The Frontend File Manager Plugin WordPress plugin before 22.6 has a vulnerability that allows an Editor+ user to bypass the file download logic and download files such as `wp-config.php`

CVE-2023-5105

Traefik is an open source HTTP reverse proxy and load balancer. When a request is sent to Traefik with a URL fragment, Traefik automatically URL encodes and forwards the fragment to the backend server. This violates RFC 7230 because in the origin-form the URL should only contain the absolute path and the query. When this is combined with another frontend proxy like Nginx, it can be used to bypass frontend proxy URI-based access control restrictions. This vulnerability has been addressed in versions 2.10.6 and 3.0.0-beta5. Users are advised to upgrade. There are no known workarounds for this vulnerability.

**Summary**

When a request is sent to Traefik with a URL fragment, Traefik automatically URL encodes and forwards the fragment to the backend server. This violates the RFC because in the origin-form the URL should only contain the absolute path and the query.

When this is combined with another frontend proxy like Nginx, it can be used to bypass frontend proxy URI-based access control  
restrictions.

**Details**

For example, we have this Nginx configuration:

    location /admin {
         deny all;
         return 403;
    }
    

This can be bypassed when the attacker is requesting to /#/../admin

This won’t be vulnerable if the backend server follows the RFC and ignores any characters after the fragment.

However, if Nginx is chained with another reverse proxy which automatically URL encode the character # (Traefik) the URL will become

/%23/../admin

And allow the attacker to completely bypass the Access Restriction from the Nginx Front-End proxy.

Here is a diagram to summarize the attack:

**PoC**

This is the POC docker I've set up. It contains Nginx, Traefik proxies and a backend server running PHP.

https://drive.google.com/file/d/1vLnA0g7N7ZKhLNmHmuJ4JJjV\_J2akNMt/view?usp=sharing

**Impact**

This allows the attacker to completely bypass the Access Restriction from Front-End proxy.

CVE-2023-47106: Incorrect processing of fragment in the URL leads to Authorization Bypass

An issue in the component /admin/api.plugs/script of ThinkAdmin v6.1.53 allows attackers to getshell via providing a crafted URL to download a malicious PHP file.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2023-48965: CVE/ThinkAdmin Logical defect getshell.md at main · 1dreamGN/CVE

kkFileView v4.3.0 is vulnerable to Incorrect Access Control.

**kkFileView****Introduction**

Document online preview project solution, built using the popular Spring Boot framework for easy setup and deployment. This versatile open source project provides basic support for a wide range of document formats, including:

1.  Supports Office documents such as doc, docx, xls, xlsx, xlsm, ppt, pptx, csv, tsv, , dotm, xlt, xltm, dot, xlam, dotx, xla, ,pages etc.
2.  Supports domestic WPS Office documents such as wps, dps, et , ett,  wpt.
3.  Supports OpenOffice, LibreOffice office documents such as odt, ods, ots, odp, otp, six, ott, fodt and fods.
4.  Supports Visio flowchart files such as vsd, vsdx.
5.  Supports Windows system image files such as wmf, emf.
6.  Supports Photoshop software model files such as psd ,eps.
7.  Supports document formats like pdf, ofd, and rtf.
8.  Supports software model files like xmind.
9.  Support for bpmn workflow files.
10.  Support for eml mail files
11.  Support for epub book documents
12.  Supports 3D model files like obj, 3ds, stl, ply, gltf, glb, off, 3dm, fbx, dae, wrl, 3mf, ifc, brep, step, iges, fcstd, bim, etc.
13.  Supports CAD model files such as dwg, dxf, dwf iges , igs, dwt , dng , ifc , dwfx , stl , cf2 , plt, etc.
14.  Supports all plain text files such as txt, xml (rendering), md (rendering), java, php, py, js, css, etc.
15.  Supports compressed packages such as zip, rar, jar, tar, gzip, 7z, etc.
16.  Supports image previewing (flip, zoom, mirror) of jpg, jpeg, png, gif, bmp, ico, jfif, webp, etc.
17.  Supports image information model files such as tif and tiff.
18.  Supports image format files such as tga.
19.  Supports vector image format files such as svg.
20.  Supports mp3,wav,mp4,flv .
21.  Supports many audio and video format files such as avi, mov, wmv, mkv, 3gp, and rm.
22.  Supports for dcm .
23.  Supports for drawio .

**Features**

*   Build with the popular frame spring boot
*   Easy to build and deploy
*   Basically support online preview of mainstream office documents, such as Doc, docx, Excel, PDF, TXT, zip, rar, pictures, etc
*   REST API
*   Abstract file preview interface so that it is easy to extend more file extensions and develop this project on your own

**Official website and DOCS**

URL：https://kkview.cn

**Live demo**

> Please treat public service kindly, or this would stop at any time.

URL：https://file.kkview.cn

**Contact Us**

> We will answer your questions carefully and solve any problems you encounter while using the project. We also kindly ask that you at least Google or Baidu before asking questions in order to save time and avoid ineffective communication. Let's cherish our lives and stay away from ineffective communication.

**Quick Start**

> Technology stack

*   Spring boot： spring boot Development Reference Guide
*   Freemarker
*   Redisson
*   Jodconverter

> Dependencies

*   Redis(Optional, Unnecessary by default)
*   OpenOffice or LibreOffice(Integrated on Windows, will be installed automatically on Linux, need to be manually installed on Mac OS)

1.  First step：git pull https://github.com/kekingcn/kkFileView.git
    
2.  second step：Run the main method of /server/src/main/java/cn/keking/ServerMain.java. After starting,visit http://localhost:8012/.
    

**Changelog**

> December 14, 2022, version 4.1.0 released:

1.  Updated homepage design by @wsd7747.
2.  Compatible with multipage tif for pdf and jpg conversion and multiple page online preview for tif image preview by @zhangzhen1979.
3.  Optimized docker build, using layered build method by @yl-yue.
4.  Implemented file encryption based on userToken cache by @yl-yue.
5.  Implemented preview for encrypted Word, PPT, and Excel files by @yl-yue.
6.  Upgraded Linux & Docker images to LibreOffice 7.3.
7.  Updated OFD preview component, tif preview component, and added support for PPT watermarking.
8.  Numerous other upgrades, optimizations, and bug fixes. We thank @yl-yue, @wsd7747, @zhangzhen1979, @tomhusky, @shenghuadun, and @kischn.sun for their code contributions.

> July 6, 2021, version 4.0.0 released:

1.  The integration of OpenOffice in the underlying system has been replaced with LibreOffice, resulting in enhanced compatibility and improved preview effects for Office files.
2.  Fixed the directory traversal vulnerability in compressed files.
3.  Fixed the issue where previewing PPT files in PDF mode was ineffective.
4.  Fixed the issue where the front-end display of image preview mode for PPT files was abnormal.
5.  Added a new feature: the file upload function on the homepage can be enabled or disabled in real-time through configuration.
6.  Optimized the logging of Office process shutdown.
7.  Optimized the logic for finding Office components in Windows environment, with built-in LibreOffice taking priority.
8.  Optimized the synchronous execution of starting Office processes.

> June 17, 2021, version 3.6.0 released:

This version includes support for OFD file type versions, and all the important features in this release were contributed by the community. We thank @gaoxingzaq and @zhangxiaoxiao9527 for their code contributions.

1.  Added support for previewing OFD type files. OFD is a domestically produced file format similar to PDF.
2.  Added support for transcoding and previewing video files through ffmpeg. With transcoding enabled, theoretically, all mainstream video file formats such as RM, RMVB, FLV, etc. are supported for preview.
3.  Beautified the preview effect of PPT and PPTX file types, much better looking than the previous version.
4.  Updated the versions of dependencies such as pdfbox, xstream, common-io.

> January 28, 2021:

The final update of the Lunar New Year 2020 has been released, mainly including some UI improvements, bug fixes reported by QQ group users and issues, and most importantly, it is a new version for a good year.

1.  Introduced galimatias to solve the problem of abnormal file download caused by non-standard file names.
2.  Updated UI style of index access demonstration interface.
3.  Updated UI style of markdown file preview.
4.  Updated UI style of XML file preview, adjusted the architecture of text file preview to facilitate expansion.
5.  Updated UI style of simTxT file preview.
6.  Adjusted the UI of continuous preview of multiple images to flip up and down.
7.  Simplified all file download IO operations by adopting the apache-common-io package.
8.  XML file preview supports switching to pure text mode.
9.  Enhanced prompt information when url base64 decoding fails.
10.  Fixed import errors and image preview bug.
11.  Fixed the problem of missing log directory when running the release package.
12.  Fixed the bug of continuous preview of multiple images in the compressed package.
13.  Fixed the problem of no universal matching for file type suffixes in uppercase and lowercase.
14.  Specified the use of the Apache Commons-code implementation for Base64 encoding to fix exceptions occurring in some JDK versions.
15.  Fixed the bug of HTML file preview of text-like files.
16.  Fixed the problem of inability to switch between jpg and pdf when previewing dwg files.
17.  Escaped dangerous characters to prevent reflected xss.
18.  Fixed the problem of duplicate encoding causing the failure of document-to-image preview and standardized the encoding.

> December 27, 2020:

The year-end major update of 2020 includes comprehensive architecture design, complete code refactoring, significant improvement in code quality, and more convenient secondary development. We welcome you to review the source code and contribute to building by raising issues and pull requests.

1.  Adjusted architecture modules, extensively refactored code, and improved code quality by several levels. Please feel free to review.
2.  Enhanced XML file preview effect and added preview of XML document structure.
3.  Added support for markdown file preview, including support for md rendering and switching between source text and preview.
4.  Switched the underlying web server to jetty, resolving the issue: #168
5.  Introduced cpdetector to solve the problem of file encoding recognition.
6.  Adopted double encoding with base64 and urlencode for URLs to completely solve preview problems with bizarre file names.
7.  Added configuration item office.preview.switch.disabled to control the switch of office file preview.
8.  Optimized text file preview logic, transmitting content through Base64 to avoid requesting file content again during preview.
9.  Disabled the image zoom effect in office preview mode to achieve consistent experience with image and pdf preview.
10.  Directly set pdfbox to be compatible with lower version JDK, and there will be no warning prompts even when run in IDEA.
11.  Removed non-essential toolkits like Guava and Hutool to reduce code volume.
12.  Asynchronous loading of Office components speeds up application launch to within 5 seconds.
13.  Reasonable settings of the number of threads in the preview consumption queue.
14.  Fixed the bug where files in compressed packages failed to preview again.
15.  Fixed the bug in image preview.

> May 20th 2020 ：

1.  Support for global watermark and dynamic change of watermark content through parameters
2.  Support for CAD file Preview
3.  Add configuration item base.url, support using nginx reverse proxy and set context-path
4.  All configuration items can be read from environment variables, which is convenient for docker image deployment and large-scale use in cluster
5.  Support the configuration of TrustHost (only the file source from the trust site can be previewed), and protect the preview service from abuse
6.  Support configuration of customize cache cleanup time (cron expression)
7.  All recognizable plain text can be previewed directly without downloading, such as .md .java .py, etc
8.  Support configuration to limit PDF file download after conversion
9.  Optimize Maven packaging configuration to solve the problem of line break in .sh script
10.  Place all CDN dependencies on the front end locally for users without external network connection
11.  Comment Service on home page switched from Sohu ChangYan to gitalk
12.  Fixed preview exceptions that may be caused by special characters in the URL
13.  Fixed the addtask exception of the transformation file queue
14.  Fixed other known issues
15.  Official website build: https://kkview.cn
16.  Official docker image repository build: https://hub.docker.com/r/keking/kkfileview

> June 18th 2019 ：

1.  Support automatic cleaning of cache and preview files
2.  Support http/https stream url file preview
3.  Support FTP url file preview
4.  Add Docker build

> April 8th 2019

1.  Cache and queue implementations abstract, providing JDK and REDIS implementations (REDIS becomes optional dependencies)
2.  Provides zip and tar.gz packages, and provides a one-click startup script

> January 17th 2018

1.  Refined the project directory, abstract file preview interface, Easy to extend more file extensions and depoly this project on your own
2.  Added English documentation (@幻幻Fate，@汝辉) contribution
3.  Support for more image file extensions
4.  Fixed the issue that image carousel in zip file will always start from the first

> January 12th 2018

1.  Support for multiple images preview
2.  Support for images rotation preview in rar/zip

> January 2nd 2018

1.  Fixed gibberish issue when preview a txt document caused by the file encoding problem
2.  Fixed the issue that some module dependencies can not be found
3.  Add a spring boot profile, and support for Multi-environment configuration
4.  Add pdf.js to preview the documents such as doc,etc.,support for generating doc headlines as pdf menu，support for mobile preview

**Sponsor Us**

If this project has been helpful to you, we welcome your sponsorship. Your support is our greatest motivation.！

CVE-2023-48815: GitHub - kekingcn/kkFileView: Universal File Online Preview Project based on Spring-Boot

PHPJabbers Appointment Scheduler version 3.0 suffers from a CSV injection vulnerability.

    # Exploit Title: PHPJabbers Appointment Scheduler v3.0 - CSV Injection# Date: 19/11/2023# Exploit Author: BugsBD Limited# Discover by: Rahad Chowdhury# Vendor Homepage: https://www.phpjabbers.com/# Software Link: https://www.phpjabbers.com/appointment-scheduler/# Version: v3.0# Tested on: Windows 10, Windows 11, MS Office 2010# CVE-2023-48841Descriptions:PHPJabbers Appointment Scheduler v3.0 is vulnerable to CSV injectionvulnerability which allows an attacker to execute remote code. Thevulnerability exists due to insufficient input validation on theUnique ID field in the Reservations list that is used to construct aCSV file.Steps to Reproduce:1. Login your panel.2. Go to Options Menu then click Language then click Labels section.3. Now use CSV Injection Payload in any field and go to Import/Export.4. Now click export and open your system.## Reproduce:[href](https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-48841)

PHPJabbers Appointment Scheduler 3.0 CSV Injection

PHPJabbers Appointment Scheduler version 3.0 suffers from a missing rate limiting control that can allow for resource exhaustion.

    # Exploit Title: PHPJabbers Apointment Scheduler v3.0 - No Rate Limit in Email# Date: 19/11/2023# Exploit Author: BugsBD Limited# Discover by: Rahad Chowdhury# Vendor Homepage: https://www.phpjabbers.com/# Software Link: https://www.phpjabbers.com/appointment-scheduler/# Version: v3.0# Tested on: Windows 10, Windows 11, Linux# CVE-2023-48840Descriptions:PHPJabbers Apointment Scheduler v3.0 is vulnerable to Rate limiting.Rate limiting is implemented in web applications and APIs to preventabuse, such as brute-force attacks or excessive requests that couldlead to resource exhaustion. When a rate limit is bypassed or notproperly enforced, it opens the door for attackers to carry outmalicious activities more quickly than intended, potentially leadingto unauthorized access, data breaches, or service disruption.Steps to Reproduce:1. Request Data:POST /1701529051_590/index.php?controller=pjBaseOptions&action=pjActionAjaxSendHTTP/1.1Host: demo.phpjabbers.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)Gecko/20100101 Firefox/119.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brContent-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestContent-Length: 426Origin: https://demo.phpjabbers.comReferer: https://demo.phpjabbers.com/1701529051_590/index.php?controller=pjBaseOptions&action=pjActionEmailSettingsSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originTe: trailersConnection: closeoptions_update=1&next_action=pjActionEmailSettings&email=test1%40test.com&value-enum-o_send_email=mail%7Csmtp%3A%3Amail&value-string-o_smtp_host=&value-int-o_smtp_port=25&value-string-o_smtp_user=&value-string-o_smtp_pass=&value-enum-o_smtp_secure=none%7Cssl%7Ctls%3A%3Anone&value-enum-o_smtp_auth=LOGIN%7CPLAIN%3A%3ALOGIN&value-string-o_smtp_sender=&value-string-o_sender_email=test%40test.com&value-string-o_sender_name=Test2. Send it to intruder and configure then Start Attack and check mail.## Reproduce:[href](https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-48840)

PHPJabbers Appointment Scheduler 3.0 Missing Rate Limiting

PHPJabbers Appointment Scheduler version 3.0 suffers from multiple persistent cross site scripting vulnerabilities.

    # Exploit Title: PHPJabbers Appointment Scheduler v3.0 - Multiple Stored XSS# Date: 19/11/2023# Exploit Author: BugsBD Limited# Discover by: Rahad Chowdhury# Vendor Homepage: https://www.phpjabbers.com/# Software Link: https://www.phpjabbers.com/appointment-scheduler/# Version: v3.0# Tested on: Windows 10, Windows 11, Linux# CVE-2023-48839Descriptions:PHPJabbers Appointment Scheduler v3.0 is vulnerable to Multiple StoredCross-Site Scripting. Multiple Stored XSS is a type of securityvulnerability that occurs when an application or website allows anattacker to inject malicious scripts into the content that ispermanently stored on the server. Unlike reflected XSS, where themalicious script is embedded in a URL and executed immediately, storedXSS involves the persistent storage of the malicious script on thetarget server, waiting for unsuspecting users to access thecompromised content.Steps to Reproduce:1. Login your panel.2. Vulnerable parameters are "name, plugin_sms_api_key,plugin_sms_country_code, calendar_id, title, country name,customer_name".3. Go to System Menu then click SMS Settings.4. Then use any XSS Payload in "SMS API Key", "Default Country Code"input field and Save.5. You will see popup.## Reproduce:[href](https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-48839)

PHPJabbers Appointment Scheduler 3.0 Cross Site Scripting

PHPJabbers Appointment Scheduler version 3.0 suffers from multiple html injection vulnerabilities.

    # Exploit Title: PHPJabbers Appointment Scheduler v3.0 - Multiple HTML Injection# Date: 19/11/2023# Exploit Author: BugsBD Limited# Discover by: Rahad Chowdhury# Vendor Homepage: https://www.phpjabbers.com/# Software Link: https://www.phpjabbers.com/appointment-scheduler/# Version: v3.0# Tested on: Windows 10, Windows 11, Linux# CVE-2023-48838Descriptions:PHPJabbers Appointment Scheduler v3.0 is vulnerable to Multiple HTMLInjection. HTML injection, also known as HTML code injection orcross-site scripting (XSS), is a web security vulnerability thatallows an attacker to inject malicious code into a web page that isthen viewed by other users. This can lead to various attacks, such asstealing sensitive information, session hijacking, defacement ofwebsites, or delivering malware to users.Steps to Reproduce:1. Login your panel.2. Go to System Menu then click SMS Settings.3. Then use any HTML Tag in "SMS API Key", "Default Country Code"input field and Save.4. You will see HTML code working here.## Reproduce:[href](https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-48838)

PHPJabbers Appointment Scheduler 3.0 HTML Injection

October CMS version 3.4.0 suffers from a persistent cross site scripting vulnerability when a user has article posting capabilities.

    OctoberCMS v3.4.0 (Wiki_article) Stored Cross-Site Scripting VulnerabilityVendor: October CMSProduct web page: https://www.octobercms.comAffected version: 3.4.0Summary: OctoberCMS is a self-hosted content management system (CMS)based on the PHP programming language and Laravel web application framework.It supports MySQL, SQLite and PostgreSQL for the database back end anduses a flat file database for the front end structure. The October CMScovers a range of capabilities such as users, permissions, themes, andplugins, and is seen as a simpler alternative to WordPress.Desc: OctoberCMS suffers from stored cross-site scripting vulnerabilitywhen a user with the ability to create an article could perform a storedXSS attack against any other users with the ability to create an article.This can lead to execute arbitrary HTML/JS code in a user's browser sessionin context of an affected site.Tested on: macOS Monterey 12.6.3           Docker 4.12.0 (85629)           PHP/8.1.6Vulnerability discovered by Nazli Soysal Kuran                            @zeroscienceAdvisory ID: ZSL-2023-5807Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5807.php30.10.2023--Stored XSS (EntryRecord[content]):----------------------------------Endpoint: /backend/tailor/entries/wiki_articlePayload: EntryRecord%5Bcontent%5D="<script>alert(1)</script>"

October CMS 3.4.0 Wiki Article Cross Site Scripting

October CMS version 3.4.0 suffers from a persistent cross site scripting vulnerability when a user has category-creating capabilities.

    OctoberCMS v3.4.0 (Category) Stored Cross-Site Scripting VulnerabilityVendor: October CMSProduct web page: https://www.octobercms.comAffected version: 3.4.0Summary: OctoberCMS is a self-hosted content management system (CMS)based on the PHP programming language and Laravel web application framework.It supports MySQL, SQLite and PostgreSQL for the database back end anduses a flat file database for the front end structure. The October CMScovers a range of capabilities such as users, permissions, themes, andplugins, and is seen as a simpler alternative to WordPress.Desc: OctoberCMS suffers from stored cross-site scripting vulnerabilitywhen a user with the ability to a category-creating feature that storesdata persistently could create a stored XSS attack against any other usersvisiting the blog page. This can lead to execute arbitrary HTML/JS codein a user's browser session in context of an affected site.Tested on: macOS Monterey 12.6.3           Docker 4.12.0 (85629)           PHP/8.1.6Vulnerability discovered by Nazli Soysal Kuran                            @zeroscienceAdvisory ID: ZSL-2023-5806Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5806.php30.10.2023--Stored XSS (EntryRecord[title]):--------------------------------Endpoint: POST /backend/tailor/entries/blog_category/createPayload: EntryRecord%5Btitle%5D="</title><script>alert(1)</script>"

Tag

#php