET MT300N-V2 Vulnerabilities and Hardware Teardown

A bipartisan bill aims to create a usable framework for the use of open source components when building applications, which Google is urging the private sector to support.

Google is throwing its considerable weight behind a proposed U.S. government-led policy framework aimed at shoring up security for open source software, urging the private sector to support the initiative.  

The Securing Open Source Software Act introduced in the Senate last month \[PDF\] is a bipartisan bill that would create a security and risk-mitigation blueprint for the federal government's use of open source software.

"We are glad to see a continued emphasis on the importance of open-source software security from the U.S. government, and we hope that both public and private organizations will follow their lead to promote improved cybersecurity for the ecosystem at large," noted Royal Hansen, engineering vice president for Google’s trust and safety team, in an Oct. 27 blog post.

Open source software code, i.e., the freely available building blocks for applications of all stripes, is fundamentally the engine that drives modern digital enterprise. But malicious cyber activity against the software supply chain has infamously spiraled in the past few quarters, from SolarWinds to Log4Shell to a cornucopia of malicious and poisoned projects and packages popping up in trusted code repositories like npm.

Hansen noted that "seemingly simple questions about the open-source supply chain are still difficult to answer," including:

*   Does a project contain known vulnerabilities?
*   Are the project’s maintainers and community following security best practices during software development?
*   What open source dependencies are part of a particular piece of software?
*   How secure was the distribution supply chain?

Google has been actively working on the problem, through initiatives like extending its bug-bounty efforts to open source. The industry has championed approaches like software bills of material (SBOMs) and automated code reviews to help catch vulnerable pieces before they propagate too far across the landscape. Google and other tech giants have also invested millions into nonprofit organizations and software foundations like the Open Source Security Foundation to support open source creators. On the policy side, the US government has embraced SBOMs for agencies, among other moves.

The new federal legislation, if it passes, will encourage more public-private partnership, and bring the public sector to the table in even more meaningful ways, according to the tech behemoth.

"Securing open-source software is a shared responsibility, and we look forward to continued collaboration on this urgent, critical problem," Hansen said.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Google Trumpets US Federal Open Source Security Initiative

Concerns about breaches of sensitive information due to execution of malware scripts and growing adoption of cloud-based services are fueling growth of the content security market.

**CHICAGO, Oct. 26, 2022 /PRNewswire/** — The global Content Security Market size is expected to grow from an estimated value of USD 1,345 million in 2022 to 2,219 million USD by 2027, at a Compound Annual Growth Rate (CAGR) of 10.5% from 2022 to 2027**.** Some factors driving the Content Security Market growth include concerns regarding increased breach of sensitive information due to execution of malware scripts, growing adoption of cloud-based services/solutions, increased need to widespread information/content and engagement through advanced user interface, and user experience platforms.

**Download PDF Brochure:** https://www.marketsandmarkets.com/pdfdownloadNew.asp?id=194651579

**By Organization size, large enterprises are expected to witness higher market share during the forecast period**

The adoption of cloud services or solutions to take advantage of the digitalization era has been the primary area of interest for businesses in the context of both large and medium-sized businesses. At the same time, it gives hackers a chance to steal sensitive data by inserting malware scripts into website content, phishing emails, and other forms of communication. When it comes to considering the adoption of new technology, there is no doubt that large corporations are typically the ones to do so. This suggests that clever con scammers or whip-smart hackers have their sights set on these businesses. However, the small and medium-sized businesses are not far behind in adopting cloud services. In addition to considering cloud adoption for its cost-effectiveness and ability to automate manual processes, small business leaders should also consider data protection and security. The technology industry benefits from the growth of cloud users and its ecosystem. In addition, these business leaders must be aware of the drawbacks associated with utilizing lucrative services or deploying cloud solutions. Because of the growing concerns over data security, this makes it possible to envision content security as a possibility.

**Request Sample Pages:** https://www.marketsandmarkets.com/requestsampleNew.asp?id=194651579

**By vertical, BFSI segment is expected to witness highest market share during the forecast period**

The scope of content security and protection extends beyond a small number of industry verticals like BFSI, IT and ITeS, retail and e-commerce, media, and entertainment, and so on. BFSI is one of the industries that sets the standard for the adoption of digital technologies to streamline operations and operations as digital initiative grows. It includes banks, insurance companies, and financial institutions. From a strategic perspective, the BFSI industry is the most attractive target for scammers or hackers due to the sectors rapid digital progress and the substantial amount of consumer information it holds. As a result, the number of cybercrimes and frauds has increased steadily over time. There have been alarming numbers of cases involving the use of email content, phishing emails, and UI/UX that direct users to scripted altered websites. This shows how important it is to protect the public interest and content security in the global market.

**Get 10% Free Customization on this Report:** https://www.marketsandmarkets.com/requestCustomizationNew.asp?id=194651579

**By region, Asia Pacific is projected to grow with fastest growth rate during the forecast period**

When it comes to the content security market, North America is believed to hold most of the market share. It is not surprising that it has topped the list because it has witnessed a variety of cybercrimes, allowing the region to investigate a variety of malware or suspicious content origins. Digital transformation, on the other hand, has been a major focus of Asia-Pacific efforts to boost regional economic growth and integration. Asia-Pacific now ranks among the worlds fastest-growing regions, making it a huge potential market for content security. China, India, and Japan are a few of the regions most technologically advanced nations, which are facilitating the swift implementation of content security laws and regulations to improve data security. Additionally, despite the increasing number of cyberattacks and threats, businesses in the Asia-Pacific region have been adapting to the new digital trends.

**Key Players**

Major vendors in the **Global Content Security Market** include Cartesian Inc. (US), Microsoft Corporation (US), Trend Micro Inc. (Japan), Check point Software Technologies (Israel), Barracuda Networks (US), Sophos Technologies Pvt. Ltd (UK)., Proofpoint (US), Forcepoint (US), Verimetrix (France), Lookout (US), CommScope (US) and Infosec Information Technologies (Istanbul) are few key players in the content security market.

**Browse Adjacent Markets** : Information Security Market Research Reports & Consulting

**Related Reports**

**IDaaS Market** — Global Forecast to 2027

**Operational Technology (OT) Security Market** — Global Forecast to 2027

**Zero Trust Security Market** — Global Forecast to 2027

**Cybersecurity Insurance Market** — Global Forecast to 2027

**Supply Chain Management (SCM) Market** — Global Forecast to 2027

**About MarketsandMarkets™**

MarketsandMarkets™ provides quantified B2B research on 30,000 high growth niche opportunities/threats which will impact 70% to 80% of worldwide companies' revenues. Currently servicing 7500 customers worldwide including 80% of global Fortune 1000 companies as clients. Almost 75,000 top officers across eight industries worldwide approach MarketsandMarkets™ for their painpoints around revenues decisions.

Our 850 fulltime analyst and SMEs at MarketsandMarkets™ are tracking global high growth markets following the "Growth Engagement Model – GEM". The GEM aims at proactive collaboration with the clients to identify new opportunities, identify most important customers, write "Attack, avoid and defend" strategies, identify sources of incremental revenues for both the company and its competitors. MarketsandMarkets™ now coming up with 1,500 MicroQuadrants (Positioning top players across leaders, emerging companies, innovators, strategic players) annually in high growth emerging segments. MarketsandMarkets™ is determined to benefit more than 10,000 companies this year for their revenue planning and help them take their innovations/disruptions early to the market by providing them research ahead of the curve.

MarketsandMarkets's flagship competitive intelligence and market research platform, "Knowledge Store" connects over 200,000 markets and entire value chains for deeper understanding of the unmet insights along with market sizing and forecasts of niche markets.

Content Security Market Worth $2.2 Million by 2027 - Exclusive Study by MarketsandMarkets(TM)

Google admitted to loss of data responsive to 2016 search warrant and agreed to program enhancements, reporting obligations, and a first-of-its-kind Independent Compliance Professional.

The Department of Justice on Oct. 25 filed a stipulation and agreement resolving a dispute with Google over the loss of data responsive to a search warrant issued in 2016.

Pursuant to the first-of-its-kind resolution, Google has agreed to reform and upgrade its legal process compliance program to ensure timely and complete responses to legal process such as subpoenas and search warrants, as required under the Stored Communications Act (SCA) and other applicable legal authorities. To monitor that Google fulfills its legal obligations, an Independent Compliance Professional will be retained to serve as an outside third-party related to Google’s compliance enhancements.

“The Department is committed to ensuring that electronic communications providers comply with court orders to protect and facilitate criminal investigations,” said Assistant Attorney General Kenneth A. Polite, Jr. of the Justice Department’s Criminal Division. “This agreement demonstrates the Department’s resolve in ensuring that technology companies, such as Google, provide prompt and complete responses to legal process to ensure public safety and bring offenders to justice.”

“The warrant underlying this agreement was sought in connection with a significant criminal investigation,” said U.S. Attorney Stephanie Hinds for the Northern District of California. “This agreement will help to ensure that, moving forward, Google will maintain the technical capability and resources necessary to comply with lawful warrants and orders, such as the one at issue in this case, that are critical to federal criminal investigations.”

As detailed in the Statement of Facts accompanying today’s agreement, in 2016, the United States obtained a search warrant in the Northern District of California for data held at Google related to the investigation of the criminal cryptocurrency exchange BTC-e. The warrant was issued under the SCA, the federal statute that requires providers such as Google to disclose customer communications when served with a warrant signed by a judge and supported by probable cause.

After the warrant was reviewed by a judge in the Northern District of California, sworn, signed, and served on Google, the Second Circuit Court of Appeals issued a decision holding that SCA search warrants did not reach data stored outside of the United States. Google halted execution of the search warrant and made rolling productions containing only information it could confirm was stored in the United States. Because Google’s data preservation tools at the time stored data in the United States – and thus brought the data under undisputed U.S. jurisdiction – Google also endeavored to create new tools that would prevent the data from being repatriated. Google and the government litigated regarding the search warrant through 2017 and into 2018, when Congress clarified that the SCA does indeed reach data that U.S. providers choose to store overseas. In the intervening time, data responsive to the warrant was lost.

In resolving the matter with the department, Google has agreed to numerous improvements to its legal process compliance program, as set forth in the filed agreement. The improvements are tailored to ensure that Google complies with its legal obligations to respond to lawful court orders, including those issued pursuant to the SCA. Google will maintain sufficient compliance staffing levels to support the enhancements to the program and will allocate engineering resources to support legal process compliance.

Google has further committed to implement processes and procedures to ensure timely response to legal process, as required under the SCA and other relevant legal frameworks, and to generate a compliance timeliness record for missed deadlines, which will be made available to the government upon request. Google will also develop and maintain needed tools to retrieve data in response to legal process, and to develop plans for legal process responses corresponding to new product launches.

The agreement (PDF) also provides that an Independent Compliance Professional will verify the accuracy of assertions in all reports contemplated by the agreement and evaluate Google’s assessment of its compliance with the enhancements to Google’s Legal Process Compliance Program set forth in the agreement. Pursuant to the agreement and in consultation with the mandated Independent Compliance Professional, Google will assemble periodic reports and updates regarding its Legal Process Compliance Program and its implementation of the enhancements set forth in the agreement. Google will provide these reports to the government, the Google Compliance Steering Committee, and the Audit and Compliance Committee of the Alphabet Board of Directors.

In the filed stipulation, Google represented to the court that it spent over $90 million on additional resources, systems, and staffing to implement legal process compliance program improvements.

Google will maintain its lawful protections of user data, and the agreement does not provide the United States access to Google user data.

Senior Counsel C. Alden Pelker of the Criminal Division’s Computer Crime and Intellectual Property Section and Corporate and Securities Fraud Section Chief Lloyd Farnham for the Northern District of California negotiated the agreement on behalf of the government.

Tag

#pdf